[c-nsp] What are other SPs doing about CALEA?
Justin Shore
justin at justinshore.com
Tue Feb 6 23:18:48 EST 2007
Thanks for the reply. My comments are inline.
Robert Blayzor wrote:
> Justin Shore wrote:
>
>> The only equipment in this list that support any form of LI for data are
>> the C3s, 7206VXRs, 7600s in an upcoming IOS release, the 3845s, the
>> 3660s if we downgrade to a 12.3 release (and only voice then from what
>> I've been told), and the Pannaway devices (only voice). All VoIP
>> provided by this provider/telco can be pulled off a class-5 switch which
>> meets the voice CALEA requirements.
>>
>
> CALEA is a requirement for any facilities based broadband service
> provider that offers transmission speeds of 200kbps or faster. It
> doesn't matter if the SP provides voice or not; they must intercept VoIP
> if it traverses the wire.
>
Right, that's what I was getting at. All our telephony services are
either traditional POTS, voice over cable, or voice alongside DSL and
punted to the class-4 switches using SIP. Other voice traffic is not
our specific concern. A CALEA request for the data would cover
everything but our telephony and a request for the voice wouldn't matter
in what we connect to the customer. It still gets picked up on one of
our soft switches.
>> I've been told that most SPs aren't replacing non-LI-compliant hardware
>> and are simply planning on getting the data upstream of those edge
>> devices. For example our 3660s that are terminating customer T1s aren't
>> compliant. It was suggested that we simply get the traffic upstream of
>> the 3660. Does this meet the spirit of LI though? What if one T1
>> customer talks directly with another T1 customer and never leaves the
>> 3660 (same goes for cable, DSL, etc)?
>>
>
> That's exactly it, it's not compliant. If you have an ATM OC3 where one
> caller with a PPPoE session can call another on the same OC3, in the
> same router, you have to be able to intercept; so your probes won't do
> you a lot of good if they don't leave the router. Remember CALEA is for
> voice only, there is no requirement to "capture all data" AFAIK.
>
That's rather the point though. CALEA will cover all data on May 14th.
CALEA is no longer only voice. That's why the mailing lists are buzzing
with CALEA discussions.
http://www.askcalea.net/docs/20060503_2nd-memorandum.pdf
http://www.networkworld.com/news/2006/050406-fcc-calea-wiretapping-deadline.html
As far as communication within a non-LI router, we're still trying to
figure out what to do. We won't spend a couple hundred thousand dollars
to replace everything that won't do LI. Neither will anyone else.
> I'd like to know what a lot of the cable companies are going to do with
> DOCSIS where you technically have a lot of neighbors sitting right next
> to each other with no possible snoop point.
>
It's not a problem for cable systems. By their very nature for one CPE
to talk to another CPE it must first pass through the upstream interface
on the CMTS and be switched back out the appropriate downstream
interface. There is no direct CPE to CPE communication. Fortunately
our Arris CMTSs are LI-capable.
>> This question was asked of me and I'll forward it to the group. Can the
>> 7613s act as an LI-aggregation point and take a stream of LI data from
>> other LI-enabled devices and send it to the MD or act as the MD?
>>
>
> Not that I've read anywhere. Seems the LI devices are either set up via
> SNMPv3 or via RADIUS records which give the intercept device the
> information it needs to send a copy of the session to the MD.
>
That seems to be the ideal way of doing it. The classic LI example is that
someone commands the MD to get Joe Blow's voice or data or both. The MD
learns where Joe Blow is currently connected to the network via the AAA
server. The MD issues the LI request to the edge device via SNMPv3 and
tells it to copy the MD on Joe Blow's traffic. The MD then punts that
off to the appropriate LEA. Of course few devices actually support LI
so this is in all practicality simply not possible. It sure does sound
good on paper though.
>> Has anyone found a decently priced trusted 3rd-party that knows how to
>> implement LI correctly? We've found many that really don't know how but
>> they are sure willing to bill us to try.
>>
>> I know we're not alone in this. How are the rest of you faring?
>>
>
> A TTP really seems like it's for larger networks; it doesn't seem at all
> cost effective for us. We're basically just buying all the LI licenses
> where we can, upgrading to devices that can do LI where we need to
> and we're exploring an MD centrally located in our operations center.
> For the amount of requests we'll probably get, we can handle it
> internally with existing staff. A good place to start looking for MD
> devices/services is http://www.verint.com/. (it's one on the list that
> Cisco recommends)
>
We're not terribly large either. Initially the cost of bringing in an
outside vendor appeared to be the same as buying an MD ourselves. Now
the MD appears to be cheaper. We still don't have the underlying design
ready though. So much to do...
Thanks for your input. It would be nice to see this thread stay alive
for a while.
Justin