Overview of CALEA Conformance Proposed Standard PTSC-LAES-2006-084R6
Manish Karir
Outline
• Architectural Assumptions
• Internet Access Service Provider Model
• Electronic Surveillance Model
• Vocabulary Building
• CALEA Functions
• Functional Breakdown of Components
• Architecture, Interfaces and Intercept Access Points
• CALEA conformance
• Timing Requirements
• CmII/CmC Packet Formats and Encapsulation
• General IASP Requirements
• Re-Cap and Conclusions
Internet Access Services Model Source: PTSC-LAES-2006-084R6
Internet Access and Services Model: User’s Three Steps to Gaining Access
• Reg-F - Registration Function:
  • The act of a user getting access to the network (e.g. login/authentication of any sort)
• Res-F - Reservation Function:
  • The user requesting resources from the network (e.g. requesting an IP address, temporary addresses are not included)
• PT-F - Packet Transfer Function:
  • Transfer of Layer-3 packets to/from the Internet
Electronic Surveillance Model: Components and Responsibilities
• Service Provider Administration: responsible for the Access and Delivery Functions
• Access Function (AF): consists of one or more Intercept Access Points (IAPs)
• Delivery Function (DF): transfer of data from the Access Function to the Delivery Function
• Law Enforcement Administration: controls the LEA collection function
• Collection Function (CF): location where the communication intercepts are stored
Figure legend: Internet Access Service Provider Responsibility; Law Enforcement Responsibility
Electronic Surveillance Model Source: PTSC-LAES-2006-084R6
More Definitions / Acronyms
• LI - Lawful Intercept
• CmII - Communication Identifying Information (e.g. packet headers…but more…)
• CmC - Communication Content (e.g. the packets)
• IAP - Intercept Access Point
• Combinations:
  • AACmII - Access Associated CmII
  • CACmII - Content Associated CmII
  • CmC-IAPs - The point in the network where communication content is intercepted
  • CmII-IAPs - The point in the network where communication headers are intercepted
• Note: CmC-IAPs might be different from CmII-IAPs
The 3 Key Concepts
1. CmC - Communication Content
  • Captured at CmC-IAPs, full packets
  • Packets are passed to the Delivery Function (DF)
  • The DF transfers these to the LEA Collection Function (CF)
2. AACmII - Access Associated CmII
  • Essentially login/logout and authorization activity
  • DHCP IP address assigned
  • Information provided to CF via the DF
The 3 Key Concepts (cont.)
3. CACmII - Content Associated CmII - 2 methods
  • Intercept the packet stream to/from the subject and extract IP header information (port information is optional, but might be authorized); finally, deliver all header information to the DF or deliver summary records
  • Sample the subject's flows such that no flow can exist without being sampled, and deliver summary records to the LEA
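
The first CACmII method above, sketched as an added example (not code from the slides or from the standard): parse IPv4 headers from an intercepted stream, keep only traffic to/from the subject, treat ports as optional, and aggregate per-flow summary records. The function names, record fields and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

def build_ipv4_udp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+UDP packet (constructed sample input, checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_header(pkt, include_ports=False):
    """Return CACmII header fields for one IPv4 packet, or None if unparseable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len, frag = struct.unpack("!H", pkt[2:4])[0], struct.unpack("!H", pkt[6:8])[0]
    rec = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
           "dst": str(ipaddress.IPv4Address(pkt[16:20])),
           "proto": pkt[9], "length": total_len}
    # Ports are optional on the slide: read them only when authorized, only for
    # TCP/UDP, and only from the first fragment (later fragments carry no L4 header).
    if include_ports and pkt[9] in (6, 17) and frag & 0x1FFF == 0 and len(pkt) >= ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return rec

def summarize(packets, subject_ip, include_ports=False):
    """Aggregate per-flow summary records for traffic to/from subject_ip only."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = parse_header(pkt, include_ports)
        if rec is None or subject_ip not in (rec["src"], rec["dst"]):
            continue  # isolation: non-subject and malformed packets are never recorded
        key = (rec["src"], rec["dst"], rec["proto"], rec.get("sport"), rec.get("dport"))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["length"]
    return dict(flows)

# Constructed sample traffic (documentation address ranges); 192.0.2.10 is the subject.
SAMPLE = [
    build_ipv4_udp("192.0.2.10", "198.51.100.5", 40000, 53, b"a" * 12),
    build_ipv4_udp("192.0.2.10", "198.51.100.5", 40000, 53, b"b" * 20),
    build_ipv4_udp("198.51.100.5", "192.0.2.10", 53, 40000, b"c" * 30),
    build_ipv4_udp("192.0.2.77", "198.51.100.5", 41000, 53, b"d" * 8),  # another user
    b"\x45\x00",  # truncated packet
]
```

Calling `summarize(SAMPLE, "192.0.2.10")` yields two flow records, one per direction; the other user's packet and the truncated one never reach the output.
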
Functional Breakdown
• CmC/CmII Access Function (AF):
  • Responsible for identifying/isolating CmC/CmII for the subject and presenting it to the MF/DF
• CmC/CmII Mediation Function (MF):
  • Responsible for the presentation of captured information in the appropriate format for delivery to the LEA
• CmC/CmII Delivery Function (DF):
  • Responsible for transmitting data from the IASP to the collection function of the LEA
Functional Lawful Intercept Architecture Source: PTSC-LAES-2006-084R6
Packet Delivery Interface DF-CF Interface Source: PTSC-LAES-2006-084R6
Delivery Timing Requirements
• Event Timestamps: Each intercepted message should contain an accurate timestamp
  • CmII: timestamp should be accurate to within 200 ms
  • CmC: timestamps need to be provided with each packet
• Event Timing: Intercepted messages should be sent to the LEA within a specified time window
  • CmII should be sent by the DF to the CF within 8 seconds 95% of the time
  • CmC: ???
Timing Requirements (Source: PTSC-LAES-2006-084R6)
• T1 is dependent on the IASP
• T2 is jointly determined by the IASP and LEA by choice of agreed-upon protocols and facilities
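
A conformance check for the two CmII timing figures above, as an added example that is not part of the slides or the standard: it flags messages whose timestamp is more than 200 ms from a reference clock and tests whether at least 95% reached the CF within 8 seconds. The record keys are hypothetical, the sample data is constructed, and the 8-second window is assumed to run from the reference event time to receipt at the CF.

```python
from datetime import datetime, timedelta, timezone

DELIVERY_LIMIT = timedelta(seconds=8)        # CmII: DF -> CF within 8 seconds ...
REQUIRED_PERCENT = 95                        # ... 95% of the time
TS_TOLERANCE = timedelta(milliseconds=200)   # CmII timestamp accuracy

def parse_rfc3339(ts):
    """Parse a UTC RFC 3339 timestamp such as 2006-11-02T14:00:00.250Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def to_rfc3339(dt):
    """Format a UTC datetime with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def check_cmii_timing(records):
    """Check records (hypothetical keys: event_ref, msg_ts, cf_received) against both limits."""
    late, bad_ts = [], []
    for i, r in enumerate(records):
        ref, ts, rx = (parse_rfc3339(r[k]) for k in ("event_ref", "msg_ts", "cf_received"))
        if abs(ts - ref) > TS_TOLERANCE:
            bad_ts.append(i)          # message timestamp drifts from the reference clock
        if rx - ref > DELIVERY_LIMIT:
            late.append(i)            # reached the CF outside the 8-second window
    total = len(records)
    # Integer comparison avoids float rounding right at the 95% boundary.
    delivery_ok = total > 0 and (total - len(late)) * 100 >= REQUIRED_PERCENT * total
    return {"total": total, "late": late, "bad_timestamps": bad_ts,
            "delivery_ok": delivery_ok, "timestamps_ok": not bad_ts}

def make_records(latencies_s, skews_ms):
    """Constructed sample data: one event every 10 s with given latency and clock skew."""
    base = datetime(2006, 11, 2, 14, 0, 0, tzinfo=timezone.utc)
    records = []
    for i, (lat, skew) in enumerate(zip(latencies_s, skews_ms)):
        ref = base + timedelta(seconds=10 * i)
        records.append({"event_ref": to_rfc3339(ref),
                        "msg_ts": to_rfc3339(ref + timedelta(milliseconds=skew)),
                        "cf_received": to_rfc3339(ref + timedelta(seconds=lat))})
    return records

if __name__ == "__main__":
    print(check_cmii_timing(make_records([1.0] * 19 + [9.5], [0] * 20)))
```

One late message out of twenty sits exactly on the 95% boundary and still passes; a second late message fails the check.
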
CmII Access Messages
Access Messages: Notify LEA of access related functions performed by the subject including:
• Access Attempt (login) - subject begins the network authentication process
• Access Accepted - sent when subject has successfully authenticated with network AAA
• Access Failed - user provides invalid username/password or MAC address
CmII Access Messages (cont.)
• Access Session End (logout) - subject initiates disconnect
• Access Rejected - network rejects login attempt, e.g. user is already logged in somewhere else and network does not allow multiple logins
• Signaling Message Report - (RADIUS, DIAMETER, etc.) may be used in place of the previous messages
CmII Packet Data Messages
Packet Data Messages: Notify LEA of data related events performed by the subject
• Packet Data Session Start - sent when subject completes login and an IP address has been assigned
• Packet Data Session Failed - login is successful but no IP address, e.g. DHCP pool exhausted
• Packet Data Session End - session timeout
CmII Packet Data Messages
Packet Data Messages: Notify LEA of data related events performed by the subject
• Packet Data Session Already Established - when surveillance starts after subject login
• Packet Data Header Report - packet header reports on a per-packet basis
• Packet Summary Report - periodic summary reports of packet header data
Example CmII Message Formats (figures: Packet Header Data Report CmII Message; Access Accepted CmII Message)
CmC Message Delivery Options
• SCTE Datagram Format
• ATIS
  • IAS Datagram
    • Encapsulation Approach - one packet per encapsulated datagram
      • UDP/IP based encapsulation; TCP or other transport protocols are optional
    • IC-APDU - Protocol Data Unit Approach - multiple packets per Datagram
• We focus on the IAS Datagram approach as it is the simplest
IAS Datagram Encapsulation Approach
• One intercepted packet in each encapsulated UDP datagram
• Src IP is the address of the DF; Dst IP is the address of the CF
• Port numbers in the UDP header may be agreed upon by LEA and IASP
• ContentID field is an ASCII value that allows correlation between CmC and CmII
** Timestamp is RFC 3339 compliant: YYYY-MM-DDThh:mm:ss.sssZ
** Intercepted Packet includes all headers
IAS Datagram - APDU Approach
A simple extension of the encapsulation approach, to include multiple intercepted packets in a single encapsulated packet.
Subject Identification: Two Aspects
• Login Identification:
  • When network requires authentication prior to use
  • CmC and CmII interception is performed only after the subject has been identified on the network
  • After login, the subject can be identified via the unique IP address or session identifier assigned to the subject during login
Subject Identification: Two Aspects (cont.)
• Equipment Identification:
  • When network does not require authentication prior to use
  • Subject is identified via unique address or interface
  • Intercept in this scenario may be based on MAC address, IP address or physical/logical port
Six IASP Requirements
1. Privacy: IASP shall not monitor or permanently record the subject's communications
2. Isolation: IASP shall ensure that only the subject's communication is intercepted
3. Transparency: IASP shall perform the intercept in a manner such that the subject cannot reasonably detect that the intercept is being performed
Six IASP Requirements (cont.)
4. Encryption/Compression: IASP shall deliver the intercept data unencrypted or provide the LEA with the encryption method and keys. IASP shall provide data uncompressed or identify means to decompress
5. Security/Integrity: IASP shall ensure unaltered delivery of intercept data. Security is to be negotiated between IASP and LEA
6. Performance/Quality: IASP should be able to perform multiple intercepts at the same time
Re-cap and Conclusions
• This is a simplified overview of the standard
  - Not a substitute for a detailed reading and interpretation.
• This is a broad introduction to the draft standard.
  - Terminology used
  - Rough outline of the structure of the proposed standard
Re-cap and Conclusions – Remember:
• The standard itself is unclear in certain areas - for example:
  • The use of encryption by the IASP to protect the CmC
  • Specifics such as what the caseID is and how it differs from the content identifier, IAP system identity, subscriber ID, etc.
  • Implementation details such as the sizes of the various fields in the packet headers and the timing requirements for CmC delivery
• Important to remember that it is still a “draft” standard and subject to revision.