
ISS World December 11, 2007


Presentation Transcript


  1. ACCELERATING NETWORK SURVEILLANCE
     Buffering for Reliable Intercept Delivery: Implementation of ATIS and CableLabs Standards
     Glen Myers, ISS World, December 11, 2007

  2. Simple Definition
     • Real-time delivery [diagram: mediation / delivery system -> law-enforcement collection system]
       Intercept packets are sent and deleted. Errors in transmission, the link being down, or the collection system being down cause lost intercept information.
     • Buffered delivery [diagram: mediation / delivery system -> law-enforcement collection system]
       Groups of intercept packets (e.g., files) are sent, verified for accuracy and completeness, and only then deleted. Errors in transmission, the link being down, or the collection system being down do not lose intercept information.

  3. Buffering solves several problems for both the service provider and law enforcement

  4. Delivery Reliability: A New Problem for Data Intercepts
     • Voice intercepts can withstand information loss
       • E.g., a UDP/RTP VoIP packet represents only 40-80 ms of speech
       • Voice coding methods can achieve good quality with even 1 to 5% packet loss
     • Data intercepts generally cannot tolerate any information loss
       • E.g., missing one packet in a stream of binary-encoded data will render the rest of the stream undecodable
       • E.g., missing one packet in a compressed stream of text (e.g., much web mail) renders it “undecompressable”
       • E.g., a whole communication could exist in a single packet (e.g., a whole email message)
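An added illustration of this slide's point (example code, not from the talk): a message is cut into constructed 1400-byte "packets", one packet is dropped, and the survivors are reassembled both as plain text and as a deflate-compressed stream. The packet size and the sample text are assumptions.

```python
import zlib

PKT = 1400  # constructed payload size per intercepted packet (assumption)


def split(data: bytes, size: int = PKT) -> list:
    """Cut a byte stream into fixed-size packets, as an IAP would see it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def reassemble_plain(chunks: list, lost) -> bytes:
    """Plain text: losing packet `lost` loses only that packet's bytes."""
    return b"".join(c for i, c in enumerate(chunks) if i != lost)


def reassemble_compressed(chunks: list, lost):
    """Deflate stream: feed the surviving packets to the inflater in order.
    Returns (ok, recovered); ok is False if decoding errors out or the end
    of stream is never reached, which is what one missing packet causes."""
    inflater = zlib.decompressobj()
    recovered = b""
    try:
        for i, c in enumerate(chunks):
            if i != lost:
                recovered += inflater.decompress(c)
        recovered += inflater.flush()
    except zlib.error:
        return False, recovered
    return inflater.eof, recovered


def compare(message: bytes, lost):
    """Constructed comparison for one lost packet index (None = no loss)."""
    plain = reassemble_plain(split(message), lost)
    ok, recovered = reassemble_compressed(split(zlib.compress(message, 9)), lost)
    return {
        "plain_bytes_kept": len(plain),
        "compressed_ok": ok,
        "compressed_bytes_recovered": len(recovered),
    }


# Constructed sample: a few thousand lines resembling web-mail headers.
SAMPLE = b"".join(b"From: user%d@example.test\nSubject: note %d\n\n" % (i, i * 7)
                  for i in range(3000))

if __name__ == "__main__":
    print("no loss:      ", compare(SAMPLE, None))
    print("packet 1 lost:", compare(SAMPLE, 1))
```

Losing one packet of plain text costs exactly 1400 bytes; losing one packet of the compressed stream leaves the inflater unable to finish, so everything after the gap is unusable.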

  5. Unreliable Delivery
     [diagram: routed traffic -> mediation / delivery system -> law-enforcement collection system]
     • Packet loss results from
       • Congestion at queuing points
       • Bit errors
       • Purposeful drops (e.g., bandwidth management)
     • UDP: lost packets are gone forever
     • TCP is significantly better, but
       • TCP sessions can be reset by bandwidth managers
       • TCP congestion and retries can cause the delivery system to overrun and drop packets before they are handed to TCP
       • A temporary drop of a link, a reboot of the collection system, etc. still cause loss
     • A VPN doesn’t help

  6. By the Way ...
     [diagram: routed traffic -> IAP -> mediation / delivery system]
     This is problematic. The buffering standards assume the mediation/delivery device is either integrated with, or tightly coupled to, the IAP(s). If packet loss could occur before the mediation/delivery device, you have a bigger problem.

  7. Physical Models
     • ATIS Model (ATIS-1000021): mediation / delivery system, buffering function (can be separate or combined), law-enforcement collection system
     • CBIS Model: mediation / delivery system, buffering function, law-enforcement collection system

  8. The Buffering Pull Model
     [diagram: service provider premises: intercept information flows into a big file system holding Case aaa, Case bbb, ...; law enforcement agents pull from it]
     • Each case is a sequence of files of LEA-specified granularity
     • All files have an accompanying secure hash digest
     • “Pulling” protocol is SFTP over SSH2
     • Files don’t disappear until downloaded and verified
     • Interface is very secure
       • strong SSH2 authentication
       • data transfer is encrypted

  9. ATIS BF Case Directory
     • Files of CmII messages in ASN.1 CmII form
     • Files of CmC packets in PCAP form (i.e., de-encapsulated from CmC form as appropriate)
     • File granularity specifiable on a “case by case” basis
       • E.g., create a new CmII/CmC file pair every 15 minutes, or when one hits 1 megabyte
     • Intercept log
       • ASN.1 defined format
       • Record of each file completion above, including SHA-256 hash digest of the file
       • Record of every file deletion
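An added example (not the presenter's product code) sketching the file rotation, hashing, verify-then-delete and intercept-log behaviour described on slides 8 and 9. It assumes a JSON-lines log in place of the ASN.1 format, raw byte files in place of PCAP, the 1 MB / 15-minute granularity from slide 9, and that the collector reports back the SHA-256 it computed over its SFTP download; file age is only checked when a packet arrives.

```python
import hashlib
import json
import time
from pathlib import Path

ROLL_BYTES = 1_000_000   # slide 9: start a new file when one hits 1 MB ...
ROLL_SECONDS = 15 * 60   # ... or every 15 minutes, whichever comes first

class CaseBuffer:
    """Buffering function for one case directory (service-provider side)."""
    def __init__(self, case_dir, now=time.time):
        self.dir = Path(case_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.log = self.dir / "intercept.log"   # one JSON record per line
        self.now, self.seq, self.cur = now, 0, None

    def _record(self, **rec):
        with open(self.log, "a") as f:
            f.write(json.dumps(rec) + "\n")

    def append(self, packet: bytes):
        """Append raw packet bytes (a real BF writes PCAP); roll on size/age."""
        if self.cur is None:
            self.seq += 1
            self.cur = self.dir / f"cmc_{self.seq:06d}.dat"
            self.size, self.start = 0, self.now()
        with open(self.cur, "ab") as f:
            f.write(packet)
        self.size += len(packet)
        if self.size >= ROLL_BYTES or self.now() - self.start >= ROLL_SECONDS:
            self.close()

    def close(self):
        """Complete the current file and log its SHA-256 digest."""
        if self.cur is not None:
            digest = hashlib.sha256(self.cur.read_bytes()).hexdigest()
            self._record(event="complete", file=self.cur.name, sha256=digest)
            self.cur = None

    def delete_verified(self, name: str, lea_digest: str) -> bool:
        """Delete only if the LEA's downloaded copy hashes to the logged digest."""
        state = {}
        for line in self.log.read_text().splitlines():
            rec = json.loads(line)
            state[rec["file"]] = rec.get("sha256")   # None once deleted
        if state.get(name) != lea_digest:
            return False   # unknown, already deleted, or a bad copy: keep it
        (self.dir / name).unlink()
        self._record(event="delete", file=name)
        return True
```

A file that the collector downloaded incompletely hashes differently, so it stays in the case directory for another pull, which is the "verified, and only then deleted" property from slide 2.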

  10. CBIS BIF Case Directory
     • Subdirectory of CmC packets in PCAP form and SHA-256 hash files of each
       • File granularity similar to ATIS BF
     or
     • Subdirectory of packet header summaries in XML form and SHA-256 hash files of each
     • Subdirectory of DHCP packets in PCAP form and event messages in XML form

  11. What We Provide
     • ATIS models
       • Buffering system (separate): 4 TB inside (2 TB with RAID 10), delivering to the law-enforcement collection system
       • DeepSweep with integrated ATIS BF: 2 TB inside (1 TB with RAID 1)
     • CBIS model
       • CBIS BIF (same buffering system as above)
       • DeepSweep with CBIS surveillance module: 0.5 to 2 TB inside

  12. Enough Disk Space?
     • LEA responsibility is downloading frequently and freeing up the space
     • Goal is 24 hours of buffering capability
     • 2 TB of after-RAID storage is a lot of space
       • For full-content (Title III) intercepts, capacity is about 180 intercepts at an average rate of 1 Mb/s for 24 hours
       • For pen-register intercepts, capacity is many 1000s
     • What if even this is not enough?
       • Get on the phone and tell your LEA(s) to download more frequently
       • Buffering system is cheap enough that a large service provider could buy “a bunch”

  13. Other Benefits
     Besides the big one – reliable delivery:
     • Don’t need to negotiate and install a dedicated link per intercept and/or per LEA
     • Don’t need pipes to match the subject’s peak service bandwidth
       • E.g., need a 50 Mb/s pipe to the LEA for subject X because his FTTH service can provide 50 Mb/s (even though his average usage is orders of magnitude lower)
     • Support of multiple LEAs is very easy
       • No new links, no new equipment; just provision the buffering system with the new case and credentials to it
     • Eliminates law enforcement’s other alternative of co-locating their collection equipment
     • Eliminates the need for other elements, such as VPNs
     [diagram: mediation / delivery system, VPN, Carnivore DCS3000, law-enforcement collection system]

  14. Summary
     • Buffering is a simple, elegant solution for reliability, security, and integrity of intercept delivery
     • It doesn’t solve the problem if mediation systems are remote from IAPs – this is a no-no for data intercepts
     • It is well shaken out and available
     • It is inexpensive
     • It is actually good for service providers and carriers
