Use the intercept and call data channel (CDC) commands to configure the parameters for lawful intercept (LI) processing on the SBC. Lawful interception is a means of conducting lawfully authorized electronic surveillance of communication against warranted users or subscribers.
Refer to the Lawful Intercept page and associated pages for an in-depth explanation of SBC LI functionality.
You must configure LI parameters within the default address context.
The SBC 7000 system supports creating IP Interface Groups containing sets of IP interfaces that are not "processor friendly" (i.e. carried on physical Ethernet ports served by separate processors). However, restrictions exist regarding the usage of such Interface Groups.
(This ability does not apply to the SBC 5400, which has only two physical media ports. You may configure the IP interfaces from the two physical ports within the same IP Interface Groups without restrictions.)
For complete details, refer to Configuring IP Interface Groups and Interfaces.
When configuring LI, you must be logged in as the 'calea' user. Refer to Managing SBC Core Users and Accounts for descriptions of users and permissions.
As the user 'calea', use the following command syntax to configure LI.
% set addressContext <default> intercept callDataChannel <callDataChannel> nodeNumber <integer>
Parameter | Length/Range | Description |
---|---|---|
callDataChannel | 1-23 | The user-configurable LI Call Data Control Channel name. See the Call Data Channel Parameters tables below for details on the parameters within the CDC. |
nodeNumber | 0-9999999 | The unique global node number to assign to the SBC, which the LI server uses for identification purposes. |
As the user 'calea', use the following CLI syntax to establish the LI call data channel configuration:
% set addressContext <default> intercept callDataChannel <callDataChannel_name> diamNode <name> diameterPeer <calea Diameter peer name> diameterRealmRoute <calea realmRoute> dsrProtocolVersion <0 | 1> embedTapIdInCccId <enabled | disabled> interceptStandard <etsi | packetcable | packetcablePlusEtsi | packetcableVTwo | threeGpp> ipInterfaceGroupName <ipInterfaceGroup_Name> kaTimer <0-65535 seconds> liPolDipForRegdOodMsgs <disabled | enabled> mediaIpInterfaceGroupName <IP interface group name> mediationServer <server name> priIpAddress <IPv4 address> priMode <active | outofservice | standby> priPort <0-65535> priState <disabled | enabled> protocolTyperetries <value> rtcpInterception <disabled | enabled> secIpAddress <IP_Address> secMode <active | outofservice | standby> secState <disabled | enabled> signaling protocolType <tcp | tls | udp> tlsProfileName <TLS profile name> vendorId <none | groupTwoThousand | ss8 | utimaco | verint> sipTrunkGroupSupportedList <Trunk Group List> sipTrunkGroupExemptedList <Trunk Group List>
The following table describes the CDC parameters that determine the type of LI you are deploying. They must be configured for all types of LI.
Parameter | Description |
---|---|
interceptStandard | The intercept standard to use for this CDC. |
protocolType | The protocol used by the mediation server for signaling interception. |
tlsProfileName | TLS Profile name used by this Signaling Port. |
vendorId | The vendor name of the LI server. |
The following table identifies the interceptStandard and vendorId configuration combinations the SBC supports for each type of LI.
interceptStandard (CDC setting) | vendorId (CDC setting) | LI Type |
---|---|---|
packetcable/packetCablePlusEtsi | none/utimaco/verint | Legacy LI (default) |
packetcable | ss8 | PCSI LI |
threeGpp/etsi | none/utimaco/verint/groupTwoThousand | IMS LI |
| atos/none | PC 2.0 LI |
The following table lists the rest of the CDC parameters. Not all parameters apply to each type of LI; some parameters do not become available until you specify an interceptStandard and vendorId combination of an LI type to which they apply.
Parameter | Length/Range | Description | Applicable To |
---|---|---|---|
diamNode | Up to 23 characters | Note: Diameter node configuration must be completed on the SBC by a user with | |
diameterPeer | Up to 23 characters | Diameter peer configuration under the CDC object, specifically for the mediation server (DF) side of the Diameter X2 signaling interface for PC 2.0 LI deployments. A maximum of 16 Diameter peers can be configured within the CDC. | |
diameterRealmRoute | Up to 23 characters | Diameter realm route configuration under the CDC object, specifically for the mediation server (DF) side of the Diameter X2 signaling interface for PC 2.0 LI deployments. A maximum of 16 Diameter realm routes can be configured within the CDC. | |
dsrProtocolVersion | N/A | Signifies the intercepted X2 signaling protocol version towards the mediation servers. The default value 0 maintains backward compatibility with SBC Core 8.0 or earlier. | |
embedTapIdInCccId | N/A | Specifies whether the SBC embeds the Tap ID in the CCCID (Call Content Connection Identifier) it sends with X2 and X3 messages to the DF. The Tap ID comes from X1 surveillance data. The options are: | |
| 0-23 | | |
| 0-65535 | | |
liPolDipForRegdOodMsgs | N/A | Specifies whether the SBC should send a policy request to the PSX, when the SBC receives a registered user's out-of-dialog messages, to determine whether interception is required. NOTE: This parameter is only visible when the | |
mediaIpInterfaceGroupName | 1-23 characters | Specifies the name of the IP interface group to send X3 call content to the mediation server (DF). | |
mediationServer | 0-23 | | |
| N/A | | |
priMode | N/A | Mode of the primary server. Options are: | |
| 0-65535 | | |
priState | N/A | Use this flag to enable/disable communication to the primary LI server. | |
| N/A | Number of retries before the LI Call Data Channel is considered as failed. (default = 3) | |
rtcpInterception | N/A | Specifies whether to intercept RTCP information. Options are: | |
secIpAddress | N/A | Secondary LI server's IPv4 address where Call Data Channel messages are sent. (default = 0.0.0.0) | |
secMode | N/A | Mode of the secondary server. Options are: | |
secState | N/A | Use this flag to enable/disable communication to the secondary LI server. | |
sipTrunkGroupExemptedList | N/A | List of trunk groups (TG) that are exempted from lawful interception. Only configured Modified: for 12.1.4 | |
sipTrunkGroupSupportedList | N/A | List of trunk groups that are marked for lawful interception. Only configured Modified: for 12.1.4 | |
The SBC allows configuration of a maximum of 16 mediation servers in the Call Data Channel (CDC). Persistent TCP connections can be established towards all configured mediation servers. When a call is intercepted, the SBC selects among the Delivery Function 2 (DF2) servers in a round-robin manner.
Mediation server objects contain signaling (X2) and media (X3) IP addresses. The SBC allows configuration of multiple mediation servers with the same X2 IP address but different X3 IP addresses.
For IMS LI, the SBC does not support an active-standby configuration for the X2 servers. It assumes that the DF2 servers are running in active-active mode, and in case of failure, moves the IP address of the active DF2 server to the standby DF2 server.
The X2 and X3 servers operate independently. Even if the X2 servers are not reachable, the SBC sends X3 media if a DF3 server is available, and vice versa.
The SBC supports TCP to transport media details.
% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media tcp dscpValue <0-63> ipAddress <IPv4/IPv6 address> kaInterval <5-60 seconds> kaProbe <4-8 seconds> kaTime <60-7200 seconds> mode <inService | outOfService> portNumber <0-65535> state <disabled | enabled>
set addressContext default intercept callDataChannel CDC mediationServer MS1
Parameter | Length/Range | Descriptions |
---|---|---|
dscpValue | 0-63 | The DSCP value for intercepted media packets sent on TCP port. (Default = 16) |
ipAddress | IPv4/IPv6 format | The IPv4/IPv6 Address of the mediation server for media interception over TCP. |
kaInterval | 5-60 | The duration between two successive keep-alive retransmissions, if an acknowledgement to the previous keep-alive transmission is not received. (Default = 30 seconds) |
kaProbe | 4-8 | The number of retransmissions to be carried out before declaring that the remote end is not available. (Default = 4) |
kaTime | 60-7200 | The duration, in seconds, between the two keep-alive transmissions in the idle condition. (Default = 180 seconds) |
mode | N/A | The operational mode of the signaling/media connection towards the mediation server. |
portNumber | 0-65535 | The TCP port number of the mediation server for media interception over TCP. (Default = 0) |
state | N/A | The administrative state of the TCP connection towards the mediation server. |
The SBC supports UDP to transport media details. PC 2.0 LI only supports UDP transport for media.
% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media udp dscpValue <0-63> ipAddress <IPv4/IPv6 address> mode <inService | outOfService> portNumber <0-65535> state <disabled | enabled>
Parameter | Length/Range | Descriptions |
---|---|---|
dscpValue | 0-63 | The DSCP value for intercepted media packets sent on UDP port. (Default = 16) |
ipAddress | IPv4/IPv6 format | The IPv4/IPv6 Address of the mediation server for media interception over UDP. |
mode | N/A | The operational mode of the signaling/media connection towards the mediation server. |
portNumber | 0-65535 | The UDP port number of the mediation server for media interception over UDP. (Default = 0) |
state | N/A | The administrative state of the UDP connection towards the mediation server. |
% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> signaling dfGroupName <DF Group name> dscpValue <0-63> ipAddress <IPv4/IPv6 address> mode <inService | outOfService> portNumber <0-65535> protocolType <tcp | udp> realmName <realm name> state <disabled | enabled>
Parameter | Length/Range | Descriptions |
---|---|---|
dfGroupName | Up to 63 characters | The name of the DF Group configured against the Intercept Targets for which this Mediation server is to be used for interception. Note: This parameter is applicable for PC2 LI and IMS LI. However, it is optional in IMS LI. |
dscpValue | 0-63 | The DSCP value for intercepted signaling packets sent on this port. The default is 16. |
ipAddress | IPv4: 32-bit format; IPv6: 128-bit format | The IPv4/IPv6 Address of the mediation server for signaling interception. |
mode | N/A | The operational mode of the signaling/media connection towards the mediation server. Options: inService, outOfService (default). |
portNumber | 0-65536 | The UDP/TCP port number of the mediation server for signaling interception. The default is 0. |
protocolType | N/A | The protocol used by the mediation server for signaling interception (TCP/UDP). Options: tcp (default), udp. |
realmName | N/A | The name of the realm to which this mediation server belongs. This name must match the realm name in the diameterRealmRoute configuration for the Diameter connection used to reach this mediation server. Note: This option applies only to PC 2.0 LI deployments. |
state | N/A | The administrative state of the signaling/media connection towards the mediation server. Options: disabled (default), enabled. |
The protocolType "udp" is not currently supported for signaling interception.
> show status addressContext <addressContext name> intercept
To configure the name of the IP interface group used to stream to the LI server:
set addressContext default intercept callDataChannel CDC ipInterfaceGroupName LIG1
commit
The ipInterfaceGroup/mediaIpInterfaceGroup for CDC must be different from other signaling/media ipInterface groups. This ensures that LI doesn't use signaling ipAddress to send intercepted traffic (media/signaling) towards the mediation server.
To configure the intercept standard:
set addressContext default intercept callDataChannel CDC interceptStandard etsi
commit
To configure the vendor ID:
set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint
commit
To configure intercept standard, vendor type, and mediation server name:
set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint mediationServer ms1
commit
To configure mediation server parameters for media interception over TCP:
set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp dscpValue 0 ipAddress 10.54.66.67 portNumber 7870
commit
set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp mode inService state enabled
commit
To configure mediation server parameters for media interception over UDP:
set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp dscpValue 0 ipAddress 10.54.66.57 portNumber 7881
commit
set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp mode inService state enabled
commit
To configure mediation server parameters for signaling interception:
set addressContext default intercept callDataChannel CDC mediationServer MS1 signaling ipAddress 10.54.78.20 portNumber 65300 protocolType tcp dfGroupName dfGroupname_1
commit
set addressContext default intercept callDataChannel CDC mediationServer MS1 signaling state enabled mode inService
commit
To enable RTCP interception:
set addressContext default intercept callDataChannel CDC rtcpInterception enabled
commit
To enable sending a policy dip to the PSX for registered users' out-of-dialog messages:
set addressContext default intercept callDataChannel CDC liPolDipForRegdOodMsgs enabled
commit
To use the Mediation Server for Lawful Interception:
set addressContext default intercept callDataChannel CDC mediationServer MS1 signaling dfGroupName df1.stc.com
commit
To create a Trunk Group Supported List:
% set addressContext default intercept callDataChannel CDC sipTrunkGroupSupportedList [ TG1_FD ]
To create a Trunk Group Exempted List:
% set addressContext default intercept callDataChannel CDC sipTrunkGroupExemptedList [ TG1_FD ]
To add to an existing Supported List:
% set addressContext default intercept callDataChannel CDC sipTrunkGroupSupportedList [ TG1_FD TG2_FD ]
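The limits stated above (parameter ranges, the separate interface group for the CDC, no "udp" for signaling, at most 16 mediation servers) can be checked against a saved command list before it is committed. The following is an added example, not part of the original page or the vendor's tooling; `parse`, `audit` and the `other_groups` argument are hypothetical names, and it assumes one `set` command per line.

```python
RANGES = {"dscpValue": (0, 63), "portNumber": (0, 65535),  # from the syntax lines above
          "kaInterval": (5, 60), "kaProbe": (4, 8), "kaTime": (60, 7200)}

def parse(commands):
    """Return {(scope, key): value}; scope is 'cdc' or '<server>/<section>'."""
    cfg = {}
    for line in commands.splitlines():
        tok = line.lstrip("% ").split()
        if "callDataChannel" not in tok:
            continue  # blank lines and bare "commit" lines
        rest = tok[tok.index("callDataChannel") + 2:]  # skip keyword and CDC name
        scope = "cdc"
        while rest:
            key = rest.pop(0)
            if key == "mediationServer" and rest:
                scope = rest.pop(0)
                cfg.setdefault((scope, "mediationServer"), scope)
            elif key == "media" and rest:
                scope += "/media-" + rest.pop(0)  # transport: tcp | udp
            elif key == "signaling":
                scope += "/signaling"
            elif rest:
                cfg[(scope, key)] = rest.pop(0)
    return cfg

def audit(commands, other_groups):
    """other_groups: interface groups carrying non-LI traffic (assumed input)."""
    cfg, findings = parse(commands), []
    for (scope, key), val in cfg.items():
        if key in RANGES:
            lo, hi = RANGES[key]
            if not (val.isdigit() and lo <= int(val) <= hi):
                findings.append(f"{scope} {key}={val}: outside {lo}-{hi}")
        if key in ("ipInterfaceGroupName", "mediaIpInterfaceGroupName") and val in other_groups:
            findings.append(f"{scope} {key}={val}: shared with non-LI traffic")
        if scope.endswith("/signaling") and key == "protocolType" and val == "udp":
            findings.append(f"{scope} protocolType=udp: not supported for signaling")
    servers = {scope.split("/")[0] for scope, _ in cfg} - {"cdc"}
    if len(servers) > 16:  # page limit: 16 mediation servers per CDC
        findings.append(f"{len(servers)} mediation servers: maximum is 16")
    return findings

# Constructed input: page examples with kaInterval and protocolType altered to trip checks.
SAMPLE = """\
set addressContext default intercept callDataChannel CDC ipInterfaceGroupName LIG1
set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp dscpValue 0 ipAddress 10.54.66.67 portNumber 7870 kaInterval 90
set addressContext default intercept callDataChannel CDC mediationServer MS1 signaling ipAddress 10.54.78.20 portNumber 65300 protocolType udp
"""
print("\n".join(audit(SAMPLE, {"LIG1"})))
```

Bracketed trunk group lists are not interpreted by this sketch; only the keyword/value parameters are checked.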