Re: CALEA

2016-05-31 Thread Christopher Morrow
"Encryption

The number of state wiretaps in which encryption was encountered decreased
from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were
unable to decipher the plain text of the messages. Three federal wiretaps
were reported as being encrypted in 2014, of which two could not be
decrypted. Encryption was also reported for five federal wiretaps that were
conducted during previous years, but reported to the AO for the first time
in 2014. Officials were able to decipher the plain text of the
communications in four of the five intercepts."

that's certainly interesting...

On Tue, May 31, 2016 at 3:12 AM, Martin Hannigan  wrote:

> Misfire. Sorry, early in the AM. The URL I intended to send is here:
>
> http://www.uscourts.gov/statistics-reports/wiretap-report-2014
>
>
> Best,
>
> -M<
>
> On Tue, May 31, 2016 at 9:10 AM, Martin Hannigan 
> wrote:
> > CALEA isn't a type of request, it's a law that enabled par function
> > access for LEO's e.g. "the ladder" pen register, trap+trace, DTMF
> > translation, three-way/off hook ops and the call content (not
> > necessarily in that order).
> >
> > You can see the non national security activity here:
> >
> >
> > On Sat, May 28, 2016 at 5:37 AM, Mike Joseph  wrote:
> >> I can say via firsthand knowledge that CALEA requests are definitely
> >> happening and are not even that rare, proportional to a reasonably sized
> >> subscriber-base.  It would be unlawful for me to comment specifically on
> >> any actual CALEA requests, however.  But if you have general questions
> >> about my observations, feel free to reach out directly.
> >>
> >> -MJ
> >>
> >> On Thu, May 12, 2016 at 11:28 AM, Brian Mengel 
> wrote:
> >>
> >>> My comments were strictly limited to my understanding of CALEA as it
> >>> applied to ISPs, not telcos.  A request for a lawful intercept can entail
> >>> mirroring a real time stream of all data sent to/from a customer's Internet
> >>> connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
> >>> requires mediation before being sent to the LEA and it is the mediation
> >>> server itself that initiates the intercept when so configured by the ISP.
> >>> Perhaps some LEAs have undertaken the mediation function so as to
> >>> facilitate these intercepts where neither the ISP nor a third party can
> >>> do so.  If that were the case then very little would be needed on the part
> >>> of the ISP in order to comply with a request for lawful intercept.  I can
> >>> say with certainty that these types of requests are being made of broadband
> >>> ISPs though I agree that they are very rare.
> >>>
> >>> On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:
> >>>
> >>> > On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
> >>> > wrote:
> >>> >
> >>> > AFAIK being able to do a lawful intercept on a specific, named,
> >>> >> individual's service has been a requirement for providers since 2007.
> >>> >>
> >>> >
> >>> > It's been required for longer than that. The telco I worked for over a
> >>> > decade ago didn't build the infrastructure until the FCC said they were
> >>> > going to stop funding upgrades. That really got 'em movin'. (suddenly "data
> >>> > services" people -- i.e. ME -- weren't redheaded stepchildren.)
> >>> >
> >>> > have never heard of a provider, big or small, being called out for being
> >>> >> unable to provide this service when requested.
> >>> >>
> >>> >
> >>> > Where existing infrastructure is not already in place (read: T1/BRI/etc.),
> >>> > the telco can take up to 60 days to get that setup. I know more than one
> >>> > telco that used that grace period to actually setup CALEA in the first
> >>> > place.
> >>> >
> >>> > did not perform intercepts routinely.
> >>> >>
> >>> >
> >>> > The historic published figures (i've not looked in years) suggest CALEA
> >>> > requests are statistically rare. The NC based telco I worked for had never
> >>> > received an order in the then ~40yr life of the company.
> >>> >
> >>> > The mediation server needed to "mediate" between your customer aggregation
> >>> >> box and the LEA is not inexpensive.
> >>> >>
> >>> >
> >>> > And also is not the telco's problem. Mediation is done by the LEA or 3rd
> >>> > party under contract to any number of agencies. For example, a telco tap
> >>> > order would mirror the control and voice traffic of a POTS line (T1/PRI
> >>> > channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
> >>> > but wasn't required in my era, so we didn't support it.) We used to test
> >>> > that by tapping a tech's phone. Not having any mediation software, all I
> >>> > could do is "yeap, it's sending data" and listen to the voice channels on a
> >>> > t-berd.
> >>> > --Ricky
> >>> >
> >>>
> >>>
>


Re: CALEA

2016-05-31 Thread Martin Hannigan
Misfire. Sorry, early in the AM. The URL I intended to send is here:

http://www.uscourts.gov/statistics-reports/wiretap-report-2014


Best,

-M<

On Tue, May 31, 2016 at 9:10 AM, Martin Hannigan  wrote:
> CALEA isn't a type of request, it's a law that enabled par function
> access for LEO's e.g. "the ladder" pen register, trap+trace, DTMF
> translation, three-way/off hook ops and the call content (not
> necessarily in that order).
>
> You can see the non national security activity here:
>
>
> On Sat, May 28, 2016 at 5:37 AM, Mike Joseph  wrote:
>> I can say via firsthand knowledge that CALEA requests are definitely
>> happening and are not even that rare, proportional to a reasonably sized
>> subscriber-base.  It would be unlawful for me to comment specifically on
>> any actual CALEA requests, however.  But if you have general questions
>> about my observations, feel free to reach out directly.
>>
>> -MJ
>>
>> On Thu, May 12, 2016 at 11:28 AM, Brian Mengel  wrote:
>>
>>> My comments were strictly limited to my understanding of CALEA as it
>>> applied to ISPs, not telcos.  A request for a lawful intercept can entail
>>> mirroring a real time stream of all data sent to/from a customer's Internet
>>> connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
>>> requires mediation before being sent to the LEA and it is the mediation
>>> server itself that initiates the intercept when so configured by the ISP.
>>> Perhaps some LEAs have undertaken the mediation function so as to
>>> facilitate these intercepts where neither the ISP nor a third party can
>>> do so.  If that were the case then very little would be needed on the part
>>> of the ISP in order to comply with a request for lawful intercept.  I can
>>> say with certainty that these types of requests are being made of broadband
>>> ISPs though I agree that they are very rare.
>>>
>>> On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:
>>>
>>> > On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
>>> > wrote:
>>> >
>>> > AFAIK being able to do a lawful intercept on a specific, named,
>>> >> individual's service has been a requirement for providers since 2007.
>>> >>
>>> >
>>> > It's been required for longer than that. The telco I worked for over a
>>> > decade ago didn't build the infrastructure until the FCC said they were
>>> > going to stop funding upgrades. That really got 'em movin'. (suddenly "data
>>> > services" people -- i.e. ME -- weren't redheaded stepchildren.)
>>> >
>>> > have never heard of a provider, big or small, being called out for being
>>> >> unable to provide this service when requested.
>>> >>
>>> >
>>> > Where existing infrastructure is not already in place (read: T1/BRI/etc.),
>>> > the telco can take up to 60 days to get that setup. I know more than one
>>> > telco that used that grace period to actually setup CALEA in the first
>>> > place.
>>> >
>>> > did not perform intercepts routinely.
>>> >>
>>> >
>>> > The historic published figures (i've not looked in years) suggest CALEA
>>> > requests are statistically rare. The NC based telco I worked for had never
>>> > received an order in the then ~40yr life of the company.
>>> >
>>> > The mediation server needed to "mediate" between your customer aggregation
>>> >> box and the LEA is not inexpensive.
>>> >>
>>> >
>>> > And also is not the telco's problem. Mediation is done by the LEA or 3rd
>>> > party under contract to any number of agencies. For example, a telco tap
>>> > order would mirror the control and voice traffic of a POTS line (T1/PRI
>>> > channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
>>> > but wasn't required in my era, so we didn't support it.) We used to test
>>> > that by tapping a tech's phone. Not having any mediation software, all I
>>> > could do is "yeap, it's sending data" and listen to the voice channels on a
>>> > t-berd.
>>> >
>>> > --Ricky
>>> >
>>>
>>>


Re: CALEA

2016-05-31 Thread Martin Hannigan
CALEA isn't a type of request, it's a law that enabled par function
access for LEO's e.g. "the ladder" pen register, trap+trace, DTMF
translation, three-way/off hook ops and the call content (not
necessarily in that order).

You can see the non national security activity here:


On Sat, May 28, 2016 at 5:37 AM, Mike Joseph  wrote:
> I can say via firsthand knowledge that CALEA requests are definitely
> happening and are not even that rare, proportional to a reasonably sized
> subscriber-base.  It would be unlawful for me to comment specifically on
> any actual CALEA requests, however.  But if you have general questions
> about my observations, feel free to reach out directly.
>
> -MJ
>
> On Thu, May 12, 2016 at 11:28 AM, Brian Mengel  wrote:
>
>> My comments were strictly limited to my understanding of CALEA as it
>> applied to ISPs, not telcos.  A request for a lawful intercept can entail
>> mirroring a real time stream of all data sent to/from a customer's Internet
>> connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
>> requires mediation before being sent to the LEA and it is the mediation
>> server itself that initiates the intercept when so configured by the ISP.
>> Perhaps some LEAs have undertaken the mediation function so as to
>> facilitate these intercepts where neither the ISP nor a third party can
>> do so.  If that were the case then very little would be needed on the part
>> of the ISP in order to comply with a request for lawful intercept.  I can
>> say with certainty that these types of requests are being made of broadband
>> ISPs though I agree that they are very rare.
>>
>> On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:
>>
>> > On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
>> > wrote:
>> >
>> > AFAIK being able to do a lawful intercept on a specific, named,
>> >> individual's service has been a requirement for providers since 2007.
>> >>
>> >
>> > It's been required for longer than that. The telco I worked for over a
>> > decade ago didn't build the infrastructure until the FCC said they were
>> > going to stop funding upgrades. That really got 'em movin'. (suddenly "data
>> > services" people -- i.e. ME -- weren't redheaded stepchildren.)
>> >
>> > have never heard of a provider, big or small, being called out for being
>> >> unable to provide this service when requested.
>> >>
>> >
>> > Where existing infrastructure is not already in place (read: T1/BRI/etc.),
>> > the telco can take up to 60 days to get that setup. I know more than one
>> > telco that used that grace period to actually setup CALEA in the first
>> > place.
>> >
>> > did not perform intercepts routinely.
>> >>
>> >
>> > The historic published figures (i've not looked in years) suggest CALEA
>> > requests are statistically rare. The NC based telco I worked for had never
>> > received an order in the then ~40yr life of the company.
>> >
>> > The mediation server needed to "mediate" between your customer aggregation
>> >> box and the LEA is not inexpensive.
>> >>
>> >
>> > And also is not the telco's problem. Mediation is done by the LEA or 3rd
>> > party under contract to any number of agencies. For example, a telco tap
>> > order would mirror the control and voice traffic of a POTS line (T1/PRI
>> > channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
>> > but wasn't required in my era, so we didn't support it.) We used to test
>> > that by tapping a tech's phone. Not having any mediation software, all I
>> > could do is "yeap, it's sending data" and listen to the voice channels on a
>> > t-berd.
>> >
>> > --Ricky
>> >
>>
>>


Re: CALEA

2016-05-29 Thread Josh Luthman
How many requests per 1k or 10k customers?  Is primarily residential a safe
assumption?


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, May 27, 2016 at 11:37 PM, Mike Joseph  wrote:

> I can say via firsthand knowledge that CALEA requests are definitely
> happening and are not even that rare, proportional to a reasonably sized
> subscriber-base.  It would be unlawful for me to comment specifically on
> any actual CALEA requests, however.  But if you have general questions
> about my observations, feel free to reach out directly.
>
> -MJ
>
> On Thu, May 12, 2016 at 11:28 AM, Brian Mengel  wrote:
>
> > My comments were strictly limited to my understanding of CALEA as it
> > applied to ISPs, not telcos.  A request for a lawful intercept can entail
> > mirroring a real time stream of all data sent to/from a customer's Internet
> > connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
> > requires mediation before being sent to the LEA and it is the mediation
> > server itself that initiates the intercept when so configured by the ISP.
> > Perhaps some LEAs have undertaken the mediation function so as to
> > facilitate these intercepts where neither the ISP nor a third party can
> > do so.  If that were the case then very little would be needed on the part
> > of the ISP in order to comply with a request for lawful intercept.  I can
> > say with certainty that these types of requests are being made of broadband
> > ISPs though I agree that they are very rare.
> >
> > On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:
> >
> > > On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
> > > wrote:
> > >
> > > AFAIK being able to do a lawful intercept on a specific, named,
> > >> individual's service has been a requirement for providers since 2007.
> > >>
> > >
> > > It's been required for longer than that. The telco I worked for over a
> > > decade ago didn't build the infrastructure until the FCC said they were
> > > going to stop funding upgrades. That really got 'em movin'. (suddenly "data
> > > services" people -- i.e. ME -- weren't redheaded stepchildren.)
> > >
> > > have never heard of a provider, big or small, being called out for being
> > >> unable to provide this service when requested.
> > >>
> > >
> > > Where existing infrastructure is not already in place (read: T1/BRI/etc.),
> > > the telco can take up to 60 days to get that setup. I know more than one
> > > telco that used that grace period to actually setup CALEA in the first
> > > place.
> > >
> > > did not perform intercepts routinely.
> > >>
> > >
> > > The historic published figures (i've not looked in years) suggest CALEA
> > > requests are statistically rare. The NC based telco I worked for had never
> > > received an order in the then ~40yr life of the company.
> > >
> > > The mediation server needed to "mediate" between your customer aggregation
> > >> box and the LEA is not inexpensive.
> > >>
> > >
> > > And also is not the telco's problem. Mediation is done by the LEA or 3rd
> > > party under contract to any number of agencies. For example, a telco tap
> > > order would mirror the control and voice traffic of a POTS line (T1/PRI
> > > channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
> > > but wasn't required in my era, so we didn't support it.) We used to test
> > > that by tapping a tech's phone. Not having any mediation software, all I
> > > could do is "yeap, it's sending data" and listen to the voice channels on a
> > > t-berd.
> > >
> > > --Ricky
> > >
> >
> >
>


Re: CALEA

2016-05-29 Thread Mike Joseph
I can say via firsthand knowledge that CALEA requests are definitely
happening and are not even that rare, proportional to a reasonably sized
subscriber-base.  It would be unlawful for me to comment specifically on
any actual CALEA requests, however.  But if you have general questions
about my observations, feel free to reach out directly.

-MJ

On Thu, May 12, 2016 at 11:28 AM, Brian Mengel  wrote:

> My comments were strictly limited to my understanding of CALEA as it
> applied to ISPs, not telcos.  A request for a lawful intercept can entail
> mirroring a real time stream of all data sent to/from a customer's Internet
> connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
> requires mediation before being sent to the LEA and it is the mediation
> server itself that initiates the intercept when so configured by the ISP.
> Perhaps some LEAs have undertaken the mediation function so as to
> facilitate these intercepts where neither the ISP nor a third party can
> do so.  If that were the case then very little would be needed on the part
> of the ISP in order to comply with a request for lawful intercept.  I can
> say with certainty that these types of requests are being made of broadband
> ISPs though I agree that they are very rare.
>
> On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:
>
> > On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
> > wrote:
> >
> > AFAIK being able to do a lawful intercept on a specific, named,
> >> individual's service has been a requirement for providers since 2007.
> >>
> >
> > It's been required for longer than that. The telco I worked for over a
> > decade ago didn't build the infrastructure until the FCC said they were
> > going to stop funding upgrades. That really got 'em movin'. (suddenly "data
> > services" people -- i.e. ME -- weren't redheaded stepchildren.)
> >
> > have never heard of a provider, big or small, being called out for being
> >> unable to provide this service when requested.
> >>
> >
> > Where existing infrastructure is not already in place (read: T1/BRI/etc.),
> > the telco can take up to 60 days to get that setup. I know more than one
> > telco that used that grace period to actually setup CALEA in the first
> > place.
> >
> > did not perform intercepts routinely.
> >>
> >
> > The historic published figures (i've not looked in years) suggest CALEA
> > requests are statistically rare. The NC based telco I worked for had never
> > received an order in the then ~40yr life of the company.
> >
> > The mediation server needed to "mediate" between your customer aggregation
> >> box and the LEA is not inexpensive.
> >>
> >
> > And also is not the telco's problem. Mediation is done by the LEA or 3rd
> > party under contract to any number of agencies. For example, a telco tap
> > order would mirror the control and voice traffic of a POTS line (T1/PRI
> > channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
> > but wasn't required in my era, so we didn't support it.) We used to test
> > that by tapping a tech's phone. Not having any mediation software, all I
> > could do is "yeap, it's sending data" and listen to the voice channels on a
> > t-berd.
> >
> > --Ricky
> >
>
>


Re: CALEA

2016-05-12 Thread Brian Mengel
My comments were strictly limited to my understanding of CALEA as it
applied to ISPs, not telcos.  A request for a lawful intercept can entail
mirroring a real time stream of all data sent to/from a customer's Internet
connection (cable modem/DSL/dedicated Ethernet) to a LEA.  AFAIK this
requires mediation before being sent to the LEA and it is the mediation
server itself that initiates the intercept when so configured by the ISP.
Perhaps some LEAs have undertaken the mediation function so as to
facilitate these intercepts where neither the ISP nor a third party can
do so.  If that were the case then very little would be needed on the part
of the ISP in order to comply with a request for lawful intercept.  I can
say with certainty that these types of requests are being made of broadband
ISPs though I agree that they are very rare.

On Wed, May 11, 2016 at 2:58 PM, Ricky Beam  wrote:

> On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel 
> wrote:
>
> AFAIK being able to do a lawful intercept on a specific, named,
>> individual's service has been a requirement for providers since 2007.
>>
>
> It's been required for longer than that. The telco I worked for over a
> decade ago didn't build the infrastructure until the FCC said they were
> going to stop funding upgrades. That really got 'em movin'. (suddenly "data
> services" people -- i.e. ME -- weren't redheaded stepchildren.)
>
> have never heard of a provider, big or small, being called out for being
>> unable to provide this service when requested.
>>
>
> Where existing infrastructure is not already in place (read: T1/BRI/etc.),
> the telco can take up to 60 days to get that setup. I know more than one
> telco that used that grace period to actually setup CALEA in the first
> place.
>
> did not perform intercepts routinely.
>>
>
> The historic published figures (i've not looked in years) suggest CALEA
> requests are statistically rare. The NC based telco I worked for had never
> received an order in the then ~40yr life of the company.
>
> The mediation server needed to "mediate" between your customer aggregation
>> box and the LEA is not inexpensive.
>>
>
> And also is not the telco's problem. Mediation is done by the LEA or 3rd
> party under contract to any number of agencies. For example, a telco tap
> order would mirror the control and voice traffic of a POTS line (T1/PRI
> channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
> but wasn't required in my era, so we didn't support it.) We used to test
> that by tapping a tech's phone. Not having any mediation software, all I
> could do is "yeap, it's sending data" and listen to the voice channels on a
> t-berd.
>
> --Ricky
>


Re: CALEA

2016-05-11 Thread Ricky Beam

On Tue, 10 May 2016 17:00:54 -0400, Brian Mengel  wrote:

> AFAIK being able to do a lawful intercept on a specific, named,
> individual's service has been a requirement for providers since 2007.

It's been required for longer than that. The telco I worked for over a
decade ago didn't build the infrastructure until the FCC said they were
going to stop funding upgrades. That really got 'em movin'. (suddenly
"data services" people -- i.e. ME -- weren't redheaded stepchildren.)

> have never heard of a provider, big or small, being called out for being
> unable to provide this service when requested.

Where existing infrastructure is not already in place (read: T1/BRI/etc.),
the telco can take up to 60 days to get that setup. I know more than one
telco that used that grace period to actually setup CALEA in the first
place.

> did not perform intercepts routinely.

The historic published figures (i've not looked in years) suggest CALEA
requests are statistically rare. The NC based telco I worked for had never
received an order in the then ~40yr life of the company.

> The mediation server needed to "mediate" between your customer
> aggregation box and the LEA is not inexpensive.

And also is not the telco's problem. Mediation is done by the LEA or 3rd
party under contract to any number of agencies. For example, a telco tap
order would mirror the control and voice traffic of a POTS line (T1/PRI
channel, etc.) into a BRI or specific T1 channel. (dialup was later added,
but wasn't required in my era, so we didn't support it.) We used to test
that by tapping a tech's phone. Not having any mediation software, all I
could do is "yeap, it's sending data" and listen to the voice channels on
a t-berd.

--Ricky


Re: CALEA

2016-05-11 Thread Leo Bicknell
In a message written on Tue, May 10, 2016 at 03:00:59PM -0500, Josh Reynolds 
wrote:
> This is a large list that includes many Tier 1 network operators,
> government agencies,  and Fortune 500 network operators.
> 
> The silence should be telling.

NANOG has a strong self-selection for people who run core routing
devices and do things like BGP and peering negotiations with other
providers.

By contrast, CALEA requirements are generally all met by features
deployed at the customer-edge.  These groups are often a separate
silo from the backbone folks at the largest providers.

This is likely the wrong list for asking such questions, and the few
who do answer are likely to be smaller providers where people wear
multiple hats.

-- 
Leo Bicknell - bickn...@ufp.org
PGP keys at http://www.ufp.org/~bicknell/




Re: CALEA

2016-05-11 Thread Brian Mengel
AFAIK being able to do a lawful intercept on a specific, named,
individual's service has been a requirement for providers since 2007.  I
have never heard of a provider, big or small, being called out for being
unable to provide this service when requested.  I would be surprised if a
national broadband ISP with millions of subs did not have this ability and
did not perform intercepts routinely.  I would be surprised if a small town
providing it's own Internet access or small WISP serving a few hundred
customers went through the trouble and expense of being able to provide
this service.

The mediation server needed to "mediate" between your customer aggregation
box and the LEA is not inexpensive.  I believe there was talk about
"trusted third parties" providing mediation-as-a-service but I do not know
if any such entities exist.  The logistics of running a mediation server in
the cloud and being able to signal from the cloud to the aggregation box to
begin a mediation and ensuring that the data exported from the ISP to the
cloud to the LEA remained private would seem to be significant but not
insurmountable.



On Tue, May 10, 2016 at 4:11 PM, Josh Reynolds  wrote:

> The first rule of prism is...
>
>
> *silence*
>
>
> :)
>
> On Tue, May 10, 2016 at 3:04 PM, Christopher Morrow
>  wrote:
> >
> >
> > On Tue, May 10, 2016 at 4:00 PM, Josh Reynolds 
> wrote:
> >>
> >> This is a large list that includes many Tier 1 network operators,
> >> government agencies,  and Fortune 500 network operators
> >
> >
> > no one gets calea requests because prism gets all requests?
> >
>


Re: CALEA

2016-05-10 Thread Josh Reynolds
The first rule of prism is...


*silence*


:)

On Tue, May 10, 2016 at 3:04 PM, Christopher Morrow
 wrote:
>
>
> On Tue, May 10, 2016 at 4:00 PM, Josh Reynolds  wrote:
>>
>> This is a large list that includes many Tier 1 network operators,
>> government agencies,  and Fortune 500 network operators
>
>
> no one gets calea requests because prism gets all requests?
>


Re: CALEA

2016-05-10 Thread Christopher Morrow
On Tue, May 10, 2016 at 4:00 PM, Josh Reynolds  wrote:

> This is a large list that includes many Tier 1 network operators,
> government agencies,  and Fortune 500 network operators
>

no one gets calea requests because prism gets all requests?


Re: CALEA

2016-05-10 Thread Josh Reynolds
This is a large list that includes many Tier 1 network operators,
government agencies,  and Fortune 500 network operators.

The silence should be telling.
On May 10, 2016 2:52 PM, "Matt Hoppes" 
wrote:

> Perhaps the silence is an indication no one is doing CALEA or knows
> anything about it?
>
> Personally, I can't say I've heard anything about CALEA, seen people
> trying to sell CALEA appliances, or received a CALEA request in maybe 8
> years?
>
> On 5/10/16 12:34 AM, Josh Reynolds wrote:
>
>> Hrm?
>> On May 9, 2016 11:04 PM, "shawn wilson"  wrote:
>>
>> The OP is also asking someone to register a throwaway email, subscribe,
>>> and
>>> respond "yes" so that the owner can't be tracked to their employer.
>>> That's
>>> kind of a steep ask for something that's almost moot.
>>> On May 9, 2016 23:16, "Greg Sowell"  wrote:
>>>
>>> I haven't had a request in ages...back then all of the links worked.
>>> On May 9, 2016 3:02 PM, "Jeremy Austin"  wrote:
>>>
>>> On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:
>>>>
>>>>  What is the community hearing about CALEA?
>>>>>
>>>>>
>>>> Crickets?
>>>>
>>>>
>>>> --
>>>> Jeremy Austin
>>>>
>>>> (907) 895-2311
>>>> (907) 803-5422
>>>> jhaus...@gmail.com
>>>>
>>>> Heritage NetWorks
>>>> Whitestone Power & Communications
>>>> Vertical Broadband, LLC
>>>>
>>>> Schedule a meeting: http://doodle.com/jermudgeon
>>>>
>>>>
>>>


Re: CALEA

2016-05-10 Thread Matt Hoppes
Perhaps the silence is an indication no one is doing CALEA or knows 
anything about it?


Personally, I can't say I've heard anything about CALEA, seen people 
trying to sell CALEA appliances, or received a CALEA request in maybe 8 
years?


On 5/10/16 12:34 AM, Josh Reynolds wrote:

> Hrm?
> On May 9, 2016 11:04 PM, "shawn wilson"  wrote:
>
>> The OP is also asking someone to register a throwaway email, subscribe, and
>> respond "yes" so that the owner can't be tracked to their employer. That's
>> kind of a steep ask for something that's almost moot.
>> On May 9, 2016 23:16, "Greg Sowell"  wrote:
>>
>> I haven't had a request in ages...back then all of the links worked.
>> On May 9, 2016 3:02 PM, "Jeremy Austin"  wrote:
>>
>>> On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:
>>>
>>>> What is the community hearing about CALEA?
>>>>
>>>
>>> Crickets?
>>>
>>>
>>> --
>>> Jeremy Austin
>>>
>>> (907) 895-2311
>>> (907) 803-5422
>>> jhaus...@gmail.com
>>>
>>> Heritage NetWorks
>>> Whitestone Power & Communications
>>> Vertical Broadband, LLC
>>>
>>> Schedule a meeting: http://doodle.com/jermudgeon



Re: CALEA

2016-05-09 Thread Josh Reynolds
Hrm?
On May 9, 2016 11:04 PM, "shawn wilson"  wrote:

> The OP is also asking someone to register a throwaway email, subscribe, and
> respond "yes" so that the owner can't be tracked to their employer. That's
> kind of a steep ask for something that's almost moot.
> On May 9, 2016 23:16, "Greg Sowell"  wrote:
>
> I haven't had a request in ages...back then all of the links worked.
> On May 9, 2016 3:02 PM, "Jeremy Austin"  wrote:
>
> > On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:
> >
> > > What is the community hearing about CALEA?
> > >
> >
> > Crickets?
> >
> >
> > --
> > Jeremy Austin
> >
> > (907) 895-2311
> > (907) 803-5422
> > jhaus...@gmail.com
> >
> > Heritage NetWorks
> > Whitestone Power & Communications
> > Vertical Broadband, LLC
> >
> > Schedule a meeting: http://doodle.com/jermudgeon
> >
>


Re: CALEA

2016-05-09 Thread shawn wilson
The OP is also asking someone to register a throwaway email, subscribe, and
respond "yes" so that the owner can't be tracked to their employer. That's
kind of a steep ask for something that's almost moot.
On May 9, 2016 23:16, "Greg Sowell"  wrote:

I haven't had a request in ages...back then all of the links worked.
On May 9, 2016 3:02 PM, "Jeremy Austin"  wrote:

> On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:
>
> > What is the community hearing about CALEA?
> >
>
> Crickets?
>
>
> --
> Jeremy Austin
>
> (907) 895-2311
> (907) 803-5422
> jhaus...@gmail.com
>
> Heritage NetWorks
> Whitestone Power & Communications
> Vertical Broadband, LLC
>
> Schedule a meeting: http://doodle.com/jermudgeon
>


Re: CALEA

2016-05-09 Thread Greg Sowell
I haven't had a request in ages...back then all of the links worked.
On May 9, 2016 3:02 PM, "Jeremy Austin"  wrote:

> On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:
>
> > What is the community hearing about CALEA?
> >
>
> Crickets?
>
>
> --
> Jeremy Austin
>
> (907) 895-2311
> (907) 803-5422
> jhaus...@gmail.com
>
> Heritage NetWorks
> Whitestone Power & Communications
> Vertical Broadband, LLC
>
> Schedule a meeting: http://doodle.com/jermudgeon
>


Re: CALEA

2016-05-09 Thread Jeremy Austin
On Thu, May 5, 2016 at 4:43 PM, Justin Wilson  wrote:

> What is the community hearing about CALEA?
>

Crickets?


-- 
Jeremy Austin

(907) 895-2311
(907) 803-5422
jhaus...@gmail.com

Heritage NetWorks
Whitestone Power & Communications
Vertical Broadband, LLC

Schedule a meeting: http://doodle.com/jermudgeon


CALEA

2016-05-05 Thread Justin Wilson
Does anyone have some up-to-date information on CALEA? 
https://askcalea.fbi.gov/ <https://askcalea.fbi.gov/> has a fair amount of 
broken links.  The servicer provider registration is broken. The web-site has 
not been updated. Searches on FBI.gov and the FCC site just point back to 
askcalea.

Are any of you still seeing CALEA requests on the voice or the data 
sides?
What is the community hearing about CALEA?


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman
Internet Exchange - Peering - Distributed Fabric



Re: CALEA Requirements

2016-03-20 Thread Sean Donelan
The FBI CALEA folks have always had a somewhat expansive interpretation of 
their authorities.


For example, "dialed digit extraction."  The court cases supporting pen 
registers are based on business record exception, i.e. Smith v. Maryland 
says dialed numbers are disclosed to the telephone company so the phone 
company can connect and bill the call do not have a reasonable 
expectation of privacy. The FBI expanded its pen-register authority to 
include all numbers dialed *DURING* the call because in the 1970's 
pen-register technology didn't stop recording digits (i.e. the "clicks") 
after a call was answered.  Modern pen-register technology can 
distinguish between numbers dialed for the purpose of connecting the call, 
and numbers dialed during the call (i.e. your online banking PIN), and 
dialed digit extraction during VOIP calls is an extreme pain in the ass.


In the 1990's, the FBI convinced the FCC to order carriers under CALEA to 
do dialed digit extraction because "that's what they've always done," not 
because it's what the law and court cases required.  Even the FCC says in 
its CALEA order, the FBI's justification was flimsy but the FCC wasn't 
willing to oppose the FBI.


As several folks have pointed out, talk to your own legal counsel.  The
FBI CALEA website is the FBI's interpretation of its authority, not 
necessarily what your own counsel would advise.


Re: CALEA Requirements

2016-03-20 Thread Robert Haylock
If you are a wireline ISP, start with the ATIS-113* docs, you will see
from the FBI link below, different services and carrier types (e.g. voice
or cable) have additional needs on top of this.

As Scott said, your legal/regulatory team needs to guide you to exactly
which in the list MAY apply in your situation, but from a technical point of
view you can at least get an idea about what you might have to do by
starting with the ATIS specs:

https://askcalea.fbi.gov/standards.html

Rob

On 14 March 2016 at 13:57, Scott Weeks  wrote:

>
>
> --- lor...@hathcock.org wrote:
> From: "Lorell Hathcock" 
>
> Can someone point me to the current CALEA requirements?
>
> As an ISP, should I be recording all internet traffic that passes my
> routers?  Or do I only have to record when and if I receive a court order?
>
> I'm not under any court order now, I just want to be sure that I am
> compliant going forward in my capabilities.
> -
>
>
> This is something your company's lawyers should hash out.
> That said, you shouldn't record anything unless forced to
> do so.  It'll just make pervasive surveillance easier.
>
> scott
>


Re: E911 (was CALEA Requirements)

2016-03-20 Thread Dan Lacey

Todd,

Could you pick a more problematic venture in telecom? ;-)
I have done a couple of these.
(I just joined the list and have no idea how much you know on the subject)

My clients are wholesale customers of different local LECs (Local 
Exchange Carrier).
These are the guys that own the wire centers in your location (e.g. 
CenturyLink, Verizon, etc.)
I do not know how they work with non-wholesale customers with regards to 
E911 services.


The specifics of what will be required differ from LEC to LEC and also 
depend on the PSAP (E911 center) you will connect to.
Most people use a consultant to get this done since there will be many 
technical details related to the circuits and technical meetings with 
the LEC and PSAP.
The LECs and PSAPs are not in the business of building your network... 
so they typically don't offer much assistance.

(If you have ever submitted an ASR to a LEC, you will know what I mean).

Your first step is to get in touch with your LEC and find out what 
services they can provide.
You could also contact your PSAP and find out their interconnection 
requirements.

Then you will have some scope on the project.

If you go the wholesale route you really will need someone to guide you 
through the process.
On the other hand, if you are already a wholesale customer of a LEC, 
experienced with placing ASRs for DS0s, DS1s and multiplexors, then you 
probably can get this done in-house.


Sincerely,
Dan



Re: CALEA Requirements

2016-03-19 Thread Lorell Hathcock
Thanks for the tips. All good info. 

Sent from my iPhone

> On Mar 18, 2016, at 3:31 PM, Kraig Beahn  wrote:
> 
> I believe Scott, just hit the nail on the head...
> "but keep in mind that it's normal for people who have
> had to fulfill a request *to be disallowed from talking about it* which
> makes
> them seem even more rare than they actually are."
> 
>> On Fri, Mar 18, 2016 at 4:28 PM, Scott Helms  wrote:
>> 
>> Kevin,
>> 
>> That's largely true, but keep in mind that it's normal for people who have
>> had to fulfill a request to be disallowed from talking about it which makes
>> them seem even more rare than they actually are.  I'm also not familiar
>> with any laws that prevent state or local agencies from leveraging CALEA
>> and I've certainly seen it used on the voice side by state level law
>> enforcement.
>> 
>> 
>> Scott Helms
>> Chief Technology Officer
>> ZCorum
>> (678) 507-5000
>> 
>> http://twitter.com/kscotthelms
>> 
>> 
>> On Fri, Mar 18, 2016 at 4:19 PM, Kevin Burke  wrote:
>> 
>>> Ignore it until you get the paperwork.  The local law enforcement cannot
>>> get a warrant for the real time, full data capture.  Only FBI or other
>>> national agencies can get those subpoenas.  We went through this with our
>>> local police department.  They wanted to make sure we were prepared and
>>> wanted a test for the real time number capture on phone calls.  They didn't
>>> mention they don't have any equipment on their side to connect the T1.
>>> 
>>> Ask your local neighbors.  Some areas have a number of local federal
>>> investigations.  If you get the deer in the headlights look from your
>>> competition then you may never get one of these.
>>> 
>>> The full data captures are rare.
>>> 
>>> Kevin Burke
>>> 802-540-0979
>>> Burlington Telecom - City of Burlington
>>> 200 Church St, Burlington, VT 05401
>>> 
>>> -Original Message-
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lorell
>> Hathcock
>>> Sent: Monday, March 14, 2016 4:47 PM
>>> To: 'NANOG list' 
>>> Subject: CALEA Requirements
>>> 
>>> NANOG:
>>> 
>>> 
>>> 
>>> Can someone point me to the current CALEA requirements?
>>> 
>>> 
>>> 
>>> As an ISP, should I be recording all internet traffic that passes my
>>> routers?  Or do I only have to record when and if I receive a court
>> order?
>>> 
>>> 
>>> 
>>> I'm not under any court order now, I just want to be sure that I am
>>> compliant going forward in my capabilities.
>>> 
>>> 
>>> 
>>> Thanks!
>>> 
>>> 
>>> 
>>> Lorell Hathcock
>> 


Re: CALEA Requirements

2016-03-18 Thread Scott Helms
Kevin,

That's largely true, but keep in mind that it's normal for people who have
had to fulfill a request to be disallowed from talking about it which makes
them seem even more rare than they actually are.  I'm also not familiar
with any laws that prevent state or local agencies from leveraging CALEA
and I've certainly seen it used on the voice side by state level law
enforcement.


Scott Helms
Chief Technology Officer
ZCorum
(678) 507-5000

http://twitter.com/kscotthelms


On Fri, Mar 18, 2016 at 4:19 PM, Kevin Burke 
wrote:

> Ignore it until you get the paperwork.  The local law enforcement cannot
> get a warrant for the real time, full data capture.  Only FBI or other
> national agencies can get those subpoenas.  We went through this with our
> local police department.  They wanted to make sure we were prepared and
> wanted a test for the real time number capture on phone calls.  They didn't
> mention they don't have any equipment on their side to connect the T1.
>
> Ask your local neighbors.  Some areas have a number of local federal
> investigations.  If you get the deer in the headlights look from your
> competition then you may never get one of these.
>
> The full data captures are rare.
>
> Kevin Burke
> 802-540-0979
> Burlington Telecom - City of Burlington
> 200 Church St, Burlington, VT 05401
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lorell Hathcock
> Sent: Monday, March 14, 2016 4:47 PM
> To: 'NANOG list' 
> Subject: CALEA Requirements
>
> NANOG:
>
>
>
> Can someone point me to the current CALEA requirements?
>
>
>
> As an ISP, should I be recording all internet traffic that passes my
> routers?  Or do I only have to record when and if I receive a court order?
>
>
>
> I'm not under any court order now, I just want to be sure that I am
> compliant going forward in my capabilities.
>
>
>
> Thanks!
>
>
>
> Lorell Hathcock
>
>


Re: CALEA Requirements

2016-03-18 Thread Kraig Beahn
I believe Scott, just hit the nail on the head...
"but keep in mind that it's normal for people who have
had to fulfill a request *to be disallowed from talking about it* which
makes
them seem even more rare than they actually are."

On Fri, Mar 18, 2016 at 4:28 PM, Scott Helms  wrote:

> Kevin,
>
> That's largely true, but keep in mind that it's normal for people who have
> had to fulfill a request to be disallowed from talking about it which makes
> them seem even more rare than they actually are.  I'm also not familiar
> with any laws that prevent state or local agencies from leveraging CALEA
> and I've certainly seen it used on the voice side by state level law
> enforcement.
>
>
> Scott Helms
> Chief Technology Officer
> ZCorum
> (678) 507-5000
> 
> http://twitter.com/kscotthelms
> 
>
> On Fri, Mar 18, 2016 at 4:19 PM, Kevin Burke 
> wrote:
>
> > Ignore it until you get the paperwork.  The local law enforcement cannot
> > get a warrant for the real time, full data capture.  Only FBI or other
> > national agencies can get those subpoenas.  We went through this with our
> > local police department.  They wanted to make sure we were prepared and
> > wanted a test for the real time number capture on phone calls.  They didn't
> > mention they don't have any equipment on their side to connect the T1.
> >
> > Ask your local neighbors.  Some areas have a number of local federal
> > investigations.  If you get the deer in the headlights look from your
> > competition then you may never get one of these.
> >
> > The full data captures are rare.
> >
> > Kevin Burke
> > 802-540-0979
> > Burlington Telecom - City of Burlington
> > 200 Church St, Burlington, VT 05401
> >
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lorell
> Hathcock
> > Sent: Monday, March 14, 2016 4:47 PM
> > To: 'NANOG list' 
> > Subject: CALEA Requirements
> >
> > NANOG:
> >
> >
> >
> > Can someone point me to the current CALEA requirements?
> >
> >
> >
> > As an ISP, should I be recording all internet traffic that passes my
> > routers?  Or do I only have to record when and if I receive a court
> order?
> >
> >
> >
> > I'm not under any court order now, I just want to be sure that I am
> > compliant going forward in my capabilities.
> >
> >
> >
> > Thanks!
> >
> >
> >
> > Lorell Hathcock
> >
> >
>


RE: CALEA Requirements

2016-03-18 Thread Kevin Burke
Ignore it until you get the paperwork.  The local law enforcement cannot get a 
warrant for the real time, full data capture.  Only FBI or other national 
agencies can get those subpoenas.  We went through this with our local police 
department.  They wanted to make sure we were prepared and wanted a test for 
the real time number capture on phone calls.  They didn't mention they don't 
have any equipment on their side to connect the T1.  

Ask your local neighbors.  Some areas have a number of local federal 
investigations.  If you get the deer in the headlights look from your 
competition then you may never get one of these.

The full data captures are rare.

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lorell Hathcock
Sent: Monday, March 14, 2016 4:47 PM
To: 'NANOG list' 
Subject: CALEA Requirements

NANOG:

 

Can someone point me to the current CALEA requirements?

 

As an ISP, should I be recording all internet traffic that passes my routers?  
Or do I only have to record when and if I receive a court order?

 

I'm not under any court order now, I just want to be sure that I am compliant 
going forward in my capabilities.

 

Thanks!

 

Lorell Hathcock



E911 (was CALEA Requirements)

2016-03-14 Thread Todd Crane

While we're at it, can somebody point me on the right path for E911. I'm not 
looking for a managed service but rather an in-house solution.

Todd Crane

> On Mar 14, 2016, at 2:57 PM, Scott Weeks  wrote:
> 
> 
> 
> --- lor...@hathcock.org wrote:
> From: "Lorell Hathcock" 
> 
> Can someone point me to the current CALEA requirements?
> 
> As an ISP, should I be recording all internet traffic that passes my
> routers?  Or do I only have to record when and if I receive a court order?
> 
> I'm not under any court order now, I just want to be sure that I am
> compliant going forward in my capabilities.
> -
> 
> 
> This is something your company's lawyers should hash out.  
> That said, you shouldn't record anything unless forced to 
> do so.  It'll just make pervasive surveillance easier.
> 
> scott


Re: CALEA Requirements

2016-03-14 Thread Scott Weeks


--- lor...@hathcock.org wrote:
From: "Lorell Hathcock" 

Can someone point me to the current CALEA requirements?

As an ISP, should I be recording all internet traffic that passes my
routers?  Or do I only have to record when and if I receive a court order?

I'm not under any court order now, I just want to be sure that I am
compliant going forward in my capabilities.
-


This is something your company's lawyers should hash out.  
That said, you shouldn't record anything unless forced to 
do so.  It'll just make pervasive surveillance easier.

scott


CALEA Requirements

2016-03-14 Thread Lorell Hathcock
NANOG:

 

Can someone point me to the current CALEA requirements?

 

As an ISP, should I be recording all internet traffic that passes my
routers?  Or do I only have to record when and if I receive a court order?

 

I'm not under any court order now, I just want to be sure that I am
compliant going forward in my capabilities.

 

Thanks!

 

Lorell Hathcock



Re: What are y'all doing for CALEA compliance?

2013-07-04 Thread Warren Bailey
Palo Alto has zero support for anything LEA-wise past the 7200 if I recall. We 
spent a ton of money on ASRs and found out we needed to lawful intercept IOS 
which was only working/tested on a 7206vxr with a g2. Palo Alto is insanely 
expensive, and (in my opinion) is only really cool for seeing what kind of porn 
people are looking at. This was an international (literally, every country AND 
every body of water) and was required as every government on the planet wanted 
access to data from their flagged airplanes. It was cool, but not cool enough 
to be priced at what it is (the support and update costs were pretty intense on 
a larger deployment). Any deeper questions etc, reply off list.

Sent from my Mobile Device.


 Original message 
From: Eric G 
Date: 07/04/2013 11:23 AM (GMT-08:00)
To: Christopher Morrow 
Cc: NANOG list 
Subject: Re: What are y'all doing for CALEA compliance?


On Mar 15, 2013 11:37 AM, "Christopher Morrow" 
wrote:
>
> On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard  wrote:
> > God I want one of those PA firewalls just to play with in the lab. I
can't
> > justify the expense, but as far as firewalls go they're gorgeous. From
the
> > chassis to the UI, PA is just doing it right.
> >
> > If anyone has a different experience, I'd love to hear it.
>
> for any firewall/appliance .. ask this:
>   "How can I manage 200 of these things remotely"
>
> UI is pretty and nice and cool.. but utterly useless if you have more
> than 1 of the things.
> also, a firewall is a firewall is a firewall... they all do the basics
> (nat/filter/'proxy') nothing else in that category really matters...
> management matters.
>

I know I'm necro'ing a thread, but PA has a centralized management product
called Panorama. I threw up a Panorama VM the other day at work and I was
thoroughly impressed with how easy it was to set up ("establish SIC? What's
that?") and the slick management UI on Panorama that basically mirrors the
normal PA UI.

The App-ID thing that PA implemented *does* matter in my humble opinion...
being able to say "allow specifically traffic that looks and smells like
RADIUS" instead of "allow UDP 1812 and 1813" is neato

PA has had some rough edges (their client VPN solution for Windows and OSX
is not ready for prime time in my opinion) but this is one thing they
nailed.

Chris Morrow - if it's in your budget you can pick up a PA200 on eBay for
like $1k. I've only played with PA over the year and a half I've been with
my current employer, but they've got a neat product. I've been tempted to
buy one for the house even honestly... having URL filtering, SSL decrypt,
SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some
malware analysis (Wildfire) built right in is kind of compelling

--
Eric
http://linkedin.com/in/ericgearhart


Re: What are y'all doing for CALEA compliance?

2013-07-04 Thread Eric G
On Mar 15, 2013 11:37 AM, "Christopher Morrow" 
wrote:
>
> On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard  wrote:
> > God I want one of those PA firewalls just to play with in the lab. I
can't
> > justify the expense, but as far as firewalls go they're gorgeous. From
the
> > chassis to the UI, PA is just doing it right.
> >
> > If anyone has a different experience, I'd love to hear it.
>
> for any firewall/appliance .. ask this:
>   "How can I manage 200 of these things remotely"
>
> UI is pretty and nice and cool.. but utterly useless if you have more
> than 1 of the things.
> also, a firewall is a firewall is a firewall... they all do the basics
> (nat/filter/'proxy') nothing else in that category really matters...
> management matters.
>

I know I'm necro'ing a thread, but PA has a centralized management product
called Panorama. I threw up a Panorama VM the other day at work and I was
thoroughly impressed with how easy it was to set up ("establish SIC? What's
that?") and the slick management UI on Panorama that basically mirrors the
normal PA UI.

The App-ID thing that PA implemented *does* matter in my humble opinion...
being able to say "allow specifically traffic that looks and smells like
RADIUS" instead of "allow UDP 1812 and 1813" is neato

PA has had some rough edges (their client VPN solution for Windows and OSX
is not ready for prime time in my opinion) but this is one thing they
nailed.

Chris Morrow - if it's in your budget you can pick up a PA200 on eBay for
like $1k. I've only played with PA over the year and a half I've been with
my current employer, but they've got a neat product. I've been tempted to
buy one for the house even honestly... having URL filtering, SSL decrypt,
SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some
malware analysis (Wildfire) built right in is kind of compelling

--
Eric
http://linkedin.com/in/ericgearhart


Re: Mechanics of CALEA taps

2013-06-11 Thread Rick Robino
> Message: 1
> Date: Sun, 9 Jun 2013 18:59:16 -0400
> From: Randy Fischer 
> To: North American Network Operators Group 
> Subject: Mechanics of CALEA taps
> Message-ID:
>   
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer


Operators can choose to be involved, or they can choose not to be involved, 
according to the specs - the extent is ultimately up to them.  It is perhaps 
possible that some operators know nothing more about the intercepts happening 
on their network than what their bill tells them.  I can believe that but I 
would hope that it is rare.  Likewise, I believe that any operator who makes an 
effort to understand and have control over their network could be fooled so 
easily.

The CALEA tap mechanism does not necessarily work as you have outlined.  The 
telecom industry fought for and won two other options that give the operator 
more involvement and authority over the execution of the intercepts.

All of the options end up impacting your network, as you have to decide how to 
feed a copy of all of the data belonging to the subscriber(s) named in a 
warrant to a CALEA probe.  The probe drops all of the packets that don't belong 
to the subject, then it ASN.1-encodes the data and tunnels it over the public 
network to a law-enforcement agency (or their contractor).

That's generally how it works.  Once the taps and probes and mediation device 
are in place, it's just a matter of provisioning.  But that engineering is the 
tough part - after that just about all you see is the warrant itself, and then 
some phone calls and email from the law-enforcement folks setting up the 
transport stuff.  No lawyers visit, no law-enforcement officials visit, you 
just get a warrant and then how you handle it is up to you.

So if an operator chooses to engage themselves instead of handing control over 
to someone else, they can be quite sure of what is happening.  For reasons I 
don't quite understand, however, it doesn't seem like many operators who don't 
otherwise outsource ISP services do tend to outsource CALEA.

In my opinion, if you manage your own DNS and/or mail servers, you can handle 
CALEA.  Not only could it save you some money, but it gives you a discrete way 
to isolate test-traffic on your network with a more intuitive filter (i.e. 
subscriber name) than just an IP or a MAC address.*  If you live in wireshark 
all day then you will appreciate having the haystack separated from the needle 
before it enters your system.

The three options are:

1.  Rent CALEA gear - hand warrant to company X

2.  Build your own CALEA gear - evaluate and execute the warrant yourself.

3.  Buy company Y's gear - evaluate and execute the warrant yourself.

Obviously one could outsource the evaluation of a warrant to a third party;  
and sure you could probably have a private line between you and the LEA... the 
details vary, I am drawing a very generic picture here.

So, generally, the biggest problem is a technical one:  how to add this "tap" 
feature to your network - either with real physical taps or mirror-ports of 
some kind.  There are lots of such considerations and lots of options.  Once 
they're done you can probably make use of them for worthwhile operational 
purposes, but probably only with options 2 and 3.

The smaller problem is the legal one:  is a lawyer required to read the warrant 
and then make the provisioning call, or not?



* Disclosure:  I try not to be biased, but I do work for a vendor of a CALEA 
probe product, so "caveat lector".  Comments submitted here have nothing to do 
with my employer, however, and are provided only as a help to those that really 
don't know that they can and ought to be fully involved and aware of any "taps".


-- 
Rick Robino
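The minimization step Rick describes (the probe keeping only the subject's packets and dropping everything else before anything is encoded or sent on), written out as an added example; this is not his employer's product or any vendor's code. The Warrant structure, subscriber name, TEST-NET addresses and sample frames are constructed placeholders, and the ASN.1 encoding and delivery tunnel are left out.

```python
"""Minimization filter for a lawful-intercept probe (added illustration).

Everything copied to the probe is checked against the warrant's scope; only
frames to or from the named subscriber's addresses are kept, and nothing is
kept at all outside the order's validity window. Encoding and transport to
the agency are out of scope here.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Warrant:
    """Scope of an intercept order (hypothetical structure, not a legal form)."""
    subscriber: str
    addresses: frozenset      # IPv4 addresses assigned to the subscriber
    valid_from: datetime
    valid_until: datetime

    def active_at(self, when):
        return self.valid_from <= when < self.valid_until


def parse_ipv4_frame(frame):
    """Return (src, dst) IPv4 addresses of an Ethernet II frame, or None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version_ihl = ip[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])


def minimize(frames, warrant, now):
    """Keep frames to/from the subscriber's addresses; drop the rest.

    Returns (kept_frames, dropped_count). Outside the warrant's window every
    frame is dropped, so the probe never delivers traffic without a live order.
    """
    if not warrant.active_at(now):
        return [], len(frames)
    kept, dropped = [], 0
    for frame in frames:
        addrs = parse_ipv4_frame(frame)
        if addrs and (addrs[0] in warrant.addresses or addrs[1] in warrant.addresses):
            kept.append(frame)
        else:
            dropped += 1
    return kept, dropped


def build_frame(src, dst, payload=b""):
    """Construct a minimal Ethernet/IPv4 frame for the sample input below."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


# Constructed sample order: one subscriber, one address, a one-month window.
SAMPLE_WARRANT = Warrant(
    subscriber="subscriber-0001",                                  # placeholder
    addresses=frozenset({ipaddress.IPv4Address("192.0.2.10")}),    # TEST-NET-1
    valid_from=datetime.fromisoformat("2013-06-01T00:00:00+00:00"),
    valid_until=datetime.fromisoformat("2013-07-01T00:00:00+00:00"),
)

# Constructed sample traffic as seen on a mirror port: two subject flows and
# two flows from other customers that must never leave the probe.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.5", b"subject outbound"),
    build_frame("198.51.100.5", "192.0.2.10", b"subject inbound"),
    build_frame("192.0.2.11", "198.51.100.5", b"neighbour, dropped"),
    build_frame("192.0.2.12", "192.0.2.13", b"unrelated, dropped"),
]


def demo(now_iso="2013-06-09T00:00:00+00:00"):
    """Run the filter at a given time; returns (kept_count, dropped_count)."""
    kept, dropped = minimize(SAMPLE_FRAMES, SAMPLE_WARRANT,
                             datetime.fromisoformat(now_iso))
    return len(kept), dropped


if __name__ == "__main__":
    print(demo())            # inside the window: (2, 2)
    print(demo("2013-08-01T00:00:00+00:00"))  # after expiry: (0, 4)
```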



RE: Mechanics of CALEA taps

2013-06-10 Thread Warren Bailey
The only calea intercept I watched take place was with a system made by 
Sandvine.. And it was pretty shocking.


Sent from my Mobile Device.


 Original message 
From: Dennis Burgess 
Date: 06/10/2013 6:25 AM (GMT-08:00)
To: Randy Fischer ,nanog@nanog.org
Subject: RE: Mechanics of CALEA taps


While it's possible to do this, you would have to have a device that would not 
impact performance typically at every exit point, but in a perfect world it 
would be on the client's CPE device!  Our wireless CPEs can do this.  I 
would not that a business model to not bill until a request is completed would 
work due to the amount of hardware that x company would have to put out.

Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second 
Edition"
 Link Technologies, Inc -- Mikrotik & WISP Support Services
 Office: 314-735-0270 Website: http://www.linktechs.net - Skype: linktechs
 -- Create Wireless Coverage's with www.towercoverage.com - 900Mhz - LTE - 3G - 
3.65 - TV Whitespace

-Original Message-
From: Randy Fischer [mailto:randy.fisc...@gmail.com]
Sent: Sunday, June 09, 2013 5:59 PM
To: North American Network Operators Group
Subject: Mechanics of CALEA taps

Dear nanog:

Honestly, I expect replies to this question to range between zero and none, but 
I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

 * we outsource our CALEA management to company X
 * we don't even know there's been a request until we've gotten a bill from X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer



RE: Mechanics of CALEA taps

2013-06-10 Thread Dennis Burgess
While it's possible to do this, you would have to have a device that would not 
impact performance typically at every exit point, but in a perfect world it 
would be on the client's CPE device!  Our wireless CPEs can do this.  I 
would not that a business model to not bill until a request is completed would 
work due to the amount of hardware that x company would have to put out.  

Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second 
Edition"
 Link Technologies, Inc -- Mikrotik & WISP Support Services
 Office: 314-735-0270 Website: http://www.linktechs.net - Skype: linktechs
 -- Create Wireless Coverage's with www.towercoverage.com - 900Mhz - LTE - 3G - 
3.65 - TV Whitespace

-Original Message-
From: Randy Fischer [mailto:randy.fisc...@gmail.com] 
Sent: Sunday, June 09, 2013 5:59 PM
To: North American Network Operators Group
Subject: Mechanics of CALEA taps

Dear nanog:

Honestly, I expect replies to this question to range between zero and none, but 
I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

 * we outsource our CALEA management to company X
 * we don't even know there's been a request until we've gotten a bill from X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer



Re: Mechanics of CALEA taps

2013-06-09 Thread Matthew Kaufman
It is possible, and not just for "ISPs"

Matthew Kaufman

(Sent from my iPhone)

On Jun 9, 2013, at 3:59 PM, Randy Fischer  wrote:

> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer



Re: Mechanics of CALEA taps

2013-06-09 Thread Jon Lewis

On Sun, 9 Jun 2013, Randy Fischer wrote:


Dear nanog:

Honestly, I expect replies to this question to range between zero and none,
but I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

* we outsource our CALEA management to company X
* we don't even know there's been a request until we've gotten a bill from
X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?


Inconceivable!  That'd be like having your security system monitoring 
company able to eavesdrop on your house any time they want, just in case.

Come to think of it, the latest greatest systems are capable of that.

It sounds so stupid to me, I bet someone's doing it.

--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Mechanics of CALEA taps

2013-06-09 Thread Christopher Morrow
(from back when I cared more about calea as an implementor)

On Sun, Jun 9, 2013 at 8:15 PM, Alex Rubenstein  wrote:
>> Honestly, I expect replies to this question to range between zero and none,
>> but I have to ask it.
>
> Surprise!

me too!

>
>> I understand the CALEA tap mechanism for most ISPs, generally, works like
>> this:
>>
>>  * we outsource our CALEA management to company X
>>  * we don't even know there's been a request until we've gotten a bill from 
>> X.
>
> I've never even thought of the idea of outsourcing CALEA requests. That is 
> probably because I would never consider doing it.
>
> Perhaps we are in the minority, but we scrutinize every request of any sort 
> to ensure it has jurisdiction and is valid. I can't even fathom the thought 
> of trusting a third party for this.
>

agreed, since most of the tap-work actually requires changes on
network equipment in the network you run, why would you outsource
this? Especially when the taps impact forwarding performance of the
platforms in question...



RE: Mechanics of CALEA taps

2013-06-09 Thread Alex Rubenstein
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.

Surprise!

 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
>  * we outsource our CALEA management to company X
>  * we don't even know there's been a request until we've gotten a bill from X.

I've never even thought of the idea of outsourcing CALEA requests. That is 
probably because I would never consider doing it.

Perhaps we are in the minority, but we scrutinize every request of any sort to 
ensure it has jurisdiction and is valid. I can't even fathom the thought of 
trusting a third party for this.





Mechanics of CALEA taps

2013-06-09 Thread Randy Fischer
Dear nanog:

Honestly, I expect replies to this question to range between zero and none,
but I have to ask it.

I understand the CALEA tap mechanism for most ISPs, generally, works like
this:

 * we outsource our CALEA management to company X
 * we don't even know there's been a request until we've gotten a bill from
X.

And that's the extent of it.

Well, golly Slothrop, maybe someone else has started picking up the tab.
Would you even know?

Is that possible?

Thanks,

Randy Fischer


Re: What are y'all doing for CALEA compliance?

2013-03-16 Thread Steven Bellovin

On Mar 15, 2013, at 9:38 AM, Ben Bartsch  wrote:

> Is there actually any teeth to the law? 

Find a real lawyer and show her/him 
http://www.law.cornell.edu/uscode/text/18/2522


--Steve Bellovin, https://www.cs.columbia.edu/~smb



Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Ben Bartsch
Thanks to everyone who replied on and off list today.  I found a wide range
of opinions on CALEA.  I did have one person give me a very specific
example of a vendor that can ensure compliance, which is really what I was
after.

See y'all on Bourbon Street in June!

-ben

On Fri, Mar 15, 2013 at 10:36 AM, Warren Bailey <
wbai...@satelliteintelligencegroup.com> wrote:

> Seemed legit to me. I'm a satellite guy, so the Palo Alto gear was really
> for me to look at the traffic profiles. They did a killer job classifying
> traffic though, and I guess they update the rules every couple days?
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
>  Original message 
> From: Joshua Goldbard 
> Date: 03/15/2013 8:33 AM (GMT-08:00)
> To: Warren Bailey 
> Cc: Christopher Morrow ,NANOG 
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> God I want one of those PA firewalls just to play with in the lab. I can't
> justify the expense, but as far as firewalls go they're gorgeous. From the
> chassis to the UI, PA is just doing it right.
>
> If anyone has a different experience, I'd love to hear it.
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:29 AM, "Warren Bailey" <wbai...@satelliteintelligencegroup.com> wrote:
>
> We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo
> Alto. Worked okay, never did have to execute a warrant or anything.
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
>  Original message 
> From: Joshua Goldbard <j...@2600hz.com>
> Date: 03/15/2013 8:25 AM (GMT-08:00)
> To: Christopher Morrow <morrowc.li...@gmail.com>
> Cc: NANOG <nanog@nanog.org>
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> I am not a lawyer, this is not legal advice. If you make decisions about
> what you should be doing in your business based solely on emails from
> strangers you won't do well. Get a second opinion from a lawyer.
>
> This comes up about once every 6 months on the voice ops mailing list. If
> you are a CLEC and you are not CALEA compliant, you are in for a world of
> hurt.
>
> If you're a non-facilities based reseller this is open for interpretation,
> but many folks believe that if you don't have gear inside the carrier pops,
> you aren't subject to CALEA. In practice, who is and who isn't affected by
> CALEA is directly proportional to the number of CALEA requests to your
> network (ergo, if you don't have any CALEA requests no one cares if you're
> out of compliance).
>
> That being said, there are further problems underfoot. CALEA does not
> specify what technologies should be used when presenting the data to law
> enforcement, I forget the exact wording but it's something like "a
> reasonable format". CDRs are not sufficient as CALEA requires the ability
> to tap sessions, but in the past we've seen most legal requests placated
> with an Excel sheet.
>
> As far as monitoring your connection, if your 10gig is coming in over
> fiber you should just buy a vampire tap and be done with it.
>
> I hope this helps, but CALEA is inherently messy.
>
> Cheers,
> Joshua
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.li...@gmail.com> wrote:
>
> > On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcable...@gmail.com> wrote:
> >> What are you RENs out there doing for CALEA compliance?  Is there
> actually
> >
> > being happy we solved it 6 yrs ago?
> >
> >> any teeth to the law?  Our systems guys have tried a product called
> 'Open
> >
> > teeth as in the 100k/day fine?
> >
> >> CALEA' but the router and the server simply can't keep up with mirroring
> >> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
> >
> > that seems like a suboptimal design ... why would you mirror 10lbs of
> > poo into a 1lb bag? that seems like it's bound to fail from the
> > get-go.
> >
> >> either... any lawyers on this list?
> >
> > you should find a lawyer... srsly.
> >
> >> Thanks for all the great advice.  This is a great community!
> >
> > -chris
> >
>
>
>


Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Warren Bailey
Seemed legit to me. I'm a satellite guy, so the Palo Alto gear was really for 
me to look at the traffic profiles. They did a killer job classifying traffic 
though, and I guess they update the rules every couple days?


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Joshua Goldbard 
Date: 03/15/2013 8:33 AM (GMT-08:00)
To: Warren Bailey 
Cc: Christopher Morrow ,NANOG 
Subject: Re: What are y'all doing for CALEA compliance?


God I want one of those PA firewalls just to play with in the lab. I can't 
justify the expense, but as far as firewalls go they're gorgeous. From the 
chassis to the UI, PA is just doing it right.

If anyone has a different experience, I'd love to hear it.

Sent from my iPad

On Mar 15, 2013, at 8:29 AM, "Warren Bailey" <wbai...@satelliteintelligencegroup.com> wrote:

We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo 
Alto. Worked okay, never did have to execute a warrant or anything.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Joshua Goldbard <j...@2600hz.com>
Date: 03/15/2013 8:25 AM (GMT-08:00)
To: Christopher Morrow <morrowc.li...@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: What are y'all doing for CALEA compliance?


I am not a lawyer, this is not legal advice. If you make decisions about what 
you should be doing in your business based solely on emails from strangers you 
won't do well. Get a second opinion from a lawyer.

This comes up about once every 6 months on the voice ops mailing list. If you 
are a CLEC and you are not CALEA compliant, you are in for a world of hurt.

If you're a non-facilities based reseller this is open for interpretation, but 
many folks believe that if you don't have gear inside the carrier pops, you 
aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is 
directly proportional to the number of CALEA requests to your network (ergo, if 
you don't have any CALEA requests no one cares if you're out of compliance).

That being said, there are further problems underfoot. CALEA does not specify 
what technologies should be used when presenting the data to law enforcement, I 
forget the exact wording but it's something like "a reasonable format". CDRs are 
not sufficient as CALEA requires the ability to tap sessions, but in the past 
we've seen most legal requests placated with an Excel sheet.

As far as monitoring your connection, if your 10gig is coming in over fiber you 
should just buy a vampire tap and be done with it.

I hope this helps, but CALEA is inherently messy.

Cheers,
Joshua

Sent from my iPad

On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.li...@gmail.com> wrote:

> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcable...@gmail.com> wrote:
>> What are you RENs out there doing for CALEA compliance?  Is there actually
>
> being happy we solved it 6 yrs ago?
>
>> any teeth to the law?  Our systems guys have tried a product called 'Open
>
> teeth as in the 100k/day fine?
>
>> CALEA' but the router and the server simply can't keep up with mirroring
>> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
>
> that seems like a suboptimal design ... why would you mirror 10lbs of
> poo into a 1lb bag? that seems like it's bound to fail from the
> get-go.
>
>> either... any lawyers on this list?
>
> you should find a lawyer... srsly.
>
>> Thanks for all the great advice.  This is a great community!
>
> -chris
>




Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Christopher Morrow
On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard  wrote:
> God I want one of those PA firewalls just to play with in the lab. I can't
> justify the expense, but as far as firewalls go they're gorgeous. From the
> chassis to the UI, PA is just doing it right.
>
> If anyone has a different experience, I'd love to hear it.

for any firewall/appliance .. ask this:
  "How can I manage 200 of these things remotely"

UI is pretty and nice and cool.. but utterly useless if you have more
than 1 of the things.
also, a firewall is a firewall is a firewall... they all do the basics
(nat/filter/'proxy') nothing else in that category really matters...
management matters.

>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:29 AM, "Warren Bailey"
>  wrote:
>
> We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo
> Alto. Worked okay, never did have to execute a warrant or anything.
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
>  Original message 
> From: Joshua Goldbard 
> Date: 03/15/2013 8:25 AM (GMT-08:00)
> To: Christopher Morrow 
> Cc: NANOG 
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> I am not a lawyer, this is not legal advice. If you make decisions about
> what you should be doing in your business based solely on emails from
> strangers you won't do well. Get a second opinion from a lawyer.
>
> This comes up about once every 6 months on the voice ops mailing list. If
> you are a CLEC and you are not CALEA compliant, you are in for a world of
> hurt.
>
> If you're a non-facilities based reseller this is open for interpretation,
> but many folks believe that if you don't have gear inside the carrier pops,
> you aren't subject to CALEA. In practice, who is and who isn't affected by
> CALEA is directly proportional to the number of CALEA requests to your
> network (ergo, if you don't have any CALEA requests no one cares if you're
> out of compliance).
>
> That being said, there are further problems underfoot. CALEA does not
> specify what technologies should be used when presenting the data to law
> enforcement, I forget the exact wording but it's something like "a reasonable
> format". CDRs are not sufficient as CALEA requires the ability to tap
> sessions, but in the past we've seen most legal requests placated with an
> Excel sheet.
>
> As far as monitoring your connection, if your 10gig is coming in over fiber
> you should just buy a vampire tap and be done with it.
>
> I hope this helps, but CALEA is inherently messy.
>
> Cheers,
> Joshua
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" 
> wrote:
>
>> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch  wrote:
>>> What are you RENs out there doing for CALEA compliance?  Is there
>>> actually
>>
>> being happy we solved it 6 yrs ago?
>>
>>> any teeth to the law?  Our systems guys have tried a product called 'Open
>>
>> teeth as in the 100k/day fine?
>>
>>> CALEA' but the router and the server simply can't keep up with mirroring
>>> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
>>
>> that seems like a suboptimal design ... why would you mirror 10lbs of
>> poo into a 1lb bag? that seems like it's bound to fail from the
>> get-go.
>>
>>> either... any lawyers on this list?
>>
>> you should find a lawyer... srsly.
>>
>>> Thanks for all the great advice.  This is a great community!
>>
>> -chris
>>
>
>



Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Joshua Goldbard
God I want one of those PA firewalls just to play with in the lab. I can't 
justify the expense, but as far as firewalls go they're gorgeous. From the 
chassis to the UI, PA is just doing it right.

If anyone has a different experience, I'd love to hear it.

Sent from my iPad

On Mar 15, 2013, at 8:29 AM, "Warren Bailey" <wbai...@satelliteintelligencegroup.com> wrote:

We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo 
Alto. Worked okay, never did have to execute a warrant or anything.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Joshua Goldbard <j...@2600hz.com>
Date: 03/15/2013 8:25 AM (GMT-08:00)
To: Christopher Morrow <morrowc.li...@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: What are y'all doing for CALEA compliance?


I am not a lawyer, this is not legal advice. If you make decisions about what 
you should be doing in your business based solely on emails from strangers you 
won't do well. Get a second opinion from a lawyer.

This comes up about once every 6 months on the voice ops mailing list. If you 
are a CLEC and you are not CALEA compliant, you are in for a world of hurt.

If you're a non-facilities based reseller this is open for interpretation, but 
many folks believe that if you don't have gear inside the carrier pops, you 
aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is 
directly proportional to the number of CALEA requests to your network (ergo, if 
you don't have any CALEA requests no one cares if you're out of compliance).

That being said, there are further problems underfoot. CALEA does not specify 
what technologies should be used when presenting the data to law enforcement, I 
forget the exact wording but it's something like "a reasonable format". CDRs are 
not sufficient as CALEA requires the ability to tap sessions, but in the past 
we've seen most legal requests placated with an Excel sheet.

As far as monitoring your connection, if your 10gig is coming in over fiber you 
should just buy a vampire tap and be done with it.

I hope this helps, but CALEA is inherently messy.

Cheers,
Joshua

Sent from my iPad

On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.li...@gmail.com> wrote:

> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcable...@gmail.com> wrote:
>> What are you RENs out there doing for CALEA compliance?  Is there actually
>
> being happy we solved it 6 yrs ago?
>
>> any teeth to the law?  Our systems guys have tried a product called 'Open
>
> teeth as in the 100k/day fine?
>
>> CALEA' but the router and the server simply can't keep up with mirroring
>> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
>
> that seems like a suboptimal design ... why would you mirror 10lbs of
> poo into a 1lb bag? that seems like it's bound to fail from the
> get-go.
>
>> either... any lawyers on this list?
>
> you should find a lawyer... srsly.
>
>> Thanks for all the great advice.  This is a great community!
>
> -chris
>




Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Warren Bailey
We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo 
Alto. Worked okay, never did have to execute a warrant or anything.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Joshua Goldbard 
Date: 03/15/2013 8:25 AM (GMT-08:00)
To: Christopher Morrow 
Cc: NANOG 
Subject: Re: What are y'all doing for CALEA compliance?


I am not a lawyer, this is not legal advice. If you make decisions about what 
you should be doing in your business based solely on emails from strangers you 
won't do well. Get a second opinion from a lawyer.

This comes up about once every 6 months on the voice ops mailing list. If you 
are a CLEC and you are not CALEA compliant, you are in for a world of hurt.

If you're a non-facilities based reseller this is open for interpretation, but 
many folks believe that if you don't have gear inside the carrier pops, you 
aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is 
directly proportional to the number of CALEA requests to your network (ergo, if 
you don't have any CALEA requests no one cares if you're out of compliance).

That being said, there are further problems underfoot. CALEA does not specify 
what technologies should be used when presenting the data to law enforcement, I 
forget the exact wording but it's something like "a reasonable format". CDRs are 
not sufficient as CALEA requires the ability to tap sessions, but in the past 
we've seen most legal requests placated with an Excel sheet.

As far as monitoring your connection, if your 10gig is coming in over fiber you 
should just buy a vampire tap and be done with it.

I hope this helps, but CALEA is inherently messy.

Cheers,
Joshua

Sent from my iPad

On Mar 15, 2013, at 8:07 AM, "Christopher Morrow"  
wrote:

> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch  wrote:
>> What are you RENs out there doing for CALEA compliance?  Is there actually
>
> being happy we solved it 6 yrs ago?
>
>> any teeth to the law?  Our systems guys have tried a product called 'Open
>
> teeth as in the 100k/day fine?
>
>> CALEA' but the router and the server simply can't keep up with mirroring
>> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
>
> that seems like a suboptimal design ... why would you mirror 10lbs of
> poo into a 1lb bag? that seems like it's bound to fail from the
> get-go.
>
>> either... any lawyers on this list?
>
> you should find a lawyer... srsly.
>
>> Thanks for all the great advice.  This is a great community!
>
> -chris
>




Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Joshua Goldbard
I am not a lawyer, this is not legal advice. If you make decisions about what 
you should be doing in your business based solely on emails from strangers you 
won't do well. Get a second opinion from a lawyer.

This comes up about once every 6 months on the voice ops mailing list. If you 
are a CLEC and you are not CALEA compliant, you are in for a world of hurt.

If you're a non-facilities based reseller this is open for interpretation, but 
many folks believe that if you don't have gear inside the carrier pops, you 
aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is 
directly proportional to the number of CALEA requests to your network (ergo, if 
you don't have any CALEA requests no one cares if you're out of compliance).

That being said, there are further problems underfoot. CALEA does not specify 
what technologies should be used when presenting the data to law enforcement, I 
forget the exact wording but it's something like "a reasonable format". CDRs are 
not sufficient as CALEA requires the ability to tap sessions, but in the past 
we've seen most legal requests placated with an Excel sheet.

As far as monitoring your connection, if your 10gig is coming in over fiber you 
should just buy a vampire tap and be done with it.

I hope this helps, but CALEA is inherently messy.

Cheers,
Joshua

Sent from my iPad

On Mar 15, 2013, at 8:07 AM, "Christopher Morrow"  
wrote:

> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch  wrote:
>> What are you RENs out there doing for CALEA compliance?  Is there actually
> 
> being happy we solved it 6 yrs ago?
> 
>> any teeth to the law?  Our systems guys have tried a product called 'Open
> 
> teeth as in the 100k/day fine?
> 
>> CALEA' but the router and the server simply can't keep up with mirroring
>> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
> 
> that seems like a suboptimal design ... why would you mirror 10lbs of
> poo into a 1lb bag? that seems like it's bound to fail from the
> get-go.
> 
>> either... any lawyers on this list?
> 
> you should find a lawyer... srsly.
> 
>> Thanks for all the great advice.  This is a great community!
> 
> -chris
> 



Re: What are y'all doing for CALEA compliance?

2013-03-15 Thread Christopher Morrow
On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch  wrote:
> What are you RENs out there doing for CALEA compliance?  Is there actually

being happy we solved it 6 yrs ago?

> any teeth to the law?  Our systems guys have tried a product called 'Open

teeth as in the 100k/day fine?

> CALEA' but the router and the server simply can't keep up with mirroring
> from a 10Gbps connection into a 1Gbps link.  I'm no legal expert

that seems like a suboptimal design ... why would you mirror 10lbs of
poo into a 1lb bag? that seems like it's bound to fail from the
get-go.

> either... any lawyers on this list?

you should find a lawyer... srsly.

> Thanks for all the great advice.  This is a great community!

-chris



What are y'all doing for CALEA compliance?

2013-03-15 Thread Ben Bartsch
What are you RENs out there doing for CALEA compliance?  Is there actually
any teeth to the law?  Our systems guys have tried a product called 'Open
CALEA' but the router and the server simply can't keep up with mirroring
from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
either... any lawyers on this list?

Thanks for all the great advice.  This is a great community!

-ben


Re: CALEA options for small/midsize ISPs

2013-01-21 Thread Jay Ashworth
- Original Message -
> From: "Jimmy Hess" 

> Forget about FCC civil penalties: the LEA may start arresting
> managers responsible for refusal, on the charges of obstruction, due
> to interfering with an investigation.
> 
> People might talk about refusing to process a CALEA warrant.
> 
> IF/when they do receive such a lawful order: I am almost positive
> they will respond in some way other than a refusal to attempt to
> comply.
> 
> So that's probably why it's not likely we will hear of a refusal
> occurring, at least for a long time

Yes, "constructive" refusal is much harder to prove.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Jimmy Hess
On 1/20/13, Warren Bailey  wrote:
[snip]
> want to play ball, they take what you give with a smile. I would be
> curious to see what would happen if a lawful intercept request came
> through and the service provider refused to process it. I have been a

The LEAs might be flexible in how they are willing to take the data.
But it would be a very dangerous proposition indeed to outright
'refuse'; I am sure most organizations would be exhausting every
reasonable course to satisfy the requirements of the order.

Forget about FCC civil penalties: the LEA may start arresting
managers responsible for refusal, on the charges of obstruction, due
to interfering with an investigation.

People might talk about refusing to process a CALEA warrant.

IF/when they do receive such a lawful order: I am almost positive
they will respond in some way other than a refusal to attempt to
comply.


So that's probably why it's not likely we will hear of a refusal
occurring, at least for a long time

> On 1/20/13 8:10 PM, "Justin Wilson"  wrote:
[snip]
--
-JH



Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Warren Bailey
I have yet to see a lot of networks in TRUE compliance with CALEA
requirements. Most of the time, it's some intermediate box that is doing a
netflow-esque imports from routers that net/j/xyzflow normally. The only
issue I/we ever ran into was how to in fact process the LEA request for an
actual CALEA intercept (as you pointed out, there are differences). At the
end of the day, I'm not totally convinced there is a completely tried and
true way to get it out. The burden is on the SP to show some level of
compliance, which I think is probably done pretty well at the end of the
day. The CALEA equipment is often very expensive, and often the expense is
just not feasible to many small to mid-sized ISPs.

On another note, the CALEA for telephony is absolutely rock solid. They
can include Side A and Side B (to show a party was indeed talking on the
phone for evidence purposes), they can have the switch center
automatically call the LEA to listen in on the conversation in real time.
All said, the phone guys have been processing wire taps and LEA requests
for years, and do it on a fairly regular basis. I have never actually seen
a real life CALEA request for real time interception of data (not saying
they don't exist), so I have little experience in actually pressing the
button. I think as long as you're showing the local/state/feds that you
want to play ball, they take what you give with a smile. I would be
curious to see what would happen if a lawful intercept request came
through and the service provider refused to process it. I have been a
party to many discussions as to the application of CALEA and most people
believe (rightly or not) they are not required to comply.

On 1/20/13 8:10 PM, "Justin Wilson"  wrote:

>   I agree with the TTP taking the IP traffic.  They simply re-package it
>for the LEA.
>
>   It's up to the LEA to take the traffic flow or not. If it's a true CALEA
>warrant, not a normal wire tap, the defense could argue they did not
>follow protocol.
>
>   Justin
>
>
>-Original Message-
>From: Frank Bulk 
>Date: Sunday, January 20, 2013 11:03 PM
>To: Justin Wilson , 
>Subject: RE: CALEA options for small/midsize ISPs
>
>>Our Trusted Third Party (TTP) asked us to IP Traffic Export.  As others
>>commented in this forum, the LEAs are not looking for SPs to replace their
>>entire networks to create an ideal CALEA-compliant environment.  It's my
>>understanding that LEA will take a Cisco IP Traffic Export flow.
>>
>>Frank
>>
>>-Original Message-
>>From: Justin Wilson [mailto:li...@mtin.net]
>>Sent: Sunday, January 20, 2013 9:54 PM
>>To: nanog@nanog.org
>>Subject: Re: CALEA options for small/midsize ISPs
>>
>>  I don't see any mention of CALEA. A traffic dump won't satisfy a
>>CALEA
>>warrant.
>>
>>  Justin
>>
>>
>>-Original Message-
>>From: Frank Bulk 
>>Date: Sunday, January 20, 2013 10:31 PM
>>To: 'Warren Bailey' , Byron
>>Hooper
>>, 
>>Subject: RE: CALEA options for small/midsize ISPs
>>
>>>Another option is the IP traffic export option.
>>>http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.
>>>h
>>>t
>>>ml
>>>
>>>Frank
>>>
>>>-Original Message-
>>>From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>>>Sent: Sunday, January 20, 2013 6:34 PM
>>>To: Byron Hooper; nanog@nanog.org
>>>Subject: RE: CALEA options for small/midsize ISPs
>>>
>>>We used Cisco for lawful intercept.. Their mibs are wanky and at the
>>>time
>>>only the 7206 was supported for the LI functionality. Food for thought.
>>>
>>>
>>>From my Android phone on T-Mobile. The first nationwide 4G network.
>>>
>>>
>>>
>>> Original message 
>>>From: Byron Hooper 
>>>Date: 01/20/2013 3:00 PM (GMT-08:00)
>>>To: nanog@nanog.org
>>>Subject: CALEA options for small/midsize ISPs
>>>
>>>
>>>Hello All,
>>>
>>>My company is looking at updating our CALEA set up.  Our network has
>>>changed appreciably since our initial rollout and I am looking at
>>>utilizing
>>>Cisco's Lawful Intercept.  I'm wondering what people are using as
>>>"Mediator
>>>Devices", aka what the Cisco routers are sending the Lawful Intercept
>>>stream to.
>>>
>>>Cisco's Lawful Intercept seems like a solid option since all it requires
>>>for us is an IOS upgrade on our core routers and something to act as a
>>>Mediator, but I'm also interested in solutions others are using.
>>>
>>>
>>>
>>>--
>>>Byron Hooper
>>>Network Engineer
>>>GWI
>>>8 Pomerleau Street
>>>Biddeford, ME 04005
>>>Office & Cell: (207) 602-1215
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>


Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Justin Wilson
I agree with the TTP taking the IP traffic.  They simply re-package it
for the LEA.

It's up to the LEA to take the traffic flow or not. If it's a true CALEA
warrant, not a normal wire tap, the defense could argue they did not
follow protocol.

Justin


-Original Message-
From: Frank Bulk 
Date: Sunday, January 20, 2013 11:03 PM
To: Justin Wilson , 
Subject: RE: CALEA options for small/midsize ISPs

>Our Trusted Third Party (TTP) asked us to IP Traffic Export.  As others
>commented in this forum, the LEAs are not looking for SPs to replace their
>entire networks to create an ideal CALEA-compliant environment.  It's my
>understanding that LEA will take a Cisco IP Traffic Export flow.
>
>Frank
>
>-Original Message-
>From: Justin Wilson [mailto:li...@mtin.net]
>Sent: Sunday, January 20, 2013 9:54 PM
>To: nanog@nanog.org
>Subject: Re: CALEA options for small/midsize ISPs
>
>   I don't see any mention of CALEA. A traffic dump won't satisfy a
>CALEA
>warrant.
>
>   Justin
>
>
>-Original Message-
>From: Frank Bulk 
>Date: Sunday, January 20, 2013 10:31 PM
>To: 'Warren Bailey' , Byron Hooper
>, 
>Subject: RE: CALEA options for small/midsize ISPs
>
>>Another option is the IP traffic export option.
>>http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.h
>>t
>>ml
>>
>>Frank
>>
>>-Original Message-
>>From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>>Sent: Sunday, January 20, 2013 6:34 PM
>>To: Byron Hooper; nanog@nanog.org
>>Subject: RE: CALEA options for small/midsize ISPs
>>
>>We used Cisco for lawful intercept.. Their mibs are wanky and at the time
>>only the 7206 was supported for the LI functionality. Food for thought.
>>
>>
>>From my Android phone on T-Mobile. The first nationwide 4G network.
>>
>>
>>
>> Original message 
>>From: Byron Hooper 
>>Date: 01/20/2013 3:00 PM (GMT-08:00)
>>To: nanog@nanog.org
>>Subject: CALEA options for small/midsize ISPs
>>
>>
>>Hello All,
>>
>>My company is looking at updating our CALEA set up.  Our network has
>>changed appreciably since our initial rollout and I am looking at
>>utilizing
>>Cisco's Lawful Intercept.  I'm wondering what people are using as
>>"Mediator
>>Devices", aka what the Cisco routers are sending the Lawful Intercept
>>stream to.
>>
>>Cisco's Lawful Intercept seems like a solid option since all it requires
>>for us is an IOS upgrade on our core routers and something to act as a
>>Mediator, but I'm also interested in solutions others are using.
>>
>>
>>
>>--
>>Byron Hooper
>>Network Engineer
>>GWI
>>8 Pomerleau Street
>>Biddeford, ME 04005
>>Office & Cell: (207) 602-1215
>>
>>
>>
>>
>
>
>
>
>


RE: CALEA options for small/midsize ISPs

2013-01-20 Thread Frank Bulk
Our Trusted Third Party (TTP) asked us to IP Traffic Export.  As others
commented in this forum, the LEAs are not looking for SPs to replace their
entire networks to create an ideal CALEA-compliant environment.  It's my
understanding that LEA will take a Cisco IP Traffic Export flow.

Frank

-Original Message-
From: Justin Wilson [mailto:li...@mtin.net] 
Sent: Sunday, January 20, 2013 9:54 PM
To: nanog@nanog.org
Subject: Re: CALEA options for small/midsize ISPs

I don't see any mention of CALEA. A traffic dump won't satisfy a
CALEA
warrant.

Justin


-Original Message-
From: Frank Bulk 
Date: Sunday, January 20, 2013 10:31 PM
To: 'Warren Bailey' , Byron Hooper
, 
Subject: RE: CALEA options for small/midsize ISPs

>Another option is the IP traffic export option.
>http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.ht
>ml
>
>Frank
>
>-Original Message-
>From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>Sent: Sunday, January 20, 2013 6:34 PM
>To: Byron Hooper; nanog@nanog.org
>Subject: RE: CALEA options for small/midsize ISPs
>
>We used Cisco for lawful intercept.. Their mibs are wanky and at the time
>only the 7206 was supported for the LI functionality. Food for thought.
>
>
>From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> Original message 
>From: Byron Hooper 
>Date: 01/20/2013 3:00 PM (GMT-08:00)
>To: nanog@nanog.org
>Subject: CALEA options for small/midsize ISPs
>
>
>Hello All,
>
>My company is looking at updating our CALEA set up.  Our network has
>changed appreciably since our initial rollout and I am looking at
>utilizing
>Cisco's Lawful Intercept.  I'm wondering what people are using as
>"Mediator
>Devices", aka what the Cisco routers are sending the Lawful Intercept
>stream to.
>
>Cisco's Lawful Intercept seems like a solid option since all it requires
>for us is an IOS upgrade on our core routers and something to act as a
>Mediator, but I'm also interested in solutions others are using.
>
>
>
>--
>Byron Hooper
>Network Engineer
>GWI
>8 Pomerleau Street
>Biddeford, ME 04005
>Office & Cell: (207) 602-1215
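The IP Traffic Export feature Frank refers to above, shown as a constructed IOS configuration sketch added here (not from the thread or from Cisco's documentation; the interface names, ACL number, subscriber address, mediator MAC address and the exact command syntax are assumptions to check against the IOS release in use):

```cisco
! Constructed example: mirror a single subscriber's traffic to a mediation
! device with IOS IP Traffic Export. All names and addresses are assumed.
!
! Restrict the export to the one subscriber named in the order, in both
! directions, so the mediator never receives other customers' traffic.
access-list 150 permit ip host 192.0.2.10 any
access-list 150 permit ip any host 192.0.2.10
!
ip traffic-export profile LI-EXPORT
 ! egress interface toward the mediation device and its MAC address
 interface GigabitEthernet0/2
 mac-address 0011.2233.4455
 ! export packets entering and leaving the monitored interface,
 ! filtered by the subscriber ACL in each direction
 bidirectional
 incoming access-list 150
 outgoing access-list 150
!
! apply the profile on the interface the subscriber's traffic passes through
interface GigabitEthernet0/1
 ip traffic-export apply LI-EXPORT
!
! check that the profile is active and that exported packet counters increase
! show ip traffic-export
```

The mirrored stream is only the raw packet feed; the mediation device still has to deliver it in the format the LEA requires, which is the distinction Justin draws between a traffic dump and what satisfies a warrant.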








Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Justin Wilson
I don't see any mention of CALEA. A traffic dump won't satisfy a CALEA
warrant.

Justin


-Original Message-
From: Frank Bulk 
Date: Sunday, January 20, 2013 10:31 PM
To: 'Warren Bailey' , Byron Hooper
, 
Subject: RE: CALEA options for small/midsize ISPs

>Another option is the IP traffic export option.
>http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.html
>
>Frank
>
>-Original Message-
>From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>Sent: Sunday, January 20, 2013 6:34 PM
>To: Byron Hooper; nanog@nanog.org
>Subject: RE: CALEA options for small/midsize ISPs
>
>We used Cisco for lawful intercept.. Their MIBs are wanky and at the time
>only the 7206 was supported for the LI functionality. Food for thought.
>
>
>From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> Original message 
>From: Byron Hooper 
>Date: 01/20/2013 3:00 PM (GMT-08:00)
>To: nanog@nanog.org
>Subject: CALEA options for small/midsize ISPs
>
>
>Hello All,
>
>My company is looking at updating our CALEA set up.  Our network has
>changed appreciably since our initial rollout and I am looking at utilizing
>Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
>Devices", aka what the Cisco routers are sending the Lawful Intercept
>stream to.
>
>Cisco's Lawful Intercept seems like a solid option since all it requires
>for us is an IOS upgrade on our core routers and something to act as a
>Mediator, but I'm also interested in solutions others are using.
>
>
>
>--
>Byron Hooper
>Network Engineer
>GWI
>8 Pomerleau Street
>Biddeford, ME 04005
>Office & Cell: (207) 602-1215





RE: CALEA options for small/midsize ISPs

2013-01-20 Thread Frank Bulk
Another option is the IP traffic export option.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.html

Frank

-Original Message-
From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com] 
Sent: Sunday, January 20, 2013 6:34 PM
To: Byron Hooper; nanog@nanog.org
Subject: RE: CALEA options for small/midsize ISPs

We used Cisco for lawful intercept.. Their MIBs are wanky and at the time
only the 7206 was supported for the LI functionality. Food for thought.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Byron Hooper 
Date: 01/20/2013 3:00 PM (GMT-08:00)
To: nanog@nanog.org
Subject: CALEA options for small/midsize ISPs


Hello All,

My company is looking at updating our CALEA set up.  Our network has
changed appreciably since our initial rollout and I am looking at utilizing
Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
Devices", aka what the Cisco routers are sending the Lawful Intercept
stream to.

Cisco's Lawful Intercept seems like a solid option since all it requires
for us is an IOS upgrade on our core routers and something to act as a
Mediator, but I'm also interested in solutions others are using.



--
Byron Hooper
Network Engineer
GWI
8 Pomerleau Street
Biddeford, ME 04005
Office & Cell: (207) 602-1215






Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Christopher Morrow
On Fri, Jan 18, 2013 at 4:52 PM, Byron Hooper  wrote:
> Hello All,
>
> My company is looking at updating our CALEA set up.  Our network has
> changed appreciably since our initial rollout and I am looking at utilizing
> Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
> Devices", aka what the Cisco routers are sending the Lawful Intercept
> stream to.
>
> Cisco's Lawful Intercept seems like a solid option since all it requires
> for us is an IOS upgrade on our core routers and something to act as a
> Mediator, but I'm also interested in solutions others are using.

note that when I last looked there were some pretty serious speed/feed
problems with this solution. (like 15kpps max)

I believe packetforensics still ships boxes that do the intercept and
I believe send data off to LEA in the right format:
  <http://packetforensics.com/products.safe>

it'd require these to be in place between PE and CE though, which is
'ok' if you have an all fiber type deployment.

>
>
>
> --
> Byron Hooper
> Network Engineer
> GWI
> 8 Pomerleau Street
> Biddeford, ME 04005
> Office & Cell: (207) 602-1215



RE: CALEA options for small/midsize ISPs

2013-01-20 Thread Warren Bailey
We used Cisco for lawful intercept.. Their MIBs are wanky and at the time only
the 7206 was supported for the LI functionality. Food for thought.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Byron Hooper 
Date: 01/20/2013 3:00 PM (GMT-08:00)
To: nanog@nanog.org
Subject: CALEA options for small/midsize ISPs


Hello All,

My company is looking at updating our CALEA set up.  Our network has
changed appreciably since our initial rollout and I am looking at utilizing
Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
Devices", aka what the Cisco routers are sending the Lawful Intercept
stream to.

Cisco's Lawful Intercept seems like a solid option since all it requires
for us is an IOS upgrade on our core routers and something to act as a
Mediator, but I'm also interested in solutions others are using.



--
Byron Hooper
Network Engineer
GWI
8 Pomerleau Street
Biddeford, ME 04005
Office & Cell: (207) 602-1215



Re: CALEA options for small/midsize ISPs

2013-01-20 Thread Justin Wilson
Are you looking at a Mediation box because you are doing VOIP?

Other than Cisco I am familiar with DeepSweep.

I have heard of Verint, Utimaco, and Pine Digital.  However, no 1st hand
knowledge or anything other than passing. :-)

Justin

--
Justin Wilson 
Aol & Yahoo IM: j2sw
http://www.mtin.net/blog - xISP News
http://www.twitter.com/j2sw - Follow me on Twitter
http://www.thebrotherswisp.com/ - The Brothers WISP podcast





-Original Message-
From: Byron Hooper 
Date: Friday, January 18, 2013 4:52 PM
To: 
Subject: CALEA options for small/midsize ISPs

>Hello All,
>
>My company is looking at updating our CALEA set up.  Our network has
>changed appreciably since our initial rollout and I am looking at utilizing
>Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
>Devices", aka what the Cisco routers are sending the Lawful Intercept
>stream to.
>
>Cisco's Lawful Intercept seems like a solid option since all it requires
>for us is an IOS upgrade on our core routers and something to act as a
>Mediator, but I'm also interested in solutions others are using.
>
>
>
>-- 
>Byron Hooper
>Network Engineer
>GWI
>8 Pomerleau Street
>Biddeford, ME 04005
>Office & Cell: (207) 602-1215
>





CALEA options for small/midsize ISPs

2013-01-20 Thread Byron Hooper
Hello All,

My company is looking at updating our CALEA set up.  Our network has
changed appreciably since our initial rollout and I am looking at utilizing
Cisco's Lawful Intercept.  I'm wondering what people are using as "Mediator
Devices", aka what the Cisco routers are sending the Lawful Intercept
stream to.

Cisco's Lawful Intercept seems like a solid option since all it requires
for us is an IOS upgrade on our core routers and something to act as a
Mediator, but I'm also interested in solutions others are using.



-- 
Byron Hooper
Network Engineer
GWI
8 Pomerleau Street
Biddeford, ME 04005
Office & Cell: (207) 602-1215


Re: CALEA options for a small ISP/ITSP

2012-11-26 Thread Larry Smith
On Mon November 26 2012 09:38, Matthew Crocker wrote:
> I have a CALEA appliance from BearHill that I 'rent'.  It has been in my
> network for years.  I'm looking for other alternative solutions for CALEA
> compliance with a small ISP.   It looks like OpenCalea is a dead project.  
>  What is everyone else using?
>
> My current solution is $1k/month and I rarely get subpoenas, I've never had
> a wiretap one.
>
> My ISP network is a mix of Cisco and Juniper gear.   I have a couple GigE
> connections to my upstreams and push 300-400mbps through the network.
>
> I would think that wireshark pcap files would be enough :(
>

Believe Mikrotik boxes support CALEA, you might check www.mikrotik.com

-- 
Larry Smith
lesm...@ecsis.net



CALEA options for a small ISP/ITSP

2012-11-26 Thread Matthew Crocker

I have a CALEA appliance from BearHill that I 'rent'.  It has been in my 
network for years.  I'm looking for other alternative solutions for CALEA 
compliance with a small ISP.   It looks like OpenCalea is a dead project.
What is everyone else using?

My current solution is $1k/month and I rarely get subpoenas, I've never had a 
wiretap one.

My ISP network is a mix of Cisco and Juniper gear.   I have a couple GigE 
connections to my upstreams and push 300-400mbps through the network.

I would think that wireshark pcap files would be enough :(

Thanks

-Matt

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710

E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com






FBI Presses for Amendment to CALEA to cover social networks

2012-05-25 Thread Jay Ashworth
http://www.washingtonpost.com/business/technology/fbi-forming-communications-assistance-center-to-help-spy-on-americans/2012/05/24/gJQAFuuSnU_story.html

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: shell access to BGP router, CALEA tips??

2012-01-09 Thread Arturo Servin

Not sure if this is what you are looking for:

http://www.traceroute.org/#Route%20Servers

/as

On 8 Jan 2012, at 22:31, David Prall wrote:

> Both AT&T and Hurricane Electric have access for this.
> 
> A quick list of them.
> http://www.netdigix.com/servers.html
> 
> Majority of these are telnet:// links.
> 
> David
> 
> --
> http://dcp.dcptech.com
> 
> 
> 
> -Original Message-
> From: N Rauhauser [mailto:neal.rauhau...@gmail.com] 
> Sent: Sunday, January 08, 2012 12:13 PM
> To: nanog@nanog.org
> Subject: shell access to BGP router, CALEA tips??
> 
>  Ladies & Gentlemen,
> 
>  I wanted to check something on an IP address block this morning and,
> much to my surprise, I don't have access to a single router that has a full
> table in it - first time since 1999 this is the case. I see route views is
> still happily serving up shells, but I'm curious to know if there are any
> other viewpoints available. I am probably going to script something for
> this particular problem, so I want boxes that have shell access, not
> graphical looking glass type stuff.
> 
> 
> I am also plunged into the world of lawful intercept after a long
> absence. Other than providing muddled responses ten minutes before the
> deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena
> response since 2005 and I've not installed anything that needed to meet
> requirements since 2009. Is there a good write up somewhere on the current
> state of affairs?
> 
> 
> 
> 
> 
> Neal Rauhauser
> 



RE: shell access to BGP router, CALEA tips??

2012-01-08 Thread David Prall
Both AT&T and Hurricane Electric have access for this.

A quick list of them.
http://www.netdigix.com/servers.html

Majority of these are telnet:// links.

David

--
http://dcp.dcptech.com



-Original Message-
From: N Rauhauser [mailto:neal.rauhau...@gmail.com] 
Sent: Sunday, January 08, 2012 12:13 PM
To: nanog@nanog.org
Subject: shell access to BGP router, CALEA tips??

  Ladies & Gentlemen,

  I wanted to check something on an IP address block this morning and,
much to my surprise, I don't have access to a single router that has a full
table in it - first time since 1999 this is the case. I see route views is
still happily serving up shells, but I'm curious to know if there are any
other viewpoints available. I am probably going to script something for
this particular problem, so I want boxes that have shell access, not
graphical looking glass type stuff.


 I am also plunged into the world of lawful intercept after a long
absence. Other than providing muddled responses ten minutes before the
deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena
response since 2005 and I've not installed anything that needed to meet
requirements since 2009. Is there a good write up somewhere on the current
state of affairs?





 Neal Rauhauser




shell access to BGP router, CALEA tips??

2012-01-08 Thread N Rauhauser
  Ladies & Gentlemen,

  I wanted to check something on an IP address block this morning and,
much to my surprise, I don't have access to a single router that has a full
table in it - first time since 1999 this is the case. I see route views is
still happily serving up shells, but I'm curious to know if there are any
other viewpoints available. I am probably going to script something for
this particular problem, so I want boxes that have shell access, not
graphical looking glass type stuff.


 I am also plunged into the world of lawful intercept after a long
absence. Other than providing muddled responses ten minutes before the
deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena
response since 2005 and I've not installed anything that needed to meet
requirements since 2009. Is there a good write up somewhere on the current
state of affairs?





 Neal Rauhauser


Re: ISP CALEA compliance

2007-05-24 Thread Andy Davidson



On 24 May 2007, at 06:01, Suresh Ramasubramanian wrote:

> Fully agree. But there's a bit more "system" about what's going on in
> the EU, and stronger privacy safeguards.  The Council of Europe
> convention on cybercrime should be a good starting point, as should at
> least some of the presos here:

Malcolm at LINX has a wealth of knowledge about the EU equivalents,
retention policy and such on this site:

   ... http://publicaffairs.linx.net/news/



Re: ISP CALEA compliance

2007-05-23 Thread Suresh Ramasubramanian


On 5/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> The ITU itself is likely irrelevant.  However, those who run ISPs across
> either the left or right puddle are likely to be hit with CALEA-like issues
> within the next few years, when their countries adopt similar laws.  And those
> who think the EU's stand on privacy of data will prevent a CALEA should
> consider the sorts of data-retention proposals that are getting floated
> over there.


Fully agree. But there's a bit more "system" about what's going on in
the EU, and stronger privacy safeguards.  The Council of Europe
convention on cybercrime should be a good starting point, as should at
least some of the presos here:

http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/agenda.phtml

Look at Session 5, and the special post-lunch session the Council of
Europe organized.

The meeting was audiocast as well, so if you don't mind running
RealPlayer you should be able to listen to the panels as well.

--
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: ISP CALEA compliance

2007-05-23 Thread Valdis . Kletnieks
On Thu, 24 May 2007 09:01:26 +0530, Suresh Ramasubramanian said:
> 
> On 5/24/07, Owen DeLong <[EMAIL PROTECTED]> wrote:
> > The more I think about this, the more I think a refereed
> > boxing^h^h^h^h^h^hpanel discussion between representatives
> > from DHS, FBI, EFF, FCC, Verisign, Neustar, and ITU might
> > be a good approach to this.
> 
> Humor me.. but just where does ITU come into this whole mess?

The ITU itself is likely irrelevant.  However, those who run ISPs across
either the left or right puddle are likely to be hit with CALEA-like issues
within the next few years, when their countries adopt similar laws.  And those
who think the EU's stand on privacy of data will prevent a CALEA should
consider the sorts of data-retention proposals that are getting floated
over there.

Yes - the laws themselves are politics.  Being able to install compliant
routers without breaking the budget is totally operational... ;)




Re: ISP CALEA compliance

2007-05-23 Thread Suresh Ramasubramanian


On 5/24/07, Owen DeLong <[EMAIL PROTECTED]> wrote:

> The more I think about this, the more I think a refereed
> boxing^h^h^h^h^h^hpanel discussion between representatives
> from DHS, FBI, EFF, FCC, Verisign, Neustar, and ITU might
> be a good approach to this.


Humor me.. but just where does ITU come into this whole mess?

--
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: ISP CALEA compliance

2007-05-23 Thread Owen DeLong

The more I think about this, the more I think a refereed
boxing^h^h^h^h^h^hpanel discussion between representatives
from DHS, FBI, EFF, FCC, Verisign, Neustar, and ITU might
be a good approach to this.

Owen





Re: ISP CALEA compliance

2007-05-23 Thread Albert Meyer


Martin Hannigan wrote:

> I had mentioned that both VeriSign and Neustar have people that are
> fluent in the technical and general legal issues as well as the legal
> aspects. It would seem to make more sense to solicit one of those
> organizations since NANOG is about operations, and not politics. The EFF
> is a political organization and these are not topics that make sense for
> NANOG, IMHO, the list, the program, or a BoF.
>
> Having the EFF explain CALEA at NANOG is like asking the Sierra Club
> to identify good sites for oil wells in forests.


I took a look at EFF's CALEA FAQ at 
http://www.eff.org/Privacy/Surveillance/CALEA/?f=faq.html and they appear to 
have a pretty good handle on the technical issues. I can understand why VeriSign 
would prefer to leave EFF's viewpoint out of any discussion of CALEA, but I 
believe that VeriSign's perspective is just as political as EFF's. It's 
reasonable to think that VeriSign might employ people with better technical 
knowledge than EFF, but that doesn't mean that EFF's presentation would be less 
valuable than VeriSign's. Given their respective viewpoints (protecting 
individual rights and freedoms versus protecting corporate profits) maybe it 
would make sense to hear from both. Were EFF entirely clueless regarding the 
technical issues, I would agree that they should not be invited to NANOG, but 
that appears to not be the case.


Re: ISP CALEA compliance

2007-05-23 Thread Randy Bush

> Having the EFF explain CALEA at NANOG is like asking the Sierra Club 
> to identify good sites for oil wells in forests.

well, we have had the oil companies multiple times.

randy


Re: ISP CALEA compliance

2007-05-12 Thread Joe Provo

On Sat, May 12, 2007 at 10:43:15PM -0400, Martin Hannigan wrote:
[snip]
> Too bad the PC hasn't solicited a talk in this area. They ought to.

Too bad that the collective-we choose to beat up the PC for not 
providing agenda information in advance, and then change tack 
to beat them up when the increased transparency of incremental 
information for confirmed talks doesn't cover current timely 
issues such as earthquake impact or regulatory vagaries. Rather 
than assuming, suggestions for ways to provide insight to 
agenda works-in-progress would be useful.

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: ISP CALEA compliance

2007-05-12 Thread Martin Hannigan


Steve Bellovin said:

> I've tried hard to keep this discussion factual, with copious
> references. But I think I've run out of things to say that are even
> vaguely on-topic, so I'll shut up.


Anytime the word CALEA pops up here the threads tend to quickly
degenerate into a large demonstration of a serious lack of knowledge.
This is also not an area that is typically managed by operational
people at the engineer level; it's a function run from the regulatory and
legal side of the business.

Too bad the PC hasn't solicited a talk in this area. They ought to.
There are at least two companies participating in NANOG that provide
CALEA service bureaus, past employees of either with direct, relevant
experience, and current employees of both that read the list.

VeriSign: http://vcs-www.verisign.com/docs/netDiscovery/

NeuStar: http://www.neustar.biz/infrastructure/fcs.cfm (Formerly FiduciaNet)


Best,

-M<


Re: ISP CALEA compliance

2007-05-10 Thread Jeff Shultz


William Allen Simpson wrote:

> Also, the gag order was ruled unconstitutional, so always inform your
> customer!  They may be willing to work out attorney fees, and/or join
> you in a suppression hearing.



Huh? You can tell a customer that you've had a CALEA subpoena served on
you for his/her/its traffic?


Well, I guess it's a way to avoid having to be compliant since every 
customer will depart 5 seconds after you tell them. No need for the tap 
then.


--
Jeff Shultz