Communications Assistance for Law Enforcement Act (CALEA) CDMA Development Group – International Roaming Team Meeting March 2006 Curtis Owings Telecom Design Engineer II Network Access Gateways – Network Development
Audience and Purpose
Audience
• The CDG IRT members and associates.
Purpose
• This presentation discusses CALEA at a high level and its impacts in data roaming environments. In particular it provides insight into the challenges of CALEA in international roaming conditions. Its purpose is only to present some of the questions CALEA raises and an overview of Sprint’s current and future solutions.
Disclaimer
• I am not a lawyer. This presentation should in no way be taken as authoritative for Sprint’s position on CALEA or as legal advice.
• Official information about CALEA can be found conveniently at http://www.calea.org
Problem Statement
While originally drafted to provide for voice line tapping by law enforcement agencies, CALEA now also applies to data. In Mobile IP environments it is easy to tap connections at the Home Agent. This works well on your own network, but it breaks down somewhat when data roaming.
MIP inbound is easy
• When a US subscriber is roaming and a tap is required by law enforcement, no problem. The home carrier can just tap the Home Agent.
Tracking a MIP foreign sub is a little harder
• Tapping a data roamer on your network requires you to intercept the call much earlier. In Sprint’s case we’ve decided to err on the side of caution and tap the PDSNs as well.
SIP inbound can be easy
• Simple IP subscribers coming back into your network can be tapped as easily as MIP subs, provided you use L2TP tunneling.
Tracking a SIP foreign sub is still a little harder
• Tapping a SIP data roamer on your network requires you to tap the PDSN as well.
Simple IP without L2TP
• And of course SIP without L2TP requires tapping at the PDSN for both home and visiting subscribers. Or at least, it seems you would tap there.
Closing comments
• Do other countries have similar requirements? Is a discussion about a standard desired?
• Sprint’s solution is not necessarily required by US law enforcement agencies; it is designed to exceed the requirements.
• A network designer tasked with meeting CALEA requirements on a fresh network should consider tapping all the PDSNs, perhaps even skipping HA taps.
• While discussed simply here, tapping traffic has a large number of considerations that each carrier would have to evaluate (security of the data collected, managing the taps and collection hardware, potential impacts to the call path, data integrity and recovery, etc.).
• I’m happy to capture questions and get back to you. The CALEA systems were designed and built by peers who helped me write this presentation, but I would have to lean on their expertise for any detail questions. Curtis.L.Owings@mail.sprint.com
More detail for the seriously curious
• The intercept function is viewed as five broad categories: access, delivery, collection, service provider administration, and law enforcement administration.
• The Access Function (AF), through its constituent Intercept Access Points (IAPs), is responsible for providing access to an intercept subject’s communications, call-identifying information (CII), or both.
• Cisco 6506 and Datacom Systems VERSAtap 16 / FiberTap perform part of the Access Function. Verint Systems Fast Filter Unit (FFU) and Smart Analyzer Unit (SAU) provide the rest of the Access Function’s abilities.
More definitions
The Access Function typically includes the ability:
• to access an intercept subject’s call-identifying information unobtrusively and make the information available to the Delivery Function;
• to access an intercept subject’s call content unobtrusively and make the call content available to the Delivery Function; and
• to protect (e.g., prevent unauthorized access, manipulation, and disclosure) intercept controls, intercepted call content and call-identifying information consistent with TSP security policies and practices.
The Delivery Function (DF) is responsible for delivering intercepted communications and call-identifying information to one or more Collection Functions (CF).
• Verint Systems Mediation Device and subsystems perform the Delivery Function.
The Delivery Function typically includes the ability:
• to accept call content for each intercept subject over one or more channels from the Access Function(s);
• to deliver call content for each intercept subject over one or more call content channels (CCCs) to a Collection Function;
• to accept call-identifying or packet-mode content information for each intercept subject over one or more channels and deliver that information to the Collection Function over one or more call detail channels (CDCs);
• to ensure that the call-identifying information and call content delivered to a Collection Function is authorized for a particular LEA;
• to duplicate and deliver authorized call-identifying information and content for the intercept subject to one or more Collection Functions (up to a total of five); and
• to protect (e.g., prevent unauthorized access, manipulation, and disclosure) intercept controls, intercepted call content and call-identifying information consistent with TSP security policies and practices.
The Collection Function is responsible for collecting lawfully authorized intercepted communications (i.e., call content) and call-identifying information for an LEA.
The Collection Function is the responsibility of the LEA. The Collection Function typically includes the ability:
• to receive and process call content information for each intercept subject; and
• to receive and process information regarding each intercept subject (e.g., call associated or non-call associated).
The Service Provider Administration Function is responsible for controlling telecommunications service provider (TSP) electronic surveillance functions. Sprint is the TSP. Verint Systems Global Systems Administration performs the Service Provider Administration Function.
The Law Enforcement Administration Function (LEAF) is responsible for controlling LEA electronic surveillance functions. The Law Enforcement Administration Function is the responsibility of the LEA.
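The Delivery Function duties listed above (accept records from the Access Function, put call content on CCCs and call-identifying information on CDCs, deliver only what is authorized for a particular LEA, and duplicate to at most five Collection Functions) can be modelled as a small mediation component. The following is an added example written for this page; it is not Sprint’s or Verint’s code. The record layout, the channel representation, the audit log and the sample subjects and LEA names are all assumptions made for the illustration.

```python
"""Toy model of the CALEA Delivery Function (DF) described on this page.
Assumed, not from the presentation: record fields, channel layout, audit
log format, and every subject/LEA identifier used below (all constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

# The DF may duplicate a subject's CII and content to "up to a total of five"
# Collection Functions (stated on the page).
MAX_COLLECTION_FUNCTIONS = 5


@dataclass(frozen=True)
class InterceptRecord:
    """One item handed over by the Access Function (field names are assumed)."""
    subject: str   # intercept subject identifier, e.g. a subscriber id
    kind: str      # "content" (call content) or "cii" (call-identifying info)
    payload: bytes


@dataclass
class CollectionFunction:
    """An LEA-side CF with one call content channel and one call detail channel."""
    lea: str
    ccc: List[InterceptRecord] = field(default_factory=list)  # CCC: call content
    cdc: List[InterceptRecord] = field(default_factory=list)  # CDC: CII / detail


class DeliveryFunction:
    """Mediates between the Access Function(s) and the Collection Functions."""

    def __init__(self) -> None:
        # subject -> {LEA -> CF}; an entry exists only while an authorization
        # for that subject/LEA pair is in force.
        self._cfs: Dict[str, Dict[str, CollectionFunction]] = {}
        self.audit: List[str] = []  # intercept-control log (assumed format)

    def authorize(self, subject: str, lea: str) -> CollectionFunction:
        """Provision delivery of `subject` to `lea`'s CF (the step the
        administration functions would drive). Enforces the five-CF cap."""
        cfs = self._cfs.setdefault(subject, {})
        if lea in cfs:
            return cfs[lea]
        if len(cfs) >= MAX_COLLECTION_FUNCTIONS:
            raise ValueError(f"subject {subject!r} is already delivered to "
                             f"{MAX_COLLECTION_FUNCTIONS} Collection Functions")
        cfs[lea] = CollectionFunction(lea=lea)
        self.audit.append(f"AUTHORIZE subject={subject} lea={lea}")
        return cfs[lea]

    def revoke(self, subject: str, lea: str) -> None:
        """Withdraw an authorization; later records for the pair are not delivered."""
        if self._cfs.get(subject, {}).pop(lea, None) is not None:
            self.audit.append(f"REVOKE subject={subject} lea={lea}")

    def deliver(self, rec: InterceptRecord) -> int:
        """Duplicate `rec` to every CF authorized for its subject, content on
        the CCC and CII on the CDC. Returns the number of CFs reached; a record
        with no authorization in force is dropped and logged, never forwarded."""
        if rec.kind not in ("content", "cii"):
            raise ValueError(f"unknown record kind {rec.kind!r}")
        cfs = self._cfs.get(rec.subject, {})
        if not cfs:
            self.audit.append(f"DROP subject={rec.subject} kind={rec.kind}: not authorized")
            return 0
        for cf in cfs.values():
            channel = cf.ccc if rec.kind == "content" else cf.cdc
            channel.append(rec)
        self.audit.append(f"DELIVER subject={rec.subject} kind={rec.kind} cfs={len(cfs)}")
        return len(cfs)


def demo() -> DeliveryFunction:
    """Constructed scenario: one subject with two LEAs, one subject with none."""
    df = DeliveryFunction()
    df.authorize("SUBJ-A", "LEA-1")
    df.authorize("SUBJ-A", "LEA-2")
    for rec in (
        InterceptRecord("SUBJ-A", "cii", b"call-setup subj=A"),
        InterceptRecord("SUBJ-A", "content", b"...packet data..."),
        InterceptRecord("SUBJ-B", "content", b"...packet data..."),  # no authorization
    ):
        df.deliver(rec)
    df.revoke("SUBJ-A", "LEA-2")
    df.deliver(InterceptRecord("SUBJ-A", "cii", b"call-teardown subj=A"))
    return df


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of the model is the ordering of checks: authorization is looked up per subject and per LEA at delivery time, so a revoked or never-provisioned pair can never receive content or CII, and the cap is enforced when a CF is provisioned rather than when traffic flows. A real mediation device would additionally protect the audit log and the provisioning interface themselves, which the page lists under the "protect intercept controls" duty.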