Use the intercept and call data channel (CDC) commands to configure the parameters for lawful intercept (LI) processing on the SBCLawful interception is a means of conducting lawfully authorized electronic surveillance of communication against warranted users or subscribers. 

Refer to the Lawful Intercept page and associated pages for an in-depth explanation of SBC LI functionality.

Note

You must configured LI parameters within the default address context.

 

Note

The SBC 52x0 and SBC 7000 systems support creating IP Interface Groups containing sets of IP interfaces that are not "processor friendly" (i.e. carried on physical Ethernet ports served by separate processors). However, restrictions exist regarding the usage of such Interface Groups.

(This ability does not apply to the SBC 51x0 and SBC 5400 systems which have only two physical media ports. IP interfaces from the two physical ports may be configured within the same IP Interface Groups without restriction.)

For complete details, refer to Configuring IP Interface Groups and Interfaces.

Note

When configuring LI, you must be logged in as the 'calea' user. Refer to Managing SBC Core Users and Accounts for descriptions of users and permissions.

LI Commands

Command Syntax

As the user 'calea', use the following command syntax to configure LI.

% set addressContext <default> intercept 
   callDataChannel <callDataChannel> 
   nodeNumber <integer>

Command Parameters

Intercept Parameters

Parameter

Length/Range

Description

CallDataChannel

1-23

The user-configurable LI Call Data Control Channel name.

See Call Data Channel Parameters tables below for details on the parameters within the CDC.

nodeNumber

0-9999999

The unique global node number to assign to the SBC which is used by the LI server for identification purposes.

Call Data Channel Commands

CDC Command Syntax

As the user 'calea', use the following CLI syntax to establish the LI call data channel configuration:

Call Data Channel High Level Syntax
% set addressContext <default> intercept callDataChannel <callDataChannel_name>
    diamNode <name>	
    diameterPeer <calea Diameter peer name>
    diameterRealmRoute  <calea realmRoute>
    dsrProtocolVersion <0 | 1>
	embedTapIdInCccId <enabled | disabled>   
    interceptStandard <etsi | packetcable | packetcablePlusEtsi | packetcableVTwo | threeGpp>
	ipInterfaceGroupName <ipInterfaceGroup_Name> 
	kaTimer <0-65535 seconds>
	liPolDipForRegdOodMsgs <disabled | enabled>
	mediaIpInterfaceGroupName <IP interface group name>
	mediationServer <server name>
	priIpAddress <IPv4 address> 
	priMode <active | outofservice | standby> 
	priPort <0-65535> 
	priState <disabled | enabled> 
	retries <value>
	rtcpInterception <disabled | enabled>
	secIpAddress <IP_Address> 
	secMode <active | outofservice | standby> 
	secState <disabled | enabled>
	vendorId <none | groupTwoThousand | ss8 | utimaco | verint>

CDC Command Parameters

The following table describes the CDC parameters that determine the type of LI you are deploying. They must be configured for all types of LI. 

CDC Parameters that Determine LI Type

Parameter

Description

interceptStandard

The intercept standard to use for this CDC.

  • etsi
  • packetcable (default)
  • packetcablePlusEtsi

  • packetcableVTwo
  • threeGpp

vendorId

The vendor name of the LI server.

  • atos
  • none (default)
  • groupTwoThousand
  • ss8
  • utimaco
  • verint

Intercept Standards and Vendors for Different LI Types

The following table identifies the interceptStandard and vendorId configuration combinations the SBC supports for each type of LI.

Intercept Standards and Vendors per LI Type

CDC Configuration Settings

 

LI Type

interceptStandardvendorId
packetcable/packetCablePlusEtsinone/utimaco/verintLegacy LI (default)
packetcabless8PCSI LI
threeGpp/etsinone/utimaco/verint/groupTwoThousandIMS LI

packetcableVTwo

atos/nonePC 2.0 LI

The following table lists the rest of the CDC parameters. Not all parameters apply to each type of LI; some parameters do not become available until you specify an interceptStandard and vendorID combination of an LI type to which they apply. 

CDC Parameters Per LI Type

Parameter

Length/Range

Description

Applicable To

diamNodeup to 23 characters

<name> – Specifies the name assigned to the SBC Diameter node configuration. SBC configuration includes a single Diameter node to define the SBC side of the Diameter interface. If Diameter is used for more than one purpose on the SBC then the Diameter node is shared.

Note: Diameter node configuration must be completed on the SBC by a user with admin privileges. Then, the Diameter node name is entered in the CDC for a PC 2.0 LI deployment by the calea user using this parameter.

  • PC 2.0 LI
diameterPeer up to 23 characters

Diameter peer configuration under the CDC object, specifically for the mediation server (DF) side of the Diameter X2 signaling interface for PC 2.0 LI deployments. A maximum of 16 Diameter peers can be configured within the CDC.

<calea Diameter peer name> – Specifies a unique name for this Diameter peer configuration (up to 23 characters). This name must not duplicate any name used for either LI or non-LI Diameter peers.

  • deviceWatchdogTimer – Specifies the Device-Watchdog-Requests timer value, in milliseconds (range: 0-100000 / default=1000).
  • deviceWatchdogTimerAnswerTimeout – Specifies the Device Watchdog Answer timeout value, in milliseconds. The SBC considers a peer down if it does not receive a reply to a Device Watchdog Request before this timer expires. (range: 1000-500000 | default = 2000)
  • dscpValue – Specifies the Differentiated Services Code Point (DSCP) value for intercepted signaling packets sent to this peer. (range: 0-63 / default = 16)
  • fqdn – Specifies the FQDN for this peer (1-256 characters).
  • ipAddress – Specifies the IP address for this peer.
  • sessionDistribution – Specifies how to distribute Diameter sessions. Options are:
    • honor-reply-order (default) – Diameter session creation across multiple IP connections under this peer honors the order of the IP addresses that are returned in the DNS reply starting from the first one.

    • round-robin – Diameter session creation across multiple IP connections under this peer are rotated in round-robin fashion starting from the first one.

  • state – Specifies the administrative state of this peer:
    • disabled (default)
    • enabled
    • tcpPort –  Specifies the TCP port number for this peer (default is 3868).
  • PC 2.0 LI
diameterRealmRouteup to 23 characters

Diameter realm route configuration under the CDC object, specifically for the mediation server (DF) side of the Diameter X2 signaling interface for PC 2.0 LI deployments. A maximum of 16 Diameter realm routes can be configured within the CDC.

<calea realmRoute name> – Specifies a unique name for the Diameter realm route for the specified Diameter peer (up to 23 characters). This name must not duplicate any name used for either LI or non-LI Diameter realm routes.

  • appId – Specifies the application ID (Diameter interface type) for this route.
    • x2For PC 2.0 LI, the application ID must be set to X2.
    • e2
    • rf
    • rx
  • peer – Specifies the name of the Diameter peer this route belongs to.
  • priority – Specifies the priority of this route. (range 0-100 / default = 0)
  • realm – Specifies the realm (FQDN) for this route. This name must match the realm name for the mediation server that is associated with this route.
  • state – Specifies the administrative state of this route.
    • disabled (default)
    • enabled
  • PC 2.0 LI

dsrProtocolVersion

N/A

Signifies the intercepted X2 signaling protocol version towards the mediation servers. The default value 0 maintains backward compatibility with SBC Core 8.0 or earlier.

  • 0 (default)
  • 1
  • IMS LI
embedTapIdInCccIdN/A

Specifies whether the SBC embeds the Tap ID in the CCCID (Call Content Connection Identifier) it sends with X2 and X3 messages to the DF. The Tap ID comes from X1 surveillance data. The options are:

  • enabled – The SBC generates a CCCID with the Tap ID embedded if the Tap ID is a decimal value between 1 and 65534. If the Tap ID is null, it is converted to 0, but if it is out of range or not a decimal number, it is converted to 65535 or hex 0xFFFF.
  • disabled – (default) Embedding of the Tap ID is not required.
  • PC 2.0 LI

ipInterfaceGroupName

0-23

<IPIG name>Specifies the name of the IP interface group to send X2 signaling data to the LI server.

  • Default LI
  • IMS LI
  • PC 2.0 LI

kaTimer

0-65535

<# seconds> (default = 5) – The keep-alive timer value, in seconds.

  • Default LI
liPolDipForRegdOodMsgs N/A

 Specifies whether the SBC should send a policy request to the PSX, when the SBC receives a registered user's out-of-dialog messages, to determine whether interception is required.

  • disabled (default) – The SBC does not send policy request to PSX for out-of-dialog messages.
  • enabled – The SBC sends a policy request to PSX for out-of-dialog messages.

NOTE: This parameter is only visible when the interceptStandard is not set to packetcable.

  • IMS LI
  • PC 2.0 LI
mediaIpInterfaceGroupName1-23 charactersSpecifies the name of the IP interface group to send X3 call content to the mediation server (DF).
  • All LI Types
mediationServer0-23

<name>Mediation server configuration to specify parameters for X2 and X3 destinations. Up to 16 mediation servers can be configured. See Mediation Server Configurations below for parameter details.

  • IMS LI
  • PC 2.0 LI
  • PCSI LI

priIpAddress

N/A

<IPv4 address> – The primary LI server's IPv4 address where Call Data Channel messages are sent. (default = 0.0.0.0)

  • Default LI

priMode

N/A

Mode of the primary server. Options are:

  • active (default)
  • outOfService
  • standby
  • Default LI

priPort

0-65535

<port number> – The primary LI server's UDP port where Call Data Channel messages are sent. (default = 0)

  • Default LI

pristate

N/A

Use this flag to enable/disable communication to the primary LI server.

  • enabled (default)
  • disabled
  • Default LI

 

retries

N/A

Number of retries before the LI Call Data Channel is considered as failed. (default = 3)

  • Default LI

rtcpInterception

N/A

Specifies whether to intercept RTCP information. Options are:

  • disabled (default)
  • enabled
  • IMS LI
  • PC 2.0 LI
  • PCSI LI

secIpAddress

N/A

Secondary LI server's IPv4 address where Call Data Channel messages are sent. (default = 0.0.0.0)

  • Default LI

secMode

N/A

Mode of the secondary server. Options are:

  • active
  • outOfService (default)
  • standby
  • Default LI 

secState

N/A

Use this flag to enable/disable communication to secondary LI server.

  • enabled (default)
  • disabled
  • Default LI

 

Mediation Server Configuration

Note

The SBC allows configuration of a maximum of 16 mediation servers in the Call Data Channel (CDC).  Persistent TCP connections can be established towards all configured mediation servers. When a call is intercepted, the SBC selects among the Delivery Function 2 (DF2) servers in a round-robin manner.

Mediation server objects contain signaling (X2) and media (X3) IP addresses. The SBC allows configuration of multiple mediation servers with the same X2 IP address but different X3 IP addresses.

For IMS LI, the SBC does not support an active-standby configuration for the X2 servers. It assumes that the DF2 servers are running in active-active mode, and in case of failure, moves the IP address of the active DF2 server to the standby DF2 server.

The X2 and X3 servers operate independently. Even if the X2 servers are not reachable, the SBC sends X3 media if a DF3 server is available, and vice versa.

Mediation Server Configuration for Media Interception over TCP

The SBC supports TCP to transport media details.

Command Syntax

% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media tcp
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	kaInterval <5-60 seconds>
	kaProbe <4-8 seconds>
	kaTime <60-7200 seconds>
	mode <inService | outOfService>
	portNumber <0-65535>
	state <disabled | enabled>

Command Parameters

Mediation Server: Media over TCP Parameters

ParameterLength/RangeDescriptions
dscpValue0-63The DSCP value for intercepted media packets sent on TCP port. (Default = 16) 
ipAddressIPv4/IPv6 formatThe IPv4/IPv6 Address of the mediation server for media interception over TCP. 

kaInterval

5-60The duration between two successive keep alive retransmissions, if acknowledgement to the previous keep alive transmission is not received. (Default = 30 seconds)

kaProbe

4-8The number of retransmissions to be carried out before declaring that the remote end is not available. (Default = 4)

kaTime

60 to 7200The duration, in seconds, between the two keep alive transmissions in the idle condition. (Default = 180 seconds)
modeN/A

The operational mode of the signaling/media connection towards the mediation server.

  • inService
  • outOfService (default) 
portNumber0-65535The TCP port number of the mediation server for media interception over TCP. (Default = 0) 
stateN/A

The administrative state of the TCP connection towards the mediation server.

  • disabled (default)
  • enabled

Mediation Server for Media Interception over UDP

 The SBC supports UDP to transport media details. PC 2.0 LI only supports UDP transport for media.

Command Syntax

% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media udp
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	mode <inService | outOfService>
	portNumber <0-65535>
	state <disabled | enabled>

 

Command Parameters

Mediation Server: Media over UDP Parameters

ParameterLength/RangeDescriptions
dscpValue 0-63 The DSCP value for intercepted media packets sent on UDP port. (Default = 16)
ipAddressIPv4/IPv6 format The IPv4/IPv6 Address of the mediation server for media interception over UDP. 
mode N/A The operational mode of the signaling/media connection towards the mediation server.
  • inService
  • outOfService (default)
portNumber 0-65535The UDP port number of the mediation server for media interception over UDP. (Default = 0)

state 

N/A 

The administrative state of the UDP connection towards the mediation server.

  • disabled (default)
  • enabled

 

Mediation Server Configuration for Signaling Interception

Command Syntax

Mediation Server Syntax
% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> signaling
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	mode <inService | outOfService>
	portNumber <0-65535>
	protocolType <tcp | udp>
    realmName <realm name>
	state <disabled | enabled>

Command Parameters

Mediation Server: Signaling Parameters

ParameterDescriptions

signaling

Mediation server signaling interception settings.

  • dscpValue – The DSCP value for intercepted signaling packets sent on this port. (range: 0-63 / default = 16)
  • ipAddress – The IPv4/IPv6 Address of the mediation server for signaling interception.
  • mode – The operational mode of the signaling/media connection towards the mediation server.
    • inService
    • outOfService (default)
  • portNumber – The UDP/TCP port number of the mediation server for signaling interception. (range: 0-65536 / default = 0)
  • protocolType – The protocol used by the mediation server for signaling interception (TCP/UDP).
    • tcp (default)
    • udp
  • realmName The name of the realm to which this mediation server belongs. This name must match the realm name in the diameterRealmRoute configuration for the Diameter connection to be used to reach this mediation server. This option applies only to PC 2.0 LI deployments.
  • state – The administrative state of the signaling/media connection towards the mediation server.
    • disabled (default)
    • enabled
Note

The protocolType "udp" is not currently supported for signaling interception.

To retrieve LI statistics, use the command:

> show status addressContext <addressContext name> intercept

Command Examples

To configure the name of the IP interface group used to stream to the LI server, use the commands:

% set addressContext default intercept callDataChannel CDC ipInterfaceGroupName LIG1
% commit
Note

 The ipInterfaceGroup/mediaIpInterfaceGroup for CDC must be different from other signaling/media ipInterface groups. This ensures that LI doesn't use signaling ipAddress to send intercepted traffic (media/signaling) towards the mediation server.

 

To configure the intercept standard, use the commands:

% set addressContext default intercept callDataChannel CDC interceptStandard etsi
% commit

 

To configure the vendor ID, use the commands:

% set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint
% commit

 

To configure intercept standard, vendor type, and mediation server name, use the commands:

% set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint mediationServer ms1
% commit

 

To configure mediation server parameters for media interception over TCP, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp dscpValue 0 ipAddress 10.54.66.67 portNumber 7870
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp mode inService state enabled 
% commit

 

To configure mediation server parameters for media interception over UDP, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp dscpValue 0 ipAddress 10.54.66.57 portNumber 7881
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp mode inService state enabled 
% commit

 

To configure mediation server parameters for signaling interception, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 signaling dscpValue 0 ipAddress 10.54.64.80 portNumber 7880 protocolType tcp
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 signaling mode inService state enabled
% commit

 

To enable RTCP interception, use the commands:

% set addressContext default intercept callDataChannel CDC rtcpInterception enabled
% commit

 

To enable sending a policy dip to the PSX for registered users' out-of-dialog messages, use the commands:

% set addressContext default intercept callDataChannel CDC liPolDipForRegdOodMsgs enabled
% commit