Thursday, April 19, 2007

CALEA Mania

CALEA is the Communications Assistance for Law Enforcement Act. I wrote about CALEA three years ago in Excellent Coverage of Wiretapping:

CALEA requires telecommunications carriers to allow law enforcement "to intercept, to the exclusion of any other communications, all wire and electronic communications carried by the carrier" and "to access call-identifying information," among other powers.

A lot has happened since then. Basically, all facilities-based broadband access providers and interconnected VoIP service providers must be CALEA-compliant by 14 May 2007. This means a lot of companies, of all sizes, are scrambling to deploy processes and tools to collect information in accordance with the law, as well as filing the right reports with the FCC.

If you're affected by CALEA I don't think you'll learn much from this post. However, those who do not work for ISPs might like to know a little bit about what is happening. (Note: I am not personally affected, so this post is based on some research I did this morning.) The post CALEA Mediation provides a lot of details and links, and the Wikipedia entry is good (as long as no one makes crazy changes). WISPA's mailing lists have carried several extended threads on CALEA compliance for wireless ISPs. The definitive blog on CALEA appears to be Demystifying Lawful Intercept and CALEA, by Scott Coleman, Director of Marketing for Lawful Intercept at SS8 Networks.

What started me looking at CALEA again was the story Solera Networks' CALEA Compliance Device, which talked about this Solera Networks appliance. The article mentioned OpenCALEA, which was new to me.

I checked out OpenCALEA via SVN from its OpenCALEA Google code site. Jesse Norell was helpful in #calea on irc.freenode.net. I installed the code on two FreeBSD 6.x boxes, cel433 (the "sensor") and poweredge (the box a Fed might use to collect data).

First I started a collector on the "Fed" box.

poweredge:/usr/local/opencalea_rev38/bin# ./lea_collector -t /tmp/cmii.txt -u richard -f /tmp/cmc.pcap

Next I started a "tap" on the sensor to watch port 6667 traffic.

cel433:/usr/local/opencalea_rev38/bin# ./tap -x x -y y -z z -f "port 6667" -i dc0 -d 10.1.13.2 -c

As I typed traffic in an IRC channel on a connection watched by the tap...

13:25 < helevius> This is another CALEA test

...the tap sent traffic to the Fed box.

13:26:28.795644 IP cel433.taosecurity.com.62576 > poweredge.taosecurity.com.6666: UDP, length 265
0x0000: 4500 0125 80ca 0000 4011 cdf8 0a01 0a02 E..%....@.......
0x0010: 0a01 0d02 f470 1a0a 0111 44ce 7800 0000 .....p....D.x...
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 3230 3037 ............2007
0x00a0: 2d30 342d 3139 5431 373a 3236 3a32 382e -04-19T17:26:28.
0x00b0: 3430 3600 015c 22aa c200 02b3 0acd 5e08 406..\".......^.
0x00c0: 0045 0000 64c3 8f40 003f 0635 8245 8fca .E..d..@.?.5.E..
0x00d0: 1c8c d3a6 0380 331a 0b4f bb43 bfc4 6a95 ......3..O.C..j.
0x00e0: e080 187f ffe4 cc00 0001 0108 0a52 0b91 .............R..
0x00f0: ad05 c1a5 e150 5249 564d 5347 2023 736e .....PRIVMSG.#sn
0x0100: 6f72 742d 6775 6920 3a54 6869 7320 6973 ort-gui.:This.is
0x0110: 2061 6e6f 7468 6572 2043 414c 4541 2074 .another.CALEA.t
0x0120: 6573 740d 0a est..
13:26:28.795810 IP cel433.taosecurity.com.54296 > poweredge.taosecurity.com.6667: UDP, length 423
0x0000: 4500 01c3 80cb 0000 4011 cd59 0a01 0a02 E.......@..Y....
0x0010: 0a01 0d02 d418 1a0b 01af 3d00 7900 0000 ..........=.y...
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 7a00 0000 ............z...
0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0110: 0000 0000 0000 0000 0000 0000 3230 3037 ............2007
0x0120: 2d30 342d 3139 5431 373a 3236 3a32 382e -04-19T17:26:28.
0x0130: 3430 3678 0000 0000 0000 0000 0000 0000 406x............
0x0140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01b0: 0000 00bf 0080 0508 1cca 8f45 03a6 d38c ...........E....
0x01c0: 8033 1a .3.

The datagram sent to UDP port 6666 carries the intercepted content, and the datagram sent to UDP port 6667 carries a connection record of some kind.

After shutting down the tap and collector, I checked the files the collector created.

poweredge:/usr/local/opencalea_rev38/bin# cat /tmp/cmii.txt
x, y, z, 2007-04-19T17:26:28.406, 69.143.202.28, 69.143.202.28, 32819, 6656
x, y, z, 2007-04-19T17:26:28.514, 140.211.166.3, 140.211.166.3, 6667, 32768
x, y, z, 2007-04-19T17:26:34.195, 140.211.166.3, 140.211.166.3, 6667, 32768
x, y, z, 2007-04-19T17:26:34.196, 69.143.202.28, 69.143.202.28, 32819, 6656

CMII is Communications Identifying Information. Here's the content (the cmc.pcap file), which is saved in libpcap format.

poweredge:/usr/local/opencalea_rev38/bin# tcpdump -n -r /tmp/cmc.pcap -X
reading from file /tmp/cmc.pcap, link-type EN10MB (Ethernet)
13:26:28.406000 IP 69.143.202.28.32819 > 140.211.166.3.6667: P 1337672639:1337672687(48) ack 3295319520 win 32767
0x0000: 4500 0064 c38f 4000 3f06 3582 458f ca1c E..d..@.?.5.E...
0x0010: 8cd3 a603 8033 1a0b 4fbb 43bf c46a 95e0 .....3..O.C..j..
0x0020: 8018 7fff e4cc 0000 0101 080a 520b 91ad ............R...
0x0030: 05c1 a5e1 5052 4956 4d53 4720 2373 6e6f ....PRIVMSG.#sno
0x0040: 7274 2d67 7569 203a 5468 6973 2069 7320 rt-gui.:This.is.
0x0050: 616e 6f74 6865 7220 4341 4c45 4120 7465 another.CALEA.te
0x0060: 7374 0d0a st..
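
As an added example (my own code, not part of the original post and not OpenCALEA's code), here is a Python script that parses the port 6666 content datagram from the tcpdump output above and cross-checks it against the cmii.txt lines. It goes a little beyond the post: rather than just reading the two outputs, it verifies that the 5-tuple in the CMII record agrees with the packet actually captured, which is the check a practitioner would want before trusting a collector's records. The datagram layout (a 128-byte NUL-padded identifier holding the tap's -x value, a 23-byte timestamp, then the raw Ethernet frame) is inferred from the hex dump, and the column meaning of cmii.txt is assumed; neither comes from the OpenCALEA source.

```python
"""Parse an OpenCALEA content datagram and cross-check it against the
collector's CMII text records (added example, not OpenCALEA code)."""
import struct
from ipaddress import IPv4Address

# Payload of the UDP datagram to port 6666, transcribed from the tcpdump
# output in the post. Layout inferred from that dump (assumption, not taken
# from OpenCALEA's source): a 128-byte NUL-padded identifier, a 23-byte
# timestamp, then the captured Ethernet frame.
CONTENT_PAYLOAD = (
    b"x" + b"\x00" * 127
    + b"2007-04-19T17:26:28.406"
    + bytes.fromhex(
        "00015c22aac2 0002b30acd5e 0800"                    # Ethernet header
        "4500 0064 c38f 4000 3f06 3582 458fca1c 8cd3a603"   # IPv4 header
        "8033 1a0b 4fbb43bf c46a95e0 8018 7fff e4cc 0000"   # TCP header
        "0101 080a 520b91ad 05c1a5e1"                       # TCP options
        "505249564d534720 23736e6f72742d677569203a"         # "PRIVMSG #snort-gui :"
        "5468697320697320616e6f7468657220"                  # "This is another "
        "43414c454120746573740d0a"                          # "CALEA test\r\n"
    )
)

# Contents of /tmp/cmii.txt as printed in the post.
CMII_TEXT = """\
x, y, z, 2007-04-19T17:26:28.406, 69.143.202.28, 69.143.202.28, 32819, 6656
x, y, z, 2007-04-19T17:26:28.514, 140.211.166.3, 140.211.166.3, 6667, 32768
x, y, z, 2007-04-19T17:26:34.195, 140.211.166.3, 140.211.166.3, 6667, 32768
x, y, z, 2007-04-19T17:26:34.196, 69.143.202.28, 69.143.202.28, 32819, 6656
"""

ID_LEN, TS_LEN = 128, 23  # inferred field widths (assumption)


def parse_content(payload):
    """Split a content datagram into identifier, timestamp and the TCP/IP
    5-tuple plus application data of the packet it carries."""
    ident = payload[:ID_LEN].rstrip(b"\x00").decode("ascii")
    ts = payload[ID_LEN:ID_LEN + TS_LEN].decode("ascii")
    frame = payload[ID_LEN + TS_LEN:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("embedded frame is not IPv4: ethertype %#06x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IP header length in bytes
    if ip[9] != 6:
        raise ValueError("embedded packet is not TCP: protocol %d" % ip[9])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4           # TCP data offset in bytes
    return {
        "id": ident, "ts": ts,
        "src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport, "data": tcp[doff:],
    }


def parse_cmii(text):
    """Parse cmii.txt. Column meaning is assumed (the post does not label
    them): the tap's -x/-y/-z values, timestamp, source IP, destination IP,
    source port, destination port."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [c.strip() for c in line.split(",")]
        if len(f) != 8:
            raise ValueError("unexpected CMII line: %r" % line)
        records.append({"x": f[0], "y": f[1], "z": f[2], "ts": f[3],
                        "src": f[4], "dst": f[5],
                        "sport": int(f[6]), "dport": int(f[7])})
    return records


def check(payload, cmii_text):
    """Find the CMII record with the same timestamp as the content datagram
    and list the 5-tuple fields on which the two disagree."""
    content = parse_content(payload)
    matches = [r for r in parse_cmii(cmii_text) if r["ts"] == content["ts"]]
    if len(matches) != 1:
        raise ValueError("expected one CMII record for %s, found %d"
                         % (content["ts"], len(matches)))
    record = matches[0]
    bad = [k for k in ("src", "dst", "sport", "dport") if content[k] != record[k]]
    return {"content": content, "record": record, "mismatches": bad}


if __name__ == "__main__":
    result = check(CONTENT_PAYLOAD, CMII_TEXT)
    c = result["content"]
    print("content: %s:%d -> %s:%d %r" % (c["src"], c["sport"], c["dst"], c["dport"], c["data"]))
    print("record:  %(src)s:%(sport)d -> %(dst)s:%(dport)d" % result["record"])
    print("mismatches:", result["mismatches"] or "none")
```

Run as-is, the script recovers the IRC PRIVMSG from the datagram and reports that the first cmii.txt line disagrees with the content packet in the destination address and port (69.143.202.28 and 6656 in the record, 140.211.166.3 and 6667 in the packet). The post does not say why the record and the packet differ, and that is exactly the kind of discrepancy worth catching before a collector's records are relied on.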


Jesse told me there's a lot of work to be done on this open source suite. The idea is to give businesses that can't afford a commercial CALEA solution an open source option.

I plan to keep an eye on the OpenCALEA mailing list and try new versions as they are released.

2 comments:

Vivek Rajan said...

>> must be CALEA-compliant by 14 May 2007 >>

Wow, there is barely a month to go. Any idea how much progress has been made till date?

Vietnam holiday said...

This comment has been removed by a blog administrator.