[c-nsp] What are other SPs doing about CALEA?

Frank Bulk frnkblk at iname.com
Wed Feb 7 00:26:43 EST 2007


> Justin Shore wrote:
> > The only equipment in this list that support any form of LI for data are
> > the C3s, 7206VXRs, 7600s in an upcoming IOS release, the 3845s, the 
> > 3660s if we downgrade to a 12.3 release (and only voice then from what 
> > I've been told), and the Pannaway devices (only voice).  All VoIP 
> > provided by this provider/telco can be pulled off a class-5 switch which
> > meets the voice CALEA requirements.
> 
> CALEA is a requirement for any facilities based broadband service
> provider that offers transmission speeds of 200kbps or faster.  It
> doesn't matter if the SP provides voice or not; they must 
> intercept VoIP
> if it traverses the wire.

It's been our understanding that if Vonage voice traffic crosses our
broadband networks that the LEA will work with Vonage, not us, to recover
the signaling and audio.  That is, we're only responsible for recovering the
voice traffic for the voice services *we* provide.  The Vonages of this
world also have CALEA requirements and obligations and they will fulfill
that for their own voice customers.  Of course, if the order is for us to
capture all data traffic to and from a subscriber, and that includes Vonage
SIP and RTP traffic, then of course, that's passed on, too, but we won't
need to extract the signaling or audio.

> > I've been told that most SPs aren't replacing non-LI-compliant hardware 
> > and are simply planning on getting the data upstream of those edge 
> > devices.  For example our 3660s that are terminating customer T1s aren't
> > compliant.  It was suggested that we simply get the traffic upstream of 
> > the 3660.  Does this meet the spirit of LI though?  What if one T1 
> > customer talks directly with another T1 customer and never leaves the 
> > 3660 (same goes for cable, DSL, etc)?
> 
> That's exactly it, it's not compliant.  If you have an ATM OC3 where one
> caller with a PPPoE session can call another on the same OC3, in the
> same router, you have to be able to intercept; so your probes won't do
> you a lot of good if they don't leave the router.  Remember CALEA is for
> voice only, there is no requirement to "capture all data" AFAIK.

I think the term 'CALEA-compliant' is somewhat of a misnomer.  If the device
can't natively do packet reflection (or whatever you want to call it there)
then there are usually other ways to get a copy of the traffic, such as port
mirroring or inline probes.  It's not like the non-compliant hardware
carries some stigma or needs to be replaced or anything.
In the case you describe, if you terminate your PPPoE connections over an
OC-3 on a BRAS that doesn't support LI, then yeah, that's going to be an
expensive OC-3 probe if the LEA requires you to capture any possible traffic
from the target to any other of your PPPoE subscribers on that BRAS.  It's
been my understanding that the SP may not necessarily have to put their
probe at the farthest edge of their network, but that it depends on the
order and what the LEA requests.  Of course, if you have the probes or
mechanisms in place to do it at the edge, it may be most expeditious to do
that right away.
 
> I'd like to know what a lot of the cable companies are going to do with
> DOCSIS where you technically have a lot of neighbors sitting right next
> to each other with no possible snoop point.

The three leading CMTS vendors, Arris, Cisco, and Motorola, have had
PacketCable intercept in their CMTS software for quite some time.  In our
Motorola the configuration is covered over several pages of the
documentation.
 
> > This question was asked of me and I'll forward it to the group.  Can the
> > 7613s act as a LI-aggregation point and take stream of LI data from 
> > other LI-enabled devices and send it to the MD or act as the MD?
> 
> Not that I've read anywhere.  Seems the LI devices are either set up via
> SNMPv3 or via RADIUS records which give the intercept device the
> information it needs to send a copy of the session to the MD.
> 
> 
> > What exactly is a LI stream composed of?  Is it a GRE tunnel, IPSec 
> > tunnel, a tunnel at all?  The docs have not gone into it at all.  I 
> > suppose I should just read the RFC for myself.
> 
> I believe RFC3924 is Cisco's method for lawful intercept, that's a good
> place to start.
> 
> > Has anyone found a decently priced trusted 3rd-party that knows how to 
> > implement LI correctly?  We've found many that really don't know how but
> > they are sure willing to bill us to try.
> > 
> > I know we're not alone in this.  How are the rest of you faring?
> 
> A TTP really seems like it's for larger networks; it doesn't seem at all
> cost effective for us.  We're basically just buying all the LI licenses
> where we can, upgrading to devices that can do LI where we need to,
> and we're exploring a MD centrally located in our operations center.
> For the amount of requests we'll probably get, we can handle it
> internally with existing staff.  A good place to start looking for MD
> devices/services is http://www.verint.com/. (it's one on the list that
> Cisco recommends)

Our state-wide co-op has set themselves up as a trusted third-party for
interested members.  Since we already get our TDM voice, data, and some
video services through them it makes natural sense.  They will be buying the
equipment and be in a position to provide JIT service.  The price per year
is less than what it costs for even one probe, and they can do that because
they are splitting the cost over dozens of member companies.

Regards,

Frank
