[161471] in North American Network Operators' Group
Re: What are y'all doing for CALEA compliance?
daemon@ATHENA.MIT.EDU (Joshua Goldbard)
Fri Mar 15 11:33:40 2013
From: Joshua Goldbard <j@2600hz.com>
To: Warren Bailey <wbailey@satelliteintelligencegroup.com>
Date: Fri, 15 Mar 2013 15:32:26 +0000
In-Reply-To: <hy5e6wl7v0bbnemjtnafl8uk.1363361371421@email.android.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
God I want one of those PA firewalls just to play with in the lab. I can't justify the expense, but as far as firewalls go they're gorgeous. From the chassis to the UI, PA is just doing it right.
If anyone has a different experience, I'd love to hear it.
Sent from my iPad
On Mar 15, 2013, at 8:29 AM, "Warren Bailey" <wbailey@satelliteintelligencegroup.com> wrote:
We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo Alto. Worked okay, never did have to execute a warrant or anything.
From my Android phone on T-Mobile. The first nationwide 4G network.
-------- Original message --------
From: Joshua Goldbard <j@2600hz.com>
Date: 03/15/2013 8:25 AM (GMT-08:00)
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: What are y'all doing for CALEA compliance?
I am not a lawyer, this is not legal advice. If you make decisions about what you should be doing in your business based solely on emails from strangers you won't do well. Get a second opinion from a lawyer.
This comes up about once every 6 months on the voice ops mailing list. If you are a CLEC and you are not CALEA compliant, you are in for a world of hurt.
If you're a non-facilities based reseller this is open for interpretation, but many folks believe that if you don't have gear inside the carrier pops, you aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is directly proportional to the number of CALEA requests to your network (ergo, if you don't have any CALEA requests no one cares if you're out of compliance).
That being said, there are further problems underfoot. CALEA does not specify what technologies should be used when presenting the data to law enforcement, I forget the exact wording but it's something like "a reasonable format". CDRs are not sufficient as CALEA requires the ability to tap sessions, but in the past we've seen most legal requests placated with an Excel sheet.
As far as monitoring your connection, if your 10gig is coming in over fiber you should just buy a vampire tap and be done with it.
I hope this helps, but CALEA is inherently messy.
Cheers,
Joshua
Sent from my iPad
On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcableguy@gmail.com> wrote:
>> What are you RENs out there doing for CALEA compliance? Is there actually
>
> being happy we solved it 6 yrs ago?
>
>> any teeth to the law? Our systems guys have tried a product called 'Open
>
> teeth as in the 100k/day fine?
>
>> CALEA' but the router and the server simply can't keep up with mirroring
>> from a 10Gbps connection into a 1Gbps link. I'm no legal expert
>
> that seems like a suboptimal design ... why would you mirror 10lbs of
> poo into a 1lb bag? that seems like it's bound to fail from the
> get-go.
>
>> either....any lawyers on this list?
>
> you should find a lawyer... srsly.
>
>> Thanks for all the great advice. This is a great community!
>
> -chris
>