
Page 1: Title slide

Merit Network: Connecting People and Organizations Since 1966

CALEA Compliance – A Feasibility Study
October 25, 2006

Mary Eileen McLaughlin
Director – Networking
Merit Network, Inc.

Page 2: Overview

Merit believes it will need to be “Gateway compliant” for CALEA
– Will need to have a device at the ingress/egress points of our network
– In other words, where traffic enters or leaves AS 237
– About 9 sites, including private peering points

We wanted to see if we could develop an architecture that
– Met what we see today as the law’s requirements
– Was cost effective and practical

We’re not talking about the legal pros/cons, the expectations of the law, or the challenges

Page 3: Goals of Experimental Framework

Build a modest packet capture platform
– Based on simple hardware and open-source software

Test ability to capture a single data stream
– In the presence of a moderate amount of background traffic

Measure performance
– Packet loss
– Make a decision on just how good performance has to be for Merit to say it is in conformance with the law

(cont.)

Page 4: Goals of Experimental Framework (cont.)

Where will this solution ‘break’?
– Or, up to what level of aggregate bandwidth usage is this solution functional?

How well might this solution work with 10G cards, compared with the price/performance of commercial solutions?

Testing only traffic capture functionality, not
– Transfer to law enforcement device
– Re-aggregation of traffic
– Other

Page 5: CALEA Architecture Prototype Test Environment (diagram)

[Diagram: “CALEA ARCHITECTURE PROTOTYPE TEST ENVIRONMENT, MERIT NETWORK, 09/15/2006”. Elements shown: the Internet; two Collectors and a Controller; a Law Enforcement Agency Device; three 10 Gig Switches on Merit’s 10G Core Network (AS 237); sites MSU, Grand Rapids, Chicago, Kalamazoo, UM, WSU and Ann Arbor; the Chicago CRS Router, the Ann Arbor CRS Router and the Detroit 1 Gig Router.]

Note: This diagram reflects only Merit’s 10G switch locations. Also, only the two switches we will use in the testing are shown. Note that there will be collectors and switches at each of the egress/ingress points for AS 237.

Page 6: Hardware/Software

Dell Precision GX260 Workstation, 2 GigE interfaces for management and sampling
Pentium 4 3GHz, 1GB RAM, 7200 RPM disk
Gentoo Linux OS
Tcpdump/tethereal for packet capture; both depend on the pcap library
– Testing whether tcpdump can handle the data rates
Iperf as the traffic generator
Some custom wrapper software to make it easier to manage the data collection activity

Page 7: Experiment Architecture (diagram)

[Diagram elements shown: Merit Building Switch with a Mirror Port feeding the Traffic Capture Device; Merit LAN; IPERF Source and IPERF Sink; Ameritech, SBC, Cogent and Merit; DSL and fiber links; “Out to net”.]

Page 8: Experiment Methodology

Background traffic for the duration of the test: ~190-225Mbps (Sunday evening load); repeat for a higher traffic load of ~400Mbps (Monday afternoon)

Phase 1 test:
– Send data from source to sink using iperf
– Attempt to capture the traffic stream at the capture device at the Merit building
– Measure the actual number of packets transmitted at the source and compare with the number of full packets captured
– Measure for short / medium / large TCP flow
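The comparison step above (sender's packet count versus full packets captured on the mirror port) is easy to get wrong when background traffic shares the mirror and when the capture tool truncates packets at its snaplen. The following is an added example, not Merit's wrapper software or tcpdump: a minimal reader for the pcap file format that tcpdump writes, which selects one test flow out of a capture, counts only records stored in full, and derives the loss against the sender's count. The iperf endpoints (10.0.0.1 to 10.0.0.2, TCP port 5001) and the capture bytes are constructed here so the script runs offline.

```python
"""Count one test flow's packets in a pcap capture and compare with the
sender's count. Added example; endpoints, ports and the capture are constructed."""
import struct

# Assumed iperf endpoints (not from the slides): source -> sink, TCP port 5001.
TEST_SRC, TEST_DST, TEST_DPORT = "10.0.0.1", "10.0.0.2", 5001

# pcap global header: magic, version 2.4, zone, sigfigs, snaplen, link type Ethernet
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src, dst, sport, dport, payload=b"x" * 100):
    """Ethernet II + IPv4 + TCP frame with the given addresses and ports."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    return eth + ip + tcp + payload


def pcap_record(frame, snap=None):
    """pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus the stored
    bytes; snap < len(frame) models truncation by the capture snaplen."""
    incl = len(frame) if snap is None else min(snap, len(frame))
    return struct.pack("<IIII", 0, 0, incl, len(frame)) + frame[:incl]


def iter_pcap(data):
    """Yield (frame_bytes, incl_len, orig_len) for each record in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (unknown magic)")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len], incl_len, orig_len
        offset += incl_len


def flow_key(frame):
    """(src, dst, proto, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (src, dst, proto, sport, dport)


def capture_report(pcap_bytes, packets_sent, src=TEST_SRC, dst=TEST_DST, dport=TEST_DPORT):
    """Count full and truncated packets of the test flow; derive the loss."""
    full = truncated = 0
    for frame, incl_len, orig_len in iter_pcap(pcap_bytes):
        key = flow_key(frame)
        if key is None or key[0] != src or key[1] != dst or key[4] != dport:
            continue  # background traffic or a non-IP frame
        if incl_len == orig_len:
            full += 1
        else:
            truncated += 1  # seen, but not a full packet
    lost = packets_sent - full
    return {"captured_full": full, "captured_truncated": truncated,
            "lost": lost, "loss_fraction": lost / packets_sent}


def build_sample_pcap():
    """Constructed capture: 50 test-flow packets (2 truncated), 30 background
    packets to other hosts, and one ARP frame, as a mirror port would deliver."""
    records = []
    for i in range(50):
        snap = 60 if i in (10, 20) else None
        records.append(pcap_record(build_frame(TEST_SRC, TEST_DST, 40000, TEST_DPORT), snap))
    for i in range(30):
        records.append(pcap_record(build_frame("192.0.2.%d" % (i % 10 + 1), "198.51.100.7", 1024 + i, 80)))
    records.append(pcap_record(b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28))
    return PCAP_GLOBAL_HEADER + b"".join(records)


if __name__ == "__main__":
    # Constructed scenario: iperf reported 52 packets sent; the mirror delivered 50.
    print(capture_report(build_sample_pcap(), packets_sent=52))
```

Counting only records whose stored length equals the original length matches the slide's "full packets captured"; a truncated record shows the capture host saw the packet but cannot hand a complete copy on, which is the case a collector for this purpose has to treat as a loss.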

Page 9: 10 sec Expt (~200Mbps Load)

Run   Pkts Sent   Pkts Captured   % Pkt Loss
1     546         542             0.007
2     662         659             0.004
3     649         645             0.006
4     655         649             0.009
5     637         634             0.004

Avg Test Traffic Data Rate: ~380Kbps
Avg Transfer: ~500KB

Page 10: 5 min Expt (~200Mbps Load)

Run   Pkts Sent   Pkts Captured   % Pkt Loss
1     16425       16326           0.006
2     16551       16461           0.005
3     16622       16533           0.005
4     16453       16360           0.006
5     16515       16434           0.005

Avg Test Traffic Data Rate: ~390Kbps
Avg Transfer: ~14.1MB

Page 11: 30 min Expt (~200Mbps Load)

Run   Pkts Sent   Pkts Captured   % Pkt Loss
1     98893       98315           0.006
2     98901       98297           0.006
3     98961       98404           0.006
4     99259       98578           0.007
5     98488       97712           0.008

Avg Test Traffic Data Rate: ~390Kbps
Avg Transfer: ~83MB

Page 12: 5 min Expt (~400Mbps Load)

Run   Pkts Sent   Pkts Captured   % Pkt Loss
1     16389       16279           0.007
2     16379       16271           0.007
3     16381       16258           0.008
4     16385       16269           0.007
5     16336       16219           0.007

Avg Test Traffic Data Rate: ~393Kbps
Avg Transfer: ~14.1MB

Page 13: Preliminary Conclusions and Discussion

At a load of roughly 200Mbps, less than 1% (0.006% - 0.007%) of the packets are missing at the capture device
– This seems to hold at least up to an aggregate load level of 400Mbps (bidirectional traffic mirrored onto a single port)

But what about VoIP (UDP)? How does our packet loss compare with what might normally happen to a data stream across the same data path?
– A UDP stream along the same path at 380Kbps experienced roughly 1.5% packet loss
– Thus, less than 1% packet loss for our mirrored traffic is well within a “normal” range
– Should be sufficient for law enforcement
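Slide 3 asks how good capture performance has to be, and slide 13 answers it by comparing the capture's loss with the loss the path itself imposes. The following added example (not Merit's analysis code) carries that comparison through over the trial data tabulated on slides 9 to 12, with the slide 13 UDP figure of 1.5% as the baseline and the acceptance rule stated as an assumption: the worst trial must lose a smaller fraction than the path. Computing lost/sent from the tables reproduces the "% Pkt Loss" column when that column is read as a fraction (4 of 546 packets is 0.0073, i.e. 0.73%), which puts every trial under 1% as slide 13 concludes and below the 1.5% path baseline.

```python
"""Evaluate the slide 9-12 capture trials against the slide 13 path-loss baseline.
Added example; trial data copied from the slides, acceptance rule assumed."""

# (packets sent, packets captured) per trial, as tabulated on the slides
EXPERIMENTS = {
    "10 sec, ~200Mbps load": [(546, 542), (662, 659), (649, 645), (655, 649), (637, 634)],
    "5 min, ~200Mbps load": [(16425, 16326), (16551, 16461), (16622, 16533),
                             (16453, 16360), (16515, 16434)],
    "30 min, ~200Mbps load": [(98893, 98315), (98901, 98297), (98961, 98404),
                              (99259, 98578), (98488, 97712)],
    "5 min, ~400Mbps load": [(16389, 16279), (16379, 16271), (16381, 16258),
                             (16385, 16269), (16336, 16219)],
}

# Loss a UDP stream saw along the same path at 380Kbps (slide 13): 1.5%
PATH_BASELINE_LOSS = 0.015


def loss_fraction(sent, captured):
    """Fraction of transmitted packets missing from the capture."""
    if captured > sent:
        raise ValueError("captured more packets than were sent; check the flow filter")
    return (sent - captured) / sent


def as_percent(fraction):
    return fraction * 100.0


def summarize(trials):
    """Min/mean/max loss fraction and totals over (sent, captured) trials."""
    fractions = [loss_fraction(s, c) for s, c in trials]
    return {"min": min(fractions), "mean": sum(fractions) / len(fractions), "max": max(fractions),
            "total_sent": sum(s for s, _ in trials), "total_lost": sum(s - c for s, c in trials)}


def meets_baseline(trials, baseline=PATH_BASELINE_LOSS):
    """Assumed acceptance rule: even the worst trial must lose a smaller
    fraction than the path itself, so the capture is not the weakest link."""
    return summarize(trials)["max"] < baseline


def evaluate_all(experiments=EXPERIMENTS):
    """Map each experiment name to (summary, passes_baseline)."""
    return {name: (summarize(trials), meets_baseline(trials)) for name, trials in experiments.items()}


if __name__ == "__main__":
    for name, (stats, ok) in evaluate_all().items():
        print("%-22s loss %.2f%% .. %.2f%% (mean %.2f%%) -> %s" % (
            name, as_percent(stats["min"]), as_percent(stats["max"]), as_percent(stats["mean"]),
            "OK" if ok else "exceeds path baseline"))
```

The rule is deliberately applied to the worst trial rather than the mean: a collector that usually keeps up but occasionally drops a burst is the case a reviewer of the capture would ask about, and the max is what the repeated, higher-load runs proposed on slide 14 will stress.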

Page 14: Discussion and Next Steps

Simple hardware/software holds promise for at least the lower rate uplink capacities (definitely for OC3, GigE type rates)

Need to repeat experiments, systematically, and at different (higher) loads

Future work includes
– Examining 10Gig cards
– Multiple sites concurrently; possibly on-campus
– Price/performance comparison with commercial offerings, e.g., ENDACE hardware solution

Perhaps have a combination of build & buy