MAG-c lawful intercept

The lawful intercept (LI) solution is implemented on the MAG-c and on the User Plane (UP). The MAG-c and the UP share a private key to allow decryption of LI PFCP IEs. This topic describes the LI implementation, the content of LI notifications, and how to configure LI on the MAG-c.

LI is a legally sanctioned, official access to private communications. To provide intercepted private communications to law enforcement officials, a service provider or network operator collects communication of a private subscriber or organization using an LI security process.

LI typically consists of the following interfaces, irrespective of the access technology:

  • administrative interface – supports LI target provisioning
  • information-related interface – provides event information related to subscribers
  • contents-of-communications interface – sends mirrored packets to the LI gateway (LIG)

The MAG-c architecture supports the administrative and information-related interfaces on the MAG-c and the contents-of-communications interface on each UP.

The MAG-c provides a centralized location to provision all LI targets and instructs the UP to perform LI for specific target subscribers by sending encrypted LI PFCP IEs over the Sx interface. The UP decrypts these IEs with the key it shares with the MAG-c.

To keep the LI target anonymous, every subscriber PFCP session carries encrypted LI PFCP IEs, whether or not the subscriber is a target; an observer of the Sx interface therefore cannot distinguish intercepted sessions from the rest.

MAG-c LI solution for wireline application

Understand the tools to use and guidelines to follow when configuring MAG-c LI for wireline applications.

For wireline (BNG) application, the following criteria apply for the MAG-c LI:

  • Perform all target provisioning for LI on the MAG-c through SSH CLI.
  • The MAG-c sends log events related to LI targets via the SNMPv3 interface.
  • Each BNG-UP can be configured to send mirrored traffic according to the mirror destination type: SAP, SDP, or IP-UDP SHIM.

Use the following command on the MAG-c to activate an LI target.
configure li target

For wireline subscribers, use the following command with the subscriber keyword to configure the target source. The name (ID) must match the subscriber ID returned from RADIUS in the Nokia VSA Alc-Subsc-ID-Str (attribute 11).

configure li target source id subscriber name

You can also use this command to configure other settings, including the ingress, egress, intercept ID, and session ID.

MAG-c LI solution for FWA applications

Get an overview of the guidelines and steps to configure MAG-c LI for wireless applications.

MAG-c configuration requirements

As defined in 3GPP, LI for fixed wireless access (FWA) can be IRI-only, CC-only, or both. IRI provisioning and CC provisioning are two separate procedures on the MAG-c. If only IRI or only CC is required, perform the applicable procedure. If both IRI and CC are required, perform both.

For each subscriber, perform the provisioning as follows:

Note: The LI administrator cannot predetermine whether the FWA RG is 4G-only, 5G-only, or both. For this reason, Nokia recommends configuring both 4G and 5G LI. This guarantees the lawful intercept regardless of the access through which the subscriber connects.

UP configuration requirements

The UP requires a minimal set of LI configurations to support MAG-c LI. The mirror destination ID is a key parameter that the MAG-c sends to the UP. You must configure matching mirror destination IDs on the UP and the MAG-c.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide for more information and configuration guidelines.

Configuring FWA LI IRI for 5G RGs

Perform the procedure described in this topic to configure the FWA LI IRI solution for 5G RGs.

For 5G RGs, the LI solution for FWA is based on 3GPP Release 15 TS 33.127 and TS 33.128. This may include RGs that are 5G capable and can fall back to 4G radio access.

The following requirements apply when configuring FWA LI IRI for 5G RGs:

  • Based on TS 33.128, the LI_X1 interface used to provision LI targets requires an associated TLS server profile. Target provisioning over LI_X1 covers IRI only; CC targets are provisioned separately through the CLI. See Configuring FWA LI CC for 4G and 5G RGs for more information about CC.

  • The LI_X2 interface carries the IRI and is also TLS-based; it requires a TLS client profile configuration.

Perform the following steps to configure FWA LI IRI for 5G RGs:

  1. Configure the LI targets using the LI_X1 interface with an associated TLS server profile.
  2. Configure the LI_X2 interface with an associated TLS client profile for the IRI interface.

Configuring FWA LI IRI for 4G RGs

Perform the procedure described in this topic to configure FWA LI IRI for 4G RGs.

For 4G (LTE) RGs, the LI solution for FWA is based on 3GPP Release 15 TS 33.107 and TS 33.108.

Perform the following steps to configure FWA LI IRI for 4G RGs:

  1. Use SSH and the following CLI command to configure the IRI destination.
    configure li mobile-gateway df-peer id df2-addr addr df2-port port
  2. Associate the FWA LI target type (for example, IMSI) and the ID (for example, IMSI number) with the IRI (DF2) peer.
    configure li mobile-gateway target type id value peer df-peer-id
  3. Optional: Enable TLS on the IRI interface. The IRI interface uses the TPKT protocol, as defined in TS 33.108.

Configuring FWA LI CC for 4G and 5G RGs

Perform the procedure described in this topic to configure the FWA LI CC solution for both 4G and 5G RGs.

Content of Communication (CC) data-packet mirroring uses the same configuration for 4G and 5G LI. The following apply for CC:

  • CC provisioning for FWA subscribers on the MAG-c is through SSH CLI. You can specify either the International Mobile Subscriber Identity (IMSI) or Mobile Station International Subscriber Directory Number (MSISDN) as the target for both 4G and 5G subscribers.
  • The MAG-c instructs the UP to perform LI on the subscriber session via the Sx interface. Each UP sends LI mirrored packets according to the configured mirror destination type: SAP, SDP, or IP-UDP SHIM.

Perform the following steps to configure LI for both 4G and 5G RGs on the MAG-c using SSH CLI:

  1. Configure the LI target source with the imsi or the msisdn option to enable CC LI for a specific FWA subscriber.
    Note: Use the imsi option for both IMSI and SUPI.
    configure li target source id imsi imsi-number
    configure li target source id msisdn msisdn-number
  2. Configure additional settings, including the ingress, egress, intercept ID, and session ID.
    configure li target source

Additional information for 3GPP IRI messages

Use the following command to customize the 3GPP IRI message for 4G and 5G. For 4G, the command sets the operator ID within a 4G IRI message, as defined in 3GPP TS 33.107. For 5G, the command sets the domain ID (DID) field, as defined in ETSI TS 103 221-2.

configure li mobile-gateway operator-id

Use the following command to change the network element ID (NEID) in 3GPP 4G IRI messages, as defined in 3GPP TS 33.107.

configure li mobile-gateway iri ne-id

For 5G, use the following command to change the interception point ID (IPID), as defined in ETSI TS 103 221-2.

configure li mobile-gateway 5g-iri-ip-id

The IPID is carried as TLV type 7. Its value is itself a TLV (a sub-TLV) whose type selects the form of the identifier, as follows.

Table 1. IPID encoding
  Outer TLV:  Type = 7 | Length = x | Value = sub-TLV
  Sub-TLV:    Type     | Length     | Value

The type and length fields of both the outer TLV and the sub-TLV are two bytes each, and each length field gives the length of the value that follows it. The sub-TLV type field can have the following values:

  • Type 0 – reserved
  • Type 1 – IPv4 address
  • Type 2 – IPv6 address
  • Type 3 – string

The sub-TLV value is the IPv4 address (4 bytes), the IPv6 address (16 bytes), or the customized string.

IPID encoding for IPv4 address 18.52.86.255 (hexadecimal 12 34 56 FF)

Table 2. IPID encoding example
  Outer TLV:  Type = 7 | Length = x       | Value = sub-TLV below
  Sub-TLV:    Type = 1 | Length = 4 bytes | Value = 12 34 56 FF
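The nested encoding above, as an added worked example (not Nokia code): a Python encoder and a checking decoder for the IPID attribute. Beyond what the tables state, it assumes that all type and length fields are big-endian 16-bit values, that the outer length counts the complete sub-TLV (sub-type, sub-length and value, which gives 8 for the IPv4 example), and that string identifiers are UTF-8.

```python
import ipaddress
import struct

IPID_ATTR_TYPE = 7                         # ETSI TS 103 221-2 attribute type for the IPID
SUB_IPV4, SUB_IPV6, SUB_STRING = 1, 2, 3   # sub-TLV types from Table 1 (0 is reserved)


def encode_ipid(value):
    """Build the outer type-7 TLV for an IPv4 address, IPv6 address or string.

    The sub-TLV type is derived from the value: anything that parses as an IP
    address is encoded in binary (type 1 or 2); everything else is a string (3).
    Assumption: all type/length fields are big-endian 16-bit, strings are UTF-8.
    """
    try:
        addr = ipaddress.ip_address(value)
        sub_type = SUB_IPV4 if addr.version == 4 else SUB_IPV6
        payload = addr.packed
    except ValueError:
        sub_type = SUB_STRING
        payload = value.encode("utf-8")
    sub_tlv = struct.pack("!HH", sub_type, len(payload)) + payload
    # Assumption: the outer length covers the complete sub-TLV, not only its value.
    return struct.pack("!HH", IPID_ATTR_TYPE, len(sub_tlv)) + sub_tlv


def decode_ipid(data):
    """Parse an outer type-7 TLV and return (sub_type, value).

    Every length is checked against the bytes actually present, so a truncated
    or padded attribute, a reserved sub-type, or an address of the wrong size
    raises ValueError instead of being silently accepted.
    """
    if len(data) < 4:
        raise ValueError("outer TLV header truncated")
    attr_type, attr_len = struct.unpack("!HH", data[:4])
    if attr_type != IPID_ATTR_TYPE:
        raise ValueError("not an IPID attribute: type %d" % attr_type)
    body = data[4:]
    if len(body) != attr_len:
        raise ValueError("outer length %d does not match %d value bytes" % (attr_len, len(body)))
    if len(body) < 4:
        raise ValueError("sub-TLV header truncated")
    sub_type, sub_len = struct.unpack("!HH", body[:4])
    payload = body[4:]
    if len(payload) != sub_len:
        raise ValueError("sub-TLV length %d does not match %d payload bytes" % (sub_len, len(payload)))
    if sub_type == SUB_IPV4:
        if sub_len != 4:
            raise ValueError("IPv4 IPID must be 4 bytes, got %d" % sub_len)
        return sub_type, str(ipaddress.IPv4Address(payload))
    if sub_type == SUB_IPV6:
        if sub_len != 16:
            raise ValueError("IPv6 IPID must be 16 bytes, got %d" % sub_len)
        return sub_type, str(ipaddress.IPv6Address(payload))
    if sub_type == SUB_STRING:
        return sub_type, payload.decode("utf-8")
    raise ValueError("reserved or unknown IPID sub-type %d" % sub_type)


if __name__ == "__main__":
    # Table 2's example: IPv4 address 18.52.86.255 -> 12 34 56 FF
    tlv = encode_ipid("18.52.86.255")
    print(tlv.hex())          # 0007000800010004123456ff
    print(decode_ipid(tlv))   # (1, '18.52.86.255')
```

The decoder refuses a reserved sub-type, a length that disagrees with the bytes present, and an address value of the wrong size; anything on the mediation side that parses X2 headers should fail closed in the same way rather than guess at the identifier.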

Alternative MAG-c LI solution through the UP

It is possible to provision LI targets directly on the UP, but Nokia does not recommend it, mainly because the UP assigns the subscriber a new subscriber ID on every logon and the LI gateway must then relearn which UP holds the subscriber and under which ID. Users must understand the risks and requirements before considering this option.

Note:

Although Nokia does not recommend it, you can provision the LI target directly on the UP by using the subscriber ID on the UP. However, each time a subscriber logs on to the MAG-c, the UP assigns the subscriber a different subscriber ID. The following methods help the LIG identify the UP where the subscriber is located and the new subscriber ID on the UP.

One method of locating the subscriber and its subscriber ID on the UP is to use RADIUS accounting messages. Use the up-info, up-subscriber-id, and subscriber-id commands in the following context to configure the MAG-c to include the corresponding RADIUS attributes in the accounting messages.

configure mobile-gateway profile charging bng-charging radius session include-attribute

The MAG-c and the BNG-UP have the following responsibilities for the LI functionality:

  • When configured to perform LI, the MAG-c reports the subscriber and LI events.
  • The BNG-UP provisions LI targets and supports mirroring of LI packets.

In addition to using RADIUS, the MAG-c also reports the subscriber and LI events through SNMPv3 to the LI mediation gateway. The LI mediation gateway uses the reported subscriber ID to enable LI on the BNG-UP.

The BNG-UP creates a new subscriber ID every time the subscriber logs on. For more information about LI on the BNG-UP, see 7750 SR and VSR BNG CUPS User Plane Function Guide.

Subscriber ID and IP address notifications for LI mediation devices

Review these guidelines and options for enabling MAG-c notifications to the LI mediation gateway about LI and subscriber events.

The MAG-c notifies the LI mediation gateway about the LI and subscriber events. Some key parameters in the notifications include the BNG-UP subscriber ID and the BNG-UP IP address. The LI mediation gateway uses the key parameters to provision the LI targets (using the subscriber ID) directly on the BNG-UP (using the IP address).

The MAG-c writes the following information in logs and includes it in RADIUS accounting messages:

  • real subscriber name; for example, John Smith
  • auto-generated BNG-UP subscriber ID; for example, 549
  • BNG-UP IP address; for example, 3.3.3.3

The following example displays a MAG-c log.

MAG-c log

767 2020/08/07 13:24:41.990 UTC WARNING: MOBILE_CUPS_BNG #2003 Base CUPS-BNG
"CUPS BNG new subscriber created: Sub-Id '549', externally assigned alias (if any)
'John Smith', UP IP 3.3.3.3"

The following example shows VSAs in a MAG-c RADIUS accounting message.

VSAs in a MAG-c RADIUS accounting message

Alc-Subsc-ID-Str = John Smith
Alc-UP-Ip-Address = 3.3.3.3
Alc-UP-Subscriber-Id = 549

The LI mediation gateway uses the information in the log and in the accounting message to detect possible LI targets. If the information points to an LI target, the LI mediation gateway sends an SNMPv3 command to the IP address of the BNG-UP, to set up an LI target on the subscriber ID on the BNG-UP.

Note: The BNG-UP automatically prepends _cups_ to the auto-generated subscriber ID; for example, _cups_549.
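The correlation the LI mediation gateway performs on these notifications, and on the RADIUS accounting attributes described under the alternative solution above, as an added example in Python that is neither Nokia's code nor any mediation vendor's. It parses a constructed copy of the log line and a constructed accounting message, keys on the subscriber name, and tracks the BNG-UP address and the _cups_-prefixed subscriber ID per target, so that a later logon yields both the new UP-side target to provision and the stale one to remove. The second logon (UP 4.4.4.4, Sub-Id 612) is invented for the example; the SNMPv3 set toward the BNG-UP is left to the caller.

```python
import re

# Constructed copies of the two notification formats shown above; they are not
# captured from a live MAG-c.  The log message is kept wrapped as on the page.
SAMPLE_LOG = (
    "767 2020/08/07 13:24:41.990 UTC WARNING: MOBILE_CUPS_BNG #2003 Base CUPS-BNG\n"
    "\"CUPS BNG new subscriber created: Sub-Id '549', externally assigned alias (if any)\n"
    "'John Smith', UP IP 3.3.3.3\""
)
# Invented second logon of the same subscriber: the BNG-UP (here a different one)
# hands out a new auto-generated subscriber ID, so the earlier target is stale.
SAMPLE_RADIUS_RELOGIN = [
    "Acct-Status-Type = Start",
    "Alc-Subsc-ID-Str = John Smith",
    "Alc-UP-Ip-Address = 4.4.4.4",
    "Alc-UP-Subscriber-Id = 612",
]

LOG_RE = re.compile(
    r"new subscriber created: Sub-Id '(?P<up_sub_id>\d+)',\s+"
    r"externally assigned alias \(if any\)\s+'(?P<name>[^']*)',\s+"
    r"UP IP (?P<up_ip>[0-9A-Fa-f:.]+)"
)


def parse_log_event(text):
    """Return (name, up_ip, up_sub_id) from a 'new subscriber created' log, else None."""
    m = LOG_RE.search(text)
    return None if m is None else (m["name"], m["up_ip"], m["up_sub_id"])


def parse_radius_accounting(lines):
    """Return the same triple from the Alc-* VSAs of an accounting message, else None."""
    attrs = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    try:
        return (attrs["Alc-Subsc-ID-Str"], attrs["Alc-UP-Ip-Address"],
                attrs["Alc-UP-Subscriber-Id"])
    except KeyError:
        return None


class LiMediationTracker:
    """Track, per provisioned LI target name, where it currently lives on the UP side.

    The BNG-UP creates a new subscriber ID on every logon, so each notification
    for a target yields the (UP IP, _cups_<id>) pair to provision now and the
    previous pair, if any, whose intercept should be removed.  Sending the
    SNMPv3 set to the BNG-UP is left to the caller.
    """

    def __init__(self, target_names):
        self.targets = set(target_names)
        self.active = {}          # name -> (up_ip, up_subscriber_id)

    def on_event(self, event):
        if event is None:
            return None
        name, up_ip, up_sub_id = event
        if name not in self.targets:
            return None           # not an LI target: nothing to provision
        new = (up_ip, "_cups_" + up_sub_id)   # the BNG-UP prepends _cups_ to the ID
        old = self.active.get(name)
        self.active[name] = new
        return {"target": name, "provision": new, "remove": old}


if __name__ == "__main__":
    tracker = LiMediationTracker(["John Smith"])
    print(tracker.on_event(parse_log_event(SAMPLE_LOG)))
    print(tracker.on_event(parse_radius_accounting(SAMPLE_RADIUS_RELOGIN)))
```

Keying on the subscriber name rather than on the BNG-UP subscriber ID is the point: the ID is only stable for one session, so a gateway that stored it as the target identity would keep intercepting a number that the BNG-UP may later reuse for someone else, and would miss the target after the next logon.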

See 7750 SR and VSR BNG CUPS User Plane Function Guide for more information about the BNG-UP LI target provisioning and LI packet mirroring.

See 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information about LI access through SNMPv3.