
Overview

The lawful intercept (LI) network solution design requires the LI Intercept Access Point (IAP) vendors to implement support for multiple (two instances) regionally deployed SS8 Delivery Function systems. The [product] acts as an interconnect [product] to provide peering between an IMS network and other peering networks (CDMA, business, and other service providers). The [product] interfaces with two XCIPIO mediation servers. Any of these mediation servers can provision the network elements deployed in the network. Network elements expose provisioning, call data, and/or call content interfaces towards these mediation servers for lawful interception. This feature supports interception of the following types of media:

  • Audio
  • Video
  • MSRP
  • FECC
  • BFCP-TCP

The lawful interception solution has three interfaces between the network element and the mediation server. These are used to provide provisioning, call data (signaling), and call content (media) information. These interfaces are created after the connection is established between the mediation server (DF – delivery function) and the network element (AF – access function). The interface from the mediation server to the lawful interception agency is standardized. The interfaces between AF and DF are defined as:

  • X1 or INI-1 interface for provisioning targets
  • X2 or INI-2 interface for providing signaling information for the subject
  • X3 or INI-3 interface for providing media or call content for the subject

The X interfaces are specified by 3GPP standards, while the INI interfaces are specified by ETSI standards.

The P-Com.Session-Info (PCSI) Lawful Interception (LI) solution requires the [company] network elements ([model3], PSX and [series2]) to provide lawful interception by supporting the X1 and X3 interfaces only. In the [company] LI solution, the X1 interface is supported by the [model3] and the target table is stored by the PSX. The X3 interface is supported by the [series2] (hereafter referred to as SBC).

The supported LI elements ([product], PSX and [model3]) with SS8 as the mediation server are required to support the X1 and X3 interfaces only. The X2 interface is not implemented by the [product].

Call Flow

  1. Provision the intercept server X1 transport address and TLS certificate that [model3] has to use to initiate a transport connection over the X1 interface. These are individually specified for the mediation servers in the network.
  2. Provision the [product] using the [company] [model3] X3 intercept transport address and required IPsec details. This address is used to send X3 messages. These are individually specified for the mediation servers in the network.
  3. [model3] establishes a connection with the SS8 intercept server and executes the necessary authentication procedures to bring up the transport connection.
  4. The SS8 intercept server, using the X1 interface, provisions the target URI, which the [model3] sends to the PSX over the PIPE interface. This is a fully specified SIP/SIPS or TEL URI. This completes the provisioning of a target using the X1 interface. Any call received by this target is intercepted.
  5. The IMS network sends a SIP INVITE/18x/200 OK or re-INVITE/200 OK that contains a P-Com.Session-Info header. This header contains a correlation ID and one or more prospective target URIs, which are looked up in the target table maintained in the PSX.
  6. The [product] receives a P-Com.Session-Info header in any of the SIP messages listed above and sends a policy request with the target URI to the PSX. The PSX uses this to perform a lookup in the target table created using the X1 provisioning interface. If a target URI matches, the PSX provides the X3 transport address that is stored along with the target URI. The SBC receives this information in the policy response.
  7. The [product] finds the LI information in the policy response and understands that the call has to be intercepted. It uses the correlation ID received in the SIP messages, as well as the X3 transport address received from the PSX, to fork the media stream to the appropriate mediation server using the X3 interface. This interface forks the media stream over TCP that is established over a secured IPsec tunnel.


PCSI Call Flow



RAMP Functionality

[model3] supports:

  • Establishment of a TLS connection towards the mediation server. [model3] establishes a transport connection with the mediation server only when the admin state is set to enabled.
  • X1 interface for provisioning to provide connectivity to the mediation server for provisioning the subjects.
  • Health monitoring of the transport connection using X1 interface defined application messages. [model3] provides a show status command to indicate the health of the link between the mediation server and [model3].
  • Database operations on the target table.

The SS8 mediation server is represented as DF (Delivery Function). The [model3] and PSX together are represented as AF (Access Function). The LI database operations are performed on the PSX and the X1 provisioning interface is implemented on the [model3]. For any X1 operation that impacts the PSX LI database, [model3] uses the PIPE interface with the PSX.

The transport connection is established with or without TLS, depending on the configuration.

[model3] sends the Authentication Request towards the DF with the following IEs when the transport connection is successfully established:

  • Generic Message Header: This header uses an IE Access Function Identifier set to zero in Authentication Request.
  • Transaction Identity: [model3] generates a unique transaction identifier and saves a copy of this.
  • Interface Type: Is set to 0x01 – INI1.
  • Serial Number: [model3] maps it from system configuration.
  • MAC Address: [model3] maps it from system configuration.
  • Model Number: [model3] maps it from system configuration.
  • Software Revision: [model3] maps it from system configuration.
  • Provisioning State:
    • Set to 0x00 when PSX LI DB is not initialized.
    • Set to 0xDC when PSX LI DB is initialized.
  • Hash: NA

The [model3] accepts the Global Info Set Request coming from the DF with the following IEs:

  • Link Polling Frequency
  • Link Inactivity Interval
  • AF Database Clean-up Interval

It checks that the Access Function Identifier IE of the Generic Message Header in the Global Info Set Request has a non-zero value. If the Access Function Identifier is non-zero, [model3] stores this value and uses it in subsequent [model3]-generated messages. [model3] sends the Transaction Identifier that it receives in the Global Info Set Request message. It also accepts the Service Provider Identity.

The Link Options IE is an enumerated type with the following sub-fields, which [model3] saves and uses during session maintenance and release procedures:

  • Link Polling Frequency
  • Link Inactivity Interval
  • AF Database Clean-up Interval

[model3] checks that the data type of all these sub-fields is integer and stores their respective values. Timestamp data type for this IE is in time format. If the AF (PSX) Provisioning State database is empty, it accepts the zero value of this IE. Any IE received with an incorrect data type is rejected with an Operation Result message with IEs.

If the Access Function Identifier is set to zero, [model3] rejects it using an Operation Result message with the following IEs.

IE                        Value
Operation Error Message   ASCII string (optional)
Operation Result Code     0x01 - Unknown error
Request Code              0x48 - Global info set request

[model3] supports session maintenance, session release, and database clean-up procedures using the timers mentioned below:

  • Link Polling Frequency (LPF) or Keepalive Interval
  • Link Inactivity Interval (LII)
  • AF Database Clean-up Interval (DCI)

To configure [model3] for this feature, refer to Managing Mediation Servers.

PSX Functionality

[model3] configures the PSX LI DB over the PIPE interface by creating entries for the Target Service List and other parameters. The LI DB performs validation of data type for each parameter.

The PSX queries the LI DB based on the key Target Service List received in a Warrant Info Get Request and returns all parameters. If the Target Service List is missing in the Warrant Info Get Request, the query is based on the key DF1 ID next Target Service List in LI DB.

The PSX accepts the target URI, copied from P-Com.Session-Info, in POL-REQ messages. If the POL-REQ carries the target URI, the PSX performs the LI DB lookup based on an exact match of the URI and does not check any other AVPs in the POL-REQ. If the LI table lookup for the target URI is successful and the Administrative status is enabled, the PSX provides LI information in the POL-RES message to the [product].

The PSX provides the following LI information in POL-RES:

  • IP address type
  • IP address
  • Transport protocol type
  • Port
  • Encryption 

SBC Core Functionality

The [product], acting as an interconnect SBC, accepts P-Com.Session-Info headers in the following message types received from the S-CSCF:

  • Initial INVITE
  • 18x SIP response
  • 200 OK response to the initial INVITE
  • re-INVITE and the 200 OK response to the re-INVITE for scenarios such as call transfer.

Where the P-Com.Session-Info format is:

    P-Com.Session-info = "P-Com.Session-Info" HCOLON
                         corrID *( SEMI involved-party )
    corrID = "corrID" EQUAL word [ "@" word ]
    involved-party = LAQUOT involved-uri RAQUOT
    involved-uri = SIP-URI / TEL-URI / SIPS-URI

The SIP-URI / TEL-URI / SIPS-URI can be specified in the different formats listed in the following table:

ID Type   Subject ID format         Matches
U@H       user@hostname             sip:user@hostname, sips:user@hostname
U@I       user@ip_address           sip:user@IP Address, sips:user@IP Address (both IPv4 and IPv6 are supported)
P@H       phone_number@hostname     sip:phone number@hostname, sips:phone number@hostname
P@I       phone_number@ip_address   sip:phone number@IP Address, sips:phone number@IP Address
TEL       phone_number              tel:phone_number

The [product] sends the URI received in P-Com.Session-Info to the PSX in a POL-REQ message. This header is received in any of the SIP messages (INVITE/re-INVITE, 200 OK, 18x) from the IMS network. The presence of P-Com.Session-Info in SIP response messages like 18x/200 OK or in a SIP re-INVITE request triggers a lightweight policy dip. The [product] truncates the Correlation ID (corrID), copied from P-Com.Session-Info, to 16 bytes of ASCII characters if it is longer than 16 bytes. If the correlation ID is shorter than 16 bytes, the corrID is padded with zero. The [product] replies with a 4xx response when Correlation ID (corrID) validation fails.
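
The header grammar, the ID-type table and the 16-byte corrID rule above, worked through as an added Python example (not vendor code). Assumptions: `word` is the RFC 3261 `word` token, the pad byte is NUL because the page says only "zero", the sample header is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
# RFC 3261 "word" characters (assumed to be what the page's grammar means by word).
WORD = r"""[A-Za-z0-9\-.!%*_+`'~()<>:\\"/\[\]?{}]+"""
HEADER_RE = re.compile(r"^P-Com\.Session-Info\s*:\s*(.*)$", re.I)
CORR_RE = re.compile(rf"^corrID\s*=\s*({WORD}(?:@{WORD})?)$", re.I)
PARTY_RE = re.compile(r"\s*<((?:sips?|tel):[^<>\s]+)>\s*(?:;|$)", re.I)
PHONE_RE = re.compile(r"^\+?[0-9][0-9().\-]*$")

# Constructed sample header, not taken from a real network.
SAMPLE = ("P-Com.Session-Info: corrID=abc123def456ghi789@ims.example.net;"
          "<sip:alice@example.net>;<tel:+15551230000>;"
          "<sips:+15551230001@192.0.2.10:5061;transport=tcp>;<sip:bob@[2001:db8::1]>")

def normalize_corr_id(corr, pad=b"\x00"):
    """Fit corrID into 16 ASCII bytes; NUL padding is an assumption (b"0" also possible)."""
    return corr.encode("ascii")[:16].ljust(16, pad)

def id_type(uri):
    """Map a target URI to the ID types of the table: U@H, U@I, P@H, P@I, TEL."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() == "tel":
        return "TEL"
    user, _, hostport = rest.split(";", 1)[0].rpartition("@")
    if not user:
        raise ValueError("SIP URI without user part")
    host = hostport[1:hostport.index("]")] if hostport.startswith("[") else hostport.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return "P@I" if PHONE_RE.match(user) else "U@I"
    except ValueError:
        return "P@H" if PHONE_RE.match(user) else "U@H"

def parse_pcsi(line):
    """Return (16-byte corrID, [(uri, id_type)]); ValueError maps to the 4xx reply."""
    m = HEADER_RE.match(line.strip())
    head, _, rest = m.group(1).partition(";") if m else ("", "", "")
    c = CORR_RE.match(head.strip())
    if not c:
        raise ValueError("header or corrID missing or malformed")
    parties, pos = [], 0
    # URIs may carry ';' parameters, so scan <...> groups instead of splitting on ';'.
    while pos < len(rest):
        p = PARTY_RE.match(rest, pos)
        if not p:
            raise ValueError("malformed involved-party")
        parties.append((p.group(1), id_type(p.group(1))))
        pos = p.end()
    return normalize_corr_id(c.group(1)), parties
```
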

The [product] accepts the LI information from the PSX in the POL-RES message. The absence of LI information in the POL-RES from the PSX to the [product] means interception is disabled for the target URI. The X3 connection is created when the mediation server state is enabled from the CLI. The checks listed here trigger interception of media. Apart from these checks, the IP address of the mediation server returned in the POL-RES is matched with the mediation server address configured in the CDC configuration. Also, the matched mediation server must be admin enabled before an interception is triggered.

  • Transport Type = TCP
  • Encryption = None/IPsec
  • IP Address Type = IPv4 or IPv6

Note: IPsec is an optional configuration over X3.

The Mediation Server creates a connection with IPsec over a TCP connection towards the IP and port received in the LI information of the POL-RES and meets the following IPsec requirements:

  • Transport mode and Authentication algorithm pre-shared key. 

The mediation server IP, port and pre-shared keys for the X3 connection are already configured on the [product]. The [product] verifies that the X3 connection details (IP, type and port) configured under CDC are the same as those received in the LI information of the POL-RES message.
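
The checks that gate media forking, sketched as an added Python example (not vendor code): LI information from a POL-RES is honoured only if it matches a locally configured, admin-enabled mediation server. The dictionary keys, the `MediationServer` class and the sample values are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class MediationServer:
    """One mediation-server entry from the CDC configuration (hypothetical model)."""
    ip: str
    port: int
    admin_enabled: bool = True

def x3_target(li_info, cdc_servers):
    """Return the configured server to fork media to, or None for no interception."""
    if not li_info:  # no LI information in POL-RES: interception is disabled
        return None
    if li_info.get("transport") != "TCP" or li_info.get("encryption") not in ("None", "IPsec"):
        return None
    try:
        addr = ipaddress.ip_address(li_info["ip"])
    except (KeyError, ValueError):
        return None
    if li_info.get("ip_type") != f"IPv{addr.version}":
        return None
    for srv in cdc_servers:
        # Compare parsed addresses, not strings, so equivalent IPv6 spellings match.
        if ipaddress.ip_address(srv.ip) == addr and srv.port == li_info.get("port"):
            # Fail closed: a matching but admin-disabled server gets no media.
            return srv if srv.admin_enabled else None
    return None

# Constructed sample data (documentation address ranges).
CDC = [MediationServer("2001:db8::10", 9000),
       MediationServer("192.0.2.20", 9000, admin_enabled=False)]
POL_RES_LI = {"ip_type": "IPv6", "ip": "2001:0db8:0:0:0:0:0:10", "transport": "TCP",
              "port": 9000, "encryption": "IPsec"}
```

Because the destination must already exist in local configuration, a policy response on its own cannot redirect forked media to an arbitrary address.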

If the mediation server for a target URI changes through the X1 interface between the INVITE and re-INVITE messages, the [product] forks the media streams over the X3 connection to the new mediation server.