Page 1

© 2007, Cisco Systems, Inc. All rights reserved.

Craig Mulholland (crmulhol@cisco.com)

EduCause LI Overview, February 2007

Page 2

Disclaimers

It is Cisco's intent to support its customers by developing products that will help them meet the requirements of the law

Customers are strongly advised to seek qualified legal counsel to advise them about the extent of their obligation under Lawful Intercept regulations and laws in each country in which they operate

The Contents of this Presentation Do Not Constitute Legal Advice nor Does Cisco Guarantee the Accuracy or Completeness of Such Information

Page 3

Agenda

Regulatory Changes

T1.IAS - Lawful Intercept for Internet Access and Services (IAS) (US only)

Implementation Options

Service Independent Intercept (SII) Architecture

Page 4

Regulatory Changes

Page 5

Regulatory Changes

United States (US) – 24 September 2005 – FCC issued First Order – CALEA applies to interconnected VoIP and facilities-based Broadband Internet Access

3 May 2006 – FCC issued Second Order – defers definitions to standards, affirms deadline

5 May 2006 – Appeals court oral arguments on First Order

9 June 2006 – Appeals court affirmed FCC decision to apply CALEA to interconnected VoIP and facilities-based broadband

Compliance Deadline: 14 May 2007

Page 6

Federal Communications Commission, 445 12th Street, S.W., Washington, D.C. 20554. This is an unofficial announcement of Commission action. Release of the full text of a Commission order constitutes official action. See MCI v. FCC, 515 F 2d 385 (D.C. Circ 1974).

News Media Information 202 / 418-0500, Internet: http://www.fcc.gov, TTY: 1-888-835-5322

FOR IMMEDIATE RELEASE: August 5, 2005. NEWS MEDIA CONTACT: Mark Wigfield, 202-418-0253

FCC Requires Certain Broadband and VoIP Providers to Accommodate Wiretaps

Order Strikes Balance Between Law Enforcement, Innovation

Washington, D.C. – Responding to a petition from the Department of Justice, the Federal Bureau of Investigation, and the Drug Enforcement Agency, the Commission determined that providers of certain broadband and interconnected voice over Internet Protocol (VoIP) services must be prepared to accommodate law enforcement wiretaps, the Federal Communications Commission ruled today.

The Commission found that these services can essentially replace conventional telecommunications services currently subject to wiretap rules, including circuit-switched voice service and dial-up Internet access. As replacements, the new services are covered by the Communications Assistance for Law Enforcement Act, or CALEA, which requires the Commission to preserve the ability of law enforcement agencies to conduct court-ordered wiretaps in the face of technological change…

Regulatory Changes

Page 7

LI Architecture Requirements

Service Provider must be able to provide:

Communication-Identifying Information (CmII)

- Dialed Digits (Voice Calls)

- Subject login (data)

- Network Addresses (& ports??) (data)

Content of Communication (CC)

- Audio Content of Voice Call

- Packets to/from subject

Must be able to correlate Communication Identifying Information with Content of Communication

Page 8

T1.IAS Lawful Intercept for Internet Access and Services

Page 9

T1.IAS Lawful Intercept for Internet Access and Services (IAS)

Issue S086 - Ballot Closed 11/14/2006

- 13 “YES” votes, 8 with comments

- 3 “NO” Votes

- 3 abstentions

Interim Meeting Austin, 29 - 30 November to resolve Ballot comments

Law Enforcement “NO” votes unresolved - “buffering issue”

Default Ballot recommended at close of meeting

Default Ballot closed in January

- 1 “Yes” vote changed to “No”

- 1 “No” vote changed to “Yes”

Comment resolution scheduled for February meeting

Page 10

T1.IAS divides the subject’s session into two states

The “Access Session” state - logon, logoff, and failure or rejection events during the logon process

The “Packet Session” state - subject has been granted access to the Internet and is ready to transfer data

Not all networks can report all events, e.g. “always on” scenarios may not be able to report some access events

T1.IAS

Page 11

What is Communication Identifying Information (CmII) for Internet Access??

Access Session Events – Access Attempt, Access Accepted, Access Failed, Access Session End, Access Rejected, Access Signaling Message Report

Packet Session Events - Packet Data Session Start, Packet Data Session Failed, Packet Data Session End, Packet Data Session Already Established, Packet Data Header Report, Packet Data Summary Report

Packet Data Header Report and Packet Data Summary Report are used to report packet header information for Internet sites visited by the subject

Page 12

T1.IAS - Communication Identifying Information (CmII)

[Diagram: Target Subscriber, Aggregation Router and Data Stream; Access Request to the AAA Server (Cisco Access Registrar, Other); IRI from the AAA Server to the Mediation Device; Mediation Device to the Collection Function (LEA)]

Access Attempt: Case ID, IAP, Time, Subscriber ID

Page 13

T1.IAS - Communication Identifying Information (CmII)

[Diagram: Target Subscriber, Aggregation Router and Data Stream; Access Accept returned by the AAA Server (Cisco Access Registrar, Other); IRI from the AAA Server to the Mediation Device; Mediation Device to the Collection Function (LEA)]

Access Accepted: Case ID, IAP, Time, Subscriber ID, Access Session ID

Page 14

T1.IAS - Communication Identifying Information (CmII)

[Diagram: Target Subscriber, Aggregation Router and Data Stream; AAA Server (Cisco Access Registrar, Other); the Mediation Device sends an Intercept Request to the Aggregation Router and receives Intercepted Data; IRI to the Collection Function (LEA)]

Packet Data Session Start: Case ID, IAP, Time, Subscriber ID, Packet Session ID, IP Address

Page 15

T1.IAS - Communication Identifying Information (CmII)

[Diagram: Target Subscriber, Aggregation Router and Data Stream; AAA Server (Cisco Access Registrar, Other); the Mediation Device sends an Intercept Request to the Aggregation Router and receives Intercepted Data; IRI to the Collection Function (LEA)]

Packet Data Header Report: Case ID, IAP, Time, Packet Session ID, IP Packet Headers

OR

Packet Data Summary Report: Case ID, IAP, Time, Packet Session ID, IP Packet Header Summary reports

Page 16

T1.IAS - Communication Identifying Information (CmII)

[Diagram: Target Subscriber, Aggregation Router and Data Stream; AAA Server (Cisco Access Registrar, Other); the Mediation Device sends an Intercept Request to the Aggregation Router and receives Intercepted Data; the Mediation Device delivers IRI and CC to the Collection Function (LEA)]

Content Delivery, if authorized
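As an added illustration (not from the slides or any Cisco product), the T1.IAS event sequence of slides 10 through 16 modelled in Python: a collection-side replay that walks each Case ID through the Access Session and Packet Session states, counts Header/Summary Reports that correlate to the open Packet Session by Packet Session ID, and flags reports that cannot be tied to a session as well as packet sessions that appear with no access events (the “always on” case). The record layout, the rec() helper and the sample values are assumptions made for the example.

```python
from collections import defaultdict

# Event and field names are the ones on the T1.IAS slides; the dict layout of
# a record, the rec() helper and the sample values are constructed here.
REQUIRED = ("event", "case_id", "iap", "time")   # every CmII record carries these

def rec(event, case_id, iap, time, **fields):
    return {"event": event, "case_id": case_id, "iap": iap, "time": time, **fields}

def correlate(records):
    """Replay CmII records per Case ID: track the Access Session and Packet Session
    states, count reports that correlate to the open Packet Session, flag the rest."""
    cases = defaultdict(lambda: {"state": "idle", "access_session": None,
                                 "packet_session": None, "ip": None,
                                 "header_reports": 0, "anomalies": []})
    for r in records:
        missing = [f for f in REQUIRED if f not in r]
        if missing:
            raise ValueError(f"record lacks mandatory fields {missing}: {r}")
        c, ev = cases[r["case_id"]], r["event"]
        if ev == "Access Attempt":
            c["state"] = "access"
        elif ev == "Access Accepted":
            c["access_session"], c["state"] = r["access_session_id"], "access"
        elif ev in ("Access Failed", "Access Rejected", "Access Session End"):
            c["access_session"], c["state"] = None, "idle"
        elif ev in ("Packet Data Session Start", "Packet Data Session Already Established"):
            if c["access_session"] is None:
                # slide 10: "always on" access may never report the access events
                c["anomalies"].append("packet session without access session (always-on?)")
            c["packet_session"], c["ip"], c["state"] = r["packet_session_id"], r["ip_address"], "packet"
        elif ev in ("Packet Data Header Report", "Packet Data Summary Report"):
            if r["packet_session_id"] != c["packet_session"]:   # cannot be tied to content
                c["anomalies"].append(f"{ev} for unknown Packet Session {r['packet_session_id']}")
            else:
                c["header_reports"] += 1
        elif ev in ("Packet Data Session End", "Packet Data Session Failed"):
            c["packet_session"], c["state"] = None, "access" if c["access_session"] else "idle"
    return dict(cases)

SAMPLE = [  # constructed records; RFC 5737 documentation addresses, not real traffic
    rec("Access Attempt", "C1", "IAP-A", 1, subscriber_id="S42"),
    rec("Access Accepted", "C1", "IAP-A", 2, subscriber_id="S42", access_session_id="A7"),
    rec("Packet Data Session Start", "C1", "IAP-B", 3, subscriber_id="S42",
        packet_session_id="P3", ip_address="192.0.2.10"),
    rec("Packet Data Header Report", "C1", "IAP-B", 4, packet_session_id="P3",
        ip_packet_headers=["192.0.2.10:51000 > 198.51.100.7:443"]),
    rec("Packet Data Header Report", "C1", "IAP-B", 5, packet_session_id="P9",
        ip_packet_headers=[]),                     # wrong session id: cannot correlate
    rec("Packet Data Session End", "C1", "IAP-B", 6, packet_session_id="P3"),
    rec("Access Session End", "C1", "IAP-A", 7, access_session_id="A7"),
    rec("Packet Data Session Start", "C2", "IAP-B", 3, subscriber_id="S77",  # always-on
        packet_session_id="P5", ip_address="192.0.2.11"),
]
```

Running correlate(SAMPLE) shows case C1 returning to idle with exactly one correlated header report and the P9 report flagged, while C2 is flagged as a packet session that never reported an access session.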

Page 17

T1.IAS - Issues

Buffering/Short term Storage – Law enforcement has requested buffering and file management, not included in standard

- Alternate standard for buffering in progress

IP Packet Headers – port numbers required as a result of ballot comment resolution


Page 18

Implementation Options

Page 19

Passive Equipment

Involves placement of new equipment in strategic locations in the network to access ‘signaling’ and ‘content’ information of interest.

Pros:

Does not require changes to existing network element hardware and/or software

Cons:

Additional equipment required. Amount of equipment required can be reduced by physically moving equipment, as required.

Additional O&M costs

Not capable of intercepting information that remains local to the edge network element

Cost:

Passive equipment: $35K +++ ea.

Mediation Device: $75K + (based on number of subscribers)

Page 20

Intercept Capable Network Elements

Adds interception capability to existing network elements

Pros:

Reduced cost by leveraging existing infrastructure

Reduced O&M costs

Cons:

Functionality may not be supported on all platforms in the network. If it is supported, hardware upgrades (memory, processor, etc.) may be required

Interception introduces an impact to network element performance

Cost:

Network element S/W licenses: $0 - $15K+ ea

Mediation Device: $75K + (based on number of subscribers)

Page 21

Hybrid: Combination of passive equipment and intercept support

Provides flexibility of passive equipment solution with cost advantages of intercept support on network elements

Augments network element intercept capability

Offloads network element for large bandwidth intercepts

Pros:

Most comprehensive and cost effective solution

Most flexible solution for CALEA compliance in multi-vendor network

Cons:

Somewhat higher O&M and equipment costs

Cost:

Network element S/W licenses: $0 - $15K+ ea

Passive equipment: $35K +++ ea.

Mediation Device: $75K + (based on number of subscribers)

Page 22

Trusted Third Party (TTP)

TTP becomes agent of record for Service Provider

Assumes all responsibilities and obligations

Pros:

Continued protection from criminal & civil liability

Reduces operating costs and conserves capital

Assumes risk and up-front investment (personnel, technology)

Future-proof services

Cons:

CALEA activities are handled by third party

TTP requires access (physical and admin) to your network

Cost:

Initial assessment/setup fee: $10K+ (depends on size of network)

Monthly service fee: $1.5K+ (depends on size of network)

Per intercept fee: Records production = $500?, Pen/Trap = $1000?, Full Content = $1500? (Reimbursable by LEA)

Page 23

Service Independent Intercept (SII) Architecture

Page 24

Key Cisco SII Architecture Features

Standard architecture (same for voice or data)

Places control of LI on Mediation Device (instead of on call control equipment)

Separates lawful intercept control from call control

Common interface to Mediation Device and Call Control partners

Modular architecture, easily adapted to regional requirements through mediation device

Page 25

Generic View of the LI Architecture

[Diagram: on the Service Provider side, the LI Administration Function sends a Request to the Mediation Device; the Mediation Device sends Requests to the Intercepting Control Element (ICE), which returns Intercept Related Info (IRI), and to the Intercepting Network Element (INE), which returns Communication Content (CC); ICE and INE are labelled Access Function (AF)/Intercept Access Point (IAP); the Mediation Device hands IRI and CC across the Demarcation Point (SP, LEA responsibility) to the Collection Function at the Law Enforcement Agency (LEA). Legend: Cisco Equipment vs 3rd Party Equipment.]

Information for the Same Intercept May Be Sent to Multiple LEAs

Page 26

Cisco Service Independent Intercept

[Diagram: the generic LI view with Cisco roles filled in. The LI Administration Function sends a Request to the Mediation Device. Intercepting Control Element (ICE): Voice - Call Agent; Data - RADIUS, AAA; returns Intercept Related Info (IRI) as RADIUS Event Messages. Intercepting Network Element (INE): Voice - Edge router, Trunk G/W; Data - Access/Aggregation router; receives Configuration Commands from the Mediation Device over SNMPv3 and returns Communication Content (CC) over RTP or UDP transport for delivery. The Mediation Device delivers IRI and CC to the Collection Function at the Law Enforcement Agency (LEA). Legend: Cisco Equipment vs 3rd Party Equipment.]

Page 27

Lawful Intercept Architecture Reference Model (IETF RFC 3924)

[Diagram: Service Provider Functions: LI Administration Function, Mediation Device (MD), Intercept Related Information (IRI) IAP, Content Intercept Access Point (IAP). Interfaces: HI1 (a) from the Law Enforcement Agency (LEA) to the LI Administration Function; MD Provisioning Interface (b); User Content (c) passing through the Content IAP; Intercept Request (d) from the MD to the Content IAP; IRI (e) from the IRI IAP to the MD; Intercepted Content (f) from the Content IAP to the MD; HI2 (g) for IRI and HI3 (h) for content, both handed over from the MD to the LEA.]

Page 28

Cisco Lawful Intercept Architecture

IETF first draft June 2003

IETF second draft October 2003

Informational RFC 3924 adopted October 2004

Modular architecture—adapts to regional requirements via partner equipment (mediation device)

Key Features:

Common architecture (SII) for voice and data

Separation of intercept control from call control (voice) and session control (data)

Controlled by mediation device

Standardized interface for mediation device to provision intercepts via SNMPv3

Page 29

LI Architecture—Voice Intercept

[Diagram: Target Subscriber with CPE Adapter or IP Phone, Aggregation Routers carrying the RTP Stream, Gatekeeper/SIP Proxy/Call Agent, LI Administration Function, Mediation Device, and the Collection Function at the LEA. Flows as labelled in the figure: Admin (HI1) (1), Admin (2), Config (3), Call Control (4, 7), IRI (5, 6), Intercept Request (10), CC (11), Intercepted Data; steps 8 and 9 carry no label in the extracted text.]

Page 30

LI Architecture—Data Intercept

[Diagram: Target Subscriber, Aggregation Router carrying the Data Stream, Sniffer/Probe, AAA Server (Cisco Access Registrar, Other), LI Administration Function, Mediation Device, and the Collection Function at the LEA. Flows as labelled in the figure: Admin (HI1) (1), Admin (2), Config (3, shown twice), Access Request, Acct Start, Access Accept, IRI (5, 6), Intercept Request (13), CC (14), Intercepted Data; step numbers 4 and 7 through 12 cannot be paired with a label in the extracted text.]
