What's the best way to wiretap a network?

Sean Donelan wrote:

Assuming lawful purposes, what is the best way to tap a network
undetectable to the surveillance subject, not missing any
relevant data, and not exposing the installer to undue risk?

'Best' rarely has a straight-forward answer. :wink:

Lawful access is subject to many of the same scaling issues which we
confront in building up our networks. Solutions which can work well for
'small' access or hosting providers may not be sensible for larger scale
environments.

If you have only a low rate of warrants to process per year,
   and if your facilities are few in number and/or geographically close
together,
   and if your 'optimum' point of tap insertion happens to be a link which
can be reasonably traced without very expensive ASIC-based gear
   and if your operation can tolerate breaking open the link to insert the
tap,
   and if the law enforcement types agree that the surveillance target is
unlikely to notice the link going down to insert the tap...

   then in-line taps such as Finisar or NetOptics can be quite sensible.

If your operation can tolerate the continuing presence of the in-line tap
and you only ever need a small number of them then leaving the taps
permanently installed may be entirely reasonable.

On the other hand, if your environment consists of a large number (100's) of
potential tapping points, then you will quickly determine that in-line taps
have very poor scaling properties.
  a) They are not rack-dense
  b) They require external power warts
  c) They are not cheap (in the range of US$500 each)
  d) Often when you have that many potential tapping points, you are
likely to be processing a larger number of warrants in a year. An in-line
tap arrangement will require a body to physically install the recording
equipment and cables to the trace-ports on the tap. You may also need to
make room for more than one set of recording gear at each site.

Large-scale providers will probably want to examine solutions based on
support built directly into their traffic-carrying infrastructure (switches,
routers.)

You should be watchful for law enforcement types trying to dictate a 'solution'
which is not a good fit to your own business environment. There are usually
several ways of getting them the data which they require to do their jobs.

Eriks

Scott C. McGrath

> Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> 'Best' rarely has a straight-forward answer. :wink:
>
> Lawful access is subject to many of the same scaling issues which we
> confront in building up our networks. Solutions which can work well for
> 'small' access or hosting providers may not be sensible for larger scale
> environments.
>
> If you have only a low rate of warrants to process per year,
>    and if your facilities are few in number and/or geographically close
> together,
>    and if your 'optimum' point of tap insertion happens to be a link which
> can be reasonably traced without very expensive ASIC-based gear
>    and if your operation can tolerate breaking open the link to insert the
> tap,
>    and if the law enforcement types agree that the surveillance target is
> unlikely to notice the link going down to insert the tap...
>
>    then in-line taps such as Finisar or NetOptics can be quite sensible.
>
> If your operation can tolerate the continuing presence of the in-line tap
> and you only ever need a small number of them then leaving the taps
> permanently installed may be entirely reasonable.
>
> On the other hand, if your environment consists of a large number (100's) of
> potential tapping points, then you will quickly determine that in-line taps
> have very poor scaling properties.
>   a) They are not rack-dense
>   b) They require external power warts
>   c) They are not cheap (in the range of US$500 each)
>   d) Often when you have that many potential tapping points, you are
> likely to be processing a larger number of warrants in a year. An in-line
> tap arrangement will require a body to physically install the recording
> equipment and cables to the trace-ports on the tap. You may also need to
> make room for more than one set of recording gear at each site.
>
> Large-scale providers will probably want to examine solutions based on
> support built directly into their traffic-carrying infrastructure (switches,
> routers.)

Using cisco's feature set on a uBR it would be

cable intercept interface x/y <Target MAC> <Logging Server IP> <port>

as an example of lawful access on infrastructure equipment
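Once intercepts live in the infrastructure configuration rather than in a box someone has to walk up to, the operational risk shifts to the config itself: an intercept statement that outlives its warrant, or one pointing at a collector nobody recognises. The script below is an added example written for this thread, not code from the post or from Cisco. It parses a constructed running-config excerpt for `cable intercept` statements laid out as the post sketches them (target MAC, collector IP, UDP port under a cable interface; the exact keyword layout is an assumption here), sanity-checks each field, and reconciles the result against a list of currently authorised (interface, MAC) pairs so that stale or unknown intercepts stand out.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Set, Tuple

# Constructed sample of a running-config excerpt; not captured from any real
# device. The statement layout follows the sketch in the post above and is an
# assumption for this example. The last intercept carries a deliberately bad
# port so the checker has something to flag.
SAMPLE_CONFIG = """\
!
interface Cable5/0
 ip address 192.0.2.1 255.255.255.0
 cable intercept 0011.2233.4455 198.51.100.10 7777
 cable intercept 0011.2233.4456 198.51.100.10 7778
!
interface Cable5/1
 ip address 192.0.2.129 255.255.255.128
 cable intercept 00aa.bbcc.ddee 203.0.113.5 99999
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
INTERCEPT_RE = re.compile(r"^\s+cable intercept\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Cisco dotted-hex MAC notation, e.g. 0011.2233.4455
CISCO_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


@dataclass
class Intercept:
    interface: str
    target_mac: str
    collector_ip: str
    udp_port: int
    problems: List[str] = field(default_factory=list)


def parse_intercepts(config: str) -> List[Intercept]:
    """Walk the config stanza by stanza and collect every intercept statement,
    attaching a list of field-level problems to each one."""
    found: List[Intercept] = []
    current = None  # interface whose stanza we are inside, if any
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):  # IOS stanza separator ends the interface
            current = None
            continue
        m = INTERCEPT_RE.match(line)
        if not m:
            continue
        mac, ip, port = m.groups()
        problems: List[str] = []
        if current is None:
            problems.append("intercept outside interface stanza")
        if not CISCO_MAC_RE.match(mac.lower()):
            problems.append(f"malformed MAC {mac}")
        try:
            ip_address(ip)
        except ValueError:
            problems.append(f"bad collector IP {ip}")
        try:
            port_n = int(port)
            if not 1 <= port_n <= 65535:
                problems.append(f"port {port} out of range")
        except ValueError:
            port_n = -1
            problems.append(f"non-numeric port {port}")
        found.append(Intercept(current or "?", mac.lower(), ip, port_n, problems))
    return found


def reconcile(intercepts: List[Intercept],
              authorized: Set[Tuple[str, str]]) -> List[Intercept]:
    """Return intercepts with no matching (interface, MAC) authorisation.
    'authorized' is whatever your warrant-tracking system exports."""
    return [i for i in intercepts if (i.interface, i.target_mac) not in authorized]


if __name__ == "__main__":
    active = parse_intercepts(SAMPLE_CONFIG)
    # Constructed authorisation list: only the first intercept has paperwork.
    warrants = {("Cable5/0", "0011.2233.4455")}
    for i in active:
        flags = "; ".join(i.problems) or "ok"
        print(f"{i.interface:12} {i.target_mac} -> {i.collector_ip}:{i.udp_port}  [{flags}]")
    for i in reconcile(active, warrants):
        print(f"NO AUTHORISATION ON FILE: {i.interface} {i.target_mac}")
```

Run it against `show running-config` output collected by whatever you already use for config backups; the useful part is the reconciliation step, which turns the config into a list that can be checked against the warrant file on a schedule rather than trusting that every intercept was removed when its order expired.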

Eriks Rugelis wrote:

> On the other hand, if your environment consists of a large number (100's) of
> potential tapping points, then you will quickly determine that in-line taps
> have very poor scaling properties.
>   a) They are not rack-dense
>   b) They require external power warts
>   c) They are not cheap (in the range of US$500 each)
>   d) Often when you have that many potential tapping points, you are
> likely to be processing a larger number of warrants in a year. An in-line
> tap arrangement will require a body to physically install the recording
> equipment and cables to the trace-ports on the tap. You may also need to
> make room for more than one set of recording gear at each site.

This is a feature, not a bug. Law enforcement is required to pay --
up front -- all costs of tapping. No pay, no play.

> Large-scale providers will probably want to examine solutions based on
> support built directly into their traffic-carrying infrastructure (switches,
> routers.)
>
> You should be watchful for law enforcement types trying to dictate a 'solution'
> which is not a good fit to your own business environment. There are usually
> several ways of getting them the data which they require to do their jobs.

Whatever they are willing to pay for -- a good fit for the business
environment is the largest effort and highest cost, as the overhead
and administrative charges should be enough to be profitable.

Oh, I wish, I wish....

In NL, law dictates any telecommunications device (as defined amongst things
as "anything with an IP address") needs to be tappable. Infrastructure costs
are not reimbursed. Only operational costs for enabling/disabling are
reimbursed here.

Paul, who wished he was at a certain IX when the LEA's came and asked for
*all* traffic.