The SBC acting as P-CSCF or I-BCF is configurable to intercept IMS sessions using Lawful Interception (LI) techniques (legally sanctioned official access to private communications). This feature can also be used in non-IMS deployments to intercept audio, clear mode and fax streams.

At a high level, SBC Lawful Intercept functionality includes:

  • Support of Encapsulation mode (multimedia) for all signaling messages and media streams. In Encapsulation mode, the SBC intercepts the received or sent signaling or media stream and sends it towards the Mediation Server, appending a header with extra information.
  • Support for SIP URI and DN based interception
  • Support for intercepting RTP media types such as audio, image (fax), clearmode
  • Support for intercepting any SIP signaling messages
  • Support for sending intercepted signaling messages over TCP, using an optional IPSec tunnel

The figure below depicts an SBC deployment scenario supporting LI.

Figure: SBC for Lawful Interception

  • X1 interface: Provisioning interface supported by EMS using SOAP XML/TCP.
  • X2 interface: Signaling interface supported by SBC to send call data (signaling) messages over TCP using an optional IPSec tunnel. This interface encapsulates a copy of each SIP signaling message sent to or received from the target.
  • X3 interface: Media interface supported by SBC to send call content (media) messages over UDP only. These media streams (audio/image/clearmode) carry a copy of the stream sent to or received from the target.

EMS/PSX support for LI

For information on configuring EMS and PSX for Lawful Intercept, see the EMS document Sonus Lawful Intercept.

Configuring SBC for LI

Perform these steps if not already configured in EMS. The LI license is provisioned using EMS before interception. For details on provisioning the LI license, refer to the EMS User Guide.

To configure LI, perform the following steps:

Create the CALEA user

  1. Log on as admin user.
  2. Create a CALEA user, by executing the command:

    % set oam localAuth user calea group Calea
    commit


    You will see a system-generated password. Use this password when you log on as the CALEA user for the first time.

Configure the CDC

  1. Log on as an admin user.
  2. Add a static route towards the Mediation Server with a suitable (full) prefix, by executing the command:

    % set addressContext default staticRoute 10.70.54.106 32 10.54.1.1 LIG1 LIF1 preference 100

    For a CALEA user, the address context used is always default.

    The SBC uses the same IP Interface, defined in the IP Interface Group, to send both Call Data and Call Content information. When you add the static route towards the Mediation Server, use the same interface group that is configured in the Call Data Channel (CDC). Delete any other static route already added from a different IP Interface group within the same address context.

  3. Log on as the CALEA user; only the CALEA user is authorized to intercept calls.

    If you are logging on as the CALEA user for the first time:

    1. Enter the system-generated password from the section "Create the CALEA user". You will be prompted to enter a new password.

    2. Enter the new password and then re-enter the same password to confirm.

  4. Configure the CDC with the details of the Mediation Server, by executing the command:

    % set addressContext default intercept callDataChannel CDC1 priIpAddress 10.70.56.94 dsrTcpPort 6161 ipInterfaceGroupName LIG1 mediaTypeIntercepted multimedia priState disabled priMode outOfService UDPMediaTransport udpMediaIpAddress 10.70.56.94 udpMediaPort 3002

    UDPMediaTransport (the media-related details such as udpMediaIpAddress and udpMediaPort) can be configured only when mediaTypeIntercepted is set to multimedia.

  5. Trigger a TCP connection towards the Mediation Server for sending intercepted signaling messages, by executing the command:

    % set addressContext default intercept callDataChannel CDC1 priState enabled priMode active
    commit

    Only one of primaryTCPChannelStatus and secondaryTCPChannelStatus is active at a time for interception.

Verify TCP connection

Verify the TCP connection status, by executing the command:

> show status addressContext default intercept interceptCallDataChannelStatistics default primaryTCPChannelStatus
primaryTCPChannelStatus inService;

Verify the secondary TCP channel status, by executing the command:

> show status addressContext default intercept interceptCallDataChannelStatistics default secondaryTCPChannelStatus
secondaryTCPChannelStatus outOfService;

Verify the Success/Failure of the intercepted call

View the number of successful intercepted DSR messages, by executing the command:

> show status addressContext default intercept interceptCallDataChannelStatistics default DSRSuccess
DSRSuccess 464;

View the number of unsuccessful intercepted DSR messages, by executing the command:

> show status addressContext default intercept interceptCallDataChannelStatistics default DSRFailures
DSRFailures 0; 

Enable the Policy dip to PSX

When enabled, the parameter liPolDipForRegdOodMsg directs the SBC to send a policy request to the PSX for registered Out-Of-Dialog requests (messages) that are to be intercepted. When this parameter is disabled, no policy request is sent to the PSX for registered Out-Of-Dialog requests (messages).

To enable the policy dip that decides on interception for registered users' out-of-dialog messages, execute the command:

% set addressContext default intercept callDataChannel CDC1 liPolDipForRegdOodMsg enabled 
commit

Resetting the Configuration

You can make the changes in the configuration as follows:

  1. Terminate the current connection
  2. Change/Reset the configuration
  3. Reestablish the connection

Terminate the current connection

Terminate the TCP connection towards the Mediation Server, by executing the command:

% set addressContext default intercept callDataChannel CDC1 priState disabled priMode outOfService
commit

Once the state is set to disabled and mode is set to outOfService, the connection towards the LI mediation server is terminated. Verify the TCP connection status to ensure that the connection is terminated.

Now, you can change/reset the configuration.

Change/Reset the configuration

The following configurations can be changed/reset:

Prerequisite: Before you change/reset the configuration, ensure the state is disabled and the mode is out of service.

Mode of Interception

Change the mode of interception, by executing the command:

% set addressContext default intercept callDataChannel CDC1 mediaTypeIntercepted multimedia
commit

IP address of Mediation Server

Change IP address of the Mediation Server, by executing the command:

% set addressContext default intercept callDataChannel CDC1 priIpAddress 10.56.3.1
commit

TCP port (dsrTcpPort) of Mediation Server

Change the signalling TCP port of the Mediation Server, by executing the command:

% set addressContext default intercept callDataChannel CDC1 dsrTcpPort 4041
commit

Reestablish Connection

Once you have made the desired changes in the configuration, you need to re-establish the connection to the Mediation Server.

Re-establish the connection, by executing the command:

% set addressContext default intercept callDataChannel CDC1 priState enabled priMode active
commit

Once the state is set to enabled and mode is set to active, the connection towards the mediation server is re-established.

Viewing the LI Configuration

Enter the show commands to view the configurations.

View the CALEA user status

View the CALEA user status, by executing the command:

admin@pear> show status oam localAuth userStatus
userStatus admin {
    currentStatus Enabled;
    userId        3000;
}
userStatus calea {
    currentStatus Enabled;
    userId        3329;
}
[ok]

View the intercept details

View the intercept details, by executing the command:

calea@pear> show status addressContext default intercept interceptCallDataChannelStatistics default
primaryChannelStatus      outOfService;
secondaryChannelStatus    outOfService;
StartSuccess              0;
StartFailures             0;
StopSuccess               0;
StopFailures              0;
CallAnswerSuccess         0;
CallAnswerFailures        0;
CallDisconnectSuccess     0;
CallDisconnectFailures    0;
ServiceInstanceSuccess    0;
ServiceInstanceFailures   0;
IndicationSuccess         0;
IndicationFailures        0;
KeepAliveSuccess          0;
KeepAliveFailures         0;
RestartSuccess            0;
RestartFailures           0;
RadiusAckReceived         0;
StartResponsesReceived    0;
primaryTCPChannelStatus   inService;
secondaryTCPChannelStatus outOfService;
DSRSuccess                299;
DSRFailures               0;
[ok]
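
The checks from "Verify TCP connection" and "Verify the Success/Failure of the intercepted call" can be run over two successive polls of this output. The following is an added example, not part of the original page or the product: it parses the statistics listing and reports a missing inService channel, growing failure counters, and counters that went backwards. The sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the interceptCallDataChannelStatistics output.
SAMPLE_STATUS = """\
primaryTCPChannelStatus   inService;
secondaryTCPChannelStatus outOfService;
KeepAliveSuccess          12;
KeepAliveFailures         0;
DSRSuccess                299;
DSRFailures               0;
"""

def parse_status(text):
    """Turn 'name value;' lines into a dict; numeric counters become ints."""
    fields = {}
    for name, value in re.findall(r"^[ \t]*(\w+)[ \t]+(\S+);[ \t]*$", text, re.M):
        fields[name] = int(value) if value.isdigit() else value
    return fields

def li_health_findings(prev, curr):
    """Compare two polls (dicts from parse_status) and list what needs attention."""
    findings = []
    up = [k for k in ("primaryTCPChannelStatus", "secondaryTCPChannelStatus")
          if curr.get(k) == "inService"]
    if not up:
        findings.append("no TCP channel to the Mediation Server is inService")
    elif len(up) > 1:
        findings.append("both TCP channels report inService")
    for name, value in sorted(curr.items()):
        if not isinstance(value, int):
            continue
        delta = value - prev.get(name, 0)
        if delta < 0:
            # A counter that shrinks between polls means the statistics were reset.
            findings.append(f"{name} went backwards ({prev[name]} -> {value})")
        elif delta > 0 and name.endswith("Failures"):
            findings.append(f"{name} increased by {delta}")
    return findings

if __name__ == "__main__":
    before = parse_status(SAMPLE_STATUS)
    after = dict(before, DSRFailures=3, primaryTCPChannelStatus="outOfService")
    for line in li_health_findings(before, after):
        print(line)
```
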

View the CDC configuration

View the CDC configuration, by executing the command:

calea@pear% show addressContext default intercept callDataChannel CDC1
priState              enabled;
priMode               active;
priIpAddress          10.70.54.106;
ipInterfaceGroupName  LIG1;
liPolDipForRegdOodMsg enabled;
dsrTcpPort            8161;
mediaTypeIntercepted  multimedia;
UDPMediaTransport {
        udpMediaIpAddress 10.70.54.106;
        udpMediaPort      3004;
    }
}
[ok] 
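
A consistency check between the static route from "Configure the CDC" step 2 and the CDC settings, as an added example that is not part of the original page or the product. It assumes the staticRoute field order seen in the page's command and that one route carries both call data and call content; the inputs are constructed from the page's step 2 and step 4 commands, whose addresses differ, so the check reports them.

```python
import ipaddress
import re

# Constructed inputs: the static route from step 2 and a CDC listing carrying
# the values from the step 4 command on this page.
ROUTE_CMD = ("set addressContext default staticRoute "
             "10.70.54.106 32 10.54.1.1 LIG1 LIF1 preference 100")
CDC_SHOW = """\
priIpAddress          10.70.56.94;
ipInterfaceGroupName  LIG1;
dsrTcpPort            6161;
mediaTypeIntercepted  multimedia;
UDPMediaTransport {
        udpMediaIpAddress 10.70.56.94;
        udpMediaPort      3002;
    }
"""

def parse_route(cmd):
    """Assumed field order after 'staticRoute' (read off the page's example):
    destination, prefix length, next hop, interface group, interface."""
    tok = cmd.split()
    dest, plen, _hop, group = tok[tok.index("staticRoute") + 1:][:4]
    return ipaddress.ip_network(f"{dest}/{plen}", strict=False), group

def parse_cdc(text):
    """Flatten 'name value;' lines, including those inside UDPMediaTransport."""
    return dict(re.findall(r"^[ \t]*(\w+)[ \t]+(\S+);[ \t]*$", text, re.M))

def cdc_findings(route_cmd, cdc_text):
    """Return mismatches between the route and the CDC configuration."""
    net, group = parse_route(route_cmd)
    cdc = parse_cdc(cdc_text)
    findings = []
    for key in ("priIpAddress", "udpMediaIpAddress"):
        if key in cdc and ipaddress.ip_address(cdc[key]) not in net:
            findings.append(f"{key} {cdc[key]} is outside static route {net}")
    if cdc.get("ipInterfaceGroupName") != group:
        findings.append(f"CDC uses {cdc.get('ipInterfaceGroupName')}, route uses {group}")
    if "udpMediaIpAddress" in cdc and cdc.get("mediaTypeIntercepted") != "multimedia":
        findings.append("UDPMediaTransport is set but mediaTypeIntercepted is not multimedia")
    return findings

if __name__ == "__main__":
    for line in cdc_findings(ROUTE_CMD, CDC_SHOW):
        print(line)
```
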
