EduCause LI Overview February 2007
Craig Mulholland ([email protected])
© 2007, Cisco Systems, Inc. All rights reserved.
Disclaimers
It is Cisco's intent to support its customers by developing products that will help them meet the requirements of the law
Customers are strongly advised to seek qualified legal counsel to advise them about the extent of their obligation under Lawful Intercept regulations and laws in each country in which they operate
The Contents of this Presentation Do Not Constitute Legal Advice nor Does Cisco Guarantee the Accuracy or Completeness of Such Information
Agenda
Regulatory Changes
T1.IAS - Lawful Intercept for Internet Access and Services (IAS) (US only)
Implementation Options
Service Independent Intercept (SII) Architecture
Regulatory Changes
United States (US)
- 24 September 2005 – FCC issued First Order – CALEA applies to interconnected VoIP and facilities-based Broadband Internet Access
- 3 May 2006 – FCC issued Second Order – defers definitions to standards, affirms deadline
- 5 May 2006 – Appeals court oral arguments on First Order
- 9 June 2006 – Appeals court affirmed FCC decision to apply CALEA to interconnected VoIP and facilities-based broadband
Compliance Deadline: 14 May 2007
Regulatory Changes
Federal Communications Commission, 445 12th Street, S.W., Washington, D.C. 20554; News Media Information 202/418-0500; Internet: http://www.fcc.gov; TTY: 1-888-835-5322
This is an unofficial announcement of Commission action. Release of the full text of a Commission order constitutes official action. See MCI v. FCC, 515 F 2d 385 (D.C. Circ 1974).
FOR IMMEDIATE RELEASE: August 5, 2005. News media contact: Mark Wigfield, 202-418-0253, Email: [email protected]
FCC Requires Certain Broadband and VoIP Providers to Accommodate Wiretaps
Order Strikes Balance Between Law Enforcement, Innovation
Washington, D.C. – Responding to a petition from the Department of Justice, the Federal Bureau of Investigation, and the Drug Enforcement Agency, the Commission determined that providers of certain broadband and interconnected voice over Internet Protocol (VoIP) services must be prepared to accommodate law enforcement wiretaps, the Federal Communications Commission ruled today.
The Commission found that these services can essentially replace conventional telecommunications services currently subject to wiretap rules, including circuit-switched voice service and dial-up Internet access. As replacements, the new services are covered by the Communications Assistance for Law Enforcement Act, or CALEA, which requires the Commission to preserve the ability of law enforcement agencies to conduct court-ordered wiretaps in the face of technological change…
LI Architecture Requirements
Service Provider must be able to provide:
Communication-Identifying Information (CmII)
- Dialed Digits (Voice Calls)
- Subject login (data)
- Network Addresses (& ports??) (data)
Content of Communication (CC)
- Audio Content of Voice Call
- Packets to/from subject
Must be able to correlate Communication Identifying Information with Content of Communication
T1.IAS Lawful Intercept for Internet Access and Services (IAS)
Issue S086 - Ballot Closed 11/14/2006
- 13 “YES” votes - 8 with comments
- 3 “NO” votes
- 3 abstentions
Interim Meeting Austin, 29 - 30 November to resolve Ballot comments
- Law Enforcement “NO” votes unresolved - “buffering issue”
- Default Ballot recommended at close of meeting
Default Ballot closed in January
- 1 “Yes” vote changed to “No”
- 1 “No” vote changed to “Yes”
Comment resolution scheduled for February meeting
T1.IAS
T1.IAS divides the subject’s session into two states
- The “Access Session” state - logon, logoff, and failure or rejection events during the logon process
- The “Packet Session” state - subject has been granted access to the Internet and is ready to transfer data
Not all networks can report all events, e.g. “always on” scenarios may not be able to report some access events
What is Communication Identifying Information (CmII) for Internet Access??
- Access Session Events – Access Attempt, Access Accepted, Access Failed, Access Session End, Access Rejected, Access Signaling Message Report
- Packet Session Events - Packet Data Session Start, Packet Data Session Failed, Packet Data Session End, Packet Data Session Already Established, Packet Data Header Report, Packet Data Summary Report
Packet Data Header Report and Packet Data Summary Report are used to report Packet Header information for Internet sites visited by the subject
[Diagram: T1.IAS - Communication Identifying Information (CmII). Elements: Target Subscriber, Aggregation Router (Data Stream), AAA Server (Cisco Access Registrar, Other), IRI Mediation Device, LEA Collection Function. The subscriber’s Access Request reaches the AAA server, which reports IRI to the Mediation Device.]
Access Attempt: Case ID, IAP, Time, Subscriber ID
[Diagram: same elements; the AAA server’s Access Accept is reported as IRI.]
Access Accepted: Case ID, IAP, Time, Subscriber ID, Access Session ID
[Diagram: same elements; the Mediation Device sends an Intercept Request to the Aggregation Router, which returns Intercepted Data.]
Packet Data Session Start: Case ID, IAP, Time, Subscriber ID, Packet Session ID, IP Address
[Diagram: same elements; header information from the Intercepted Data is reported as IRI.]
Packet Data Header Report: Case ID, IAP, Time, Packet Session ID, IP Packet Headers
OR
Packet Data Summary Report: Case ID, IAP, Time, Packet Session ID, IP Packet Header Summary reports
[Diagram: same elements; the Mediation Device delivers both IRI and CC to the LEA Collection Function.]
Content Delivery, if authorized
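Added example, not from the presentation: a toy mediation-device correlator for the CmII event sequence above. Event names and fields follow the slides; the record layout, the "Content" record kind standing in for CC, and the content_authorized flag (full-content versus pen/trap authority) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed CmII/CC records for one case, in the order the slides show them;
# the report citing Packet Session ID "PS-77" has no matching session start on purpose.
SAMPLE_EVENTS = [
    {"event": "Access Attempt", "case_id": "C-1", "iap": "AAA-1", "time": 1,
     "subscriber_id": "sub42"},
    {"event": "Access Accepted", "case_id": "C-1", "iap": "AAA-1", "time": 2,
     "subscriber_id": "sub42", "access_session_id": "AS-7"},
    {"event": "Packet Data Session Start", "case_id": "C-1", "iap": "AGG-1", "time": 3,
     "subscriber_id": "sub42", "packet_session_id": "PS-9", "ip_address": "198.51.100.42"},
    {"event": "Packet Data Header Report", "case_id": "C-1", "iap": "AGG-1", "time": 4,
     "packet_session_id": "PS-9", "ip_packet_headers": ["198.51.100.42:51000>203.0.113.5:443"]},
    {"event": "Content", "case_id": "C-1", "iap": "AGG-1", "time": 4,
     "packet_session_id": "PS-9", "payload_bytes": 1400},          # assumed CC record kind
    {"event": "Packet Data Header Report", "case_id": "C-1", "iap": "AGG-1", "time": 5,
     "packet_session_id": "PS-77", "ip_packet_headers": []},
    {"event": "Packet Data Session End", "case_id": "C-1", "iap": "AGG-1", "time": 6,
     "packet_session_id": "PS-9"},
]


def correlate(events, content_authorized):
    """Return {case_id: state}; state["deliver"] is the ordered ("IRI"|"CC", record) list
    handed to the collection function, state["unmatched"] records citing an unknown session."""
    cases = defaultdict(lambda: {"access_sessions": {}, "packet_sessions": {},
                                 "deliver": [], "unmatched": []})
    for ev in sorted(events, key=lambda e: e["time"]):  # stable sort keeps slide order for ties
        case, kind = cases[ev["case_id"]], ev["event"]
        if kind == "Access Accepted":
            case["access_sessions"][ev["access_session_id"]] = ev["subscriber_id"]
        elif kind == "Packet Data Session Start":
            # Link the packet session to the subscriber's access session if one was
            # reported; "always on" networks may legitimately report none (None here).
            acc = next((a for a, s in case["access_sessions"].items()
                        if s == ev["subscriber_id"]), None)
            case["packet_sessions"][ev["packet_session_id"]] = {
                "subscriber_id": ev["subscriber_id"], "access_session_id": acc,
                "ip_address": ev["ip_address"], "reports": []}
        elif kind in ("Packet Data Header Report", "Packet Data Summary Report", "Content"):
            ps = case["packet_sessions"].get(ev["packet_session_id"])
            if ps is None:          # cannot correlate to a session: hold for review, do not deliver
                case["unmatched"].append(ev)
                continue
            if kind == "Content":   # CC leaves the mediation device only when content is authorized
                if content_authorized:
                    case["deliver"].append(("CC", ev))
                continue
            ps["reports"].append(ev)
        case["deliver"].append(("IRI", ev))
    return dict(cases)
```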
T1.IAS - Issues
- Buffering/Short term Storage – Law enforcement has requested buffering and file management, not included in standard
  - Alternate standard for buffering in progress
- IP Packet Headers – port numbers required as a result of ballot comment resolution
$$
Implementation Options
Passive Equipment
Involves placement of new equipment in strategic locations in the network to access ‘signaling’ and ‘content’ information of interest.
Pros:
- Does not require changes to existing network element hardware and/or software
Cons:
- Additional equipment required. Amount of equipment required can be reduced by physically moving equipment, as required.
- Additional O&M costs
- Not capable of intercepting information that remains local to the edge network element
Cost:
- Passive equipment: $35K +++ ea.
- Mediation Device: $75K + (based on number of subscribers)
Intercept Capable Network Elements
Adds interception capability to existing network elements
Pros:
- Reduced cost by leveraging existing infrastructure
- Reduced O&M costs
Cons:
- Functionality may not be supported on all platforms in the network. If it is supported, hardware upgrades (memory, processor, etc.) may be required
- Interception introduces an impact to network element performance
Cost:
- Network element S/W licenses: $0 - $15K+ ea
- Mediation Device: $75K + (based on number of subscribers)
Hybrid
Combination of passive equipment and intercept support
- Provides flexibility of passive equipment solution with cost advantages of intercept support on network elements
- Augments network element intercept capability
- Offloads network element for large bandwidth intercepts
Pros:
- Most comprehensive and cost effective solution
- Most flexible solution for CALEA compliance in multi-vendor network
Cons:
- Somewhat higher O&M and equipment costs
Cost:
- Network element S/W licenses: $0 - $15K+ ea
- Passive equipment: $35K +++ ea.
- Mediation Device: $75K + (based on number of subscribers)
Trusted Third Party (TTP)
TTP becomes agent of record for Service Provider
- Assumes all responsibilities and obligations
Pros:
- Continued protection from criminal & civil liability
- Reduces operating costs and conserves capital
- Assumes risk and up-front investment (personnel, technology)
- Future-proof services
Cons:
- CALEA activities are handled by third party
- TTP requires access (physical and admin) to your network
Cost:
- Initial assessment/setup fee: $10K+ (depends on size of network)
- Monthly service fee: $1.5K+ (depends on size of network)
- Per intercept fee: Records production = $500?, Pen/Trap = $1000?, Full Content = $1500? (Reimbursable by LEA)
Service Independent Intercept (SII) Architecture
Key Cisco SII Architecture Features
Standard architecture (same for voice or data)
Places control of LI on Mediation Device (instead of on call control equipment)
Separates lawful intercept control from call control
Common interface to Mediation Device and Call Control partners
Modular architecture, easily adapted to regional requirements through mediation device
[Diagram: Generic View of the LI Architecture. Service Provider side: LI Administration Function, Mediation Device, Intercepting Control Element (ICE) receiving a Request and returning Intercept Related Info (IRI), Intercepting Network Element (INE) receiving a Request Content and returning Communication Content (CC); the ICE and INE form the Access Function (AF)/Intercept Access Point (IAP). Law Enforcement Agency (LEA) side: Collection Function, separated from the Service Provider by a Demarcation Point (SP, LEA Responsibility). Legend: Cisco Equipment vs. 3rd Party Equipment. Note: Information for the Same Intercept May Be Sent to Multiple LEAs.]
[Diagram: Cisco Service Independent Intercept. Same layout as the generic view, with the ICE being the Call Agent (voice) or RADIUS/AAA (data), which reports via RADIUS Event Messages; the INE being the Edge router or Trunk G/W (voice) or the Access/Aggregation router (data), provisioned by SNMPv3 Configuration Commands, with RTP or UDP transport for delivery of content.]
[Diagram: Lawful Intercept Architecture Reference Model (IETF RFC 3924). Service Provider Functions: Law Intercept Administration Function, Mediation Device (MD), Intercept Related Information (IRI) IAP, Content Intercept Access Point (IAP). Law Enforcement Agency (LEA) interfaces: HI1 (a) to the administration function, HI2 (g) for IRI, HI3 (h) for intercepted content. Internal interfaces: MD Provisioning Interface (b), (c), Intercept Request (d), IRI (e), Intercepted Content (f); User Content enters and leaves the content IAP.]
Cisco Lawful Intercept Architecture
- IETF first draft June 2003
- IETF second draft October 2003
- Informational RFC 3924 adopted October 2004
- Modular architecture—adapts to regional requirements via partner equipment (mediation device)
Key Features:
- Common architecture (SII) for voice and data
- Separation of intercept control from call control (voice) and session control (data)
- Controlled by mediation device
- Standardized interface for mediation device to provision intercepts via SNMPv3
[Diagram: LI Architecture—Voice Intercept. Elements: LEA Collection Function, LI Administration Function, Mediation Device, Gatekeeper/SIP Proxy/Call Agent, two Aggregation Routers carrying the RTP Stream, CPE Adapter or IP Phone at each end, Target Subscriber. Numbered steps on the slide: 1 Admin (HI1), 2 Admin, 3 Config, 5 IRI, 6 IRI, 7 Call Control, 10 Intercept Request, 11 CC; steps 4, 8 and 9 are labelled only Call Control and RTP Stream/Intercepted Data.]
[Diagram: LI Architecture—Data Intercept. Elements: LEA Collection Function, LI Administration Function, Mediation Device, AAA Server (Cisco Access Registrar, Other), Aggregation Router carrying the Data Stream with a Sniffer/Probe alongside, Target Subscriber. Numbered steps on the slide: 1 Admin (HI1), 2 Admin, 3 Config (to the AAA server and to the aggregation router), 5 IRI, 6 IRI, 13 Intercept Request, 14 CC; steps 4, 7, 8, 9, 10, 11 and 12 are labelled only Access Request, Acct Start, Access Accept, Data Stream and Intercepted Data.]