[c-nsp] IOS and CALEA intercepts?
Jared Mauch
jared at puck.nether.net
Thu Jan 25 13:35:06 EST 2007
On Thu, Jan 25, 2007 at 12:25:19PM -0600, Frank Bulk wrote:
> Jared:
>
> I agree with you, complying with CALEA may be mandatory, but the LEA will
> not dictate which vendor you use to gather the information or how you need
> to architect your network.
>
> The NECA presentation was led by Subsentio and Verint (NECA disclaims
> endorsing them). In that presentation Verint emphasized the requirement
> that CALEA has on following a nationally recognized standard for data
> collection. There is no standard today, but Verint claimed that
> mid-February ATIS would be approving a standard, perhaps ANSI/J-STD-025-B.
> Once that happened Verint claimed, all service providers who need to comply
> with CALEA would need to use equipment that complies with the national
> standard. It sounded like marketing FUD to me, but perhaps someone else on
> this listserv had heard something similar.
My understanding is that J-STD-025-B is not going to apply
to the "broadband" space, that T1.IAS will. I've spent more than my
fair share of time looking at this recently. The important
caveat is what would be considered a 'safe harbor' for your
network(s), and in this case, T1.IAS would be that 'safe harbor'.
Perhaps I will take a few moments and write up some slides for
the upcoming NANOG meeting. I would also point you to recent
presentations from places such as educause that are online.
Some things that appear clear (to me, but IANAL, nor is this
legal advice):
1) Your internal network(s) do not need to have CALEA
intercept capabilities (eg: that stuff behind the firewall).
2) Your office PBX does not need CALEA capabilities (unless
you are selling service to customers via it).
3) customer-VoIP needs intercept capabilities (internal voip
falls under #2)
4) "broadband" is poorly defined, but appears to only
cover what is a "substantial replacement" for dial-up. So if it's
a form of internet access that replaced that external modem (and is
over 200kbps) it is likely to be covered by CALEA.
I can create a separate mailing list if there's enough
interest in talking about CALEA, but there may be other forums
that would better apply. If you're not sure, put "FCC form 445" in your
favorite search engine and hand it to your CEO/owner/president/legal counsel
sooner rather than later, as the filing date is rapidly approaching.
- jared
> -----Original Message-----
> From: Jared Mauch [mailto:jared at puck.nether.net]
> Sent: Thursday, January 25, 2007 7:41 AM
> To: Frank Bulk
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS and CALEA intercepts?
>
> On Thu, Jan 25, 2007 at 12:31:28AM -0600, Frank Bulk wrote:
> > Based on the various CALEA presentations I have seen from our consultant,
> > upstream internet provider, NECA, and others, it seems that at the end of
> > the day LEA is looking for best-effort and smart capturing. So if you can
> > do it via SII, great, but if the network device can only do port spanning
> > and that feeds into a "mediation device", that's OK, too. If you use DHCP
> > to provide IP addresses to your users and can extend the lease so that it
> > doesn't change for a long time, perfect. If you need to do it via some
> > other kind of mechanism, that's fine, too. If the LEA needs to capture some
> > traffic and you have OC-3 terminated connections on your 7200 and there's
> > the possibility that the target might be communicating with a co-conspirator
> > who is also terminated on that 7200 such that you can't easily mirror the
> > traffic, you might need to break out an OC-3 probe to capture the necessary
> > traffic. But if it's all upstream from the 7200 then an Ethernet probe
> > might device.
> >
> > So at the end of the day it seems very pragmatic -- following the order, of
> > course, but doing what it needs to take, within reason, to get the job done.
> >
> > Does anyone have impressions that indicate otherwise?
>
> I suggest contacting the "CALEA Implementation Unit".
> You need to be able to send them the traffic in the "LES" protocol,
> I kinda doubt your router(s) support this. You may also need a
> VPN to relay the data with the correct timestamps (200ms accuracy),
> within ~8 seconds. And once again, remember, it's not just DoJ
> that could serve you with a CALEA request, it could be your local
> DA or similar.
>
> It should be noted that some of what you speak of (above)
> are covered by Title III intercept capabilities vs Title 18 vs CALEA.
> While the others have the concept of best-effort, CALEA is mandatory
> (if it applies to you).
>
> - Jared
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
> > Sent: Wednesday, January 24, 2007 6:48 PM
> > To: Eric Helm; david raistrick
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] IOS and CALEA intercepts?
> >
> > From having done a marginal amount of research on the topic I see the
> > documentation make frequent reference to a "mediation device." I was
> > under the impression that you simply matched the target's traffic with
> > an ACL and used the LI commands to copy that traffic to the LEA over the
> > network. Is a "mediation device" required for LI? The docs imply that
> > the mediation device matches the CALEA request with the target by way of
> > AAA. What if the user doesn't have to auth to get onto the network?
> > For example what do ISPs do that use RBE instead of PPPoE/A? This is an
> > interesting discussion.
> >
> > Thanks
> > Justin
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Helm
> > Sent: Wednesday, January 24, 2007 4:44 PM
> > To: david raistrick
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] IOS and CALEA intercepts?
> >
> >
> > A vendor that uses SS8 Networks for the CALEA function, recommended a
> > feature called Service Independent Intercept
> > (http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008060dece.html).
> >
> > Feature Navigator lists the AS5350/5400/5850, 7200, 7100, 10000, and
> > 3660 as supported platforms.
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.