
On Fri, 20 Dec 2002, David Lesher wrote:

:[This just jumped into the operational arena. Are you prepared
:with the router port for John Poindexter's vacuum? What changes
:will you need to make? What will they cost? Who will pay?]

There is a really easy way to accomplish this, and it has apparently been partially implemented within UUNet as an overlaid network of GRE tunnels for a few years, at least based on a NANOG presentation from October 1999. This can be accomplished quite cost effectively, provided the government doesn't want to archive *everything*.

I keep mentioning this, and for some reason few people seem to recognize how profoundly simple it would be for the government to legislate themselves into exchange points and have the authority to announce certain prefixes to the IX, tunnel the traffic of the affected route into their own network, and monitor it without ever showing up in a traceroute.

MPLS makes this even simpler, where certain routes can be tagged and switched invisibly into the Total Information Awareness network for monitoring, and switched back out with nobody being the wiser.

Technically this is simple. The infrastructure is in place; it just needs some legal teeth.

As soon as they figure out BGP, governments could seek authority over exchange point routing tables so that they can implement data sanctions against foreign and/or non-compliant ASNs. It's pretty easy to imagine; we'll just have to see how it plays out.

Also, if you want to monitor massive amounts of data (something people say can't be done easily), you just demux it using a device like those at www.toplayer.com, or http://www.radware.com/content/products/fire.asp . Both solutions are adequate for breaking up massive amounts of data. I could write snort signatures that will trigger a session to be re-routed based on packet content.

It's fugly, but if I can do it in my basement, a multi-billion dollar agency acting on behalf of the only global superpower can probably think up something a little more elegant. :)

--
batz
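The scenario batz describes starts with someone announcing "certain prefixes to the IX" so that traffic for the affected route is pulled into a third-party network. The defender-side counterpart is to watch what your IX peers announce and compare it against the origins you expect for your own address space, the same idea later formalized as ROA-based origin validation. The following is an added example, not code from batz's post or from any NANOG material; the prefixes, ASNs, peer names and the policy table are all constructed for illustration. It flags a covered prefix announced by an unexpected origin AS, and a more-specific announcement that exceeds the maximum length the policy permits (a more-specific wins longest-prefix match and would divert traffic even when the covering route is intact). Note what this check cannot see: a GRE or MPLS overlay inside a carrier's own network never appears as a BGP announcement at your peering sessions, which is exactly the point the post makes about traceroute.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed allow-list, shaped like a set of ROAs: prefix -> (permitted origin
# ASNs, maximum prefix length that may be announced under that prefix).
# All values are made up for this example.
EXPECTED_ORIGINS: Dict[str, Tuple[Set[int], int]] = {
    "203.0.113.0/24": ({64500}, 24),
    "198.51.100.0/23": ({64501, 64502}, 24),
}


@dataclass(frozen=True)
class Announcement:
    """One route as learned from an IX peer (a constructed, simplified record)."""
    prefix: str
    as_path: Tuple[int, ...]   # origin AS is the last element of the AS_PATH
    peer: str                  # which peering session the route came from

    @property
    def origin(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Finding:
    kind: str       # "unexpected-origin" or "too-specific"
    prefix: str     # the announced prefix
    covering: str   # the policy prefix it falls under
    origin: int
    peer: str


def _covering_prefix(net: ipaddress._BaseNetwork,
                     policy: Dict[str, Tuple[Set[int], int]]) -> Optional[ipaddress._BaseNetwork]:
    """Return the longest policy prefix containing net, or None if none covers it."""
    best = None
    for p in policy:
        cand = ipaddress.ip_network(p)
        # subnet_of() raises on mixed address families, so compare versions first.
        if net.version == cand.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def check_announcements(announcements: List[Announcement],
                        policy: Dict[str, Tuple[Set[int], int]] = EXPECTED_ORIGINS) -> List[Finding]:
    """Compare observed announcements against the origin policy; return the findings."""
    findings: List[Finding] = []
    for a in announcements:
        net = ipaddress.ip_network(a.prefix)
        cover = _covering_prefix(net, policy)
        if cover is None:
            continue  # address space we do not hold a policy for; ignore
        allowed, max_len = policy[str(cover)]
        if a.origin not in allowed:
            kind = "unexpected-origin"
        elif net.prefixlen > max_len:
            kind = "too-specific"
        else:
            continue  # valid: permitted origin, within the allowed length
        findings.append(Finding(kind, a.prefix, str(cover), a.origin, a.peer))
    return findings


# Constructed sample of what a route collector at an IX might hand back.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64510, 64500), "ix-peer-a"),    # valid
    Announcement("203.0.113.0/24", (64510, 64999), "ix-peer-b"),    # wrong origin
    Announcement("203.0.113.128/25", (64999,), "ix-peer-b"),        # more-specific, wrong origin
    Announcement("198.51.100.0/24", (64520, 64502), "ix-peer-c"),   # within max length, valid
    Announcement("198.51.101.0/25", (64520, 64501), "ix-peer-c"),   # permitted origin but too specific
    Announcement("192.0.2.0/24", (64530,), "ix-peer-d"),            # not covered by policy, ignored
]

if __name__ == "__main__":
    for f in check_announcements(SAMPLE_ANNOUNCEMENTS):
        print(f"{f.kind:18} {f.prefix:18} under {f.covering:18} origin AS{f.origin} via {f.peer}")
```

Run against a real feed, the `Announcement` records would come from a route collector or from your own routers' Adj-RIB-In, and the policy table from the ROAs published for your space; the comparison logic is the same.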