Lawful Interception

This chapter provides information about lawful interception.

Applicability

The information and the configuration in this chapter are based on SR OS Release 22.2.R1. Lawful interception (LI) is supported in MD-CLI in SR OS Release 19.10.R1 and later.

Overview

This chapter provides configuration examples to commission LI in MD-CLI; it is not intended to provide LI architectural or configuration recommendations.

Basic knowledge of the SR OS LI architecture is required.

Figure 1 (Lawful interception) shows a high-level diagram of the mechanism.

Figure 1. Lawful interception
where:
  • CSP: communications service provider
  • RG: residential gateway
  • AN: access network
  • IRI: intercept related information
  • CC: content of communication
  • LEA: law enforcement agency
  • LEMF: law enforcement monitoring facilities

The mediation element depicted in Figure 1 (Lawful interception) is used to normalize the various vendors' INI (internal network) interfaces to standardized HI (handover) interfaces toward the LEMF. The industry uses various terms for the mediation element, such as LI Mediation (LIM), Mediation Device (MD), and LI Gateway (LIG). For the remainder of this chapter, the term LIG is used to refer to the mediation element.

Configuration

First, the network administrator commissions the system for LI and afterward, the LI administrator provisions the LI sources.

Network administrator commissions the system for LI

The procedure to commission the system for LI includes the following steps:
  • Create a local AAA profile for LI administration access
  • Create local LI administrators including their access, method of access, and local AAA profile
  • Create a mirror destination for copied packets where the destination address is the LI gateway
  • [Optional] Update the boot option file (BOF) configuration:
    • [Option 1] Enable LI separate in the BOF. This configuration allows only users with LI access rights to be able to access the LI configuration region. All other user types are locked out of the LI configuration region.
    • [Option 2] Enable LI local save. The configuration enables the system to save the running LI configuration into the flash as an encrypted file.

Either one or both of the options can be enabled. Changing configuration flags in the BOF requires a reboot to take effect.

When the local LI administrator is configured and after an optional update of the BOF configuration and a reboot, an LI administrator can access the LI configuration region.

The different steps in the procedure to commission the system for LI are described in more detail in the following sections.

Create a local AAA profile for LI

An LI user and profile must be configured before the LI separate flag is enabled in the BOF.

The local AAA profile "li" is created, as follows:

[pr:/configure system security aaa local-profiles]
A:admin@latest-BNG2# info
    profile "li" {
    }

The following is an example of some common entries for the LI profile:

[pr:/configure system security aaa local-profiles profile "li"]
A:admin@latest-BNG2# info
    default-action deny-all
    entry 10 {
        action permit
        match "edit-config li exclusive"
    }
    entry 20 {
        action permit
        match "li"
    }
    entry 30 {
        action permit
        match "show li"
    }
    entry 40 {
        action permit
        match "admin save li"
    }
    entry 50 {
        action permit
        match "quit-config"
    }
    entry 60 {
        action permit
        match "edit-config private"
    }
    entry 70 {
        action permit
        match "configure system security user-params local-user"
    }
    entry 80 {
        action permit
        match "tools perform security"
    }
    entry 90 {
        action permit
        match "show li"
    }
    entry 100 {
        action permit
        match "commit"
    }
    entry 110 {
        action permit
        match "validate"
    }
    entry 120 {
        action permit
        match "admin save"
    }
    entry 130 {
        action permit
        match "info"
    }
    entry 140 {
        action permit
        match "back"
    }

Create a local LI administrator

LI administrators are local users and are associated with the configured LI profile. In the following example, local LI administrator "liadmin" is created.

!(pr)[/configure system security user-params local-user]
A:admin@latest-BNG2# info
    user "liadmin" {
        password "$2y$10$tKCwYWx/m9uffwGCJIYls.vh/340TU3Rn6RR1Qxt2zEQPlUOIAJJG"
        access {
            console true
            netconf true
            li true
        }
        console {
            member ["li"]
        }
    }

Create a mirror destination for LI use

In this example, the mirror destination uses an LI IP UDP shim header, as shown in Figure 2 (Shim header format).

Figure 2. Shim header format

The mirror destination routing instance is a VPRN with ID 1. The LI Gateway (LIG) is at 192.168.2.1, while the source IP address placed in the outer IP header of the copied packets is 192.168.1.1. Both the source and the destination UDP port are 11111. The header type is IP UDP shim, which adds an LI header carrying the intercept ID, the session ID, and the direction of the mirrored packet.

!(pr)[/configure mirror]
A:admin@latest-BNG2# info
    mirror-dest "1" {
        admin-state enable
        encap {
            layer-3-encap {
                header-type ip-udp-shim
                direction-bit true
                router-instance "1"
                gateway {
                    ip-address {
                        source 192.168.1.1
                        destination 192.168.2.1
                    }
                    udp-port {
                        source 11111
                        destination 11111
                    }
                }
            }
        }
    }
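The mirror destination above determines exactly what the LIG should see on the wire: outer IPv4 from 192.168.1.1 to 192.168.2.1, UDP 11111 to 11111, and then the shim header followed by the mirrored packet. The following is an added example (not Nokia code and not part of this chapter) of the receive-side check a LIG, or a monitoring probe in front of it, can apply so that only frames matching the provisioned gateway parameters are accepted and anything malformed or from an unexpected sender is dropped. It parses and validates the outer IPv4 and UDP headers only; the shim header layout comes from Figure 2 and is left opaque here. The `build_packet` helper and the sample frames are constructed for illustration.

```python
import ipaddress
import struct
from typing import Dict, Optional

# Parameters of mirror-dest "1" above; the LIG should accept nothing else.
EXPECTED = {"src": "192.168.1.1", "dst": "192.168.2.1", "sport": 11111, "dport": 11111}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_outer(pkt: bytes) -> Dict[str, object]:
    """Parse the outer IPv4 + UDP headers; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total_len < ihl + 8 or total_len > len(pkt):
        raise ValueError("bad IPv4 lengths")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > total_len:
        raise ValueError("bad UDP length")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + 8: ihl + ulen],   # shim header + mirrored packet, opaque here
    }


def accept_mirrored(pkt: bytes, expected: Dict[str, object] = EXPECTED) -> Optional[bytes]:
    """Return the shim+mirrored payload when the outer headers match the provisioned
    gateway; return None for malformed frames or an unexpected sender/port."""
    try:
        hdr = parse_outer(pkt)
    except ValueError:
        return None
    if any(hdr[k] != expected[k] for k in ("src", "dst", "sport", "dport")):
        return None
    return hdr["payload"]


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: IPv4 + UDP with a valid IPv4 header checksum
    (UDP checksum left at 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


if __name__ == "__main__":
    good = build_packet("192.168.1.1", "192.168.2.1", 11111, 11111, b"\x00\x00\x00\x01mirrored")
    print("accepted payload:", accept_mirrored(good))
    rogue = build_packet("10.9.9.9", "192.168.2.1", 11111, 11111, b"x")
    print("rogue sender accepted:", accept_mirrored(rogue) is not None)
```

Matching on the full source/destination/port tuple rather than only the destination port matters because the CC interface carries intercept product: a frame that arrives on UDP 11111 from any other source is either misconfiguration or injected data and should be alerted on, not stored as evidence.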

Update BOF configuration (optional)

The BOF offers two configuration options for LI:
  • li separate
  • li local-save

The li separate option separates the LI configuration region access from the normal administrator. The requirement of separating LI access is typically determined by local jurisdictions.

*[pr:/bof]
A:admin@latest-BNG2# info
    li {
        separate true
    }

A system reboot is required for any changes to li separate to take effect.

A:admin@eng-BNG-2# admin save bof

A:admin@latest-BNG2# /admin reboot now

The li local-save option allows the LI configuration to be saved to persistent storage (for example, on a compact flash device) locally on the system.

Note: The permission to store the LI configuration locally on the system is typically determined by local jurisdictions.

*[pr:/bof]
A:admin@latest-BNG2# info
    li {
        local-save true
    }

A system reboot is required for any changes to li local-save to take effect.

A:admin@eng-BNG-2# admin save bof
A:admin@latest-BNG2# /admin reboot now

Note: The li separate option and the li local-save option can be enabled together and therefore require only one reboot. The configuration is as follows.

*[pr:/bof]
A:admin@latest-BNG2# info
    li {
        separate true
        local-save true
    }

A system reboot is required for any changes to li separate or to li local-save to take effect.

A:admin@eng-BNG-2# admin save bof
A:admin@latest-BNG2# /admin reboot now

Log in as the LI administrator and edit the LI configuration

When the LI administrator is created (and, optionally, the BOF is updated and the system is rebooted), the LI configuration region is accessible to the LI administrator. When the LI administrator logs in as the "liadmin" user, the prompt shows "liadmin" as the user:

A:liadmin@latest-BNG2#

The following command is used to edit the LI configuration:

A:liadmin@latest-BNG2# edit-config li exclusive

The li option is needed to edit the LI configuration region. The LI administrator can configure in either private or exclusive mode. For more information about private and exclusive configuration mode, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR MD-CLI User Guide. Nokia recommends using exclusive mode for LI configuration so that only one LI administrator at a time can make LI configuration changes.

Additional LI infrastructure setup

When the system is commissioned with LI users and a LIG mirror destination for LI, the LI administrator provisions the rest of the LI infrastructure pieces. The following configuration examples are described:

  • Update the LI administrator password
  • [Optional] Create additional local LI users
  • Configure the LI log, for the Intercept Related Information (IRI) interface, either using SNMPv3 or NETCONF
  • Associate the LI source to the mirror destination, for mirroring to the Content of Communication (CC) Interface
  • Add an LI source object to contain future LI targets

The preceding steps are described in more detail in the following sections.

Update the LI administrator password

The normal (non-LI) network administrator created the LI administrator user account, including its password. The LI administrator should change the password the first time they log in. The following command changes the LI administrator password. In this example, the LI administrator is "liadmin" and an example new password is configured. Note that the new password is not a recommended password, but just an example for illustration.

[/]
A:liadmin@latest-BNG2# password
Enter current password: TheInitialPassword
Enter new password: NewSecretPassword
Re-enter new password: NewSecretPassword

Add additional LI users to the system (optional)

The LI administrator first creates the new LI users, including the username and password, in the main config region. In this example, the LI administrator has created two additional local user accounts, "liuser1" and "liuser2", with profile "li-user", which has fewer access rights than the LI administrator profile, as follows:

!(pr)[/configure system security user-params local-user]
A:admin@latest-BNG2# info
    user "liuser1" {
        password "UpdateThis"
        access {
            console true
            netconf true
            li true
        }
        console {
            member ["li-user"]
        }
    }
    user "liuser2" {
        password "UpdateThis"
        access {
            console true
            netconf true
            li true
        }
        console {
            member ["li-user"]
        }
    }

The following is an example of an LI profile for li-user. Compared to the profile "li" used for LI administrator users, this "li-user" profile does not contain entry 70. This difference in the profiles ensures that non-administrator LI users cannot edit or create other users.

[pr:/configure system security aaa local-profiles profile "li-user"]
A:admin@latest-BNG2# info
    default-action deny-all
    entry 10 {
        action permit
        match "edit-config li exclusive"
    }
    entry 20 {
        action permit
        match "li"
    }
    entry 30 {
        action permit
        match "show li"
    }
    entry 40 {
        action permit
        match "admin save li"
    }
    entry 50 {
        action permit
        match "quit-config"
    }
    entry 60 {
        action permit
        match "edit-config private"
    }
    entry 80 {
        action permit
        match "tools perform security"
    }
    entry 90 {
        action permit
        match "show li"
    }
    entry 100 {
        action permit
        match "commit"
    }
    entry 110 {
        action permit
        match "validate"
    }
    entry 120 {
        action permit
        match "admin save"
    }
    entry 130 {
        action permit
        match "info"
    }
    entry 140 {
        action permit
        match "back"
    }
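Both profiles above ("li" for administrators and "li-user" for non-administrator LI users) use default-action deny-all with ordered permit entries, and the only difference is entry 70. The following is an added example (not Nokia code and not part of this chapter) that models that evaluation so the two profiles can be compared against a set of commands before they are deployed, and that flags entries which can never match because an earlier entry already covers them. The matching rule is an assumption made for the model: entries are evaluated in ascending number, an entry matches when its match string is a leading run of whole tokens of the command, the first match decides, and default-action applies otherwise.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entry:
    number: int
    action: str   # "permit" or "deny"
    match: str    # command prefix, as in the profile's match "..." strings


@dataclass
class Profile:
    name: str
    default_action: str                 # "deny-all" or "permit-all"
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, command: str) -> str:
        """Assumed model: the lowest-numbered entry whose match string is a leading run
        of whole tokens of the command decides; default-action applies otherwise."""
        tokens = command.split()
        for entry in sorted(self.entries, key=lambda e: e.number):
            pattern = entry.match.split()
            if tokens[: len(pattern)] == pattern:
                return entry.action
        return "permit" if self.default_action == "permit-all" else "deny"


# Entries shared by both profiles on this page (entry number, match string).
COMMON = [
    (10, "edit-config li exclusive"), (20, "li"), (30, "show li"),
    (40, "admin save li"), (50, "quit-config"), (60, "edit-config private"),
    (80, "tools perform security"), (90, "show li"), (100, "commit"),
    (110, "validate"), (120, "admin save"), (130, "info"), (140, "back"),
]
# Entry 70 is present only in the administrator profile "li".
USER_MGMT = (70, "configure system security user-params local-user")


def build_profiles() -> Tuple[Profile, Profile]:
    li = Profile("li", "deny-all",
                 [Entry(n, "permit", m) for n, m in COMMON + [USER_MGMT]])
    li_user = Profile("li-user", "deny-all",
                      [Entry(n, "permit", m) for n, m in COMMON])
    return li, li_user


def compare(commands: List[str]) -> Dict[str, Tuple[str, str]]:
    """Result of each command under the ("li", "li-user") profiles."""
    li, li_user = build_profiles()
    return {c: (li.evaluate(c), li_user.evaluate(c)) for c in commands}


def shadowed_entries(profile: Profile) -> List[int]:
    """Entry numbers that can never match because an earlier entry already matches
    everything they would match; a useful lint when reviewing a profile."""
    ordered = sorted(profile.entries, key=lambda e: e.number)
    shadowed = []
    for i, entry in enumerate(ordered):
        tokens = entry.match.split()
        for earlier in ordered[:i]:
            pattern = earlier.match.split()
            if tokens[: len(pattern)] == pattern:
                shadowed.append(entry.number)
                break
    return shadowed


if __name__ == "__main__":
    checks = [
        "configure system security user-params local-user user liuser3",
        "edit-config li exclusive",
        "li li-source 1 subscriber x",
        "configure router",
    ]
    for cmd, (admin, user) in compare(checks).items():
        print(f"{cmd!r}: li={admin} li-user={user}")
    li, _ = build_profiles()
    print("shadowed entries in profile li:", shadowed_entries(li))
```

Under this model the user-management command is permitted by "li" and denied by "li-user", which is the separation the text describes, while commands outside both profiles (for example under configure router) fall to deny-all. The lint reports entry 90 ("show li") as shadowed by entry 30 in both profiles: harmless here, but the same check catches the opposite mistake, a broad early permit that silently makes a later deny unreachable.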

Afterward, the new LI users log in with the password provided to them and should change it using the following command. Note that the new password is not a recommended password, but just an example for illustration.

[/]
A:liuser1@latest-BNG2# password
Enter current password: TheInitialUser1Password
Enter new password: NewSecretUser1Password
Re-enter new password: NewSecretUser1Password

Set up an LI event log

The LI event log provides log events of the LI operations including:
  • Logging Events: the time, the date, and the user accessing the LI configuration region
  • Configuration Changes Events: every CLI command that is entered in the LI configuration region
  • Functional Events: for example, when a subscriber has logged in to the BNG and the LI source becomes active and is actively mirroring to the CC interface

The two methods available to transmit LI log events are SNMP and NETCONF. Nokia recommends sending log events through either SNMP or NETCONF, not both.

Send log events through SNMP

The system management-interface snmp function is enabled in the main config region, as follows:

!*(pr)[/configure system management-interface snmp]
A:liadmin@latest-BNG2# info detail
    admin-state enable
    packet-size 9216
    streaming {
        admin-state disable
    }

The SNMP LI log event server is configured as follows. In this example, the name of the snmp-trap-group is "1".

!*(pr)[/configure log snmp-trap-group "1"]
A:liadmin@latest-BNG2# info detail
    trap-target "LIG" {
        address 192.168.1.1
        port 162
        version snmpv3
        notify-community "li"
        security-level privacy
        replay false
    }

LI is enabled to send LI log events to snmp-trap-group "1". The log-id "1" must match the snmp-trap-group "1".

A:liadmin@latest-BNG2# info
    li {
        log {
            log-id "1" {
                source {
                    li true
                }
                destination {
                    snmp {
                    }
                }
            }
        }
    }

Send log events through NETCONF

To send LI log events through NETCONF, the system management-interface netconf function is enabled in the main config region, as follows:

[pr:/configure system management-interface netconf]
A:liadmin@latest-BNG2# info
    admin-state enable

LI is enabled to send LI log events as NETCONF stream, as follows:

!*(pr:li)[/]
A:liadmin@latest-BNG2# info
    li {
        log {
            log-id "1" {
                netconf-stream "li"
                source {
                    li true
                }
                destination {
                    netconf {
                    }
                }
            }
        }
    }
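With the LI log delivered as NETCONF stream "li", the collector on the IRI side subscribes to that stream and then receives RFC 5277 notifications. The following is an added example (not Nokia code and not part of this chapter) that builds the standard `<create-subscription>` RPC for the stream named in the configuration above and parses an incoming `<notification>` into its event time and event body, rejecting anything that is not a well-formed notification. Transport (the NETCONF-over-SSH session and message framing) is out of scope; the XML is built and parsed offline. The sample notification is constructed, and its event body uses a made-up namespace and field names rather than the SR OS LI event schema.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NC_BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"
NC_NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"
ET.register_namespace("nc", NC_BASE)
ET.register_namespace("ncn", NC_NOTIF)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def build_create_subscription(stream: str, message_id: str = "101",
                              start_time: Optional[str] = None) -> str:
    """RFC 5277 <create-subscription> for the named stream. start_time (RFC 3339)
    asks the server to replay buffered events from that time, if it supports replay."""
    rpc = ET.Element(f"{{{NC_BASE}}}rpc", {"message-id": message_id})
    sub = ET.SubElement(rpc, f"{{{NC_NOTIF}}}create-subscription")
    ET.SubElement(sub, f"{{{NC_NOTIF}}}stream").text = stream
    if start_time:
        ET.SubElement(sub, f"{{{NC_NOTIF}}}startTime").text = start_time
    return ET.tostring(rpc, encoding="unicode")


def subscribed_stream(rpc_xml: str) -> str:
    """Read back which stream an RPC subscribes to (for auditing collector configuration)."""
    root = ET.fromstring(rpc_xml)
    node = root.find(f"{{{NC_NOTIF}}}create-subscription/{{{NC_NOTIF}}}stream")
    if node is None or not node.text:
        raise ValueError("not a create-subscription RPC")
    return node.text


def parse_notification(xml_text: str) -> Dict[str, object]:
    """Split a <notification> into its eventTime and single event body. Messages that
    are not notifications, lack eventTime, or carry several bodies are rejected so
    that the collector does not silently store malformed records."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC_NOTIF}}}notification":
        raise ValueError("not a NETCONF notification")
    event_time = root.findtext(f"{{{NC_NOTIF}}}eventTime")
    if not event_time:
        raise ValueError("notification lacks eventTime")
    bodies = [c for c in root if _local(c.tag) != "eventTime"]
    if len(bodies) != 1:
        raise ValueError("expected exactly one event body")
    event = bodies[0]
    fields = {_local(c.tag): (c.text or "").strip() for c in event}
    return {"eventTime": event_time, "event": _local(event.tag), "fields": fields}


# Constructed sample notification; the event body is a made-up schema, not SR OS's.
SAMPLE_NOTIFICATION = f"""<notification xmlns="{NC_NOTIF}">
  <eventTime>2022-03-01T10:15:30Z</eventTime>
  <li-config-change xmlns="urn:example:constructed">
    <user>liadmin</user>
    <command>li li-source "1" subscriber "li-source-00"</command>
  </li-config-change>
</notification>"""

if __name__ == "__main__":
    print(build_create_subscription("li"))
    print(parse_notification(SAMPLE_NOTIFICATION))
```

Keeping the stream name in one place and reading it back with `subscribed_stream` is a small but useful control: a collector that accidentally subscribes to the default NETCONF stream instead of "li" would miss exactly the access and configuration-change events the LI log exists to record.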

Set up an LI source

An LI source is required to later add specific LI targets.

The LI source requires the mirror destination to already be provisioned. The mirror destination "1" was created by the network administrator in Create a mirror destination for LI use. Depending on the user AAA profile "li", the LI administrator may also be able to create new mirror destinations. The LI source is keyed by the name of the mirror destination it uses, so mirror destination "1" is referenced by creating LI source "1", as follows:

!*(pr:li)[/]
A:liadmin@latest-BNG2# info
    li {
        li-source "1" {
        }
    }

Note: When a mirror destination is referenced by an LI source, the mirror destination cannot be removed from the system.

LI events for subscriber management

As depicted in Figure 1 (Lawful interception), AAA RADIUS accounting records are transmitted over the INI2 interface. RADIUS accounting is used for subscriber management LI, which helps identify when the subscriber logged on and off. The RADIUS accounting messages can be sent via an AAA accounting server acting as a proxy, or the SR OS node can send duplicate accounting records directly to the LIG.

LI target provisioning

The system is now ready to perform LI. LI targets such as SAPs and subscribers can be added to the LI source.

Note: This would typically only be done when a legal warrant is issued in the appropriate jurisdiction.

The following is an example of adding a subscriber target to the LI source:

!*(pr:li)[/li li-source "1"]
A:liadmin@latest-BNG2# info
    subscriber "li-source-00" {
        ingress true
        egress true
        intercept-id 1
        session-id 1
    }

Conclusion

Because the industry is migrating to model-driven (MD) management interfaces, Nokia's LI application supports MD-CLI in SR OS Release 19.10.R1 and later. For service providers migrating to MD management interfaces, Nokia's LI application is migration ready and also provides tools to help with the migration process. Operators can therefore migrate to MD management with the LI features included. This chapter also provides guidance for operators that are commissioning new SR OS products using the MD-CLI.