Merits CALEA Compliance Architecture and Platform, OpenCALEA

1
Merits CALEA Compliance Architecture and
Platform,OpenCALEA

• Mary Eileen McLaughlin,
• Merit - Director Technical Operations
• Manish Karir,
• Merit - Research and Development

2
Agenda

• Merits CALEA decision
• Technical compliance experiment goals
• Merits approach
• Experiments to test software and network
  functionality
• Results
• OpenCALEA Toolset description
• Case studies for data integrity
• Next steps

3
Merits CALEA Decision

• Merit believes it will need to be Gateway
  compliant for CALEA
• Will need to have a device at the ingress/egress
  points of our network, to/from the public
  Internet
• In other words, where traffic enters or leaves
  AS-237
• About 9 sites including private peering points
• Rationale for compliance at the gateways
• Merit is interconnected to the public Internet at
  various places.
• Merit supports its connection to the Internet
  because it owns connectivity equipment as well
• Merit purchases commodity Internet service from
  various public Internet providers, that is
  delivered over its facilities .
• Merits interconnected network is a private
  network, however, because Merit limits the
  availability of its services to only its Members
  and Affiliate Members.
• cont.

4
Merits CALEA Decisioncont.

• LEAs can, under CALEA, request surveillance of
  traffic where it connects to public Internet
• Not within a private network, i.e., between two
  universities on our network
• This presentation isnt about the legal
  pros/cons, or the expectations of law, or the
  challenges
• Its about what are we doing relative to the
  above conditions

5
Experimentation Goals

• Develop an experimental reference architecture as
  a model for CALEA compliance
• Determine what level of compliance is possible at
  a reasonable price point
• Experiment with simple hardware/software in order
  to determine suitability for compliance
• How well will this solution scale (10G cards,
  multiple sites) compared to price/performance of
  commercial solutions
• Gain a technical understanding of what is
  required to be CALEA compliant

6
Approach

• Build and deploy a packet capture platform
• Experimental Architecture 1 -- Dell Precision
  GX260 Workstation, 2 GIGE interfaces for
  management and sampling, Pentium 4 3GHz, 1GB
  RAM, Linux
• Experimental Architecture 2 -- Dell PowerEdge860
  1U server, Dual Pentium 2.8GHz, 1 GIGE
  interface(mgmt), 1myricom 10GIGE adapter, 1GB
  RAM, Linux
• Tcpdump/tethereal for packet capture -- both
  depend on pcap library,
• Iperf as the traffic generator
• Test ability to capture a single data stream in
  the presence of varying amounts of live
  background network traffic
• Metrics packet loss, cost

7
Experiment 1 Architecture
8
Experiment 1 Methodology

• Background traffic for the duration of the test
  190-225Mbps (Sunday evening load)
• Repeat for higher traffic load 400Mbps (Monday
  afternoon)
• Test
• Send data from source to sink using iperf
• Attempt to capture traffic stream at capture
  device (full packet captures not just headers)
• Measure actual number of packets transmitted at
  the source and compare with number of full
  packets captured
• Measure for Small/Medium/Large UDP flow

9
Experiment 1 Results
10
Experiment 1 Conclusions

• Less than 1 (0.6 - 0.7) of the packets are
  missing at the capture device (at a load of
  roughly 200Mbps).
• This appears to hold at least to an aggregate
  load level of 400Mbps (bidirectional traffic
  mirrored onto a single port)
• Losses are NOT in the packet capture process but
  in the datapath itself.
• A UDP stream along the same path at 380Kbps
  experienced roughly the same packet loss,
  implying that the simple hardware/software
  solution holds promise for at least the lower
  rate uplink capacities (definitely for OC-3,
  sub-GIGE type rates) .
• Total cost of hardware/software 1000

11
Experiment 2 Architecture
12
Experiment 2 Methodology

• Scale up experiment 1 architecture to links that
  carry over 2Gbps of traffic
• Use of better hardware platform Dell 1U server
• 10GiGE Myricom Ethernet Adapter
• Test ability to deliver the captured packets to
  LEA
• Simple custom software which operates similar to
  tcpdump but additionally can transmit packets to
  LEA
• Test ability to operate in the presence of
  complications. (Such as VLANS 40vlans mirrored
  on single interface)
• Measure ability to capture higher bitrate streams
  in presence of higher background traffic

13
Experiment 2 Results

• UDP stream with average background network load
  of 2.3-2.4 Gbps

14
Experiment 2 Results

• UDP stream with average background network load
  of gt 2.5Gbps

15
Experiment 2 Conclusions

• Return Path Characteristics are Important -
  otherwise there can be packet loss on path to
  LEA.
• Check for MTU -- Encapsulation can lead to packet
  size gt 1,500Bytes. (MTU should be able to
  support jumbo frames on the path to LEA).
• Packet capture at gt 2Gbps network load appears
  to be feasible.
• Hardware/software cost 2,500 (server 1300
  10Gige I/F card, 1200)
• Need to Verify Is there any data impairment
  during the capture/transfer/writing process?
• (See final slides for partial answer.)

16
OpenCALEA Software Toolset

• Tap Tool
• Tap Perform packet capture
• Receive packets via libpcap interface
• Create new UDP packet in appropriate format
• Encapsulate captured packet into new packet
• Timestamp information to UDP packet
• Send to LEA collection IP address
• Send the packet header information on separate
  UDP port
• Example Usage
• ./tap -d 198.108.62.77 -i any -c -f "host
  198.108.62.77 and port 5001"

17
OpenCALEA Software Toolset

• LEA Receiver Tool (Consistent with standard)
• Example of LEA collection function
  implementation lea_collect
• Receive UDP packets sent by tap
• Remove encapsulation
• Create standard libpcap packet based on
  timestamps and encapsulated packet
• Write packet to file
• Write packet header information sent by tap
• Example Usage
• ./lea_collect -f capture-file.pcap

18
OpenCALEA Software Toolset

• User Front End (in development)
• calea_controller
• Responsible for initiating a tap on remote tap
  devices but issuing the appropriate command
• calea_collector
• Responsible for listening for commands from
  calea_controller and initiating the tap with the
  appropriate filters

19
Case Study Capturing Web Browsing Traffic

• Question Is there any data impairment during
  the capture/transfer/writing process?
• Web Browsing
• http//www.opencalea.org
• Google search example
• Capture traffic to/from IP address
• Background network traffic load 2.4Gbps
• Tap is to filter IP-address and port 80
• Tap forwards stream to LEA Collector where it is
  saved to disk
• Analyze saved file using tools, e.g., tcpxtract
  in order to examine accessed web pages

20
Capturing Web Browsing Traffic
Test performed to validate integrity of packets
captured.
Web Page Reconstructed from Intercepted Packets
21
Capturing Web Browsing Traffic
Test performed to validate integrity of packets
captured.
Web Page Reconstructed from Intercepted Packets
22
Case Study Capturing Instant Messenger
Conversations

• Capture traffic to/from IP address
• Background network traffic load gt 2.5 Gbps
• Tap is to filter IP-address and AIM port
• Tap forwards stream to LEA Collector where it is
  saved to disk
• This saved file is then analyzed using tcpdump in
  order to extract the ASCII text within

23
Case Study Capturing Instant Messenger Traffic
24
Case Study Capturing Instant Messenger Traffic
25
Conclusions

• A cost-effective CALEA solution was developed and
  tested
• The solution has performed well in initial
  testing
• The solution appears to be
• Consistent with technical requirements
• Cost effective
• Practical
• Merit plans to use this solution for CALEA
  compliance

26
Next Steps

• Merit will file its Compliance document by
  February 12th
• Continue to fine-tune OpenCALEA software, and
  develop user interface
• Software release in mid-February
• Draft SSI document March 1 and release to
  community (Quilt, StateNets, etc.)
• Commentary welcomed
• SSI to be filed by March 14th
• Compliance by May 14th