Standards Supported
OpenLI specifically implements the following ETSI standards:
ETSI TS 101 671 (v3.12.1)
ETSI TS 102 232-1 (v3.5.1)
ETSI TS 102 232-3 (v3.3.1)
ETSI TS 102 232-5 (v3.2.1)
ETSI TS 102 232-7 (v3.3.1)
Adding support for other ETSI standards, or for more recent versions of the ones that we do support, is possible. Please contact us if that is something that you require.
Features of OpenLI
Low Cost: OpenLI is designed to be a low cost alternative for small Internet Service Providers who have to meet government-mandated lawful interception requirements. The OpenLI software can run on a commodity x86 server running Linux and does not require any special hardware, aside from a NIC that supports modern high-performance packet capture methods (such as DPDK or XDP). The OpenLI software itself is free to acquire via the GPLv3 license, although paid support options are available for users that may require them (see below for more detail).
A Complete Flexible Solution: Unlike many other LI systems, OpenLI is not a complete, closed system or appliance, but acts as a set of applications that runs on standard servers. The idea is that the user can use their existing services for monitoring, configuration, backup and deployment to also manage and maintain their OpenLI deployment, rather than having to adapt their services to suit OpenLI. OpenLI can be configured using a simple REST API that is easy to integrate with existing web-based configuration systems, and uses standard systemd techniques for managing services and logging.
Distributed Architecture: OpenLI collector nodes may be distributed throughout your network, allowing you to spread the interception workload across multiple devices, as well as limit the potential impact of individual component failures. This can also help reduce the cost of the nodes, as their individual hardware requirements can remain modest.
Scalable to Multi-Gigabit Networks: While ultimately the performance of the OpenLI software is dependent on the hardware that it is run on, we have put considerable effort into optimising the software to successfully intercept traffic at high packet rates. Individual collector nodes can easily achieve 2Gbps of sustained interception, and additional collector nodes can be used to scale up to higher traffic rates if needed.
Accurate Realtime Data: As per the ETSI standards, OpenLI is capable of buffering intercepted records in the event of a temporary failure of a mediation device. Disk-backed buffering is available on the collector nodes to cover longer outages.
OpenLI supports a variety of high speed packet capture methods that can minimise the likelihood of data loss on the collector nodes, including XDP, DPDK and PF_RING. Packet capture can occur in parallel, and can therefore easily support interception at multi-gigabit traffic rates.
Compatible and Adaptive: OpenLI is able to receive and parse the vendor-specific LI formats produced by Juniper and Nokia networking equipment, and can convert interceptions taken using the LI features on those devices into ETSI-compliant output. Further extensions to support other vendor formats are possible; please contact us if this is something that you require.
OpenLI also supports writing intercepted traffic into regularly rotated pcap files instead of delivery using the ETSI-prescribed handovers, so you can continue to use OpenLI to conduct intercepts for agencies that are not able to receive and parse ETSI handovers.
Privacy: All inter-component communications within an OpenLI system can be encrypted using TLS. Intercept configuration, including target usernames or phone numbers, is stored on the provisioner component only within an encrypted database. Any requests made via the REST API can be restricted to users with suitable authentication credentials and there is no need for that API to be accessible outside of the user's internal network.
The collector nodes do not attempt to decrypt or inspect any application-layer packet contents, with the exception of the session protocols that must be inspected to be able to correlate subsequent traffic back to the intercept target (such as SIP, RADIUS or GTP traffic).
Communications that do not involve an active intercept target are never intercepted, and interception will cease as soon as the intercept instruction is withdrawn by the operator.
Security: While security is ultimately the responsibility of the OpenLI user, OpenLI has been designed specifically to limit the potential attack surface that is exposed outside of the deployer's internal domain. A typical OpenLI deployment should be easy to protect through good firewalling and security practices. Almost all interactions with a running OpenLI deployment will use the REST API on the provisioner, which can be authenticated and limited to only necessary personnel.
Low-Cost Annual Support Fees: The OpenLI team offers users the option of paying an annual support fee for software related issues with OpenLI, such as receiving assistance with any bugs or crashes or implementing minor feature requests. Please contact us if you wish to inquire further about this option.
There are other third-party companies that are able to offer assistance with deploying and maintaining OpenLI within your network. They can assist with choosing hardware to run the OpenLI components on, mirroring traffic into the OpenLI collector nodes and establishing tunnels to the agencies that need to receive interceptions from your network. If you need this type of support, again please reach out to us and we can put you in contact with someone who can help.
Continuous Development to meet the demands of our clients: The OpenLI software continues to be developed and maintained based on feedback from our existing users, and updated versions of the software are released regularly. You can follow our progress on the OpenLI Github repository.
We are happy to take suggestions for new features that you would like to see added to OpenLI, especially if the requester is willing to fund the development costs of that feature. In return, not only do you get the feature you want added to OpenLI but we'll also add you to our list of sponsors so everyone can appreciate your assistance.
Free Training Material: While we strive to make OpenLI as easy to deploy and use as possible, we concede that the learning curve can be somewhat steep for operators. We are currently working on a comprehensive series of tutorials that should teach you everything you need to know about OpenLI and lawful interception in general.
We are also more than happy to answer general questions about OpenLI and how it works -- do not hesitate to contact us if you would like further assistance.
Simple Download: The OpenLI source code can be found on GitHub. This is the best place to file bug reports or feature requests. We've also packaged OpenLI for Debian, Ubuntu, RHEL and Fedora. These packages can be downloaded from our repositories on Cloudsmith. See our OpenLI Wiki page for instructions.
We hope to add support for other packaging systems in the near future - watch this space!
Get OpenLI
The OpenLI source code can be found on GitHub. This is the best place to file bug reports or feature requests.
We've also packaged OpenLI for Debian, Ubuntu, RHEL and Fedora. These packages can be downloaded from our repositories on Cloudsmith. See our OpenLI Wiki page for instructions.
We hope to add support for other packaging systems in the near future - watch this space!
