OpenLI: Lawful Intercept Without the Massive Price Tag

A2 | Fri 25 Jan | 1:30 p.m.–2:15 p.m.

Presented by

  • Shane Alcock

    Shane has been employed as a research programmer for the WAND network research group at the University of Waikato, Hamilton, New Zealand since 2005. His area of expertise is network traffic capture and analysis and has been a major contributor to a number of open source libraries that are designed to facilitate research projects in this field, including libtrace, libprotoident, libflowmanager, libtcpcsm and libwdcap. He has also written a significant portion of the code used in the Active Measurement Project (, including much of the data storage and event detection components of the AMP system. Peer-reviewed publications resulting from Shane's research have appeared at the Internet Measurement Conference and in ACM SIGCOMM Computer Communications Review, as well as other venues. Currently, Shane's time is primarily split between the OpenLI project ( and the STARDUST project ( The former attempts to provide open-source software that network operators can use to meet their lawful intercept requirements in countries where the ETSI standards for lawful intercept are in force. The latter is an upgrade of the capabilities of the UCSD Network Telescope to handle modern traffic rates and support providing live feeds of telescope data to external research partners.


Lawful intercept (LI) obligations for Internet service providers have changed significantly in the past few years. Whereas law enforcement agencies were previously willing to accept a simple pcap trace of customer traffic (typically delivered some number of hours or days of delay) for the requested time period as a valid intercept, new standards for LI, such as the ETSI LI standards, are much more onerous for operators to comply with. Specifically, intercepted traffic must be delivered to the agencies in real time, encapsulated within LI-specific headers and delivered alongside additional meta-data records that describe how and when the target was interacting with the operator's infrastructure (i.e. RADIUS servers, SIP servers, etc.). In New Zealand, all Internet service providers that have at least 4000 subscribers must be capable of delivering an ETSI-compliant intercept (live-streamed) upon receipt of a warrant from a law enforcement agency. Many hardware vendors offer licenses that will enable LI capabilities in their devices, but the cost of these licenses is extremely high. This creates a problem for smaller network operators: how can they meet their LI obligations without bankrupting themselves on vendor licenses? The OpenLI project is a collaboration between the WAND Network Research Group at the University of Waikato and a group of New Zealand network operators aimed at providing an alternative (and much cheaper) way for operators to meet their lawful intercept requirements as defined in New Zealand law. WAND provides the experience and programming expertise to develop an ETSI-compliant software solution that can be used by the operators to meet their LI obligations. In turn, the operators each contribute a relatively small sum of money to cover the cost of the programmer's time and provide access to realistic deployment environments and traffic workloads for testing. The eventual finished software will be released as open-source under a GPL license. This talk will cover a number of relevant topics, including: * The ETSI LI standards and why pcaps aren't good enough anymore. * The LI landscape in New Zealand specifically and how it led to OpenLI being started. * Why hasn't anyone tried to solve LI with OSS before? * Overview of other OSS that OpenLI is built upon. * Design and structure of the OpenLI software. * Interesting anecdotes about tricky problems we've had so far and how we've solved them. * Where the project is at right now. * What you can do to help out, if you are that way inclined. Linux Australia: YouTube: