Lawful Interception

1. Introduction

Lawful Interception (LI) is a legal requirement in most of the countries. It enables the legal authorities to obtain communications network data for analysis or evidence. It is a method of intercepting certain data-streams of end-users in both directions, and tunnel the intercepted traffic to a Mediation Device (MD) with information about direction of capture and reference to the intercepted connection.

Leaf node is the Point of Interception (POI) and MD is the final Point of Collection (POC).

1.1. Supported Platforms

Not all features are necessarily supported on each hardware platform. Refer to the Platform Guide for the features and the sub-features that are or are not supported by each platform.

1.2. Components of Lawful Interception

The figure below shows the different components of the LI solution.

Definitions

L(QMX): Leaf node in the POD which is connected to subscribers.
S/BL: Spine and Border Leaf in the POD, which can be replaced with just one node.
LI Box: Lawful Intercept Box, which communicates to Law Enforcement Agency (LEMF) and relays mirrored traffic. Two LI boxes per POD are connected for redundancy.
PAO: POD Access Orchestrator, which configures the LI Box and network nodes with LI configurations.
DST: Destination node for traffic from subscribers.

Abbreviations

Abbreviation	Definition
LI	Lawful Interception
POI	Point of Interception
POC	Point of Collection
PAO	Pod Access Orchestrator
LIMS	Lawful Interception Management System
VRF	Virtual Routing Instance
LEMF	Lawful Enforcement Monitoring Facility
Leaf	Access node
PPPoE	Point to Point Protocol over Ethernet
L2TP	Layer 2 Tunnelling Protocol
MPLS	Multi Protocol Label Switching

Abbreviation

Definition

Lawful Interception

POI

Point of Interception

POC

Point of Collection

PAO

Pod Access Orchestrator

LIMS

Lawful Interception Management System

VRF

Virtual Routing Instance

LEMF

Lawful Enforcement Monitoring Facility

Leaf

Access node

PPPoE

Point to Point Protocol over Ethernet

L2TP

Layer 2 Tunnelling Protocol

MPLS

Multi Protocol Label Switching

1.3. Guidelines & Limitations

The unidentified LI traffic is subject to the following limitations when using more than seven UDP ports.

Currently, there is a restriction on UDP destination ports, which are limited to 7. The IP destination addresses (IP1 through IPn) can utilize any of the seven ports. The distribution of these seven ports is determined by the order in which requests are received, with priority given to those who arrive first.

2. LI Encapsulation

Qumran-MX (BCM) supports LI with 32 bits shim header: SHIMoUDPoIPoETH

2.1. Packet Format Encoding

Figure 1. Packet Format Encoding

2.1.1. Payload Direction

Value	Payload Direction
0	Reserved for keepalive mechanism
2	Intercepted data or event was sent to target (downstream)
3	Intercepted data or event was sent from target (upstream)

2.1.2. Mapping Payload Format

Value	Payload Format
0-3	Reserved (unused)
4	Unknown, Not able to decide the PT
5	IPv4 packet (not used)
6	IPv6 packet (not used)
7	Ethernet Frame (used for Lawful Interception)

2.1.2.1. Sub-payload Format (Type)

The sub-payload formats are:

Single VLAN tag
Double VLAN tag
Untagged

3. Enabling Lawful Interception

RBFS hides information about lawful intercepts from all but the most privileged users. An administrator must set up access rights to enable privileged users to access lawful intercept information.
LI can be enabled for both L2TP and PPPoE subscribers.

3.1. RADIUS Lawful Interception

All of the following attributes must be present in RADIUS access-accept or CoA request to control Lawful Interception (LI) via RADIUS. Those attributes are salt encrypted using the algorithm described in RFC 2868 for the Tunnel-Password. This encryption algorithm is defined for RADIUS access-accept messages only. To support CoA requests the request authenticator should be replaced with 16 zero bytes which is common industry standard.

RFC and draft compliance are partial except as specified.

The LI action NOOP can be used to obfuscate lawful interception requests (fake requests) to prevent that just the presence of those attributes indicates that a subscriber is intercepted. LI requests via RADIUS will show up in the same table as requests via REST or HTTP RPC API (secure.lawful.access.1.li_request).

The failed LI activations are not signalled via RADIUS to prevent that just the presence of CoA response NAK shows that LI request is not fake (action NOOP).

VSA 26-50058-140 - RtBrick-LI-Action (salt encrypted integer)

Value

Code

Description

NOOP

No action / Ignore LI request

Start LI / Add LI request

OFF

Stop LI / Delete LI request

VSA 26-50058-141 - RtBrick-LI-Identifier (salt encrypted integer)

Device unique lawful interception identifier (LIID) within the range from 1 to 4194303.

VSA 26-50058-142 - RtBrick-LI-Direction (salt encrypted integer)

Value

Code

Description

INGRESS

Ingress mirroring only (from subscriber)

EGRESS

Egress mirroring only (to subscriber)

BOTH

Bidirectional mirroring (from and to subscriber)

VSA 26-50058-143 - RtBrick-LI-MED-Instance (salt encrypted string)

Routing instance through which the mediation device is reachable.

VSA 26-50058-144 - RtBrick-LI-MED-IP (salt encrypted IPv4 address)

IPv4 address of the mediation device.

VSA 26-50058-145 - RtBrick-LI-MED-Port (salt encrypted integer)

UDP port between 49152 and 65535 set in the mirrored traffic

3.2. RBFS Operational State API

The RBFS Operational State API provides endpoints for enabling and disabling LI on a per-subscriber basis:

A HTTP POST request to /subscribers/{subscriber_id}/enableLI? id={li_id}&direction={li_direction}&med_ip={med_ip}&med_instance={med_instance}&med_port={med_port} enables LI for the specified subscriber
A HTTP POST request to /subscribers/{subscriber_id}/disableLI?id={li_id}
disable LI for the specified subscriber

The table below lists the request parameters:

Parameter Name	Description
subscriber_id	Subscriber identifier that is generated by RBFS, for example, 72339069014638701.
id	Identifier for Lawful Interception. This is unique Identifier used by mediation device to identify the intercepted subscriber. The range can be between 1 to 4194303.
direction	LI direction. Values are: INGRESS, EGRESS, BOTH.
med_instance	VRF instance through the which the mediation device is reachable.
med_ip	IPv4 address of the mediation device
med_port	UDP port(MD)(49152-65535), mirrored traffic is forwarded

Parameter Name

Description

subscriber_id

Subscriber identifier that is generated by RBFS, for example, 72339069014638701.

Identifier for Lawful Interception. This is unique Identifier used by mediation device to identify the intercepted subscriber. The range can be between 1 to 4194303.

direction

LI direction. Values are: INGRESS, EGRESS, BOTH.

med_instance

VRF instance through the which the mediation device is reachable.

med_ip

IPv4 address of the mediation device

med_port

UDP port(MD)(49152-65535), mirrored traffic is forwarded

All parameters are mandatory to enable LI.

3.2.1. Request Examples

3.2.1.1. Enabling LI

The example below shows a curl command to enable LI:

curl -i -H "Content-Type: application/json" -X POST -d http://198.51.100.76:19091/api/v1/rbfs/elements/rtbrick/services/opsd/proxy/subscribers/72339069014639042/enableLI?id=66666&direction=BOTH&med_instance=libox&med_ip=10.0.0.1&med_port=49153

3.2.1.2. Disabling LI

The example below shows a curl command to disable LI.

curl -i -H "Content-Type: application/json" -X POST -d http://198.51.100.76:19091/api/v1/rbfs/elements/rtbrick/services/opsd/proxy/subscribers/72339069014639042/disableLI?id=66666

©Copyright 2023 RtBrick, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of RtBrick in the United States and other countries. Use of the Marks are subject to RtBrick’s Term of Use Policy, available at https://www.rtbrick.com/privacy. Use of marks belonging to other parties is for informational purposes only.