Re: How to fight with encrypted p2p

Linux Advanced Routing and Traffic Control

On 11/13/07 09:37, Carl-Daniel Hailfinger wrote:
> Well, you can surely try. But then again, I have been doing research (publication pending) in traffic-pattern-based detection of VoIP flows and peer-to-peer connections. While it usually is easy to find a pattern matching your particular traffic class very well, part of this research has been dedicated to automatically circumventing these systems. Why that? Simple. Applications evolve to circumvent detection. If you can simulate that evolution in the lab, you can find out where your detection algorithms will fail. Of course, that enumeration of possible failure modes is non-exhaustive.
>
> Bottom line: This is an arms race. Unless you do lots of research and testing, detection will always be trying to catch up. If detection manages to catch up, circumvention will advance, but you may have a small time window where you can enjoy the "win". However, winning becomes more and more expensive. Clients can expend a considerable amount of CPU power to avoid detection. You don't have that luxury in filter systems unless you have one filter per client.

All very good points with regard to pattern-based detection of P2P (and the like) traffic. What do you think about recognizing the traffic you do want and treating all else as a second or third class citizen? Or is this just a form of net neutrality? Or really, is this entire discussion such? Further, does the net neutrality issue apply to companies (read: non-ISPs) wanting to filter their own internal traffic?

Additionally, as an aside, will you please provide more information on your pending publication? I'd likely be curious to read (whatever) whenever it is published. Thanks in advance.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
