Lawful Interception Overview

Introduction

Lawful Interception (LI) is a requirement placed upon service providers to provide legally sanctioned official access to private communications. In the existing Public Switched Telephone Network (PSTN), Lawful Interception is performed by applying a physical 'tap' to the telephone line of the target in response to a warrant from a Law Enforcement Agency (LEA). However, Voice over IP (VoIP) technology has enabled the mobility of the end-user, so it is no longer possible to guarantee the interception of calls by tapping a physical line.

Whilst the detailed requirements for LI may differ from one jurisdiction to another, the general requirements are the same. The LI system must provide transparent interception of the specified traffic only, and the subject must not be aware of the interception. The service provided to other users must not be affected during interception.

LI deals with two 'products': Contents of Communication (CC) and Intercept Related Information (IRI). Contents of Communication is exactly what it sounds like: the voice, video or message contents. Intercept Related Information refers to the signalling information: the source and destination of the call, and so on.

Figure 1 shows the logical flow of Intercept Related Information (IRI) and Contents of Communication (CC) from its collection in the Public Network to the handover interface to the Law Enforcement Monitoring Facility (LEMF), as defined by ETSI. In North America, CALEA (Communications Assistance for Law Enforcement Act) requires operators to provide LI capabilities. The network architecture and handover specifications are based on the PacketCable™ model shown in Figure 2 below; the general architectural similarities can be seen.
[Figure 2 elements: PacketCable Service Provider (CMS, MG, CMTS, CM/MTA, Intercept Access for Call Data and for Call Content, Delivery Function, Administration, Lawful Authorization) | Demarcation Point | Law Enforcement Agency (Collection Function, Administration)]

Architecture Overview

Although the detail of LI may vary from country to country, we can look at the general logical and physical requirements and also explain much of the common terminology used. The primary purpose of the service provider network is to enable private communications between individuals; any LI functionality built into the network must not affect the normal service to those individuals.

The architecture requires a distinct separation of the Public Telecom Network (PTN) and the networks used for the distribution and processing of LI information. The interfaces between the PTN and the Law Enforcement Monitoring Facility (LEMF) are standardised within a particular territory.

Figure 2 – PacketCable™ Surveillance Model

Figure 3 below shows the high-level functions and interfaces as defined by ETSI: the Mediation Function (MF) provides standardised interfaces, HI2 (Intercept Related Information) and HI3 (Call Contents), from the Public Telecom Network to the LEA Network.

[Figure 1 elements: Public Telecom Network containing the Network Operator's Administration Function (ADMF), Communication Nodes with the Internal Intercept Function (IIF), and the IRI and CC Mediation Functions (MF), linked by Internal Network Interfaces INI1, INI2 and INI3; LI Handover Interfaces HI1 (administration), HI2 (Intercept Related Information) and HI3 (Content of Communication) to the LEA Network's Administration Function and LEMF]

Figure 1 - General Network Arrangements for Interception (ETSI)


Figure 3 - Distinction between PTN and Law Enforcement Network

www.newport-networks.com © 2006 Newport Networks Ltd

Basic Elements of LI in a Public Telecom Network

There are three primary elements required within the public network to achieve Lawful Interception; these are:

• An Internal Intercept Function (IIF) located in the network nodes.
• A Mediation Function (MF) between the PTN and the LEMF.
• An Administration Function (ADMF) to manage orders for interception in the PTN.

Internal Intercept Function (IIF)

These functions are located within the network nodes and are responsible for generating the Intercept Related Information (IRI) and Contents of Communication (CC).

Mediation Function (MF)

This function clearly delineates the PTN from the LEMF. It communicates with the IIFs using Internal Network Interfaces (INIs), which can be proprietary. The MF communicates with one or more LEMFs through locally standardised interfaces: the Handover Interfaces (HI2 and HI3).

Administration Function (ADMF)

This function handles the serving of interception orders and communicates with the IIFs and the MF through an Internal Network Interface.

[Figure 4 elements: Public Telecoms Network with 1460 SBCs (IIF); LI Administration Function (ADMF) with a Backup Administration Unit and a Web Based GUI; LI Mediation Function (MF) with a Backup Mediation Unit; secure connections carrying Tasking Data and Interception Data; HI2 (Intercept Related Information) and HI3 (Contents of Communication) to the Law Enforcement Monitoring Facility (LEMF) of the Law Enforcement Agency (LEA)]

Figure 4 – Example Physical Architecture

Figure 4 above shows the physical elements of the LI system, their logical functions and the interfaces to the LEMF.

The LI Administration Function (ADMF) is typically implemented on a hardened Management Unit; it provides a secure method to enable traffic to be targeted and routed. The ADMF uses a secure connection to one or more of the IIFs and to one or more Mediation Units. The ADMF is often backed up by a warm standby, which replicates all data between the units.

The LI Mediation Function (MF) performs the mediation and delivery functions; it is typically implemented on a hardened Mediation Unit. It receives generically formatted IRI and CC data from one or more IIFs and translates it into the country-specific format for the Handover Interfaces (HI2 and HI3) to the LEMF. The MF receives target details from the ADMF and validates the received IRI and CC data to ensure that only the warranted data is passed to the LEMF. The MF usually supports the forwarding of intercepted traffic to many LEMF interfaces simultaneously. The Mediation Unit is often backed up by a slave unit which takes over in case of failure of the primary unit.

Implementing LI within a VoIP Network

One of the primary problems that service providers face when managing VoIP and multimedia calls is the separation of the signalling and media streams. In other words, it is quite possible that the two streams take completely different paths through the network. In addition, even when they do pass through the same device, that device may not be aware of the relationship between the streams. Some devices within the network are, however, specifically designed to understand and manage the separate signalling and media streams: session border controllers. Typically located at the borders of the service provider's network, these offer an ideal location to implement the IIF, as they receive Intercept Related Information from the signalling stream and can intercept Contents of Communication directly from the media stream.
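To make the preceding point concrete, the following Python sketch is an added example (written for this page, not Newport Networks' product code) of how a session border controller acting as the IIF can tie the two streams together: it learns each call's media endpoints from the SDP carried in the SIP offer and answer, emits IRI for signalling events on calls that involve a tasked identity, and classifies an RTP packet as CC only when its source and destination match the media endpoints of a tasked call. The SIP dialog, addresses, target identity and record formats are all constructed for the example.

```python
import re

# Constructed SIP offer/answer for this example (RFC 3261-style, not from the paper).
INVITE = """INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060
From: <sip:alice@example.net>;tag=1928301774
To: <sip:bob@example.net>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
"""

OK200 = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.0.2.10:5060
From: <sip:alice@example.net>;tag=1928301774
To: <sip:bob@example.net>;tag=a6c85cf
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=bob 2808844564 2808844564 IN IP4 198.51.100.20
s=-
c=IN IP4 198.51.100.20
t=0 0
m=audio 3456 RTP/AVP 0
"""

URI_RE = re.compile(r"(sip:[^>;\s]+)")


def parse_sip(msg):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoint(sdp):
    """Session-level c= address and the first m=audio port: where the RTP will flow."""
    addr, port = None, None
    for line in sdp.split("\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return (addr, port)


class SbcIIF:
    """Per-call state learned from signalling, used to attribute media to a target."""

    def __init__(self, targets):
        self.targets = set(targets)   # identities tasked by the ADMF (assumed SIP URIs)
        self.calls = {}               # Call-ID -> {"parties": set, "media": set of (ip, port)}
        self.iri = []                 # IRI records for tasked calls
        self.cc = []                  # CC records (call-id, byte count) for tasked calls

    def on_signalling(self, raw):
        start, h, body = parse_sip(raw)
        frm = URI_RE.search(h["from"]).group(1)
        to = URI_RE.search(h["to"]).group(1)
        call = self.calls.setdefault(h["call-id"], {"parties": {frm, to}, "media": set()})
        if body.strip():
            call["media"].add(media_endpoint(body))   # offer and answer each add one endpoint
        hit = call["parties"] & self.targets
        if hit:
            # request start line: "METHOD uri SIP/2.0"; response: "SIP/2.0 code reason"
            event = start.split()[1] if start.startswith("SIP/2.0") else start.split()[0]
            self.iri.append({"call_id": h["call-id"], "target": min(hit), "event": event})
        return h["call-id"]

    def on_media(self, src, dst, payload):
        """RTP packet with src/dst (ip, port); CC only if both ends belong to a tasked call."""
        for call_id, call in self.calls.items():
            if src in call["media"] and dst in call["media"] and call["parties"] & self.targets:
                self.cc.append((call_id, len(payload)))
                return call_id
        return None   # not attributable to a warranted call: do not intercept


def demo():
    """Run the constructed dialog through the IIF and return what it produced."""
    iif = SbcIIF(targets={"sip:alice@example.net"})
    iif.on_signalling(INVITE)
    iif.on_signalling(OK200)
    a, b = ("192.0.2.10", 49170), ("198.51.100.20", 3456)
    rtp = b"\x80\x00" + bytes(10)                      # minimal RTP-looking payload
    return {
        "iri_events": [r["event"] for r in iif.iri],
        "forward": iif.on_media(a, b, rtp),
        "reverse": iif.on_media(b, a, rtp),
        "stray": iif.on_media(("203.0.113.5", 40000), b, rtp),
        "cc_count": len(iif.cc),
    }
```

Because the endpoints come from both the offer and the answer, media is attributable only once the 200 OK has been seen; a real IIF would also have to track re-INVITEs that move the media and the case where the SBC relays the media itself, neither of which this sketch handles.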

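The MF validation step described above (only warranted data passes to the LEMF), the tasking data listed under Administration Functions below (Warrant ID, Case ID, IRI and/or CC, start and end dates, and the audit of IIF target lists) and the Information Volatility rule (buffer briefly in memory, never spool to disk) fit together as follows. This is an added example written for this page, not code from the paper or from any ETSI or PacketCable specification; the class and field names, the 30-second hold window and the sample tasks are assumptions of the example.

```python
from collections import deque, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Task:
    """One interception task as served by the ADMF (field names are this example's)."""
    warrant_id: str
    case_id: str
    target: str          # tasked identity, e.g. a SIP URI (assumed form)
    iri: bool            # intercept signalling (IRI)?
    cc: bool             # intercept media (CC)?
    start: datetime
    end: datetime        # the case expires at this time

    def active_at(self, t):
        return self.start <= t < self.end


class ADMF:
    """Holds the tasks and audits an IIF's target list against the active set."""

    def __init__(self, tasks):
        self.tasks = list(tasks)

    def audit_iif(self, iif_targets, now):
        """Reconcile: return (targets the IIF must add, targets it must remove)."""
        wanted = {t.target for t in self.tasks if t.active_at(now)}
        return wanted - set(iif_targets), set(iif_targets) - wanted

    def warrant_for(self, kind, target, ts):
        """The task authorising product `kind` ("IRI" or "CC") for target at ts, if any."""
        for t in self.tasks:
            if t.target == target and t.active_at(ts) and (t.iri if kind == "IRI" else t.cc):
                return t
        return None


# An intercept product from an IIF: kind is "IRI" or "CC".
Product = namedtuple("Product", "kind target ts payload")


class MF:
    """Validates products against the ADMF's tasks; holds undeliverable ones in memory only."""

    def __init__(self, admf, hold=timedelta(seconds=30)):
        self.admf = admf
        self.hold = hold          # assumed short buffering window
        self.buffer = deque()     # (enqueue time, record); never written to disk
        self.rejected = 0         # products that matched no active warrant
        self.dropped = 0          # products lost because the link stayed down

    def handover(self, product, link_up, now):
        """Queue a warranted product on HI2 (IRI) or HI3 (CC), then flush."""
        task = self.admf.warrant_for(product.kind, product.target, product.ts)
        if task is None:
            self.rejected += 1    # unwarranted data must not reach the LEMF
        else:
            hi = "HI2" if product.kind == "IRI" else "HI3"
            self.buffer.append((now, (hi, task.warrant_id, task.case_id, product)))
        return self.flush(link_up, now)

    def flush(self, link_up, now):
        """Discard records older than `hold`; deliver the rest if the link is up."""
        while self.buffer and now - self.buffer[0][0] > self.hold:
            self.buffer.popleft()
            self.dropped += 1
        sent = []
        if link_up:
            while self.buffer:
                sent.append(self.buffer.popleft()[1])
        return sent


def demo():
    """Constructed tasks: IRI+CC on alice, IRI only on bob, an expired task on carol."""
    t0, day = datetime(2006, 1, 1, 9, 0), timedelta(days=1)
    admf = ADMF([
        Task("W-001", "C-100", "sip:alice@example.net", True, True, t0, t0 + 30 * day),
        Task("W-002", "C-101", "sip:bob@example.net", True, False, t0, t0 + 30 * day),
        Task("W-000", "C-099", "sip:carol@example.net", True, True, t0 - 60 * day, t0 - 30 * day),
    ])
    now, mf, out = t0 + timedelta(hours=1), MF(admf), {}
    alice, bob = "sip:alice@example.net", "sip:bob@example.net"
    # IIF still lists the expired carol task and is missing bob: audit says add bob, remove carol.
    out["audit"] = tuple(sorted(s) for s in admf.audit_iif({alice, "sip:carol@example.net"}, now))
    out["alice_iri"] = mf.handover(Product("IRI", alice, now, b"INVITE ..."), True, now)  # sent on HI2
    out["bob_cc"] = mf.handover(Product("CC", bob, now, b"rtp"), True, now)              # W-002 is IRI-only: rejected
    out["buffered"] = mf.handover(Product("CC", alice, now, b"rtp"), False, now)         # link down: held in memory
    out["flushed"] = mf.flush(True, now + timedelta(seconds=10))                          # link back in time: HI3
    mf.handover(Product("IRI", alice, now, b"BYE"), False, now)
    out["late"] = mf.flush(True, now + timedelta(seconds=60))                             # past hold: dropped, not spooled
    out["counts"] = (mf.rejected, mf.dropped, len(mf.buffer))
    return out
```

Validation checks the product's own timestamp against the task window, so a product captured after the end date is rejected even if the IIF has not yet been re-tasked; the audit step is what brings the IIF's target list back in line with the ADMF.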
The Internal Intercept Function (IIF) is most effective when implemented in hardware within the network nodes, in order to provide the most effective and rapid detection without incurring additional software processing and delays which might allow the presence of the intercept to be detected. The IIF collects Intercept Related Information (IRI) and Contents of Communication (CC) as requested by the ADMF, and converts these to a generic format which is passed to the MF.

Administration Functions

The ADMF must only be accessed by authorised users. It manages the deployment of tasks to the other LI elements.

Tasking Targets – Each target requires a Warrant ID and a Case ID assigned by the LEA. Each case may require IRI or CC or both to be intercepted. Each task is assigned a start date and an end date, upon which the case expires.

Auditing Tasks – The ADMF is typically responsible for auditing the network of IIFs to ensure that the target lists match; differences should be automatically reconciled.

Mediation Function Configuration – Each interface to the LEMF must be individually specified to match the required standard output.

Information Volatility

Essential target information must be encrypted by the ADMF, and any information stored in the IIF must be held in encoded form, thereby preventing unauthorised access to sensitive warrant information. Any information stored within the IIF should be stored in volatile memory, so that it is erased if a component of the network node is removed or powered down. Only the encrypted database of the ADMF should be maintained during power-down situations.

In the event of a link failure between the MF and the LEMF, the intercept products may be buffered for a short time in memory only. Any long-term failure of the interface will result in intercept products being lost; this information must not be spooled to permanent storage.

Conclusion

Recently it has become increasingly clear that VoIP services will be expected to provide Lawful Intercept and Emergency Call Handling services to the same level experienced in the PSTN. The FCC in North America, for example, has mandated that both emergency calls and Lawful Intercept must be available. Whilst not all countries mandate this capability, any network operator building a publicly available voice or multimedia over IP service today will need to plan a network which is flexible enough to implement these regulatory services in the future. Session border controllers are being deployed at strategic points within VoIP networks to execute a number of access, security and quality management roles; they offer an ideal location to implement a Lawful Intercept solution. Carrier-class SBCs already offer the levels of redundancy and resilience needed to provide 'five 9s' availability, further endorsing their suitability as the location of the IIF.

Terminology

ADMF  Administration Function
CALEA  Communications Assistance for Law Enforcement Act
CC  Contents of Communication
ETSI  European Telecommunications Standards Institute
HI  Handover Interface
IIF  Internal Intercept Function
INI  Internal Network Interface
IRI  Intercept Related Information
LEA  Law Enforcement Agency
LEMF  Law Enforcement Monitoring Facility
LI  Lawful Interception
MF  Mediation Function
PSTN  Public Switched Telephone Network
PTN  Public Telecom Network
VoIP  Voice over IP

References

ETSI TS 101 331 - Telecommunications security; Lawful Interception (LI); Requirements of Law Enforcement Agencies
ETSI TR 101 943 - Telecommunications security; Lawful Interception (LI); Concepts of Interception in a Generic Network Architecture
ETSI TS 101 671 - Telecommunications security; Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic
PKT-SP-ESP1.5-I01-050128 - PacketCable™ 1.5 Specifications; Electronic Surveillance

A summary of the ETSI LI specs is located at: http://portal.etsi.org/li/Summary.asp
Current ETSI specs can be downloaded from: http://portal.etsi.org/li/status.asp
Current PacketCable™ specs can be found at: http://www.packetcable.com/specifications/


The Newport Networks’ logo is a registered trademark of Newport Networks Ltd. MediaProxy™ and SignallingProxy™ are trademarks of Newport Networks Ltd. ©2006 Newport Networks Limited. All rights reserved. Whilst every effort has been made to ensure that the information included in this publication is accurate at the time of going to press, Newport Networks Ltd assumes no responsibility for the accuracy of the information. Newport Networks Ltd reserves the right to change their specifications at any time without prior notice. Some features described in this document may be planned for future releases and may not be available in the current product. Newport Networks Ltd reserves the right to modify its product development schedule without notice and does not guarantee that any feature or product mentioned in this document will be produced or produced in the form described. 91-0087-01-0001-A