16 - lte-epc training lawfulinterception vf avril2012

LTE/EPC training – Orange cities

Lawful Interception

France Telecom group restricted

Orange Labs

Lawful Interception

Lionel THUAL Orange Labs CORE/M2V/SID

mainly based on a previous version of Jean-Philippe JESTIN(now FT/OF/DTF/DRIMS/IRS/ICC)27/04/2012

Agenda

� Lawful Interception definition� Principles

� Existing Networks and Services intercepted• Circuit Networks (PSTN, PLMN)• Data Internet• Services (Ex: IMS)

� Security requirements

� Implementation for EPS (Evolved Packet System)

France Telecom group restrictedLTE/EPC training/année/auteur – p2

� Implementation for EPS (Evolved Packet System)� Architecture� Provision of IRI and CC� EPS Data Events sent on Handover Interface� Roaming configuration

� RFP responses (Cisco, Ericsson, Huawei, NSN)

Principles

� Lawful Interception is one of the national obligations imposed to operators

� Other obligations: Emergency Number, Portability, Data Retention…etc

� LI is very often mistaken for Data Retention. The objective of DR is to store session data's for all subscribers.

� LI principle is to duplicate in real time the traffic of one target, and to send it to Authorities. IRI (Intercepted Related Informations)

Lawful Interception definition


to send it to Authorities. IRI (Intercepted Related Informations) and CC (Content of Communications) are delivered.

� Main standardization bodies:� 3GPP SA3-LI for Mobile and IMS, � ETSI TC LI as the leading body, � ETSI TISPAN for NGN networks

� Lawful Interception is today implemented in all architectures:� Circuit Network: PLMN and PSTN� IP Network: Mobile Data, Internet� IMS

LTE/EPC training/année/auteur – p3

Generic Reference Model



� 2 Domains:

– LEA : Law Enforcement Agencies (Authorities)

– Operator

� 2 interface types

– HI: Handover Interface between Operator and LEA domains

– INI: INternal Interfaces in Operator Domain

HI - Handover Interface (1/2)

� Historically standardized in ETSI ES 201.671. Delivery to Authorities is made in TDM

� Other standards have been defined for IP delivery definition:� ETSI TC LI committee:

�ETSI TS 102.232-1: Handover specification for IP delivery

�ETSI TS 102.232-2: Specific details for Email (Unified Messaging) Services

�ETSI TS 102.232-3: Specific details for Internet Access Services


France Telecom group restrictedOrange Labs - Research & Development -presentation title – date

�ETSI TS 102.232-3: Specific details for Internet Access Services�ETSI TS 102.232-4: Specific details for Layer 2 Services�ETSI TS 102.232-5: Specific details for IP Multimedia Services�ETSI TS 102.232-6: Specific details for PSTN/ISDN Services�ETSI TS 102.232-7: Specific details for Mobile Services

� 3GPP SA3 LI committee:

�3GPP TS 33.108: Mobile CS, Mobile PS (GPRS, EPC), IMS, I-WLAN

HI - Handover Interface (2/2)

� HI is structured in 3 logical interfaces:� Hi1: Administrative information

• LIID (Lawful Interception Identifier),• Start/End, Hi2/Hi3 destination• Hi1 interface can be manual or electronic

� Hi2: Intercept Related Information (IRI)• LIID, CIN (Communication Identity Number)



• Type of IRI : BEGIN, END, CONTINUE, REPORT• Informations relative to session/signalization events• Certain type of Content (Ex : SMS)

� Hi3: Content of Communication• CC• LIID, CIN

Orange Labs - Research & Development -presentation title – date

Internal Interfaces� Internal Interfaces in operator domain are not standardized, and are thus

proprietary,� These interfaces are named INI-1, INI-2, INI-3 in ETSI standard, and X1, X2, X3 in

3GPP standard.

X1ADMF



Reference Model for LI in ETSI 102.258

DF2

DF3

X2

X3

Lawful Interception suppliers� Lawful Interception business is shared between 3 types of suppliers:

� IAP (Intercept Access Points) suppliers

� Located in operator domain � Host IRI-IIF, CCTF and CC-IIF� IIF functions can be either additional softwarein existing nodes, or dedicated probes� Ex: Cisco, E///, NSN, ALU…etc



� Mediation Platform suppliers

� Located in operator domain � Host ADMF, DF2 and DF3� Ex: Verint, Utimaco, SS8, Aqsacom, E///, ALU

– LEMF suppliers

� Located in LEA domain� Ex: ATIS, Thales, Area, Verint …etc

DF2 DF3ADMF

Network Interception (Circuit)

PSTNtarget

CAA

CAA

LEMF

IAP

MediationPlatform

HI2 HI3


France Telecom group restrictedIntercept Acces Point

PLMN

target

LEMF

MSC

MSC

IAP

IAP

Network Interception (Data)

LEMFInternet

Web

IAPSGSNGGSN


France Telecom group restrictedIntercept Acces Point

LEMF

MediationPlatform

IAP

Mobile PS

Wi-Fi

Internet Broadband

IAP

IAP

HI2HI3

PF Wi-Fi

BRAS

Service Interception (Ex: IMS)

LEMF

MediationPlatform

Internet

Service Domain

HI2HI3

X2X3

Mobile

IAP



Note : Residential and Business services are today intercepted !!

LEMFWi-Fi

Internet Broadband

Mobile PS

Security Requirements (1/3)

� LI equipments (Mediation Platform and IAP) have obviously many security constraints

� Main security requirements:

� Role: Super User dedicated for LI configuration. Other Users are not

allowed to access to LI informations

Target identities encrypted in logs

Implementation for EPS


� Target identities encrypted in logs

� Lawful Interception Database encrypted

� Implementation of Consistency Checking between Mediation Platform

(ADMF) and IAPs.

�ADMF compares periodically the list of interceptions configured on ADMF

and IAPs.

�If some differences are detected, ADMF orders on IAPs the suppression

or the creation of the interceptions.


� LI solution must prevent detection by unauthorized entities:� to ensure that the intercept subject is unable to detect that it is being

intercepted:• able to check IP addresses, traceroute, RTT evaluation…• able to check if unusual signalling is occuring on the CPE• able to detect degradation or interruptions in service• the intercept mechanism should not involve noticeable special requests or



re-routing. If possible CC interception should be done along the normal content path.

� prevent unauthorized activation of interception:elements with access to intercept capabilities and related information should be carefully controlled & only accesses by authorized personnel:

• interfaces to provision or control LI should have cryptographic authentification, and be able to correlate the identity of the principals with the action they are attempting to perform.

• carefull design to avoid unauthorized activation of interceptions.


� Information protection:� Non disclosure of target information (from any operational

management station, management protocols, CLI, traces, dump)…� Non disclosure of IRI:

• Transmission of INI2/X2 shall be done in a secure manner (routing through the network isolated from other traffics. IRI shall not be transmitted "en-clair" over the production network.



� Non Disclosure of CC:• shall be done in a secure manner.• no transmission over the production network in "en-clair" form.

� Logging & auditing are used to detect unauthorized attempts to access the intercept capability. Logs files may be controlled, retrieved and maintained by the ADMF in a secure manner. These log files should not be stored on the interception devices, to avoid being viewed or detected

� Measures must be taken to monitor whatever failures possibly impacting interception's system.

Agenda� Lawful Interception definition

� Principles

� Existing Networks and Services intercepted• Circuit Networks (PSTN, PLMN)• Data Internet• Services (Ex : IMS)


� Implementation for EPS (Evolved Packet System)� Architecture� Provision of IRI and CC


� Provision of IRI and CC� EPS Data Events sent on Handover Interface� Roaming configuration

�RFP responses (CISCO, Ericsson, Huawei, NSN)

Architecture for E-UTRAN Access� Interception is made on MME, S-GW and PDN-GW� Target identities: IMSI, MSISDN, ME, Intercepting Area (on-going

standardization)� Interception on PDN-GW is a national option, but shall be implemented in

case of roaming.

HI2

LEA DomainOperator Domain



Hi3

HI2DF2

DF3

LEMF

Architecture for Non-3GPP Access� Interception is made on PDN-GW only



Hi3

HI2DF2

DF3LEMF

LEA DomainOperator Domain

Provision of IRI (Intercept Related Informations)

� following events applicable to MME, and sent on X2 interface:

� Attach/Detach� Tracking Area Update� UE requested PDN connectivity� UE requested PDN disconnection

X2 DF2



� following events applicable to Serving GW and PDN-GW, and sent on X2 interface:

� Bearer activation (Default and Dedicated Bearer)� Start of Intercept with bearer active� Bearer modification� Bearer deactivation� UE requested Bearer Resource Modification

X2

DF2

X2

Elements availables in MME's IRI when Attach/Detach/Tracking Area Update events

Attach Detach


France Telecom group restrictedLTE EPC training/année/auteur – p19

Tracking Area Update

Elements availables in MME's IRI when PDN connection/disconnection

PDN Connectivity Request PDN disconnection Request



Elements available in SGW IRI when Bearer Activation

Event generated for both default & dedicated bearer (a unique correlation number per bearer)

Only in case of default bearer activation



N/A for Bearer Active Event

Only in case of dedicatedbearer activation

Elements available in SGW IRI when Bearer deactivation

Event generated for both default & dedicated bearer (a unique correlation number per bearer)



Only in case of default bearer activation

Elements available in SGW IRI when Bearer Modification

PGW initiated modification UE initiated modification



Mapped from Flow QoS with octet 1 =0

Present in case of failure

Provision of CC (Content of Communications)

� Based on duplication of packets. Duplicated packets with an additional header are sent to DF3

� CC sent by Serving GW and PDN-GW are identical



� Informations contained in the header:� Target identity (LIID)� Correlation Number� TimeStamp� Direction (MO or MT)� Target location

DF3

CC/X3 on SGW

� Target identity: IMSI, MSISDN, MEI� Intercepted data packets� LI header will contain the following information:

� Intercept-id LIID� Timestamp� Sequence Number



� Sequence Number� IP packet direction� Correlation number (charging-id + intercept node-id)

EPS Data Events sent on Handover Interface� Mapping between EPS events and HI2 recors type(3GPP

TS 33.108)

E-UTRANAccess



Non 3GPPAccess

Roaming Architecture

� Home Routed Traffic.Home Network is able to intercept, but no localization information available on PDN-GW


France Telecom group restrictedVisited LEA

LEMFHome LEA

LEMF

DF2 DF3

X2

X2X3

HI3HI2

DF2 DF3

X3X2

HI2 HI3

Roaming Architecture� Local Breakout

No CC Interception possible in Home Network. H-PCRF could provide IRI (under study in 3GGP)


France Telecom group restrictedVisited LEA

LEMF

DF2 DF3

X2

X2X3

HI3HI2

Agenda� Lawful Interception definition

� Principles

� Existing Networks and Services intercepted• Circuit Networks (PSTN, PLMN)• Data Internet• Services (Ex : IMS)


� Implementation for EPS (Evolved Packet System)� Architecture� Provision of IRI and CC


� Provision of IRI and CC� EPS Data Events sent on Handover Interface� Roaming configuration

�RFP responses (CISCO, Ericsson, Huawei, NSN)

RFP responsesCISCO HUAWEI

UGW9811ERICSSON NSN

EPC Nodes involved& configuration needed

MME : ASR5000SGW : ASR5000PGW : ASR5000

MME : USN9810SGW : UGW9811PGW : UGW9811

MME, SGW and PGW but no information on equipments

MME : Flexi NSSGW: Flexi NGPGW: Flexi NG

Mediation Platform(3rd party or not ?)

X1, X2, X3 interfaces open to any 3rd party Mediation PlatformAQSACOM, UTIMACO, VERINT, SS8

LIG (Lawful Interception Gateway)Mediation Platform imposed by Huawei.But MME IOT with ETI, Verint ,

LI-IMSMediation Platform imposed by Ericsson

LIG (Lawful Interception Gateway)Mediation Platform imposed by NSN


VERINT, SS8 ETI, Verint , Utimaco ,SS8

Interception criteria IMSI, MSISDN, ME

IMSI, MSISDN, ME

IMSI, MSISDN, ME

IMSI, MSISDN, ME

Security capabilities IPsec on X1, X2, X3

IPsec on X1, X2, X3

IPsec/SSH on X1, X2 and X3 Role-based authority control.C. Checking

IPsec/SSH on X1, X2 and X3 Consistency Checking supported

IRI compliancy to 3GPP TS 33.108

Compliant Compliant Compliant Compliant

Thank You


Thank You

16 - lte-epc training lawfulinterception vf avril2012

Documents

specific details

gpp ts

ip delivery etsi ts

mobile data

pstnisdn servicesetsi

ip multimedia servicesetsi

mobile services

wlanhi handover interface