I'm looking into the FCC ruling to require CALEA support for certain classes of VoIP providers, as upheld by the DC circuit court a couple of weeks ago [1]. The portion of VoIP that is covered by this order is pretty narrow (ie, you provide telephony-like voip services for $$ [read the specs for the real definition]), and the FCC is looking at narrowing it down further but has not done so yet. Meanwhile, the deadline for implementation -- May 14, 2007 -- is starting to get pretty close.

The operational part of this subject, and the reason for this mail, is the implementation of the wiretap interface. Obviously there are going to be a range of implementation approaches, given that there are a wide variety of providers. I mean, big-switch users probably just enable a feature, but small providers that rely on IP PBX gear with FXO cards will have to do something specific. Are vendors stepping up to the plate? Did you even know about this?

Off-list is fine, and I'll summarize if there's interest.

Thanks

[1] http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
I'm willing to reply on-list, but obviously any business or legal contacts have to be off-list. For those, I can point you to the product manager for the technology, but it would frankly be better for one to go through one's account team, for scaling reasons.

Yes, the vendors are aware of this. Our legal people track it pretty closely, and we have been dealing with the issues in Europe, Australia, and a number of other places for quite a while. We talk directly with legislators, regulators, and various police entities. Before you ask whether we speak with China, I'll point out that we deliver a common technology that people using it configure to the applicable laws and warrants, and the laws we looked at in designing it were the laws and regulations of the various countries that signed the CyberCrime treaty. We designed it the way we did to meet the laws and regulations of western democracies like the US and EU.

RFC 2804 requested that anyone that designed a Lawful Intercept technology please publish it so that it could have open review. We did so:

http://www.ietf.org/rfc/rfc3924.txt
3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker, B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes) (Status: INFORMATIONAL)

This has also been submitted to ETSI, as an alternative to the model initially proposed there, which was "why don't we just split every fiber and run one instance under the appropriate agency's door?". I am not personally involved in that effort, but someone from my company is and I understand that ETSI is considering the model.

What this describes is the interface from a router or switch, or from a control application like a SIP proxy, to a third party mediation device. The interface from the mediation device to the law enforcement agency is different, and differs by country.

The fundamental principle that we are trying to design to is "give the LEA what the warrant says they should get, no more and no less"; in some cases, that means that the mediation device will get a superset of the warranted data and have to edit it appropriately. There are various technologies for lawful intercept that exist that require a site visit to the POP to respond to the warrant or deployment of a stack of equipment in each POP in case an LEA ever asks; we try to make this a feature of the router or switch that can be configured the same way anything else is, but the information regarding the intercept kept appropriately private.

You might also take a look at http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=lawful+intercept

On Jun 20, 2006, at 9:48 AM, Eric A. Hall wrote:
I'm looking into the FCC ruling to require CALEA support for certain classes of VoIP providers, as upheld by the DC circuit court a couple of weeks ago [1]. The portion of VoIP that is covered by this order is pretty narrow (ie, you provide telephony-like voip services for $$ [read the specs for the real definition]), and the FCC is looking at narrowing it down further but has not done so yet. Meanwhile, the deadline for implementation -- May 14, 2007 -- is starting to get pretty close.
The operational part of this subject, and the reason for this mail, is the implementation of the wiretap interface. Obviously there are going to be a range of implementation approaches, given that there are a wide variety of providers. I mean, big-switch users probably just enable a feature, but small providers that rely on IP PBX gear with FXO cards will have to do something specific. Are vendors stepping up to the plate? Did you even know about this?
Off-list is fine, and I'll summarize if there's interest.
Thanks
[1] http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On 6/20/2006 1:33 PM, Fred Baker wrote:
Yes, the vendors are aware of this. Our legal people track it pretty closely, and we have been dealing with the issues in Europe, Australia, and a number of other places for quite a while. We talk directly with legislators, regulators, and various police entities.
I was more curious about operators but this is interesting.
http://www.ietf.org/rfc/rfc3924.txt 3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker, B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes) (Status: INFORMATIONAL)
This is an interesting approach. For one, it seems to cover a lot more technology than CALEA requires. I suppose that is an artifact of trying to serve multiple countries' requirements in a single architecture.

Also, to my knowledge the FCC/FBI have not yet agreed to accept any kind of pure packet-level intercept interfaces as meeting LEA requirements. The only "approved" interfaces I know of are for telco and cellular networks (see http://www.askcalea.net/standards.html). Until they approve a packet-based interface like you describe, it remains unapproved by default, meaning that it would not count to satisfy the CALEA requirements, right? You said that you put this to ETSI; have you put it to the FCC and FBI for approval as a qualified interface?

Along those same lines... given that the covered VoIP providers are mostly going to be interfacing to PSTN, my general assumption is that they will use 3rd party gear to provide the supported CALEA interfaces, and then interface that device into their VoIP infrastructure somehow (this assumes the operator isn't using a real switch with CALEA interfaces already built-in). A pure packet-based interface would be cheaper and better than that, but given the reasons above it seems unlikely in the short term.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Jun 20, 2006, at 11:44 AM, Eric A. Hall wrote:
This is an interesting approach. For one, it seems to cover a lot more technology than CALEA requires. I suppose that is an artifact of trying to serve multiple countries' requirements in a single architecture.
Actually, no. IANAL. US laws include Title III of the 1968 OCCSS, 1978 FISA, and the 1994 CALEA, with updates related to PATRIOT. The US is unusual in this respect; most of the countries that have published law or regulation relating to lawful intercept simply state that the police have authority to intercept any communications a surveillance subject participates in. As such Cisco implemented the PacketCable solution for CALEA a while, and then went on to meet the requirements of our various customers that have IP data intercept requirements.

You might find the following of interest. It's more about e-911, but if you want to read forensic access in as well, the shoe fits.

http://blogs.cisco.com/networkers/2006/06/deploying_emergency_services_e.html

It's my opinion. Cisco is welcome to espouse it as well if it wants to.
USTelecom has put on a free webinar about this, with guests from VeriSign. It might be of interest.

http://www.ustelecom.org/events.php?urh=home.events.web2006_0615

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Eric A. Hall
Sent: Tuesday, June 20, 2006 11:49 AM
To: nanog list
Subject: voip calea interfaces

I'm looking into the FCC ruling to require CALEA support for certain classes of VoIP providers, as upheld by the DC circuit court a couple of weeks ago [1]. The portion of VoIP that is covered by this order is pretty narrow (ie, you provide telephony-like voip services for $$ [read the specs for the real definition]), and the FCC is looking at narrowing it down further but has not done so yet. Meanwhile, the deadline for implementation -- May 14, 2007 -- is starting to get pretty close.

The operational part of this subject, and the reason for this mail, is the implementation of the wiretap interface. Obviously there are going to be a range of implementation approaches, given that there are a wide variety of providers. I mean, big-switch users probably just enable a feature, but small providers that rely on IP PBX gear with FXO cards will have to do something specific. Are vendors stepping up to the plate? Did you even know about this?

Off-list is fine, and I'll summarize if there's interest.

Thanks

[1] http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Sorry, I should have given a link to the actual archived copy:

http://w.on24.com/r.htm?e=24039&s=1&k=38C852E931DEFE2A92A709EDE5FCF209&partnerref=website

The master list of events can be found on this page:

http://www.ustelecom.org/webinars.php?urh=home.events.webinars

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Frank Bulk
Sent: Tuesday, June 20, 2006 3:14 PM
To: nanog list
Subject: RE: voip calea interfaces

USTelecom has put on a free webinar about this, with guests from VeriSign. It might be of interest.

http://www.ustelecom.org/events.php?urh=home.events.web2006_0615

Frank
If anyone has a contact for the dns folks over at af.mil could you please inform them that their authoritative DNS servers have no A records so their zone is failing to resolve for many people who have enabled anti-dnscache poisoning features.

George Roettger
Netlink Services
participants (4)
- Eric A. Hall
- Frank Bulk
- Fred Baker
- Geo.