US gov't wiretapping laws and your network

23.01.2007
CALEA. What is it, and what does it mean for your network? If the acronym for the Communications Assistance for Law Enforcement Act is familiar, chances are your organization has already done much decision-making regarding CALEA. If not, with the deadlines for reporting and compliance fast approaching, it's time to become familiar with CALEA and what implications it may have for the network you administer.

First, some background. Congress enacted CALEA in 1994. CALEA's purpose was to provide a way of intercepting voice communications from digital telephone networks to aid law enforcement agencies (LEAs) in their investigations.

In 2005, the Federal Communications Commission (FCC) issued a First Report and Order on CALEA in response to a joint petition from the Department of Justice, FBI and Drug Enforcement Agency to expand CALEA intercept coverage to include providers of interconnected voice-over-IP (VoIP) services. The First Report and Order required facilities-based Internet services and VoIP broadband providers to be compliant by May 14, 2007.

The FCC describes an intercept process whereby Call Identifying Information (CII) is extracted from the communications stream. However, the FCC is leaving the creation of CII standards to the communications industry. Once the requested information is obtained, it's sent to the requesting LEA.

On May 12, 2006, the FCC issued a CALEA Second Report and Order, which confirmed the feasibility of the compliance deadline and provided additional information, including reporting plans for networks covered by CALEA. According to an FCC Public Notice issued Dec. 14, 2006, networks that are not CALEA exempt must file a Monitoring Report (FCC Form 445) by Feb. 12, 2007. A second FCC Public Notice requires System Security and Integrity plans to be filed by March 12, 2007.

A consortium led by the American Council on Education (ACE) and Educause challenged the FCC's position that facilities-based Internet services and VoIP were covered under CALEA, arguing that they fell under the exempt category of Information Services. The U.S. Court of Appeals for the District of Columbia Circuit ruled in favor of the FCC 2-1 but did reaffirm that certain networks could be exempt.

The determination of what makes a network exempt, however, is not quite clear. A self-contained network that has absolutely no possible method of passing traffic to the Internet is clearly a private network and therefore not subject to CALEA. If an Internet connection were the sole CALEA determinant, the exempt/nonexempt question would not be an issue. However, that's not the case.

The CALEA tests

There are essentially two tests to determine whether a network connected to the Internet is exempt from CALEA. Note that this doesn't mean that the data is exempt from monitoring; it only aids in determining where the monitoring takes place.

The first question to answer is whether the network is private. As most corporate networks are not publicly accessible, they would be exempt from CALEA. On the other hand, an ISP by definition operates a large publicly accessible network and therefore would be expected to fall under CALEA.

But what of those networks caught in the middle, such as wireless hotspots, hotels and public libraries? As public Internet access points, these kinds of networks are clearly not private. However, the First Report and Order specifies that the FCC doesn't consider these to be facilities-based broadband ISPs, and they are therefore exempt from CALEA.

If an institution offers no network access to those not associated with it (such as in the college case, where access is given only to faculty, staff and students), it can be argued that it is therefore a private network. If public access is offered through the college library, that does not negate the institution's private status, according to one view.

What about public wireless access at such institutions? Here the issue gets a bit grayer. Referring back to the college example again, ACE has suggested that if the access is incidental to the nature of the network, then it may not negate its private status. The degree of access that exceeds its incidental nature isn't stated.

The second test revolves around the Internet connection itself. The connection can be considered a combination of two entities: the circuit and the customer premise electronics. It's important to reiterate that the link between a private and public network falls under CALEA requirements; the question here is which end is responsible for fulfilling those requirements.

In the circuit case, if the end site owns the circuit to the ISP (such as in the case of perhaps a dark fiber connection to an ISP's point of presence), then the end site may be subject to CALEA. If the end site leases the line, it may be subject still, but if the ISP owns the circuit outright, the ISP must provide the monitoring, not the end site.

With regard to the customer site electronics, the test becomes more ambiguous. From a networking point of view, one interpretation could easily be that the compliance test depends on whoever manages the network electronics handling the Internet route tables for the local network (the border router).

However, CALEA isn't that clear. The First Report and Order doesn't limit the equipment to routers, listing "routers, soft switches and other equipment that may provide addressing and intelligence functions for packet-based communications to manage and direct the communications, along to their intended destinations." In an IP network, this includes routers but doesn't appear to exclude Layer 2 switches. A Layer 2 switch uses intelligence to direct communications to intended destinations based on Media Access Control addressing. In that sense, if the ISP manages a customer premise Layer 2 switch and the circuit, then the CALEA obligations would fall on the ISP.

Determining exemption status is obviously not trivial. However, some comfort may be taken in realizing that there are many facing this process. Whatever decision is taken, it's good practice to document the decision process and the reasons for determining your network's status.

Finally, this analysis should not be construed as legal advice, rather it's one networker's view of CALEA. Remember, this is not purely a network engineering determination; the institution's legal office needs to make the call, based in part on correct technical input.

CALEA's technical details

If it's determined that your network isn't exempt, from a technical standpoint, what does that mean for your network? Essentially, when an intercept request is made by an LEA, the stream of VoIP traffic to and from a particular user is provided to law enforcement. Therefore, at minimum some sort of packet-capturing device is necessary.

Originally, some interpreted the expanded CALEA to require interception at every port within the network. FCC Commissioner Deborah Tate later clarified that edge interception -- that is, the connection between private and public networks -- was all that was necessary. Providing port monitoring capabilities at every uplink could have been costly and not trivial to implement.

The methodology for traffic interception at the edge could be the same as used by intrusion-detection and intrusion-prevention systems. Whether inline or via a mirrored port, a device capable of analyzing and recording selected traffic at the edge is needed. While the FCC won't specify technical requirements, one would think that adding a signature to a Snort IDS to trigger a tcpdump script to take a trace of all voice-related traffic on that IP address would be an acceptable solution. This trace may then be delivered to the LEA.

If CII is desired, the IP address would need to be associated with a particular machine, necessitating additional work. Static IP assignment records or Dynamic Host Configuration Protocol (DHCP) logs can be used to match an IP address to a computer. Those networks that rely on Network Address Translation (NAT) would also have to search the NAT logs to determine the correct internal IP address related to the voice traffic of interest.
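As an added example (not from the article or its author), here is how that CII step might be carried out against DHCP and NAT logs: given the public address and port seen in the intercepted voice traffic and the time of the intercept, walk the NAT log back to the internal address, then the DHCPACK history to the MAC address and hostname that held that lease at that moment, since an address may have been re-leased to a different machine minutes later. The log lines are constructed; the DHCPACK lines follow the ISC dhcpd syslog layout, while the NAT log format and its field names are assumptions, because NAT devices log translations differently.

```python
import re
from datetime import datetime

YEAR = 2007  # syslog lines carry no year; assumed for the constructed sample below

# Constructed sample logs (not from the article). DHCPACK lines use the ISC dhcpd
# syslog layout; the "nat:" lines are an assumed, simplified translation log.
DHCP_LOG = """\
Jan 23 09:58:02 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:5e (lab-pc-07) via eth1
Jan 23 10:01:44 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:aa:bb:cc:dd:ee (softphone-12) via eth1
Jan 23 10:30:10 dhcp1 dhcpd: DHCPACK on 10.20.5.18 to 00:1a:2b:3c:4d:5e via eth1
"""
NAT_LOG = """\
Jan 23 10:02:10 border nat: 10.20.5.17:5060 -> 203.0.113.9:41022 proto=udp
Jan 23 10:02:11 border nat: 10.20.5.40:5060 -> 203.0.113.9:41023 proto=udp
"""
DHCP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on ([\d.]+) to (\S+)(?: \((\S+)\))?")
NAT_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ nat: ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def ts(text):
    """Parse a syslog timestamp such as 'Jan 23 10:02:10' using the assumed year."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")

def parse_dhcp(log):
    """(time, ip, mac, hostname) for every DHCPACK line, oldest first; hostname may be absent."""
    acks = (DHCP_RE.match(line) for line in log.splitlines())
    return sorted((ts(m[1]), m[2], m[3].lower(), m[4] or "") for m in acks if m)

def lease_at(acks, ip, when):
    """The DHCPACK that held `ip` at `when` (latest one at or before it), or None."""
    hits = [a for a in acks if a[1] == ip and a[0] <= when]
    return hits[-1] if hits else None

def nat_internal(log, public_ip, public_port, when):
    """(time, internal_ip, internal_port) behind a public socket: latest mapping at or before `when`."""
    best = None
    for m in (NAT_RE.match(line) for line in log.splitlines()):
        if m and m[4] == public_ip and int(m[5]) == public_port and ts(m[1]) <= when:
            if best is None or ts(m[1]) >= best[0]:
                best = (ts(m[1]), m[2], int(m[3]))
    return best

def resolve_cii(public_ip, public_port, when):
    """Public socket seen in the trace -> NAT log -> internal IP -> DHCP lease -> MAC and host."""
    nat = nat_internal(NAT_LOG, public_ip, public_port, when)
    if nat is None:
        return None  # no translation on record: the trace cannot be tied to an inside host
    lease = lease_at(parse_dhcp(DHCP_LOG), nat[1], when)
    return {"internal_ip": nat[1], "mac": lease[2] if lease else None, "host": lease[3] if lease else None}
```

Whichever machine the lookup names, the records used (the log lines, their timestamps and the query time) should be preserved alongside the trace so the association can be reproduced later.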

There is also the option of contracting the services of a trusted third party. Services such as VeriSign's NetDiscovery handle the CALEA technical and reporting requirements. This may be a preferred route for those companies lacking technical expertise or manpower and desiring a turnkey solution.

Finally, some may opt to handle CALEA compliance by removing the aspect of the network that nullifies exempt status. Whether that means eliminating public access, contracting with an ISP to provide managed services, or other actions, the pros and cons of any decision must be carefully weighed.

While CALEA as applied to packet networks may seem somewhat confusing now, time and experience will bring clarity to some of the questions. The goal today is to ensure compliance within the act as best as possible from both technological and operational standpoints, or provide a reasonable explanation for exemption.

Greg Schaffer is the director of network services at Middle Tennessee State University. He has over 15 years of experience in networking, primarily in higher education. He can be reached at newtnoise@comcast.net.