16 - LTE-EPC Training LawfulInterception VF Avril2012

LTE/EPC training Orange cities
Lawful Interception
Lionel THUAL Orange Labs CORE/M2V/SID
mainly based on a previous version of Jean-Philippe JESTIN
(now FT/OF/DTF/DRIMS/IRS/ICC)
27/04/2012
Orange Labs
France Telecom group restricted
Agenda
Lawful Interception definition

Principles
Existing Networks and Services intercepted
Circuit Networks (PSTN, PLMN)
Data Internet
Services (Ex: IMS)
Security requirements
Implementation for EPS (Evolved Packet System)

Architecture
Provision of IRI and CC
EPS Data Events sent on Handover Interface
Roaming configuration
RFP responses (Cisco, Ericsson, Huawei, NSN)
LTE/EPC training/anne/auteur p2
Principles
Lawful Interception is one of the national obligations imposed to

operators

LI is very often mistaken for Data Retention. The objective of DR

is to store session data's for all subscribers.
LI principle is to duplicate in real time the traffic of one target, and
to send it to Authorities. IRI (Intercepted Related Informations)
and CC (Content of Communications) are delivered.
Main standardization bodies:

Other obligations: Emergency Number, Portability, Data Retentionetc
3GPP SA3-LI for Mobile and IMS,

ETSI TC LI as the leading body,
ETSI TISPAN for NGN networks
Lawful Interception is today implemented in all architectures:

Circuit Network: PLMN and PSTN

IP Network: Mobile Data, Internet
IMS
Generic Reference Model
2 Domains:
LEA : Law Enforcement Agencies (Authorities)
Operator
2 interface types
HI: Handover Interface between Operator and LEA domains
INI: INternal Interfaces in Operator Domain
HI - Handover Interface (1/2)

Historically standardized in ETSI ES 201.671. Delivery to Authorities is

made in TDM
Other standards have been defined for IP delivery definition:
ETSI TC LI committee:
ETSI TS 102.232-1: Handover specification for IP delivery
ETSI TS 102.232-2: Specific details for Email (Unified

Messaging) Services
ETSI TS 102.232-3: Specific details for Internet Access Services
ETSI TS 102.232-4: Specific details for Layer 2 Services
ETSI TS 102.232-5: Specific details for IP Multimedia Services
ETSI TS 102.232-6: Specific details for PSTN/ISDN Services
ETSI TS 102.232-7: Specific details for Mobile Services
3GPP SA3 LI committee:

3GPP TS 33.108: Mobile CS, Mobile PS (GPRS, EPC), IMS, I-WLAN
Orange Labs - Research & Development presentation title date
HI - Handover Interface (2/2)

HI is structured in 3 logical interfaces:

Hi1: Administrative information

LIID (Lawful Interception Identifier),
Start/End, Hi2/Hi3 destination
Hi1 interface can be manual or electronic
Hi2: Intercept Related Information (IRI)

LIID, CIN (Communication Identity Number)
Type of IRI : BEGIN, END, CONTINUE, REPORT
Informations relative to session/signalization events
Certain type of Content (Ex : SMS)
Hi3: Content of Communication

CC
LIID, CIN
Internal Interfaces
Internal Interfaces in operator domain are not standardized, and are thus
proprietary,
These interfaces are named INI-1, INI-2, INI-3 in ETSI standard, and X1, X2, X3 in
3GPP standard.
ADMF
X1
X2
DF2
DF3
X3
Reference Model for LI in ETSI 102.258

Lawful Interception suppliers

Lawful Interception business is shared between 3 types of suppliers:

IAP (Intercept Access Points) suppliers
Located in operator domain

Host IRI-IIF, CCTF and CC-IIF
IIF functions can be either additional software
in existing nodes, or dedicated probes
Ex: Cisco, E///, NSN, ALUetc
Mediation Platform suppliers
Located in operator domain

Host ADMF, DF2 and DF3
Ex: Verint, Utimaco, SS8, Aqsacom, E///, ALU
LEMF suppliers
Located in LEA domain

Ex: ATIS, Thales, Area, Verint etc
ADMF
DF2
DF3
Network Interception (Circuit)

CAA
IAP
target
PSTN
Mediation
Platform
CAA
MSC
HI2
HI3
PLMN
IAP
MSC
target
IAP
Intercept Acces Point
LEMF
Network Interception (Data)

Web
SGSN
GGSN
IAP
PF Wi-Fi
Mobile
PS
IAP
Wi-Fi
Internet
Broadband
BRAS
IAP
Intercept Acces Point
IAP
Mediation
Platform
HI2
HI3
LEMF
Service Interception (Ex: IMS)

Service
Domain
IAP
Mobile
PS
Wi-Fi
X2
X3
Mediation
Platform
HI2
HI3
Internet
Broadband
Note : Residential and Business services are today intercepted !!

LEMF
Implementation for EPS
Security Requirements (1/3)

LI equipments (Mediation Platform and IAP) have obviously

many security constraints
Main security requirements:

Role: Super User dedicated for LI configuration. Other Users are not
allowed to access to LI informations
Target identities encrypted in logs
Lawful Interception Database encrypted
Implementation of Consistency Checking between Mediation Platform

(ADMF) and IAPs.
ADMF compares periodically the list of interceptions configured on ADMF
and IAPs.
If some differences are detected, ADMF orders on IAPs the suppression
or the creation of the interceptions.

LI solution must prevent detection by unauthorized entities:

to ensure that the intercept subject is unable to detect that it is being

intercepted:
able to check IP addresses, traceroute, RTT evaluation

able to check if unusual signalling is occuring on the CPE
able to detect degradation or interruptions in service
the intercept mechanism should not involve noticeable special requests or
re-routing. If possible CC interception should be done along the normal
content path.
prevent unauthorized activation of interception:

elements with access to intercept capabilities and related information
should be carefully controlled & only accesses by authorized
personnel:
interfaces to provision or control LI should have cryptographic
authentification, and be able to correlate the identity of the principals with
the action they are attempting to perform.
carefull design to avoid unauthorized activation of interceptions.

Information protection:
Non disclosure of target information (from any operational

management station, management protocols, CLI, traces, dump)
Non disclosure of IRI:
Transmission of INI2/X2 shall be done in a secure manner (routing through
the network isolated from other traffics. IRI shall not be transmitted "enclair" over the production network.
Non Disclosure of CC:

shall be done in a secure manner.
no transmission over the production network in "en-clair" form.
Logging & auditing are used to detect unauthorized attempts to

access the intercept capability. Logs files may be controlled, retrieved
and maintained by the ADMF in a secure manner. These log files
should not be stored on the interception devices, to avoid being
viewed or detected
Measures must be taken to monitor whatever failures

possibly impacting interception's system.
Agenda

Principles
Data Internet
Services (Ex : IMS)

Architecture
RFP responses (CISCO, Ericsson, Huawei, NSN)
Architecture for E-UTRAN Access

Interception is made on MME, S-GW and PDN-GW
Target identities: IMSI, MSISDN, ME, Intercepting Area (on-going
standardization)
Interception on PDN-GW is a national option, but shall be implemented in
case of roaming.
Operator Domain
LEA Domain
HI2
DF2
LEMF
DF3
Hi3
Architecture for Non-3GPP Access

Interception is made on PDN-GW only
DF2
HI2
DF3
Hi3
LEMF
Operator Domain
LEA Domain
Provision of IRI (Intercept Related Informations)

following events applicable to MME, and sent on X2

interface:

Attach/Detach
Tracking Area Update
UE requested PDN connectivity
UE requested PDN disconnection
X2
DF2
following events applicable to Serving GW and PDN-GW,

and sent on X2 interface:

Bearer activation (Default and Dedicated Bearer)

Start of Intercept with bearer active
Bearer modification
Bearer deactivation
UE requested Bearer Resource Modification
X2
DF2
X2
Elements availables in MME's IRI when

Attach/Detach/Tracking Area Update events
Attach
Detach
Tracking Area Update
LTE EPC training/anne/auteur p19
Elements availables in MME's IRI when

PDN connection/disconnection
PDN Connectivity Request
PDN disconnection Request
Elements available in SGW IRI when

Bearer Activation
Event generated for both default & dedicated bearer (a unique
correlation number per bearer)
Only in case of default bearer activation
N/A for Bearer Active Event
Only in case of dedicated

bearer activation

Bearer deactivation
Event generated for both default & dedicated bearer (a unique
correlation number per bearer)
Only in case of default bearer activation

Bearer Modification
PGW initiated modification
UE initiated modification
Mapped from Flow QoS with octet 1 =0

Present in case of failure
Provision of CC (Content of Communications)

Based on duplication of packets. Duplicated packets with an

additional header are sent to DF3
CC sent by Serving GW and PDN-GW are identical
Informations contained in the header:

Target identity (LIID)

Correlation Number
TimeStamp
Direction (MO or MT)
Target location
DF3
CC/X3 on SGW
Target identity: IMSI, MSISDN, MEI
Intercepted data packets
LI header will contain the following information:
Intercept-id LIID
Timestamp
Sequence Number
IP packet direction
Correlation number (charging-id + intercept node-id)

Mapping between EPS events and HI2 recors type(3GPP

TS 33.108)
E-UTRAN
Access
Non 3GPP
Access
Roaming Architecture
Home Routed Traffic.

Home Network is able to
intercept, but no localization
information available on PDNGW
X2
X2
X3
X2
X3
DF2
HI2
Visited LEA
DF3
DF2
HI2
HI3
LEMF
Home LEA
DF3
HI3
LEMF
Roaming Architecture
No CC Interception possible in
Home Network. H-PCRF could
provide IRI (under study in 3GGP)
Local Breakout
X2
X2
X3
DF2
HI2
Visited LEA
DF3
HI3
LEMF
Agenda

Principles
Data Internet
Services (Ex : IMS)

Architecture
RFP responses (CISCO, Ericsson, Huawei, NSN)
RFP responses
CISCO
HUAWEI
UGW9811
ERICSSON
NSN
EPC Nodes involved

& configuration
needed
MME : ASR5000
SGW : ASR5000
PGW : ASR5000
MME : USN9810
SGW : UGW9811
PGW : UGW9811
MME, SGW and

PGW but no
information on
equipments
MME : Flexi NS
SGW: Flexi NG
PGW: Flexi NG
Mediation Platform
(3rd party or not ?)
X1, X2, X3
interfaces open
to any 3rd party
Mediation
Platform
AQSACOM,
UTIMACO,
VERINT, SS8
LIG (Lawful
Interception
Gateway)
Mediation
Platform imposed
by Huawei.
But MME IOT with
ETI, Verint ,
Utimaco ,SS8
LI-IMS
Mediation
Platform
imposed by
Ericsson
LIG (Lawful
Interception
Gateway)
Mediation
Platform
imposed by
NSN
Interception criteria
IMSI, MSISDN,
ME
IMSI, MSISDN,
ME
IMSI, MSISDN,
ME
IMSI, MSISDN,
ME
Security capabilities
IPsec on X1, X2,

X3
IPsec on X1, X2,

X3
IPsec/SSH on
X1, X2 and X3
Role-based
authority
control.
C. Checking
IPsec/SSH on
X1, X2 and X3
Consistency
Checking
supported
IRI compliancy to
3GPP TS 33.108
Compliant
Compliant
Compliant
Compliant
Thank You

16 - LTE-EPC Training LawfulInterception VF Avril2012

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

16 - LTE-EPC Training LawfulInterception VF Avril2012

Загружено:

Авторское право:

Доступные форматы

LTE/EPC training Orange cities

Lawful Interception definition

Implementation for EPS (Evolved Packet System)

RFP responses (Cisco, Ericsson, Huawei, NSN)

France Telecom group restricted

Lawful Interception definition

Lawful Interception is one of the national obligations imposed to

LI is very often mistaken for Data Retention. The objective of DR

Other obligations: Emergency Number, Portability, Data Retentionetc

3GPP SA3-LI for Mobile and IMS,

Lawful Interception is today implemented in all architectures:

Circuit Network: PLMN and PSTN

France Telecom group restricted

Lawful Interception definition

Generic Reference Model

Lawful Interception definition

HI - Handover Interface (1/2)

Historically standardized in ETSI ES 201.671. Delivery to Authorities is

ETSI TS 102.232-2: Specific details for Email (Unified

3GPP SA3 LI committee:

Orange Labs - Research & Development presentation title date

France Telecom group restricted

Lawful Interception definition

HI - Handover Interface (2/2)

HI is structured in 3 logical interfaces:

Hi1: Administrative information

Hi2: Intercept Related Information (IRI)

Hi3: Content of Communication

Orange Labs - Research & Development presentation title date

France Telecom group restricted

Lawful Interception definition

Orange Labs - Research & Development presentation title date

Reference Model for LI in ETSI 102.258

Lawful Interception definition

Lawful Interception suppliers

Lawful Interception business is shared between 3 types of suppliers:

IAP (Intercept Access Points) suppliers

Located in operator domain

Mediation Platform suppliers

Located in operator domain

Located in LEA domain

France Telecom group restricted

Lawful Interception definition

Network Interception (Circuit)

Intercept Acces Point

France Telecom group restricted

Lawful Interception definition

Network Interception (Data)

Intercept Acces Point

France Telecom group restricted

Lawful Interception definition

Service Interception (Ex: IMS)

Note : Residential and Business services are today intercepted !!

Implementation for EPS

Security Requirements (1/3)

LI equipments (Mediation Platform and IAP) have obviously

Main security requirements:

Target identities encrypted in logs

Lawful Interception Database encrypted

Implementation of Consistency Checking between Mediation Platform

Implementation for EPS

Security Requirements (2/3)

LI solution must prevent detection by unauthorized entities: