Lawful Interception
This chapter provides information about lawful interception.
Topics in this chapter include:
- Applicability
- Overview
- Configuration
- Conclusion
Applicability
The information and the configuration in this chapter are based on SR OS Release 22.2.R1. Lawful interception (LI) is supported in MD-CLI in SR OS Release 19.10.R1 and later.
Overview
This chapter provides configuration examples for commissioning LI in MD-CLI; it is not intended to provide LI architectural or configuration recommendations.
Basic knowledge of the SR OS LI architecture is required.
The figure Lawful interception shows a high-level diagram of the mechanism. The abbreviations used in the figure are:
- CSP: communications service provider
- RG: residential gateway
- AN: access network
- IRI: intercept related information
- CC: content of communication
- LEA: law enforcement agency
- LEMF: law enforcement monitoring facilities
The mediation element depicted in Lawful interception normalizes the various vendors' INI (internal network interface) interfaces to the standardized HI (handover interface) interfaces toward the LEMF. The industry uses various terms for the mediation element, such as LI Mediation (LIM), Mediation Device (MD), and LI Gateway (LIG). For the remainder of this chapter, the term LIG is used to refer to the mediation element.
Configuration
First, the network administrator commissions the system for LI and afterward, the LI administrator provisions the LI sources.
Network administrator commissions the system for LI
- Create a local AAA profile for LI administration access
- Create local LI administrators including their access, method of access, and local AAA profile
- Create a mirror destination for copied packets where the destination address is the LI gateway
- [Optional] Update the boot option file (BOF) configuration:
- [Option 1] Enable LI separate in the BOF. This configuration allows only users with LI access rights to be able to access the LI configuration region. All other user types are locked out of the LI configuration region.
- [Option 2] Enable LI local save. The configuration enables the system to save the running LI configuration into the flash as an encrypted file.
After the local LI administrator is configured (and, optionally, the BOF configuration is updated and the system is rebooted), an LI administrator can access the LI configuration region.
The different steps in the procedure to commission the system for LI are described in more detail in the following sections.
Create a local AAA profile for LI
An LI user and profile must be configured before the LI separate flag is enabled in the BOF; otherwise, after the reboot that activates the flag, no user is able to access the LI configuration region.
The local AAA profile "li" is created, as follows:
[pr:/configure system security aaa local-profiles]
A:admin@latest-BNG2# info
profile "li" {
}
The following is an example of some common entries for the LI profile:
[pr:/configure system security aaa local-profiles profile "li"]
A:admin@latest-BNG2# info
default-action deny-all
entry 10 {
action permit
match "edit-config li exclusive"
}
entry 20 {
action permit
match "li"
}
entry 30 {
action permit
match "show li"
}
entry 40 {
action permit
match "admin save li"
}
entry 50 {
action permit
match "quit-config"
}
entry 60 {
action permit
match "edit-config private"
}
entry 70 {
action permit
match "configure system security user-params local-user"
}
entry 80 {
action permit
match "tools perform security"
}
entry 90 {
action permit
match "show li"
}
entry 100 {
action permit
match "commit"
}
entry 110 {
action permit
match "validate"
}
entry 120 {
action permit
match "admin save"
}
entry 130 {
action permit
match "info"
}
entry 140 {
action permit
match "back"
}
Create a local LI administrator
LI administrators are local users and are associated with the configured LI profile. In the following example, local LI administrator "liadmin" is created.
!(pr)[/configure system security user-params local-user]
A:admin@latest-BNG2# info
user "liadmin" {
password "$2y$10$tKCwYWx/m9uffwGCJIYls.vh/340TU3Rn6RR1Qxt2zEQPlUOIAJJG"
access {
console true
netconf true
li true
}
console {
member ["li"]
}
}
Create a mirror destination for LI use
In this example, the mirror destination uses an LI IP UDP shim header, as shown in the figure Shim header format.
The mirror destination routing instance is a VPRN with ID 1. The LI Gateway (LIG) is at 192.168.2.1, and the source IP address placed in the outer IP header of the copied packets is 192.168.1.1. Both the source and the destination UDP port are 11111. The header type is IP UDP shim, which adds an LI header carrying the intercept ID, the session ID, and the direction of the mirrored packet.
!(pr)[/configure mirror]
A:admin@latest-BNG2# info
mirror-dest "1" {
admin-state enable
encap {
layer-3-encap {
header-type ip-udp-shim
direction-bit true
router-instance "1"
gateway {
ip-address {
source 192.168.1.1
destination 192.168.2.1
}
udp-port {
source 11111
destination 11111
}
}
}
}
}
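To check that copied packets actually reach the LIG with the expected encapsulation, the following added example (not Nokia code and not part of this chapter) builds and decodes an ip-udp-shim frame that matches mirror-dest "1" above. The outer addresses and ports are taken from the configuration; the shim field layout is an assumption for illustration (8 bytes: a 32-bit word carrying the intercept ID, with the direction in its top bit when direction-bit is enabled, followed by a 32-bit session ID) and must be checked against the Shim header format figure before the decoder is used on live captures. The sample packet is constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Outer header values from the mirror-dest "1" configuration above.
EXPECTED_SRC = "192.168.1.1"   # source placed in the outer IP header by the SR OS node
EXPECTED_DST = "192.168.2.1"   # the LIG
EXPECTED_SPORT = 11111
EXPECTED_DPORT = 11111
IP_PROTO_UDP = 17
SHIM_LEN = 8

# ASSUMED shim layout (verify against the Shim header format figure):
# word 0: bit 31 = direction (0 ingress, 1 egress) when direction-bit is on,
#         bit 30 reserved, bits 29..0 = intercept ID; word 1 = session ID.
DIRECTION_MASK = 0x8000_0000
INTERCEPT_MASK = 0x3FFF_FFFF


@dataclass(frozen=True)
class LiCopy:
    intercept_id: int
    session_id: int
    direction: str   # "ingress", "egress", or "n/a" when direction-bit is off
    packet: bytes    # the intercepted packet carried behind the shim


def _ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_li_copy(packet, intercept_id, session_id, egress, direction_bit=True,
                  src=EXPECTED_SRC, dst=EXPECTED_DST, sport=EXPECTED_SPORT, dport=EXPECTED_DPORT):
    """Encapsulate a packet as the mirror-dest above would (under the assumed shim layout).
    Used here only to construct test traffic; real copies come from the SR OS node."""
    if direction_bit:
        if not 1 <= intercept_id <= INTERCEPT_MASK:
            raise ValueError("intercept-id must fit in 30 bits when direction-bit is enabled")
        word0 = intercept_id | (DIRECTION_MASK if egress else 0)
    else:
        if not 1 <= intercept_id <= 0xFFFF_FFFF:
            raise ValueError("intercept-id out of range")
        word0 = intercept_id
    shim = struct.pack("!II", word0, session_id)
    udp_len = 8 + SHIM_LEN + len(packet)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)   # UDP checksum 0 = absent (IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IP_PROTO_UDP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp + shim + packet


def decode_li_copy(frame: bytes, direction_bit=True) -> LiCopy:
    """Validate the outer IPv4/UDP headers against the mirror-dest configuration, then
    strip the shim. Anything that does not match raises ValueError: a LIG should not
    accept copies from an unexpected source, destination or port."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ihl + 8 + SHIM_LEN:
        raise ValueError("not an IPv4/UDP frame long enough to carry a shim")
    if _ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IP_PROTO_UDP:
        raise ValueError("not UDP")
    if src != ipaddress.IPv4Address(EXPECTED_SRC).packed or dst != ipaddress.IPv4Address(EXPECTED_DST).packed:
        raise ValueError("outer addresses do not match the mirror-dest gateway")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if (sport, dport) != (EXPECTED_SPORT, EXPECTED_DPORT):
        raise ValueError("unexpected UDP ports")
    if udp_len < 8 + SHIM_LEN or ihl + udp_len > len(frame):
        raise ValueError("UDP length inconsistent with a shim header")
    word0, session_id = struct.unpack("!II", frame[ihl + 8:ihl + 8 + SHIM_LEN])
    if direction_bit:
        direction = "egress" if word0 & DIRECTION_MASK else "ingress"
        intercept_id = word0 & INTERCEPT_MASK
    else:
        direction, intercept_id = "n/a", word0
    return LiCopy(intercept_id, session_id, direction, frame[ihl + 8 + SHIM_LEN:ihl + udp_len])


def accepts(frame: bytes, direction_bit=True) -> bool:
    """True when decode_li_copy would accept the frame, False when it rejects it."""
    try:
        decode_li_copy(frame, direction_bit)
        return True
    except ValueError:
        return False
```

Run the decoder over UDP/11111 traffic captured at the LIG; a copy whose outer addresses or ports differ from the mirror-dest configuration is rejected rather than parsed, so a misconfigured or rogue source shows up as a rejection instead of a plausible-looking intercept. Keep direction_bit in step with the direction-bit setting of the mirror-dest, because with the bit disabled the full 32-bit word is the intercept ID.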
Update BOF configuration (optional)
Two optional BOF settings apply to LI:
- li separate
- li local-save
The li separate option separates the LI configuration region access from the normal administrator. The requirement of separating LI access is typically determined by local jurisdictions.
*[pr:/bof]
A:admin@latest-BNG2# info
li {
separate true
}
A system reboot is required for any changes to li separate to take effect.
A:admin@eng-BNG-2# admin save bof
A:admin@latest-BNG2# /admin reboot now
The li local-save option allows the LI configuration to be saved to persistent storage (for example, on a compact flash device) locally on the system.
*[pr:/bof]
A:admin@latest-BNG2# info
li {
local-save true
}
A system reboot is required for any changes to li local-save to take effect.
A:admin@eng-BNG-2# admin save bof
A:admin@latest-BNG2# /admin reboot now
*[pr:/bof]
A:admin@latest-BNG2# info
li {
separate true
local-save true
}
A system reboot is required for any changes to li separate or to li local-save to take effect.
A:admin@eng-BNG-2# admin save bof
A:admin@latest-BNG2# /admin reboot now
Log in as the LI administrator and edit the LI configuration
When the LI administrator is created (and, optionally, the BOF is updated and the system is rebooted), the LI configuration region is accessible to the LI administrator. When the LI administrator logs in as the "liadmin" user, the prompt shows "liadmin" as the user:
A:liadmin@latest-BNG2#
The following command is used to edit the LI configuration:
A:liadmin@latest-BNG2# edit-config li exclusive
The li option is needed to edit the LI configuration region. The LI administrator can configure in either private or exclusive mode. For more information about private and exclusive configuration mode, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR MD-CLI User Guide. Nokia recommends using exclusive mode for LI configuration so that only one LI administrator at a time can make LI configuration changes.
Additional LI infrastructure setup
When the system is commissioned with LI users and a LIG mirror destination for LI, the LI administrator provisions the rest of the LI infrastructure pieces. The following configuration examples are described:
- Update the LI administrator password
- [Optional] Create additional local LI users
- Configure the LI log, for the Intercept Related Information (IRI) interface, either using SNMPv3 or NETCONF
- Associate the LI source to the mirror destination, for mirroring to the Content of Communication (CC) Interface
- Add an LI source object to contain future LI targets
The preceding steps are described in more detail in the following sections.
Update the LI administrator password
The normal (non-LI) network administrator created the LI administrator user account, including its password. The LI administrator should change the password the first time they log in. The following command changes the LI administrator password. In this example, the LI administrator is "liadmin" and an example new password is configured. The new password shown is not a recommended password, only an example for illustration.
[/]
A:liadmin@latest-BNG2# password
Enter current password: TheInitialPassword
Enter new password: NewSecretPassword
Re-enter new password: NewSecretPassword
Add additional LI users to the system (optional)
The LI administrator first creates the new LI users, including the username and password, in the main config region. In this example, two additional local user accounts, "liuser1" and "liuser2", are created with the profile "li-user", which has fewer access rights than the LI administrator profile:
!(pr)[/configure system security user-params local-user]
A:admin@latest-BNG2# info
user "liuser1" {
password "UpdateThis"
access {
console true
netconf true
li true
}
console {
member ["li-user"]
}
}
user "liuser2" {
password "UpdateThis"
access {
console true
netconf true
li true
}
console {
member ["li-user"]
}
}
The following is an example of an LI profile for li-user. Compared to the profile "li" used for LI administrator users, this "li-user" profile does not contain entry 70. This difference in the profiles ensures that non-administrator LI users cannot edit or create other users.
[pr:/configure system security aaa local-profiles profile "li-user"]
A:admin@latest-BNG2# info
default-action deny-all
entry 10 {
action permit
match "edit-config li exclusive"
}
entry 20 {
action permit
match "li"
}
entry 30 {
action permit
match "show li"
}
entry 40 {
action permit
match "admin save li"
}
entry 50 {
action permit
match "quit-config"
}
entry 60 {
action permit
match "edit-config private"
}
entry 80 {
action permit
match "tools perform security"
}
entry 90 {
action permit
match "show li"
}
entry 100 {
action permit
match "commit"
}
entry 110 {
action permit
match "validate"
}
entry 120 {
action permit
match "admin save"
}
entry 130 {
action permit
match "info"
}
entry 140 {
action permit
match "back"
}
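The profiles "li" and "li-user" above differ only in entry 70, and it is the deny-all default together with ordered matching that turns that difference into an access boundary. The following added example (not Nokia code and not part of this chapter) models that evaluation so both profiles can be checked offline before they are committed. The first-match, keyword-by-keyword prefix semantics are an assumption of the model, and it says nothing about commands the real system may handle outside profile authorization (the chapter shows LI users running password, which no entry lists).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    entry_id: int
    match: str
    action: str = "permit"


@dataclass(frozen=True)
class Profile:
    """ASSUMED semantics: entries are tried in ascending entry-id order, an entry
    matches when its match string is a keyword prefix of the command, the first
    match decides, and default-action applies when nothing matches."""
    name: str
    default_action: str   # "deny-all" or "permit-all"
    entries: tuple

    def evaluate(self, command: str):
        """Return (decision, entry_id); entry_id is None when default-action decided."""
        words = command.split()
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            pattern = entry.match.split()
            if words[:len(pattern)] == pattern:
                return entry.action, entry.entry_id
        return ("deny" if self.default_action == "deny-all" else "permit"), None

    def shadowed_entries(self):
        """Entry IDs that can never fire because an earlier entry's match string is a
        prefix of theirs; under first-match semantics the earlier entry always wins."""
        ordered = sorted(self.entries, key=lambda e: e.entry_id)
        dead = []
        for i, later in enumerate(ordered):
            words = later.match.split()
            if any(words[:len(e.match.split())] == e.match.split() for e in ordered[:i]):
                dead.append(later.entry_id)
        return dead


# Entries copied from the chapter; "li" adds entry 70, "li-user" omits it.
_COMMON = (
    Entry(10, "edit-config li exclusive"),
    Entry(20, "li"),
    Entry(30, "show li"),
    Entry(40, "admin save li"),
    Entry(50, "quit-config"),
    Entry(60, "edit-config private"),
    Entry(80, "tools perform security"),
    Entry(90, "show li"),
    Entry(100, "commit"),
    Entry(110, "validate"),
    Entry(120, "admin save"),
    Entry(130, "info"),
    Entry(140, "back"),
)
_USER_MGMT = Entry(70, "configure system security user-params local-user")

LI_ADMIN = Profile("li", "deny-all", _COMMON + (_USER_MGMT,))
LI_USER = Profile("li-user", "deny-all", _COMMON)


def compare(commands):
    """Side-by-side decision table for the two profiles over a list of commands."""
    return {cmd: {LI_ADMIN.name: LI_ADMIN.evaluate(cmd)[0],
                  LI_USER.name: LI_USER.evaluate(cmd)[0]} for cmd in commands}


if __name__ == "__main__":
    for cmd, row in compare([
        "edit-config li exclusive",
        "li log log-id 1 source li true",
        "configure system security user-params local-user user liuser3",
        "admin save bof",
        "show router interface",
    ]).items():
        print(f"{cmd!r}: {row}")
    print("shadowed entries in li:", LI_ADMIN.shadowed_entries())
```

Two findings the model surfaces in the chapter's own profiles: entry 90 duplicates entry 30 and can never fire, and entry 120 ("admin save") matches every form of admin save, including admin save bof, so entry 40 adds nothing and the LI user can save the BOF. If only the LI region should be savable by LI users, drop entry 120 and keep entry 40.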
Afterward, the new LI users log in using the password provided for them and they should change the password using the following command. Note that the new password is not a recommended password, but just an example for illustration.
[/]
A:liuser1@latest-BNG2# password
Enter current password: TheInitialUser1Password
Enter new password: NewSecretUser1Password
Re-enter new password: NewSecretUser1Password
Set up an LI event log
The LI log records three kinds of events:
- Logging events: the time, the date, and the user accessing the LI configuration region
- Configuration change events: every CLI command that is entered in the LI configuration region
- Functional events: for example, when a subscriber has logged in to the BNG and the LI source becomes active and is actively mirroring to the CC interface
The two methods available to transmit LI log events are SNMP and NETCONF. Nokia recommends sending log events through either SNMP or NETCONF, not both.
Send log events through SNMP
The system management-interface snmp function is enabled in the main config region, as follows:
!*(pr)[/configure system management-interface snmp]
A:liadmin@latest-BNG2# info detail
admin-state enable
packet-size 9216
streaming {
admin-state disable
}
The SNMP LI log event server is configured as follows. In this example, the name of the snmp-trap-group is "1".
!*(pr)[/configure log snmp-trap-group "1"]
A:liadmin@latest-BNG2# info detail
trap-target "LIG" {
address 192.168.1.1
port 162
version snmpv3
notify-community "li"
security-level privacy
replay false
}
LI is enabled to send LI log events to snmp-trap-group "1". The log-id "1" must match the snmp-trap-group "1".
A:liadmin@latest-BNG2# info
li {
log {
log-id "1" {
source {
li true
}
destination {
snmp {
}
}
}
}
}
Send log events through NETCONF
To send LI log events through NETCONF, the system management-interface netconf function is enabled in the main config region, as follows:
[pr:/configure system management-interface netconf]
A:liadmin@latest-BNG2# info
admin-state enable
LI is enabled to send LI log events as NETCONF stream, as follows:
!*(pr:li)[/]
A:liadmin@latest-BNG2# info
li {
log {
log-id "1" {
netconf-stream "li"
source {
li true
}
destination {
netconf {
}
}
}
}
}
Set up an LI source
An LI source is required to later add specific LI targets.
The LI source requires the mirror destination to already be provisioned. The mirror destination "1" was created by the network administrator in Create a mirror destination for LI use. Depending on the user AAA profile "li", it is possible for the LI administrator to create new mirror destinations. The mirror destination "1" must be referenced in the LI source, as follows:
!*(pr:li)[/]
A:liadmin@latest-BNG2# info
li {
li-source "1" {
}
}
LI events for subscriber management
As depicted in Lawful interception, AAA RADIUS accounting records are transmitted over the INI2 interface. RADIUS accounting is used for subscriber management LI, because it identifies when the subscriber logged on and off. The RADIUS accounting messages can be sent through an AAA accounting server acting as a proxy, or the SR OS node can send duplicate accounting records directly to the LIG.
LI target provisioning
The system is now ready to perform LI. LI targets such as SAPs and subscribers can be added to the LI source.
!*(pr:li)[/li li-source "1"]
A:liadmin@latest-BNG2# info
subscriber "li-source-00" {
ingress true
egress true
intercept-id 1
session-id 1
}
Conclusion
Because the industry is migrating to model driven (MD) management interfaces, Nokia’s LI application supports MD-CLI in SR OS Release 19.10.R1 and later. For service providers migrating to MD management interfaces, Nokia’s LI application is migration ready and also provides tools to help this migration process. Therefore, operators can be assured of MD migration including the LI features. This chapter also provides guidance for operators that are commissioning new SR OS products using the MD-CLI.