[VOIPSEC] CALEA Enforcement

Hadriel Kaplan HKaplan at acmepacket.com
Thu May 11 11:22:06 CDT 2006


Not to get too off-topic, but the TISPAN H.248 Ia interface is not specific
to doing this on routers - it can be done on any BGF functional element, and
the only way it really works today (not that it is done today at all) is if
that functional element does more than open/close gates.  If the UE is
behind a NAT the BGF would have to do more, and if it's an LI interface it
would have to do more (I have yet to see a CCC interface that is purely
packet mirroring), and then there's the RTP/media-specific stuff service
providers do today in middle-boxes that TISPAN has yet to recognize needing
to be done.

Another point is "controlling" or relaying the media through double-NATing
(whether in a router or elsewhere) actually enables traffic engineering and
optimal routes that cannot be pragmatically achieved with just best-effort
routing or MPLS alone today.  But that's way off topic for this forum.

-hadriel


> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Shai Mohaban
> Sent: Thursday, May 11, 2006 3:56 AM
> To: Geoff Devine; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] CALEA Enforcement
> 
> Geoff,
> 
> Running the media _ALWAYS_ through an SBC is one way but definitely not
> the only way and not even the best way. One other potential solution,
> which is also undetectable and is much better in terms of traffic
> engineering, optimal route, etc, is to deploy some LI capabilities in
> the edge routers (or the BRAS, etc). As far as I know LI is not required
> for internal calls (and this is not relevant at all in the residential
> market as there are no "internal" calls in this case) and virtually all
> external traffic, including the media, will go through the edge router.
> So the edge router can be controlled by some external signaling entity
> (P-CSCF, SBC, etc) and be provisioned in real time with flows that need
> to be duplicated. In fact the new NGN architectures from TISPAN and the
> ITU already have exactly this kind of control mechanism to open and
> close gates (using H.248 in the case of TISPAN). Extending those
> interfaces to enable LI should not be too difficult...
> 




