Re: Mechanics of CALEA taps

2013-06-11 Thread Rick Robino
> Message: 1
> Date: Sun, 9 Jun 2013 18:59:16 -0400
> From: Randy Fischer 
> To: North American Network Operators Group 
> Subject: Mechanics of CALEA taps
> Message-ID:
>   
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer


Operators can choose to be involved, or they can choose not to be involved, 
according to the specs - the extent is ultimately up to them.  It is perhaps 
possible that some operators know nothing more about the intercepts happening 
on their network than what their bill tells them.  I can believe that but I 
would hope that it is rare.  Likewise, I believe that any operator who makes an 
effort to understand and have control over their network could be fooled so 
easily.

The CALEA tap mechanism does not necessarily work as you have outlined.  The 
telecom industry fought for and won two other options that give the operator 
more involvement and authority over the execution of the intercepts.

All of the options end up impacting your network, as you have to decide how to 
feed a copy of all of the data belonging to the subscriber(s) named in a 
warrant to a CALEA probe.  The probe drops all of the packets that don't belong 
to the subject, then it ASN.1-encodes the data and tunnels it over the public 
network to a law-enforcement agency (or their contractor).

That's generally how it works.  Once the taps and probes and mediation device 
are in place, it's just a matter of provisioning.  But that engineering is the 
tough part - after that just about all you see is the warrant itself, and then 
some phone calls and email from the law-enforcement folks setting up the 
transport stuff.  No lawyers visit, no law-enforcement officials visit, you 
just get a warrant and then how you handle it is up to you.

So if an operator chooses to engage themselves instead of handing control over 
to someone else, they can be quite sure of what is happening.  For reasons I 
don't quite understand, however, it doesn't seem like many operators who don't 
otherwise outsource ISP services do tend to outsource CALEA.

In my opinion, if you manage your own DNS and/or mail servers, you can handle 
CALEA.  Not only could it save you some money, but it gives you a discrete way 
to isolate test-traffic on your network with a more intuitive filter (i.e. 
subscriber name) than just an IP or a MAC address.*  If you live in wireshark 
all day then you will appreciate having the haystack separated from the needle 
before it enters your system.

The three options are:

1.  Rent CALEA gear - hand warrant to company X

2.  Build your own CALEA gear - evaluate and execute the warrant yourself.

3.  Buy company Y's gear - evaluate and execute the warrant yourself.

Obviously one could outsource the evaluation of a warrant to a third party;  
and sure you could probably have a private line between you and the LEA... the 
details vary, I am drawing a very generic picture here.

So, generally, the biggest problem is a technical one:  how to add this "tap" 
feature to your network - either with real physical taps or mirror-ports of 
some kind.  There are lots of such considerations and lots of options.  Once 
they're done you can probably make use of them for worthwhile operational 
purposes, but probably only with options 2 and 3.

The smaller problem is the legal one:  is a lawyer required to read the warrant 
and then make the provisioning call, or not?



* Disclosure:  I try not to be biased, but I do work for a vendor of a CALEA 
probe product, so "caveat lector".  Comments submitted here have nothing to do 
with my employer, however, and are provided only as a help to those that really 
don't know that they can and ought to be fully involved and aware of any "taps".


-- 
Rick Robino
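The probe pipeline Rick describes above (feed the subscriber's traffic to a probe, drop everything that is not the subject's, ASN.1-encode the rest, hand it to the agency) is simple enough to sketch in code. The following is an added example, written for this page; it is not Rick's code, not any vendor's probe, and not the standardized lawful-intercept record format. The subscriber directory, the sample packets and the SEQUENCE layout of each record are all constructed assumptions. What it does show is the part Rick calls the useful side effect: a filter keyed on subscriber name rather than on a raw IP or MAC, resolved through the operator's own address assignments, with a DER encoder and decoder so the handed-over blob can be checked.

```python
"""Toy CALEA-style probe: resolve a warrant subject to addresses, keep only that
subject's packets, DER-encode them.  Illustrative only (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int        # seconds since epoch
    src: str
    dst: str
    payload: bytes


# Constructed subscriber directory: the operator's own mapping from the name a
# warrant names to the addresses assigned to that subscriber (assumed values).
SUBSCRIBERS = {
    "subscriber-0042": {"198.51.100.17", "2001:db8:42::17"},
    "subscriber-0099": {"198.51.100.99"},
}

# Constructed packet stream standing in for a mirror-port feed; not a real capture.
SAMPLE_PACKETS = [
    Packet(1370822356, "198.51.100.17", "203.0.113.5", b"GET / HTTP/1.1\r\n"),
    Packet(1370822357, "203.0.113.5", "198.51.100.17", b"HTTP/1.1 200 OK\r\n"),
    Packet(1370822358, "198.51.100.99", "203.0.113.5", b"GET /x HTTP/1.1\r\n"),
    Packet(1370822359, "2001:db8:42::17", "2001:db8::1", b"\x00\x01"),
    Packet(1370822360, "198.51.100.7", "198.51.100.99", b"hello"),
]


def subject_addresses(subscriber_name):
    """Resolve the name on the warrant to the set of IPs the operator assigned."""
    if subscriber_name not in SUBSCRIBERS:
        raise LookupError(f"no such subscriber: {subscriber_name}")
    return {ipaddress.ip_address(a) for a in SUBSCRIBERS[subscriber_name]}


def select_subject_packets(packets, subject_ips):
    """Keep only packets whose source or destination belongs to the subject."""
    return [p for p in packets
            if ipaddress.ip_address(p.src) in subject_ips
            or ipaddress.ip_address(p.dst) in subject_ips]


# --- minimal DER (tag, length, value) encoding ------------------------------
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(n):
    """Non-negative INTEGER, minimal length, leading 0x00 when the high bit is set."""
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def der_octets(b):
    return der_tlv(0x04, b)


def der_sequence(*elems):
    return der_tlv(0x30, b"".join(elems))


def encode_record(p):
    """Assumed layout: SEQUENCE { ts INTEGER, src, dst, payload OCTET STRING }."""
    return der_sequence(der_integer(p.ts),
                        der_octets(ipaddress.ip_address(p.src).packed),
                        der_octets(ipaddress.ip_address(p.dst).packed),
                        der_octets(p.payload))


def encode_intercept(packets):
    return der_sequence(*(encode_record(p) for p in packets))


def der_decode(buf):
    """Parse one TLV from the front of buf; return (tag, value, remainder)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + n], buf[i + n:]


def decode_intercept(blob):
    """Inverse of encode_intercept, so the operator can audit what was handed over."""
    tag, body, rest = der_decode(blob)
    if tag != 0x30 or rest:
        raise ValueError("expected exactly one outer SEQUENCE")
    out = []
    while body:
        _, rec, body = der_decode(body)
        fields = []
        while rec:
            _, v, rec = der_decode(rec)
            fields.append(v)
        ts, src, dst, payload = fields
        out.append(Packet(int.from_bytes(ts, "big"), str(ipaddress.ip_address(src)),
                          str(ipaddress.ip_address(dst)), payload))
    return out


def run_warrant(subscriber_name, packets=SAMPLE_PACKETS):
    """Whole pipeline for one warrant: resolve subject, filter, encode."""
    subject = select_subject_packets(packets, subject_addresses(subscriber_name))
    return subject, encode_intercept(subject)


if __name__ == "__main__":
    kept, blob = run_warrant("subscriber-0042")
    print(f"{len(kept)} of {len(SAMPLE_PACKETS)} packets kept, {len(blob)} DER bytes")
    for p in decode_intercept(blob):
        print(p.ts, p.src, "->", p.dst, p.payload)
```

The filter matches on either direction, which is what makes "subscriber name" a better handle than a single address when a subject holds both an IPv4 and an IPv6 assignment; a real probe would of course key on whatever the operator's AAA or DHCP records say rather than a static dictionary.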


RE: Mechanics of CALEA taps

2013-06-10 Thread Warren Bailey
The only calea intercept I watched take place was with a system made by 
Sandvine.. And it was pretty shocking.


Sent from my Mobile Device.


 Original message 
From: Dennis Burgess 
Date: 06/10/2013 6:25 AM (GMT-08:00)
To: Randy Fischer ,nanog@nanog.org
Subject: RE: Mechanics of CALEA taps


While it's possible to do this, you would have to have a device that would not 
impact performance typically at every exit point, but in a perfect world it 
would be on the client's CPE device!  Our wireless CPEs can do this.  I 
would note that a business model to not bill until a request is completed would 
work due to the amount of hardware that x company would have to put out.

Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second 
Edition"
 Link Technologies, Inc -- Mikrotik & WISP Support Services
 Office: 314-735-0270 Website: http://www.linktechs.net - Skype: linktechs
 -- Create Wireless Coverages with www.towercoverage.com - 900Mhz - LTE - 3G - 3.65 
- TV Whitespace

-Original Message-
From: Randy Fischer [mailto:randy.fisc...@gmail.com]
Sent: Sunday, June 09, 2013 5:59 PM
To: North American Network Operators Group
Subject: Mechanics of CALEA taps

Dear nanog:

Honestly, I expect replies to this question to range between zero and none, but 
I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

 * we outsource our CALEA management to company X
 * we don't even know there's been a request until we've gotten a bill from X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer



RE: Mechanics of CALEA taps

2013-06-10 Thread Dennis Burgess
While it's possible to do this, you would have to have a device that would not 
impact performance typically at every exit point, but in a perfect world it 
would be on the client's CPE device!  Our wireless CPEs can do this.  I 
would note that a business model to not bill until a request is completed would 
work due to the amount of hardware that x company would have to put out.

Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second 
Edition"
 Link Technologies, Inc -- Mikrotik & WISP Support Services
 Office: 314-735-0270 Website: http://www.linktechs.net - Skype: linktechs
 -- Create Wireless Coverages with www.towercoverage.com - 900Mhz - LTE - 3G - 
3.65 - TV Whitespace

-Original Message-
From: Randy Fischer [mailto:randy.fisc...@gmail.com] 
Sent: Sunday, June 09, 2013 5:59 PM
To: North American Network Operators Group
Subject: Mechanics of CALEA taps

Dear nanog:

Honestly, I expect replies to this question to range between zero and none, but 
I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

 * we outsource our CALEA management to company X
 * we don't even know there's been a request until we've gotten a bill from X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer



Re: Mechanics of CALEA taps

2013-06-09 Thread Matthew Kaufman
It is possible, and not just for "ISPs"

Matthew Kaufman

(Sent from my iPhone)

On Jun 9, 2013, at 3:59 PM, Randy Fischer  wrote:

> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer



Re: Mechanics of CALEA taps

2013-06-09 Thread Jon Lewis

On Sun, 9 Jun 2013, Randy Fischer wrote:

> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?


Inconceivable!  That'd be like having your security system monitoring 
company able to eavesdrop on your house any time they want, just in case.

Come to think of it, the latest greatest systems are capable of that.

It sounds so stupid to me, I bet someone's doing it.

--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Mechanics of CALEA taps

2013-06-09 Thread Christopher Morrow
(from back when I cared more about calea as an implementor)

On Sun, Jun 9, 2013 at 8:15 PM, Alex Rubenstein  wrote:
>> Honestly, I expect replies to this question to range between zero and none,
>> but I have to ask it.
>
> Surprise!

me too!

>
>> I understand the CALEA tap mechanism for most ISPs, generally, works like
>> this:
>>
>>  * we outsource our CALEA management to company X
>>  * we don't even know there's been a request until we've gotten a bill from 
>> X.
>
> I've never even thought of the idea of outsourcing CALEA requests. That is 
> probably because I would never consider doing it.
>
> Perhaps we are in the minority, but we scrutinize every request of any sort 
> to ensure it has jurisdiction and is valid. I can't even fathom the thought 
> of trusting a third party for this.
>

agreed, since most of the tap-work actually requires changes on
network equipment in the network you run, why would you outsource
this? Especially when the taps impact forwarding performance of the
platforms in question...



RE: Mechanics of CALEA taps

2013-06-09 Thread Alex Rubenstein
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.

Surprise!

> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
>  * we outsource our CALEA management to company X
>  * we don't even know there's been a request until we've gotten a bill from X.

I've never even thought of the idea of outsourcing CALEA requests. That is 
probably because I would never consider doing it.

Perhaps we are in the minority, but we scrutinize every request of any sort to 
ensure it has jurisdiction and is valid. I can't even fathom the thought of 
trusting a third party for this.