ISP CALEA compliance

Daniel Senie dts at
Thu May 10 19:36:53 UTC 2007

At 03:23 PM 5/10/2007, Sean Donelan wrote:

>On Thu, 10 May 2007, Patrick Muldoon wrote:
>>We've been under the impression that is *all* data.  So for us, 
>>things like PPPoE Sessions, just putting a tap/span port upstream 
>>of the aggregation router will not work as you would miss any 
>>traffic going from USER A <-> USER B, if they where on the same 
>>aggregation device.   Since the Intercept has to be invisible to 
>>the parties being tapped, you can't route their traffic back out 
>>and then in either, since the tap would change the flow.    In that 
>>regard, we've been upgrading our older NPE's to newer ones in order 
>>to support SII,  All the while I keep having something a co-worker 
>>said stuck in my head.  "CALEA - Consultant And Lawyer Enrichment Act" :)
>If you are doing PPPOE over another carrier's ATM network, are you really
>a "facilities-based" provider?  Or is the CALEA compliance the 
>responsibility of the underlying ATM network provider to give LEA 
>access to the ATM VC of the subscriber under surviellance?

Just had this conversation with one of my clients, and it's a good 
question. Seems like the telco providing the ATM (or other) access 
cloud might be the responsible party. The ISP reselling that DSL is 
too far upstream anyway to capture traffic between users of the same 
DSL cloud, though they could capture traffic between those DSL users 
and other users of their network or the Internet at large.

Consult your attorney, of course. 

More information about the NANOG mailing list