[c-nsp] IOS and CALEA intercepts?

Frank Bulk frnkblk at iname.com
Thu Jan 25 13:25:19 EST 2007


Jared:

I agree with you, complying with CALEA may be mandatory, but the LEA will
not dictate which vendor you use to gather the information or how you need
to architect your network.

The NECA presentation was led by Subsentio and Verint (NECA disclaims
endorsing them).  In that presentation Verint emphasized the requirement
that CALEA has on following a nationally recognized standard for data
collection.  There is no standard today, but Verint claimed that
mid-February ATIS would be approving a standard, perhaps ANSI/J-STD-025-B.
Once that happened, Verint claimed, all service providers who need to comply
with CALEA would need to use equipment that complies with the national
standard.  It sounded like marketing FUD to me, but perhaps someone else on
this listserv had heard something similar.

Regards,

Frank

-----Original Message-----
From: Jared Mauch [mailto:jared at puck.nether.net] 
Sent: Thursday, January 25, 2007 7:41 AM
To: Frank Bulk
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS and CALEA intercepts?

On Thu, Jan 25, 2007 at 12:31:28AM -0600, Frank Bulk wrote:
> Based on the various CALEA presentations I have seen from our consultant,
> upstream internet provider, NECA, and others, it seems that at the end of
> the day LEA is looking for best-effort and smart capturing.  So if you can
> do it via SII, great, but if the network device can only do port spanning
> and that feeds into a "mediation device", that's OK, too.  If you use DHCP
> to provide IP addresses to your users and can extend the lease so that it
> doesn't change for a long time, perfect.  If you need to do it via some
> other kind of mechanism, that's fine, too.  If the LEA needs to capture some
> traffic and you have OC-3 terminated connections on your 7200 and there's
> the possibility that the target might be communicating with a co-conspirator
> who is also terminated on that 7200 such that you can't easily mirror the
> traffic, you might need to break out an OC-3 probe to capture the necessary
> traffic.  But if it's all upstream from the 7200 then an Ethernet probe
> might device.
> 
> So at the end of the day it seems very pragmatic -- following the order, of
> course, but doing what it needs to take, within reason, to get the job done.
> 
> Does anyone have impressions that indicate otherwise?

	I suggest contacting the "CALEA Implementation Unit".
You need to be able to send them the traffic in the "LES" protocol,
I kinda doubt your router(s) support this.  You may also need a
VPN to relay the data with the correct timestamps (200ms accuracy), 
within ~8 seconds.  And once again, remember, it's not just DoJ
that could serve you with a CALEA request, it could be your local
DA or similar.

	It should be noted that some of what you speak of (above)
is covered by Title III intercept capabilities vs Title 18 vs CALEA.
While the others have the concept of best-effort, CALEA is mandatory
(if it applies to you).

	- Jared

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Wednesday, January 24, 2007 6:48 PM
> To: Eric Helm; david raistrick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS and CALEA intercepts?
> 
> From having done a marginal amount of research on the topic I see the
> documentation make frequent reference to a "mediation device."  I was
> under the impression that you simply matched the target's traffic with
> an ACL and used the LI commands to copy that traffic to the LEA over the
> network.  Is a "mediation device" required for LI?  The docs imply that
> the mediation device matches the CALEA request with the target by way of
> AAA.  What if the user doesn't have to auth to get onto the network?
> For example what do ISPs do that use RBE instead of PPPoE/A?  This is an
> interesting discussion.
> 
> Thanks
> Justin
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Helm
> Sent: Wednesday, January 24, 2007 4:44 PM
> To: david raistrick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS and CALEA intercepts?
> 
> 
> A vendor that uses SS8 Networks for the CALEA function, recommended a
> feature called Service Independent Intercept
> (http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008060dece.html).
> 
> Feature Navigator lists the AS5350/5400/5850, 7200, 7100, 10000, and
> 3660 as supported platforms.
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
