[c-nsp] What are other SPs doing about CALEA?

[Justin Shore]

I'm sure this has been a hot topic around your local water dispenser, 
coffee maker or Mountain Dew machine.  It's been a hot topic in our 
office for many months.  How do we support this unfunded and 
ill-conceived mandate with our existing hardware?  What follows is a 
plethora of thoughts and questions.

This particular network consists of 2800 series branch routers (2821s, 
not the 2851 LI-supported model), 3660s for DSL aggregation and T1 
leased lines, 7206VXRs for DSL aggregation and another as a border 
router, AS5300s for dialin and some other misc routers, firewalls and 
SBCs for non-access-layer tasks.  Our newest addtions are 7600s and 
ME6524s for core routers at 2 POPs, ME3750s for aggregation at a POP, 
3845s for SSL VPN termination, and another 3845 that will deployed as a 
border router.  We also have Arris C3 CMTSs and are deploying Pannaway 
ADSL2+ products.

The only equipment in this list that support any form of LI for data are 
the C3s, 7206VXRs, 7600s in an upcoming IOS release, the 3845s, the 
3660s if we downgrade to a 12.3 release (and only voice then from what 
I've been told), and the Pannaway devices (only voice).  All VoIP 
provided by this provider/telco can be pulled off a class-5 switch which 
meets the voice CALEA requirements.

We been in discussions with trusted 3rd-party vendors over their 
possible solution, all of which are cost prohibitive (I swear we must be 
in the wrong business).  The most recent and most reasonably-priced 
vendor turned out to be very expensive when they told us that each 
LI-enabled device and each probe placed on the network to assist with 
non-LI-enabled devices would require a license.  That's for each capture 
point.  They recommended the use of probes and port mirroring or RSPAN 
where possible to capture data and to shunt it off to the mediation 
device.  All of my reading about LI makes me believe that the transport 
between the LI-enabled edge devices is encrypted, stuffed into UDP 
datagrams, addressed to the MD and routed back out onto the wire.  I'm 
not sure how a tcpdump can meet CALEA's requirements (not that the FCC 
really defined any requirements other than read our minds and make it 
work).  Am I missing something here?

I've been told that most SPs aren't replacing non-LI-compliant hardware 
and are simply planning on getting the data upstream of those edge 
devices.  For example our 3660s that are terminating customer T1s aren't 
compliant.  It was suggested that we simply get the traffic upstream of 
the 3660.  Does this meet the spirit of LI though?  What if one T1 
customer talks directly with another T1 customer and never leaves the 
3660 (same goes for cable, DSL, etc)?

This question was asked of me and I'll forward it to the group.  Can the 
7613s act as a LI-aggregation point and take stream of LI data from 
other LI-enabled devices and send it to the MD or act as the MD?  I'm 
doubting it; it sounds like LI stream have to be punted  to the MD 
directly.  Does Cisco make a MD or are they all 3rd-party devices?

What exactly is a LI stream composed of?  Is it a GRE tunnel, IPSec 
tunnel, a tunnel at all?  The docs have not gone into it at all.  I 
suppose I should just read the RFC for myself.

Does anyone know of an open source project to build a MD?  This strikes 
me as something a group of individuals would turn into an OSS project.  
It meets all the usual requirements to spawn an OSS project:  canned 
solutions are prohibitively expensive, mass problem for large groups of 
geeks, sufficient complexity, etc.  I can't imagine it being all that 
complicated if the protocols are standardized and published.

Has anyone found a decently priced trusted 3rd-party that knows how to 
implement LI correctly?  We've found many that really don't know how but 
they are sure willing to bill us to try.

I know we're not alone in this.  How are the rest of you fairing?

Thanks
  Justin