January 23-26, 2007 Ft. Lauderdale, Florida Lawful Intercept Briefing LI for VoIP, IP Scott W. Coleman Dir. Of Marketing - LI SS8 Networks.

January 23-26, 2007• Ft. Lauderdale, Florida

Lawful Intercept Briefing

LI for VoIP, IP

Scott W. Coleman

Dir. Of Marketing - LI

SS8 Networks


SS8 Networks Overview

• Privately held company with 20+ years of operating history • 12 years providing Law Intercept solutions• Headquartered in San Jose, CA• Market leader in lawful intercept delivery function solution• 250 worldwide service provider customers• OEM relationship with some of the largest equipment vendors

(Lucent, Nortel, Alcatel)• Partnerships with many equipment providers

(Juniper, AcmePacket, NexTone, Sylantro, Cisco, Samsung)


What is Lawful Intercept?

• The targeted intercept of voice and data services, by a service provider on the behalf of Law Enforcement, when authorized by a court

• Uses:– Criminal - Investigation and Prosecution of criminal activity– Intelligence Gathering - Investigation of individuals for

Homeland security, anti-terrorism and other threats

• Tightly controlled in both approval and operation


CALEA – Areas of ResponsibilityPasses Legislation(CALEA)

Tasked with enforcement and implementation

Standards include:

J-STD-025A, BPacketCable,

T1.678, T1.IPNA

FBI

Dept of Justice

Industry Standards Body

Carriers

FCC

Congress

Equipment providers

Arbitrator between

Law Enforcement and service providers

Required to implement

CALEA solution in their networks.


Regulatory Events

• 2004 FBI, DOJ, DEA file joint petition asking FCC to clarify implementation of CALEA for Broadband and VoIP providers.

– “Information Services”

– VoIP in Cable environments

• August 2005 FCC issued “First Report and Order” deeming that “Facilities based broadband and inter-connected VoIP providers” must provide CALEA support within 18 months of the Order.

• May 2006 FCC issued “Second Report and Order” confirming that there would be no extensions and or exceptions

• June 9th, lawsuit on behalf of Service providers seeking to stall or alter the FCC report was denied by the DC Circuit Court

• 105 Filing – Security Policy and Procedure – March 12, 2007

• Monitoring Reports – February 12, 2007

• Compliance deadline of May 14th 2007

• Solution Certification – FBI/CIU


Types and Quantities of Warrants• Subpoena

– Call records (copies of phone bills).

– Up to 2 million of these are done on an annual basis.

• Pen Register or Trap and Trace

– Real time delivery of call data only (off-hook, ringing, answer, disconnect, call forward, hookflash etc.)

– Far fewer done than the subpoenas for call records (130,000)

• Title III

– Call Content included. Only 2600 done per year

– Only approved after a true need is demonstrated to the judge.

– Quite expensive for Law Enforcement.

• Monitored live 24 hours a day

• Ground team surveilling the target


CALEA Report Requirements for Congress

Department of Justice - CALEA

Federal and State

LEA

Congress

Department of Justice - FISA

Audit Report DOJ Inspector General – April

DOJ Attorney General Report - April

Admin. Office of US Courts – Wiretap Report - April


Intercept Statistics• 2004 Authorized Intercept Orders: 1,710

• Federal: 730 State: 980

• Four states accounted for 76% of intercept orders

• Average duration of 43 days

• Longest was 390 days

• 88% for portable devices (94% telephonic)

• Average cost of $63,011

• Foreign Intelligence Surveillance Act: 1,754 orders approved

New Jersey - 144

Florida - 72

New York - 347

California – 144


Intercept Applications by Offense Type

Narcotics76%

Other 5%

Robbery2%

Gambling5%

Homicide4%

Racketeering8%

.


How is Lawful Intercept performed?

• Identify the user

– Determine the target identifier (phone number, email address, IP address etc.)

• Wait for authentication

– When the target utilizes the network they must be authenticated. Watch for that event.

• Find the edge

– When the target authenticates, find the edge device closest to the target (so as not to miss any peer-to-peer transactions) and obtain a copy of the target’s communications.


Law EnforcementDomain

Service ProviderDomain

Xcipio

Lawful Intercept Network Architecture

Access Function Delivery Function Collection Function

Phone switches

SBC

Routers, data switches

VoIPCall Agent

Passive probe

Raw Network Data

Standards Based Delivery(J-STD, ETSI, PacketCable)

LEA

• Provisions the access functions with target identifying information

• Receives copies of target ‘s traffic• Correlates and converts raw target

traffic to standards based interface towards LEA

• Recording and storage of intercepted traffic

• Analysis tools to track, correlate and interpret intercepted traffic

• Access elements that provide connectivity to target’s voice & data communications

• Identifies and replicates target’s traffic• PSTN switches, SBC, routers, BRAS• SS8 passive probe


Standards


StandardsImpact:• Defined the components:

– Access Function (AF), Delivery Function (DF), Collection Function (CF)

• Defined the demarcation points and the need for interfaces • Created an environment where customization was reduced and

reproducible products could be built.

Standards in common use in the U.S.:

J-STD-25A – PunchlistJ-STD-25B – CDMA2000 wireless dataPacketCable – VoIP for Cable networks

T1.678 – VoIP for wireline, PTT, PoCETSI 33.108 – GPRS wireless dataATIS – T1.IPNA – ISP data (brand new)

ETSI 33.108 – GPRS wireless dataETSI 201.671 – TDM voice

International standards in common use:

ETSI 102.232, 102.233, 102.234 – ISP Data intercept (email, IP packets)




Defining the InterfacesAccess Function Delivery Function Collection Function

Phone switches

SBC

Routers, data switches

VoIPCall Agent

Passive probe

Raw Network Data

Standards B

ased D

elivery

(J-STD, E

TSI, Pack

etCable)

LEAINI-1

ProvisioningInternal Network Interface #1

INI-2Communication Data /

SignalingInternal Network Interface #2

INI-3Media Content

Internal Network Interface #3

HI-1

HI-2

HI-3

Data / SignalingHandover Interface #2

ProvisioningHandover Interface #1

Media ContentHandover Interface #3

Xcipio




Applying StandardsAccess Function Delivery Function Collection Function

LEA


Media ContentInternal Network Interface #3

Communication Data /Signaling


INI-2

INI-1INI-1Provisioning

Handover Interface #1

HI-3Media Content


Xcipio

INI-3

HI-2


HI-1

Standards only apply to HI-2 and

HI-3

Only exception is PacketCable that also defines INI-2

and INI-3


Methods for Lawful Intercept Active Approach

Work with the network equipment manufacturers to develop lawful intercept capability in the network elements.

Utilize existing network elements for lawful intercept Sometimes serious impact to network performance No need for additional hardware

Passive Approach Use passive probes or sniffers as Access Function to

monitor the network and filter target’s traffic Requires expensive additional hardware No impact to the network performance

Hybrid – utilizes both


Law Enforcement Agency

Service Provider Domain

DELIVERY FUNCTION

HI-2Admin (INI-1)

VoIP Active Intercept (Cisco SII)

HI-3

LI Administration Function

XCIPIO

Law Enforcement Monitoring Facility

Customer Premise

IAD

Target Subscriber

Customer Premise IAD

(SIP, H.323, or MGCP based Gateway)

SoftSwitchCisco BTS

CMTSCMTS

Pro

visi

on

ing

of

War

ran

t Admin HI-1

CallControl

RTP Stream

INI-2

CallControl

Xcipio LEMFDR-2400SNMPv3

RequestINI-1

Voice Packets

INI-3





SoftSwitchCisco BTS

PSTNCustomer Premise IAD

(SIP, H.323, or MGCP based Gateway)

Target Subscriber


MediaGatewayCMTS

XCIPIO SSDF

VoIP – Intercept at Trunk/Media Gateway (for Forwarded Calls)

CallControl

Voice Packets

INI-3

Forwarded Call

Call to Target

Pro

visi

on

ing

of

War

ran

t

HI-3

INI-1

CallForward to

PSTN

HI-2

INI-2

Admin HI-1

HI-2INI-2

SNMPv3INI-1

XCIPIO

Xcipio LEMFDR-2400


Target Subscriber



AAA Server

Router



Internet

Pro

visi

on

ing

of

War

ran

t

HI-2

INI-1 Admin

SNMPv3 Request

HI-1

Rad

ius

Authenticate

XCIPIOINI – 2 IRI

HI-3

Intercepted Data – INI-3

Data Stream/IP Access

Active Approach to IP Data Intercept


Target Subscriber



AAA Server

Router



Internet

Pro

visi

on

ing

of

War

ran

t

HI-2

INI-1 Admin

SNMPv3 Request

HI-1

Rad

ius

Authenticate

XCIPIOINI – 2 IRI

HI-3

Intercepted Data – INI-3

Passive Approach to IP Data Intercept

INI -1 Provisioning

Pro

vision

ing

ReportIntercepted

DataINI-3

Data Stream/IP Access


A bit about Xcipio




The Components of XcipioAccess Function Delivery Function Collection Function

LEA


Media ContentInternal Network Interface #3

Communication Data /Signaling


INI-2

INI-1INI-1Provisioning


HI-3Media Content


Xcipio

INI-3

HI-2


HI-1


Content Processorprocessing, routing,

replicating, identification, encapsulation, encryption and

delivery of content (packet and/or TDM voice) to law enforcement in real-time.

The Components of Xcipio

Physical LayerSun servers, Ethernet connectivity,

IP packets, switch matrix cards

LISSoftware release

LIS – Lawful Intercept ServerCore Software Application- real-time processing -

IE-2100Software module

PE-2200Software module

Intercept Engine Call data, call events, signaling

Provisioning Element Database, User Interface

User Interface Remote or local access to Xcipio

CP-2300Software moduleContent Processor

Filters, encapsulates content (IP, VoIP, TDM, HTTP etc.)

Primary Server

Passive probeTDM Switch MatrixIP Packet processing

LIS:Signaling stacks

(SIP,SS7), TCP/IP stacks, error logs, alarms, SNMP, Managed object structure

etc.

Intercept Engine:Receives call data, call

events, network signaling,INI-2 and HI-2

INI-2 HI-2

Provisioning Element:Database, supports User Interface, maintains all

warrant information, creates shared memory image of

intercept information

HI-1INI-1

HI-3INI-3


Summary• SS8 has over 12 years of experience providing Lawful Intercept solutions

internationally both directly and through partners.

– Current customers include government agencies and carriers that range from very large nationwide carriers to small rural carriers.

– We partner with many different network equipment vendors to deliver comprehensive LI solutions.

• In the US there is a deadline (May 14, 2007) that is approaching quickly and carriers need to address their obligations.

– Small carriers seem to be lagging in terms of meeting the deadline so to address that need, SS8 is designing cost effective programs to specifically for small carriers and enterprises.

– These programs address short term capital expenditures as well as long term operating costs.


Thank You

Scott W. Coleman

Dir. Of Marketing - LI

SS8 Networks

January 23-26, 2007 Ft. Lauderdale, Florida Lawful Intercept Briefing LI for VoIP, IP Scott W. Coleman Dir. Of Marketing - LI SS8 Networks.

Documents

target slide

florida standards

florida intercept statistics

florida intercept applications

samsung slide

operation slide

florida types

fcc report