(RADIATOR) Session based Lawful Intercepts
Hugh Irvine
hugh at open.com.au
Mon Feb 26 19:18:33 CST 2007
Hello Robert -
Quite correct - my comments were directed at point 1) below.
There is a fourth option also which is just promiscuous scanning of
traffic as it goes by some sniffer type device.
regards
Hugh
On 27 Feb 2007, at 12:05, Robert Blayzor wrote:
> Hugh Irvine wrote:
>> Further to this, there are additional requirements over and above
>> Radiator.
>>
>> You will also need some sort of warrant insertion so that the user
>> authentication for the specific user returns the required attributes,
>> and you will also need some mediation device which will receive
>> the tap
>> data and package it according to your LI agency requirements.
>
>
> Not really. Actually lawful intercept works one of three ways.
>
> 1) Via return attributes supplied from the RADIUS server in the
> access-accept. (ie: the salt encrypted attributes in the link I
> provided) This tells the NAS/LAC to start sending packets to the
> device
> supplied.
>
> 2) Via a client side request to the NAS supplying the current
> session-id of the user (with the above attributes) COA.
>
> 3) Via SNMPv3 request with the appropriate MIB.
>
>
> The mediation device is optional depending on how you want to
> supply the
> data to the LEA. (at least the law is written that way). I believe
> (from what I've read) the intercepted traffic is just encapsulated
> into
> a UDP stream and sent to a port on the mediation device. One could
> probably just also sniff the port with tcpdump and capture the data
> and
> provide to the LEA. That's the problem with CALEA right now, there is
> no one way of doing it, there is no enforced standard; and there
> probably should not be. There is a huge racket of consultants and
> software vendors right now collecting a ton of money for something so
> simple. (ie: capture packets and forward them).
>
> As a broadband provider that's 100% PPPoX with LI enabled bba
> routers,
> naturally RADIUS is our best fit. (no expensive probes required)
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> rblayzor\@(inoc.net|gmail.com)
> PGP: 0x66F90BFC @ http://pgp.mit.edu
> Key fingerprint = 6296 F715 038B 44C1 2720 292A 8580 500E 66F9 0BFC
>
> "Pinky, you've left the lens cap of your mind on again."
> - The Brain
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
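The "salt encrypted" return attributes in Robert's point 1) above are assumed here to use the RFC 2868 Tunnel-Password scheme (secret + Request-Authenticator + 2-octet salt, MD5-chained). The following is an added example, not Radiator code and not from either poster, showing how a RADIUS server would encrypt such an attribute value for the Access-Accept and how the NAS would recover it; the shared secret, Request-Authenticator and the attribute string are constructed sample values.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_salt() -> bytes:
    # RFC 2868: two octets, most significant bit of the first octet set.
    s = os.urandom(2)
    return bytes([s[0] | 0x80, s[1]])


def salt_encrypt(plaintext: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Encrypt an attribute value RFC 2868 style; returns salt + ciphertext."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the MSB of the first set")
    if len(request_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    # Plaintext is prefixed with its length and zero-padded to a 16-octet multiple.
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % 16)
    # First key block binds the secret, the request's authenticator and the salt;
    # each following block is chained on the previous ciphertext block.
    prev = hashlib.md5(secret + request_auth + salt).digest()
    out = b""
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], prev)
        out += c
        prev = hashlib.md5(secret + c).digest()
    return salt + out


def salt_decrypt(data: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of salt_encrypt; raises ValueError on malformed input."""
    salt, body = data[:2], data[2:]
    if len(salt) != 2 or len(body) == 0 or len(body) % 16:
        raise ValueError("ciphertext must be salt + whole 16-octet blocks")
    prev = hashlib.md5(secret + request_auth + salt).digest()
    p = b""
    for i in range(0, len(body), 16):
        c = body[i:i + 16]
        p += _xor(c, prev)
        prev = hashlib.md5(secret + c).digest()
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("length octet exceeds decrypted data (wrong secret?)")
    return p[1:1 + n]
```

A mismatched shared secret yields garbage rather than an error most of the time, so the NAS must validate the recovered value (and the Response-Authenticator) rather than trust it blindly.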