Research Report on the North American CALEA Lawful Intercept Standard for the Packet Domain

1. Overview of the specification

CALEA stands for Communications Assistance for Law Enforcement Act. It is a US communications law, and on the basis of it many communications equipment vendors have jointly drawn up lawful-intercept specifications.

On 2 October 2006 it was reported that ATIS and the Telecommunications Industry Association (TIA) had jointly published a standard they developed together, ANSI/J-STD-025-B-2006, "Lawfully Authorized Electronic Surveillance".

The document was first published as industry standard J-STD-025-B in 2004 and has recently been approved as an American National Standard (ANS). It will supersede the earlier industry standard J-STD-025-B.

The purpose of the standard is to help telecommunications service providers (TSPs) meet the assistance capability requirements set out in Section 103 of CALEA, and to help ensure that those requirements are effective and widely implemented across the industry. Additional capabilities have been included in ANSI/J-STD-025-B-2006 to assist law enforcement agencies (LEAs) conducting lawfully authorized electronic surveillance of cdma2000 broadband packet data services. The standard provides a "safe harbor" under Section 107 of CALEA (Public Law 103-414).

ANSI/J-STD-025-B-2006 was developed jointly by the ATIS Wireless Technologies and Systems Committee, the ATIS Packet Technologies and Systems Committee and TIA TR-45.

Since downloading J-STD-025-B-2006 online costs USD 55, I contacted colleagues working on CDMA and obtained the 2004 industry-standard J-STD-025-B document instead; it is analysed below.

The specification describes the intercept functions and requirements in three parts, introducing them step by step from the user's perspective, the network's perspective and the implementation perspective.

The US standard describes the following main intercept content:

  1) Non-call-associated services: provide information about the intercept subject that is not related to a call
  2) Call-associated services: provide call-identifying information related to the intercept subject
  3) Call- and non-call-associated services: provide information about the intercept subject together with call-related information from the network
  4) Content interception

The network reference model for the intercept functions is shown below:

Figure 1 Logical structure of CALEA interception

  1. AF (Access Function) provides access to the intercept subject's communications and call-identifying information; it sits at the normal network elements. The AF typically includes the following functions:
    1) provide the intercept subject's call-identifying information and pass it to the DF
    2) provide the intercept subject's call content and pass it to the DF
    3) protect the intercept operation
  2. DF (Delivery Function) delivers the intercept subject's communications and call-identifying information to the CF. The DF typically includes the following functions:
    1) receive the intercept subject's call content from the AF over one or more channels
    2) deliver the intercept subject's call content to the CF over one or more CCCs
    3) receive the intercept subject's call-identifying information, or packet-mode content information, over one or more channels and deliver it to the CF over one or more CDCs
    4) ensure that call-identifying information and call content are delivered to the correct LEA
    5) duplicate the intercept subject's call-identifying information and call content and deliver them to one or more CFs
    6) protect the intercept operation
  3. CF (Collection Function) collects the intercept subject's call-identifying information and call content and hands them to the LEA. The CF typically includes the following functions:
    1) receive and process the call content of each intercept subject
    2) receive and process the information associated with each intercept subject
  4. SPAF (Service Provider Administration Function) controls the TSP's electronic surveillance functions.
  5. LEAF (Law Enforcement Administration Function) controls the LEA's electronic surveillance functions.

Compared with the X1, X2 and X3 interfaces of the Chinese national intercept standard, the mapping is as follows:

  1. Service Provider's Administration corresponds to the X1 interface of the Chinese standard and the HI1 interface of ETSI interception
  2. The e interface between Delivery and Collection comprises two parts:
    1. CD (Call Data): corresponds to the X2 interface of the Chinese standard and the HI2 interface of ETSI interception
    2. CC (Call Content): corresponds to the X3 interface of the Chinese standard and the HI3 interface of ETSI interception

The J-STD-025-B standard mainly describes the functions and requirements of the e interface. The e interface consists of two logical channels, one for call content and one for call data: the Call Content Channel (CCC) and the Call Data Channel (CDC).

The packet data LAES (Lawfully Authorized Electronic Surveillance) Protocol service supports the following intercept functions:

  1. call-identifying information (IMSI, NAI, IPv4 address),
  2. call content and call-identifying information.

1.1 Packet data session intercept events

1 Packet data session establishment: an IPv4 address, NAI or IMSI identifies a packet data session; for Simple IPv6, the 64-bit globally unique prefix identifies the subscriber's packet data session.

The cdma2000 packet data session establishment event message is sent when one of the following triggers occurs:

  1. a PPP session for Simple IPv4 service is established successfully
  2. establishment of a PPP session for Simple IPv4, Simple IPv6 or Mobile IPv4 service fails
  3. the subscriber's Mobile IPv4 registration succeeds or fails
  4. a Router Advertisement with the /64 globally unique prefix that is assigned to the subject is sent after successful PPP negotiation for Simple IPv6
  5. a Router Advertisement with the /64 globally unique prefix that is assigned to the subject is sent in response to a Router Solicitation from the subject for Simple IPv6

The message parameters are as follows (MOC: M = mandatory, C = conditional, O = optional):

Table 1 cdma2000PacketDataSessionEstablishment Message Parameters

| Parameter | MOC | Usage |
|---|---|---|
| CaseIdentity | M | Identifies the intercept subject. |
| IAPSystemIdentity | C | Include to identify the system containing the IAP when the underlying data carriage does not imply that system. |
| TimeStamp | M | Identifies the date and time that the event was detected. |
| SubjectIPAddress | M | Provide the IP address assigned for the session: the IPv4 address allocated by the PDSN for Simple IPv4 access; or the /64 globally unique prefix assigned to the intercept subject by the PDSN for Simple IPv6 access; or the Home IPv4 address assigned by the Home Agent. If establishment fails, a NULL value is provided. |
| SubjectIdentity | C | Observed identity or identities of the intercept subject. Provide known identities. |
| IPAssignment | C | Provide when known to indicate a static or dynamic IP assignment: dynamic assignment for Simple IPv4; static or dynamic assignment for Mobile IPv4. |
| HaIPAddress | C | IPv4 address of the HA, only provided for Mobile IPv4 access. |
| FaCoA | C | Foreign Agent provided Care of Address, only provided for Mobile IPv4 access. |
| CorrelationNumber | C | Unique number for each established packet data session for correlating CC and CII when CII and CC are both reported. |
| LocationInformation | C | Provide for established packet data sessions, when authorized, to identify location information for the intercept subject's MS. |
| SessionEstablishmentFailure | C | Provide when session establishment fails and include the reason for failure when known. Examples include: Mobile IPv4 rejected by the PDSN; Mobile IPv4 rejected by the HA; Access rejected by the home network; PPP establishment unsuccessful. |
| CCAddress | C | Provide when content is being delivered, to identify the particular IP address and port number of the LEA used to deliver contents for a packet data session. |

2 Packet data session termination

The cdma2000 packet data session termination event message is sent when one of the following triggers occurs:

  1. the subscriber's PPP session is released;
  2. the Simple IPv6 prefix lifetime expires;
  3. Mobile IPv4 deregistration;
  4. Mobile IPv4 registration revocation;
  5. deletion of the Mobile IPv4 binding at the HA.

The parameters are as follows:

Table 2 cdma2000PacketDataSessionTermination Message Parameters

| Parameter | MOC | Usage |
|---|---|---|
| CaseIdentity | M | Identifies the intercept subject. |
| IAPSystemIdentity | C | Include to identify the system containing the IAP when the underlying data carriage does not imply that system. |
| TimeStamp | M | Time and date that the event was detected. |
| SubjectIPAddress | M | Provide the IP address assigned for the session: the IPv4 address allocated by the PDSN for Simple IPv4 access; or the /64 globally unique prefix assigned to the intercept subject by the PDSN for Simple IPv6 access; or the Home IPv4 address assigned by the Home Agent. |
| HaIPAddress | C | IPv4 address of the HA, only provided for Mobile IPv4 access. |
| FaCoA | C | Foreign Agent provided Care of Address, only provided for Mobile IPv4 access. |
| CorrelationNumber | C | Unique number for each packet data session for correlating CC and CII when CII and CC are both reported. |
| LocationInformation | C | Provide, when authorized, to identify location information for the intercept subject's MS. |
| SessionTerminationReason | C | Provide the reason (e.g., release indicator or Acct-Term cause) for closing the packet data session, when known. |

3 Packet data intercept start

The cdma2000 packet data intercept start event message is sent when the following event occurs:

  1. the subscriber's session is already established at the moment the intercept is activated.

The message parameters are as follows:

Table 3 cdma2000PacketDataInterceptStart Message Parameters

| Parameter | MOC | Usage |
|---|---|---|
| CaseIdentity | M | Identifies the intercept subject. |
| IAPSystemIdentity | C | Include to identify the system containing the IAP when the underlying data carriage does not imply that system. |
| TimeStamp | M | Time and date that the event was detected. |
| SubjectIPAddress | M | Provide the IP address assigned for the session: the IPv4 address allocated by the PDSN for Simple IPv4 access; or the /64 globally unique prefix assigned to the intercept subject by the PDSN for Simple IPv6 access; or the Home IPv4 address assigned by the Home Agent. |
| SubjectIdentity | C | Observed identity or identities of the intercept subject. Provide known identities. |
| IPAssignment | C | Provide when known to indicate a static or dynamic IP assignment: dynamic assignment for Simple IPv4; static or dynamic assignment for Mobile IPv4. |
| HaIPAddress | C | IPv4 address of the HA, only provided for Mobile IPv4 access. |
| FaCoA | C | Foreign Agent provided Care of Address, only provided for Mobile IPv4 access. |
| CorrelationNumber | C | Unique number for each packet data session for correlating CC and CII when CII and CC are both reported. |
| LocationInformation | C | Provide, when authorized, to identify location information for the intercept subject's MS. |
| CCAddress | C | Provide when content is being delivered, to identify the particular IP address and port number of the LEA used to deliver contents for a packet data session. |

4 Packet data serving system

The cdma2000 packet data serving system event message is sent when one of the following triggers occurs:

  1. the home HAAA receives Access Request and Accounting (Start) Request messages
  2. the HA receives a Mobile IPv4 Registration Request message

The message parameters are as follows:

Table 4 cdma2000PacketDataServingSystem Message Parameters

| Parameter | MOC | Usage |
|---|---|---|
| CaseIdentity | M | Identifies the intercept subject. |
| IAPSystemIdentity | C | Include to identify the system containing the IAP when the underlying data carriage does not imply that system. |
| TimeStamp | M | Time and date that the event was detected. |
| SubjectIPAddress | C | Provides the IPv4 address assigned for the session: the Home IPv4 address used for the Mobile IPv4 session; the Dynamic IPv4 address allocated by the PDSN for Simple IPv4 access; or the /64 globally unique prefix assigned to the intercept subject by the PDSN for Simple IPv6 access. |
| SubjectIdentity | C | Observed identity or identities of the intercept subject. Provide known identities. |
| ServingSystemIdentity | M | Identifies the entity that is currently serving the intercept subject. |
| HaIPAddress | C | IPv4 address of the HA, only provided for Mobile IPv4 access. |
| FaCoA | C | Foreign Agent provided Care of Address, only provided for Mobile IPv4 access. |

5 Packet filter

The cdma2000 packet data packet filter event message is sent after one of the following triggers:

  1. signalling from the MS to establish or add a new PF is received
  2. signalling from the MS to modify a PF is received
  3. signalling from the MS to release or delete a PF is received;
  4. an auxiliary connection is released together with its associated PF (applies to Rev C)

The message parameters are as follows:

Table 5 cdma2000PacketDataPacketFilter Message Parameters

| Parameter | MOC | Usage |
|---|---|---|
| CaseIdentity | M | Identifies the intercept subject. |
| IAPSystemIdentity | C | Include to identify the system containing the IAP when the underlying data carriage does not imply that system. |
| TimeStamp | M | Time and date that the event was detected. |
| SubjectIPAddress | M | Provide the IP address assigned for the session: the IPv4 address allocated by the PDSN for Simple IPv4 access; the /64 globally unique prefix assigned to the intercept subject by the PDSN for Simple IPv6 access; or the Home IPv4 address assigned by the Home Agent. |
| SubjectIdentity | C | Observed identity or identities of the intercept subject. Provide known identities. |
| HaIPAddress | C | IPv4 address of the HA, only provided for Mobile IPv4 access. |
| FaCoA | C | Foreign Agent provided Care of Address, only provided for Mobile IPv4 access. |
| PacketFilterInformation | M | Provide packet filter information. Traffic Flow Template (TFT) option for the subject IP address as signaled by the MS. See [TIA-835] standards. |
| CorrelationNumber | C | Unique number for each packet data session for correlating CC and CII when CII and CC are both reported. |

6 Intercepted content

Communication content in the packet domain is delivered encapsulated with a CLIC (cdma2000® lawful interception correlation) header. Every intercepted data-stream packet sent to the LEA carries a CLIC header.

The CLIC header parameters are as follows:

Table 6 cdma2000® CLICHeader Parameters

| Parameter | MOC | Usage |
|---|---|---|
| cdma2000CCModuleID | M | Module identifier for cdma2000® communication content |
| CLICHeaderVersion | M | Identifies the version number of the CLIC header |
| CaseIdentity | M | Identifies the intercept subject |
| CorrelationNumber | C | Unique number for each established packet data session for correlating CC and CII when CII and CC are both reported. Required when intercepted sessions may be aggregated over the same CC Address (LEA IP Address and Port Number). |
| TimeStamp | C | Time and date that the event was detected. Required when timing is not included in the protocol header (e.g., not needed with RTP). |
| SequenceNumber | C | Sequence Number is an increasing sequence number for the interception of IP packets. At a minimum, the sequence number should be unique per packet data session. Not required when a transport protocol is used that provides sequencing (e.g., SCTP, TCP). |
| IPPacketDirection | O | Indicates the direction of the IP packet (from the intercept subject or to the intercept subject). |

The standard does not require the data carried on interfaces 1 and 2 to be encrypted, nor does it define a cryptographic authentication method for interfaces 1 and 2.
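The CaseIdentity and CorrelationNumber fields that the CLIC header (Table 6) shares with the session messages (Tables 1 to 5) are what let a collection function tie delivered content back to the session it belongs to. The following Python is an added example, not code from the standard or from the original post: it builds a session index from CII events and checks a stream of CC records against it, reporting CorrelationNumbers with no known session, CaseIdentity disagreements between CC and CII, packets timestamped outside the establishment/termination window, and SequenceNumber gaps or repeats (the check that matters when the transport does not provide sequencing itself). The record classes are plain Python views of the table parameters, and all sample data is constructed.

```python
"""Correlate delivered call content (CC) with call-identifying information (CII)
via CaseIdentity + CorrelationNumber, and flag inconsistencies in the CC stream.
Added example; record layouts and sample data are constructed, not from J-STD-025-B."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class CIIEvent:
    """One cdma2000PacketDataSessionEstablishment / ...Termination message (CDC side)."""
    kind: str                   # "establishment" or "termination"
    case_identity: str
    correlation_number: str     # CorrelationNumber OCTET STRING, shown as hex
    time_stamp: datetime
    subject_ip: Optional[str]   # None models the NULL alternative of IpAddress


@dataclass
class CCRecord:
    """CLIC header fields of one delivered content packet (CCC side)."""
    case_identity: str
    correlation_number: str
    time_stamp: datetime
    sequence_number: int
    direction: str              # IPPacketDirection: "from_subject" / "to_subject"


@dataclass
class Session:
    case_identity: str
    subject_ip: Optional[str]
    start: datetime
    end: Optional[datetime] = None
    packets: int = 0
    last_seq: Optional[int] = None


def build_sessions(events):
    """Index CII events by CorrelationNumber so CC records can be attributed to a session."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e.time_stamp):
        if ev.kind == "establishment":
            sessions[ev.correlation_number] = Session(ev.case_identity, ev.subject_ip, ev.time_stamp)
        elif ev.kind == "termination" and ev.correlation_number in sessions:
            sessions[ev.correlation_number].end = ev.time_stamp
    return sessions


def check_cc(sessions, records):
    """Attribute each CC record to its session; collect what an analyst should review
    before trusting the delivered stream as complete and correctly labelled."""
    findings = {k: [] for k in ("unknown_correlation", "case_mismatch",
                                "outside_window", "sequence_gap", "duplicate_or_reordered")}
    for rec in records:
        sess = sessions.get(rec.correlation_number)
        if sess is None:                               # CC for a session CII never announced
            findings["unknown_correlation"].append(rec)
            continue
        if rec.case_identity != sess.case_identity:    # labels disagree: do not attribute
            findings["case_mismatch"].append(rec)
            continue
        sess.packets += 1
        if rec.time_stamp < sess.start or (sess.end is not None and rec.time_stamp > sess.end):
            findings["outside_window"].append(rec)
        if sess.last_seq is not None and rec.sequence_number <= sess.last_seq:
            findings["duplicate_or_reordered"].append(rec)
            continue                                   # keep the high-water mark unchanged
        if sess.last_seq is not None and rec.sequence_number != sess.last_seq + 1:
            findings["sequence_gap"].append(rec)       # at least one packet missing in between
        sess.last_seq = rec.sequence_number
    return findings


def _t(hour, minute):
    return datetime(2006, 10, 2, hour, minute)


def sample_data():
    """Constructed CII events and CC records for one case pair (not real intercept data)."""
    events = [
        CIIEvent("establishment", "CASE-A", "0001", _t(10, 0), "10.1.2.3"),
        CIIEvent("termination", "CASE-A", "0001", _t(10, 30), "10.1.2.3"),
        CIIEvent("establishment", "CASE-B", "0002", _t(10, 5), "10.1.2.4"),  # still open
    ]
    records = [
        CCRecord("CASE-A", "0001", _t(10, 1), 1, "from_subject"),
        CCRecord("CASE-A", "0001", _t(10, 2), 2, "to_subject"),
        CCRecord("CASE-A", "0001", _t(10, 3), 3, "from_subject"),
        CCRecord("CASE-A", "0001", _t(10, 10), 5, "from_subject"),  # packet 4 never delivered
        CCRecord("CASE-A", "0001", _t(10, 10), 5, "from_subject"),  # same packet delivered twice
        CCRecord("CASE-A", "0001", _t(10, 45), 6, "from_subject"),  # after the termination event
        CCRecord("CASE-B", "0002", _t(10, 6), 1, "to_subject"),
        CCRecord("CASE-A", "0002", _t(10, 7), 2, "to_subject"),     # CaseIdentity disagrees with CII
        CCRecord("CASE-C", "0009", _t(10, 8), 1, "to_subject"),     # no CII session for this number
    ]
    return events, records


def run_example():
    events, records = sample_data()
    sessions = build_sessions(events)
    return sessions, check_cc(sessions, records)


if __name__ == "__main__":
    sessions, findings = run_example()
    for corr, s in sessions.items():
        print(f"session {corr} ({s.case_identity}, {s.subject_ip}): {s.packets} packets attributed")
    for kind, recs in findings.items():
        print(f"{kind}: {len(recs)}")
```

Records whose CaseIdentity contradicts the CII announcement are deliberately not attributed to the session; attributing them would silently merge two cases. A sequence repeat does not advance the per-session high-water mark, so a later in-order packet is not mis-reported as a gap.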

 

 

2. Intercept parameter definitions

CALEA specifies that the CDC and CCC channels are carried over TCP/IP.

 

 

 

3. cdma2000® Abstract Syntax for Packet Data CII Delivery

```asn1
CDMA2000CIIModule {iso(1) member-body(2) us(840) ti(113737) laes(2) tr45(0) cdma2000(1) cii(0) version-1(0)}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

IMPORTS
    CaseIdentity, TimeStamp
    FROM Laesp-j-std-025-b {iso(1) member-body(2) us(840) ti(113737) laes(2) tr45(0) j-std-025(0) j-std-025-b(2) version-1(0)};

CDMA2000LAESMessage ::= SEQUENCE
{
    cdma2000ModuleId        [0] OBJECT IDENTIFIER,   -- object identifier of this module (CDMA2000CIIModule)
    cdma2000LAESMessageType [1] CDMA2000LAESMessageType
}

CDMA2000LAESMessageType ::= CHOICE
{
    cdma2000PacketDataSessionEstablishment [0] CDMA2000PacketDataSessionEstablishment,
    cdma2000PacketDataSessionTermination   [1] CDMA2000PacketDataSessionTermination,
    cdma2000PacketDataInterceptStart       [2] CDMA2000PacketDataInterceptStart,
    cdma2000PacketDataServingSystem        [3] CDMA2000PacketDataServingSystem,
    cdma2000PacketDataPacketFilterInfo     [4] CDMA2000PacketDataPacketFilterInformation
}

-- message definitions

CDMA2000PacketDataSessionEstablishment ::= SEQUENCE
{
    caseIdentity        [0]  CaseIdentity,
    iapSystemIdentity   [1]  SystemIdentity OPTIONAL,
    timeStamp           [2]  TimeStamp,
    subjectIPAddress    [3]  IpAddress,
    subjectIdentity     [4]  SubjectId OPTIONAL,
    ipAssignment        [5]  IpAssignment OPTIONAL,
    haIPAddress         [6]  IpAddress OPTIONAL,
    faCoA               [7]  IpAddress OPTIONAL,
    correlationNumber   [8]  CorrelationNumber OPTIONAL,
    locationInformation [9]  LocationInformation OPTIONAL,
    failureReason       [10] SessionEstablishmentFailure OPTIONAL,
    ccAddress           [11] CCAddress OPTIONAL
}

CDMA2000PacketDataSessionTermination ::= SEQUENCE
{
    caseIdentity        [0] CaseIdentity,
    iapSystemIdentity   [1] SystemIdentity OPTIONAL,
    timeStamp           [2] TimeStamp,
    subjectIPAddress    [3] IpAddress,
    haIPAddress         [4] IpAddress OPTIONAL,
    faCoA               [5] IpAddress OPTIONAL,
    correlationNumber   [6] CorrelationNumber OPTIONAL,
    locationInformation [7] LocationInformation OPTIONAL,
    terminationReason   [8] SessionTerminationReason OPTIONAL
}

CDMA2000PacketDataInterceptStart ::= SEQUENCE
{
    caseIdentity        [0]  CaseIdentity,
    iapSystemIdentity   [1]  SystemIdentity OPTIONAL,
    timeStamp           [2]  TimeStamp,
    subjectIPAddress    [3]  IpAddress,
    subjectIdentity     [4]  SubjectId OPTIONAL,
    ipAssignment        [5]  IpAssignment OPTIONAL,
    haIPAddress         [6]  IpAddress OPTIONAL,
    faCoA               [7]  IpAddress OPTIONAL,
    correlationNumber   [8]  CorrelationNumber OPTIONAL,
    locationInformation [9]  LocationInformation OPTIONAL,
    ccAddress           [10] CCAddress OPTIONAL
}

CDMA2000PacketDataServingSystem ::= SEQUENCE
{
    caseIdentity          [0] CaseIdentity,
    iapSystemIdentity     [1] SystemIdentity OPTIONAL,
    timeStamp             [2] TimeStamp,
    subjectIPAddress      [3] IpAddress OPTIONAL,
    subjectIdentity       [4] SubjectId OPTIONAL,
    servingSystemIdentity [5] SystemIdentity,
    haIPAddress           [6] IpAddress OPTIONAL,
    faCoA                 [7] IpAddress OPTIONAL
}

CDMA2000PacketDataPacketFilterInformation ::= SEQUENCE
{
    caseIdentity            [0] CaseIdentity,
    iapSystemIdentity       [1] SystemIdentity OPTIONAL,
    timeStamp               [2] TimeStamp,
    subjectIPAddress        [3] IpAddress,
    subjectIdentity         [4] SubjectId OPTIONAL,
    haIPAddress             [5] IpAddress OPTIONAL,
    faCoA                   [6] IpAddress OPTIONAL,
    packetFilterInformation [7] SET OF PacketFilterInformation,
    correlationNumber       [8] CorrelationNumber OPTIONAL
}

-- parameter definitions

CCAddress ::= SEQUENCE
{
    leaIPAddress  [0] IpAddress,
    leaPortNumber [1] PortNumber
}
-- The CCAddress (LEA IP Address and Port Number) for delivery of content
-- associated with the packet data communication session is pre-provisioned
-- based on mutual agreement between the LEA and the carrier for the
-- CaseIdentity.
-- A single CCAddress may be used to deliver content for all packet data
-- sessions (associated with a caseIdentity) or a unique CCAddress may be
-- used for each packet data session.

CorrelationNumber ::= OCTET STRING

IpAddress ::= CHOICE
{
    ipV4 [1] IPvalue,
    ipV6 [2] IPvalue,
    none [3] NULL
}

IpAssignment ::= ENUMERATED
{
    static  (1),
    dynamic (2),
    unknown (3)
}

IPvalue ::= OCTET STRING (SIZE(4..16))
-- this field will be coded in binary.

LocationInformation ::= OCTET STRING
-- The Location information shall be encoded with Cell
-- Identifier information as specified in TIA/IS-2001.

PacketFilterInformation ::= OCTET STRING
-- Formatted as defined by Packet Filter Content SubOption in
-- TIA-835-C.

PortNumber ::= INTEGER
-- The ports used are pre-provisioned based on mutual
-- agreement between the LEA and the TSP. The well-known
-- ports (0-1023) should not be used.

SessionEstablishmentFailure ::= VisibleString
-- referenced as failureReason in CDMA2000PacketDataSessionEstablishment

SessionTerminationReason ::= VisibleString

SubjectId ::= SET
{
    nai  [1] OCTET STRING,
    msid [2] OCTET STRING
    -- The MSID shall be encoded with an IMSI as specified in
    -- TIA/IS-2001.
}

SystemIdentity ::= CHOICE
{
    ipV4 [1] IPvalue,
    ipV6 [2] IPvalue,
    fqdn [3] OCTET STRING
    -- trailing "." may not be included.
}

END -- of CDMA2000CIIModule
```
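The module is declared with IMPLICIT TAGS, which has one consequence that is easy to get wrong when implementing the CDC encoding by hand: a tag placed on a CHOICE (cdma2000LAESMessageType, IpAddress, SystemIdentity) can never be implicit and is encoded as an explicit constructed wrapper around the chosen alternative, while tags on SEQUENCE, SET, OCTET STRING and ENUMERATED components replace the universal tag. The Python below is an added example, not code from the standard or the original post; it BER-encodes a cdma2000PacketDataSessionEstablishment inside a CDMA2000LAESMessage and parses it back, so the tag layout can be inspected byte by byte. Assumptions not stated in the module on this page: the imported CaseIdentity is a VisibleString, TimeStamp is a GeneralizedTime in UTC, cdma2000ModuleId carries the module's object identifier, and the MSID is written as ASCII IMSI digits.

```python
"""Hand-rolled BER encoder/decoder for CDMA2000LAESMessage carrying a
cdma2000PacketDataSessionEstablishment (module: DEFINITIONS IMPLICIT TAGS).
Added example; assumed: CaseIdentity = VisibleString, TimeStamp = GeneralizedTime (UTC),
cdma2000ModuleId = the module OID, MSID = ASCII IMSI digits."""
import ipaddress
from datetime import datetime, timezone

MODULE_OID = (1, 2, 840, 113737, 2, 0, 1, 0, 0)            # from the module header above
IP_ASSIGNMENT = {"static": 1, "dynamic": 2, "unknown": 3}   # IpAssignment ENUMERATED
IP_ASSIGNMENT_NAMES = {v: k for k, v in IP_ASSIGNMENT.items()}
SAMPLE_TS = datetime(2006, 10, 2, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def ber_len(n):
    """Definite length: short form below 128, otherwise long form with a byte count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ctx(num, constructed=False):
    """Context-specific tag octet (every tag number in the module is below 31)."""
    return 0x80 | (0x20 if constructed else 0) | num


def ber_int(n):
    """Minimal two's-complement INTEGER content octets for non-negative n."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def encode_oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                    # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def ip_choice(addr):
    """IpAddress CHOICE body: ipV4 [1] / ipV6 [2] carry the binary address, none [3] is NULL.
    Callers wrap it in an explicit constructed tag, since a CHOICE cannot be tagged implicitly."""
    if addr is None:
        return tlv(ctx(3), b"")
    ip = ipaddress.ip_address(addr)
    return tlv(ctx(1 if ip.version == 4 else 2), ip.packed)


def parse_tlvs(data):
    """Split BER data into (tag, content) pairs; rejects indefinite lengths and truncation."""
    i, out = 0, []
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated header")
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            n = first & 0x7F
            if n == 0:
                raise ValueError("indefinite length not allowed")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated element")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_ip_choice(body):
    (tag, val), = parse_tlvs(body)
    if tag == ctx(3):
        return None
    if tag not in (ctx(1), ctx(2)):
        raise ValueError("unexpected IpAddress alternative")
    return str(ipaddress.ip_address(val))


def encode_session_establishment(case_id, ts, subject_ip, subject_identity=None,
                                 ip_assignment=None, correlation=None,
                                 failure_reason=None, cc_address=None):
    """Whole CDMA2000LAESMessage; None leaves an OPTIONAL component out, and
    subject_ip=None emits the NULL alternative that Table 1 prescribes on failure."""
    fields = [tlv(ctx(0), case_id.encode("ascii")),                                    # caseIdentity [0]
              tlv(ctx(2), ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")),  # timeStamp [2]
              tlv(ctx(3, True), ip_choice(subject_ip))]                                # subjectIPAddress [3], explicit
    if subject_identity is not None:                                                   # subjectIdentity [4] SET
        nai, msid = subject_identity
        fields.append(tlv(ctx(4, True), tlv(ctx(1), nai.encode("ascii")) + tlv(ctx(2), msid.encode("ascii"))))
    if ip_assignment is not None:                                                      # ipAssignment [5]
        fields.append(tlv(ctx(5), bytes([IP_ASSIGNMENT[ip_assignment]])))
    if correlation is not None:                                                        # correlationNumber [8]
        fields.append(tlv(ctx(8), correlation))
    if failure_reason is not None:                                                     # failureReason [10]
        fields.append(tlv(ctx(10), failure_reason.encode("ascii")))
    if cc_address is not None:                                                         # ccAddress [11] SEQUENCE
        lea_ip, lea_port = cc_address
        fields.append(tlv(ctx(11, True), tlv(ctx(0, True), ip_choice(lea_ip)) + tlv(ctx(1), ber_int(lea_port))))
    establishment = tlv(ctx(0, True), b"".join(fields))   # CHOICE alternative [0]: implicit on a SEQUENCE
    message_type = tlv(ctx(1, True), establishment)      # [1] on the CHOICE: necessarily explicit
    return tlv(0x30, tlv(ctx(0), encode_oid(MODULE_OID)) + message_type)


def decode_session_establishment(msg):
    """Parse the message back into a dict keyed by the module's component names."""
    (tag, seq), = parse_tlvs(msg)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    outer = dict(parse_tlvs(seq))
    (alt, body), = parse_tlvs(outer[ctx(1, True)])
    if alt != ctx(0, True):
        raise ValueError("not a cdma2000PacketDataSessionEstablishment")
    out = {"moduleId": outer[ctx(0)].hex()}
    for tag, val in parse_tlvs(body):
        if tag == ctx(0):
            out["caseIdentity"] = val.decode("ascii")
        elif tag == ctx(2):
            out["timeStamp"] = val.decode("ascii")
        elif tag == ctx(3, True):
            out["subjectIPAddress"] = decode_ip_choice(val)
        elif tag == ctx(4, True):
            ids = dict(parse_tlvs(val))
            out["subjectIdentity"] = {"nai": ids[ctx(1)].decode("ascii"), "msid": ids[ctx(2)].decode("ascii")}
        elif tag == ctx(5):
            out["ipAssignment"] = IP_ASSIGNMENT_NAMES[val[0]]
        elif tag == ctx(8):
            out["correlationNumber"] = val.hex()
        elif tag == ctx(10):
            out["failureReason"] = val.decode("ascii")
        elif tag == ctx(11, True):
            cc = dict(parse_tlvs(val))
            out["ccAddress"] = (decode_ip_choice(cc[ctx(0, True)]), int.from_bytes(cc[ctx(1)], "big", signed=True))
    return out


def example_message():
    """Constructed sample: a successful Simple IPv4 session with content delivery to the LEA."""
    return encode_session_establishment("CASE-0001", SAMPLE_TS, "10.1.2.3",
                                        subject_identity=("user@example.net", "310001234567890"),
                                        ip_assignment="dynamic", correlation=b"\x00\x01",
                                        cc_address=("192.0.2.10", 9001))


def example_failure_message():
    """Constructed sample: establishment failed, so SubjectIPAddress is the NULL alternative."""
    return encode_session_establishment("CASE-0001", SAMPLE_TS, None,
                                        failure_reason="PPP establishment unsuccessful")


if __name__ == "__main__":
    print(example_message().hex())
    print(decode_session_establishment(example_message()))
```

The decoder deliberately refuses indefinite lengths and truncated elements rather than tolerating them; on a delivery channel that the standard leaves without integrity protection, a parser that silently accepts malformed elements is one fewer check on what arrived.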

 

4. Progress on CALEA in the WiMAX NWG

In NWG R1.5 a subteam for LI (lawful intercept) was added, and a TOC document for the NWG specification was provided; it is only a document skeleton, to be filled in during subsequent discussion.

Intel submitted a contribution to the NWG forum, 01003_r000_Lawful_Interception_Intel, describing its understanding of CALEA and providing a CALEA intercept network reference model (NRM), as shown in the figure below:

Two functional entities are introduced into the WiMAX network:

  1. LIA (LI Agent): resides in the ASN and intercepts information related to the subscriber's communications;
  2. LIS (LI Server): a functional entity in the CSN that provides the LIC interface to the outside world and decides which LIA serves, based on the distribution of the monitored subscribers.

The basic LI procedure is described as follows (see the figure below):
 

  • The basic idea is for the LIS to first identify the MS in question based on the input from the law enforcement agency
    • this can happen using photographs of the user, telephone number, IP address or other means
    • beyond the scope of NWG
  • Once the MS is identified, the LIA for the MS is then identified by the LIS.
  • Once the LIA is identified, the LIA sends the security association for the MS session to the LIS, which then sends this to the law enforcement.
  • Then the LIA encapsulates the MS session packets into a tunnel and sends it to the LIS, which then sends it to the LEA.
  • When a handover happens, the LI context is transferred from the serving ASN's LIA to the target ASN's LIA.
    • The target ASN's LIA now establishes the tunnel with the LIS and continues to forward the data of the MS to the LIS.
    • This way the LIS and LEA continue to get the data for the MS despite the MS handover.
  • At some point the LEA may decide to terminate the LI session.

 

 
