CALEA and new equipment you must install per FCC regulation?

This is a copy of an e-mail I received earlier today:

Has anyone heard that the FCC and CALEA have imposed a new law that
requires ALL wireless/terrestrial internet providers to buy new very $$$$
equipment that allows the Feds to track and intercept items from a given IP
address? This equipment must be in place by end of May this year.

see http://www.eff.org/Privacy/Surveillance/CALEA/

Anyone heard about this? I heard it comes with big fines if your system is
not compliant!!!


So I thought it was a hoax…however I just received an e-mail from the FISPA mailer list and I see this:


http://www.baller.com/pdfs/BHLG-CTC_CALEA_Memo.pdf


Has anyone heard / read about this? How serious is it? Where does this leave us?

I also just noticed there’s already a thread on this…

http://motorola.canopywireless.com/support/community/viewtopic.php?t=3496


But yeah - just curious on everyone’s thoughts?

I only wish it were a hoax :(

http://www.fcc.gov/calea/

http://www.askcalea.net

http://www.isp-planet.com/fixed_wireles … s_bol.html

It’s real and WISPs are most certainly covered. The good news is that you can make a Canopy network compliant, though you’ll have to do some traffic engineering and add a probe in. The reason you will likely have to make network changes is that you are going to want to minimize the number of probes (glorified sniffers that talk to a mediation device) you need to deploy. The problem is that most of the Trusted Third Parties charge per monitored device, so if you can ensure that one probe will see all traffic in your network, you can get by with just one instead of one per tower.

Make sure you’re running SM isolation on your APs and then VLAN each of the APs onto a different VLAN. Bring all your traffic into a central switch at your network core, and plug your probe into your managed (must be able to do port mirroring) switch. That way it can “hear” all of the traffic, but doesn’t sit in line.
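
The single-probe layout described in the post above only works if no subscriber traffic can bypass the mirror port on the core switch. As an added example that is not part of the original thread, this Python script audits a planned AP inventory for that condition; the AP names, VLAN IDs, field names and the presence of a switch at each tower are assumptions made for illustration.

```python
# Added example: pre-deployment audit of a single-probe mirror design.
# SAMPLE_APS and SAMPLE_MIRRORED are constructed data, not from a real network.
from collections import Counter

SAMPLE_APS = [
    {"name": "tower1-ap1", "vlan": 101, "sm_isolation": True},
    {"name": "tower1-ap2", "vlan": 102, "sm_isolation": False},
    {"name": "tower2-ap1", "vlan": 102, "sm_isolation": True},
    {"name": "tower2-ap2", "vlan": 104, "sm_isolation": True},
]
SAMPLE_MIRRORED = {101, 102}  # VLANs listed as sources of the core mirror session


def audit_probe_coverage(aps, mirrored_vlans):
    """Return (ap_name, problem) pairs for every way subscriber traffic
    could avoid the probe attached to the core switch's mirror port."""
    findings = []
    vlan_use = Counter(ap["vlan"] for ap in aps if ap["vlan"] is not None)
    for ap in aps:
        name, vlan = ap["name"], ap["vlan"]
        if not ap["sm_isolation"]:
            # Without SM isolation, SM-to-SM traffic can turn around at the AP
            # and never reach the core switch.
            findings.append((name, "SM isolation disabled"))
        if vlan is None:
            findings.append((name, "no VLAN assigned"))
            continue
        if vlan_use[vlan] > 1:
            # APs sharing a VLAN can exchange frames at a tower switch
            # (assumed topology) before the traffic reaches the core.
            findings.append((name, f"VLAN {vlan} shared with another AP"))
        if vlan not in mirrored_vlans:
            findings.append((name, f"VLAN {vlan} not in mirror session"))
    return findings


def single_probe_sufficient(aps, mirrored_vlans):
    """True only when the audit finds nothing that bypasses the probe."""
    return not audit_probe_coverage(aps, mirrored_vlans)


if __name__ == "__main__":
    for ap_name, problem in audit_probe_coverage(SAMPLE_APS, SAMPLE_MIRRORED):
        print(f"{ap_name}: {problem}")
```
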

Yeah it’s definitely going to be a kick in the shin to companies like mine which are just made for a little extra monthly income.

We’re mainly a telecommunications company that just took this up because the business proposal looked great ;).

Trying to decide whether it’s worth it now =P. I guess only time will tell.

All you have to do is port mirroring on an ethernet switch facing your providers and peers. Dump the traffic to a collector that you can divert to law enforcement upon court order. Tell the FCC how you intend to do it. See if they agree. Merit’s interpretation is that they are not responsible for tapping intra-AS traffic (traffic that does not leave their network) so they only port mirror at outside transit and peering exchanges. They have a separate system that provides accounting and authentication for use of the tapping service. It’s all done with basically commodity hardware (ethernet switches, PCs as collectors) and open source software. Check out http://www.merit.edu/resources/calea/

I’m very lost in the whole situation.

To me it sounds like they want to intercept/mirror traffic to find out what’s going on and what a particular person is doing.

However, some upstream providers have stated that they meet the FCC/CALEA requirements and that the people that buy bandwidth off them do not need to comply.

If I’m doing 1:1 NAT across my network, etc. I would’ve assumed that I would need to install the equipment myself as well? Is this not the case?

The entire thing is pretty confusing and no two people in whatever government organization will give you the same answers to the same questions.

This thread is interesting.

http://isp-lists.isp-planet.com/isp-wir … thrd5.html

If you read the posts from S.W.Y.S.S. it appears he (1) is a WISP operator, (2) personally knows Sen. John McCain, (3) also works for the government, and (4) got a call from the FBI CALEA group in regards to his filing for CALEA compliance.


S.W.Y.S.S.
“Yes, here is what happened.

Prior I was told by Mr. McCain to file the forms on time because he didn’t think he could get answers
quick enough.

Today I received a call from the FBI CALEA group in Arlington County, Virginia telling me I did not have
to worry about being CALEA compliant for them because I was not a carrier. I did not provide VOIP,
(Not the same as re-selling) If I was not the carrier of the VOIP I was not required to be CALEA compliant
for the FBI. Even if I re-sold VOIP services, I was not required to be compliant for CALEA on the FBI side
the actual carrier was. Vonage, Packet8 etc…

They did tell me they could not send me the letter that I was not required to be compliant, that the FCC still
had to do their part of the CALEA. The FBI only receives a copy of the form, The FCC also has their part for
the filing. It’s a two agency FCC & FBI form share. I have to wait for them to send a note to the FCC they
do not require me to be compliant and then the FCC should send me something.

But as far as the FBI was concerned, I have nothing more to worry about for them. I filed the form even though
I had nothing on the form but the business name and my contact number, I filed on time. That’s all that was
required. They cannot fine you if you don’t know how to fill out the form. It’s up to them to decide if they
want any more. The phone call lasted about 5 minutes, and that was it. They made a note of the phone call.

One down and Two to go.

Hope this helps a few.”

That’s interesting, though I’d be inclined to believe the local FBI office was mistaken, since the regulation is pretty clear that it covers broadband service providers.

I don’t understand what the big deal is. What would we really need to “do” to become “compliant” to allow them to do this? What’s so hard about connecting a packet sniffer to ANY network?.. Especially when it all comes back to a single hardwired place???

Any ISP should have that covered in their TOS anyways… We do. If we suspect fraudulent activity, viruses, any other malicious activity, are requested by law enforcement, or need to sniff for troubleshooting purposes, we have the right to sniff the network.

Quoted from FCC site:
"carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities."

Am I misunderstanding something? What’s the big deal?

My question is what exactly are we required to log? I would imagine packet headers to be sufficient? If we captured all traffic on our network, the storage requirements would be ridiculous. Also, does anyone recommend an application for doing this? I use Wireshark for sniffing, but I wouldn’t think it would be the best answer for ongoing monitoring. Does anyone know if Cisco IOS has a feature to dump IP headers to a log on an NFS or SMB share?

khelms wrote:
That's interesting, though I'd be inclined to believe the local FBI office was mistaken, since the regulation is pretty clear that it covers broadband service providers.



It is starting to look like you have to comply if you so much as throw up a free hot spot somewhere. They are also saying that if you use NAT then your upstream provider saying "we got CALEA covered" doesn't mean squat.

dsginc wrote:
I don't understand what the big deal is. What would we really need to "do" to become "compliant" to allow them to do this? What's so hard about connecting a packet sniffer to ANY network?.. Especially when it all comes back to a single hardwired place???


The big deal is in the details; it's much more than simply throwing a sniffer onto your network. You have to file the FCC Form 445 and the FCC Systems Security and Integrity Plan, which includes designating someone to be the 24/7/365 law enforcement contact, a senior employee to certify the warrant, and you certify that you will hand the data to the LEA in an acceptable format. Also, depending on how you interpret the regulations, you may have to ensure that you prevent communication between customers that doesn't pass through your probe. The current format standard for voice intercept is called J-Standard. In addition, all of your activity to do the tap has to be invisible, you have to be able to sustain at least two simultaneous taps, and if two different LEAs ask for a tap you can't reveal that fact to them. I suggest you talk to a lawyer and read some of the information on the FCC's and the FBI's CALEA web sites.

Err…that form was supposed to be completed by February 12?

=X

I’ve done some research and read some interesting articles. I’ve also spoken with someone who helped develop a CALEA solution for where he works.

First things first…who is required:

* facilities-based broadband Internet providers, and
* any interconnect VoIP provider that places calls to or from the PSTN.

Next, there are 3 methods of implementation a carrier may choose to follow:

1. Work with individual network equipment providers to come up with a solution for each piece of equipment.

2. Utilize a mediation/delivery function solution specifically designed to work with all network elements and provide compliance for lawful intercept.

3. Engage a hosted provider and develop a solution with them.


Solution 1 is the least likely to be attractive to carriers. It is virtually impossible and very impractical for carriers to try to work with all of their equipment vendors. Given the diverse nature of the problem, the process would be too cumbersome and too complex to come up with a solution in time to meet current lawful intercept requirements. And the complexity is certain to increase as modern networks evolve and new requirements are mandated.

Solution 2, working with companies that design and manufacture lawful intercept mediation platforms to meet lawful intercept requirements, is a more practical solution. These vendors are constantly keeping themselves abreast of the requirements, standards and technologies needed to keep carriers compliant with nationally mandated lawful intercept requirements. They typically work with all network element vendors to create lawful intercept compliant solutions for carriers.

Solution 3, outsourcing lawful intercept compliance requirements to a hosted lawful intercept solution provider is a choice that can reduce the effort needed to find/implement a solution and also reduce a carrier’s operational burden once that solution is in place. However, some carriers may not wish to give a third-party provider such high-level access to, and control of, their networks and their subscribers’ passwords, authentication mechanisms, profiles and accounting information. A hosted service is likely the best solution for small providers that will not have to execute many warrants and therefore cannot justify investment in both expertise and equipment to deal with law enforcement requirements.


This is probably the best article I’ve found: http://www.convergedigest.com/bp-c2p/bp1.asp?ID=356

Of course, there are the government sites, and official CALEA sites…

I submitted Form445 (http://fcc.gov/Forms/Form445/) and am now waiting to see what happens this week. =/ Being that it’s now 2 weeks late. =)

So just to clarify:

We are a small-town WISP in Central Florida and we have 1 cluster on our own tower, with our equipment located in our tower house (router/firewall/switches, etc.) which is where we have multiple internet-ready T1 lines run into the tower house.

I just think it’s crazy that they can impose something so outrageous on a company so small. Do I need to fill out that form? I’m assuming the answer is yes. Then what’s the next step? Wait for them to tell me I need to comply?

Chas wrote:
So just to clarify:

We are a small-town WISP in Central Florida and we have 1 cluster on our own tower, with our equipment located in our tower house (router/firewall/switches, etc.) which is where we have multiple internet-ready T1 lines run into the tower house.

I just think it's crazy that they can impose something so outrageous on a company so small. Do I need to fill out that form? I'm assuming the answer is yes. Then what's the next step? Wait for them to tell me I need to comply?


Actually the first thing you should do is talk to a lawyer, preferably one familiar with telecom law. Anything you read here or on any other forum is not a substitute for legal advice.

Having said that, you will need to fill out the Form 445; it's the one that was due last month. Basically you have to make a determination as to whether or not your network will be compliant by the deadline. I know many operators that won't be compliant and they listed what the issues are that are keeping them from compliance and when they think they can afford to get them corrected. No one knows whether or not the FCC will really accept that, but most people I've talked to believe that it's better than not filing or filing and claiming to be compliant when you aren't.