[c-nsp] IOS and CALEA intercepts?

Jared Mauch jared at puck.nether.net
Thu Jan 25 08:41:01 EST 2007


On Thu, Jan 25, 2007 at 12:31:28AM -0600, Frank Bulk wrote:
> Based on the various CALEA presentations I have seen from our consultant,
> upstream internet provider, NECA, and others, it seems that at the end of
> the day LEA is looking for best-effort and smart capturing.  So if you can
> do it via SII, great, but if the network device can only do port spanning
> and that feeds into a "mediation device", that's OK, too.  If you use DHCP
> to provide IP addresses to your users and can extend the lease so that it
> doesn't change for a long time, perfect.  If you need to do it via some
> other kind of mechanism, that's fine, too.  If the LEA needs to capture some
> traffic and you have OC-3 terminated connections on your 7200 and there's
> the possibility that the target might be communicating with a co-conspirator
> who is also terminated on that 7200 such that you can't easily mirror the
> traffic, you might need to break out an OC-3 probe to capture the necessary
> traffic.  But if it's all upstream from the 7200 then an Ethernet probe
> might device.
> 
> So at the end of the day it seems very pragmatic -- following the order, of
> course, but doing what it needs to take, within reason, to get the job done.
> 
> Does anyone have impressions that indicate otherwise?

	I suggest contacting the "CALEA Implementation Unit".
You need to be able to send them the traffic in the "LES" protocol,
I kinda doubt your router(s) support this.  You may also need a
VPN to relay the data with the correct timestamps (200ms accuracy), 
within ~8 seconds.  And once again, remember, it's not just DoJ
that could serve you with a CALEA request, it could be your local
DA or similar.

	It should be noted that some of what you speak of (above)
is covered by Title III intercept capabilities vs Title 18 vs CALEA.
While the others have the concept of best-effort, CALEA is mandatory
(if it applies to you).

	- Jared

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Wednesday, January 24, 2007 6:48 PM
> To: Eric Helm; david raistrick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS and CALEA intercepts?
> 
> From having done a marginal amount of research on the topic I see the
> documentation make frequent reference to a "mediation device."  I was
> under the impression that you simply matched the target's traffic with
> an ACL and used the LI commands to copy that traffic to the LEA over the
> network.  Is a "mediation device" required for LI?  The docs imply that
> the mediation device matches the CALEA request with the target by way of
> AAA.  What if the user doesn't have to auth to get onto the network?
> For example, what do ISPs do that use RBE instead of PPPoE/A?  This is an
> interesting discussion.
> 
> Thanks
> Justin
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Helm
> Sent: Wednesday, January 24, 2007 4:44 PM
> To: david raistrick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS and CALEA intercepts?
> 
> 
> A vendor that uses SS8 Networks for the CALEA function, recommended a
> feature called Service Independent Intercept
> (http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008060dece.html).
> 
> Feature Navigator lists the AS5350/5400/5850, 7200, 7100, 10000, and
> 3660 as supported platforms.
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
