Our SP, as will all other SPs, will soon fall under CALEA requirements for data traffic. I've been reading up on CALEA for a while now and am rather stumped. Every presentation I can shows the a "mediation device" in the heart of the CALEA solution. The mediation device interacts with a AAA server to know on which device the target user is currently connected to. It then instructs that device to use the LI support to copy the MD on all the target's traffic which the MD then sends on to the appropriate LEA.
That's all fine and dandy on paper. What's the solution if you don't authenticate your users? For example what if you don't use PPPoE or PPPoA for your DSL customers? How will the MD learn where that user is? What about cable Internet? The user doesn't auth to the CMTS either. In fact the only time you auth on most SP networks nowadays is for dialup via PPP or SLIP. So, without authenticating your users, how does the MD find the target user?
Originally I assumed that I could simply identify the target's currently IP (easy for both cable or DSL), make it effectively static via an assignment in our DHCP server, and then create an ACL for it in the core. The ACL could be used by the LI commands to match the target's traffic and could then shunt that traffic off to the appropriate LEA. However this doesn't provide a solution for traffic to/from the target on the same access-layer aggregation device (ie, one cable customer to another on the same CMTS or one DSL customer to another on the same ATM router. I don't have a solution for that problem. One of our ATM routers (7206VXR) can support LI. Our other ATM routers (3660s) only seem to support LI in the 12.3 code train. None of the routers that are directly connected to our CMTSs support LI. Our access servers don't support LI because they are only 5300s and not 5350s or 5400s. Our new core (7600s) will support LI within the month.
Is their a way to meet CALEA requirements without the use of a MD or without using the MD in the way the presentations demonstrate? How are other SPs meeting CALEA requirements if they don't auth users?