Router Installation and Configuration Manual/Configuring CALEA Intercepts

From ImageStream Router Documentation

Revision as of 19:00, 27 August 2009 by Syoder (Talk | contribs)

ImageStream's CALEA architecture has three basic components. Intercept management tasks are performed by the Inetics Configmgr process. Each intercept has a tap process that captures data and delivers it to an lea_collector process for local storage or for delivery to a Trusted Third Party or Law Enforcement Agency.

Several new scripts and Inetics wan.conf commands were added in the 4.2.10-11 release to support CALEA intercepts. Intercept configuration is handled by the "tap_edit" script, which stores the confidential information for each intercept in an encrypted file. Configmgr uses a new wan.conf command, "run", to execute the "tap_run" script, which decrypts the intercept configuration file and starts the tap process. The tap process uses libpcap and standard pcap/tcpdump filters to capture data. The captured data is delivered to an lea_collector process over a UDP socket using a custom packet format. The lea_collector process can store the data to a pcap/tcpdump file and/or retransmit the original packets on another network interface or VPN to facilitate delivery to a Trusted Third Party or Law Enforcement Agency. The lea_collector cannot be run on the router if pcap file storage is required. ImageStream has a special arrangement with Intelleq which allows ImageStream routers to deliver intercept data without running the lea_collector on the router.

Detailed command syntax:

The command syntax for the tap is:

tap -i interface -x content-id -y case-id -z iap-system-id [-d dest-ip] [-c] [-m cmc-port] [-n cmii-port] [-f capture-filter]

The interface is the interface to listen on. Content-id, case-id and iap-system-id are assigned by the LEA. This setup does not make use of these IDs, since they are only transmitted in the CMII stream; only the CMC full packet capture is used. The dest-ip is the IP address of the collector.

The CMC port is assigned by you. The capture-filter is a tcpdump-style filter. In most cases a "host <IP>" filter, an "ether host <MAC>" filter, or both will be used. Because the filter is the only thing that limits what the tap hands to the collector, it should be written as narrowly as the intercept target allows.

To provide confidentiality, the "tap_edit" and "tap_run" scripts can be used to keep each intercept configuration in a separate encrypted file in the /etc/taps directory.

The tap_edit script accepts a filename as its argument. Each intercept should be given a unique filename. The script takes care of decryption and encryption.

tap_edit filename

The configuration file uses the same arguments as the tap command line. Each argument needs to be placed on a separate line:

-i interface
-x content-id
-y case-id
-z iap-system-id
-d dest-ip
-c
-m cmc-port
-n cmii-port
-f capture-filter


The "tap_run" script decrypts the configuration file and invokes the tap program. This script should be run using the wan.conf "run" command:

run tap_run filename


For the collector side:

The command syntax for the collector is:

lea_collector -t cmii-capture-file [-f capture-file] [-m cmc-port] [-n cmii-port] [-x cooked-format] [-o output-interface]

Capture files should not be specified on a router without an attached hard drive, to avoid filling up the ramdisk. Instead, such routers should use the -o option to mirror the incoming CMC data to the specified output interface.

The CMII summary data is not used; only the actual CMC packet content is redirected to the output interface.

Cooked format is never used.

Complete two-client example:

Clients will connect to the collector router using OpenVPN client/server mode and will be given dynamically assigned IPs starting with 192.168.99.2 through 192.168.99.254. Each client will be assigned a unique username/password combination to allow connection to the VPN.

Clients will transmit CMC data (full packet captures) to the collector router on incrementing port numbers starting at 6001, so client 2 will use 6002, and so on. CMII summary data will be transmitted on incrementing port numbers starting at 7001. This data is sent over the OpenVPN encrypted tunnel to the collector router at 192.168.99.1.


Router 1 (collector) wan.conf file:

interface Ethernet0
 description Internet facing interface
 ip address <your IP and netmask>
!
interface Ethernet1
 description LEA collector facing interface
 no ip address
!
interface Tunnel0
 description Encrypted tunnel to clients
 tunnel mode openvpn server 192.168.99.0 255.255.255.0
 tunnel options --dev-type tap
 ip address 192.168.99.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 <your default gateway>
!
# Put OpenVPN users/passwords here
user client1 password clientpassword1
user client2 password clientpassword2
!
# Commands to run a collector process for each client and redirect the output to eth1 (Ethernet1)
run lea_collector -m 6001 -n 7001 -o eth1
run lea_collector -m 6002 -n 7002 -o eth1


Client 1: LEA-assigned content-id 1234, case-id 5678, iap-system-id 9999. Intercept target IP is 86.55.21.253.

wan.conf file:

interface Ethernet0
 description Internet facing interface
 ip address <client 1's IP and netmask>
!
interface Ethernet1
 description Tap facing interface
 no ip address
!
interface Tunnel0
 tunnel mode openvpn client username client1 password clientpassword1
 tunnel destination <collector router's IP>
 tunnel options --dev-type tap
!
ip route 0.0.0.0 0.0.0.0 <client 1's default gateway>
!
# Tap all data for host 86.55.21.253 on eth0 (Ethernet0) sending the data to 192.168.99.1 using ports
# 6001 and 7001.
run tap -i eth0 -x 1234 -y 5678 -z 9999 -d 192.168.99.1 -c -m 6001 -n 7001 -f "host 86.55.21.253"

Alternate method using the tap_edit/tap_run commands to encrypt and hide the configuration:

Type the following from the command line:

tap_edit client1

Enter the following into the file, placing each command line option on its own line:

-i eth0
-x 1234
-y 5678
-z 9999
-d 192.168.99.1
-c
-m 6001
-n 7001
-f "host 86.55.21.253"

Replace the "run tap" command in wan.conf with:

run tap_run client1


Client 2: LEA-assigned content-id 1234, case-id 5678, iap-system-id 9998. Intercept target IP is 76.55.21.21.

wan.conf file:

interface Ethernet0
 description Internet facing interface
 ip address <client 2's IP and netmask>
!
interface Ethernet1
 description Tap facing interface
 no ip address
!
interface Tunnel0
 tunnel mode openvpn client username client2 password clientpassword2
 tunnel destination <collector router's IP>
 tunnel options --dev-type tap
!
ip route 0.0.0.0 0.0.0.0 <client 2's default gateway>
!
# Tap all data for host 76.55.21.21 on eth0 (Ethernet0) sending the data to 192.168.99.1 using ports
# 6002 and 7002.
run tap -i eth0 -x 1234 -y 5678 -z 9998 -d 192.168.99.1 -c -m 6002 -n 7002 -f "host 76.55.21.21"

Alternate method using the tap_edit/tap_run commands to encrypt and hide the configuration:

Type the following from the command line:

tap_edit client2

Enter the following into the file, placing each command line option on its own line:

-i eth0
-x 1234
-y 5678
-z 9998
-d 192.168.99.1
-c
-m 6002
-n 7002
-f "host 76.55.21.21"

Replace the "run tap" command in wan.conf with:

run tap_run client2
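A pre-flight check for the intercept files above, added here as an example. This is not ImageStream's tap_edit or tap_run code and it assumes nothing about how those scripts encrypt the files under /etc/taps; it works on the cleartext one-option-per-line format, rebuilds the argv that tap would receive, and checks the things that are easy to get wrong when a second client is cloned from the first: the per-client CMC/CMII port numbering (6000+n and 7000+n, taken from the two-client example), a collector address on the 192.168.99.0/24 OpenVPN network, a -d address whenever -c is set, a non-empty capture filter, and port collisions between intercepts that share one collector. The sample file content is constructed from client 1's values; the function and constant names are this example's own.

```python
"""Pre-flight checker for tap intercept files (added example, not ImageStream code)."""
import ipaddress
import shlex

# tap options that take a value, keyed by flag, mapped to descriptive names.
VALUED = {"-i": "interface", "-x": "content_id", "-y": "case_id",
          "-z": "iap_system_id", "-d": "dest_ip", "-m": "cmc_port",
          "-n": "cmii_port", "-f": "capture_filter"}
SWITCHES = {"-c": "cmc"}                     # -c: deliver the full-packet CMC stream
ORDER = ("-i", "-x", "-y", "-z", "-d", "-c", "-m", "-n", "-f")   # order used in the manual
REQUIRED = ("interface", "content_id", "case_id", "iap_system_id")
COLLECTOR_NET = ipaddress.ip_network("192.168.99.0/24")   # OpenVPN subnet from the example
CMC_BASE, CMII_BASE = 6000, 7000             # client n uses 6000+n and 7000+n (assumed scheme)

# Constructed sample: client 1's intercept file in the one-option-per-line format.
CLIENT1_FILE = """\
-i eth0
-x 1234
-y 5678
-z 9999
-d 192.168.99.1
-c
-m 6001
-n 7001
-f "host 86.55.21.253"
"""


def parse_tap_file(text):
    """Parse the tap_edit file format: one tap option per line, shell quoting allowed."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)            # keeps "host 86.55.21.253" as one argument
        flag = parts[0]
        if flag in SWITCHES and len(parts) == 1:
            cfg[SWITCHES[flag]] = True
        elif flag in VALUED and len(parts) == 2:
            if VALUED[flag] in cfg:
                raise ValueError(f"line {lineno}: option {flag} given twice")
            cfg[VALUED[flag]] = parts[1]
        else:
            raise ValueError(f"line {lineno}: malformed option {line!r}")
    return cfg


def validate(cfg, client_no):
    """Return the list of problems with one intercept; an empty list means it is ready."""
    problems = [f"missing {k}" for k in REQUIRED if k not in cfg]
    for key, base in (("cmc_port", CMC_BASE), ("cmii_port", CMII_BASE)):
        expected = base + client_no
        if not cfg.get(key, "").isdigit():
            problems.append(f"{key} missing or not numeric")
        elif int(cfg[key]) != expected:
            problems.append(f"{key} is {cfg[key]}, client {client_no} should use {expected}")
    if cfg.get("cmc") and "dest_ip" not in cfg:
        problems.append("-c set but no -d collector address")
    if "dest_ip" in cfg:
        try:
            if ipaddress.ip_address(cfg["dest_ip"]) not in COLLECTOR_NET:
                problems.append("dest_ip is not on the collector VPN network")
        except ValueError:
            problems.append("dest_ip is not an IP address")
    # An empty or missing filter hands the collector every packet on the interface,
    # far more than a single intercept covers; insist on a target filter.
    if not cfg.get("capture_filter", "").strip():
        problems.append("no capture filter: tap would capture all traffic on the interface")
    return problems


def check_set(configs):
    """Cross-intercept check: no two intercepts may share a CMC or CMII port on the collector."""
    seen, problems = {}, []
    for name, cfg in configs.items():
        for key in ("cmc_port", "cmii_port"):
            port = cfg.get(key)
            if port in seen:
                problems.append(f"{name}: {key} {port} already used by {seen[port]}")
            else:
                seen[port] = name
    return problems


def build_argv(cfg):
    """Rebuild the argv that tap_run would pass to tap, in the manual's option order."""
    argv = ["tap"]
    for flag in ORDER:
        if flag in SWITCHES:
            if cfg.get(SWITCHES[flag]):
                argv.append(flag)
        elif VALUED[flag] in cfg:
            argv += [flag, cfg[VALUED[flag]]]
    return argv


if __name__ == "__main__":
    client1 = parse_tap_file(CLIENT1_FILE)
    # Client 2 cloned from client 1 with only the IDs changed: the ports still say 6001/7001.
    client2 = parse_tap_file(CLIENT1_FILE.replace("9999", "9998").replace("86.55.21.253", "76.55.21.21"))
    print("client1:", validate(client1, 1) or "ok")
    print("client2:", validate(client2, 2) or "ok")
    print("collector:", check_set({"client1": client1, "client2": client2}) or "ok")
    print(" ".join(shlex.quote(a) for a in build_argv(client1)))
```

Run it before the `run tap_run` line goes into wan.conf; the cloned client 2 file fails both the per-client check and the collector-wide port check, and becomes clean once -m and -n are moved to 6002 and 7002.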

