[c-nsp] What are other SPs doing about CALEA?

Robert Blayzor rblayzor at inoc.net
Wed Feb 7 07:18:10 EST 2007


Justin Shore wrote:
> Right, that's what I was getting at.  All our telephony services are
> either traditional POTS, voice over cable, or voice alongside DSL and
> punted to the class-4 switches using SIP.  Other voice traffic is not
> our specific concern.  A CALEA request for the data would cover
> everything but our telephony and a request for the voice wouldn't matter
> in what we connect to the customer.  It still gets picked up on one of
> our soft switches.

Your switch, no problem.  But if you're a facilities-based broadband
provider, even if you do not provide VoIP it's now your responsibility
to intercept the voice at your expense for the government.  Thanks
Vonage and the like! ;-)

> That's rather the point though.  CALEA will cover all data on May 14th. 
> CALEA is no longer only voice.  That's why the mailing lists are buzzing
> with CALEA discussions.

If that's true then all of the Cisco LI code is non-compliant as the last
thing I read it was VoIP only and did not currently support data.
Perhaps that's changed but that's what I just recently found right off CCO.

> As far as communication within a non-LI router, we're still trying to
> figure out what to do.  We won't spend a couple hundred-thousand dollars
> to replace everything that won't do LI.  Neither will anyone else.

Look on the bright side, if for some reason they make a request, and you
can't fill it, the fine can be up to $10k a day until you do.

> It's not a problem for cable systems.  By their very nature for one CPE
> to talk to another CPE it must first pass through the upstream interface
> on the CMTS and be switched back out the appropriate downstream
> interface.  There is no direct CPE to CPE communication.  Fortunately
> our Arris CMTSs are LI-capable.

Good to know.  I don't do a lot with DOCSIS or CMTSs, all of the
broadband we do is PPPoX, so they all come back to one point.

> That seems to be ideal way of doing it.  The classic LI example is that
> someone commands the MD to get Joe Blow's voice or data or both.  The MD
> learns where Joe Blow is currently connected to the network via the AAA
> server.  The MD issues the LI request to the edge device via SNMPv3 and
> tells it to copy the MD on Joe Blow's traffic.  The MD then punts that
> off to the appropriate LEA.  Of course few devices actually support LI
> so this is in all practicality simply not possible.  It sure does sound
> good on paper though.

Right.  I'm getting more info on this myself.  I believe the LEA will
make the request, and in that request, they should probably have the
connection/VPN info on where to send the data to. (one would think)  I
think overall there is just a lot of concern on the costs to become
fully compliant... we're spending quite a bit of money for LI licenses
and replacing network processors and such that will support it.

> We're not terribly large either.  Initially the cost of bringing an
> outside vendor appeared to be the same as buying a MD ourselves.  Now
> the MD appears to be cheaper.  We still don't have the underlying design
> ready though.  So much to do...

Check out Verint's Star-Gate Lite.  That seems to be geared for the
tier2/3 provider.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC

Memory dump:  Amnesia...

