Re: What are y'all doing for CALEA compliance?

[Ben Bartsch <uwcableguy () gmail com>]

Thanks to everyone who replied on and off list today.  I found a wide range
of opinions on CALEA.  I did have one person give me a very specific
example of a vendor that can ensure compliance, which is really what I was
after.

See y'all on Bourbon Street in June!

-ben

On Fri, Mar 15, 2013 at 10:36 AM, Warren Bailey <
wbailey () satelliteintelligencegroup com> wrote:

> Seemed legit to me. I'm a satellite guy, so the Palo Alto gear was really
> for me to look at the traffic profiles. They did a killer job classifying
> traffic though, and I guess they update the rules every couple days?
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> -------- Original message --------
> From: Joshua Goldbard <j () 2600hz com>
> Date: 03/15/2013 8:33 AM (GMT-08:00)
> To: Warren Bailey <wbailey () satelliteintelligencegroup com>
> Cc: Christopher Morrow <morrowc.lists () gmail com>,NANOG <nanog () nanog org>
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> God I want one of those PA firewalls just to play with in the lab. I can't
> justify the expense, but as far as firewalls go they're gorgeous. From the
> chassis to the UI, PA is just doing it right.
>
> If anyone has a different experience, I'd love to hear it.
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:29 AM, "Warren Bailey" <
> wbailey () satelliteintelligencegroup com<mailto:
> wbailey () satelliteintelligencegroup com>> wrote:
>
> We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo
> Alto. Worked okay, never did have to execute a warrant or anything.
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> -------- Original message --------
> From: Joshua Goldbard <j () 2600hz com<mailto:j () 2600hz com>>
> Date: 03/15/2013 8:25 AM (GMT-08:00)
> To: Christopher Morrow <morrowc.lists () gmail com<mailto:
> morrowc.lists () gmail com>>
> Cc: NANOG <nanog () nanog org<mailto:nanog () nanog org>>
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> I am not a lawyer, this is not legal advice. If you make decisions about
> what you should be doing in your business based solely on emails from
> strangers you won't do well. Get a second opinion from a lawyer.
>
> This comes up about once every 6 months on the voice ops mailing list. If
> you are a CLEC and you are not CALEA compliant, you are in for a world of
> hurt.
>
> If you're a non-facilities based reseller this is open for interpretation,
> but many folks believe that if you don't have gear inside the carrier pops,
> you aren't subject to CALEA. In practice, who is and who isn't effected by
> CALEA is directly proportional to the number of CALEA requests to your
> network (ergo, if you don't have any CALEA requests no one cares if you're
> out of compliance).
>
> That being said, there are further problems underfoot. CALEA does not
> specify what technologies should be used when presenting the data to law
> enforcement, I forget the exact wording but its something like "a
> reasonable format". CDRs are not sufficient as CALEA requires the ability
> to tap sessions, but in the past we've seen most legal requests placated
> with an excel sheet.
>
> As far as monitoring your connection, if your 10gig is coming in over
> fiber you should just buy a vampire tap and be done with it.
>
> I hope this helps, but CALEA is inherently messy.
>
> Cheers,
> Joshua
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.lists () gmail com
> <mailto:morrowc.lists () gmail com>> wrote:
>
> > On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcableguy () gmail com
> <mailto:uwcableguy () gmail com>> wrote:
> > > What are you RENs out there doing for CALEA compliance?  Is there
> actually
> > being happy we solved it 6 yrs ago?
> >
> > > any teeth to the law?  Our systems guys have tried a product called
> 'Open
> > teeth as in the 100k/day fine?
> >
> > > CALEA' but the router and the server simply can't keep up with mirroring
> > > from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
> >
> > that seems like a suboptimal design ... why would you mirror 10lbs of
> > poo into a 1lb bag? that seems like it's bound to fail from the
> > get-go.
> >
> > > either....any lawyers on this list?
> >
> > you should find a lawyer... srsly.
> >
> > > Thanks for all the great advice.  This is a great community!
> >
> > -chris