[unisog] Your ISP as Net watchdog???

Peter Van Epp vanepp at sfu.ca
Tue Jul 5 23:29:07 GMT 2005


On Wed, Jul 06, 2005 at 12:27:23AM +0200, Florian Weimer wrote:
> * Leo Howell:
> 
> > How do you all feel about ISPs logging and storing all internet
> > transaction history?
> 
> It's not too uncommon to do this on academic networks for comparably
> short periods of time (days and weeks, not months), at least as layer
> 3 and 4 data is concerned.  Most estimates of the storage requirements
> for the data per se are way too high.  Such data helps a lot during
> incident handling.  Furthermore, such networks gather invaluable
> intelligence, which helps to increase on the Internet as a whole.
> 
> (Just to provide a different view on this issue.)

	Yep, do that (even to tape) for exactly those reasons, the difference 
is that it is our choice. If it gets too expensive compared to the utility we 
can choose to stop doing it. When it is legislated it may not matter if you 
can afford it, you get to do it anyway which in turn may limit the links you 
can practically deploy. The equivalent proposed legislation here in Canada is 
suggesting that ISPs (and it isn't clear that a University won't be considered 
an ISP in this context, certainly the local ORAN with OC192 links will be) 
would have to provide (at their cost) the capability of wire tapping and 
preserving the data for specified accounts (if I remember correctly up to 
100 simultaneous) on any link requested (with a warrant) by various government 
agencies. 
	There go the 10 gig links we are just about to deploy, there isn't 
anything that I know of that will do that. We have users that are planning 
on 10 gig host adapters directly into a machine, so doing it downstream at an 
aggregation point isn't going to work even if we could afford the hardware
(which at high link speeds is going to be amazingly expensive) and/or the 
amount of hardware to cover multiple links or the edges.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

