CALEA Compliance, Yes You Can!
Lawful intercept compliance is an important tool for law enforcement to combat terrorism and domestic criminal activity in our communities. Service providers that are CALEA compliant are to be commended for doing their part to keep our communities safe.
IP Fabrics can provide the equipment and support needed for cost-effective, full CALEA compliance without external people managing equipment within your network. Unlike many CALEA solutions, the IP Fabrics DeepSweep CALEA Compliance and More solution can be used for a variety of monitoring, diagnostics, and analytics activities, turning a CALEA compliance cost sink into a revenue source.
A CALEA Law Overview
The Communications Assistance for Law Enforcement Act (CALEA) was put into law to facilitate law enforcement's ability to conduct electronic surveillance. The law requires communications service providers to be able to deliver call signaling information and/or communications content when presented with a warrant. Penalties for non-compliance can reach thousands of dollars per day.
CALEA applies to all providers of public Voice over IP (VoIP) services and/or broadband internet access services. Pseudo-public networks like campus networks may also fall under CALEA. As a cable operator, if you are offering voice or internet services to your subscribers, CALEA applies to you.
The CALEA law can be found here: http://askcalea.fbi.gov/calea/103.html.
In general, Section 103 states that service provider solutions must be:
- Expeditious. Collect data from a subscriber concurrently with the transmission to or from the subscriber’s equipment (i.e. while the conversation/transfer is happening).
- Limited to warrant parameters. The information provided must isolate and deliver call identifying information (i.e. the call signaling) and also map that to the call content where the warrant allows. You can’t have anything in the delivery that isn’t within the rights of the warrant to have (i.e. no other IP streams from sources other than the subscriber(s) named in the warrant).
- Interoperable. Item (3) of section 103 specifies the output must be “in a format such that they can be transmitted by means of equipment, facilities, or services procured by the government”. This means the output must be interoperable with law enforcement collection systems. Standards bodies like ATIS (atis.org) and CableLabs have published standards that ensure interoperability with law enforcement collection systems. These standards are:
  - T1.IAS. ATIS standard for broadband internet intercept
  - T1.678. ATIS standard for voice over IP (VoIP) intercept
  - Cable Broadband Intercept Specification (CBIS) from CableLabs®
While the government will not pay for the equipment and infrastructure costs associated with CALEA compliance, the government will reimburse the service provider for the costs involved with executing an intercept when a warrant is presented.
The Technology Behind CALEA compliance
There are three important functions that implement full CALEA compliance: Access, Mediation, and Collection.
A simplified reference diagram is shown to the left. CALEA terminology references three main functions for electronic surveillance – the access function (AF), mediation function (MF), and collection function (CF). The point of demarcation that divides the service provider responsibility from law enforcement responsibility is called the hand-off interface (HI).
The access function pulls the data streams involved in the warrant off of the network. The mediation function takes these raw streams, performs some analysis on the traffic to determine the call or connection event being performed, extracts the information allowed within the parameters of the warrant, then formats the information into a standard message format that the law enforcement collection function can understand.
The standardization protocols define the hand-off interface and ensure interoperability between what the service provider is sending and what the collection function can accept.
General purpose network infrastructure equipment like routers or cable head end equipment may list CALEA support or identify a “CALEA interface”, but in most cases, this CALEA interface is only the access function – the ability to extract raw IP stream traffic. The mediation function and hand-off interface are not implemented, and therefore the equipment does not provide CALEA compliance – only CALEA support.
The best way to understand if there is full CALEA compliance is to ask if the equipment supports T1.678 for voice over IP equipment and T1.IAS or CBIS for broadband internet. If the answer is “no”, then the equipment doesn’t provide full CALEA compliance.
The CALEA Compliance Process
The first step is to identify intercept points within your network so you are able to capture traffic from any subscriber on your network.
The next step is to identify access function (AF) capabilities at these intercept locations. For example, network equipment may have mirror ports that can extract and deliver specific IP flows. If so, this port can be used for the access function. If the network equipment doesn’t support this, a simple Ethernet tap can be used to split off the entire traffic of a given Ethernet link. The IP Fabrics DeepSweep implements full CALEA compliance in a box – it’s capable of receiving input from any access function device and performing the mediation and hand-off, or you can feed the DeepSweep the entire 1GbE or 10GbE link from an Ethernet tap and it will perform the access, mediation, and hand-off.
If there are multiple remote locations that make up the intercept points, the IP Fabrics TunnelBox can be used as the access function to deliver the IP stream of interest back to a central location where the DeepSweep is. This provides a cost-effective solution for distributed networks with the additional benefit that the TunnelBox can be used to deliver troublesome IP streams to perform test and diagnostics.
Once everything is in place, do some tests. IP Fabrics can provide a test collection system that will validate proper operation. IP Fabrics can also help set up validation with the organization that can test compliance. IP Fabrics’ DeepSweep and our support staff have helped a multitude of network operators pass this validation with flying colors.
How IP Fabrics makes CALEA compliance fast, easy, and non-intrusive
IP Fabrics has been providing CALEA compliance solutions to hundreds of service providers, network operators, and trusted third parties for over seven years. Our equipment has been validated by the National Domestic Communications Assistance Center (NDCAC) numerous times within telephone, Ethernet, cable, wireless, and satellite network topologies.
IP Fabrics was involved in authoring the ATIS hand-off specifications that govern interoperability with law enforcement collection systems today. You can implement CALEA and remove the uncertainty of outside companies installing and maintaining external equipment within your network. You can use the IP Fabrics DeepSweep solution for CALEA, monitoring, diagnostics, and analytics capabilities that lower operational cost, provide faster customer response, predictive maintenance, and even enable new analytics services revenues.
The IP Fabrics DeepSweep™ along with our effective customer training and support makes taking control of your CALEA compliance solution fast, easy and inexpensive.