The Dutch NAO organisation has tried to describe that problem. NAO is a
collaborative effort of most of the Dutch ISPs/Telcos (note: not colocation
facilities or webhosters) who faced these exact requirements half a year ago
when the Dutch mandatory tapping requirement became effective. They managed
to produce a presentation on "possible network topologies" that ISPs might
Their workgroup "topologie" produced something as well, but I can't find it
on their own site (there is a confusing policy on what parts are government
secrets and what parts are public information, which is so badly specified
that I as an ISP can't get any tapping specification, while I need to comply
with the tapping laws). Here's the copy of the document on Opentap:
I went to the vendor day that was held by NAO to bring vendors of tapping
boxes closer to their potential ISP clients.
There were two kinds of products:
1) Vapourware ("Do you have something ready that complies with Dutch law NOW?")
2) standard sniffing boxes/Carnivore-compatibles ("Do you have something
ready that complies with Dutch law NOW?")
For the vendors who claimed to be "almost ready" or my favourite one "already
doing lab testing at some secret location within the NL", I asked them how
the box plugged in: in parallel on the network, or as a link in the chain.
If they answered it was a link in the chain, I asked them about redundancy,
high availability and failover, and asked them how to convince my boss that
a single point of failure should be added to our network. If they said in
parallel, I asked them how I could catch all traffic. If they tried to say
something clever about putting ports in management mode to see the traffic
of all ports, I asked them why I should tell my boss to reduce our backbone
to the capacity of a single 100MB ethernet port.
Needless to say, I was in awe. So I wrote:
And later added some comments: http://cryptome.org/nl-tap2.htm
For the Law Enforcement Agencies (LEAs) the answer is always quite simple:
"You should be able to tap everything we want." From the ISP's point of view
this is often impossible. He's not allowed to change the service of a user,
in case the user might detect that, but how is an ISP going to tap traffic
that never gets onto his network? Two neighbouring cable users, two dial-in
users in the same local modem pool. And last but not least, the entire VPOP
structures where lots of smaller ISPs buy "national dialup" from the big
guys. They don't even have access to the infrastructure to add a tapping box.
The government's answer: "Administrative issue, can be dealt with by bilateral
talks". My interpretation of that is "You've broken the law, you will do
everything we say". Our government learned that trick from the US government.
The FBI will face similar problems; the inter-POP traffic is not going to be
captured. It's not a big problem, since the terrible crimes on that traffic
will mostly be copying illegal movies and songs. If two terrorists are
neighbours, I'd assume they would go to a sauna (I loved Icepick) to talk.
The problem will become worse with all the 802.11 networks popping up
everywhere (esp. if people are using things like IPSec with opportunistic