[163557] in North American Network Operators' Group
Re: Mechanics of CALEA taps
daemon@ATHENA.MIT.EDU (Rick Robino)
Tue Jun 11 19:23:18 2013
From: Rick Robino <rick.robino@ipfabrics.com>
Date: Tue, 11 Jun 2013 16:22:42 -0700
To: randy.fischer@gmail.com,
nanog@nanog.org
> Message: 1
> Date: Sun, 9 Jun 2013 18:59:16 -0400
> From: Randy Fischer <randy.fischer@gmail.com>
> To: North American Network Operators Group <nanog@nanog.org>
> Subject: Mechanics of CALEA taps
> Message-ID: <CAGXkcm46fVFhnoHKZiACEYe5k4CV=H45Ff=zZMLz2pQyeyNAcA@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear nanog:
>
> Honestly, I expect replies to this question to range between zero and none, but I have to ask it.
>
> I understand the CALEA tap mechanism for most ISPs, generally, works like this:
>
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from X.
>
> And that's the extent of it.
>
> Well, golly Slothrop, maybe someone else has started picking up the tab. Would you even know?
>
> Is that possible?
>
> Thanks,
>
> Randy Fischer
Operators can choose to be involved, or they can choose not to be involved, according to the specs - the extent is ultimately up to them. It is perhaps possible that some operators know nothing more about the intercepts happening on their network than what their bill tells them. I can believe that but I would hope that it is rare. Likewise, I believe that any operator who makes an effort to understand and have control over their network could be fooled so easily.
The CALEA tap mechanism does not necessarily work as you have outlined. The telecom industry fought for and won two other options that give the operator more involvement and authority over the execution of the intercepts.
All of the options end up impacting your network, as you have to decide how to feed a copy of all of the data belonging to the subscriber(s) named in a warrant to a CALEA probe. The probe drops all of the packets that don't belong to the subject, then it ASN.1-encodes the data and tunnels it over the public network to a law-enforcement agency (or their contractor).
That's generally how it works. Once the taps and probes and mediation device are in place, it's just a matter of provisioning. But that engineering is the tough part - after that just about all you see is the warrant itself, and then some phone calls and email from the law-enforcement folks setting up the transport stuff. No lawyers visit, no law-enforcement officials visit, you just get a warrant and then how you handle it is up to you.
So if an operator chooses to engage themselves instead of handing control over to someone else, they can be quite sure of what is happening. For reasons I don't quite understand, however, it doesn't seem like many operators who don't otherwise outsource ISP services do tend to outsource CALEA.
In my opinion, if you manage your own DNS and/or mail servers, you can handle CALEA. Not only could it save you some money, but it gives you a discrete way to isolate test traffic on your network with a more intuitive filter (i.e. subscriber name) than just an IP or a MAC address.* If you live in Wireshark all day then you will appreciate having the haystack separated from the needle before it enters your system.
The three options are:

1. Rent CALEA gear - hand warrant to company X
2. Build your own CALEA gear - evaluate and execute the warrant yourself.
3. Buy company Y's gear - evaluate and execute the warrant yourself.
Obviously one could outsource the evaluation of a warrant to a third party; and sure you could probably have a private line between you and the LEA... the details vary, I am drawing a very generic picture here.
So, generally, the biggest problem is a technical one: how to add this "tap" feature to your network - either with real physical taps or mirror-ports of some kind. There are lots of such considerations and lots of options. Once they're done you can probably make use of them for worthwhile operational purposes, but probably only with options 2 and 3.
The smaller problem is the legal one: is a lawyer required to read the warrant and then make the provisioning call, or not?
* Disclosure: I try not to be biased, but I do work for a vendor of a CALEA probe product, so "caveat lector". Comments submitted here have nothing to do with my employer, however, and are provided only as a help to those that really don't know that they can and ought to be fully involved and aware of any "taps".
-- 
Rick Robino
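The probe stage Rick describes (take the mirror-port feed, drop every packet that does not belong to the warrant subject, ASN.1-encode what is left for delivery) is sketched below as an added example written for this page; it is not code from the post, from the poster's employer, or from any CALEA product. The subscriber table, the packets, the case id and the record layout are all constructed for the example, and the DER structure is a generic tag-length-value encoding chosen to illustrate the step, not the real lawful-intercept handover schema. It also shows the point made about filtering by subscriber name rather than by a single IP or MAC: the name resolves to every identifier currently provisioned for that subscriber, so a packet that matches only on MAC (say, after a new DHCP lease) is still selected.

```python
"""Toy CALEA-style probe stage: mirror-port feed -> keep only the warrant
subject's packets -> DER-encode each kept packet as a delivery record.
Example code for this page, not from the original post or any vendor."""
from dataclasses import dataclass

# Constructed provisioning table: a warrant names a subscriber, and the probe
# maps that name to the subscriber's current IP and MAC identifiers.
SUBSCRIBERS = {
    "alice": {"ips": {"198.51.100.17"}, "macs": {"00:11:22:33:44:55"}},
    "bob": {"ips": {"198.51.100.42", "2001:db8::42"}, "macs": {"00:11:22:33:44:66"}},
}


@dataclass(frozen=True)
class Packet:
    ts: int          # capture time, seconds since the epoch
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes   # the raw frame as seen on the mirror port


def belongs_to(pkt: Packet, subscriber: str) -> bool:
    """True if either end of the packet is one of the subscriber's identifiers.
    Matching on MAC as well as IP keeps traffic after the subscriber's IP changes."""
    ident = SUBSCRIBERS[subscriber]
    return (pkt.src_ip in ident["ips"] or pkt.dst_ip in ident["ips"]
            or pkt.src_mac in ident["macs"] or pkt.dst_mac in ident["macs"])


def filter_for_warrant(feed, subscriber):
    """Keep the subject's packets, drop everything else; returns (kept, dropped_count)."""
    kept = [p for p in feed if belongs_to(p, subscriber)]
    return kept, len(feed) - len(kept)


# Minimal DER (ASN.1) encoder: tag byte, length (short or long form), value.
def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; the width formula adds a leading 0x00 when the top bit is set."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_utf8(s: str) -> bytes:
    return der_tlv(0x0C, s.encode("utf-8"))


def der_octets(b: bytes) -> bytes:
    return der_tlv(0x04, b)


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def encode_intercept(pkt: Packet, subscriber: str, case_id: str) -> bytes:
    """One delivery record, in a layout made up for this example (not a standard one):
    SEQUENCE { caseId UTF8String, subscriber UTF8String, ts INTEGER, frame OCTET STRING }"""
    return der_sequence(der_utf8(case_id), der_utf8(subscriber),
                        der_integer(pkt.ts), der_octets(pkt.payload))


def der_parse(buf: bytes):
    """Parse one level of DER TLVs into [(tag, value), ...] (used to check the output)."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out


def run_probe(feed, subscriber, case_id):
    """Filter the feed for the warrant subject and encode each kept packet.
    Returns (records, dropped_count); records would go to the delivery tunnel."""
    kept, dropped = filter_for_warrant(feed, subscriber)
    return [encode_intercept(p, subscriber, case_id) for p in kept], dropped


# Constructed mirror-port feed: three of these five packets involve alice.
SAMPLE_FEED = [
    Packet(1370900000, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "198.51.100.17", "203.0.113.5", b"GET / HTTP/1.1"),
    Packet(1370900001, "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "203.0.113.5", "198.51.100.17", b"HTTP/1.1 200 OK"),
    Packet(1370900002, "00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff", "198.51.100.42", "203.0.113.5", b"bob's traffic"),
    Packet(1370900003, "00:11:22:33:44:77", "aa:bb:cc:dd:ee:ff", "198.51.100.99", "203.0.113.5", b"unrelated"),
    # alice after a new DHCP lease: IP not in the table yet, but her MAC still matches
    Packet(1370900004, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "198.51.100.23", "203.0.113.5", b"new lease"),
]

if __name__ == "__main__":
    records, dropped = run_probe(SAMPLE_FEED, "alice", "CASE-0001")
    print(f"kept {len(records)} records, dropped {dropped} packets")
```

The filter runs before anything is encoded or sent, which is the "haystack separated from the needle" property: only the subject's frames ever leave the probe. The same selection logic, pointed at a test account instead of a warrant subject, is what makes the gear reusable for isolating test traffic under options 2 and 3.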