Enabling Lawful Interception
RADIUS Lawful Interception
All of the following attributes must be present in a RADIUS Access-Accept or CoA-Request to control Lawful Interception (LI) via RADIUS. These attributes are salt encrypted using the algorithm described in RFC 2868 for the Tunnel-Password attribute. That encryption algorithm is defined for RADIUS Access-Accept messages only; to support CoA requests, the request authenticator is replaced with 16 zero bytes, which is common industry practice.
RFC and draft compliance are partial except as specified.
The LI action NOOP can be used to obfuscate lawful interception requests (fake requests), so that the mere presence of these attributes does not indicate that a subscriber is intercepted. LI requests received via RADIUS show up in the same table as requests received via the REST or HTTP RPC API (secure.lawful.access.1.li_request).
Failed LI activations are not signalled via RADIUS, so that a CoA-NAK response cannot reveal that an LI request is genuine rather than a NOOP (fake) request.
VSA 26-50058-140 - RtBrick-LI-Action (salt encrypted integer)

| Value | Code | Description |
|---|---|---|
| NOOP | 0 | No action / Ignore LI request |
| ON | 1 | Start LI / Add LI request |
| OFF | 2 | Stop LI / Delete LI request |
VSA 26-50058-141 - RtBrick-LI-Identifier (salt encrypted integer)
Device unique lawful interception identifier (LIID) within the range from 1 to 4194303.
VSA 26-50058-142 - RtBrick-LI-Direction (salt encrypted integer)

| Value | Code | Description |
|---|---|---|
| INGRESS | 1 | Ingress mirroring only (from subscriber) |
| EGRESS | 2 | Egress mirroring only (to subscriber) |
| BOTH | 3 | Bidirectional mirroring (from and to subscriber) |
VSA 26-50058-143 - RtBrick-LI-MED-Instance (salt encrypted string)
Routing instance through which the mediation device is reachable.
VSA 26-50058-144 - RtBrick-LI-MED-IP (salt encrypted IPv4 address)
IPv4 address of the mediation device.
VSA 26-50058-145 - RtBrick-LI-MED-Port (salt encrypted integer)
UDP port between 49152 and 65535 set in the mirrored traffic.
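As an added worked example (not RtBrick code), the following Python builds and parses the RtBrick-LI-Action VSA using the RFC 2868 Tunnel-Password salt encryption described above, including the 16-zero-byte authenticator used for CoA requests. It assumes the VSAs carry no RFC 2868 Tag octet and that integer values are 4-byte big-endian; the shared secret and authenticator are constructed values.

```python
import hashlib
import os
import struct

RTBRICK_VENDOR_ID = 50058
VT_LI_ACTION = 140                      # RtBrick-LI-Action vendor type from the page
LI_ACTION = {"NOOP": 0, "ON": 1, "OFF": 2}
COA_AUTHENTICATOR = bytes(16)           # CoA: request authenticator replaced by 16 zero bytes

def salt_encrypt(plain: bytes, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """RFC 2868 3.5 Tunnel-Password encryption; the Tag octet is assumed absent for these VSAs."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two octets with the high bit of the first set")
    p = bytes([len(plain)]) + plain                   # Data-Length octet, then the data
    p += b"\x00" * (-len(p) % 16)                     # NUL pad to a multiple of 16 octets
    out, prev = b"", authenticator + salt             # b1 = MD5(secret + authenticator + salt)
    for i in range(0, len(p), 16):
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + c, c                        # b_i = MD5(secret + c_{i-1})
    return salt + out

def salt_decrypt(value: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of salt_encrypt; raises on malformed input or an implausible Data-Length."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed salt-encrypted value")
    out, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    if out[0] > len(out) - 1:
        raise ValueError("bad Data-Length: wrong shared secret or wrong authenticator?")
    return out[1:1 + out[0]]

def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Type 26 attribute (RFC 2865 5.26) carrying a single RtBrick vendor attribute."""
    body = struct.pack("!IBB", RTBRICK_VENDOR_ID, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", 26, 2 + len(body)) + body

def li_action_attr(action: str, secret: bytes, authenticator: bytes, salt: bytes = b"") -> bytes:
    salt = salt or bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])   # fresh salt: repeated NOOPs never look alike
    value = salt_encrypt(struct.pack("!I", LI_ACTION[action]), secret, authenticator, salt)
    return encode_vsa(VT_LI_ACTION, value)

def li_action_from_attr(attr: bytes, secret: bytes, authenticator: bytes) -> str:
    """Parse a Type 26 attribute back into the LI action name, validating the VSA header first."""
    atype, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if (atype, alen, vendor, vtype, vlen) != (26, len(attr), RTBRICK_VENDOR_ID, VT_LI_ACTION, alen - 6):
        raise ValueError("not a well-formed RtBrick-LI-Action VSA")
    code, = struct.unpack("!I", salt_decrypt(attr[8:], secret, authenticator))
    return next(name for name, c in LI_ACTION.items() if c == code)
```

For an Access-Accept, pass the authenticator of the matching Access-Request; for a CoA-Request, pass COA_AUTHENTICATOR on both sides.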
RBFS Operational State API
The RBFS Operational State API provides endpoints for enabling and disabling LI on a per-subscriber basis:
- An HTTP POST request to `/subscribers/{subscriber_id}/enableLI?id={li_id}&direction={li_direction}&med_ip={med_ip}&med_instance={med_instance}&med_port={med_port}` enables LI for the specified subscriber.
- An HTTP POST request to `/subscribers/{subscriber_id}/disableLI?id={li_id}` disables LI for the specified subscriber.
The table below lists the request parameters:

| Parameter Name | Description |
|---|---|
| subscriber_id | Subscriber identifier that is generated by RBFS, for example, 72339069014638701. |
| id | Identifier for Lawful Interception. This is the unique identifier used by the mediation device to identify the intercepted subscriber. The range is 1 to 4194303. |
| direction | LI direction. Values are: INGRESS, EGRESS, BOTH. |
| med_instance | VRF instance through which the mediation device is reachable. |
| med_ip | IPv4 address of the mediation device. |
| med_port | UDP port of the mediation device (49152-65535) to which the mirrored traffic is forwarded. |

All parameters are mandatory to enable LI.
Request Examples
Enabling LI
The example below shows a curl command to enable LI. The URL is quoted so that the shell does not treat the `&` separators as background operators, and no `-d` option is used since all parameters travel in the query string:

```shell
curl -i -H "Content-Type: application/json" -X POST \
  "http://198.51.100.76:19091/api/v1/rbfs/elements/rtbrick/services/opsd/proxy/subscribers/72339069014639042/enableLI?id=66666&direction=BOTH&med_instance=libox&med_ip=10.0.0.1&med_port=49153"
```