Overview
The lawful intercept (LI) network solution design requires the LI Intercept Access Point (IAP) vendors to implement support for multiple (two instances) regionally deployed SS8 Delivery Function systems. The
acts as an interconnect
to provide peering between an IMS network and other peering networks (CDMA, business, and other service providers). The
interfaces with two XCIPIO mediation servers. Any of these mediation servers can provision the network elements deployed in the network. Network elements expose provisioning, call data and/or call content interface towards these mediation servers for lawful interception. This feature supports the following types of media which can be intercepted:
- Audio
- Video
- MSRP
- FECC
- BFCP-TCP
The lawful Interception solution has three interfaces between the network element and the mediation server. These are used to provide provisioning, call data (signaling), and call content (media) information. These interfaces are created after the connection is established between the mediation server (DF – delivery function) and the network element (AF – access function). The interface from the mediation server to the lawful interception agency is standardized. The interfaces between AF and DF are defined as:
- X1 or INI-1 interface for provisioning targets
- X2 or INI-2 interface for providing signaling information for the subject
- X3 or INI-3 interface for providing media or call content for the subject
Where, X interfaces are specified by 3GPP standards while INI interfaces are specified by ETSi standards.
The P-Com.Session-Info (PCSI) Lawful Interception (LI) solution requires the
network elements (
, PSX and
) to provide lawful interception by supporting the X1 and X3 interfaces only. In the
LI solution the X1 interface is supported by the
and the storage of the target table is done by the PSX. The X3 interface is supported by the
(hereafter referred to as SBC).
The supported LI elements (, PSX and ) with SS8 as the mediation server are required to supported X1 and X3 interfaces only. The X2 interface is not implemented by the .
Call Flow
- Provision the intercept server X1 transport address and TLS certificate that has to use to initiate a transport connection over the X1 interface. These are individually specified for the mediation servers in the network.
- Provision the using the X3 intercept transport address and required IPsec details. This address is used to send X3 messages. These are individually specified for the mediation servers in the network.
- establishes a connection with the SS8 intercept server and executes the necessary authentication procedures to bring up the transport connection.
- The SS8 Intercept server, using the X1 interface, provisions the target URI which is sent to the PSX over the PIPE interface by the . This is a fully specified SIP/SIPS or TEL URI. This completes the provisioning of a target using the X1 interface. Any call received by this target is intercepted.
- The IMS network sends a SIP INVITE/18x/200 OK or re-INVITE/200 OK that contains a P-Com-Session-Info header. This header contains a correlation ID and one of more prospective target URI, which is looked into the target table maintained in the PSX.
- The receives a P-Com-Session-Info header in any of the above listed SIP messages and sends a policy request with the target URI to PSX. PSX uses this to perform a lookup in the target table created using the X1 provisioning interface. Assuming that a target URI matches, PSX provides the X3 transport address that is stored along with the target URI. This information is received by the SBC in the policy response.
The finds the LI information in the policy response and understands that the call has to be intercepted. It uses the correlation ID received in SIP messages as well as X3 transport address received from the PSX to fork the media stream to the appropriate mediation server using the X3 interface. This interface forks the media stream over TCP that is established over a secured IPsec tunnel.
PCSI Call Flow
RAMP Functionality
supports:
- Establishment of a TLS connection towards the mediation server. establishes a transport connection with the mediation server only when the admin state is set to
enabled
. - X1 interface for provisioning to provide connectivity to the mediation server for provisioning the subjects.
- Health monitoring of the transport connection using X1 interface defined application messages. provides a show status command to indicate the health of the link status between the mediation server and .
- Database operations on the target table.
The SS8 mediation server is represented as DF (Delivery Function). The
and PSX together are represented as AF (Access Function).
The LI database operations are performed on the PSX and X1 provisioning interface is implemented on the . For any X1 operation which has impact on PSX LI database operation, uses PIPE interface with the PSX.This transport connection is with or without TLS depending upon the configuration. sends the Authentication Request
towards DF with the following IEs when the transport connection is successfully established:
- Generic Message Header: This header uses an IE
Access Function Identifier
set to zero in Authentication Request
. - Transaction Identity: generates a unique transaction identifier and saves a copy of this.
- Interface Type: Is set to 0x01 – INI1.
- Serial Number: maps it from system configuration.
- MAC Address: maps it from system configuration.
- Model Number: maps it from system configuration.
- Software Revision: maps it from system configuration.
- Provisioning State:
- Set to 0x00 when PSX LI DB is not initialized.
- Set to 0xDC when PSX LI DB is initialized.
- Hash: NA
The accepts Global Info Set Request
coming from DF with the following IE:
- Link Polling Frequency
- Link Inactivity Interval
- AF Database Clean-up Interval
It checks that the Access Function Identifier
IE of Generic Message Header
in Global Info Set Request
has non zero value. If Access Function Identifier
is a non-zero value, stores this value and uses it in subsequent -generated messages. sends the Transaction Identifier
that it receives in the Global Info Set Request
message. It also accepts the Service Provider Identity
.
Link Options IE is enumerated type with following sub fields, which saves and uses during session maintenance and release procedures:
- Link Polling Frequency
- Link Inactivity Interval
- AF Database Clean-up Interval
checks that data type for all these sub fields is integer and stores their respective values
. Timestamp data type for this IE is in time format. If the AF (PSX) Provisioning State database is empty, it accepts the zero value of this IE.
Any IE received with incorrect data type is rejected with message Operation Result
with IEs.If Access Function Identifier
is set to zero, rejects it using Operation Result
message with the following IEs.
| |
---|
Operation Error Message | ASCII string (optional) |
Operation Result Code | 0x01 - Unknown error |
Request Code | 0x48 - Global info set request |
supports session maintenance, session release, and database clean up procedures using the timers mentioned below:
- Link Polling Frequency (LPF) or Keepalive Interval
- Link Inactivity Interval (LII)
- AF Database Clean-up Interval (DCI)
To configure
for this feature, refer to
Managing Mediation Servers.
PSX Functionality
configures the PSX LI DB over the PIPE interface by creating
entries for the Target Service List
and other parameters. The LI DB performs validation of data type for each parameter.
The PSX queries the LI DB based on the key Target Service List
received in a Warrant Info Get Request
and returns all parameters. If the Target Service List
is missing in the Warrant Info Get Request
, the query is based on the key DF1 ID next Target Service List
in LI DB.
The PSX accepts the target URI copied from P-Com.Session-Info, in POL-REQ messages. If POL-REQ is carrying the target URI, the PSX performs the LI DB lookup based on an exact match of URI and does not check any other AVPs in POL-REQ. If the LI table lookup for the target URI is successful and A
dministrative
status is enabled, the PSX provides LI information in POL-RES message to the
.
The PSX provides the following LI information in POL-RES:
- IP address type
- IP address
- Transport protocol type
- Port
- Encryption
SBC Core Functionality
The
, acting as an interconnect SBC, accepts P-Com.Session-Info headers received in the following message types received from
the S-CSCF:- Initial INVITE
- 18x SIP response
- 200 OK response to the initial INVITE
- re-INVITE and the 200 OK response to the re-INVITE for scenarios such as call transfer.
Where the P-Com.Session-Info format is:
Code Block |
---|
|
P-Com.Session-info = "P-Com.Session-Info" HCOLON=
corrID *( SEMI involved-party )
corrID = "corrID" EQUAL word [ "@" word ]
involved-party = LAQUOT involved-uri RAQUOT
involved-uri = SIP-URI / TEL-URI / SIPS-URI |
SIP-URI / TEL-URI / SIPS-URI is specified and can be in a different format as mentioned in the following table:
ID Type | Subject ID format | Matches |
---|
U@H | user@hostname | sip:user@hostname sips:user@hostname |
U@I | user@ip_address | sip:user@IP Address sips:user@IP Address
Both IPv4 and IPv6 are supported. |
P@H | phone_number@hostname | sip:phone number@hostname sips:phone number@hostname |
P@I | phone_number@ip_address | sip:phone number@IP Address sips:phone number@IP Address |
TEL | phone_number | tel:phone_number |
The sends the URI received in P-Com.Session-Info to the PSX in a POL-REQ message. This header is received in any of the SIP message (Invite/re-INVITE . 200 OK, 18X) from IMS network. Presence of P-Com.Session-Info in SIP response messages like 18x/200OK or in SIP re-INVITE request triggers a light weight policy dip. The truncates the Correlation ID (corrID), copied from P-Com.Session-Info, to 16 byte ASCII character (if it is more than 16 byte). If the correlation ID size is less than 16 bytes, the corrID is added with zero. The replies with 4xx response when Correlation ID (corrID) validations fails.
The accepts the LI information from the PSX in POL-RES message. The absence of LI information in POL-RES from the PSX to the means interception is disabled for target URI. The connection towards X3 connection is created when the mediation server state is enabled from the CLI. The checks listed here are to trigger interception of media. Apart from the checks listed here, the IP address of the mediation server returned in POL-RSP is matched with the address of the mediation server address configured in the CDC configurations. Also, the matched mediation server is ensured to be admin enabled before an interception is triggered.
- Transport Type = TCP
- Encryption = None/IPsec
- IP Address Type = IPv4 or IPv6
Note |
---|
IPsec is an optional configuration over X3. |
The Mediation Server creates a connection with IPsec over TCP connection towards the IP and port received in the LI information of POL-RES and meets the following IPsec requirements:
- Transport mode and Authentication algorithm pre-shared key.
The Mediation Server IP, port and pre-shared keys for X3 connection are already configured on the . The verifies that the configured X3 connection details (IP, type and port) are same under CDC as received in the LI information of POL-RES message.
If there is a change in mediation server through X1 interface for a target URI between the INVITE and re-INVITE message, the forks the media streams over the X3 connection for the new mediation server.