310 likes | 422 Views
EduCause LI Overview February 2007. Craig Mulholland (crmulhol@cisco.com). Disclaimers. It is Cisco's intent to support its customers by developing products that will help them meet the requirements of the law
E N D
EduCause LI Overview February 2007 Craig Mulholland (crmulhol@cisco.com)
Disclaimers • It is Cisco's intent to support its customers by developing products that will help them meet the requirements of the law • Customers are strongly advised to seek qualified legal counsel to advise them about the extent of their obligation under Lawful Intercept regulations and laws in each country in which they operate The Contents of this Presentation Do Not Constitute Legal Advice nor Does Cisco Guarantee the Accuracy or Completeness of Such Information
Agenda • Regulatory Changes • T1.IAS - Lawful Intercept for Internet Access and Services (IAS) (US only) • Implementation Options • Service Independent Intercept (SII) Architecture
Regulatory Changes • United States (US) – • 24 September 2005 – FCC issued First Order – CALEA applies to interconnected VoIP and facilities-based Broadband Internet Access • 3 May 2006 – FCC issued Second Order – defers definitions to standards, affirms deadline • 5 May 2006 – Appeals court oral arguments on First Order • 9 June 2006 – Appeals court affirmed FCC decision to apply CALEA to interconnected VoIP and facilities-based broadband • Compliance Deadline: • 14 May 2007
LI Architecture Requirements • Service Provider must be able to provide: • Communication-Identifying Information (CmII) • Dialed Digits (Voice Calls) • Subject login (data) • Network Addresses (& ports??) (data) • Content of Communication (CC) • Audio Content of Voice Call • Packets to/from subject • Must be able to correlate Communication Identifying Information with Content of Communication
T1.IAS • Lawful Intercept for Internet Access and Services (IAS) • Issue S086 - Ballot Closed 11/14/2006 • 13 “YES” Votes - 8 with comments • 3 “NO” Votes • 3 abstentions • Interim Meeting Austin, 29 - 30 November to resolve Ballot comments • Law Enforcement “NO” votes unresolved - “buffering issue” • Default Ballot recommended at close of meeting • Default Ballot closed in January • 1 “Yes” vote changed to “No” • 1 “No” vote changed to “Yes” • Comment resolution scheduled for February meeting
T1.IAS • T1.IAS divides the subject’s session into two states • The “Access Session” state - logon, logoff, and failure or rejection events during the logon process • The “Packet Session” state - subject has been granted access to the Internet and is ready to transfer data • Not all networks can report all events, eg. “always on” scenarios may not be able to report some access events
What is Communication Identifying Information (CmII) for Internet Access?? • Access Session Events – Access Attempt, Access Accepted, Access Failed, Access Session End, Access Rejected, Access Signaling Message Report • Packet Session Events - Packet Data Session Start, Packet Data Session Failed, Packet Data Session End, Packet Data Session Already Established, Packet Data Header Report, Packet Data Summary Report • Packet Data Header Report, and Packet Data Summary Report are used to report Packet Header information for Internet sites visited by the subject
LEA IRI IRI Collection Function AccessRequest Target Subscriber Data Stream T1.IAS - Communication Identifying Information (CmII) AAA Server (Cisco Access Registrar, Other) Mediation Device Access Attempt: Case ID, IAP, Time, Subscriber ID Aggregation Router
LEA IRI IRI Collection Function Access Accept Target Subscriber Data Stream T1.IAS - Communication Identifying Information (CmII) AAA Server (Cisco Access Registrar, Other) Mediation Device Access Accepted: Case ID, IAP, Time, Subscriber ID, Access Session ID Aggregation Router
LEA IRI Collection Function Intercept Request Intercepted Data Target Subscriber Data Stream T1.IAS - Communication Identifying Information (CmII) AAA Server (Cisco Access Registrar, Other) Mediation Device Packet Data Session Start: Case ID, IAP, Time, Subscriber ID, Packet Session ID, IP Address Aggregation Router
LEA IRI Collection Function Intercept Request Intercepted Data Target Subscriber Data Stream T1.IAS - Communication Identifying Information (CmII) AAA Server (Cisco Access Registrar, Other) Mediation Device Packet Data Header Report: Case ID, IAP, Time, Packet Session ID, IP Packet Headers OR Packet Data Summary Report: Case ID, IAP, Time, Packet Session ID, IP Packet Header Summary reports Aggregation Router
LEA IRI Collection Function CC Intercept Request Intercepted Data Target Subscriber Data Stream T1.IAS - Communication Identifying Information (CmII) AAA Server (Cisco Access Registrar, Other) Mediation Device Content Delivery, if authorized Aggregation Router
T1.IAS - Issues $$ • Buffering/Short term Storage – Law enforcement has requested buffering and file management, not included in standard • - Alternate standard for buffering in progress • IP Packet Headers – port numbers required as a result of ballot comment resolution
Passive Equipment • Involves placement of new equipment in strategic locations in the network to access ‘signaling’ and ‘content’ information of interest. • Pros: • Does not require changes to existing network element hardware and/or software • Cons: • Additional equipment required. Amount of equipment required can be reduced by physically moving equipment, as required. • Additional O&M costs • Not capable of intercepting information that remains local to the edge network element • Cost: • Passive equipment: $35K +++ ea. • Mediation Device: $75K + (based on number of subscribers)
Intercept Capable Network Elements • Adds interception capability to existing network elements • Pros: • Reduced cost by leveraging existing infrastructure • Reduced O&M costs • Cons: • Functionality may not be supported on all platforms in the network. If it is supported, hardware upgrades (memory, processor, etc.) may be required • Interception introduces an impact to network element performance • Cost: • Network element S/W licenses: $0 - $15K+ ea • Mediation Device: $75K + (based on number of subscribers)
Hybrid • Combination of passive equipment and intercept support • Provides flexibility of passive equipment solution with cost advantages of intercept support on network elements • Augments network element intercept capability • Offloads network element for large bandwidth intercepts • Pros: • Most comprehensive and cost effective solution • Most flexible solution for CALEA compliance in multi-vendor network • Cons: • Somewhat higher O&M and equipment costs • Cost: • Network element S/W licenses: $0 - $15K+ ea • Passive equipment: $35K +++ ea. • Mediation Device: $75K + (based on number of subscribers)
Trusted Third Party (TTP) • TTP becomes agent of record for Service Provider • Assumes all responsibilities and obligations • Pros: • Continued protection from criminal & civil liability • Reduces operating costs and conserves capital • Assumes risk and up-front investment (personnel, technology) • Future-proof services • Cons: • CALEA activities are handled by third party • TTP requires access (physical and admin) to your network • Cost: • Initial assessment/setup fee: $10K+ (depends on size of network) • Monthly service fee: $1.5K+ (depends on size of network) • Per intercept fee: Records production = $500?, Pen/Trap = $1000?, • Full Content = $1500? (Reimbursable by LEA)
Key Cisco SII Architecture Features • Standard architecture (same for voice or data) • Places control of LI on Mediation Device (instead of on call control equipment) • Separates lawful intercept control from call control • Common interface to Mediation Device and Call Control partners • Modular architecture, easily adapted to regional requirements through mediation device
Generic View of the LI Architecture Demarcation Point (SP, LEA Responsibility) Service Provider LI Administration Function Law Enforcement Agency (LEA) Intercept Related Info (IRI) Intercepting Control Element (ICE) Request Mediation Device Collection Function IRI Communication Content (CC) Content Request Information for the Same Intercept May Be Sent to Multiple LEAs Intercepting Network Element (INE) Request Access Function (AF)/ Intercept Access Point (IAP) Cisco Equipment 3rd Party Equipment
Cisco Service Independent Intercept Configuration Commands Service Provider LI Administration Function Voice - Call Agent Data - Radius, AAA Law Enforcement Agency (LEA) Intercept Related Info (IRI) Intercepting Control Element (ICE) Request Mediation Device Collection Function IRI Communication Content (CC) Content Request RTP or UDP transport for delivery RADIUS Event Messages Intercepting Network Element (INE) SNMPv3 Cisco Equipment Voice - Edge router, Trunk G/W Data – Access/Aggregation router 3rd Party Equipment
IETF—RFC 3924 Law Intercept Administration Function Law Enforcement Agency (LEA) HI1(a) MD Provisioning Interface b HI2(g) c Intercept Related Information (IRI) IAP Mediation Device (MD) HI3(h) e HI3(h) IRI (e) d f Intercepted Content (f) Intercept Request (d) Content Intercept Access Point (IAP) User Content User Content Service Provider Functions Lawful Intercept Architecture Reference Model
Cisco Lawful Intercept Architecture • IETF first draft June 2003 • IETF second draft October 2003 • Informational RFC 3924 adopted October 2004 • Modular architecture—adapts to regional requirements via partner equipment (mediation device) • Key Features: • Common architecture (SII) for voice and data • Separation of intercept control from call control (voice) and session control (data) • Controlled by mediation device • Standardized interface for mediation device to provision intercepts via SNMPv3
1 Admin (HI1) 2 Admin LEA Intercept Request 3 Config Call Control IRI Collection Function 8 7 5 11 IRI CC 6 10 Intercepted Data 4 CPE Adapter or IP Phone Call Control 9 Target Subscriber RTP Stream LI Architecture—Voice Intercept LI Administration Function Gatekeeper, SIP Proxy, Call Agent Mediation Device CPE Adapter or IP Phone Aggregation Router Aggregation Router
1 Admin (HI1) 2 Admin LEA Intercept Request 11 3 Config IRI Collection Function 7 10 5 14 IRI CC Config 6 13 4 3 Acct Start Sniffer/ Probe AccessRequest Intercepted Data 9 12 Access Accept 8 Target Subscriber Data Stream LI Architecture—Data Intercept LI Administration Function AAA Server (Cisco Access Registrar, Other) Mediation Device Aggregation Router