MAG-c lawful intercept

The lawful intercept (LI) solution is implemented on the MAG-c and on the User Plane (UP). The MAG-c and the UP share a private key to allow decryption of LI PFCP IEs. This topic describes the LI implementation, the content of LI notifications, and how to configure LI on the MAG-c.

LI is a legally sanctioned, official access to private communications. To provide intercepted private communications to law enforcement officials, a service provider or network operator collects communication of a private subscriber or organization using an LI security process.

LI typically consists of the following interfaces, irrespective of the access technology:

  • administrative interface – supports LI target provisioning
  • information-related interface – provides event information related to subscribers
  • contents-of-communications interface – sends mirrored packets to the LI gateway (LIG)

The MAG-c architecture supports the administrative and information-related interfaces on the MAG-c and the contents-of-communications interface on each UP.

The MAG-c provides a centralized location to provision all LI targets, and instructs the UP to perform LI for specific target subscribers by sending encrypted LI PFCP IEs through the Sx interface. The MAG-c and the UP share a private key to allow decryption of LI PFCP IEs.

To allow the LI target to remain anonymous, every subscriber PFCP session includes encrypted LI PFCP IEs.

MAG-c LI solution for wireline application

Understand the tools to use and guidelines to follow when configuring MAG-c LI for wireline applications.

For wireline (BNG) application, the following criteria apply for the MAG-c LI:

  • Perform all target provisioning for LI on the MAG-c through SSH CLI.
  • The MAG-c sends log events related to LI targets via the SNMPv3 interface.
  • Each BNG-UP can be configured to send mirrored traffic according to the mirror destination type: SAP, SDP, or IP-UDP SHIM.

Use the following command on the MAG-c to activate an LI target.

configure li target

For wireline subscribers, use the following command with the subscriber keyword to configure the target source. The name (ID) must match the subscriber ID returned from RADIUS, which is VSA Alc-Subsc-ID-Str [11].

configure li target source id subscriber name

You can also use this command to configure other settings, including the ingress, egress, intercept ID, and session ID.

MAG-c LI solution for FWA applications

Get an overview of the guidelines and steps to configure MAG-c LI for wireless applications.

MAG-c configuration requirements

As defined in 3GPP, LI for fixed wireless application (FWA) can be IRI-only, CC-only, or both. The provisioning of IRI and CC are two separate procedures on the MAG-c. If only IRI or CC provisioning is required, perform the applicable procedure for the IRI or CC only. If both IRI and CC are required, you must configure both.

For each subscriber, perform the provisioning as follows:

Note: The LI administrator cannot predict whether an IMSI belongs to a 4G or a 5G RG. For this reason, Nokia recommends configuring both 4G and 5G LI. This guarantees the lawful intercept regardless of the access type through which the subscriber connects.

UP configuration requirements

The UP requires a minimal set of LI configurations to support MAG-c LI. The mirror destination ID is a key parameter that the MAG-c sends to the UP. You must configure matching mirror destination IDs on the UP and the MAG-c.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide for more information and configuration guidelines.

Configuring FWA LI IRI for 5G RGs

Perform the procedure described in this topic to configure the FWA LI IRI solution for 5G RGs.

For 5G RGs, the LI solution for FWA is based on 3GPP Release 15 TS 33.127 and TS 33.128. This may include RGs that are 5G capable and have the ability to fallback to 4G radio access.

The following requirements apply when configuring FWA LI IRI for 5G RGs:

  • Based on TS 33.128, the LI_X1 interface used to provision LI targets requires an associated TLS server profile. The LI_X1 interface supports IRI only; for CC, see Configuring FWA LI CC for 4G and 5G RGs for more information.

  • The LI_X2 interface is the IRI interface and is also TLS based. This requires a TLS client profile configuration.

Perform the following steps to configure FWA LI IRI for 5G RGs:

  1. Configure the LI targets using the LI_X1 interface with an associated TLS server profile.
  2. Configure the LI_X2 interface with an associated TLS client profile for the IRI interface.

Configuring FWA LI IRI for 4G RGs

Perform the procedure described in this topic to configure FWA LI IRI for 4G RGs.

For 4G (LTE) RGs, the LI solution for FWA is based on 3GPP Release 15 TS 33.107 and TS 33.108.

Perform the following steps to configure FWA LI IRI for 4G RGs:

  1. Use SSH and the following CLI command to configure the IRI destination.
    configure li mobile-gateway df-peer id df2-addr addr df2-port port
  2. Associate the FWA LI target type (for example, IMSI) and the ID (for example, IMSI number) with the IRI (DF2) peer.
    configure li mobile-gateway target type id value peer df-peer-id
  3. Optional: Enable TLS on the IRI interface. The IRI interface uses the TPKT protocol based on TS 33.108.

Configuring FWA LI CC for 4G and 5G RGs

Perform the procedure described in this topic to configure the FWA LI CC solution for both 4G and 5G RGs.

Call Content (CC) data-packet mirroring for both 4G and 5G LI uses the same configuration. The following apply for CC:

  • CC provisioning for FWA subscribers on the MAG-c is through SSH CLI, using the IMSI number for the target source ID for both 4G and 5G subscribers.
  • The MAG-c instructs the UP to perform LI on the subscriber session via the Sx interface. Each UP sends LI mirrored packets according to the configured mirror destination type: SAP, SDP, or IP-UDP SHIM.

Perform the following steps to configure LI for both 4G and 5G RGs on the MAG-c using SSH CLI:

  1. Use the following command to enable CC LI for a specific FWA subscriber, using the imsi keyword for both IMSI and SUPI.
    configure li target source id imsi id
  2. Use the source command to configure additional settings, including the ingress, egress, intercept ID, and session ID.

Alternative MAG-c LI solution through the UP

It is possible to provision LI targets on the UP, although it is not recommended for a number of reasons. Users must understand the risks and requirements before considering this option.

Note: Although Nokia does not recommend it, you can provision the LI target directly on the UP by using the subscriber ID on the UP. However, each time a subscriber logs on to the MAG-c, the UP assigns the subscriber a different subscriber ID. The following methods help the LIG identify the UP where the subscriber is located and the new subscriber ID on the UP.

Using RADIUS accounting messages is one method to help to locate the subscriber and subscriber ID on the UP. Use the up-info, up-subscriber-id, and subscriber-id commands in the following context to configure the MAG-c to include RADIUS attributes in the accounting messages.

configure mobile-gateway profile charging bng-charging radius session include-attribute

The MAG-c and the BNG-UP have the following responsibilities for the LI functionality:

  • When configured to perform LI, the MAG-c reports the subscriber and LI events.
  • The BNG-UP provisions LI targets and supports mirroring of LI packets.

In addition to using RADIUS, the MAG-c also reports the subscriber and LI events through SNMPv3 to the LI mediation gateway. The LI mediation gateway uses the reported subscriber ID to enable LI on the BNG-UP.

The BNG-UP creates a new subscriber ID every time the subscriber logs on. For more information about LI on the BNG-UP, see 7750 SR and VSR BNG CUPS User Plane Function Guide.

Subscriber ID and IP address notifications for LI mediation devices

Review these guidelines and options for enabling MAG-c notifications to the LI mediation gateway about LI and subscriber events.

The MAG-c notifies the LI mediation gateway about the LI and subscriber events. Some key parameters in the notifications include the BNG-UP subscriber ID and the BNG-UP IP address. The LI mediation gateway uses the key parameters to provision the LI targets (using the subscriber ID) directly on the BNG-UP (using the IP address).

The MAG-c writes the following information in logs and includes it in RADIUS accounting messages:

  • real subscriber name; for example, John Smith
  • auto-generated BNG-UP subscriber ID; for example, 549
  • BNG-UP IP address; for example, 3.3.3.3

The following example displays a MAG-c log.

MAG-c log

767 2020/08/07 13:24:41.990 UTC WARNING: MOBILE_CUPS_BNG #2003 Base CUPS-BNG
"CUPS BNG new subscriber created: Sub-Id '549', externally assigned alias (if any)
'John Smith', UP IP 3.3.3.3"

The following example shows VSAs in a MAG-c RADIUS accounting message.

VSAs in a MAG-c RADIUS accounting message

Alc-Subsc-Id-Str = John Smith
Alc-UP-Ip-Address = 3.3.3.3
Alc-UP-Subscriber-Id = 549

The LI mediation gateway uses the information in the log and in the accounting message to detect possible LI targets. If the information points to an LI target, the LI mediation gateway sends an SNMPv3 command to the IP address of the BNG-UP, to set up an LI target on the subscriber ID on the BNG-UP.

Note: The BNG-UP automatically prepends _cups_ to the auto-generated subscriber ID; for example, _cups_549.
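As an added illustration (not Nokia's code and not part of this guide), the following Python shows how a mediation gateway can correlate the MAG-c log line and the RADIUS VSAs above into the BNG-UP address and the _cups_-prefixed subscriber ID it would provision. The sample log and VSA values are constructed from the examples in this topic, and the set of provisioned target names is an assumed input.

```python
import re

# Constructed sample input modelled on the examples in this topic (not captured data).
# The MAG-c log line wraps the message across two lines, as shown in the guide.
SAMPLE_LOG = (
    "767 2020/08/07 13:24:41.990 UTC WARNING: MOBILE_CUPS_BNG #2003 Base CUPS-BNG\n"
    "\"CUPS BNG new subscriber created: Sub-Id '549', externally assigned alias (if any)\n"
    "'John Smith', UP IP 3.3.3.3\""
)
SAMPLE_VSAS = {
    "Alc-Subsc-Id-Str": "John Smith",
    "Alc-UP-Ip-Address": "3.3.3.3",
    "Alc-UP-Subscriber-Id": "549",
}

# Tolerates the line wrap between "(if any)" and the quoted alias (re.S lets \s* span it).
LOG_RE = re.compile(
    r"Sub-Id '(?P<up_sub_id>\d+)'.*?alias \(if any\)\s*'(?P<alias>[^']*)'"
    r",\s*UP IP (?P<up_ip>\d+\.\d+\.\d+\.\d+)",
    re.S,
)


def parse_log(text):
    """Extract alias, UP IP and UP subscriber ID from a MOBILE_CUPS_BNG #2003 log, else None."""
    m = LOG_RE.search(text)
    if not m:
        return None
    return {"alias": m["alias"], "up_ip": m["up_ip"], "up_sub_id": m["up_sub_id"]}


def parse_vsas(vsas):
    """Extract the same three fields from the VSAs of a RADIUS accounting message, else None."""
    try:
        return {"alias": vsas["Alc-Subsc-Id-Str"],
                "up_ip": vsas["Alc-UP-Ip-Address"],
                "up_sub_id": vsas["Alc-UP-Subscriber-Id"]}
    except KeyError:
        return None


def up_target(event, provisioned_targets):
    """Return (BNG-UP IP, UP subscriber ID with the _cups_ prefix) when the event names a
    provisioned target, else None. Must be re-evaluated on every logon, because the
    BNG-UP assigns a new subscriber ID each time the subscriber logs on."""
    if event is None or event["alias"] not in provisioned_targets:
        return None
    return event["up_ip"], "_cups_" + event["up_sub_id"]
```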

See 7750 SR and VSR BNG CUPS User Plane Function Guide for more information about the BNG-UP LI target provisioning and LI packet mirroring.

See 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information about LI access through SNMPv3.