Friday, February 9, 2007

Doesn't a Probe actively intercept traffic?

When deciding on the proper technique for implementing an LI solution, the question of "Active" vs. "Passive" quite often comes up, especially in IP-based networks. To understand what this means we first have to recognize that, in lawful intercept parlance, Active and Passive have their own meanings that differ from the everyday ones.

An active solution is one in which the Mediation/Delivery Function has a defined interface with an Access Function (a network element: router, SBC, switch, etc.) that allows provisioning of target information, the exchange of session information and the replication of communication traffic (example: Cisco SII). This interface is called "active" because the network element (AF) is actively identifying and replicating target traffic based on requests from the Mediation Function (MF). Since the connections between the AF and MF are typically IP-based, no special connectivity is needed and the AFs can be activated very quickly.

A passive solution employs a probe (sniffer) to identify and replicate traffic. To gain access to network traffic the probe requires either a network tap (like NetOptics) or a "SPAN" type of interface. The probe then uses the same targeting information to dynamically identify and replicate traffic. It isn't called a passive solution because it isn't actively working; it is passive because it isn't an inherent part of the active network: it sits outside of the network looking in.

Both solutions have pros and cons: an active solution is quickly implemented but only works on certain models of equipment and may require software upgrades. Probes can be expensive, but they are easily moved around a network and don't care about the software releases or models of the equipment they monitor.

Active = network element with support for a lawful intercept interface
Passive = probe attached to the network but not actively involved with network switching
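To make the distinction concrete, here is a small simulation of the two models described above. It is an added illustration, not code from the original post or from any vendor's LI interface; the class names, the provisioning call and the sample traffic are all assumptions made for the example. In the active model the Access Function itself matches and replicates traffic for targets provisioned by the Mediation Function; in the passive model a probe receives a mirror of every packet from a tap or SPAN port and does the matching on its own.

```python
"""Toy model of active vs. passive lawful-intercept architectures.

Added example, not from the original post. All names, the provisioning
interface and the traffic below are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""


def matches(target: str, pkt: Packet) -> bool:
    """Shared targeting rule: a target identifier is an IP address here."""
    return target in (pkt.src, pkt.dst)


@dataclass
class MediationFunction:
    """MF/DF: holds the target list and collects replicated traffic."""
    targets: set = field(default_factory=set)
    delivered: list = field(default_factory=list)

    def provision(self, af: "AccessFunction", target: str) -> None:
        # Active model: the MF pushes the target to the network element
        # over a defined (assumed) LI interface.
        self.targets.add(target)
        af.activate(target, self.deliver)

    def deliver(self, pkt: Packet) -> None:
        self.delivered.append(pkt)


class AccessFunction:
    """Active model: the network element identifies and replicates."""

    def __init__(self) -> None:
        self._intercepts: dict = {}   # target -> delivery callback
        self.forwarded = 0

    def activate(self, target: str, deliver) -> None:
        self._intercepts[target] = deliver

    def forward(self, pkt: Packet) -> Packet:
        # Normal switching path; a copy is made only for provisioned targets.
        self.forwarded += 1
        for target, deliver in self._intercepts.items():
            if matches(target, pkt):
                deliver(pkt)
        return pkt


class Probe:
    """Passive model: sits on a tap/SPAN, sees everything, filters itself."""

    def __init__(self, targets: set, deliver) -> None:
        self.targets = set(targets)
        self.deliver = deliver
        self.observed = 0

    def observe(self, pkt: Packet) -> None:
        # The mirror port hands the probe every packet; the probe must
        # inspect each one and replicate only the target traffic.
        self.observed += 1
        if any(matches(t, pkt) for t in self.targets):
            self.deliver(pkt)


# Constructed sample traffic (not real captures).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.9"),
    Packet("10.0.0.7", "203.0.113.9"),
    Packet("203.0.113.9", "10.0.0.5"),
    Packet("10.0.0.8", "10.0.0.9"),
]


def run_demo(target: str = "10.0.0.5") -> dict:
    """Run the same traffic through both models and report the counts."""
    # Active: MF provisions the AF, AF replicates in the forwarding path.
    mf_active = MediationFunction()
    af = AccessFunction()
    mf_active.provision(af, target)
    for pkt in SAMPLE_TRAFFIC:
        af.forward(pkt)

    # Passive: a SPAN/tap mirrors all traffic to a probe that filters.
    mf_passive = MediationFunction(targets={target})
    probe = Probe(mf_passive.targets, mf_passive.deliver)
    for pkt in SAMPLE_TRAFFIC:
        probe.observe(pkt)

    return {
        "af_forwarded": af.forwarded,
        "active_delivered": len(mf_active.delivered),
        "probe_observed": probe.observed,
        "passive_delivered": len(mf_passive.delivered),
    }


if __name__ == "__main__":
    print(run_demo())
```

Both paths deliver the same two packets for the target, but the counts show the operational difference the post describes: the Access Function only makes copies for targets it has been told about, while the probe has to look at all four packets because the mirror port is not LI-aware and is not controlled by the Mediation Function.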

Till next time ...

2 comments:

Anonymous said...

Scott, would you not consider a "Span" or "Monitor" port on a router or switch to be an active intercept, since the traffic of interest is replicated by the router or switch processor and forwarded out the span/monitor port?
The probe then minutely filters the data based on the specifics of the warrant. The only true passive intercept is a tap, where no packet replication is necessary by any of the network infrastructure equipment.
Cheers,
Doug.

Scott W. Coleman said...

Good point, Doug, and I would agree with you if the terms "active" and "passive" were interpreted literally. However, in LI speak, only a direct, LI-specific interface is considered "active". And since a SPAN port is not LI-specific and isn't controlled by the Delivery/Mediation Function directly, it isn't considered an "active" interface.

Thanks for your comment.