Re: [WISPA] CALEA compliance methods
On another subject Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. Can you please share your thoughts on where you think WISPA should stand on these issues? This is public list and your feedback is appreciated. That being the case, why should I still join? Because you can be as much a part of the direction of WISPA as any one else who is a member. Why would you ignore that opportunity to shape your industry? Scriv -- Blair Davis West Michigan Wireless ISP 269-686-8648 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods- For Clint
Clint, Thanks for the great information, in this and your other posts. One of the Linux guys here downloaded the opencalea package and started testing it. It sure is nice seeing the information it generates. And activity is picking up on the mailing list. I feel a glimmer of hope ... Adam - Original Message - From: Clint Ricker [EMAIL PROTECTED] To: WISPA General List wireless@wispa.org Sent: Wednesday, March 28, 2007 12:01 AM Subject: Re: [WISPA] CALEA compliance methods- For Clint Ralph, My apologies for the confusion. I think we are more or less on the same page method-wise for gathering that information; I made some assumptions that may have been applicable to your network. Now, as far as the pretty red package and bow for transferring the information to a law enforcement agency (LEA), I'll take a stab at that, although, as I'm not a lawyer, my usefulness is limited. Still, having paid for and read through the spec, it's not all that complicated of a red package. I don't think that it's worth the $10,000+ commercial solutions are going for. However, I've not been able (yet) to track down the actual transmission to the LEA, other than it is over some sort of VPN, so I am missing that piece of the puzzle. But the format itself is seems fairly simple to implement and, indeed, is already at least somewhat implemented with opencalea. Good resources to look at: - OpenCALEA (http://www.opencalea.org/) OpenCALEA is an initiative to create an open source platform to comply with CALEA. The mailing list is a very good resource. The software is rough, but already covers the basic needs of most ISPS to a point except the actual handoff to the law enforcement agency (LEA) OpenCALEA Overview (PDF) (http://www.nanog.org/mtg-0702/presentations/karir.pdf) PDF overview of OpenCalea along with some conceptual network diagrams. Draft Specification (http://contributions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006-084R8.doc) Reference specification for data portion of CALEA. Is functionally the same as the current (pay required) Baller Herbst Law Group CALEA Page (http://www.baller.com/calea.html) Great page with most of the important links. Look here for legal explanation, especially in the Plain Language Summary section. Cisco CALEA Webinar (http://www.opastco.org/docs/SP_CALEA_Webinar.ppt) CALEA Standards (http://www.askcalea.net/standards.html) Official list of standards CALEA interface. -- Notes from the above 1. The commercial packages are effectively devices that query a radius/authentication server and sniff on the network and then format the information to send to the law enforcement agency. No real magic. 2. OpenCALEA already has the basics of the system, although it doesn't seem to have any support (yet) for the authentication (AAA) portion. Future features will possibly include handoff to the LEA and more complex infrastructure for handling a wide, disparate network. 3. The only real requirements are 1. That the tap happens 2. The tap gathers both authentication/control information AND a complete capture of the session 3. That the output of 2 gets formatted according the the standard 4. That the information be transmitted to the LEA (seemingly through a VPN). 4. Based on 3, most of the equipment/solutions out there are heavily overengineered (see Cisco Webinar for an example). Most of the solutions are geared to a process that can be managed across carrier networks with subscribers into the millions. This is overkill for most WISPS :) On a given WISP of 1,000 subs, how often is a CALEA order actually going to happen? Infrequently enough that having to do some manual work each time is better than a high upfront cost (by manual work, I mean turning on a monitoring port/tap and manually initiating a VPN to the law enforcement agency as necessary). -- Clint Ricker Kentnis Technologies 800.783.5753 On 3/27/07, Ralph [EMAIL PROTECTED] wrote: Hello Clint. You are confusing me. When I mention MT, I said routers, not CPE. We don't use non type accepted CPE and therefore don't have MT in any form at the customer end. However our site routers and even the edge router ARE MT- even the edge router. Those are what I am talking about. I didn't say anything about putting any certain number of units in. And I really don't see how that would turn into hundreds of monitoring nodes. I'd just as soon only have to mess with it at one or two places. Our network is fed from two different points, but from the same provider. This provider told another WISP in the area (that he also upstreams) that he would not be able to do CALEA capture for us, but has now publicly said that he can. We'll have to see how that goes as it develops. If he will, then that makes him an even more valuable provider. Cisco's CALEA solution is at the router level. This seems to be the most logical place to do the tap- especially if the equipment/license/whatever is costly
Re: [WISPA] CALEA compliance methods
On Mon, 26 Mar 2007 22:09:23 -0700, Marlon K. Schafer wrote Mark, your info is 3 years old We have to be ready to tap our lines. Even IMs. marlon I think you missed my point, Marlon... That being that not even the government is a reliable source of information about what the government wants and demands. www.askcalea.com is direct from their mouths. Yes, it's old, but then the site is still considered live. THE FCC is saying one thing, a different agency is saying another. Concurrently. I have been attempting for how long now, to get across to you people that this whole CALEA flap for ISP's is NOT LAW, but opinion from the FCC, where it's attempting to write law instead of Congress. It's a mess, because it's NOT LAW, only Congress can write law and it has yet to write a law that says we have to do squat. Frankly, I think every broadband ISP should file and say we will never be compliant and just let them TRY to shut down every ISP in the country. It's about time we told THEM where to get off, rather than being lambs to the slaughter. But no. WISPA leads the charge to slaughter it's own industry by begging to be regulated out of existence. Just three years ago, the WISP industry and WISPA was going to show the world just how scrappy, independent and courageous we were. We did alright. We turned into worms and mashed ourselves into the pavement instead. One can only imagine the reaction if some actual competitive threat came along. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Mark, wispa wrote: I have been attempting for how long now, to get across to you people that this whole CALEA flap for ISP's is NOT LAW, but opinion from the FCC, where it's attempting to write law instead of Congress. It's a mess, because it's NOT LAW, only Congress can write law and it has yet to write a law that says we have to do squat. Did you even bother to read the press release mentioned in your recent post? http://www.askcalea.com/docs/20040317.fbi.release.pdf As quoted from the press release mentioned above; Congress enacted CALEA in 1994 to help the nation's law enforcement community maintain its ability to use court-authorized electronic surveillance as an important investigative tool in an era of new telecommunications technologies and services. Today, electronic surveillance plays a vitally important role in law enforcement's ability to ensure national security and public safety. Also quoted from the same press release; Specifically, the petition requests the FCC establish rules that formally identify services and entities covered by CALEA, so both law enforcement and industry are on notice with respect to CALEA obligations and compliance. The petition makes this request because disagreements continue between industry and law enforcement over whether certain services are subject to CALEA. The petition requests the FCC find “broadband access” and “broadband telephony” to be subject to CALEA. Got any links for these other places you speak of? Below is a link to the latest report about CALEA and the reclassification of Wireless Providers as information services in case anyone is interested in reading. Page 18 and 19 make for some interesting reading. ;-) http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-30A1.pdf Regards, Dawn DiPietro -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. It is part of the 2 biggest communications laws - TA96 and the Comm. Act of 19 Begun and held at the City of Washington on Tuesday, the twenty-fifth day of January, one thousand nine hundred and ninety-four An Act To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, TITLE I--INTERCEPTION OF DIGITAL AND OTHER COMMUNICATIONS SEC. 101. SHORT TITLE. This title may be cited as the `Communications Assistance for Law Enforcement Act'. Communications Act of 1934 (amended by the Telecommunications Act of 1996) Pub. L. No. 104-104, 110 Stat. 5647 (1996); 47 U.S.C. § 151 http://www4.law.cornell.edu/uscode/47/ch5schI.html /et seq/.; 47 U.S.C. §§ 153 http://www4.law.cornell.edu/uscode/47/153.html, 251 http://www4.law.cornell.edu/uscode/47/251.html, 252 http://www4.law.cornell.edu/uscode/47/252.html, 253 http://www4.law.cornell.edu/uscode/47/253.html, and 255 http://www4.law.cornell.edu/uscode/47/255.html and amended by the Communications Assistance for Law Enforcement Act, (CALEA) 47 USC §§ 1001-1010 http://www.law.cornell.edu/uscode/html/uscode47/usc_sup_01_47_10_9_20_I.html The Communications Act of 1934 created the FCC and gave this new agency the power to regulate telephones and radio. The 1996 Act amends the 1934, but is actually much longer. The purpose of the law was to encourage competition, but it also has a vast regulatory scheme. //*ACE v. CALEA*/ http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf/*, No. 05-1404*, U.S. Court of Appeals for the D.C. Circuit, Decided June 9, 2006 This case involves a statutory interpretation of 47 USC § 1002 http://www.law.cornell.edu/uscode/html/uscode47/usc_sec_47_1002000-.html. This law provides that a telecommunications carrier shall ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of being expeditiously isolated and accessed by the government pursuant to a court order or other lawful authorization. The communication must be able to be accessed before, during, or immediately after the transmission of a wire or electronic communication. An exception in section 1002 excludes from this requirement information services; or equipment, facilities, or services that support the transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers. In September of 2005, the FCC issued an Order (FCC 05-153) that stated that broadband and VoIP (Voice over Internet Protocol) providers were covered (at least in part) by CALEA's definition of telecommunications carriers. Implementation of this Order (required by May 14, 2007) would necessitate colleges and universities that are broadband or VoIP providers to redesign their networks at a cost estimated to be over $450* per student in tuition fees. Given these high stakes, the America Council on Education (ACE) challenged the order, and this decision, which upheld the FCC Order is the result of the litigation. In a 2-1 decision, the Court of Appeals for the DC Circuit agreed with the FCC that providers of both broadband and VoIP serve as replacements for a substantial functionality of local telephone exchange service. This is key, as the definition of a telecommunications carrier in 47 USC § 1001(8) includes those providers that substantially replaces traditional transmission or switching. The court also found CALEA differed from the Telecom Act by not using the phrases telecommunications carrier and information services as mutually exclusive terms. The court found the FCC interpretation of the law reasonable. The court did state that if the case had been reviewed /de novo/, the ACE argument might have been found to be the more persuasive one. The U.S. Court of Appeals for the District of Columbia Circuit issued a decision on June 9, 2006 in the lawsuit brought by the American Council on Education (ACE) challenging the FCC's CALEA rules. Nor does our interpretation of section 332 of the Communications Act and its implementing regulations here alter either our decision in the CALEA proceeding to apply CALEA obligations to all wireless broadband Internet access providers, including mobile wireless providers, or our interpretations of the
Re: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 07:31:56 -0400, Dawn DiPietro wrote Mark, wispa wrote: I have been attempting for how long now, to get across to you people that this whole CALEA flap for ISP's is NOT LAW, but opinion from the FCC, where it's attempting to write law instead of Congress. It's a mess, because it's NOT LAW, only Congress can write law and it has yet to write a law that says we have to do squat. Did you even bother to read the press release mentioned in your recent post? http://www.askcalea.com/docs/20040317.fbi.release.pdf As quoted from the press release mentioned above; Congress enacted CALEA in 1994 to help the nation's law enforcement community maintain its ability to use court-authorized electronic surveillance as an important investigative tool in an era of new telecommunications technologies and services. Today, electronic surveillance plays a vitally important role in law enforcement's ability to ensure national security and public safety. Also quoted from the same press release; Specifically, the petition requests the FCC establish rules that formally identify services and entities covered by CALEA, so both law enforcement and industry are on notice with respect to CALEA obligations and compliance. The petition makes this request because disagreements continue between industry and law enforcement over whether certain services are subject to CALEA. The petition requests [WINDOWS-1252?] the FCC find broadband access and broadband telephony to be subject to CALEA. Ok... here's an old joke. What's the difference between dogs and cats? The dog looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... You must be a god!. The cat looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... I must be a god!. We're saying EXACTLY the same thing, but the perspective is different. Read up on CALEA itself. There's absolutely NOTHING in it that even remotely addresses ISP's. It addresses TAPPING TELEPHONE CONVERSATIONS. Nothing else. It is VERY specific. When it was written, broadband didn't even EXIST, how COULD they have written a law that applies to it? It's as if Congress wrote a law that regulates the maintenance schedules on trains. Along comes OSHA, and demands that the DOT rule that the law must apply to trucking, as well, even though the whole concept is absurd. Congress knew it would NEVER get away with just wholesale handing it's shopping list of demands to industry for changes in the way it's equipment worked, and making industry PAY for it. Duhhh. That would never have made it past... well... even a kangaroo court. And the telcos would have fought it, collectively, with all thier legal muscle. Over the years, the FCC has (correctly) and and consistently insisted we are NOT telecommunications services or providers. Now, it suddenly says we ARE, but only for purposes of CALEA. Ohhh, could you park that decision on anything closer to what resembles vapor? I doubt it. Even worse, since the law didn't apply to us, it doesn't pay for what it OBVIOUSLY has to pay for. The FCC cannot just spend money, Congress has to do that. So, along comes the FCC and says WE have to pay for it. I've said this before, I'll say it again, the FCC threw in the most egregious demands they could think of (like requiring us to pay for it), in order to ensure this would LOSE in a legal challenge, since they weren't inclined to continue arguing with the FBI and DOJ. So, instead of defending what was defensible, they sidestepped and tossed the mess in our laps, and we're just sitting here taking it without so much as a word of protest. Gee, we must look like real shmucks to them by now. EVERYONE fights or at least ARGUES back when they do stuff... well, except for us. We beat on our own people for objecting. MAn, READ THE PUBLIC COMMENTS ON EVERYTHING THE FCC DOES! Fear to tell them they're wrong? Heck no, they say it every possible way they can think of! Had Congress tried CALEA without paying for it initially, the fight would have been HUGE, CALEA would have been tossed out in court on very firm ground I am sure. The FCC doesn't write law. It can't. The DOJ and FBI have NO END TO THE LIST OF DEMANDS, their wishes are infinitely long. But just because they WANT it doesn't mean they get it, at our expense. You and I pay taxes, so that when the government wants something, it has to debate, vote, and pony up and pay in the public budget for it. If we, the people, were not protected by the Constitution, the police would just stop us and demand we fill their car with gas, buy them new tires, tune it up, repaint their cars, use OUR building for their office, provide them internet for free, the list goes on and on and on. After all, we have to have cops
Re: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
I bet the technical aspects of how to comply will be emerging soon. I understand the wispa calea meeting went very well. So there must be some good news. Adam Greene wrote: Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- George Rogato Welcome to WISPA www.wispa.org http://signup.wispa.org/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Mark, Wireless providers DO have to comply with CALEA whether you like it or not. As quoted from the link I sent you earlier; Nor does our interpretation of section 332 of the Communications Act and its implementing regulations here alter either our decision in the CALEA proceeding to apply CALEA obligations to all wireless broadband Internet access providers, including mobile wireless providers, or our interpretations of the provisions of CALEA itself. As the Commission found, and the U.S. Court of Appeals for the D.C. Circuit affirmed, the purposes and intent of CALEA are strikingly different than those of the 1996 Telecommunications Act, which is embedded in the Communications Act. As the Court noted, “CALEA--unlike the 1996 Act--is a law-enforcement statute . . . (requiring telecommunications carriers to enable ‘the government’ to conduct electronic surveillance) . . . . The Communications Act (of which the Telecom Act is part), by contrast, was enacted ‘[f]or the purpose of regulating interstate and foreign commerce in communication by wire and radio’ . . . . The Commission's interpretation of CALEA reasonably differs from its interpretation of the 1996 Act, given the differences between the two statutes.”121 Thus, our interpretation of the separate statutory provisions in section 332 of the Communications Act, whose purposes closely track those of the Telecommunications Act of 1996 and the Communications Act generally, in no way affects our determination that mobile wireless broadband Internet access service providers are subject to the CALEA statute.122 Here is the link again so you can read it if you choose to do so. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-30A1.pdf Regards, Dawn DiPietro wispa wrote: On Tue, 27 Mar 2007 07:31:56 -0400, Dawn DiPietro wrote Mark, wispa wrote: I have been attempting for how long now, to get across to you people that this whole CALEA flap for ISP's is NOT LAW, but opinion from the FCC, where it's attempting to write law instead of Congress. It's a mess, because it's NOT LAW, only Congress can write law and it has yet to write a law that says we have to do squat. Did you even bother to read the press release mentioned in your recent post? http://www.askcalea.com/docs/20040317.fbi.release.pdf As quoted from the press release mentioned above; Congress enacted CALEA in 1994 to help the nation's law enforcement community maintain its ability to use court-authorized electronic surveillance as an important investigative tool in an era of new telecommunications technologies and services. Today, electronic surveillance plays a vitally important role in law enforcement's ability to ensure national security and public safety. Also quoted from the same press release; Specifically, the petition requests the FCC establish rules that formally identify services and entities covered by CALEA, so both law enforcement and industry are on notice with respect to CALEA obligations and compliance. The petition makes this request because disagreements continue between industry and law enforcement over whether certain services are subject to CALEA. The petition requests [WINDOWS-1252?] the FCC find “broadband access” and “broadband telephony” to be subject to CALEA. Ok... here's an old joke. What's the difference between dogs and cats? The dog looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... You must be a god!. The cat looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... I must be a god!. We're saying EXACTLY the same thing, but the perspective is different. Read up on CALEA itself. There's absolutely NOTHING in it that even remotely addresses ISP's. It addresses TAPPING TELEPHONE CONVERSATIONS. Nothing else. It is VERY specific. When it was written, broadband didn't even EXIST, how COULD they have written a law that applies to it? It's as if Congress wrote a law that regulates the maintenance schedules on trains. Along comes OSHA, and demands that the DOT rule that the law must apply to trucking, as well, even though the whole concept is absurd. Congress knew it would NEVER get away with just wholesale handing it's shopping list of demands to industry for changes in the way it's equipment worked, and making industry PAY for it. Duhhh. That would never have made it past... well... even a kangaroo court. And the telcos would have fought it, collectively, with all thier legal muscle. Over the years, the FCC has (correctly) and and consistently insisted we are NOT telecommunications services or providers. Now, it suddenly says we ARE, but only for purposes of CALEA. Ohhh, could you park that decision on anything closer to what resembles vapor? I doubt it. Even worse, since the law
Re: [WISPA] CALEA compliance methods
The best stratergy to take towards CALEA is to get familiar and get ready to comply. If for some reason it turns out some don't have to comply, then no loss. If it turns out that we all have to comply, then we're ahead of the game. Think positive! Dawn DiPietro wrote: Mark, Wireless providers DO have to comply with CALEA whether you like it or not. As quoted from the link I sent you earlier; Nor does our interpretation of section 332 of the Communications Act and its implementing regulations here alter either our decision in the CALEA proceeding to apply CALEA obligations to all wireless broadband Internet access providers, including mobile wireless providers, or our interpretations of the provisions of CALEA itself. As the Commission found, and the U.S. Court of Appeals for the D.C. Circuit affirmed, the purposes and intent of CALEA are strikingly different than those of the 1996 Telecommunications Act, which is embedded in the Communications Act. As the Court noted, “CALEA--unlike the 1996 Act--is a law-enforcement statute . . . (requiring telecommunications carriers to enable ‘the government’ to conduct electronic surveillance) . . . . The Communications Act (of which the Telecom Act is part), by contrast, was enacted ‘[f]or the purpose of regulating interstate and foreign commerce in communication by wire and radio’ . . . . The Commission's interpretation of CALEA reasonably differs from its interpretation of the 1996 Act, given the differences between the two statutes.”121 Thus, our interpretation of the separate statutory provisions in section 332 of the Communications Act, whose purposes closely track those of the Telecommunications Act of 1996 and the Communications Act generally, in no way affects our determination that mobile wireless broadband Internet access service providers are subject to the CALEA statute.122 Here is the link again so you can read it if you choose to do so. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-30A1.pdf Regards, Dawn DiPietro wispa wrote: On Tue, 27 Mar 2007 07:31:56 -0400, Dawn DiPietro wrote Mark, wispa wrote: I have been attempting for how long now, to get across to you people that this whole CALEA flap for ISP's is NOT LAW, but opinion from the FCC, where it's attempting to write law instead of Congress. It's a mess, because it's NOT LAW, only Congress can write law and it has yet to write a law that says we have to do squat. Did you even bother to read the press release mentioned in your recent post? http://www.askcalea.com/docs/20040317.fbi.release.pdf As quoted from the press release mentioned above; Congress enacted CALEA in 1994 to help the nation's law enforcement community maintain its ability to use court-authorized electronic surveillance as an important investigative tool in an era of new telecommunications technologies and services. Today, electronic surveillance plays a vitally important role in law enforcement's ability to ensure national security and public safety. Also quoted from the same press release; Specifically, the petition requests the FCC establish rules that formally identify services and entities covered by CALEA, so both law enforcement and industry are on notice with respect to CALEA obligations and compliance. The petition makes this request because disagreements continue between industry and law enforcement over whether certain services are subject to CALEA. The petition requests [WINDOWS-1252?] the FCC find “broadband access” and “broadband telephony” to be subject to CALEA. Ok... here's an old joke. What's the difference between dogs and cats? The dog looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... You must be a god!. The cat looks at you and says you give me everything, provide me with home, care, medicine, food, take care of all my needs... I must be a god!. We're saying EXACTLY the same thing, but the perspective is different. Read up on CALEA itself. There's absolutely NOTHING in it that even remotely addresses ISP's. It addresses TAPPING TELEPHONE CONVERSATIONS. Nothing else. It is VERY specific. When it was written, broadband didn't even EXIST, how COULD they have written a law that applies to it? It's as if Congress wrote a law that regulates the maintenance schedules on trains. Along comes OSHA, and demands that the DOT rule that the law must apply to trucking, as well, even though the whole concept is absurd. Congress knew it would NEVER get away with just wholesale handing it's shopping list of demands to industry for changes in the way it's equipment worked, and making industry PAY for it. Duhhh. That would never have made it past... well... even a kangaroo court. And the telcos would have fought it, collectively, with all thier legal muscle. Over the years, the FCC has (correctly) and and
Re: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 14:07:51 -0400, Adam Greene wrote Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. EVen if tomorrow, CALEA vanished, it is true that we need the capabilities of doing this. Thanks for pointing that out. The problem lies in that the CALEA technical discussion revolves around unknown technical requirements / capabilities. We can only discuss it in sort of a theoretical concept. At the moment, my abilities are ... well, they don't exist. Nothing in the software / hardware on my network, AT ANY POINT can be modified to do this. I would have to go to my upstream and ask them to mirror or log or otherwise catch the traffic, since that is the only present single point ot exist where all traffic in / out of my network passes. And that won't be for long, as I'll soon have multiple providers and dynamic routing. I can't even do policy based routing at the moment to force all the traffic from one client to anywhere. However, none of this really matters. We don't know what the demands are technically. The theoretical requirements are that we intercept at the CPE. Who the bloody heck has CPE that can do that? Few WISP's do. The vast majority do not. Further, if CALEA requirements apply to WISP's, then CALEA requirements apply to WISP equipment providers, just like they do to telco equipment providers. Another can of worms, entirely. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. To add to that, I welcome the conversation about not compliance, since that's a very specific and detailed demand, but simply about how to assist LEA's in catching bad guys. That's something a good lot of us will eventually end up doing. I just don't believe it is proper or right for me to be an unpaid lackey who is forced to do whatever they want out of my own pocket. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 14:17:09 -0400, Dawn DiPietro wrote Mark, Wireless providers DO have to comply with CALEA whether you like it or not. As quoted from the link I sent you earlier; Nor does our interpretation of section 332 of the Communications Act and its implementing regulations here alter either our decision in the CALEA proceeding to apply CALEA obligations to all wireless broadband Internet access providers, including mobile wireless providers, or our interpretations of the provisions of CALEA itself. As the Commission found, and the U.S. Court of Appeals for the D.C. Circuit affirmed, the purposes and intent of CALEA are strikingly different than those of the 1996 Telecommunications Act, which is [WINDOWS-1252?] embedded in the Communications Act. As the Court noted, CALEA- -unlike the 1996 Act--is a law-enforcement statute . . . [WINDOWS-1252?] (requiring telecommunications carriers to enable the government to conduct electronic surveillance) . . . . The Communications Act (of [WINDOWS-1252?] which the Telecom Act is part), by contrast, was enacted [f] or the purpose of regulating interstate and foreign commerce in [WINDOWS-1252?] communication by wire and radio . . . . The Commission's interpretation of CALEA reasonably differs from its interpretation [WINDOWS-1252?] of the 1996 Act, given the differences between the two statutes.121 Thus, our interpretation of the separate statutory provisions in section 332 of the Communications Act, whose purposes closely track those of the Telecommunications Act of 1996 and the Communications Act generally, in no way affects our determination that mobile wireless broadband Internet access service providers are subject to the CALEA statute.122 Here is the link again so you can read it if you choose to do so. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-30A1.pdf Dawn, respectfully... But, please understand my point. Tomorrow, the FCC COULD reverse it's opinion and we'd be exempt. JUST LIKE THAT, without a single court decision, without a single sentence from Congress, etc. In fact, WE WERE EXEMPT until 2006, when the FCC changed its mind. So, what kind of law applies ... or doesn't... Depending on the whim of unelected beaurocrats? CALEA isn't that vague. It's just misapplied. I maintain that the FCC is in error in it's interpretation of what is a telecommunications provider and we should be shouting it at them at 36dbm and 102 decibels. In fact, EVERY ISP, NSP, etc, organization should be snowing the FCC under in objections. And maybe some legal efforts, too. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] CALEA compliance methods
I have posted a couple of messages over on the Mikrotik forum over the last month or so. Mikrotik first basically said why should we care- we are in Latvia. After a little pressure from users, they began to ask for more information about the subject. I'm not at all knowledgeable enough to discuss the technical specs of the format, but I'm sure there are some folks around that are. Let's get MT users and prospective users rallied and do what we can to ebcourage MT to comply. It can only help us more and should also create a yardstick for other manufacturers. Here is a link to the threads http://forum.mikrotik.com/search.php?mode=resultssid=723d81c229563812d900d2 0b3a31a900 Ralph -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 27, 2007 1:08 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] CALEA compliance methods
Mark, Right or wrong, Congress regularly delegates rule-making to the various agencies. They pass laws that are purposely vague and/or broad and they empower the various agencies (and the courts, ultimately) to fill in the blanks. It's questionable Constitutionally, if you believe that we should follow the original intent of the Constitution...but that cat left the bag decades ago. Jeff -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of wispa Sent: Tuesday, March 27, 2007 3:20 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 14:17:09 -0400, Dawn DiPietro wrote Mark, Wireless providers DO have to comply with CALEA whether you like it or not. As quoted from the link I sent you earlier; Nor does our interpretation of section 332 of the Communications Act and its implementing regulations here alter either our decision in the CALEA proceeding to apply CALEA obligations to all wireless broadband Internet access providers, including mobile wireless providers, or our interpretations of the provisions of CALEA itself. As the Commission found, and the U.S. Court of Appeals for the D.C. Circuit affirmed, the purposes and intent of CALEA are strikingly different than those of the 1996 Telecommunications Act, which is [WINDOWS-1252?] embedded in the Communications Act. As the Court noted, CALEA- -unlike the 1996 Act--is a law-enforcement statute . . . [WINDOWS-1252?] (requiring telecommunications carriers to enable 'the government' to conduct electronic surveillance) . . . . The Communications Act (of [WINDOWS-1252?] which the Telecom Act is part), by contrast, was enacted '[f] or the purpose of regulating interstate and foreign commerce in [WINDOWS-1252?] communication by wire and radio' . . . . The Commission's interpretation of CALEA reasonably differs from its interpretation [WINDOWS-1252?] of the 1996 Act, given the differences between the two statutes.121 Thus, our interpretation of the separate statutory provisions in section 332 of the Communications Act, whose purposes closely track those of the Telecommunications Act of 1996 and the Communications Act generally, in no way affects our determination that mobile wireless broadband Internet access service providers are subject to the CALEA statute.122 Here is the link again so you can read it if you choose to do so. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-30A1.pdf Dawn, respectfully... But, please understand my point. Tomorrow, the FCC COULD reverse it's opinion and we'd be exempt. JUST LIKE THAT, without a single court decision, without a single sentence from Congress, etc. In fact, WE WERE EXEMPT until 2006, when the FCC changed its mind. So, what kind of law applies ... or doesn't... Depending on the whim of unelected beaurocrats? CALEA isn't that vague. It's just misapplied. I maintain that the FCC is in error in it's interpretation of what is a telecommunications provider and we should be shouting it at them at 36dbm and 102 decibels. In fact, EVERY ISP, NSP, etc, organization should be snowing the FCC under in objections. And maybe some legal efforts, too. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 15:29:18 -0400, Jeff Broadwick wrote Mark, Right or wrong, Congress regularly delegates rule-making to the various agencies. They pass laws that are purposely vague and/or broad and they empower the various agencies (and the courts, ultimately) to fill in the blanks. But CALEA wasn't vague. They used as precise of wording as they could in 1994 and there wasn't an iota of doubt as to what they wanted and who they wanted it from. It's questionable Constitutionally, if you believe that we should follow the original intent of the Constitution...but that cat left the bag decades ago. Time for some stuffing the cat BACK, then. Gee, every day I read some man or woman died serving me in some far off place. And we're afraid to say NO! to the overreaching fat sow in DC? Forget that noise, as my dad used to say when he thought my arguments were weak. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Likewise, although assistance from manufacturors is nice, it is not requisite and in some ways may complicate matters since you can end up with hundreds of different monitoring nodes and several different interfaces unless you have complete uniformity across your network. Generally, the easiest and most cost effective approach is to place taps at key points in your network that give you access to traffic. If you backhaul all of your wireless traffic to a central points, a single tap at the central point can monitor all of the traffic from the wireless cells. The tapping process itself does not need to be expensive or complicated. Any decent switch (if it doesn't, you probably shouldn't be using it to begin with) has some sort of port mirroring built in that can easily function as a tap. If not, ethernet and fiber taps are fairly cheap ($100-$200 or so on the second hand market). The tap can be hooked into a server running tcpdump or similiar software or various commercially available. This provides complete compliance for a fairly reasonable cost. Having a tap on each wireless access point, etc...needlessly complicates the whole affair and increases cost drastically. If you are doing backhaul via an Internet T1 or similiar, the upstream carrier may be doing some of this for you. However, you do have to analyze carefully to ensure that you are compliant in this situation. Note that this actually is a good idea to have even without CALEA as you can get a good idea as to what traffic is actually running on your network and can better track down virus/hackers/other malicious traffic. - I have posted a couple of messages over on the Mikrotik forum over the last month or so. Mikrotik first basically said why should we care- we are in Latvia. After a little pressure from users, they began to ask for more information about the subject. I'm not at all knowledgeable enough to discuss the technical specs of the format, but I'm sure there are some folks around that are. Let's get MT users and prospective users rallied and do what we can to ebcourage MT to comply. It can only help us more and should also create a yardstick for other manufacturers. Here is a link to the threads http://forum.mikrotik.com/search.php?mode=resultssid=723d81c229563812d900d2 0b3a31a900 Ralph -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 27, 2007 1:08 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla
Re: [WISPA] CALEA compliance methods
Mark, Enough with the analogies. CALEA is law - not once but twice - 1934 and 1996. Courts have upheld the FCC decision on what CALEA covers. The same laws that give the DOJ the right to wiretap, gives the FCC the right to create guidelines. I don't like it, any more than I like ATT letting the NSA tap every thing that runs through it's pipes or any more than I like the Patriot Act (which only helps strengthen the FCC and DOJ's right to decide what can and cannot be wiretapped). But there it is. How about we just concentrate on being compliance in the next 45 days? Regards, Peter Radizeski RAD-INFO, Inc. -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
I've been looking over OpenCALEA - I can't really see any reason for a NON-VOIP provider that it wouldn't do everything properly needed from a Linux command prompt on a 700mhz old HP Presario, all for a cost of less than $100 for a used computer. And when OpenCALEA is done, it will solve 99% of our problems, minus potential network design issues (routed vs. bridged) but even those can eventually be overcome. Now VOIP, maybe needs more in OpenCALEA to work, but why argue, let's just help make OpenCALEA work, if we NEED to do it, it's cheap, available and we're compliant should their opinion actually become fact. Already the FBI's accused of abusing their powers of the Patriot Act, but let's face it. Whether we like it or not EVENTUALLY the NEED to wiretap broadband connections WILL emerge. The bad guys aren't going to go away any time soon. So whether this year we're an information service, if every wired (DSL, Cable, etc) is wiretappable, and we are not, the bad guys will FLOCK to our networks.And then we will be forced in 1,2 years to do it anyways. I do NOT advocate spending hundreds of thousands to do this. I DO advocate developing a free solution like OpenCALEA and maybe even seeing it ported to Windows for those ISPs who don't have linux help at hand. It's inevitable guys, how can YOUR upstream give them YOUR customers information from an IP address? We can't sit around hoping to pawn this task off on someone else. When the FBI calls your upstream and asks them to tap Tony Montana's broadband connection, and they say, who the heck is that, that's XYZ Wireless ISP? Then they call you and ask, and you say We can't do it. And those ISPs who NAT their customers can't rely on the upstream for help. So then what? Big media press release that Wireless ISPs are the reason criminals are getting away with fraud, identity theft, etc. I'm not saying this will happen, but logically, what choice IS there other than having the ability to do this? - Original Message - From: Clint Ricker [EMAIL PROTECTED] To: WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 3:31 PM Subject: Re: [WISPA] CALEA compliance methods Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Likewise, although assistance from manufacturors is nice, it is not requisite and in some ways may complicate matters since you can end up with hundreds of different monitoring nodes and several different interfaces unless you have complete uniformity across your network. Generally, the easiest and most cost effective approach is to place taps at key points in your network that give you access to traffic. If you backhaul all of your wireless traffic to a central points, a single tap at the central point can monitor all of the traffic from the wireless cells. The tapping process itself does not need to be expensive or complicated. Any decent switch (if it doesn't, you probably shouldn't be using it to begin with) has some sort of port mirroring built in that can easily function as a tap. If not, ethernet and fiber taps are fairly cheap ($100-$200 or so on the second hand market). The tap can be hooked into a server running tcpdump or similiar software or various commercially available. This provides complete compliance for a fairly reasonable cost. Having a tap on each wireless access point, etc...needlessly complicates the whole affair and increases cost drastically. If you are doing backhaul via an Internet T1 or similiar, the upstream carrier may be doing some of this for you. However, you do have to analyze carefully to ensure that you are compliant in this situation. Note that this actually is a good idea to have even without CALEA as you can get a good idea as to what traffic is actually running on your network and can better track down virus/hackers/other malicious traffic. - I have posted a couple of messages over on the Mikrotik forum over the last month or so. Mikrotik first basically said why should we care- we are in Latvia. After a little pressure from users, they began to ask for more information about the subject. I'm not at all knowledgeable enough to discuss the technical specs of the format, but I'm sure there are some folks around that are. Let's get MT users and prospective users rallied and do what we can to ebcourage MT to comply. It can only help us more and should also create a yardstick for other manufacturers. Here is a link to the threads http://forum.mikrotik.com/search.php?mode=resultssid=723d81c229563812d900d2 0b3a31a900 Ralph -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 27, 2007 1:08 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Hi, While I appreciate Mark's comments and point of view, I for one would like
Re: [WISPA] CALEA compliance methods
Clint Ricker wrote: Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Wouldn't it be cool, and cheap, if it was just that easy? Here's your encrypted access to xxx customers radio / port, it's yours to monitor...? Maybe a CALEA button that we can turn on at will Somehow I doubt it will be this easy. -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] CALEA compliance methods- For Clint
Hello Clint. You are confusing me. When I mention MT, I said routers, not CPE. We don't use non type accepted CPE and therefore don't have MT in any form at the customer end. However our site routers and even the edge router ARE MT- even the edge router. Those are what I am talking about. I didn't say anything about putting any certain number of units in. And I really don't see how that would turn into hundreds of monitoring nodes. I'd just as soon only have to mess with it at one or two places. Our network is fed from two different points, but from the same provider. This provider told another WISP in the area (that he also upstreams) that he would not be able to do CALEA capture for us, but has now publicly said that he can. We'll have to see how that goes as it develops. If he will, then that makes him an even more valuable provider. Cisco's CALEA solution is at the router level. This seems to be the most logical place to do the tap- especially if the equipment/license/whatever is costly. The fewer costly licenses that need to be bought, the better it is for the small guy. We are very small (make that tiny). We all know that a decent switch can mirror a port. We also know how to sniff packets. What we don't know is how to package this data up with a nice pretty red bow the way Joe Law wants it. As far as I understand it, this is what Cisco is saying they will do (although I'm sure it will not be free). Imagestream is promising something as well. Those of us who don't use Cisco or Imagestream have to hope that our hardware provider will come up with a way, too. Aren't we really on the same page, here? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clint Ricker Sent: Tuesday, March 27, 2007 3:31 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Likewise, although assistance from manufacturors is nice, it is not requisite and in some ways may complicate matters since you can end up with hundreds of different monitoring nodes and several different interfaces unless you have complete uniformity across your network. Generally, the easiest and most cost effective approach is to place taps at key points in your network that give you access to traffic. If you backhaul all of your wireless traffic to a central points, a single tap at the central point can monitor all of the traffic from the wireless cells. The tapping process itself does not need to be expensive or complicated. Any decent switch (if it doesn't, you probably shouldn't be using it to begin with) has some sort of port mirroring built in that can easily function as a tap. If not, ethernet and fiber taps are fairly cheap ($100-$200 or so on the second hand market). The tap can be hooked into a server running tcpdump or similiar software or various commercially available. This provides complete compliance for a fairly reasonable cost. Having a tap on each wireless access point, etc...needlessly complicates the whole affair and increases cost drastically. If you are doing backhaul via an Internet T1 or similiar, the upstream carrier may be doing some of this for you. However, you do have to analyze carefully to ensure that you are compliant in this situation. Note that this actually is a good idea to have even without CALEA as you can get a good idea as to what traffic is actually running on your network and can better track down virus/hackers/other malicious traffic. - I have posted a couple of messages over on the Mikrotik forum over the last month or so. Mikrotik first basically said why should we care- we are in Latvia. After a little pressure from users, they began to ask for more information about the subject. I'm not at all knowledgeable enough to discuss the technical specs of the format, but I'm sure there are some folks around that are. Let's get MT users and prospective users rallied and do what we can to ebcourage MT to comply. It can only help us more and should also create a yardstick for other manufacturers. Here is a link to the threads http://forum.mikrotik.com/search.php?mode=resultssid=723d81c229563812d900d2 0b3a31a900 Ralph -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 27, 2007 1:08 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just
Re: [WISPA] CALEA compliance methods - 3rd party
There are 3rd party vendors, like IP Fabrics with CALEA compliance gear. For data it shouldn't be that big of a deal since the Edge Router (connecting your WAN with your upstream) should be able to be tapped, if you use what I will call a brand name (Cisco, Juniper, Redback, blah, blah and soon WISPA's vendor member, Image Stream). For VOIP, it is a bear. SIP streams have to be hooked at many different points. So 3rd party gear built for this might be preferred. Regards, Peter Radizeski RAD-INFO, Inc. Ralph wrote: As far as I understand it, this is what Cisco is saying they will do (although I'm sure it will not be free). Imagestream is promising something as well. Those of us who don't use Cisco or Imagestream have to hope that our hardware provider will come up with a way, too. -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Thanks all for the interesting posts ... Regarding tapping at the edge between my upstream provider and me, I'm of the understanding that I need to be able to capture all of my customer's data, even that which passes between one customer and another, or between my customer and my mail server, or my customer and one of my other customers' colocated servers, etc. From that standpoint, the way I have been looking at it is to mirror the packets as close to the core of my network as possible, but no later than the first juncture where my customer's traffic can be routed or bridged to another customer or server. Since almost all of our customers have dedicated VLANs which terminate on a core layer 3 switch, for most of them I can just SPAN the corresponding layer 3 switch port. Some of them share a VLAN with other customers, though, so I will need to mirror a layer 2 switchport closer to the edge of my network for those. Regarding putting in a tap, is that something you put inline on the fiber / copper cable? If so, I wonder if that could be considered a completely compliant solution, as I was under the impression that the packet capture is not supposed to be noticeable to the customer at all. A tiny blip of downtime while I'm putting in the tap could theoretically be noticed I also have the impression (maybe wrongly) that we may need to be able to establish a VPN between the device capturing the traffic and the law enforcement agency, to pipe the data to them I agree it's really tough to know how to comply when the data format standards are simply not clear. That's why I'm really interested to hear from anyone who says they have a compliant solution already, to know what standard they are using I agree with those of us who are hoping that an open-source solution will be developed (for *nix or Windows) ... ... and here's an interesting document I found linked to from the Mikrotik threads: http://contributions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006-084R8.doc ... Adam - Original Message - From: Ralph [EMAIL PROTECTED] To: 'WISPA General List' wireless@wispa.org Sent: Tuesday, March 27, 2007 6:22 PM Subject: RE: [WISPA] CALEA compliance methods- For Clint Hello Clint. You are confusing me. When I mention MT, I said routers, not CPE. We don't use non type accepted CPE and therefore don't have MT in any form at the customer end. However our site routers and even the edge router ARE MT- even the edge router. Those are what I am talking about. I didn't say anything about putting any certain number of units in. And I really don't see how that would turn into hundreds of monitoring nodes. I'd just as soon only have to mess with it at one or two places. Our network is fed from two different points, but from the same provider. This provider told another WISP in the area (that he also upstreams) that he would not be able to do CALEA capture for us, but has now publicly said that he can. We'll have to see how that goes as it develops. If he will, then that makes him an even more valuable provider. Cisco's CALEA solution is at the router level. This seems to be the most logical place to do the tap- especially if the equipment/license/whatever is costly. The fewer costly licenses that need to be bought, the better it is for the small guy. We are very small (make that tiny). We all know that a decent switch can mirror a port. We also know how to sniff packets. What we don't know is how to package this data up with a nice pretty red bow the way Joe Law wants it. As far as I understand it, this is what Cisco is saying they will do (although I'm sure it will not be free). Imagestream is promising something as well. Those of us who don't use Cisco or Imagestream have to hope that our hardware provider will come up with a way, too. Aren't we really on the same page, here? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clint Ricker Sent: Tuesday, March 27, 2007 3:31 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Likewise, although assistance from manufacturors is nice, it is not requisite and in some ways may complicate matters since you can end up with hundreds of different monitoring nodes and several different interfaces unless you have complete uniformity across your network. Generally, the easiest and most cost effective approach is to place taps at key points in your network that give you access to traffic. If you backhaul all of your wireless traffic to a central points, a single tap at the central point can monitor all of the traffic from the wireless cells. The tapping process itself does not need to be expensive or complicated. Any decent switch (if it doesn't, you probably shouldn't be using it to begin with) has some sort
Re: [WISPA] CALEA compliance methods
Blair, Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. Another case of Doth protest too much. Regards, Dawn DiPietro -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Blair Davis wrote: Because at WISPA, we don't have to all think the same and have the same opinions all in step. We're not clones. We're individuals who each have our own beliefs and run our operation individually, sometimes uniquely And fortunately WISPA is an organization made up of individuals who do NOT want to make you think a certain way. WISPA doesn't want to run your business or tell you how to run your business. We're just working for the common ground that will benefit all wisps, not just some wisps. Another good thing is, with such as small membership, those who decide to participate can have an impact or effect. And as I understand it there is many openings on various committees. As for 477, CALEA, and certified equipment, that all came out of the FCC's horses mouths. All we can do is help people comply. But you don't see WISPA wanting to deny membership to those that does NOT comply. I Believe if WISPA was to go down the path of dictating what a wispa member was required to do, it would be wrong. We would loose our individualism and that won't teach us anything new. I've fought this thinking in the board room. We are not here to alienate each other but to find a common ground. If you have a real difference of opinion, rather than hold it against anyone or keep it to yourself, you should express your self and not hold it against anyone for disagreeing or having a different opinion. I think most people here are not going to loose their respect for each other over a difference of opinion. Anyways WISPA is an opportunity to participate. Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. That being the case, why should I still join? -- Blair Davis West Michigan Wireless ISP 269-686-8648 -- George Rogato Welcome to WISPA www.wispa.org http://signup.wispa.org/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
On Tue, 27 Mar 2007 19:20:15 -0400, Blair Davis wrote I've been watching this discussion for a bit. Up front, I have to say I agree with Mark. Say the FBI and DOJ wanted a way to track any automobile in the country in real time, (so the bad guys can't hide their movements). They go to the DOT and the the DOT decides that the way to do this is to require every auto in the country to have a GPS and cellular modem in it. So the DOT mandates this, but doesn't provide any funding for it. Instead, they expect the auto owners to pay for the equipment and the cellular company's to provide the service for free. Just how many of you will go for this? Do you think the cellular company's will go for it? The example above is EXACTLY the same as the CALEA requirements being applied to us. Pretty good analogy, except that it would be more like having the cellular providers provide BOTH the equipment and service, but that's just quibbling around the edges. If they want to pay for it, fine. For my network, they can expect to pay about $40K to replace my MESH based AP's for me And, I don't know how much it will cost to fix my automated sign-up system for mobile and hot-spot users, (because it works with the MESH AP's only). I'm not even sure that hot-spots can EVER be made compliant. What about my 30min per day free stuff for tourists to check their e- mail? Right now, I can locate a person to a tower. Not to an individual CPE. And I see no way to do so without wholesale equipment replacement. I'll bet there are others in the same spot. I know that at least 10 to 20% of my customers have wireless AP's in their home. No way can I gaurantee that traffic I intercept is actually from or to the individual in question. I don't think we're being asked to do this, mind you, but it leads to the question of whether LEA should be attempting to bend network operations to their notion of what surveillance is, or should they change what they see as serveillance to how the services work. Again, this whole mess is a result of the FCC applying a PHONE SERVICE INTERCEPT law to a service that is NOT analogous and doesn't work the same way. On another subject Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. That being the case, why should I still join? Let me state up front, that I argued for the formation of WISPA. I still believe in the idea of a trade organization for the industry I am in. I don't believe that was a mistake. WISPA will have regular elections to choose leadership. However, the leadership in place is in place, and will be a for a while yet. Unless we're arguing to remove leadership, which I think would be a terrible blow, an extremely divisive action, the idea is that we have to work with the leadership that exists as of right now. Some time ago, I formally cancelled my membership, and made it clear that when I believe that the leadership will make some effort to represent what I consider the interests of their myriad small members, I will again at least financially support WISPA. Does the stated leadership's stand on this reflect the the majority / minority of the member's views? I don't know. I don't really know WHAT the WISPA membership in general thinks. I don't know what the WISP industry in general thinks. Unfortunately, I really don't think that the volunteer leadership has the time or energy or resources to dig deep, engage in informed debate, and make sure that all views and ideas are well heard, and then get some kind of consensus of the views of the industry or membership. That's just the nature of the beast, for a startup organization that's small and driven by volunteers. Thus, WISPA has represented in DC what the views of the individuals are that both can and have gone to DC in our behalf. Being a volunteer driven organization, the only people who can serve are those who have the time, the money, and the drive, to become leadership. That leaves the vast majority of us out - me included. Peter suggested that people run for leadership of WISPA with contrarian views. I'm not really sure that's the solution. With the way it operates now, we'd just end up with a leadership bitterly divided within itself, and still probably not understanding or knowing the real guts of the industry itself, and still not really representting the industry. I do not see leadership of WISPA as being a tool for activism or agendas. For the most part, the WISPA leadership has asked the membership for input on much of what it has done. Sometimes, even important stuff doesn't get more than a
Re: [WISPA] CALEA compliance methods
George As to form 477 and CALEA, no, no one has spoken of making membership contingent on their position on these issues. But, I do recall a discussion, on this list, 'Dealing with bad players', starting on Feb 8, that basically proposed requiring the use of stickered equipment to be a member. Not sure what became of it. George Rogato wrote: Blair Davis wrote: Because at WISPA, we don't have to all think the same and have the same opinions all in step. We're not clones. We're individuals who each have our own beliefs and run our operation individually, sometimes uniquely And fortunately WISPA is an organization made up of individuals who do NOT want to make you think a certain way. WISPA doesn't want to run your business or tell you how to run your business. We're just working for the common ground that will benefit all wisps, not just some wisps. Another good thing is, with such as small membership, those who decide to participate can have an impact or effect. And as I understand it there is many openings on various committees. As for 477, CALEA, and certified equipment, that all came out of the FCC's horses mouths. All we can do is help people comply. But you don't see WISPA wanting to deny membership to those that does NOT comply. I Believe if WISPA was to go down the path of dictating what a wispa member was required to do, it would be wrong. We would loose our individualism and that won't teach us anything new. I've fought this thinking in the board room. We are not here to alienate each other but to find a common ground. If you have a real difference of opinion, rather than hold it against anyone or keep it to yourself, you should express your self and not hold it against anyone for disagreeing or having a different opinion. I think most people here are not going to loose their respect for each other over a difference of opinion. Anyways WISPA is an opportunity to participate. Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. That being the case, why should I still join? -- Blair Davis West Michigan Wireless ISP 269-686-8648 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Sounds vagely familiar, Like I said, from my opinion, wispa would not be an industry association Remember once had a guy selling jock straps with the wispa logo thinking that was a good idea too. Blair Davis wrote: George As to form 477 and CALEA, no, no one has spoken of making membership contingent on their position on these issues. But, I do recall a discussion, on this list, 'Dealing with bad players', starting on Feb 8, that basically proposed requiring the use of stickered equipment to be a member. Not sure what became of it. George Rogato wrote: Blair Davis wrote: Because at WISPA, we don't have to all think the same and have the same opinions all in step. We're not clones. We're individuals who each have our own beliefs and run our operation individually, sometimes uniquely And fortunately WISPA is an organization made up of individuals who do NOT want to make you think a certain way. WISPA doesn't want to run your business or tell you how to run your business. We're just working for the common ground that will benefit all wisps, not just some wisps. Another good thing is, with such as small membership, those who decide to participate can have an impact or effect. And as I understand it there is many openings on various committees. As for 477, CALEA, and certified equipment, that all came out of the FCC's horses mouths. All we can do is help people comply. But you don't see WISPA wanting to deny membership to those that does NOT comply. I Believe if WISPA was to go down the path of dictating what a wispa member was required to do, it would be wrong. We would loose our individualism and that won't teach us anything new. I've fought this thinking in the board room. We are not here to alienate each other but to find a common ground. If you have a real difference of opinion, rather than hold it against anyone or keep it to yourself, you should express your self and not hold it against anyone for disagreeing or having a different opinion. I think most people here are not going to loose their respect for each other over a difference of opinion. Anyways WISPA is an opportunity to participate. Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. That being the case, why should I still join? -- Blair Davis West Michigan Wireless ISP 269-686-8648 -- George Rogato Welcome to WISPA www.wispa.org http://signup.wispa.org/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Inline wispa wrote: On Tue, 27 Mar 2007 19:20:15 -0400, Blair Davis wrote I've been watching this discussion for a bit. Up front, I have to say I agree with Mark. Say the FBI and DOJ wanted a way to track any automobile in the country in real time, (so the bad guys can't hide their movements). They go to the DOT and the the DOT decides that the way to do this is to require every auto in the country to have a GPS and cellular modem in it. So the DOT mandates this, but doesn't provide any funding for it. Instead, they expect the auto owners to pay for the equipment and the cellular company's to provide the service for free. Just how many of you will go for this? Do you think the cellular company's will go for it? The example above is EXACTLY the same as the CALEA requirements being applied to us. Pretty good analogy, except that it would be more like having the cellular providers provide BOTH the equipment and service, but that's just quibbling around the edges. If they want to pay for it, fine. For my network, they can expect to pay about $40K to replace my MESH based AP's for me And, I don't know how much it will cost to fix my automated sign-up system for mobile and hot-spot users, (because it works with the MESH AP's only). I'm not even sure that hot-spots can EVER be made compliant. What about my 30min per day free stuff for tourists to check their e- mail? Right now, I can locate a person to a tower. Not to an individual CPE. And I see no way to do so without wholesale equipment replacement. I'll bet there are others in the same spot. I know that at least 10 to 20% of my customers have wireless AP's in their home. over 50% for me. We set them up for free if they buy them from us or if they have it there at the time of the install. No way can I gaurantee that traffic I intercept is actually from or to the individual in question. I don't think we're being asked to do this, mind you, My reply to this is Yet. but it leads to the question of whether LEA should be attempting to bend network operations to their notion of what surveillance is, or should they change what they see as serveillance to how the services work. Again, this whole mess is a result of the FCC applying a PHONE SERVICE INTERCEPT law to a service that is NOT analogous and doesn't work the same way. Again, not directed at you, Mark, but to all what about hot spots? On another subject Two months ago, we were ready to join WISPA. At the time, I felt that WISPA had proven its longevity and was becoming a mature voice for the WISP's. But, after the form 477 issue, FCC sticker issue, and now the CALEA issue, I'm pretty sure that I disagree with the majority of the members on what stance should be taken on these issues. That being the case, why should I still join? Let me state up front, that I argued for the formation of WISPA. I still believe in the idea of a trade organization for the industry I am in. I don't believe that was a mistake. WISPA will have regular elections to choose leadership. However, the leadership in place is in place, and will be a for a while yet. Unless we're arguing to remove leadership, which I think would be a terrible blow, an extremely divisive action, the idea is that we have to work with the leadership that exists as of right now. I agree. And, I'm not advocating anything like that. Some time ago, I formally cancelled my membership, and made it clear that when I believe that the leadership will make some effort to represent what I consider the interests of their myriad small members, I will again at least financially support WISPA. I was planning on joining. I'd discussed it with my partner, and he had agreed. But, now, I'm not sure that WISPA is for the small WISP. Does the stated leadership's stand on this reflect the the majority / minority of the member's views? I don't know. I don't really know WHAT the WISPA membership in general thinks. I don't know what the WISP industry in general thinks. Neither do I know this. I'd like to. Unfortunately, I really don't think that the volunteer leadership has the time or energy or resources to dig deep, engage in informed debate, and make sure that all views and ideas are well heard, and then get some kind of consensus of the views of the industry or membership. But, if I'm going to support WISPA with my $$, I will have to know that they represent MY best interests when they speak to the gov. Don't really worry about anything else they do, but want to be sure that they don't mis-represent me to the gov. That's just the nature of the beast, for a startup organization that's small and driven by volunteers. Thus, WISPA has represented in DC what the views of the individuals are that both can and have gone to DC in our behalf. Being a volunteer
Re: [WISPA] CALEA compliance methods
Mark, Right in time. WISPA will be having elections in the very near future. Now is the time to join WISPA and be eligible to cast your vote or run for a board seat. Membership is a very low 250.00 per year. And you get to vote! Try the new automated sign up: http://signup.wispa.org/wispa-newacct.html :) wispa wrote: . WISPA will have regular elections to choose leadership. However, the leadership in place is in place, and will be a for a while yet. Unless we're arguing to remove leadership, which I think would be a terrible blow, an extremely divisive action, the idea is that we have to work with the leadership that exists as of right now. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- George Rogato Welcome to WISPA www.wispa.org http://signup.wispa.org/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
We're close guys. Just waiting to get a doc fine tuned and double checked. marlon - Original Message - From: George Rogato [EMAIL PROTECTED] To: WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 11:14 AM Subject: Re: [WISPA] CALEA compliance methods I bet the technical aspects of how to comply will be emerging soon. I understand the wispa calea meeting went very well. So there must be some good news. Adam Greene wrote: Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING they happen to wish for, and the wish lists from the swamp on the Potomac are so large they boggle the mind. And don't give me the we play dead for regulatory favors in the future crap. Nothing we do will buy us one MOMENT's worth of consideration, in EITHER direction. Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- George Rogato Welcome to WISPA www.wispa.org http://signup.wispa.org/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/ -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods- For Clint
to hope that our hardware provider will come up with a way, too. Aren't we really on the same page, here? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clint Ricker Sent: Tuesday, March 27, 2007 3:31 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Just as a general rule, CALEA monitoring is not something that you need to--or want to--do at each individual CPE or router. Likewise, although assistance from manufacturors is nice, it is not requisite and in some ways may complicate matters since you can end up with hundreds of different monitoring nodes and several different interfaces unless you have complete uniformity across your network. Generally, the easiest and most cost effective approach is to place taps at key points in your network that give you access to traffic. If you backhaul all of your wireless traffic to a central points, a single tap at the central point can monitor all of the traffic from the wireless cells. The tapping process itself does not need to be expensive or complicated. Any decent switch (if it doesn't, you probably shouldn't be using it to begin with) has some sort of port mirroring built in that can easily function as a tap. If not, ethernet and fiber taps are fairly cheap ($100-$200 or so on the second hand market). The tap can be hooked into a server running tcpdump or similiar software or various commercially available. This provides complete compliance for a fairly reasonable cost. Having a tap on each wireless access point, etc...needlessly complicates the whole affair and increases cost drastically. If you are doing backhaul via an Internet T1 or similiar, the upstream carrier may be doing some of this for you. However, you do have to analyze carefully to ensure that you are compliant in this situation. Note that this actually is a good idea to have even without CALEA as you can get a good idea as to what traffic is actually running on your network and can better track down virus/hackers/other malicious traffic. - I have posted a couple of messages over on the Mikrotik forum over the last month or so. Mikrotik first basically said why should we care- we are in Latvia. After a little pressure from users, they began to ask for more information about the subject. I'm not at all knowledgeable enough to discuss the technical specs of the format, but I'm sure there are some folks around that are. Let's get MT users and prospective users rallied and do what we can to ebcourage MT to comply. It can only help us more and should also create a yardstick for other manufacturers. Here is a link to the threads http://forum.mikrotik.com/search.php?mode=resultssid=723d81c229563812d900d2 0b3a31a900 Ralph -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 27, 2007 1:08 PM To: WISPA General List Subject: Re: [WISPA] CALEA compliance methods Hi, While I appreciate Mark's comments and point of view, I for one would like to also start looking for ways to possibly comply with CALEA in a cost-effective way. I'm afraid that if the conversation here is limited to whether we should comply or not, we might lose the opportunity to share with each other about technical implementation. Don't get me wrong, I'm not suggesting that the conversation about whether to comply should be halted, just that some room be given to those of us who also want to speak about implementation. I'm still interested if anyone has any point of view about any of the compliance methods that I discussed in my original post, from a technical standpoint. Thanks, Adam - Original Message - From: wispa [EMAIL PROTECTED] To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org Sent: Tuesday, March 27, 2007 1:16 PM Subject: Re: [WISPA] CALEA compliance methods On Tue, 27 Mar 2007 08:21:53 -0400, Peter R. wrote Mark, CALEA IS LAW. There are interpretations of that law, but they have been upheld by courts. YOu're arguing against things I'm not saying. CALEA is not the opinion of the DOJ or FCC. It is not far-reaching (like say the Patriot Act) or secret and possibly illegal like the NSA-ATT wiretapping / surveillance. The whole idea that WE are covered under CALEA is just FCC opinion, which is as changeable and variable as the wind. The ruling is capricious and founded on VAPOR, not substance. I just cannot believe you approve of unfunded federal mandates for public purposes. CALEA was not. Misapplying CALEA is. This is not OSHA mandates. This is not the same as requiring that a tower service company require their climbers to use a safety system. Not even close. If the federal government is justified with making us provide, AT OUR EXPENSE, law enforcement services, then we're one little itty bitty non- existent step from from being mandated to do ANYTHING
Re: [WISPA] CALEA compliance methods
Adam, Regarding tapping at the edge between my upstream provider and me, I'm of the understanding that I need to be able to capture all of my customer's data, even that which passes between one customer and another, or between my customer and my mail server, or my customer and one of my other customers' colocated servers, etc. From that standpoint, the way I have been looking at it is to mirror the packets as close to the core of my network as possible, but no later than the first juncture where my customer's traffic can be routed or bridged to another customer or server. Since almost all of our customers have dedicated VLANs which terminate on a core layer 3 switch, for most of them I can just SPAN the corresponding layer 3 switch port. Some of them share a VLAN with other customers, though, so I will need to mirror a layer 2 switchport closer to the edge of my network for those. This definitely seems true, and I'm not certain how you even deal with traffic between two clients on the same AP other than not allow that scenario (without coming through a central router). There are many advantages to running a session-based approach to subscriber management; CALEA, I think, will just add another reason to take that approach. Regarding putting in a tap, is that something you put inline on the fiber / copper cable? If so, I wonder if that could be considered a completely compliant solution, as I was under the impression that the packet capture is not supposed to be noticeable to the customer at all. A tiny blip of downtime while I'm putting in the tap could theoretically be noticed Yes, they do go inline. Usually, they have one in and two outputs and have a failsafe mechanism where, if they lose power or otherwise fail, will still function. For inline taps, they would have to be setup from the get-go; this is best done in a maintenance window, in any case, since the ideal tapping point would have all of your customers traffic flowing through it, meaning that a tap insertion will momentarily cause a major disruption. Using port mirroring on a switch bypasses this, but isn't always an option. I also have the impression (maybe wrongly) that we may need to be able to establish a VPN between the device capturing the traffic and the law enforcement agency, to pipe the data to them Yes, this seems to be the case, although some places stated this as preferred. This is the only aspect, however, that I've not been able to find specifics of. On the good side, I've not seen anything official in the sense that it is in the actual law or the spec, meaning, in a legal sense, it may not be a requirement. I agree it's really tough to know how to comply when the data format standards are simply not clear. That's why I'm really interested to hear from anyone who says they have a compliant solution already, to know what standard they are using Take a look at the opencalea project (opencalea.org). Their application, although crude, does the packet captures and dumps to the basic format that is specified. -- Clint Ricker Kentnis Technologies 800.783.5753 I agree with those of us who are hoping that an open-source solution will be developed (for *nix or Windows) ... ... and here's an interesting document I found linked to from the Mikrotik threads: http://contributions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006-084R8.doc ... Adam - Original Message - From: Ralph [EMAIL PROTECTED] To: 'WISPA General List' wireless@wispa.org Sent: Tuesday, March 27, 2007 6:22 PM Subject: RE: [WISPA] CALEA compliance methods- For Clint Hello Clint. You are confusing me. When I mention MT, I said routers, not CPE. We don't use non type accepted CPE and therefore don't have MT in any form at the customer end. However our site routers and even the edge router ARE MT- even the edge router. Those are what I am talking about. I didn't say anything about putting any certain number of units in. And I really don't see how that would turn into hundreds of monitoring nodes. I'd just as soon only have to mess with it at one or two places. Our network is fed from two different points, but from the same provider. This provider told another WISP in the area (that he also upstreams) that he would not be able to do CALEA capture for us, but has now publicly said that he can. We'll have to see how that goes as it develops. If he will, then that makes him an even more valuable provider. Cisco's CALEA solution is at the router level. This seems to be the most logical place to do the tap- especially if the equipment/license/whatever is costly. The fewer costly licenses that need to be bought, the better it is for the small guy. We are very small (make that tiny). We all know that a decent switch can mirror a port. We also know how to sniff packets. What we don't know is how to package this data up with a nice pretty red bow the way Joe Law wants it. As far as I
Re: [WISPA] CALEA compliance methods
On Mon, 26 Mar 2007 19:49:43 -0400, Adam Greene wrote Hi, As a new member of WISPA I am reading with interest all of the postings about CALEA from the past few weeks. Thankfully, we have designed our network in such a way that all customer IP traffic passes through at least one Cisco switch before it can be bridged to any other customer or routed to the Internet, so I think we'll be able to SPAN all customer traffic and from there manipulate the data streams and hand them off to law enforcement. The only exception to this case might be our Waverider CCU's, which are routing packets between various end-users. I am going to contact them to see what their take is on implementing LI -- we might need to stop using the CCU's as routers. The main questions I have for the forum are ... assuming we can at least make a copy of a given customer's traffic without the customer realizing it (i.e. non-intrusively), how are we going to be able to format the data to be able to hand it off to law enforcement? We obviously want to do this in the most cost-effective way possible (read: open source solution). http://www.opencalea.org/ definitely looks promising, but it is just getting off the ground as far as I can tell. I wonder if there are any other groups out there working on this. As far as compliance standards go, as far as I can tell, the one that most fits us might be ATIS -T1.IPNA -ISP data, but I'm still confused about that. When I visit http://www.askcalea.net/standards.html, I see a link for Wireline: PTSC T1.IAS which takes me to https://www.atis.org/docstore/product.aspx?id=22665. Is this all the same as ATIS -T1.IPNA -ISP? Somehow I don't have the feeling that paying $164.00 for this standard is going to help get me in the right direction We do have a couple savvy Linux guru-types in house that could deploy a good open-source solution and keep it updated, I think. But I don't think we're up to developing such a solution ourselves from scratch. I did find a device made by a company called Solera (http://www.voip-news.com/feature/solera-calea-voip-packet-capture- 031907/) which looks like it could be cost-effective (read: ~$7000.00) for a small ISP (read: ~1,000 customers) like us. Obviously we would prefer open source, but at least it was a relief to see that we might be able to avoid the $40,000 - $100,000 solutions I've been hearing about from TTP's and other (larger) ISPs. Matt Liotta, you mentioned that you have the ability to provide lawful intercept in compliance with CALEA for our single-homed downstream ISP customers assuming there is no NAT involved. Would you be willing to share some details about the solution you've been able to come up with? I do see the opportunity that this whole CALEA thing could provide to some ISP's who figure out a way to develop a cost-effective solution and then offer consulting services or **affordable** TTP services to other companies ... I also read with interest the Baller law group's Key Legal and Technical Requirements and Options for CALEA (http://www.baller.com/pdfs/BHLG-CTC_CALEA_Memo.pdf) that Peter Radizeski forwarded to the list. I had not taken seriously the possibility of filing a section 109(b) petition, but if we do due diligence and really do not find an affordable solution to deploy on our network, I think we may have to seriously consider that (for example, the part about asking to be considered compliant as long as we can meet most of LI's requirements, if not all of them). Please excuse the long and rambling post ... I'm just having a hard time finding out how to grab a hold of this CALEA beast. Hi, let me quote from www.askcalea.com On March 17, 2004, we published a press release regarding our joint petition. Q: Does the petition for CALEA rulemaking propose to apply CALEA to all types of online communication, including instant messaging and visits to websites? A: No. The petition proposes CALEA coverage of only broadband Internet access service and broadband telephony service. Other Internet-based services, including those classified as information services such as email and visits to websites, would not be covered. Q: Does the petition propose extensive retooling of existing broadband networks that could impose significant costs? A: No. The petition contends that CALEA should apply to certain broadband services but does not address the issue of what technical capabilities those broadband providers should deliver to law enforcement. CALEA already permits those service providers to fashion their own technical standards as they see fit. If law enforcement considers an industry technical standard deficient, it can seek to change the standard only by filing a special deficiency petition before the Commission. It is the FCC, not law enforcement, that decides whether any capabilities should be added to the
Re: [WISPA] CALEA compliance methods
On Mon, 26 Mar 2007 19:49:43 -0400, Adam Greene wrote extracting a snippet from Adam's interesting prose A: No. The petition proposes CALEA coverage of only broadband Internet access service and broadband telephony service. Other Internet-based services, including those classified as information services such as email and visits to websites, would not be covered. /snip On Mon, 26 Mar 2007 wispa wrote in reply: extracting a relevant portion of the reply Read this carefully, it says that website visits, IM, etc, are NOT included in the information you must capture. Yeah, yeah, it says the companies that provide those services need not be compliant - if that's the case, then that data is not included in the required types. Only specific types of information, mostly being VIOP calls are detailed. Since VOIP calls are tapped at the provider's end, it appears that really IS NO INCLUDED DATA that needs to be tapped at the ISP's end, unless somehow we're supposed to find peer to peer voice data buried in the packet flow or something. Of course, this conflicts to some degree with other information published elsewhere... and here, too. I'm not sure it doesn't conflict with the FCC's and FBI's recent comments, too. /snip Mark Koskenmaki Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 I think the assertion that website visits, IM, etc, are not included actually is a statement that those subject to the provisions of CALEA are not defined by whether or not they offer visits to websites or IM capability, but rather whether or not they offer broadband internet access. Such as an Internet access provider who does not qualify as a broadband provider (dial-up?) is not subject to the provisions of CALEA, even though they may enable the public to utilize email over their networks, whereas a provider of broadband internet access is subject to those provisions, simply because they offer broadband, but not because their users have email capability. It is then up to the LEA's and courts to determine what they want to sniff, which may or may not include the email, IM, web site visits, etc... Of course, IANAL. John Vogel -- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] CALEA compliance methods
Mark, your info is 3 years old We have to be ready to tap our lines. Even IMs. marlon - Original Message - From: wispa [EMAIL PROTECTED] To: WISPA General List wireless@wispa.org Sent: Monday, March 26, 2007 8:54 PM Subject: Re: [WISPA] CALEA compliance methods On Mon, 26 Mar 2007 19:49:43 -0400, Adam Greene wrote Hi, As a new member of WISPA I am reading with interest all of the postings about CALEA from the past few weeks. Thankfully, we have designed our network in such a way that all customer IP traffic passes through at least one Cisco switch before it can be bridged to any other customer or routed to the Internet, so I think we'll be able to SPAN all customer traffic and from there manipulate the data streams and hand them off to law enforcement. The only exception to this case might be our Waverider CCU's, which are routing packets between various end-users. I am going to contact them to see what their take is on implementing LI -- we might need to stop using the CCU's as routers. The main questions I have for the forum are ... assuming we can at least make a copy of a given customer's traffic without the customer realizing it (i.e. non-intrusively), how are we going to be able to format the data to be able to hand it off to law enforcement? We obviously want to do this in the most cost-effective way possible (read: open source solution). http://www.opencalea.org/ definitely looks promising, but it is just getting off the ground as far as I can tell. I wonder if there are any other groups out there working on this. As far as compliance standards go, as far as I can tell, the one that most fits us might be ATIS -T1.IPNA -ISP data, but I'm still confused about that. When I visit http://www.askcalea.net/standards.html, I see a link for Wireline: PTSC T1.IAS which takes me to https://www.atis.org/docstore/product.aspx?id=22665. Is this all the same as ATIS -T1.IPNA -ISP? Somehow I don't have the feeling that paying $164.00 for this standard is going to help get me in the right direction We do have a couple savvy Linux guru-types in house that could deploy a good open-source solution and keep it updated, I think. But I don't think we're up to developing such a solution ourselves from scratch. I did find a device made by a company called Solera (http://www.voip-news.com/feature/solera-calea-voip-packet-capture- 031907/) which looks like it could be cost-effective (read: ~$7000.00) for a small ISP (read: ~1,000 customers) like us. Obviously we would prefer open source, but at least it was a relief to see that we might be able to avoid the $40,000 - $100,000 solutions I've been hearing about from TTP's and other (larger) ISPs. Matt Liotta, you mentioned that you have the ability to provide lawful intercept in compliance with CALEA for our single-homed downstream ISP customers assuming there is no NAT involved. Would you be willing to share some details about the solution you've been able to come up with? I do see the opportunity that this whole CALEA thing could provide to some ISP's who figure out a way to develop a cost-effective solution and then offer consulting services or **affordable** TTP services to other companies ... I also read with interest the Baller law group's Key Legal and Technical Requirements and Options for CALEA (http://www.baller.com/pdfs/BHLG-CTC_CALEA_Memo.pdf) that Peter Radizeski forwarded to the list. I had not taken seriously the possibility of filing a section 109(b) petition, but if we do due diligence and really do not find an affordable solution to deploy on our network, I think we may have to seriously consider that (for example, the part about asking to be considered compliant as long as we can meet most of LI's requirements, if not all of them). Please excuse the long and rambling post ... I'm just having a hard time finding out how to grab a hold of this CALEA beast. Hi, let me quote from www.askcalea.com On March 17, 2004, we published a press release regarding our joint petition. Q: Does the petition for CALEA rulemaking propose to apply CALEA to all types of online communication, including instant messaging and visits to websites? A: No. The petition proposes CALEA coverage of only broadband Internet access service and broadband telephony service. Other Internet-based services, including those classified as information services such as email and visits to websites, would not be covered. Q: Does the petition propose extensive retooling of existing broadband networks that could impose significant costs? A: No. The petition contends that CALEA should apply to certain broadband services but does not address the issue of what technical capabilities those broadband providers should deliver to law enforcement. CALEA already permits those service providers to fashion their own technical standards as they see fit. If law enforcement considers an industry technical standard deficient, it can seek to change
