OpenLI-NZ
diff --git a/‎doc/CollectorDoc.md‎
Lines changed: 52 additions & 1 deletion b/‎doc/CollectorDoc.md‎
Lines changed: 52 additions & 1 deletion
diff --git a/‎doc/ProvisionerDoc.md‎
Lines changed: 48 additions & 2 deletions b/‎doc/ProvisionerDoc.md‎
Lines changed: 48 additions & 2 deletions
diff --git a/‎doc/exampleconfigs/collector-example.yaml‎
Lines changed: 21 additions & 0 deletions b/‎doc/exampleconfigs/collector-example.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎doc/exampleconfigs/running-intercept-example.yaml‎
Lines changed: 44 additions & 0 deletions b/‎doc/exampleconfigs/running-intercept-example.yaml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/Makefile.am‎
Lines changed: 1 addition & 1 deletion b/‎src/Makefile.am‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/collector/alushim_parser.c‎
Lines changed: 54 additions & 31 deletions b/‎src/collector/alushim_parser.c‎
Lines changed: 54 additions & 31 deletions
diff --git a/‎src/collector/alushim_parser.h‎
Lines changed: 2 additions & 0 deletions b/‎src/collector/alushim_parser.h‎
Lines changed: 2 additions & 0 deletions
@@ -117,8 +117,11 @@ intercept targets across them.
 
 
 ### Nokia Mirror Configuration
+NOTE: Nokia mirrored traffic can also be handled using a UDP Sink (see below
+for more information).
+
 If you are using OpenLI to translate the intercept records produced by
-Alcatel-Lucent devices into ETSI-compliant output, any collectors that
+Nokia / Alcatel-Lucent devices into ETSI-compliant output, any collectors that
 are expected to receive mirrored copies of the Nokia intercept records need
 to be able to identify which packets are encapsulated records to be
 translated.
@@ -133,6 +136,9 @@ Note that in this context, the sink refers to the destination IP address
 and port of the mirrored Nokia traffic.
 
 ### Juniper Mirror Configuration
+NOTE: JMirror traffic can also be handled using a UDP Sink (see below
+for more information).
+
 If you are using Juniper Packet Mirroring (a.k.a. JMirror) to mirror intercepted
 traffic into an OpenLI collector, you will need to configure OpenLI with the
 IP address and port that the mirrored traffic is being sent to so that the
@@ -186,6 +192,40 @@ are not spoofed (maybe because the SIP is being generated from inside your
 network) and you are unable to include any of the more reliable fields in
 your SIP traffic.
 
+### UDP Sinks
+Many networking equipment vendors offer a limited lawful interception
+capability on their devices that can siphon copies of traffic for a
+particular network user (i.e. an intercept target) to a pre-defined destination.
+These streams typically encapsulate the captured traffic in IP/UDP, and may
+also include a small shim header at the beginning of the datagram payload.
+
+OpenLI collectors can act as the destination for these UDP streams, whereby
+the collector can be configured to listen on certain UDP ports for datagrams.
+We call these IP/port pairs "UDP sinks". Then, in the intercept configuration,
+tell OpenLI which UDP sinks will be the recipients of traffic for the target
+user. Finally, when you configure the mirroring on your router/device, set the
+destination to be the IP address and UDP port that you designated as the
+corresponding sink on your collector.
+
+The OpenLI collector will then assume any traffic delivered to it on the
+IP address and UDP port of the specified sink(s) must belong to the target
+of the associated intercept, and automatically intercept and encode each
+packet accordingly.
+
+Important notes:
+ * each UDP sink on a collector can only be associated with at most one
+   intercept at a time, but you may have multiple sinks attached to a single
+   intercept (e.g. to handle cases where inbound and outbound traffic were
+   mirrored separately).
+ * UDP sinks currently only support IP intercepts, not VoIP or email
+   intercepts.
+ * vendmirrorid configuration is not required for IP intercepts that use UDP
+   sinks, and in fact no checking of the intercept ID in the post-UDP shim
+   is performed at all.
+ * UDP sinks without an attached intercept will remain idle until an
+   intercept is assigned to it via the provisioner.
+
+
 ### Configuration Syntax
 All config options aside from the input configuration are standard YAML
 key-value pairs, where the key is the option name and the value is your chosen
@@ -303,6 +343,17 @@ elements:
 * ip -- the IP address of the device that received the mirrored traffic
 * port -- the port that the sink was listening on for mirrored traffic
 
+---
+
+UDP sinks are defined a YAML sequence with a key of `udpsinks:`. Each sequence
+item describes a single listening UDP sink instance and must contain the
+following three key-value elements:
+* listenaddr -- the IP address of the interface to consume UDP mirror traffic on
+* listenport -- the port number to receive UDP mirror traffic on
+* identifier -- an identifier string that is unique to this particular
+                collector (in case another collector is also listening on the
+                exact same IP address and port).
+
 
 ### Email interception options
 
 
@@ -242,6 +242,13 @@ used to identify the intercept target.
 * Static IPs -- if the target has a static IP (range), you can use this
   parameter to tell OpenLI which IPs belong to the target.
 
+Alternatively, you can configure your OpenLI collectors to act as the
+recipient for one of the vendor mirrored streams over UDP. If you wish to use
+this approach, you can tell OpenLI which of the collector UDP sinks you intend
+to use as a destination for the mirrored stream(s) and any packets that
+arrive at those UDP sinks will be de-encapsulated and intercepted as part of
+this IP intercept.
+
 If you are relying solely on the User as the target identification method, you
 will need to ensure that the OpenLI collectors receive a copy of all RADIUS
 traffic relating to the subscribers whose IP traffic will be passing that
@@ -639,21 +646,60 @@ Optional key-value elements for an IP intercept are:
                            mirroring platform for the target user.
                            (only for re-encoding ALU or JMirror intercepts as
                            ETSI)
+* `udpsinks`              -- the set of collector UDP sinks that should be
+                             used to intercept mirrored traffic for this
+                             intercept.
+
+`udpsinks:` are expressed as a YAML list: one list item per UDP sink that
+you want to attach to this intercept. Each list item is a YAML map containing
+the following key-value elements:
+
+    * `collectorid`         -- the collector instance that the UDP sink is
+                               running on. This should match the `identifier`
+                               field in the corresponding UDP sink configuration
+                               on that collector.
+    * `listenaddr`          -- the IP address that the UDP sink is listening on.
+    * `listenport`          -- the UDP port that the UDP sink is listening on.
+    * `sessionid`           -- the session ID (also known as CIN) to use when
+                               encoding traffic intercepted via this UDP sink.
+                               Only applies if the encapsulation format does
+                               not include a session ID already.
+    * `direction`           -- if the encapsulation format does not include
+                               a direction tag on each mirrored packet, packets
+                               received by this UDP sink will be tagged as
+                               travelling in this direction relative to the
+                               intercept target. Possible values are `from`,
+                               `to`, and `both` -- default is `both`.
+    * `encapsulation`       -- the format of the post-UDP shim header that
+                               precedes the mirrored packet content (if any).
+                               Supported values are `raw` (i.e. no shim),
+                               `jmirror`, `nokia` and `cisco`. Default is `raw`.
+    * `sourcehost`          -- if set, the UDP sink will only intercept packets
+                               that originate from this source IP address. May
+                               be set to `any` to allow any source IP (be
+                               careful!).
+    * `sourceport`          -- if set, the UDP sink will only intercept packet
+                               that have a source port matching this number.
+                               May be set to 0 to allow any source port
+                               number (be careful!).
+
+
 * `staticips`             -- a list of IP ranges that are known to have been
                            assigned to the target.
 
 `staticips:` are expressed as a YAML list: one list item per IP range that
 is associated with the target. Each list item is a YAML map containing the
 following key-value elements:
 
-* `iprange`               -- the IP range, expressed in CIDR notation. If a
+    * `iprange`               -- the IP range, expressed in CIDR notation. If a
                              single address (i.e. no subnet) is given, a /32
                              or /128 mask will be added automatically.
-* `sessionid`             -- the session ID (also known as CIN) to associate
+    * `sessionid`             -- the session ID (also known as CIN) to associate
                              with intercepts for this address range. See
                              example config for more information about the
                              meaning of this field.
 
+
 ---
 A VOIP intercept must contain the following key-value elements:
 
 
@@ -192,3 +192,24 @@ x2x3inputs:
  - listenaddr: 10.230.1.1
    listenport: 25000
    certfile: /etc/openli/openli-collector-crt.pem
+
+
+# List of IP/port pairs to act as sinks for intercepted traffic sent by
+# vendor equipment using the vendor's custom UDP-encapsulated format.
+#
+# Note: identifier should be unique to this collector, as it is used to
+# disambiguate between UDP sinks on other collectors that might just also
+# happen to be using the same RFC1918 addresses for UDP sinks.
+udpsinks:
+ - identifier: collector01
+   listenaddr: 10.230.1.200
+   listenport: 17870
+
+ - identifier: collector01
+   listenaddr: 10.230.1.200
+   listenport: 17871
+
+ - identifier: collector01
+   listenaddr: 10.230.1.200
+   listenport: 17872
+
@@ -148,6 +148,50 @@ ipintercepts:
    agencyid: "Police"           # ID of agency to send intercept to
    accesstype: "LAN"            # Access tech used by the target to access IP
 
+# This intercept is also consuming a FlowTapLite packet stream into an
+# ETSI-compliant intercept. In this case, we are using a UDP sink instance
+# on the collector to act as the destination for the mirrored stream.
+# Because the mirrored stream is being sent to the collector directly, we
+# do not need to provide the intercept ID using `vendmirrorid`, as we
+# can safely assume that any UDP packets arriving on the UDP sink from the
+# designated source belong to the intercept we are configuring here.
+# FlowTapLite does not include a post-UDP shim in its encapsulation, so
+# we configure it as `raw` in this case. Nokia, Juniper Mirroring, and Cisco
+# are all also supported encapsulation formats.
+
+ - liid: OAPP9321HN             # LIID, should be provided by requesting agency
+   authcountrycode: NZ          # Authorisation country code
+   deliverycountrycode: NZ      # Delivery country code
+   user: "lexluthor"            # Username identifying the target in your AAA
+   mediator: 6001               # ID of the mediator to send intercept via
+   agencyid: "Spooks"           # ID of agency to send intercept to
+   accesstype: "ADSL"           # Access tech used by the target to access IP
+   udpsinks:
+    - collectorid: "collector01"    # The collector where this sink is running
+      listenaddr: "10.230.1.200"    # The IP address where the sink is listening
+      listenport: 17870             # The UDP port where the sink is listening
+      encapsulation: "raw"          # No shim header to strip
+      direction: "to"               # Tag all traffic on this sink as "to the
+                                    # intercept target"
+      sessionid: 1200               # Use 1200 as the CIN for this intercept
+      sourcehost: "10.230.1.1"      # Only intercept packets coming from this IP
+      sourceport: 9999              # Only intercept packets where the source
+                                    # port is this number
+    - collectorid: "collector02"    # The collector where this sink is running
+      listenaddr: "10.230.1.200"    # The IP address where the sink is listening
+      listenport: 17872             # The UDP port where the sink is listening
+      encapsulation: "raw"          # No shim header to strip
+      direction: "from"             # Tag all traffic on this sink as "from the
+                                    # intercept target"
+      sessionid: 1200               # Use 1200 as the CIN for this intercept
+      sourcehost: "10.230.1.1"      # Only intercept packets coming from this IP
+      sourceport: 8888              # Only intercept packets where the source
+                                    # port is this number
+
+# ^ Note that some encapsulation formats include a session ID and/or direction
+# in their shim headers -- in those cases, OpenLI will use the values
+# derived from the headers rather than those provided in the configuration here.
+
 # This intercept will attempt to intercept all IP traffic for a mobile
 # phone user, using GTPv2 packets to detect the start and end of the target's
 # sessions. Note that the accesstype must be set to "mobile". The user field
 
@@ -90,7 +90,7 @@ openlicollector_SOURCES=collector/collector.c \
                 collector/sip_worker_redirection.c \
 				collector/sip_worker_redirection.h \
 				collector/x2x3_ingest.c collector/x2x3_ingest.h \
-				collector/x2x3_cond_attrs.c \
+				collector/x2x3_cond_attrs.c collector/udp_sink_worker.c \
                 $(PLUGIN_SRCS)
 
 openlicollector_LDADD = @ADD_LIBS@ -L$(abs_top_srcdir)/extlib/libpatricia/.libs 
 
@@ -60,7 +60,6 @@ static inline uint32_t alushim_get_interceptid(alushimhdr_t *aluhdr) {
 static inline int alushim_get_direction(alushimhdr_t *aluhdr) {
 
     uint32_t intid = ntohl(aluhdr->interceptid);
-
     /* In ETSI, 0 = from target, 1 = to target, 2 = unknown */
     /* In ALU, 0 = ingress (from subscriber), 1 = egress (to subscriber) */
 
@@ -83,38 +82,24 @@ static inline int alushim_get_direction(alushimhdr_t *aluhdr) {
     return 2;
 }
 
-int check_alu_intercept(colthread_local_t *loc,
-        libtrace_packet_t *packet, packet_info_t *pinfo,
-        coreserver_t *alusources, vendmirror_intercept_list_t *aluints) {
+uint8_t *decode_alushim_from_udp_payload(uint8_t *payload, uint32_t plen,
+        uint32_t *cin, uint8_t *dir, uint32_t *shimintid, uint32_t *bodylen) {
+
 
-    coreserver_t *cs;
-    vendmirror_intercept_t *alu, *tmp;
-    vendmirror_intercept_list_t *vmilist;
     uint16_t ethertype;
     alushimhdr_t *aluhdr = NULL;
-    uint32_t rem = 0, shimintid, cin;
     void *l3, *l2;
+    uint32_t rem = plen;
 
-    if ((cs = match_packet_to_coreserver(alusources, pinfo, 1)) == NULL) {
-        return 0;
-    }
-
-    /* Extract the intercept ID, direction and session ID */
-    aluhdr = (alushimhdr_t *)get_udp_payload(packet, &rem, NULL, NULL);
+    aluhdr = (alushimhdr_t *)payload;
     if (!aluhdr || rem < sizeof(alushimhdr_t)) {
-        return 0;
+        return NULL;
     }
 
-    shimintid = alushim_get_interceptid(aluhdr);
-
-    /* See if the intercept ID is in our set of intercepts */
-    HASH_FIND(hh, aluints, &shimintid, sizeof(shimintid), vmilist);
-    if (vmilist == NULL) {
-        return 0;
-    }
+    *shimintid = alushim_get_interceptid(aluhdr);
 
     /* Strip the extra headers + shim */
-    l2 = ((char *)aluhdr) + sizeof(alushimhdr_t);
+    l2 = ((uint8_t *)aluhdr) + sizeof(alushimhdr_t);
     rem -= sizeof(alushimhdr_t);
 
     /* TODO add support for layer 3 only intercepts? */
@@ -139,28 +124,67 @@ int check_alu_intercept(colthread_local_t *loc,
                 continue;
             case TRACE_ETHERTYPE_ARP:
                 /* Probably shouldn't be intercepting ARP */
-                return 0;
+                return NULL;
             case TRACE_ETHERTYPE_IP:
             case TRACE_ETHERTYPE_IPV6:
                 break;
             default:
-                return 0;
+                return NULL;
         }
         break;
     }
 
     if (!l3 || rem == 0) {
         logger(LOG_INFO,
-                "Warning: unable to find IP header of ALU-intercepted packet from mirror (ID: %u)",
-                cs->serverkey, shimintid);
-        return -1;
+                "Warning: unable to find IP header of ALU-intercepted packet from mirror (ID: %u)", *shimintid);
+        return NULL;
+    }
+
+    /* Use the session ID from the shim as the CIN */
+    *cin = ntohl(aluhdr->sessionid);
+    *dir = alushim_get_direction(aluhdr);
+    *bodylen = rem;
+    return l3;
+}
+
+int check_alu_intercept(colthread_local_t *loc,
+        libtrace_packet_t *packet, packet_info_t *pinfo,
+        coreserver_t *alusources, vendmirror_intercept_list_t *aluints) {
+
+    coreserver_t *cs;
+    vendmirror_intercept_t *alu, *tmp;
+    vendmirror_intercept_list_t *vmilist;
+    uint32_t rem = 0, shimintid, cin, bodylen;
+    void *l3;
+    uint8_t *payload = NULL;
+    uint8_t direction;
+
+    if ((cs = match_packet_to_coreserver(alusources, pinfo, 1)) == NULL) {
+        return 0;
+    }
+
+    /* Extract the intercept ID, direction and session ID */
+    payload = get_udp_payload(packet, &rem, NULL, NULL);
+    if (!payload || rem < sizeof(alushimhdr_t)) {
+        return 0;
+    }
+
+    l3 = decode_alushim_from_udp_payload(payload, rem, &cin, &direction,
+            &shimintid, &bodylen);
+    if (!l3) {
+        return 0;
+    }
+
+    /* See if the intercept ID is in our set of intercepts */
+    HASH_FIND(hh, aluints, &shimintid, sizeof(shimintid), vmilist);
+    if (vmilist == NULL) {
+        return 0;
     }
 
     /* Direction 0 = ingress (i.e. coming from the subscriber) */
 
     /* Use the session ID from the shim as the CIN */
     /* TODO double check that this will be available in the RADIUS stream */
-    cin = ntohl(aluhdr->sessionid);
 
     HASH_ITER(hh, vmilist->intercepts, alu, tmp) {
         if (pinfo->tv.tv_sec < alu->common.tostart_time) {
@@ -173,8 +197,7 @@ int check_alu_intercept(colthread_local_t *loc,
 
         /* Create an appropriate IPCC and export it */
         if (push_vendor_mirrored_ipcc_job(loc->zmq_pubsocks[0], &(alu->common),
-                trace_get_timeval(packet), cin, alushim_get_direction(aluhdr),
-                l3, rem) == 0) {
+                trace_get_timeval(packet), cin, direction, l3, bodylen) == 0) {
             /* for some reason, we failed to create or send the IPCC to
              * the sequencing thread? */
 
 
@@ -31,6 +31,8 @@
 #include "coreserver.h"
 #include "intercept.h"
 
+uint8_t *decode_alushim_from_udp_payload(uint8_t *payload, uint32_t plen,
+        uint32_t *cin, uint8_t *dir, uint32_t *shimintid, uint32_t *bodylen);
 int check_alu_intercept(colthread_local_t *loc,
         libtrace_packet_t *packet, packet_info_t *pinfo,
         coreserver_t *alusources, vendmirror_intercept_list_t *aluints);