Lifting the Lid on Lawful Intercept

  1. Lifting the Lid on Lawful Intercept
     Shane Alcock, University of Waikato, New Zealand
     shane.alcock@waikato.ac.nz
  2. Introductions
     © The University of Waikato • Te Whare Wānanga o Waikato
     ● Research Programmer at the University of Waikato
       ○ Specialist in packet capture and analysis
       ○ Most of my work ends up as open source
       ○ Recently, developing software to assist with lawful intercept
     ● Unlike other LI experts...
       ○ I don’t work in law enforcement
       ○ I don’t work for a commercial LI vendor
       ○ I can be much more transparent about the LI process
  3. Lawful Intercept (LI)
     ● Legal and authorised interception of telecommunications
       ○ Mandated by governments
       ○ Aim is to investigate or prevent criminal activity
     ● Requested by Law Enforcement Agencies (LEAs)
       ○ Police, Intelligence Services, National security agencies
     ● Actioned by network operators
  4. Lawful Intercept (LI)
     ● Targeted at a specific user
     ● Supported by a lawfully issued warrant
     ● Severe penalties for failure to comply
       ○ Be prepared ahead of time!
  5. Lawful Intercept (LI)
     [Diagram: LEA, Network Operator, Warrant]
  6. Lawful Intercept (LI)
     [Diagram: Warrant, Configuration, LI System]
  7. Lawful Intercept (LI)
     [Diagram: Warrant, LI System, Configuration, AAA, SIP, IP]
  8. Lawful Intercept (LI)
     [Diagram: Warrant, LI System, Configuration, AAA, SIP, IP, Meta-data (IRI), Communication Contents (CC)]
  9. Standards
     ● Two widely recognised standards for LI
       ○ CALEA / ATIS: used in USA
       ○ ETSI: used almost everywhere else
     ● Not as simple as just sending a pcap to the LEA!
       ○ Standards ensure the intercept can withstand scrutiny in court
  10. ETSI Requirements
     ● Intercepted traffic must be streamed to LEAs in real time
       ○ Encrypted TCP sessions over public Internet
       ○ Closed physical connections for very sensitive intercepts
  11. ETSI Requirements
     ● Two separate handovers
       ○ Separate encrypted TCP session for each handover
       ○ One handover for meta-data
       ○ One for intercepted communications / packets
  12. ETSI Requirements
     ● Custom record format to label and sequence recorded data
       ○ Unique LIID provided by the LEA
       ○ Each session or call must also have a unique CIN
       ○ Sequence numbers per CIN to identify lost data
     ● Format is defined by many pages of ASN.1
  13. ETSI Requirements
     ● All communication by a target must be delivered to the LEA
       ○ No packet loss allowed
     ● Protect privacy of other network users
       ○ No interception of traffic for anyone other than the target
  14. ETSI Requirements
     ● Target cannot detect that the intercept is taking place
       ○ Communication must continue uninterrupted
       ○ No noticeable changes in routing or latency
  15. OpenLI
     ● Open source software for ETSI-compliant LI
       ○ Designed and maintained by me (mostly)
       ○ Low cost alternative to buying solutions from an LI vendor
       ○ Runs on Linux + commodity server hardware
       ○ Target audience: smaller operators
       ○ Deployed in production by operators in NZ
       ○ Can convert some network vendor LI formats into ETSI
     https://openli.nz
  16. IP Lawful Intercept with OpenLI
     [Diagram: Warrant, REST API Requests, AAA, SIP, Meta-data (IRI), Communication Contents (CC), OpenLI Provisioner, OpenLI Collector, OpenLI Mediator, Intercept Instructions, Agency Details, Intercepted Data]
  17. OpenLI
     ● Multiple collectors can be distributed throughout a network
       ○ One per BNG or customer aggregation point
     ● Collector uses AAA protocols to determine target IP
       ○ Only intercepts packets for that session
       ○ Tracks dynamic IP changes
     ● Mediator is the only external-facing component
       ○ Makes outbound connections to the LEAs
  18. Alternatives
     ● Specialist LI vendors
       ○ Many companies offering LI solutions to choose from
       ○ Costs will be high and ongoing
       ○ Commercial-grade support
       ○ Provisioning and mediation included in the system
       ○ Good option for large carriers with money to spend
  19. Alternatives
     ● LI licenses for networking hardware
       ○ Cisco, Juniper, Nokia, etc.
       ○ Can be used for the collection phase
       ○ Still require a third-party mediator, as output is not ETSI compliant
     Image credit: Jim Bryson
  20. The LI Deployment Checklist
     ▢ Determine the LI standards that apply to your network
       ○ Enquire with the relevant LEAs
       ○ Is the ETSI standard required?
       ○ Choose a vendor that meets the required standard
  21. The LI Deployment Checklist
     ▢ Security of your LI platform
       ○ LI is very sensitive infrastructure
       ○ Some vendors may not be allowed in your region
       ○ Also consider if you trust certain vendors
       ○ Internal security plan
       ○ Control access to the LI provisioning system
       ○ Audit logs of intercepts created and halted
  22. The LI Deployment Checklist
     ▢ Budgeting
       ○ Who pays for the LI equipment and software?
       ○ Who pays for support and maintenance?
       ○ Account for time to learn, integrate and validate LI system
  23. The LI Deployment Checklist
     ▢ Testing and validation
       ○ How do you confirm that the LI system is working?
       ○ Internally -- is there a validation mechanism available?
       ○ Coordination with LEAs to test production system
       ○ Plan for regular monitoring to detect disruption
  24. The LI Deployment Checklist
     ▢ Upkeep and support
       ○ LI systems will require continuous maintenance
       ○ Adapting to new technologies, e.g. 5G
       ○ Updating to conform to changes in standards
       ○ Again, who pays and what is the budget?
  25. Interested in OpenLI?
     ● Learn more:
       ○ https://openli.nz
       ○ https://github.com/wanduow/openli
       ○ Email: openli-support@waikato.ac.nz
     ● I would love to learn more about the LI situation here
       ○ Public information is scarce
       ○ Allow me to ensure OpenLI is compliant with LEA requirements
       ○ Conversations would be off the record
  26. Thank you!
     ● Questions?
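
Slide 12 says each record carries the LIID, a CIN and a per-CIN sequence number so that lost data can be identified, and slide 23 asks how an operator confirms the LI system is working. The following is an added example, not taken from the slides or from OpenLI: it checks a handover stream for gaps, using constructed `(LIID, CIN, sequence number)` tuples in place of decoded ASN.1 records and assuming numbering starts at 0 and rises by one per record within a CIN.

```python
from collections import defaultdict

# Constructed sample records: (LIID, CIN, sequence number).
# All identifiers below are made up for illustration.
CONSTRUCTED_RECORDS = [
    ("LIID-EXAMPLE-1", 1001, 0),
    ("LIID-EXAMPLE-1", 1001, 1),
    ("LIID-EXAMPLE-1", 1001, 3),   # sequence number 2 never arrives
    ("LIID-EXAMPLE-1", 1002, 0),
    ("LIID-EXAMPLE-1", 1002, 1),
    ("LIID-EXAMPLE-1", 1002, 1),   # delivered twice
    ("LIID-EXAMPLE-1", 1001, 4),
    ("LIID-EXAMPLE-2", 1001, 1),   # arrives out of order, but complete
    ("LIID-EXAMPLE-2", 1001, 0),
]


def find_sequence_gaps(records):
    """Report missing and duplicated sequence numbers per (LIID, CIN).

    Sequence numbers are tracked separately for every (LIID, CIN) pair,
    because the same CIN value may appear under different intercepts.
    Arrival order does not matter. Records lost after the highest number
    seen cannot be detected from the stream alone.
    """
    seen = defaultdict(set)
    duplicates = defaultdict(list)
    for liid, cin, seq in records:
        key = (liid, cin)
        if seq in seen[key]:
            duplicates[key].append(seq)
        seen[key].add(seq)

    report = {}
    for key, seqs in seen.items():
        # Assumption: numbering starts at 0 for each CIN.
        missing = [s for s in range(max(seqs) + 1) if s not in seqs]
        if missing or duplicates[key]:
            report[key] = {
                "missing": missing,
                "duplicates": sorted(duplicates[key]),
            }
    return report


if __name__ == "__main__":
    for (liid, cin), problems in find_sequence_gaps(CONSTRUCTED_RECORDS).items():
        print(liid, cin, problems)
```

Streams that are complete, such as the second LIID above, do not appear in the report.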