Post on 18-Dec-2015
Overview of CALEA Conformance Proposed Standard
PTSC-LAES-2006-084R6
Manish Karir,
Merit – Research and Development
Outline
1. Architectural Assumptions
– Internet Access Service Provider Model
– Electronic Surveillance Model
– Vocabulary Building
2. CALEA Functions
– Functional Breakdown of Components
– Architecture, Interfaces and Intercept Access Points
3. CALEA conformance
– Timing Requirements
– CmII/CmC Packet Formats and Encapsulation
– General IASP Requirements
4. Re-Cap and Conclusions
Internet Access Services Model
Source: PTSC-LAES-2006-084R6
Internet Access and Services Model: Three Aspects to Gaining Access
1. Reg-F - Registration Function: The act of a user getting access to the network (e.g. login/authentication of any sort)
2. Res-F - Reservation Function: The user requesting resources from the network (e.g. requesting an IP address, temporary addresses are not included)
3. PT-F - Packet Transfer Function: Transfer of Layer-3 packets to/from the Internet
Electronic Surveillance Model: Components and Responsibilities
1. Service Provider Administration: Responsible for the Access and Delivery Functions
2. Access Function (AF): Consists of one or more Intercept Access Points (IAPs)
3. Delivery Function (DF): Transfer of data from the Access Function to the Collection Function
4. Law Enforcement Administration: Controls the LEA collection function
5. Collection Function (CF): Location where the communication intercepts are stored
Law Enforcement Responsibility
Internet Access Service Provider Responsibility
Electronic Surveillance Model
Source: PTSC-LAES-2006-084R6
More Definitions / Acronyms
• LI - Lawful Intercept
• CmII - Communication Identifying Information (e.g. packet headers…but more…)
• CmC - Communication Content (e.g. the packets)
• IAP - Intercept Access Point
• Combinations:
– AACmII - Access Associated CmII
– CACmII - Content Associated CmII
– CmC-IAPs - The point in the network where communication content is intercepted
– CmII-IAPs - The point in the network where communication headers are intercepted
– Note: CmC-IAPs might be different from CmII-IAPs
The 3 Key Concepts
1. CmC - Communication Content
– Captured at CmC-IAPs, full packets
– Packets are passed to Delivery Function (DF)
– The DF transfers these to the LEA Collection Function (CF)
2. AACmII - Access Associated CmII
– Essentially login/logout and authorization activity
– DHCP IP address assigned
– Information provided to CF via the DF
3. CACmII - Content Associated CmII - 2 methods
– Intercept packet stream to/from subject and extract IP header information; port information is optional (but might be authorized); finally deliver all header information to DF or deliver summary records
– Sample subject's flows such that no flow can exist without being sampled and deliver summary records to LEA
Functional Breakdown
CmC/CmII Access Function (AF):
– Responsible for identifying/isolating CmC/CmII for the subject and presenting it to the MF/DF
CmC/CmII Mediation Function (MF):
– Responsible for the presentation of captured information into the appropriate format for delivery to LEA
CmC/CmII Delivery Function (DF):
– Responsible for transmitting data from IASP to the collection function of the LEA
Functional Lawful Intercept Architecture
Source: PTSC-LAES-2006-084R6
Packet Delivery Interface: DF-CF Interface
Source: PTSC-LAES-2006-084R6
[Figure: the DF application (IASP domain) and the CF application (LEA domain), each over a seven-layer OSI protocol stack and a Delivery Method, exchanging CmC & CmII as A-PDUs across the ‘e’ interface; labels: A-PDU Demarcation Point, Physical Demarcation Point.]
A-PDU = Application Protocol Data Unit (formatted for ‘e’ interface)
DF-DM (A-PDU) = encapsulated A-PDU sent by the Delivery Function’s Delivery Method
Intercept Access Points
Delivery Timing Requirements
1. Event Timestamps: Each intercepted message should contain an accurate timestamp
– CmII: timestamp should be accurate to within 200ms
– CmC: timestamps need to be provided with each packet
2. Event Timing: Intercepted messages should be sent to LEA within specified time window
– CmII should be sent by the DF to the CF within 8 seconds 95% of the time
– CmC: ???
Timing Requirements
Source: PTSC-LAES-2006-084R6
T1 is dependent on the IASP
T2 is jointly determined by IASP and LEA by choice of agreed upon protocols and facilities
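An added example, not part of the slides or the standard: a conformance check that an IASP could run over test-intercept records to verify the two CmII numbers above (timestamp accuracy within 200 ms, delivery within 8 seconds 95% of the time). The record layout, the function names, and the choice to measure the 8-second window from a reference-clock event time to receipt at the CF are assumptions.

```python
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # YYYY-MM-DDThh:mm:ss.sssZ
MAX_TS_ERROR_S = 0.200               # CmII timestamp accuracy (slide value)
MAX_DELIVERY_S = 8.0                 # CmII delivery window (slide value)
REQUIRED_FRACTION = 0.95             # "95% of the time"

def parse_ts(text):
    """Parse a UTC timestamp in the format above; raise ValueError otherwise."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)

def check_cmii_timing(records):
    """records: (reference_event_time, message_timestamp, cf_receive_time) strings.

    ASSUMPTION: delivery delay is measured from the reference event time
    to the time the message is received at the CF.
    """
    malformed, bad_stamps, late = [], [], []
    for i, rec in enumerate(records):
        try:
            event, stamped, received = (parse_ts(t) for t in rec)
        except ValueError:
            malformed.append(i)      # unparseable record: report, do not count
            continue
        if abs((stamped - event).total_seconds()) > MAX_TS_ERROR_S:
            bad_stamps.append(i)
        if (received - event).total_seconds() > MAX_DELIVERY_S:
            late.append(i)
    checked = len(records) - len(malformed)
    on_time = (checked - len(late)) / checked if checked else 0.0
    return {
        "malformed": malformed,
        "timestamp_out_of_tolerance": bad_stamps,
        "late": late,
        "on_time_fraction": on_time,
        "delivery_ok": on_time >= REQUIRED_FRACTION,
    }

# Constructed sample records (not real intercept data).
SAMPLE = [
    ("2007-01-15T10:00:00.000Z", "2007-01-15T10:00:00.120Z", "2007-01-15T10:00:03.500Z"),
    ("2007-01-15T10:01:00.000Z", "2007-01-15T10:01:00.350Z", "2007-01-15T10:01:02.000Z"),
    ("2007-01-15T10:02:00.000Z", "2007-01-15T10:02:00.010Z", "2007-01-15T10:02:09.500Z"),
    ("2007-01-15T10:03:00.000Z", "2007-01-15 10:03:00", "2007-01-15T10:03:01.000Z"),
]

if __name__ == "__main__":
    print(check_cmii_timing(SAMPLE))
```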
CmII Access Messages
Access Messages: Notify LEA of access related functions performed by the subject including:
– Access Attempt (login) - subject begins the network authentication process
– Access Accepted - sent when subject has successfully authenticated with network AAA
– Access Failed - user provides invalid username/password or MAC address
– Access Session End (logout) - subject initiates disconnect
– Access Rejected - network rejects login attempt e.g. user is already logged in somewhere else and network does not allow multiple logins
– Signaling Message Report - (RADIUS, DIAMETER, etc.) may be used in place of the previous messages
CmII Packet Data Messages
Packet Data Messages: Notify LEA of data related events performed by the subject
– Packet Data Session Start - sent when subject completes login and an IP address has been assigned
– Packet Data Session Failed - login is successful but no IP address, e.g. DHCP pool exhausted
– Packet Data Session End - session timeout
– Packet Data Session Already Established - when surveillance starts after subject login
– Packet Data Header Report - packet header reports on a per-packet basis
– Packet Summary Report - periodic summary reports of packet header data
Example CmII Message Formats

Packet Header Data Report CmII Message
Information Element | M/O/C | Condition
Case Identity | M |
IAP System Identity | M |
Time Stamp | M |
Content Identifier | M |
Header Set | M |

Access Accepted CmII Message
Information Element | M/O/C | Conditions
Case Identity | M |
IAP System Identity | M |
Time Stamp | M |
Subscriber Identity | M |
Access Method | C | Provide when known.
Network Access Node Identity | C | Provide when known.
IP Address | C | Provide when known.
Access Session Identity | M |
Access Session Characteristics | C | Provide when known.
Location Information | C | Provide when reasonably available and lawfully authorized.
Protocol Signal | O |
CmC Message Delivery Options
• SCTE Datagram Format
• ATIS IAS Datagram
– Encapsulation Approach - one packet per encapsulated datagram
– UDP/IP based encapsulation; TCP or other transport protocols are optional
– IC-APDU - Protocol Data Unit Approach - multiple packets per Datagram
We focus on the IAS Datagram approach as it is the simplest
IAS Datagram Encapsulation Approach
• One intercepted packet in each encapsulated UDP datagram
• Src IP is the address of DF; Dst IP is address of CF
• Port numbers in UDP header may be agreed upon by LEA and IASP
• ContentID field is ASCII value that allows correlation between CmC and CmII
Datagram layout:
Encapsulation IP Header
Encapsulation UDP Header
Content ID
Time Stamp
Intercepted Packet
Timestamp is RFC3339 compliant: YYYY-MM-DDThh:mm:ss.sssZ
Intercepted Packet includes all headers
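An added example, not taken from the slides or the standard: the UDP payload of the encapsulation approach (Content ID, Time Stamp, Intercepted Packet) built on the DF side and parsed on the CF side, where the Content ID is recovered for correlation with CmII and the intercepted IPv4 header is summarised. The slides give no field sizes, so the 16-byte space-padded Content ID, the function names and the sample packet are assumptions.

```python
import re
import socket
import struct

CONTENT_ID_LEN = 16  # ASSUMED width; the slides do not give field sizes
TIMESTAMP_LEN = 24   # len("YYYY-MM-DDThh:mm:ss.sssZ")
TS_RE = re.compile(rb"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")

def encapsulate(content_id, timestamp, packet):
    """DF side: build the payload Content ID | Time Stamp | Intercepted Packet."""
    cid = content_id.encode("ascii")
    ts = timestamp.encode("ascii")
    if len(cid) > CONTENT_ID_LEN or not TS_RE.fullmatch(ts):
        raise ValueError("bad Content ID or timestamp")
    return cid.ljust(CONTENT_ID_LEN, b" ") + ts + packet

def decapsulate(payload):
    """CF side: split the payload and summarise the intercepted IPv4 header."""
    if len(payload) < CONTENT_ID_LEN + TIMESTAMP_LEN + 20:
        raise ValueError("payload too short")
    cid = payload[:CONTENT_ID_LEN].rstrip(b" ").decode("ascii")
    ts = payload[CONTENT_ID_LEN:CONTENT_ID_LEN + TIMESTAMP_LEN]
    if not TS_RE.fullmatch(ts):
        raise ValueError("timestamp not in YYYY-MM-DDThh:mm:ss.sssZ form")
    packet = payload[CONTENT_ID_LEN + TIMESTAMP_LEN:]
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, src, dst = (fields[0], fields[2], fields[6],
                                           fields[8], fields[9])
    # The intercepted packet must arrive whole, with all of its headers.
    if ver_ihl >> 4 != 4 or total_len != len(packet):
        raise ValueError("intercepted packet is not a complete IPv4 datagram")
    return {"content_id": cid, "timestamp": ts.decode("ascii"),
            "protocol": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "packet": packet}

# Constructed sample: a 28-byte IPv4/UDP datagram between documentation addresses.
SAMPLE_PACKET = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
    socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
) + struct.pack("!HHHH", 40000, 53, 8, 0)

if __name__ == "__main__":
    payload = encapsulate("CASE42-FLOW1", "2007-01-15T10:00:00.120Z", SAMPLE_PACKET)
    print(decapsulate(payload))
```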
IAS Datagram - APDU Approach
A simple extension of the encapsulation approach, to include multiple intercepted packets in a single encapsulated packet.
Encapsulation IP Header
Encapsulation UDP Header
Number of CmC-APDUs
Length of 1st CmC-APDU
Length of 2nd CmC-APDU
Length of last CmC-APDU
1st CmC-APDU
2nd CmC-APDU
Last CmC-APDU
Content ID
Time Stamp
Sequence Number
Intercepted Packet
Subject Identification: Two Aspects
1. Login Identification:
– When network requires authentication prior to use
– CmC and CmII is performed only after subject has been identified on the network
– After login, subject can be identified via unique IP address or session identifier assigned to subject during login
2. Equipment Identification:
– When network does not require authentication prior to use
– Subject is identified via unique address or interface
– Intercept in this scenario may be based on MAC address, IP address or physical/logical port
Six IASP Requirements
1. Privacy: IASP shall not monitor or permanently record subject's communications
2. Isolation: IASP shall ensure that only the subject's communication is intercepted
3. Transparency: IASP shall perform the intercept in a manner such that the subject cannot reasonably detect that intercept is being performed
4. Encryption/Compression: IASP shall deliver the intercept data unencrypted or provide the LEA with encryption method and keys. IASP shall provide data uncompressed or identify means to decompress
5. Security/Integrity: IASP shall ensure unaltered delivery of intercept data. Security is to be negotiated between IASP and LEA
6. Performance/Quality: IASP should be able to perform multiple intercepts at the same time
Re-cap and Conclusions
• This is a simplified overview of the standard
- Not a substitute for a detailed reading and interpretation.
• This is a broad introduction to the draft standard.
- Terminology used
- Rough outline of the structure of the proposed standard
Re-cap and Conclusions – Remember:
1. The standard itself is unclear in certain areas, for example:
– The use of encryption by IASP to protect the CmC
– Specifics such as what is the caseID and how is it different from content identifier, IAP system identity, subscriber ID etc.
– Implementation details such as what are the sizes of the various fields in the packet headers, what are the timing requirements for CmC delivery
2. Important to remember that it is still a “draft” standard and subject to revision.