At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
>This is an interesting issue...how much information can be gleaned from
>encrypted "payloads"?

Traffic analysis (who, how frequently, temporal patterns)
Size of payload

>Is it possible for a switch or whatever that has
>visibility up to layers 4/5/6 to determine (at least) what type of file is
>being sent?

Yes. Modern network equipment can examine all the way up to "layer 7". Can tell that you're sending an .mp3 and will cut your QoS, if that's the policy.

> Can it determine at what layer encryption was performed?

Various "packet classification" hardware companies [1] make chips to find fields in headers. (The classification chips pass this info to the NPU) IPsec, SSL are trivial. App-level crypto is easy if the crypto has signatures, like "-----BEGIN PGP MESSAGE-----".

Steganography + encryption, however, is pretty tough. The S/N ratio can become useless due to false alarms. The Feds probably have an enormous collection of intercepted Arab baby pictures...

[1] Here's a blurb from http://solidum.com/products/index.cfm

Based on programmable state machine technology and a powerful, openly-distributed pattern description language, our scalable, forward-compatible, and field-upgradable classification processors can be configured to closely inspect packets for vital information up to and including Layer 7. The information collected can then be used to make intelligent routing and switching decisions for service, application, and QoS requirements. This improves the speed, power and efficiency of next generation network processing architectures, facilitates the delivery of content-based services and enables true QoS for differentiated services.

---
CALEA: What did you think layer 7 awareness meant?
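Added example, not part of the original message: a software sketch of the header and signature checks the reply describes, reporting where encryption is visible in a raw IPv4 packet (ESP protocol number, TLS record header, PGP armor line) and falling back to a byte-entropy guess when no signature is present. The function names, the 512-byte/7.5-bit thresholds, and the sample packets are assumptions constructed for illustration.

```python
import hashlib
import math
import struct

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(b) for b in set(data)))

def classify(pkt: bytes) -> str:
    """Report where encryption is visible in one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 50:                        # IP protocol 50 = IPsec ESP
        return "ipsec-esp"
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # only TCP is inspected further
        return "unclassified"
    payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    # TLS record header: content type 20-23, then version 3.x
    if (len(payload) >= 5 and 20 <= payload[0] <= 23
            and payload[1] == 3 and payload[2] <= 4):
        return "tls-record"
    if PGP_ARMOR in payload:                # app-level crypto with a signature
        return "pgp-armor"
    # No signature left: only a statistical guess remains, and compressed
    # media (.mp3, JPEG) scores just as high, hence the false alarms.
    if len(payload) >= 512 and entropy(payload) > 7.5:
        return "high-entropy-unknown"
    return "no-crypto-signature"

def ipv4(proto: int, body: bytes) -> bytes:
    """Constructed IPv4 header (RFC 5737 test addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + body

def tcp(payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (PSH|ACK) in front of the payload."""
    return ipv4(6, struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4,
                               0x18, 65535, 0, 0) + payload)

# Constructed sample traffic, one packet per case discussed in the message.
SAMPLES = {
    "esp": ipv4(50, b"\x00" * 16),
    "tls": tcp(b"\x16\x03\x01\x00\x05hello"),
    "pgp": tcp(b"Subject: hi\r\n\r\n" + PGP_ARMOR + b"\r\nhQEMA...\r\n"),
    "blob": tcp(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))),
    "http": tcp(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}
```

The "blob" case is the only one decided without a signature, which is why that verdict is labelled unknown rather than encrypted.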