The following text is copyright 2006 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Are VoIP & CALEA incompatible?

 

By Scott Bradner

 

Last week I wrote about the potential impact of the new FCC wiretapping rules on enterprise network managers; this week the subject is the impact of some of these same rules on the Internet itself.  A new report shows that it may be nearly impossible to implement comprehensive wiretapping of voice over IP (VoIP) without reengineering and rebuilding most of the existing Internet in the US.  Not only would such a reengineering be extremely costly it would also relegate the US to second or third class players when it comes to Internet-related technological innovation.

 

As I mentioned in passing last week, the same FCC orders (http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-153A1.pdf and http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-56A1.pdf) that extended the Communications Assistance for law Enforcement (CALEA) (http://www.epic.org/privacy/wiretap/calea/calea_law.html) to Internet service providers and enterprise networks also extends CALEA to cover interconnected VoIP service providers.  By "interconnected" the FCC means a VoIP service that can connect calls to and from the existing telephone networks.

 

A new report issued by the Information Technology Association of America (ITAA) examines the "Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP."  (http://www.itaa.org/news/docs/CALEAVOIPreport.pdf)  I do not know much about the ITAA, and did not learn much from their web site (http://www.itaa.org/) other than their claim to be "the nationŐs leading information technology (IT) trade association."  But I do know, or at least know of, many of the authors of the report.  A very impressive collection of security and Internet experts indeed.

 

The report explains VoIP and why it is not your father's phone network.  In your father's phone network, after it had been reengineered at great cost but withy little user visibility, wiretapping is done quite easily by functions within the phone switches.  But VoIP when running over the Internet does not follow the same model at all.  For example, instead of having your voice exchanges run through phone switches in VoIP the data packets that carry your voice can run directly between the two phones engaged in the call.  The path these packets take will often have little in common with the path that the packets used to start and stop the call take.  The path the voice packets take will generally be through routers not under control of the VoIP provider.  In this case, even if those routers were equipped to perform wiretapping they would not know what traffic to intercept.  Another difficulty, not mentioned in the report, is that traffic paths in the Internet are almost always asymmetric - traffic in different directions takes different paths - this means that there are very few places in the network where an intercept would get the whole conversation.

 

Of course, you could reengineer the Internet in the US to keep this from happening.  That would only cost an astronomical amount but would also destroy the ability of Internet users to create new applications.  I'm sure the phone companies would love to help - such an Internet would be their dream network.  I say "in the US" because there is no reason to think that much of the rest of the world is dumb enough to destroy the innovative power of the Internet just to enable wiretapping that might wind up not being all that useful because the real bad guys would just encrypt their communications.

 

There is a lot more in this report and I recommend it highly - too bad the FCC will likely ignore what it has to say.

 

disclaimer: Ignoring Harvard is what some people do as a hobby but the above is my opinion to ignore - not Harvard's.