ETSI X1

Lawful Interception (LI) involves defined interfaces between Law Enforcement Agencies (LEAs) and Communication Service Providers (CSPs), commonly referred to as handover interfaces. Within the CSP domain, LI defines the following three interfaces:

  • X1 for interception management and administrative control

  • X2 for delivery of intercept-related information (IRI)

  • X3 for delivery of intercepted content (CC)

RBFS implements the X1 interface in compliance with ETSI TS 101 671. This interface is used for provisioning, modifying, and terminating interception sessions and forms the control plane between the LI management system and RBFS.

Refer to the “LIX1 Configuration” section below for details on configuring the LIX1 administration interface.

LIX1 Configuration

In this section, you will find the configurations related to the LIX1 interface.

Syntax:

set lawful-intercept protocol <protocol-name> <attribute> <value>

| Attribute | Description |
|---|---|
| <protocol-name> | Enables lawful intercept on the switch. Supported Value: x1. |
| administrative-function-endpoint <administrative-function-endpoint> | Specifies the ADMF endpoint URL for sending requests. |
| administrative-function-id <administrative-function-id> | Specifies the ADMF identifier. |
| mediation-device-instance <mediation-device-instance> | Specifies the routing instance that hosts the mediation devices. |
| mutual-tls | Global mutual TLS configuration. |
| mutual-tls client authentication <certificate-name> | (Optional) Name of the certificate. |
| mutual-tls client authentication <certificate-name> certificate <certificate> | (Optional) Specifies the certificate PEM data in base64 encoding. If this value is not specified, it defaults to the server certificate. |
| mutual-tls client authentication <certificate-name> key-encrypted-text <key-encrypted-text> | (Optional) Specifies the certificate key in an encrypted format. |
| mutual-tls client authentication <certificate-name> key-plain-text <key-plain-text> | (Optional) Specifies the certificate key in base64 encoding. If this value is not specified, it defaults to the server authentication key. |
| mutual-tls client root-ca <root-ca> | (Optional) Specifies the trusted CA in base64 encoding. This is mandatory for a self-signed certificate. |
| mutual-tls server certificate <certificate> | Specifies the certificate PEM data in base64 encoding. |
| mutual-tls server client-ca <client-ca> | Specifies the trusted client CAs in base64 encoding. |
| mutual-tls server key <key-encrypted-text> | Specifies the certificate key in base64 encoding. |
| network-element-id <network-element-id> | The network element ID of the network element in the ADMF. |
| network-element-path <network-element-path> | (Optional) The context-path for all incoming protocol requests. Default: /X1/NE. |
| sync-timeout <5-60> | (Optional) The maximum interval for completing protocol requests synchronously in seconds. Default: 5. |
| async-timeout <10-120> | (Optional) The maximum interval for completing protocol requests asynchronously in seconds. Default: 15 seconds. |
| hold-time <60-86400> | (Optional) Specifies the hold time in seconds for the LI tasks if no keepalive messages are seen from ADMF. Default: 3600 seconds. |

If both sync-timeout and async-timeout are configured, async-timeout must be at least twice the value of sync-timeout.
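
The value ranges and the timeout rule above can be checked before a configuration is committed. The following Python check is an added example, not part of RBFS or its tooling; the function name `check_lix1`, the sample identifiers and key placeholder, and the warning on `key-plain-text` are assumptions of this example.

```python
# Added example: lint LIX1 "set" lines against the limits in the attribute table.
RANGES = {"sync-timeout": (5, 60), "async-timeout": (10, 120), "hold-time": (60, 86400)}
PREFIX = "set lawful-intercept protocol x1 "

# Constructed sample configuration; identifiers and the key value are placeholders.
SAMPLE = """\
set lawful-intercept protocol x1 administrative-function-id admf-example
set lawful-intercept protocol x1 network-element-id ne-example
set lawful-intercept protocol x1 sync-timeout 10
set lawful-intercept protocol x1 async-timeout 15
set lawful-intercept protocol x1 hold-time 30
set lawful-intercept protocol x1 mutual-tls client authentication admf-client key-plain-text PLACEHOLDER
"""

def check_lix1(config_text):
    """Return a list of findings for the LIX1 'set' lines in config_text."""
    findings, seen = [], {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if not line.startswith(PREFIX):
            continue                          # not an LIX1 statement
        tokens = line[len(PREFIX):].split()
        attr = tokens[0] if tokens else ""
        if attr in RANGES:
            lo, hi = RANGES[attr]
            if len(tokens) != 2 or not tokens[1].isdigit():
                findings.append(f"line {lineno}: {attr} needs one integer value")
                continue
            value = int(tokens[1])
            if not lo <= value <= hi:
                findings.append(f"line {lineno}: {attr} {value} outside {lo}-{hi}")
            seen[attr] = value
        elif "key-plain-text" in tokens:
            # Review policy assumed by this example, not an RBFS rule.
            findings.append(f"line {lineno}: key-plain-text used; prefer key-encrypted-text")
    sync, async_ = seen.get("sync-timeout"), seen.get("async-timeout")
    # The rule applies only when both timeouts are explicitly configured.
    if sync is not None and async_ is not None and async_ < 2 * sync:
        findings.append(f"async-timeout {async_} is less than twice sync-timeout {sync}")
    return findings

if __name__ == "__main__":
    for finding in check_lix1(SAMPLE):
        print(finding)
```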

Invoking LI with CURL

As shown in the example below, you can use CURL to invoke LI.

sudo curl --location 'http://localhost/hostconfd/api/v1/li' --header 'Content-Type: application/json' --data '<Insert data>'  --unix-socket /var/run/rtbrick/hostconfd_sock/unix.sock -v

Enabling Lawful Interception

RBFS restricts access to lawful interception data, making it accessible only to users with the highest privilege level or to explicitly defined LI operator roles.

RBFS supports lawful interception for PPPoE, L2TP, and IPoE subscribers.