Discussion Communities: Merit Network Email List Archives

OpenCALEA

[OpenCALEA] LEA collector

  • From: Jesse Norell
  • Date: Fri Mar 23 14:07:32 2007

I'm moving this piece to a new thread.

From the IASP side, we make sure the system can handle numerous
simultaneous intercepts to numerous LEAs.  The LEA side of things only
exacerbates that point, and it would be in our best interests to produce
an lea_collector that could be the actual tool used by an LEA for their
collection out of the box.

From the LEA's point of view, they'll need to support (potentially many)
simultaneous intercepts, and I imagine will issue numerous intercepts
for the same caseID to different IASPs.  I don't know how multiple ip
addrs would be handled (multiple subpoenas or all under one?), nor if
it should/would come into consideration.  I would guess we'd at least
want to separate things out by IASP identifier, though, maybe:

/var/lib/opencalea/<caseID>/<IASP ID>/CmC.pcap
/var/lib/opencalea/<caseID>/<IASP ID>/CmII.txt

or even timestamp the file with the time lea_collector starts:

/var/lib/opencalea/<caseID>/<IASP ID>/CmC-<timestamp>.pcap
/var/lib/opencalea/<caseID>/<IASP ID>/CmII-<timestamp>.txt


While on the subject, thoughts on multiplexing there?  The LEA will
likely want to filter out packets other than from IASPs they're
supposed to be receiving from, and CALEA requires encryption for all
practical purposes (Section 103.a.4.B requires delivery that protects
"information regarding the government's interception of communications
and access to call-identifying information", which plain-text
"opencalea" packets over the internet would not), so for now I'd guess
an external vpn connection is most appropriate; and maybe even
long-term.  If we actually follow the ATIS standard, there's also
nothing in the CmC packets to identify the IASP (except you could embed
it in the ContentID) .. if there were any chance of overlap of ContentID
between different IASPs, then the LEA would have to either run multiple
collectors on different ports (or ip addrs) for each IASP, or be able to
distinguish by the source ip addr what caseid/IASP a packet relates
to.  

So if we can make multiple running lea_collectors never collide with
each other (including pid/log files and whatever else), I think we
should be fine with the current design and an external vpn.  To be safe,
you could even put the pid in the filenames:

/var/lib/opencalea/<caseID>/<IASP ID>/CmC-<timestamp>-<pid>.pcap
/var/lib/opencalea/<caseID>/<IASP ID>/CmII-<timestamp>-<pid>.txt



On Fri, 2007-03-23 at 13:09 -0400, Manish Karir wrote:
> 
> 
> >  Also need to consider a directory structure for the capture files.
> > Maybe
> >
> > /var/lib/opencalea/<caseID>/CmC.pcap
> > /var/lib/opencalea/<caseID>/CmII.txt
> 
> sounds good.
> 
> the append versus override decision is a judgement call.  I could
> go either way on that.  Anyone else have any preferences on it? 
> 
-- 
Jesse Norell - jesse@kci.net
Kentec Communications, Inc.
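As an added illustration of the directory layout discussed above (this is example code written for this archive page, not code from the thread or from the OpenCALEA project), the following builds the `<caseID>/<IASP ID>/CmC-<timestamp>-<pid>.pcap` and `CmII-<timestamp>-<pid>.txt` paths and creates each capture file with `O_CREAT|O_EXCL`, so two collectors that somehow compute the same name fail loudly instead of one silently overwriting or appending to the other's file. The timestamp format, the allowed identifier character set, and the function names are assumptions; the base directory is the one proposed in the message.

```python
import os
import re
from datetime import datetime, timezone
from pathlib import Path

# Base directory as proposed in the message.
BASE_DIR = Path("/var/lib/opencalea")

# caseID and IASP ID come from outside the collector (the paperwork and the
# delivering IASP), so they are restricted to a safe character set before
# being used as directory names; this keeps "../x" or "a/b" from escaping
# BASE_DIR. The exact character set is an assumption made for this example.
_SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_id(value: str) -> str:
    """Return value unchanged if it is safe to use as a single path component."""
    if not _SAFE_ID.fullmatch(value):
        raise ValueError(f"unsafe identifier: {value!r}")
    return value


def capture_paths(case_id, iasp_id, started_at=None, pid=None, base_dir=BASE_DIR):
    """Return (CmC pcap path, CmII text path) for one lea_collector instance.

    Layout: <base>/<caseID>/<IASP ID>/CmC-<timestamp>-<pid>.pcap and
    CmII-<timestamp>-<pid>.txt, with the timestamp taken from the moment the
    collector starts (assumed format: UTC, YYYYmmddTHHMMSSZ).
    """
    case_id = validate_id(case_id)
    iasp_id = validate_id(iasp_id)
    started_at = started_at or datetime.now(timezone.utc)
    pid = os.getpid() if pid is None else pid
    stamp = started_at.strftime("%Y%m%dT%H%M%SZ")
    target = Path(base_dir) / case_id / iasp_id
    return (target / f"CmC-{stamp}-{pid}.pcap", target / f"CmII-{stamp}-{pid}.txt")


def open_new(path: Path, mode_bits=0o600):
    """Create a capture file that must not already exist.

    O_CREAT|O_EXCL makes the create-if-absent check atomic, so a second
    collector that lands on the same name gets FileExistsError rather than
    overwriting or appending to evidence written by the first one. Files are
    created mode 0600 so only the collector's user can read the intercept.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode_bits)
    return os.fdopen(fd, "wb")


if __name__ == "__main__":
    # Constructed sample identifiers; prints the two paths this process would use.
    cmc, cmii = capture_paths("case-001", "iasp-42")
    print(cmc)
    print(cmii)
```

Running several collectors under one base directory then only requires that each computes its own `(timestamp, pid)` pair; the exclusive create turns any remaining collision into an immediate error rather than a silently merged capture, which also settles the append-versus-overwrite question for the file names themselves.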




