VoIP CALEA interfaces

I'm looking into the FCC ruling to require CALEA support for certain
classes of VoIP providers, as upheld by the DC circuit court a couple of
weeks ago [1]. The portion of VoIP that is covered by this order is pretty
narrow (i.e., you provide telephony-like VoIP services for $$ [read the
specs for the real definition]), and the FCC is looking at narrowing it
down further but has not done so yet. Meanwhile, the deadline for
implementation -- May 14, 2007 -- is starting to get pretty close.

The operational part of this subject, and the reason for this mail, is the
implementation of the wiretap interface. Obviously there are going to be a
range of implementation approaches, given that there are a wide variety of
providers. I mean, big-switch users probably just enable a feature, but
small providers that rely on IP PBX gear with FXO cards will have to do
something specific. Are vendors stepping up to the plate? Did you even
know about this?

Off-list is fine, and I'll summarize if there's interest.

Thanks

[1] http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf

I'm willing to reply on-list, but obviously any business or legal contacts have to be off-list. For those, I can point you to the product manager for the technology, but it would frankly be better for one to go through one's account team, for scaling reasons.

Yes, the vendors are aware of this. Our legal people track it pretty closely, and we have been dealing with the issues in Europe, Australia, and a number of other places for quite a while. We talk directly with legislators, regulators, and various police entities. Before you ask whether we speak with China, I'll point out that we deliver a common technology that people using it configure to the applicable laws and warrants, and the laws we looked at in designing it were the laws and regulations of the various countries that signed the CyberCrime treaty. We designed it the way we did to meet the laws and regulations of western democracies like the US and EU.

RFC 2804 requested that anyone that designed a Lawful Intercept technology please publish it so that it could have open review. We did so:

http://www.ietf.org/rfc/rfc3924.txt
3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker,
      B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes) (Status:
      INFORMATIONAL)

This has also been submitted to ETSI, as an alternative to the model initially proposed there, which was "why don't we just split every fiber and run one instance under the appropriate agency's door?". I am not personally involved in that effort, but someone from my company is and I understand that ETSI is considering the model.

What this describes is the interface from a router or switch, or from a control application like a SIP proxy, to a third party mediation device. The interface from the mediation device to the law enforcement agency is different, and differs by country. The fundamental principle that we are trying to design to is "give the LEA what the warrant says they should get, no more and no less"; in some cases, that means that the mediation device will get a superset of the warranted data and have to edit it appropriately. There are various technologies for lawful intercept that exist that require a site visit to the POP to respond to the warrant or deployment of a stack of equipment in each POP in case an LEA ever asks; we try to make this a feature of the router or switch that can be configured the same way anything else is, but the information regarding the intercept kept appropriately private.

You might also take a look at http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=lawful+intercept

Yes, the vendors are aware of this. Our legal people track it pretty
closely, and we have been dealing with the issues in Europe,
Australia, and a number of other places for quite a while. We talk
directly with legislators, regulators, and various police entities.

I was more curious about operators, but this is interesting.

http://www.ietf.org/rfc/rfc3924.txt
3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker,
      B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes) (Status:
      INFORMATIONAL)

This is an interesting approach. For one, it seems to cover a lot more
technology than CALEA requires. I suppose that is an artifact of trying to
serve multiple countries' requirements in a single architecture.

Also, to my knowledge the FCC/FBI have not yet agreed to accept any kind
of pure packet-level intercept interfaces as meeting LEA requirements. The
only "approved" interfaces I know of are for telco and cellular networks
(see http://www.askcalea.net/standards.html). Until they approve a
packet-based interface like you describe, it remains unapproved by
default, meaning that it would not count to satisfy the CALEA
requirements, right? You said that you put this to ETSI; have you put it
to the FCC and FBI for approval as a qualified interface?

Along those same lines... given that the covered VoIP providers are mostly
going to be interfacing to PSTN, my general assumption is that they will
use 3rd party gear to provide the supported CALEA interfaces, and then
interface that device into their VoIP infrastructure somehow (this assumes
the operator isn't using a real switch with CALEA interfaces already
built-in). A pure packet-based interface would be cheaper and better than
that, but given the reasons above it seems unlikely in the short term.

USTelecom has put on a free webinar about this, with guests from VeriSign.
It might be of interest.
http://www.ustelecom.org/events.php?urh=home.events.web2006_0615

Frank

Actually, no.

IANAL

US laws include Title III of the 1968 OCCSS, 1978 FISA, and the 1994 CALEA, with updates related to PATRIOT. The US is unusual in this respect; most of the countries that have published law or regulation relating to lawful intercept simply state that the police have authority to intercept any communications a surveillance subject participates in. As such, Cisco implemented the PacketCable solution for CALEA a while ago, and then went on to meet the requirements of our various customers that have IP data intercept requirements.

You might find the following of interest. It's more about e-911, but if you want to read forensic access in as well, the shoe fits.

http://blogs.cisco.com/networkers/2006/06/deploying_emergency_services_e.html

It's my opinion. Cisco is welcome to espouse it as well if it wants to.

Sorry, I should have given a link to the actual archived copy:
http://w.on24.com/r.htm?e=24039&s=1&k=38C852E931DEFE2A92A709EDE5FCF209&partnerref=website

The master list of events can be found on this page:
http://www.ustelecom.org/webinars.php?urh=home.events.webinars

Frank

If anyone has a contact for the dns folks over at af.mil could you please
inform them that their authoritative DNS servers have no A records so their
zone is failing to resolve for many people who have enabled anti-dnscache
poisoning features.

George Roettger
Netlink Services