nanog mailing list archives

Re: Mechanics of CALEA taps


From: Rick Robino <rick.robino () ipfabrics com>
Date: Tue, 11 Jun 2013 16:22:42 -0700

Message: 1
Date: Sun, 9 Jun 2013 18:59:16 -0400
From: Randy Fischer <randy.fischer () gmail com>
To: North American Network Operators Group <nanog () nanog org>
Subject: Mechanics of CALEA taps
Message-ID:
      <CAGXkcm46fVFhnoHKZiACEYe5k4CV=H45Ff=zZMLz2pQyeyNAcA () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Dear nanog:

Honestly, I expect replies to this question to range between zero and none,
but I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

* we outsource our CALEA management to company X
* we don't even know there's been a request until we've gotten a bill from
X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer


Operators can choose to be involved, or they can choose not to be involved, according to the specs - the extent is 
ultimately up to them.  It is perhaps possible that some operators know nothing more about the intercepts happening on 
their network than what their bill tells them.  I can believe that but I would hope that it is rare.  Likewise, I 
believe that any operator who makes an effort to understand and have control over their network could be fooled so 
easily.

CALEA tap mechanism does not necessarily work as you have outlined.  The telecom industry fought for and won two other 
options that give the operator more involvement and authority over the execution of the intercepts.

All of the options end up impacting your network, as you have to decide how to feed a copy of all of the data belonging 
to the subscriber(s) named in a warrant to a CALEA probe.  The probe drops all of the packets that don't belong to the 
subject, then it ASN.1-encodes the data and tunnels it over the public network to a law-enforcement agency (or their 
contractor).

That's generally how it works.  Once the taps and probes and mediation device are in place, it's just a matter of 
provisioning.  But that engineering is the tough part - after that just about all you see is the warrant itself, and 
then some phone calls and email from the law-enforcement folks setting up the transport stuff.  No lawyers visit, no 
law-enforcement officials visit, you just get a warrant and then how you handle it is up to you.

So if an operator chooses to engage themselves instead of handing control over to someone else, they can be quite sure 
of what is happening.  For reasons I don't quite understand, however, it doesn't seem like many operators who don't 
otherwise outsource ISP services do tend to outsource CALEA.

In my opinion, if you manage your own DNS and/or mail servers, you can handle CALEA.  Not only could it save you some 
money, but it gives you a discrete way to isolate test-traffic on your network with a more intuitive filter (i.e. 
subscriber name) than just an IP or a MAC address.*  If you live in wireshark all day then you will appreciate having 
the haystack separated from the needle before it enters your system.

The three options are:

1.  Rent CALEA gear - hand warrant to company X

2.  Build your own CALEA gear - evaluate and execute the warrant yourself.

3.  Buy company Y's gear - evaluate and execute the warrant yourself.

Obviously one could outsource the evaluation of a warrant to a third party;  and sure you could probably have a private 
line between you and the LEA... the details vary, I am drawing a very generic picture here.

So, generally, the biggest problem is a technical one:  how to add this "tap" feature to your network - either with 
real physical taps or mirror-ports of some kind.  There are lots of such considerations and lots of options.  Once 
they're done you can probably make use of them for worthwhile operational purposes, but probably only with options 2 
and 3.

The smaller problem is the legal one:  is a lawyer required to read the warrant and then make the provisioning call, or 
not?



* Disclosure:  I try not to be biased, but I do work for a vendor of a CALEA probe product, so "caveat lector".  
Comments submitted here have nothing to do with my employer, however, and are provided only as a help to those that 
really don't know that they can and ought to be fully involved and aware of any "taps".


-- 
Rick Robino
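The probe step Rick describes (feed the subject's traffic to a probe, drop everything else, ASN.1-encode what remains for hand-off) as a toy model. This is an added example, not code from the thread, from Rick's employer, or from any CALEA product; the `SUBSCRIBERS` table, the `Packet` shape, the sample traffic and the warrant id `W-TEST-1` are all constructed, and the DER record layout is an illustrative placeholder rather than the schema any lawful-intercept standard uses. The one design point it shows is the filter being keyed on the subscriber name from the warrant, with the operator resolving that name to addresses, which is the "haystack separated from the needle" property the post argues for.

```python
"""Toy model of the probe step: keep only the packets that belong to the
subscriber named in a warrant, then wrap each one in an ASN.1 (DER) record.
Constructed example; the record layout is an illustrative placeholder, not
any LI standard's schema, and SUBSCRIBERS stands in for a provisioning DB."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subscriber database: the warrant names a subscriber, and the
# operator (not the LEA) resolves that name to the addresses it assigned.
SUBSCRIBERS = {
    "subscriber-A": ["192.0.2.10/32", "2001:db8:1::/64"],
    "subscriber-B": ["192.0.2.20/32"],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def subject_networks(subscriber):
    """Resolve a warrant's subscriber name to the prefixes in scope."""
    return [ip_network(p) for p in SUBSCRIBERS[subscriber]]


def belongs_to_subject(pkt, nets):
    """A packet is in scope if either endpoint is inside a subject prefix."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return any(src in n or dst in n for n in nets)


def filter_subject_traffic(packets, subscriber):
    """The probe's job: drop everything that is not the subject's traffic."""
    nets = subject_networks(subscriber)
    return [p for p in packets if belongs_to_subject(p, nets)]


# Minimal DER encoder, enough to frame a record as
# SEQUENCE { UTF8String, OCTET STRING, OCTET STRING, OCTET STRING }.
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_utf8(s):
    b = s.encode("utf-8")
    return b"\x0c" + _der_length(len(b)) + b


def der_octet_string(b):
    return b"\x04" + _der_length(len(b)) + b


def der_sequence(elements):
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def encode_intercept_record(warrant_id, pkt):
    """Wrap one in-scope packet together with the warrant it was taken under."""
    return der_sequence([
        der_utf8(warrant_id),
        der_octet_string(pkt.src.encode()),
        der_octet_string(pkt.dst.encode()),
        der_octet_string(pkt.payload),
    ])


def decode_der_sequence(data):
    """Parse a short-form DER SEQUENCE back into its element contents
    (enough to check a record round-trips; not a general ASN.1 decoder)."""
    assert data[0] == 0x30 and data[1] < 0x80
    items, i, end = [], 2, 2 + data[1]
    while i < end:
        length = data[i + 1]
        items.append(data[i + 2:i + 2 + length])
        i += 2 + length
    return items


# Constructed traffic sample standing in for a mirror-port feed.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", b"hello"),       # subscriber-A outbound
    Packet("198.51.100.5", "192.0.2.10", b"reply"),       # subscriber-A inbound
    Packet("192.0.2.20", "198.51.100.7", b"other"),       # subscriber-B
    Packet("2001:db8:1::42", "2001:db8:ffff::1", b"v6"),  # subscriber-A, IPv6
    Packet("203.0.113.9", "203.0.113.10", b"noise"),      # nobody's traffic
]

if __name__ == "__main__":
    for pkt in filter_subject_traffic(SAMPLE, "subscriber-A"):
        print(encode_intercept_record("W-TEST-1", pkt).hex())
```

Run as a script it prints the three DER records for `subscriber-A` and nothing for the other two subscribers' packets, which is the point: the provisioning decision is made once, by the operator, against a name it can audit, and the probe output never contains the rest of the network's traffic.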