lawful intercept/IOS at BlackHat DC, bypassing and recommendations

Steven Bellovin smb at
Fri Feb 5 02:42:24 UTC 2010

On Feb 4, 2010, at 9:26 PM, Christopher Morrow wrote:

> On Thu, Feb 4, 2010 at 5:49 PM, Steven Bellovin <smb at> wrote:
>> On Feb 4, 2010, at 5:42 PM, Christopher Morrow wrote:
>>> On Thu, Feb 4, 2010 at 5:26 PM, Crist Clark <Crist.Clark at> wrote:
>>>>> this seems like much more work than matt blaze's work that said: "Just
>>>>> send more than 10mbps toward what you want to sneak around... the
>>>>> LEA's pipe is saturated so nothing of use gets to them"
>>>> The Cross/XForce/IBM talk appears more to be about unauthorized
>>>> access to communications via LI rather than evading them,
>>>>  "...there is a risk that [LI tools] could be hijacked by third
>>>>   parties and used to perform surveillance without authorization."
>>>> Of course, this has already happened,
>>> right... plus the management (for cisco) is via snmp(v3), from
>>> (mostly) windows servers as the mediation devices (sad)...  and the
>>> traffic is simply tunneled from device -> mediation -> lea .... not
>>> necessarily IPSEC'd from mediation -> LEA, and udp-encapped from
>>> device -> mediation server.
>>> yea, good times... that's really just re-use of the normal LEA hooks
>>> in all telco phone switch gear though... not 'calea features' in
>>> particular.
>> There's a difference?  CALEA is just the US government profile of the generic international concept of lawful intercept.
> hrm, I always equate 'calea' with 'ip intercept', because I
> (thankfully) never had to see a phone switch (dms type thingy). You
> are, I believe, correct in that CALEA was first 'telephone' intercept
> implemented in phone-switch-thingies in ~94?? and was later applied
> (may 2007ish?) to IP things as well.

I can make a very good case that CALEA was not just originally intended for voice, but was sold to Congress as something that didn't apply to data networks.  The EFF has said it better than I could, though, so look at

		--Steve Bellovin,
