ietf

RE: Should IETF do more to fight computer crime?

2000-05-23 13:50:02

-----Original Message-----
From: Vernon Schryver [mailto:vjs(_at_)calcite(_dot_)rhyolite(_dot_)com]
Sent: Tuesday, May 23, 2000 4:14 PM
To: ietf(_at_)ietf(_dot_)org
Subject: RE: Should IETF do more to fight computer crime?


From: "Dawson, Peter D" <Dawson(_dot_)Peter(_at_)emeryworld(_dot_)com>

Jacob Palme <jpalme(_at_)DSV(_dot_)SU(_dot_)SE> wrote:

But would not better log production in routers be an aid
in finding the villain behind computer crimes?

What type of logging do you propose?  It seems that the types of logging
that are already done enable people to trace the origins of suspicious
traffic.

--gregbo

True, but only the origin of packets is determined. What is needed is
a code of ethics between ISPs, to share information.
I.e. once a packet leaves the ISP1 cloud and travels across the ISP2 cloud,
very rarely would ISP1 be willing to disclose to ISP2...
which (user) has leased that specific dynamic IP address.

BTW, this info would be required on the fly... so that net admin/sec
would be in a better position to pinpoint the perpetrator's habits/physiological
profile etc.


Let's actually think for a moment about serious logging or sharing
information about Internet traffic.  State of the art large routers
move Tbits/sec.  If the average packet size is 500 bytes, you're
talking about logging or sharing information about 100 Mpackets/second.
If you only log or share the source and destination IPv4 addresses,
TCP or UDP port numbers, an incoming interface, a timestamp, and 1 or
2 bits saying the packet was not unusual (e.g. no TCP options other
than window scaling or SACK and no IP options), you're talking about
logging or sharing more than 20 bytes/packet or a few GBytes/second/big
router.  There are 86,400 seconds/day, so you're talking about logging
or sharing about 100 TBytes/day per large router.

Typical IP paths seem to be at least 10 hops long these days, and
often 20 or 30.  Most of those routers are not going to be Tbit/sec
backbone routers, but more than one will be, and the rest can be
counted or aggregated as if they were.  Thus, you're talking about
logging or sharing several 1000 TBytes/day.

Perhaps it would not be a problem to burn 1,000,000 GByte CDROM, tapes,
or other media per day, but what would you be able to do with those logs?
Searching a 1000 TByte database on the fly, especially if it is merely
a primitive sequential log, would be a serious challenge.

Yes, not many Tbit routers have been deployed, but they will be, and I
think the average packet size is less than 500, which increases the amount
of logging.  Yes, you might not need to keep those 1000's of TBytes for
more than a few days, but you still need a way to do something with them.

To put it another way, the complaints from the large ISPs that they cannot
police Internet traffic to shield their customers from pornography, talk
about World War II political parties, and the other things that various
pressure groups and governments dislike have some technical reality.

I agree on the technical reality of tbyte storage/tcpdump etc...


Technical reality always trumps political blather everywhere that matters.


Yes, but if I were behind a DMZ and my IDS triggers... and if I got a
source address... my question is...
would 'The ISP' provide any type of information to negate the threat? Is
this a political problem??, beyond technical reality or just plain
non-compliance to 'Collaboration'???


/pd
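As an added example (not part of this thread, and not anyone's posted code), the back-of-envelope estimate from Vernon's message worked through in Python: it packs the minimal per-packet record he lists (field widths and network byte order are my assumptions) and derives the daily log volume per router and per path from the link rate and average packet size. The 1 Tbit/s link rate, the 500-byte average and the hop counts are taken from the message; the smaller packet sizes in the table are constructed to show how volume grows as packets shrink.

```python
import socket
import struct

# Minimal per-packet record: src/dst IPv4, src/dst port, ingress ifindex,
# timestamp (seconds), one byte of "nothing unusual" flag bits.
# Widths are assumed; "!" gives network byte order with no padding.
RECORD_FMT = "!4s4sHHHIB"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 19 bytes, i.e. "more than 20" once framed
SECONDS_PER_DAY = 86_400


def encode_record(src, dst, sport, dport, ifindex, ts, flags):
    """Pack one per-packet log record (constructed sample values in main)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, ifindex, ts, flags)


def packets_per_second(link_bits_per_sec, avg_packet_bytes):
    """Packet rate a link sustains at full load for a given average packet size."""
    return link_bits_per_sec / (avg_packet_bytes * 8)


def log_bytes_per_day(link_bits_per_sec, avg_packet_bytes, record_bytes=RECORD_SIZE):
    """Bytes of per-packet log one fully loaded router produces in a day."""
    return packets_per_second(link_bits_per_sec, avg_packet_bytes) * record_bytes * SECONDS_PER_DAY


def path_log_bytes_per_day(hops, link_bits_per_sec, avg_packet_bytes, record_bytes=RECORD_SIZE):
    """Same, summed over every hop on a path, counting each as a big router."""
    return hops * log_bytes_per_day(link_bits_per_sec, avg_packet_bytes, record_bytes)


def main():
    tbit = 1e12
    # Constructed sample record: RFC 5737 documentation addresses.
    rec = encode_record("192.0.2.10", "198.51.100.7", 40000, 80, 3, 959_112_000, 0b01)
    print(f"record bytes: {len(rec)}")
    print("avg pkt  Mpps    TB/day/router  TB/day/10 hops  TB/day/30 hops")
    for avg in (500, 400, 250):
        pps = packets_per_second(tbit, avg)
        print(f"{avg:>7}  {pps / 1e6:6.0f}  {log_bytes_per_day(tbit, avg) / 1e12:13.0f}"
              f"  {path_log_bytes_per_day(10, tbit, avg) / 1e12:14.0f}"
              f"  {path_log_bytes_per_day(30, tbit, avg) / 1e12:14.0f}")


if __name__ == "__main__":
    main()
```

The rounding in the original message is coarser, but the shape is the same: hundreds of terabytes per router per day, thousands across a path, and it scales inversely with average packet size.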