Many network operators have a regulatory requirement to incorporate Lawful Interception (LI) capabilities into their networks, so that Law Enforcement Agencies (LEAs) can perform authorized electronic surveillance of specific target individuals.
What constitutes a suitable intercept varies across jurisdictions; while some agencies will still accept pcap files of a target’s traffic that is delivered after an event, it is increasingly common for agencies to mandate intercepts in a format that can better withstand scrutiny in court. There are two sets of standards that have been defined for this purpose: CALEA (which is used in North America) and ETSI (which is used in Europe and the Asia Pacific).
Both standards are much more onerous for the operator than simply delivering pcap captures. The intercepted traffic must be delivered to the LEAs in real time without any loss, over an encrypted channel. The intercept must be accompanied by a stream of ‘Intercept Related Information’ (IRI), which contains metadata about the communication session itself. Individual IP sessions or VOIP calls for a target must have their own unique identifier, and each intercepted packet must be tagged with a sequence number to allow LEAs to detect missing or reordered segments. There are distinct ETSI standard encapsulations for intercepted packets that are defined for different communication methods, for example IP, VOIP, mobile data, and email.
In New Zealand, the government has mandated that all network operators with at least 4,000 customers must be able to perform LI on demand and the intercepts produced must conform to the ETSI standards. When this requirement was made public, many operators in New Zealand realized they had several problems:
- The ETSI standards are complex (as stated above); most operators didn’t have the development resources available to do anything in-house.
- The existing vendor solutions cost at least NZD 100,000 plus ongoing licensing costs, which would bankrupt most small and medium-sized operators. Some larger operators did buy vendor solutions, only to find the vendor’s definition of LI was incompatible with the ETSI standards demanded by the LEAs.
- No open source solutions existed for LI at that time, so there was no ‘cheap’ alternative to the vendors.
- The financial penalties for not complying with the required LI standards were prohibitively high, so the operators could not take the risk of ignoring the problem.
Academic community comes to the rescue
At this point, the NZNOG community banded together and found a way to solve the problem. The operators would contribute money into a funding pool managed by the University of Waikato, and the University’s WAND research group would apply its expertise in network packet capture to develop software the operators could use to become LI-compliant. Thirteen organizations, including Retail Service Providers, Internet Exchanges and Internet advocacy groups, have since contributed money to fund the project.
The developers and operators agreed that the resulting software must be open-source and freely available to any operator that needed it. Furthermore, being open-source, the software could be independently verified as being free of any malicious backdoors, which is not possible with current vendor black-box solutions.
As a result, OpenLI came into existence, with the aim of becoming the world’s first open-source implementation of the ETSI standards for lawful intercept.
OpenLI uses a centralized provisioner to coordinate intercepts on multiple distributed collector instances. An operator can place an OpenLI collector at each major PoP in their network and feed potentially interceptable traffic into a capture interface on the collector, as well as any traffic that OpenLI would need to track session state (for example RADIUS for IP sessions, SIP for VOIP calls, GTP for mobile data sessions). Both intercepted packets and the corresponding IRIs are encoded as ETSI records by the collectors and passed on to a mediator to be forwarded on to the appropriate agency.
The first public release of OpenLI occurred in January 2019 and provided a minimally compliant system that operators would be able to use to meet their legal requirements in New Zealand. Since then, we have continued to expand the capabilities of OpenLI to enable it to integrate with existing vendor equipment (for example, being able to convert Jmirror intercepts into ETSI-compliant output) and make the software easier to use and integrate into an operator network (for example, adding a REST API for starting and stopping intercepts). We have also added the ability to write intercepts to pcap files so that OpenLI can be used in places where the LEAs are not equipped to receive a live ETSI stream.
Throughout the development process, we’ve been regularly working directly with the operators: assisting with deployments, getting sample packet captures from them to use for testing or debugging, and discussing additional features that we should be supporting. There are now multiple successful deployments within New Zealand and the feedback that we have received from operators so far has been very positive.
Help us take OpenLI to the world
Our next goal is to encourage the adoption of OpenLI by operators outside of New Zealand. We believe that there must be other operators in the APNIC region who are faced with LI obligations that are similar to what we have in New Zealand and could, therefore, benefit from our work.
If you are an operator interested in adopting OpenLI, we would love to hear from you. We are also very interested in hearing from organizations (operators or otherwise) that would like to sponsor the OpenLI project so that we can continue to maintain and improve the OpenLI software for the benefit of all operators.
Shane Alcock is the lead developer of OpenLI and has worked for the WAND network research group at the University of Waikato as a research programmer for over 15 years.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.