noteworthy wrote:

By: Steven Bellovin, Columbia University; Matt Blaze, University of Pennsylvania; Ernest Brickell, Intel Corporation; Clinton Brooks, NSA (retired); Vinton Cerf, Google; Whitfield Diffie, Sun Microsystems; Susan Landau, Sun Microsystems; Jon Peterson, NeuStar; John Treichler, Applied Signal Technology

June 13, 2006

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with the telephone system -- such as E911 and the graceful accommodation of wiretapping -- should be able to be done readily with VoIP as well.
Thanks for posting this. I've been doing a lot of VoIP work @ work and this is both certainly relevant and not something I've seen elsewhere. Having skimmed it, let me make two observations:

1. My interpretation of the FCC's limit of CALEA to "interconnected" and "broadband" VoIP is to say that CALEA compliance is only required if the VoIP provider is interconnected with the PSTN (which eliminates the problems described in this paper) or the VoIP provider is also providing their customers with physical internet access (which also eliminates the problems described in this paper). My understanding is that the FBI knows tapping p2p VoIP is hard and they can't easily require it.

2. The reality that Internet CALEA compliance is hard isn't stopping people from trying. And, yes, I think that a single SNMP message that configures a tap with nothing more than password protection is insanely insecure. With a designated physical tap network, with carefully crafted packet filters, this could be done, but how many times are people going to get that wrong? A lot... It's worth noting that temporarily, these Cisco routers can't tap IPv6.

RE: Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP