(RADIATOR) Session based Lawful Intercepts

Hugh Irvine hugh at open.com.au
Mon Feb 26 19:18:33 CST 2007 

Hello Robert -

Quite correct - my comments were directed at point 1) below.

There is a fourth option also which is just promiscuous scanning of  
traffic as it goes by some sniffer type device.

regards

Hugh


On 27 Feb 2007, at 12:05, Robert Blayzor wrote:

> Hugh Irvine wrote:
>> Further to this, there are additional requirements over and above  
>> Radiator.
>>
>> You will also need some sort of warrant insertion so that the user
>> authentication for the specific user returns the required attributes,
>> and you will also need some mediation device which will receive  
>> the tap
>> data and package it according to your LI agency requirements.
>
>
> Not really.  Actually lawful intercept works one of three ways.
>
> 1)  Via return attributes supplied from the RADIUS server in the
> access-accept. (ie: the salt encrypted attributes in the link I
> provided)  This tells the NAS/LAC to start sending packets to the  
> device
> supplied.
>
> 2)  Via a client side request to the NAS supplying the current
> session-id of the user (with the above attributes) COA.
>
> 3)  Via SNMPv3 request with the appropriate MIB.
>
>
> The mediation device is optional depending on how you want to  
> supply the
> data to the LEA.  (at least the law is written that way).  I believe
> (from what I've read) the intercepted traffic is just encapsulated  
> into
> a UDP stream and sent to a port on the mediation device.  One could
> probably just also sniff the port with tcpdump and capture the data  
> and
> provide ot the LEA.  That's the problem with CALEA right now, there is
> no one way of doing it, there is no enforced standard; and there
> probably should not be.  There is a huge racket of consultants and
> software vendors right now collecting a ton of money for something so
> simple. (ie: capture packets and forward them).
>
> As an broadband provider that's 100% PPPoX with LI enabled bba  
> routers,
> naturally RADIUS is our best fit. (no expensive probes required)
>
> -- 
> Robert Blayzor, BOFH
> INOC, LLC
> rblayzor\@(inoc.net|gmail.com)
> PGP: 0x66F90BFC @ http://pgp.mit.edu
> Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC
>
> "Pinky, you've left the lens cap of your mind on again."
>  - The Brain



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list