[c-nsp] What are other SPs doing about CALEA?

Justin Shore justin at justinshore.com
Tue Feb 6 23:18:48 EST 2007 

Thanks for the reply.  My comments are inline.

Robert Blayzor wrote:
> Justin Shore wrote:
>   
>> The only equipment in this list that support any form of LI for data are 
>> the C3s, 7206VXRs, 7600s in an upcoming IOS release, the 3845s, the 
>> 3660s if we downgrade to a 12.3 release (and only voice then from what 
>> I've been told), and the Pannaway devices (only voice).  All VoIP 
>> provided by this provider/telco can be pulled off a class-5 switch which 
>> meets the voice CALEA requirements.
>>     
>
> CALEA is a requirement for any facilities based broadband service
> provider that offers transmission speeds of 200kbps or faster.  It
> doesn't matter if the SP provides voice or not; they must intercept VoIP
> if it traverses the wire.
>   
Right, that what I was getting at.  All our telephony services are 
either traditional POTS, voice over cable, or voice along side DSL and 
punted to the class-4 switches using SIP.  Other voice traffic is not 
our specific concern.  A CALEA request for the data would cover 
everything but our telephony and a request for the voice wouldn't matter 
in what we connect to the customer.  It still gets picked up on one of 
our soft switches.

>> I've been told that most SPs aren't replacing non-LI-compliant hardware 
>> and are simply planning on getting the data upstream of those edge 
>> devices.  For example our 3660s that are terminating customer T1s aren't 
>> compliant.  It was suggested that we simply get the traffic upstream of 
>> the 3660.  Does this meet the spirit of LI though?  What if one T1 
>> customer talks directly with another T1 customer and never leaves the 
>> 3660 (same goes for cable, DSL, etc)?
>>     
>
> That's exactly it, it's not compliant.  If you have an ATM OC3 where one
> caller with a PPPoE session can call another on the same OC3, in the
> same router, you have to be able to intercept; so your probes won't do
> you a lot of good if they don't leave the router.  Remember CALEA is for
> voice only, there is no requirement to "capture all data" AFAIK.
>   
That's rather the point though.  CALEA will cover all data on May 14th.  
CALEA is no longer only voice.  That's why the mailing lists are buzzing 
with CALEA discussions. 

http://www.askcalea.net/docs/20060503_2nd-memorandum.pdf
http://www.networkworld.com/news/2006/050406-fcc-calea-wiretapping-deadline.html

As far as communication within a non-LI router, we're still trying to 
figure out what to do.  We won't spend a couple hundred-thousand dollars 
to replace everything that won't do LI.  Neither will anyone else.

> I'd like to know what a lot of the cable companies are going to do with
> DOCSIS where you technically have a lot of neighbors sitting right next
> to each other with no possible snoop point.
>   
It's not a problem for cable systems.  By their very nature for one CPE 
to talk to another CPE it must first pass through the upstream interface 
on the CMTS and be switched back out the appropriate downstream 
interface.  There is no direct CPE to CPE communication.  Fortunately 
our Arris CMTSs are LI-capable.

>> This question was asked of me and I'll forward it to the group.  Can the 
>> 7613s act as a LI-aggregation point and take stream of LI data from 
>> other LI-enabled devices and send it to the MD or act as the MD?
>>     
>
> Not that I've read anywhere.  Seems the LI devices are either setup via
> SNMPv3 or via RADIUS records which give the intercept device the
> information it needs to send a copy of the session to the MD.
>   
That seems to be ideal way of doing it.  The classic LI example is that 
someone commands the MD to get Joe Blow's voice or data or both.  The MD 
learns where Joe Blow is currently connect to the network via the AAA 
server.  The MD issues the LI request to the edge device via SNMPv3 and 
tell it to copy the MD on Joe Blow's traffic.  The MD then punts that 
off to the appropriate LEA.  Of course few devices actually support LI 
so this is in all practicality simple not possible.  It sure does sound 
good on paper though.

>> Has anyone found a decently priced trusted 3rd-party that knows how to 
>> implement LI correctly?  We've found many that really don't know how but 
>> they are sure willing to bill us to try.
>>
>> I know we're not alone in this.  How are the rest of you fairing?
>>     
>
> A TTP really seems like it's for larger networks; it doesn't seem at all
> cost effective for us.  We're basically just buying all the LI licenses
> where we can, upgrading to devices where that can LI where we need to
> and we're exploring a MD centrally located in our operations center.
> For the amount of requests we'll probably get, we can handle it
> internally with existing staff.  A good place to start looking for MD
> devices/services is http://www.verint.com/. (it's one on the list that
> Cisco recommends)
>   
We're not terribly large either.  Initially the cost of bringing an 
outside vendor appeared to be the same as buying a MD ourselves.  Now 
the MD appears to be cheaper.  We still don't have the underlying design 
ready though.  So much to do...

Thanks for your input.  It would be nice to see this thread stay alive 
for a while.

Justin

More information about the cisco-nsp mailing list