CALEA, was [VOIPSEC] Re: Voipsec Digest, Vol 2, Issue 33

Geoff Devine gdevine at cedarpointcom.com
Mon Feb 28 20:27:50 CST 2005


If you use an SBC, you have to use it for all calls or, as you point out, the wire tap can be detected.  If you believe that the subscriber IP address should be anonymized to preserve their privacy, you're going through an SBC in any case.
 
The large router corporation has been floating proposals around to pull the CALEA function into the router.  I haven't seen any proposal that addresses the corner cases caused by call redirection.  (Forwarding, transfer, call pickup...)  The VoIP model does not co-exist very well with the requirements of J-STD-025.
 
Geoff

________________________________

From: Christopher A. Martin [mailto:chris at infravast.com]
Sent: Mon 2/28/2005 9:03 PM
To: Geoff Devine; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Re: Voipsec Digest, Vol 2, Issue 33



I agree. The only problem that I see with using a session border controller
is that a change in the media stream for lawful intercept would be
detected, unless all media were forced to the SBC/carrier network...which
would be a huge source of inefficiency...

Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Geoff Devine
> Sent: Monday, February 28, 2005 7:47 AM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Re: Voipsec Digest, Vol 2, Issue 33
>
> "Robert Foxworth" <rfoxwor1 at tampabay.rr.com> writes:
>
> > A minor point, but it occurs to me that it is not clear as to
> > whether you meant (1) that the subject of the intercept order
> > should not be able to detect that the sniffing is taking place,
> > i. e. detect that the sniffing is even happening, or (2) that
> > the subject, and/or the others with lawful orders etc. be able
> > to capture the actual data stream itself.
>
> This isn't exactly a security topic but it's certainly related....
>
> The requirements of J-STD-025 are that:
> A) The user under surveillance must not be able to detect that they are
> under surveillance
>
> and
>
> B) The privacy of the surveillance must be maintained.  (Nobody but the
> ILEC switch administrator who installs the taps is supposed to know
> about it)
>
> CALEA requires that you provide a call content channel (voice) and a
> call detail channel (who they're talking to).  Historically, the CCC was
> always a T1 line and the CDC was a hairball ASN.1-encoded PDU over X.25
> or IP.
>
> The CableLabs PacketCable approach to solving this is to add a
> capability to the CMTS (the box that drives a group of cable modems) to
> put specific RTP flows in an envelope tagged by a unique correlation ID
> and fire the packets off to a Lawful Intercept Delivery Function (DF).
> These flows are signaled to the CMTS from the soft switch over a
> COPS-based QoS interface.  Media Gateways are required to have a similar
> capability to handle corner cases where a call is redirected to voice
> mail.  The soft switch, CMTS, and Media Gateway also signal the Lawful
> Intercept Delivery Function (DF) over a RADIUS interface to provide the
> CDC.
>
> This architecture was extended to handle SIP trunking between soft
> switch networks but the architecture falls over if the other network
> doesn't understand the PacketCable lawful intercept objects in the SIP
> signaling stream.  If a call comes in from a non-Cable SIP network like,
> say, Sprint and the call is forwarded back out the Sprint network,
> nobody is intercepting the call.  Eventually, they're going to be forced
> to introduce a session border controller into the mix to deal with that
> particular issue.
>
> Geoff