16 - lte-epc training lawfulinterception vf avril2012
LTE EPC Training
LTE/EPC training – Orange cities
Lawful Interception
France Telecom group restricted
Orange Labs
Lionel THUAL Orange Labs CORE/M2V/SID
mainly based on a previous version by Jean-Philippe JESTIN (now FT/OF/DTF/DRIMS/IRS/ICC)
27/04/2012
Agenda
• Lawful Interception definition
  – Principles
  – Existing Networks and Services intercepted
    • Circuit Networks (PSTN, PLMN)
    • Data Internet
    • Services (Ex: IMS)
• Security requirements
• Implementation for EPS (Evolved Packet System)
  – Architecture
  – Provision of IRI and CC
  – EPS Data Events sent on Handover Interface
  – Roaming configuration
• RFP responses (Cisco, Ericsson, Huawei, NSN)
Lawful Interception definition
Principles
• Lawful Interception (LI) is one of the national obligations imposed on operators.
• Other obligations: Emergency Number, Portability, Data Retention, etc.
• LI is very often mistaken for Data Retention (DR). The objective of DR is to store session data for all subscribers.
• The LI principle is to duplicate in real time the traffic of one target, and to send it to Authorities. IRI (Intercept Related Information) and CC (Content of Communications) are delivered.
• Main standardization bodies:
  – 3GPP SA3-LI for Mobile and IMS
  – ETSI TC LI as the leading body
  – ETSI TISPAN for NGN networks
• Lawful Interception is today implemented in all architectures:
  – Circuit Network: PLMN and PSTN
  – IP Network: Mobile Data, Internet
  – IMS
Generic Reference Model
• 2 Domains:
  – LEA: Law Enforcement Agencies (Authorities)
  – Operator
• 2 interface types:
  – HI: Handover Interface between Operator and LEA domains
  – INI: INternal Interfaces in Operator Domain
HI - Handover Interface (1/2)
• Historically standardized in ETSI ES 201.671. Delivery to Authorities is made in TDM.
• Other standards have been defined for IP delivery:
  – ETSI TC LI committee:
    • ETSI TS 102.232-1: Handover specification for IP delivery
    • ETSI TS 102.232-2: Specific details for Email (Unified Messaging) Services
    • ETSI TS 102.232-3: Specific details for Internet Access Services
    • ETSI TS 102.232-4: Specific details for Layer 2 Services
    • ETSI TS 102.232-5: Specific details for IP Multimedia Services
    • ETSI TS 102.232-6: Specific details for PSTN/ISDN Services
    • ETSI TS 102.232-7: Specific details for Mobile Services
  – 3GPP SA3 LI committee:
    • 3GPP TS 33.108: Mobile CS, Mobile PS (GPRS, EPC), IMS, I-WLAN
HI - Handover Interface (2/2)
• HI is structured in 3 logical interfaces:
  – Hi1: Administrative information
    • LIID (Lawful Interception Identifier)
    • Start/End, Hi2/Hi3 destination
    • Hi1 interface can be manual or electronic
  – Hi2: Intercept Related Information (IRI)
    • LIID, CIN (Communication Identity Number)
    • Type of IRI: BEGIN, END, CONTINUE, REPORT
    • Information relative to session/signalling events
    • Certain types of Content (Ex: SMS)
  – Hi3: Content of Communication
    • CC
    • LIID, CIN
Internal Interfaces
• Internal Interfaces in operator domain are not standardized, and are thus proprietary.
• These interfaces are named INI-1, INI-2, INI-3 in ETSI standard, and X1, X2, X3 in 3GPP standard.
[Figure: Reference Model for LI in ETSI 102.258; labels: ADMF, DF2, DF3, X1, X2, X3]
Lawful Interception suppliers
• Lawful Interception business is shared between 3 types of suppliers:
  – IAP (Intercept Access Points) suppliers
    • Located in operator domain
    • Host IRI-IIF, CCTF and CC-IIF
    • IIF functions can be either additional software in existing nodes, or dedicated probes
    • Ex: Cisco, E///, NSN, ALU, etc.
  – Mediation Platform suppliers
    • Located in operator domain
    • Host ADMF, DF2 and DF3
    • Ex: Verint, Utimaco, SS8, Aqsacom, E///, ALU
  – LEMF suppliers
    • Located in LEA domain
    • Ex: ATIS, Thales, Area, Verint, etc.
Network Interception (Circuit)
[Figure; labels: PSTN target, CAA, PLMN target, MSC, IAP (Intercept Access Point), Mediation Platform, HI2, HI3, LEMF]
Network Interception (Data)
[Figure; labels: Internet, Web, Mobile PS, SGSN, GGSN, Wi-Fi, PF Wi-Fi, Internet Broadband, BRAS, IAP (Intercept Access Point), Mediation Platform, HI2, HI3, LEMF]
Service Interception (Ex: IMS)
[Figure; labels: Mobile, Mobile PS, Wi-Fi, Internet Broadband, Internet, Service Domain, IAP, X2, X3, Mediation Platform, HI2, HI3, LEMF]
Note: Residential and Business services are today intercepted!!
Implementation for EPS
Security Requirements (1/3)
• LI equipment (Mediation Platform and IAP) obviously has many security constraints.
• Main security requirements:
  – Role: Super User dedicated to LI configuration. Other users are not allowed to access LI information
  – Target identities encrypted in logs
  – Lawful Interception Database encrypted
  – Implementation of Consistency Checking between Mediation Platform (ADMF) and IAPs:
    • ADMF periodically compares the list of interceptions configured on ADMF and on IAPs.
    • If differences are detected, ADMF orders the deletion or the creation of the interceptions on the IAPs.
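The consistency check described above, sketched as an added example (not from the original slides or from any vendor's product). It assumes each IAP can report its interception list as LIID-to-target pairs and that every ADMF entry should exist on every IAP; a keyed HMAC pseudonym stands in for the "encrypted" target identity in log entries. All names and sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample data (not real identities): LIID -> target IMSI.
LOG_KEY = b"constructed-demo-key"
ADMF_LIST = {"LIID-001": "208010000000001", "LIID-002": "208010000000002"}
IAP_LISTS = {
    "mme-1": {"LIID-001": "208010000000001", "LIID-002": "208010000000002"},
    "sgw-1": {"LIID-001": "208010000000001", "LIID-777": "208010000000099"},
    "pgw-1": {"LIID-001": "208010000000001", "LIID-002": "208010000000003"},
}

def pseudonym(identity, key):
    """Keyed, non-reversible stand-in for a target identity in log entries."""
    return hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]

def reconcile(admf, iap_lists, key):
    """Return (orders, audit): orders realign each IAP with the ADMF list."""
    orders, audit = [], []
    for node in sorted(iap_lists):
        on_iap = iap_lists[node]
        for liid in sorted(set(admf) | set(on_iap)):
            want, have = admf.get(liid), on_iap.get(liid)
            if want == have:
                continue
            if want is None:
                reason = "not_on_admf"      # possible unauthorized activation
            elif have is None:
                reason = "missing_on_iap"   # interception lost on the node
            else:
                reason = "target_mismatch"  # same LIID, different target
            steps = []
            if have is not None:
                steps.append(("DELETE", have))
            if want is not None:
                steps.append(("CREATE", want))
            for action, identity in steps:
                orders.append((node, action, liid))
                audit.append({"node": node, "action": action, "liid": liid,
                              "reason": reason,
                              "target": pseudonym(identity, key)})
    return orders, audit

def alerts(audit):
    """Entries for human review: interceptions the ADMF never ordered."""
    return [e for e in audit if e["reason"] == "not_on_admf"]
```

Entries returned by `alerts` are the ones that tie this check to the unauthorized-activation requirement: an interception present on a node with no matching ADMF record.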
Security Requirements (2/3)
• LI solution must prevent detection by unauthorized entities:
  – to ensure that the intercept subject is unable to detect that it is being intercepted:
    • able to check IP addresses, traceroute, RTT evaluation…
    • able to check if unusual signalling is occurring on the CPE
    • able to detect degradation or interruptions in service
    • the intercept mechanism should not involve noticeable special requests or re-routing. If possible, CC interception should be done along the normal content path.
  – prevent unauthorized activation of interception: elements with access to intercept capabilities and related information should be carefully controlled and only accessed by authorized personnel:
    • interfaces to provision or control LI should have cryptographic authentication, and be able to correlate the identity of the principals with the action they are attempting to perform.
    • careful design to avoid unauthorized activation of interceptions.
Security Requirements (3/3)
• Information protection:
  – Non-disclosure of target information (from any operational management station, management protocols, CLI, traces, dump…)
  – Non-disclosure of IRI:
    • Transmission of INI2/X2 shall be done in a secure manner (routing through a network isolated from other traffic). IRI shall not be transmitted in clear over the production network.
  – Non-disclosure of CC:
    • shall be done in a secure manner.
    • no transmission over the production network in clear form.
• Logging & auditing are used to detect unauthorized attempts to access the intercept capability. Log files may be controlled, retrieved and maintained by the ADMF in a secure manner. These log files should not be stored on the interception devices, to avoid being viewed or detected.
• Measures must be taken to monitor any failures that could impact the interception system.
Architecture for E-UTRAN Access
• Interception is made on MME, S-GW and PDN-GW
• Target identities: IMSI, MSISDN, ME, Intercepting Area (on-going standardization)
• Interception on PDN-GW is a national option, but shall be implemented in case of roaming.
[Figure; labels: Operator Domain, LEA Domain, DF2, DF3, HI2, Hi3, LEMF]
Architecture for Non-3GPP Access
• Interception is made on PDN-GW only
[Figure; labels: Operator Domain, LEA Domain, DF2, DF3, HI2, Hi3, LEMF]
Provision of IRI (Intercept Related Information)
• The following events are applicable to MME, and sent on X2 interface:
  – Attach/Detach
  – Tracking Area Update
  – UE requested PDN connectivity
  – UE requested PDN disconnection
• The following events are applicable to Serving GW and PDN-GW, and sent on X2 interface:
  – Bearer activation (Default and Dedicated Bearer)
  – Start of Intercept with bearer active
  – Bearer modification
  – Bearer deactivation
  – UE requested Bearer Resource Modification
[Figure; labels: X2, DF2]
Elements available in MME's IRI for Attach/Detach/Tracking Area Update events
[Tables: Attach, Detach, Tracking Area Update]
Elements available in MME's IRI for PDN connection/disconnection
[Tables: PDN Connectivity Request, PDN disconnection Request]
Elements available in SGW IRI on Bearer Activation
[Table; surviving annotations:]
• Event generated for both default & dedicated bearer (a unique correlation number per bearer)
• Only in case of default bearer activation
• N/A for Bearer Active Event
• Only in case of dedicated bearer activation
Elements available in SGW IRI on Bearer deactivation
[Table; surviving annotations:]
• Event generated for both default & dedicated bearer (a unique correlation number per bearer)
• Only in case of default bearer activation
Elements available in SGW IRI on Bearer Modification
[Tables: PGW initiated modification, UE initiated modification; surviving annotations:]
• Mapped from Flow QoS with octet 1 = 0
• Present in case of failure
Provision of CC (Content of Communications)
• Based on duplication of packets. Duplicated packets with an additional header are sent to DF3
• CC sent by Serving GW and PDN-GW are identical
• Information contained in the header:
  – Target identity (LIID)
  – Correlation Number
  – TimeStamp
  – Direction (MO or MT)
  – Target location
CC/X3 on SGW
• Target identity: IMSI, MSISDN, MEI
• Intercepted data packets
• LI header will contain the following information:
  – Intercept-id LIID
  – Timestamp
  – Sequence Number
  – IP packet direction
  – Correlation number (charging-id + intercept node-id)
EPS Data Events sent on Handover Interface
• Mapping between EPS events and HI2 record types (3GPP TS 33.108)
[Tables: E-UTRAN Access, Non-3GPP Access]
Roaming Architecture
• Home Routed Traffic. Home Network is able to intercept, but no localization information is available on PDN-GW
[Figure; labels: Visited LEA, Home LEA, LEMF, DF2, DF3, X2, X3, HI2, HI3]
Roaming Architecture
• Local Breakout. No CC Interception possible in Home Network. H-PCRF could provide IRI (under study in 3GPP)
[Figure; labels: Visited LEA, LEMF, DF2, DF3, X2, X3, HI2, HI3]
RFP responses
• EPC Nodes involved & configuration needed
  – Cisco: MME: ASR5000; SGW: ASR5000; PGW: ASR5000
  – Huawei: MME: USN9810; SGW: UGW9811; PGW: UGW9811
  – Ericsson: MME, SGW and PGW but no information on equipment
  – NSN: MME: Flexi NS; SGW: Flexi NG; PGW: Flexi NG
• Mediation Platform (3rd party or not?)
  – Cisco: X1, X2, X3 interfaces open to any 3rd party Mediation Platform (AQSACOM, UTIMACO, VERINT, SS8)
  – Huawei: LIG (Lawful Interception Gateway). Mediation Platform imposed by Huawei. But MME IOT with ETI, Verint, Utimaco, SS8
  – Ericsson: LI-IMS. Mediation Platform imposed by Ericsson
  – NSN: LIG (Lawful Interception Gateway). Mediation Platform imposed by NSN
• Interception criteria
  – Cisco: IMSI, MSISDN, ME
  – Huawei: IMSI, MSISDN, ME
  – Ericsson: IMSI, MSISDN, ME
  – NSN: IMSI, MSISDN, ME
• Security capabilities
  – Cisco: IPsec on X1, X2, X3
  – Huawei: IPsec on X1, X2, X3
  – Ericsson: IPsec/SSH on X1, X2 and X3. Role-based authority control. C. Checking
  – NSN: IPsec/SSH on X1, X2 and X3. Consistency Checking supported
• IRI compliancy to 3GPP TS 33.108
  – Cisco: Compliant
  – Huawei: Compliant
  – Ericsson: Compliant
  – NSN: Compliant
Thank You