Mechanics of CALEA taps

Tue Jun 11 23:22:42 UTC 2013

> Message: 1
> Date: Sun, 9 Jun 2013 18:59:16 -0400
> From: Randy Fischer <randy.fischer at gmail.com>
> To: North American Network Operators Group <nanog at nanog.org>
> Subject: Mechanics of CALEA taps
> Message-ID:
> 	<CAGXkcm46fVFhnoHKZiACEYe5k4CV=H45Ff=zZMLz2pQyeyNAcA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer

Operators can choose to be involved, or they can choose not to be involved, according to the specs - the extent is ultimately up to them.  It is perhaps possible that some operators know nothing more about the intercepts happening on their network than what their bill tells them.  I can believe that but I would hope that it is rare.  Likewise, I believe that any operator who makes an effort to understand and have control over their network could be fooled so easily.

CALEA tap mechanism does not necessarily work as you have outlined.  The telecom industry fought for and won two other options that give the operator more involvement and authority over the execution of the intercepts.

All of the options end up impacting your network, as you have to decide how to feed a copy of all of the data belonging to the subscriber(s) named in a warrant to a CALEA probe.  The probe drops all of the packets that don't belong to the subject, then it ASN.1-encodes the data and tunnels it over the public network to a law-enforcement agency (or their contractor).

That's generally how it works.  Once the taps and probes and mediation device are in place, it's just a matter of provisioning.  But that engineering is the tough part - after that just about all you see is the warrant itself, and then some phone calls and email from the law-enforcment folks setting up the transport stuff.  No lawyers visit, no law-enforcement officials visit, you just get a warrant and then how you handle it is up to you.

So if an operator chooses to engage themselves instead of handing control over to someone else, they can be quite sure of what is happening.  For reasons I don't quite understand, however, it doesn't seem like many operators who don't otherwise outsource ISP services do tend to outsource CALEA.

In my opinion, if you manage your own DNS and/or mail servers, you can handle CALEA.  Not only could it save you some money, but it gives you a discrete way to isolate test-traffic on your network with a more intuitive filter (ie subscriber name) than just an IP or a MAC address.*  If you live in wireshark all day then you will appreciate having the haystack separated from the needle before it enters your system.

The three options are:

1.  Rent CALEA gear - hand warrant to company X

2.  Build your own CALEA gear - evaluate and execute the warrant yourself.

3.  Buy company Y's gear - evaluate and execute the warrant yourself.

Obviously one could outsource the evaluation of a warrant to a third party;  and sure you could probably have a private line between you and the LEA... the details vary, I am drawing a very generic picture here.

So, generally, the biggest problem is a technical one:  how to add this "tap" feature to your network - either with real physical taps or mirror-ports of some kind.  There are lots of such considerations and lots of options.  Once they're done you can probably make use of them for worthwhile operational purposes, but probably only with options 2 and 3.

The smaller problem is the legal one:  is a lawyer required to read the warrant and then make the provisioning call, or not?

* Disclosure:  I try not to be biased, but I do work for a vendor of a CALEA probe product, so "caveat lector".  Comments submitted here have nothing to do with my employer, however, and are provided only as a help to those that really don't know that they can and ought to be fully involved and aware of any "taps".

-- 
Rick Robino

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20130611/b414f120/attachment.sig>