Re: [nznog] TICSA and lawful intercept

On 6/09/2017, at 2:33 PM, Dave Mill wrote:

Hi again

On Mon, Sep 4, 2017 at 6:34 PM, Nathan Ward mailto:nznog(a)daork.net> wrote:

...

Perhaps some collaboration here would be useful, if others are looking at their own implementations of this stuff? I don’t imagine much could happen in terms of sharing hardware - unless the LFCs and other last mile providers offer some sort of “LI service”, but if someone is or is thinking about writing some software or something then collaboration seems like a good idea.

What Nathan mentions here about collaboration is where I have been heading but first a bit of an update on all of this.

Since my first post LI on NZNOG I've had a few off-list replies and a few chats with people on other mediums.

I'm treating all conversations as confidential but as a general summary.

-I've heard from a few ISPs or other network operators interested in my post and interested in some degree of collaboration. As Nathan suggests that is collaboration on coming up with a solution rather than sharing of actual hardware.

-Most people I've talked to are a bit surprised at ETSI now being required and most people were just assuming they are compliant by being able to offer pcaps on demand.

-I have previously reached out to the police by email regarding whether we can put together other (non-ETSI) options for LI but so far haven't had a response

-Potentially, interested organisations could arrange a meet up with the police LI people in Wellington and work together on a solution

-I have heard from NZ organisations that are either supplying tools/equipment to do LI or are interested in doing so

-Potentially (this is obviously completely unknown) if enough of us wished to do LI in the same manner we could convince the police and other government departments to accept a non ETSI format of LI? Again, feedback from the police here would be great.

In general, it seems like we should be forming some kind of working group where a group of us just start working towards the goal of being able to carry out police and other departments' LI requests in a cost-efficient manner and avoid fines or being non-compliant.

I think the next step from here is having the people I've already talked to agree that they can participate in a small group where their identity and organisation will be known and also for me to hear from other organisations that might be interested in working together on LI. Note, it is my understanding that you still have some LI obligations if you have less than 4000 customers..

The rest of your email was interesting and I’m generally in agreement, but, focussing on just this one thing for the minute.. What is the objection to ETSI format here? The format itself looks rather straightforward, if you can provide a PCAP for this today I think you could turn this in to the ETSI format in some sort of mediation device fairly easily - either streaming or as files on an SFTP/similar server. The only reason I haven’t started cutting code to do this is I don’t know how to go about validating the output yet, heh. My understanding is that the ETSI format typically includes L2 encapsulation if the data comes from a BNG/access node that supports “proper” LI. I’d be interested in understanding if this is a requirement. The thing that PCAP on demand certainly doesn’t do is the IRI stuff. The feeling I get right now is that that’s going to be pretty implementation specific in a lot of circumstances unless you’re buying a vendor solution. BNGs which have LI licenses and so on (and so probably export ETSI data for CC) are likely to support SNMPv3 IRI, which is good. In a PCAP/mirror port->ETSI situation you’re going to need to figure out how to get intercept related RADIUS messages or something similar where they need to go. Certainly not insurmountable, but, every network I work with would have a different solution for that, I’m sure. -- Nathan Ward