CALEA

From MikroTik Wiki
Revision as of 12:25, 24 May 2007 by Tully (talk | contribs) (CALEA)

The Communications Assistance for Law Enforcement Act (CALEA) requires routers to have the ability to intercept and log network traffic. RouterOS now provides this facility by means of firewall rules. RouterOS can also function as a data retention server if the additional calea package is installed.


CALEA features included in RouterOS

Multiple-subject/multiple-destination packet interception and streaming in the following formats:

  • Call Content Connection (CCC) Interface according to PKT-SP-ES-DCI-I01-060914 (PacketCable 2.0 PacketCable Electronic Surveillance Delivery Function to Collection Function Interface Specification)
  • Call Content Connection (CCC) Interface according to ANSI/SCTE 24-13 2006 (IPCablecom Electronic Surveillance Standard), which is the approved method for Communication Content delivery to a LEA according to ATIS-1000013.2007 (Lawfully Authorized Electronic Surveillance for Internet Access and Services)
  • TZSP format - for reception with Ethereal, tcpdump, or trafr (sniffer stream reader for Linux) - http://www.mikrotik.com/download.html


CALEA-server package

  • accepts multiple CCC streams (identified by destination port/source address/case ID)
  • stores communication content according to the "full content" intercept requirements specified in "IP Network Access Intercept Requirements and Method" (FBI-WISPA draft), without out-of-band events
  • stores communication content of multiple subjects/cases
  • stores communication content in libpcap format
  • starts a new libpcap file based on configurable conditions (interval/size/packet count)
  • generates a hash for each pcap file (md5/sha1/sha256)

Intercepting Packet Flow

The IP Firewall filters now have two additional actions:

  • sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server
  • sniff-pc - generates a Packet Cable stream that can be directed to a MikroTik RouterOS system with the calea package installed

When either action is selected, the following options become available:

  • sniff-id (Packet Cable protocol only) - packet stream case ID, which can be used to differentiate between separate traffic sets (e.g., between different users, or between client traffic and server traffic)
  • sniff-target - IP address of the data retention server
  • sniff-target-port - UDP port that the data retention server is listening on

Data Retention Server

The calea package provides an additional tool menu, /tool calea, that allows saving selected incoming data streams to a file. The server creates separate files for each packet stream (one data file and one hash file, if configured). The files do not grow indefinitely, but only until a certain limit is reached, after which a new set of files is created for that stream. The limit is specified both as a file size and as a time interval, whichever is reached first.

Add a rule with the following properties:

  • case-id - case ID set by the intercepting router
  • intercept-ip - IP address of the intercepting router (IP address to receive the stream from)
  • intercept-port - UDP port to listen on (port to receive the stream on)
  • action - storage format (only pcap for now)
  • pcap-file-stop-interval - maximum interval before a new file set is created, if the size limit is not reached earlier
  • pcap-file-stop-size - maximum file size, in KiB
  • pcap-file-hash-method - hashing algorithm (md5 or sha1) for the data file (the hash is saved once the data file is completed and closed); no hash file is created if set to none
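The two halves of the procedure above, the firewall rule on the intercepting router and the matching /tool calea rule on the retention server, as an added RouterOS CLI example that is not part of the original wiki page. All addresses, the case ID 1001 and the UDP port 2000 are constructed values; the 1h time syntax and the placement of the rules are assumptions to check against your RouterOS version.

```routeros
# --- Intercepting router (example address 203.0.113.1, constructed) ---
# Mirror both directions of the subject host 192.0.2.10 (constructed) to the
# retention server 198.51.100.5 on UDP 2000, tagged with case ID 1001 so the
# server can tell this stream apart from other cases arriving on the same port.
# Assumption (not stated on the page): the sniff-pc action passes the packet on
# to the following rules, so these rules go before the rule that accepts the
# traffic; verify this before relying on it.
/ip firewall filter
add chain=forward src-address=192.0.2.10 action=sniff-pc sniff-id=1001 \
    sniff-target=198.51.100.5 sniff-target-port=2000 comment="case 1001 subject->net"
add chain=forward dst-address=192.0.2.10 action=sniff-pc sniff-id=1001 \
    sniff-target=198.51.100.5 sniff-target-port=2000 comment="case 1001 net->subject"

# --- Retention server (calea package installed, address 198.51.100.5) ---
# Accept only the stream for case 1001 coming from the intercepting router on
# UDP 2000, store it as pcap, start a new file set after 1 hour or 100 MiB
# (102400 KiB), whichever comes first, and write a sha1 hash file when each
# data file is closed so the stored content can later be checked for tampering.
/tool calea
add case-id=1001 intercept-ip=203.0.113.1 intercept-port=2000 action=pcap \
    pcap-file-stop-interval=1h pcap-file-stop-size=102400 pcap-file-hash-method=sha1
```

The case-id, intercept-port and the router's address in the server rule must match the sniff-id, sniff-target-port and source address of the firewall rule, otherwise the server silently receives nothing for that case.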