The OpenLI Project
OpenLI is a Lawful Intercept software solution written by the WAND Network Research Group at the University of Waikato. OpenLI implements the ETSI standards for the interception of IP and IP Multimedia services.
Development of OpenLI has been funded by a group of NZ services providers who came together in response to an email by Dave Mill to the NZNOG mail list. The primary aim was to meet the requirements of New Zealand's TICSA legislation, but the ETSI standards that have been implemented by OpenLI are also used in many other jurisdictions worldwide, so we expect OpenLI to be of value to international users as well.
How does OpenLI work?
The software is built on top of the libtrace packet processing library and is available under the GPLv3 license. The software implementation takes packet capture directly from the network and packages it into a format suitable for transmission to a law enforcement agency. OpenLI does not attempt to decrypt or inspect the contents (i.e. post-TCP or -UDP headers) of the intercepted packets (excluding SIP and RADIUS packets, which we need to fully parse to identify the appropriate packets to intercept for the target user's session).
The OpenLI Security Model
While security is ultimately the responsibility of the OpenLI user, OpenLI has been designed specifically to limit the potential attack surface that is exposed outside of the deployer's internal domain. A typical OpenLI deployment should be easy to protect through good firewalling and security practices. Almost all interactions with a running OpenLI deployment will use the REST API on the provisioner, which can be authenticated and limited to only necessary personnel.