Tuesday, February 27, 2007

Do Probes Provide Complete Solutions for VoIP?

In my last entry I talked about Active vs. Passive intercept and the use of probes from a high-level perspective. In this entry I want to identify a couple of cautions with regard to the use of probes to intercept VoIP calls.

Probes can be useful in VoIP LI solutions when positioned appropriately in the network. Typically they will need to be deployed to capture both the content (near the edge of the network) and the signaling (near the core). However, even with the appropriate positioning of probes they most likely won't be able to capture all call scenarios.

One of those scenarios involves calls that are forwarded or redirected off the carrier's VoIP network to the PSTN (or any other network, for that matter). Here the target has forwarded his phone to a number off the VoIP carrier's network. An associate then calls the target's phone; the target's network determines that the call is forwarded to a number off its network and immediately redirects the call back out to the PSTN for proper termination. The call content only reaches the gateway at the edge of the network, so a probe solution wouldn't be able to access it.

Another area of caution is the carrier's responsibility to provide Dialed Digit Extraction (DDE). DDE was one of the Punchlist requirements established with J-STD-025A. It requires that any DTMF digits entered during a call be identified, isolated and sent to the LEA as Call Data. Preferably these digits are extracted from the in-band content so that they can't be spoofed. Most probes don't have any DSP resources and therefore cannot extract these digits and send them to the LEA as required by J-STD.
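To make concrete what "DSP resources" means for in-band digit extraction, here is an added example (not from the original post) that recovers DTMF digits from call audio with the Goertzel algorithm. It assumes the audio has already been decoded to 8 kHz linear PCM scaled to [-1, 1]; the function names and thresholds are illustrative.

```python
import math

# Standard DTMF grid: each key is one row tone plus one column tone (Hz).
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE = 8000   # assumption: narrowband telephony audio, decoded to linear PCM
FRAME = 205   # common Goertzel block size for DTMF at 8 kHz (~25.6 ms)

def goertzel_power(samples, freq):
    """Energy of a single frequency in one frame (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_frame(samples, min_power=100.0, dominance=5.0):
    """Return the key heard in this frame, or None for silence or non-DTMF audio."""
    def strongest(freqs):
        ranked = sorted(((goertzel_power(samples, f), i) for i, f in enumerate(freqs)), reverse=True)
        (best, idx), (second, _) = ranked[0], ranked[1]
        # Exactly one tone per group must clearly dominate, or the frame is rejected.
        return idx if best > min_power and best > dominance * second else None
    r, c = strongest(ROWS), strongest(COLS)
    return None if r is None or c is None else KEYS[r][c]

def extract_digits(pcm, min_frames=2):
    """Collapse per-frame detections into digits; a key must persist for min_frames frames."""
    digits, current, run, emitted = [], None, 0, False
    for start in range(0, len(pcm) - FRAME + 1, FRAME):
        key = detect_frame(pcm[start:start + FRAME])
        if key == current:
            run += 1
        else:
            current, run, emitted = key, 1, False
        if key is not None and run >= min_frames and not emitted:
            digits.append(key)
            emitted = True
    return "".join(digits)

def synth(key, ms=80, amp=0.4):
    """Constructed test audio: a clean dual-tone burst for one key."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    c = KEYS[r].index(key)
    n = RATE * ms // 1000
    return [amp * (math.sin(2 * math.pi * ROWS[r] * t / RATE)
                   + math.sin(2 * math.pi * COLS[c] * t / RATE)) for t in range(n)]
```

Eight filters must run over every 25 ms frame of every monitored call, which is the per-call signal-processing load a packet-copying probe without DSP capacity cannot carry.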

Just a few more reasons to make sure any investment in an LI implementation is comprehensive in nature and covers all scenarios, not just most.

Till next time ...

Friday, February 9, 2007

Doesn't a Probe actively intercept traffic?

When deciding on the proper technique for implementing an LI solution, quite often the question of "Active" vs. "Passive" comes up, especially in IP based networks. In order to understand what this means we have to understand that in lawful intercept parlance, Active and Passive have their own meanings.

An active solution is one in which the Mediation/Delivery Function has a defined interface with an Access Function (network element: router, SBC, switch etc.) that allows provisioning of target information, the exchange of session information and the replication of communication traffic (example: Cisco SII). This interface is called "active" because the network element (AF) is actively identifying and replicating target traffic based on requests from the Mediation Function (MF). Since the connections between the AF and MF are typically IP based, no special connectivity is needed and the AFs can be activated very quickly.

A passive solution employs a probe (sniffer) to identify and replicate traffic. To gain access to network traffic the probe requires either a network tap (like NetOptics) or a "SPAN" type of interface. The probe then uses the same targeting information to dynamically identify and replicate traffic. It isn't called a passive solution because it isn't actively working; it is passive because it isn't an inherent part of the active network and it sits outside of the network looking in.

Both solutions have pros and cons: an active solution is quickly implemented but only works on certain models and may require software upgrades. Probes can be expensive but are easily moved around a network and don't care about software releases or models of equipment.

Active = network element with support for a lawful intercept interface
Passive = probe attached to the network but not actively involved with network switching

Till next time ...

Thursday, February 1, 2007

Filing date for CALEA "Monitoring Report" upon us

Everyone involved in CALEA and Lawful Intercept should be well aware of the May 14 CALEA compliance deadline for "facilities-based broadband" and "inter-connected VoIP" providers. But one of the other intermediary dates is fast approaching (only 11 days to go). February 12th is the deadline for the filing of Monitoring Reports. As such, I thought a quick refresher and review of this form and its purpose might be useful.

Back on December 12th the OMB (in compliance with the Reduction in Paperwork Act) authorized the FCC to move forward with requiring service providers to file Monitoring reports. The FCC's declaration of the approved dates and the forms themselves can be found at the link below.

http://www.fcc.gov/Daily_Releases/Daily_Digest/2006/dd061214.html

and look for:

Released: 12/14/2006. OMB APPROVES CALEA COMPLIANCE MONITORING REPORT FOR PROVIDERS OF FACILITIES-BASED BROADBAND INTERNET ACCESS AND INTERCONNECTED VOIP SERVICE; REPORTS ARE DUE FEBRUARY 12, 2007. (DA No. 06-2513). (Dkt No 04-295). PSHSB. Contact: Thomas J. Beers at (202) 418-0952 DA-06-2513A1.doc DA-06-2513A2.doc DA-06-2513A3.doc DA-06-2513A1.pdf DA-06-2513A2.pdf DA-06-2513A3.pdf DA-06-2513A1.txt DA-06-2513A2.txt DA-06-2513A3.txt

The reason for the Monitoring Report (445 form) filing is so that law enforcement understands the progress being made by carriers to reach compliance. In the late 90's when carriers were working to reach compliance for the first CALEA deadline(s), law enforcement had no idea where everyone stood until the deadline was reached. This time they are requiring "progress" reports to give them a better idea of where things stand.

For a 445 filing, there are 3 relevant documents:

DA-06-2513A1 - This describes the ruling and the fact that the Office of Management and Budget has now fulfilled the requirements of the Reduction in Paperwork Act (the item that held the dates up to begin with) and the reports can now be filed.

DA-06-2513A2 - This is the instructions document. This describes each of the lines in the actual 445 form, what should be filled in, where copies are to be sent and by when.

DA-06-2513A3 - This is the 445 Form itself. This is a brief 4 page document with 12 line items (the first 7 really don't count) to fill in and a small glossary. No essay questions, no multiple choice, no true/false, just simple questions as described below.

Form 445 Questions:

1-7. Contact information: Name, State, FCC #, 499 Id, affiliate names, parent company, address

8. Will your networks be compliant by May 14?
Type of facilities

9. Which networks will not be compliant?
Type of facilities
Expected date to reach compliance
Reasons for delay

10. Compliance Method(s) being used
Industry standard
Proprietary/custom
Consultation with DOJ
TTP (if so, which one?)

11. What items are causing delays?
Type of Equipment
Installation
Manufacturer
Other
Mediation Actions being taken to resolve the delays

12. Signature of company officer


So all in all pretty simple. Take a look and feel free to comment. Till next time ...