Hi again On Mon, Sep 4, 2017 at 6:34 PM, Nathan Ward wrote:

Perhaps some collaboration here would be useful, if others are looking at their own implementations of this stuff? I don’t imagine much could happen in terms of sharing hardware - unless the LFCs and other last mile providers offer some sort of “LI service”, but if someone is or is thinking about writing some software or something then collaboration seems like a good idea.

What Nathan mentions here about collaboration is where I have been heading but first a bit of an update on all of this. Since my first post LI on NZNOG I've had a few off-list replies and a few chats with people on other mediums. I'm treating all conversations as confidential but as a general summary. -I've heard from a few ISPs or other network operators interested in my post and interested in some degree of collaboration. As Nathan suggests that is collaboration on coming up with a solution rather than sharing of actual hardware. -Most people I've talked to are a bit surprised at ETSI now being required and most people were just assuming they are compliant by being able to offer pcaps on demand. -I have previously reached out to the police by email regarding whether we can put together other (non-ETSI) options for LI but so far haven't had a response -Potentially, interested organisations could arrange a meet up with the police LI people in Wellington and work together on a solution -I have heard from NZ organisations that are either supplying tools/equipment to do LI or are interested in doing so -Potentially (this is obviously completely unknown) if enough of us wished to do LI in the same manner we could convince the police and other government departments to accept a non ETSI format of LI? Again, feedback from the police here would be great. In general, it seems like we should be forming some kind of working group where a group of us just start working towards the goal of being able to carry out police and other departments' LI requests in a cost-efficient manner and avoid fines or being non-compliant. I think the next step from here is having the people I've already talked to agree that they can participate in a small group where their identity and organisation will be known and also for me to hear from other organisations that might be interested in working together on LI. Note, it is my understanding that you still have some LI obligations if you have less than 4000 customers.. Cheers Dave

Hi all, During the TICSA roadshow last month, there was a representative from the Police talking about the provision of the data from the interception. He made the point that solution using pcap and ftp is not acceptable due to delays in receiving the data and other reasons. They need the data faster than that. They also talked about the importance of the meta data surrounding the capture and that they are using the 2012 version of the standard rather than the latest because the support for the latest version isn’t there yet. So I agree with getting in touch with them before you start creating your own solution. The conversation needs to include how any proposed solution could be certified to stand up to Court scrutiny. Peter. Peter Ensor | Chief Architect Ultrafast Fibre T +64 (7) 8503880 M +64 (21) 02502772 E Peter.Ensor(a)ultrafast.co.nzmailto:Peter.Ensor(a)ultrafast.co.nz W ultrafastfibre.co.nzhttp://ultrafastfibre.co.nz/ ________________________________ Attention: This e-mail message is intended for the intended recipient only and it may contain Ultrafast Fibre Limited confidential or legally privileged information or both. No confidentiality or privilege is waived or lost if this email has been delivered to the wrong recipient. If you have received this email in error, please immediately delete it from your system and notify Ultrafast Fibre Limited. You must not disclose, copy or relay any part of this correspondence if you are not the intended recipient. Any views expressed in this message are those of the individual sender and not Ultrafast Fibre Limited. This email has been checked for viruses. However, Ultrafast Fibre Limited makes no warranty that this email or any attachments are free from viruses or other conditions which may damage or interfere with recipient data, hardware or software. The recipient relies on its own procedures and assumes all risk of use and of opening any attachments. ________________________________ From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Wednesday, 6 September 2017 2:58 PM To: Dave Mill Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] TICSA and lawful intercept On 6/09/2017, at 2:33 PM, Dave Mill mailto:dave(a)mill.net.nz> wrote: Hi again On Mon, Sep 4, 2017 at 6:34 PM, Nathan Ward mailto:nznog(a)daork.net> wrote: Perhaps some collaboration here would be useful, if others are looking at their own implementations of this stuff? I don’t imagine much could happen in terms of sharing hardware - unless the LFCs and other last mile providers offer some sort of “LI service”, but if someone is or is thinking about writing some software or something then collaboration seems like a good idea. What Nathan mentions here about collaboration is where I have been heading but first a bit of an update on all of this. Since my first post LI on NZNOG I've had a few off-list replies and a few chats with people on other mediums. I'm treating all conversations as confidential but as a general summary. -I've heard from a few ISPs or other network operators interested in my post and interested in some degree of collaboration. As Nathan suggests that is collaboration on coming up with a solution rather than sharing of actual hardware. -Most people I've talked to are a bit surprised at ETSI now being required and most people were just assuming they are compliant by being able to offer pcaps on demand. -I have previously reached out to the police by email regarding whether we can put together other (non-ETSI) options for LI but so far haven't had a response -Potentially, interested organisations could arrange a meet up with the police LI people in Wellington and work together on a solution -I have heard from NZ organisations that are either supplying tools/equipment to do LI or are interested in doing so -Potentially (this is obviously completely unknown) if enough of us wished to do LI in the same manner we could convince the police and other government departments to accept a non ETSI format of LI? Again, feedback from the police here would be great. In general, it seems like we should be forming some kind of working group where a group of us just start working towards the goal of being able to carry out police and other departments' LI requests in a cost-efficient manner and avoid fines or being non-compliant. I think the next step from here is having the people I've already talked to agree that they can participate in a small group where their identity and organisation will be known and also for me to hear from other organisations that might be interested in working together on LI. Note, it is my understanding that you still have some LI obligations if you have less than 4000 customers.. The rest of your email was interesting and I’m generally in agreement, but, focussing on just this one thing for the minute.. What is the objection to ETSI format here? The format itself looks rather straightforward, if you can provide a PCAP for this today I think you could turn this in to the ETSI format in some sort of mediation device fairly easily - either streaming or as files on an SFTP/similar server. The only reason I haven’t started cutting code to do this is I don’t know how to go about validating the output yet, heh. My understanding is that the ETSI format typically includes L2 encapsulation if the data comes from a BNG/access node that supports “proper” LI. I’d be interested in understanding if this is a requirement. The thing that PCAP on demand certainly doesn’t do is the IRI stuff. The feeling I get right now is that that’s going to be pretty implementation specific in a lot of circumstances unless you’re buying a vendor solution. BNGs which have LI licenses and so on (and so probably export ETSI data for CC) are likely to support SNMPv3 IRI, which is good. In a PCAP/mirror port->ETSI situation you’re going to need to figure out how to get intercept related RADIUS messages or something similar where they need to go. Certainly not insurmountable, but, every network I work with would have a different solution for that, I’m sure. -- Nathan Ward

On Wed, Sep 6, 2017 at 2:57 PM, Nathan Ward wrote:

The rest of your email was interesting and I’m generally in agreement, but, focussing on just this one thing for the minute..

What is the objection to ETSI format here? The format itself looks rather straightforward, if you can provide a PCAP for this today I think you could turn this in to the ETSI format in some sort of mediation device fairly easily - either streaming or as files on an SFTP/similar server. The only reason I haven’t started cutting code to do this is I don’t know how to go about validating the output yet, heh.

Right now, I have less objections to ETSI than I did before. These are my own thoughts and not Inspire's. My objections are more regarding communications, cost and politics related rather than technological. Previously, it was implied (at a TICSA workshop) that any vendor ETSI LI solution costs at least 6 figures. However, since looking in to options it seems the price isn't necessarily going to be that high. So, previously I was trying to avoid the high costs that seemed to be associated with ETSI solutions. As Peter just stated, from the government's point of view they need something that can stand up in court. ETSI will do this. However, from the legislation, specifically section 10 and section 40, we should be able to do interception in a 'format that is acceptable to the network operator and the surveillance agency'. I have been trying to work on coming up with that arrangement for a long period of time but with no success. Section 40 mentions about a standard being gazetted in the future with *industry consultation*. Plus the police website right currently states 'Although no standards have been Gazetted yet, the European Telecommunications Standards Institute (ETSI) standards and specifications, specific to the type of service to be intercepted, are the standards we are currently working to.'. So, right now everything implies that whilst ETSI is preferred it is not currently the standard. In general, everything we read implies LI formats can be worked out between the industry and the police but in reality I don't believe that has occurred. Most people I have talked to recently assumed pcaps were still completely fine - including those that actually supply LI gear. So, in conclusion, maybe ETSI is the best format, and isn't as expensive as I had thought to achieve. However, it would have been nice if the parties involved had carried out more consultation with the industry and if were all made more aware that we are required to supply data in the ETSI format (assuming that is definitely required - which I am still unclear on). Moving on from my personal views, as Peter suggests, if we just form a group of us, and sit down with the 'powers that be', we can hopefully work out a solution that is acceptable to all. Cheers Dave

On Wed, Sep 6, 2017 at 3:43 PM, Chris Browning < chris.browning(a)lightwire.co.nz> wrote:

*Section 40 mentions about a standard being gazetted in the future with industry consultation. Plus the police website right currently states 'Although no standards have been Gazetted yet, the European Telecommunications Standards Institute (ETSI) standards and specifications, specific to the type of service to be intercepted, are the standards we are currently working to.'. So, right now everything implies that whilst ETSI is preferred it is not currently the standard.*

https://gazette.govt.nz/assets/pdf-cache/2017/final/ 2017-08-17_Gazette_83.pdf .

Pages 119 and 120 are of note. There has been a Gazette about this.

Thanks, that clears that part up. Its clear that we need to work towards ETSI. Cheers Dave

On Wed, Sep 6, 2017 at 4:17 PM, Ewen McNeill wrote:

On quick searching it's unclear if there is, eg, an existing open source implementation. The opentap.org mentioned at the end of that slide set appears to be gone (replaced by a non-English advertising site).

A year ago there was another open source implementation called release14. But that vanished since then. I have contacted them but nothing back. Being very cynical here, but there seems to be big money in LI and open source solutions don't seem to last very long... Dave

On Wed, Sep 6, 2017 at 4:28 PM, Michael Fincham wrote:

On Wed, 6 Sep 2017 16:23:38 +1200 Dave Mill wrote:

...

A year ago there was another open source implementation called release14. But that vanished since then. I have contacted them but nothing back.

Do you have a link to their code? I'd be interested to have a look at what they were doing.

Or do you mean "vanished" in the "disappeaed and took all the code with them" sense?

A year ago there was a published website. The system appeared to do LI in the ETSI format. You had to email them to get access to the project. I emailed them at the time. I never had a reply. Since then the website has gone - its now a GoDaddy holding page - http://release14.org/?reqp=1&reqr= An old page is here - https://web.archive.org/web/20160328205455/http://www.release14.org/ Someone else I've talked to has mentioned another FOSS LI project doing a similar vanishing act about 2 years ago. To be honest, I don't really know what to read in to that if anything. Dave

On Wed, 6 Sep 2017 16:35:39 +1200 Dave Mill wrote:

You had to email them to get access to the project. [...] To be honest, I don't really know what to read in to that if anything.

Seems like a case of "did not do Open Source very well" to me :/ Hopefully folks can ask around and see if anyone ever got a copy of the code, and under what license... -- Michael

HI all, OpenTap seems to have gone away some time ago, but here is an archived page on what they were about - all documents were database based and no longer available. https://web.archive.org/web/20060213173613/http://www.opentap.org:80/ There's an article here about using another open source project OpenSBC for LI. http://blog.tmcnet.com/third-screen/2008/12/opensbc_used_for_lawful_intercep... This submission by the TCF is interesting in it's support for Open Source: http://www.tcf.org.nz/assets/submissions/2016-08-tcf-submission-on-lawful-in... /Innovation by way of Open Source software and hardware must not be impeded by requiring the mandatory selection of ETSI certified solutions. Such that Service Providers selection and investment decisions in new technologies is restricted. // //Even where it can be afforded, investing $1,000,000 in LI solutions will have significant impacts on services as it will divert funds from other essential service elements such as customer and technical services. Where reasonable, new Open Source intercept ready applications should be acceptable// / cheers Gary On 06-Sep-17 4:51 PM, Gary Benner wrote:

Here's some names and contact details for Release14:

RELEASE14 LTD Company number 08254831 Active

*Josip Djuricic* Founder/Lead Developer at Release14.org System Engineer https://www.linkedin.com/in/jdjurici 21 Zagrebacka, 10291 Prigorje Brdovecko, Croatia

*Damir Franusic* https://twitter.com/jdjurici http://www.doyoubuzz.com/damir-franusic/cv/jobs/4sms damir.franusic(a)gmail.com

cheers

Gary

On 06-Sep-17 4:39 PM, Michael Fincham wrote:

...

On Wed, 6 Sep 2017 16:35:39 +1200 Dave Mill wrote:

...

You had to email them to get access to the project. [...] To be honest, I don't really know what to read in to that if anything. Seems like a case of "did not do Open Source very well" to me :/

Hopefully folks can ask around and see if anyone ever got a copy of the code, and under what license...

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

Agree about the mutually agreed standards. FYI, the correspondence from MBIE stated: “I would also like to reiterate that the final notice will be designed to allow security agencies and network operators to continue the practice of negotiating individual arrangements. The introduction of regulations is intended to signal the preferred format for intercepted data, while also providing flexibility for parties to reach an alternative solution that will assist with effective law enforcement.” For those you who are members of the TCF, your reps will have a copy of the TCF submission on the consultation if you want to read it. The date when it was gazetted is 17 August https://www.gazette.govt.nz/assets/pdf-cache/2017/2017-go4175.pdf?2017-08-17 10:00:43 Cheers, From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Dave Mill Sent: Wednesday, 6 September 2017 3:38 PM To: Nathan Ward Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] TICSA and lawful intercept On Wed, Sep 6, 2017 at 2:57 PM, Nathan Ward mailto:nznog(a)daork.net> wrote: The rest of your email was interesting and I’m generally in agreement, but, focussing on just this one thing for the minute.. What is the objection to ETSI format here? The format itself looks rather straightforward, if you can provide a PCAP for this today I think you could turn this in to the ETSI format in some sort of mediation device fairly easily - either streaming or as files on an SFTP/similar server. The only reason I haven’t started cutting code to do this is I don’t know how to go about validating the output yet, heh. Right now, I have less objections to ETSI than I did before. These are my own thoughts and not Inspire's. My objections are more regarding communications, cost and politics related rather than technological. Previously, it was implied (at a TICSA workshop) that any vendor ETSI LI solution costs at least 6 figures. However, since looking in to options it seems the price isn't necessarily going to be that high. So, previously I was trying to avoid the high costs that seemed to be associated with ETSI solutions. As Peter just stated, from the government's point of view they need something that can stand up in court. ETSI will do this. However, from the legislation, specifically section 10 and section 40, we should be able to do interception in a 'format that is acceptable to the network operator and the surveillance agency'. I have been trying to work on coming up with that arrangement for a long period of time but with no success. Section 40 mentions about a standard being gazetted in the future with industry consultation. Plus the police website right currently states 'Although no standards have been Gazetted yet, the European Telecommunications Standards Institute (ETSI) standards and specifications, specific to the type of service to be intercepted, are the standards we are currently working to.'. So, right now everything implies that whilst ETSI is preferred it is not currently the standard. In general, everything we read implies LI formats can be worked out between the industry and the police but in reality I don't believe that has occurred. Most people I have talked to recently assumed pcaps were still completely fine - including those that actually supply LI gear. So, in conclusion, maybe ETSI is the best format, and isn't as expensive as I had thought to achieve. However, it would have been nice if the parties involved had carried out more consultation with the industry and if were all made more aware that we are required to supply data in the ETSI format (assuming that is definitely required - which I am still unclear on). Moving on from my personal views, as Peter suggests, if we just form a group of us, and sit down with the 'powers that be', we can hopefully work out a solution that is acceptable to all. Cheers Dave Peter Ensor | Chief Architect Ultrafast Fibre T +64 (7) 8503880 M +64 (21) 02502772 E Peter.Ensor(a)ultrafast.co.nzmailto:Peter.Ensor(a)ultrafast.co.nz W ultrafastfibre.co.nzhttp://ultrafastfibre.co.nz/ ________________________________ Attention: This e-mail message is intended for the intended recipient only and it may contain Ultrafast Fibre Limited confidential or legally privileged information or both. No confidentiality or privilege is waived or lost if this email has been delivered to the wrong recipient. If you have received this email in error, please immediately delete it from your system and notify Ultrafast Fibre Limited. You must not disclose, copy or relay any part of this correspondence if you are not the intended recipient. Any views expressed in this message are those of the individual sender and not Ultrafast Fibre Limited. This email has been checked for viruses. However, Ultrafast Fibre Limited makes no warranty that this email or any attachments are free from viruses or other conditions which may damage or interfere with recipient data, hardware or software. The recipient relies on its own procedures and assumes all risk of use and of opening any attachments. ________________________________

On 6/09/2017, at 4:12 PM, Michael Fincham wrote:

This is also my personal view...

On Wed, 6 Sep 2017 15:37:49 +1200 Dave Mill wrote:

...

So, in conclusion, maybe ETSI is the best format, and isn't as expensive as I had thought to achieve.

Any acceptable format needs to have an open source implementation. That is a very hard reqiurement, from my point of view.

Unless this ETSI stuff can be produced using open source tooling we need to push back hard on it.

I’d like to write or use that code. The standards are open, so, if it is acceptable to agencies then it would be good to do. My understanding is that a lot of the vendor devices don’t work out of the box anyway and they need to do a bunch of dev. Why get someone else to do it? :-) -- Nathan Ward