[c-nsp] What are other SPs doing about CALEA?

Robert Blayzor rblayzor at inoc.net
Tue Feb 6 21:51:42 EST 2007


Justin Shore wrote:
> The only equipment in this list that supports any form of LI for data are 
> the C3s, 7206VXRs, 7600s in an upcoming IOS release, the 3845s, the 
> 3660s if we downgrade to a 12.3 release (and only voice then from what 
> I've been told), and the Pannaway devices (only voice).  All VoIP 
> provided by this provider/telco can be pulled off a class-5 switch which 
> meets the voice CALEA requirements.

CALEA is a requirement for any facilities based broadband service
provider that offers transmission speeds of 200kbps or faster.  It
doesn't matter if the SP provides voice or not; they must intercept VoIP
if it traverses the wire.

> I've been told that most SPs aren't replacing non-LI-compliant hardware 
> and are simply planning on getting the data upstream of those edge 
> devices.  For example our 3660s that are terminating customer T1s aren't 
> compliant.  It was suggested that we simply get the traffic upstream of 
> the 3660.  Does this meet the spirit of LI though?  What if one T1 
> customer talks directly with another T1 customer and never leaves the 
> 3660 (same goes for cable, DSL, etc)?

That's exactly it, it's not compliant.  If you have an ATM OC3 where one
caller with a PPPoE session can call another on the same OC3, in the
same router, you have to be able to intercept; so your probes won't do
you a lot of good if they don't leave the router.  Remember CALEA is for
voice only, there is no requirement to "capture all data" AFAIK.

I'd like to know what a lot of the cable companies are going to do with
DOCSIS where you technically have a lot of neighbors sitting right next
to each other with no possible snoop point.

> This question was asked of me and I'll forward it to the group.  Can the 
> 7613s act as a LI-aggregation point and take stream of LI data from 
> other LI-enabled devices and send it to the MD or act as the MD?

Not that I've read anywhere.  Seems the LI devices are either set up via
SNMPv3 or via RADIUS records which give the intercept device the
information it needs to send a copy of the session to the MD.


> What exactly is a LI stream composed of?  Is it a GRE tunnel, IPSec 
> tunnel, a tunnel at all?  The docs have not gone into it at all.  I 
> suppose I should just read the RFC for myself.

I believe RFC3924 is Cisco's method for lawful intercept, that's a good
place to start.

> Has anyone found a decently priced trusted 3rd-party that knows how to 
> implement LI correctly?  We've found many that really don't know how but 
> they are sure willing to bill us to try.
> 
> I know we're not alone in this.  How are the rest of you faring?

A TTP really seems like it's for larger networks; it doesn't seem at all
cost effective for us.  We're basically just buying all the LI licenses
where we can, upgrading to devices that can do LI where we need to,
and we're exploring a MD centrally located in our operations center.
For the amount of requests we'll probably get, we can handle it
internally with existing staff.  A good place to start looking for MD
devices/services is http://www.verint.com/. (it's one on the list that
Cisco recommends)

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC

(A)bort, (R)etry, (T)ake down entire network?
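The coverage problem raised above (an upstream probe never sees traffic between two customers that hairpins inside the same edge router) is easy to get wrong when planning probe placement. The following is an added example, not code from the thread or from any vendor: a small Python check that, given a constructed topology of edge routers and their customers, lists the customer pairs an upstream probe cannot intercept and which edge routers therefore need native LI. The router names, the customer names, the single "core" probe site and the set of LI-capable devices are all assumptions made for the example.

```python
"""Intercept coverage check: which flows never reach an upstream probe?

Constructed topology for illustration only (not taken from the post).
Each edge router has one uplink to "core", where a passive probe sits.
Traffic between two customers on the same edge router is switched inside
that router and never crosses the uplink, so the probe cannot see it.
"""
from itertools import combinations

# Hypothetical edge routers and the customers terminated on each.
EDGE_ROUTERS = {
    "3660-a": {"cust1", "cust2"},    # assumed non-LI-capable, two customers
    "3660-b": {"cust3"},             # assumed non-LI-capable, one customer
    "7206-vxr": {"cust4", "cust5"},  # assumed to run an LI-capable release
}
LI_CAPABLE = {"7206-vxr"}   # assumption: devices that can tap locally
PROBE_SITES = {"core"}      # assumption: one probe on the core side
INTERNET = "internet"       # pseudo-destination for off-net traffic


def edge_of(host):
    """Return the edge router a customer hangs off, or None for off-net."""
    for router, customers in EDGE_ROUTERS.items():
        if host in customers:
            return router
    return None


def flow_path(src, dst):
    """Hops a flow crosses. Same-router pairs hairpin: path is one hop."""
    a, b = edge_of(src), edge_of(dst)
    if a is None and b is None:
        raise ValueError("at least one endpoint must be a customer")
    if a == b:
        return [a]                     # never leaves the edge router
    hops = [a] if a else []
    hops.append("core")
    if b:
        hops.append(b)
    return hops


def interceptable(src, dst, probe_sites=PROBE_SITES, li_capable=LI_CAPABLE):
    """True if some hop on the path is a probe site or an LI-capable box."""
    return any(h in probe_sites or h in li_capable for h in flow_path(src, dst))


def coverage_gaps(probe_sites=PROBE_SITES, li_capable=LI_CAPABLE):
    """Sorted list of (src, dst) flows that no probe or LI device can tap."""
    customers = sorted(c for cs in EDGE_ROUTERS.values() for c in cs)
    gaps = [pair for pair in combinations(customers, 2)
            if not interceptable(*pair, probe_sites, li_capable)]
    gaps += [(c, INTERNET) for c in customers
             if not interceptable(c, INTERNET, probe_sites, li_capable)]
    return gaps


def edges_needing_li(li_capable=LI_CAPABLE):
    """Edge routers where a local tap is the only way to close a gap:
    non-LI boxes with more than one customer (hairpin traffic possible)."""
    return {r for r, cs in EDGE_ROUTERS.items()
            if r not in li_capable and len(cs) > 1}


if __name__ == "__main__":
    for src, dst in coverage_gaps():
        print(f"not interceptable: {src} <-> {dst} via {flow_path(src, dst)}")
    print("edge routers needing native LI:", sorted(edges_needing_li()))
```

With the constructed topology, the only gap is cust1 <-> cust2 on 3660-a; cust4 <-> cust5 is covered because the 7206 can tap locally, and everything else crosses the core probe. A single-customer 3660 is fine behind an upstream probe, which is the distinction worth checking per box before deciding what to replace.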

