Enabling Lawful Interception

  • RBFS hides information about lawful intercepts from all but the most privileged users. An administrator must set up access rights to enable privileged users to access lawful intercept information.

  • LI can be enabled for both L2TP and PPPoE subscribers.

RADIUS Lawful Interception

All of the following attributes must be present in a RADIUS Access-Accept or CoA request to control Lawful Interception (LI) via RADIUS. These attributes are salt encrypted using the algorithm described in RFC 2868 for the Tunnel-Password attribute. That encryption algorithm is defined for RADIUS Access-Accept messages only; to support CoA requests, the request authenticator is replaced with 16 zero bytes, which is common industry practice.

RFC and draft compliance are partial except as specified.

The LI action NOOP can be used to obfuscate lawful interception requests (fake requests), so that the mere presence of these attributes does not indicate that a subscriber is intercepted. LI requests received via RADIUS show up in the same table as requests made via the REST or HTTP RPC API (secure.lawful.access.1.li_request).

Failed LI activations are not signalled via RADIUS, so that the presence of a CoA NAK response cannot reveal that an LI request is not fake (action NOOP).

VSA 26-50058-140 - RtBrick-LI-Action (salt encrypted integer)

  Value   Code   Description
  NOOP    0      No action / Ignore LI request
  ON      1      Start LI / Add LI request
  OFF     2      Stop LI / Delete LI request

VSA 26-50058-141 - RtBrick-LI-Identifier (salt encrypted integer)

Device-unique lawful interception identifier (LIID) in the range 1 to 4194303.

VSA 26-50058-142 - RtBrick-LI-Direction (salt encrypted integer)

  Value     Code   Description
  INGRESS   1      Ingress mirroring only (from subscriber)
  EGRESS    2      Egress mirroring only (to subscriber)
  BOTH      3      Bidirectional mirroring (from and to subscriber)

VSA 26-50058-143 - RtBrick-LI-MED-Instance (salt encrypted string)

Routing instance through which the mediation device is reachable.

VSA 26-50058-144 - RtBrick-LI-MED-IP (salt encrypted IPv4 address)

IPv4 address of the mediation device.

VSA 26-50058-145 - RtBrick-LI-MED-Port (salt encrypted integer)

UDP port between 49152 and 65535 that is set in the mirrored traffic.
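The RFC 2868 Tunnel-Password salt encryption described above, worked through for the LI attributes. This is an added example for testing an integration, not RtBrick code; it assumes the VSAs carry no Tag byte and that integer values are encoded as 4 big-endian bytes, and it shows the Access-Accept case (real request authenticator) next to the CoA case (16 zero bytes).

```python
import hashlib
import os
import struct

# RFC 2868 section 3.5 (Tunnel-Password) salt encryption of one attribute value.
# Plaintext field = 1-byte data length + data + zero padding to a multiple of 16.
#   c(1) = p(1) XOR MD5(secret + authenticator + salt)
#   c(i) = p(i) XOR MD5(secret + c(i-1))
# The Tag byte is omitted here (assumption: not part of the RtBrick LI VSAs).

COA_AUTHENTICATOR = bytes(16)  # CoA requests: request authenticator = 16 zero bytes

def salt_encrypt(secret: bytes, authenticator: bytes, data: bytes, salt: bytes = b"") -> bytes:
    """Return salt || ciphertext for data under the given request authenticator."""
    if not salt:  # RFC 2868: 2 random bytes, high bit of the first byte set
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F), os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    plain = bytes([len(data)]) + data
    plain += bytes(-len(plain) % 16)  # zero-pad to a whole number of 16-byte blocks
    out, prev = bytearray(), authenticator + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))  # ciphertext block
        out += prev
    return salt + bytes(out)

def salt_decrypt(secret: bytes, authenticator: bytes, blob: bytes) -> bytes:
    """Inverse of salt_encrypt; raises ValueError on a malformed or mis-keyed value."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed salt-encrypted value")
    plain, prev = bytearray(), authenticator + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]  # next keystream block is keyed by this ciphertext block
        plain += bytes(c ^ b for c, b in zip(prev, block))
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length byte out of range: wrong secret or authenticator?")
    return bytes(plain[1:1 + length])

def encode_li_integer(secret, authenticator, value, salt=b""):
    # Assumption: integer VSAs carry the value as 4 big-endian bytes, like a RADIUS integer.
    return salt_encrypt(secret, authenticator, struct.pack(">I", value), salt)

def decode_li_integer(secret, authenticator, blob):
    return struct.unpack(">I", salt_decrypt(secret, authenticator, blob))[0]
```

Decoding with the wrong secret or the wrong authenticator (for example, treating a CoA value as an Access-Accept value) yields garbage or a length error, which is why the zero-authenticator convention for CoA must match on both ends.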

RBFS Operational State API

The RBFS Operational State API provides endpoints for enabling and disabling LI on a per-subscriber basis:

  • An HTTP POST request to /subscribers/{subscriber_id}/enableLI?
    id={li_id}&direction={li_direction}&med_ip={med_ip}&med_instance={med_instance}&med_port={med_port}
    enables LI for the specified subscriber.

  • An HTTP POST request to /subscribers/{subscriber_id}/disableLI?id={li_id}
    disables LI for the specified subscriber.

The table below lists the request parameters:

  Parameter Name   Description
  subscriber_id    Subscriber identifier generated by RBFS, for example 72339069014638701.
  id               Identifier for Lawful Interception (LIID). This unique identifier is used by the mediation device to identify the intercepted subscriber. The range is 1 to 4194303.
  direction        LI direction. Values are: INGRESS, EGRESS, BOTH.
  med_instance     VRF instance through which the mediation device is reachable.
  med_ip           IPv4 address of the mediation device.
  med_port         UDP port (49152 to 65535) of the mediation device to which the mirrored traffic is forwarded.

All parameters are mandatory to enable LI.

Request Examples

Enabling LI

The example below shows a curl command to enable LI:

curl -i -H "Content-Type: application/json" -X POST 'http://198.51.100.76:19091/api/v1/rbfs/elements/rtbrick/services/opsd/proxy/subscribers/72339069014639042/enableLI?id=66666&direction=BOTH&med_instance=libox&med_ip=10.0.0.1&med_port=49153'

Disabling LI

The example below shows a curl command to disable LI:

curl -i -H "Content-Type: application/json" -X POST 'http://198.51.100.76:19091/api/v1/rbfs/elements/rtbrick/services/opsd/proxy/subscribers/72339069014639042/disableLI?id=66666'