Page 1
1© 2005 Cisco Systems, Inc. All rights reserved.
Craig MulhollandConsulting EngineerFebruary 8, 2006
Cisco SystemsLawful Intercept Capabilities
The contents of this presentation do not constitute legal advice nor does Cisco guarantee the accuracy or completeness of such information.
Page 2
2© 2005 Cisco Systems, Inc. All rights reserved.
Disclaimers
• It is Cisco's intent to support its customers by developing products that will help them meet the requirements of the law.
• Customers are STRONGLY advised to seek qualified legal counsel to advise them about the extent of their obligation under Lawful Intercept regulations and laws in each country in which they operate
The contents of this presentation do not constitute legal advice nor does Cisco guarantee the accuracy or completeness of such information.
Page 3
3© 2005 Cisco Systems, Inc. All rights reserved.
Agenda
• Lawful Intercept Product Planning
• Lawful Intercept Architecture
• Lawful Intercept Standards
Page 4
4© 2005 Cisco Systems, Inc. All rights reserved.
Lawful Intercept Product Planning
Page 5
5© 2005 Cisco Systems, Inc. All rights reserved.
Lawful Intercept Product Planning
• Today – 2/8/2006 – status quo – the NPRM and first report and order have not changed the lawful intercept requirements for enterprises, including institutes of higher education
• Cannot predict the future
• If requirements change, service provider architecture adaptable for other product lines
Page 6
6© 2005 Cisco Systems, Inc. All rights reserved.
• Service provider customer’s have been requiring LI capabilities for several years
• Cisco introduced an architecture for LI in June 2003
• Informational RFC 3924 adopted October 2004
• Existing protocols should NOT be modified to support LI capabilities
• Similar approach adaptable for Higher Education, if required
Lawful Intercept Product Planning
Page 7
7© 2005 Cisco Systems, Inc. All rights reserved.
LI Architecture
Page 8
8© 2005 Cisco Systems, Inc. All rights reserved.
LI Architecture Requirements
• Carrier must be able to provide:
Content of Communication
Communication-Identifying Information (CmII)
• LI must be undetectable by the intercept subject
• Knowledge of wire-tap limited to authorized personnel
• Ability to correlate Communication Identifying Information with Content of Communication
• Confidentiality, Integrity and Authentication of the CmII
• Requirements vary between agencies, regions, and countries
Page 9
9© 2005 Cisco Systems, Inc. All rights reserved.
• Communication-identifying information (CII)
Dialed Digits (Voice Calls)
Subject login (data)
Network Addresses (data)
• Content of Communications
Audio Content of Voice Call
Packets to/from subject
LI Architecture – Examples of information reported
Page 10
10© 2005 Cisco Systems, Inc. All rights reserved.
LI Architecture Requirements
• Transparency/Confidentiality of Intercept:
No indication of intercept to unauthorized parties.
No interruption of ongoing communications
Intercept not perceptible to target or outside parties
LEAs must not be able to detect other LEA intercepts
• Intercept should not affect service to subscribers
• Encryption of Communication Identifying Information & Communication Content desirable
Page 11
11© 2005 Cisco Systems, Inc. All rights reserved.
Generic View of the LI Architecture
LI AdministrationFunction
MediationDevice
InterceptingControlElement
(ICE)
Request
IRI
InterceptingNetworkElement
(INE)
Request Content
Service Provider
Request
Demarcation Point (SP, LEA
responsibility)
Information for the same intercept may be sent to multiple LEA’s
Cisco Equipment
3rd Party Equipment
CollectionFunction
Law EnforcementAgency (LEA)
CommunicationIdentifying Information
CmII
CommunicationContent (CC)
Access Function (AF)/Intercept Access Point (IAP)
Page 12
12© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Lawful Intercept Architecture
• IETF First draft June 2003
• IETF Second draft October 2003
• Informational RFC 3924 adopted October 2004
• Modular architecture – adapts to regional requirements via partner equipment (mediation device)
• Key Features:– Common architecture (SII) for voice and data
– Separation of intercept control from call control (voice) and session control (data)
– Controlled by Mediation Device
– Standardized interface for mediation device to provision intercepts via SNMPv3
Page 13
13© 2005 Cisco Systems, Inc. All rights reserved.
IETF – RFC 3924
Lawful Intercept Architecture Reference Model Lawful Intercept Architecture Reference Model
Law Enforcement Agency (LEA)
Law Enforcement Agency (LEA)
Law Intercept
Administration Function
Law Intercept
Administration Function
Intercept RelatedInformation (IRI) IAP
Intercept RelatedInformation (IRI) IAP Mediation Device (MD)Mediation Device (MD)
Content InterceptAccess Point (IAP)
Content InterceptAccess Point (IAP)
Service ProviderFunctions
MD Provisioning Interface b
HI1(a)
e
IRI (e)
HI2(g)
User Content User Content
c
Intercept Request (d)f
Intercepted Content ( f)
HI3(h)
d
Page 14
14© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Service Independent Intercept
LI AdministrationFunction
MediationDevice
InterceptingControlElement
(ICE)
Request
IRI
InterceptingNetworkElement
(INE)
Request Content
Service Provider
Cisco Equipment
3rd Party Equipment
CollectionFunction
Law EnforcementAgency (LEA)
InterceptRelatedInfo (IRI)
CommunicationContent (CC)
Voice - Call Agent Data - Radius, AAA
RADIUS Event Messages
SNMPv3RTP or UDP transport
for delivery
Configuration Commands
Voice - Edge router, Trunk G/WData – Access/Aggregation router
Page 15
15© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Service Independent Intercept
• Separates control for intercept from network authorization and control functions
• Mediation Device sets up filter specification, destination, transport, controls intercept via SNMPv3
• Intercept Access Point (router/switch) replicates content stream based on configuration by M/D
• Intercept NOT visible through command line at the router/switch (IAP)
• Modular architecture – Mediation device adapts to regional requirements (M/D partners familiar with local requirements/variations)
Page 16
16© 2005 Cisco Systems, Inc. All rights reserved.
IRI
CC
LI Architecture – Voice Intercept
LI AdministrationFunction
Service Provider
(a/c)
CollectionFunction
Request (c2)
Request(c1)
Content(d1)
RTP Stream
Request (a1)
IRI (d2)
INE
ICE
TargetSubscriber
Customer Premise IAD or IP Phone
(SIP, H.323, or MGCP-based)
Customer Premise IAD or IP
Phone
LI AdministrationFunction
Aggregation Router
Aggregation Router
Gatekeeper,SIP Proxy,Call Agent
MediationDevice (3rd Party)
Ad
min
ConfigIRI IRI
CallControl
CC
SNMPv3SET
VoicePackets
Admin
CallControl
LEA
Page 17
17© 2005 Cisco Systems, Inc. All rights reserved.
IRI
CC
LI Architecture – Data Intercept
LI AdministrationFunction
Service Provider
CollectionFunction
LEA
Request
Content
Request
IRIIntercepting
ControlElement
InterceptingNetworkElement
MediationDevice
TargetSubscriber
AAA Server(Cisco Access
Registrar, other)
Sniffer/Probe
Aggregation Router
LI AdministrationFunction
Data Stream
Admin (HI1)
1
Ad
min 2
Config3
Access Request
4
IRI6
InterceptRequest
7
8Ack
13
InterceptedData 14
CC
15
9
AccessAccept
IRI 5 11AcctStart
10
12
Page 18
18© 2005 Cisco Systems, Inc. All rights reserved.
Lawful Intercept Standards
Page 19
19© 2005 Cisco Systems, Inc. All rights reserved.
Why Lawful Intercept Standards?
• Developed cooperatively in standards organizations (eg. ETSI, ATIS, TIA) with participation from service providers, equipment vendors, and law enforcement
• Compliance with Lawful Intercept Standards provides “Safe Harbor” under CALEA
• “Safe Harbor” status until challenged
• Appeals to FCC and courts
Page 20
20© 2005 Cisco Systems, Inc. All rights reserved.
Standards Organizations (Cisco Participation)
• Telecommunications Industry Association (TIA)
• Alliance for Telecommunications Industry Solutions (ATIS formerly Committee T1)
• PacketCable™
• European Telecommunications Standards Institute (ETSI)
Page 21
21© 2005 Cisco Systems, Inc. All rights reserved.
DeliveryFunction
DeliveryFunction
TelecommunicationService Provider
Service Provider
Administration Function
Service Provider
Administration Function
AccessFunction
AccessFunction
Law Enforcement Agency (LEA)
Law Enforcement
Administration Function
Law Enforcement
Administration Function
CollectionFunction
CollectionFunction
a
b
c
d
eThe scope ofJ-STD-025 is limited to thee reference point.
Network Reference Model Network Reference Model
TIA – J-STD-025
Page 22
22© 2005 Cisco Systems, Inc. All rights reserved.
• J-STD-025 B – J-STD-025 A, current standard for telephone network LI, published May 2000 – B ver adds cdma2000® packet data, and references for VoP and 3GPP, approved as trial standard Dec 2003, second default ballot as ANSI standard completed
• TIA 1066 – LI for cdma2000® - developed in TR 45.6, currently in ballot comment resolution
• TIA 1071 – LI for IP Multimedia Subsystem – developed in TR45.2 AHI, moved to TR45.6, needs to be aligned with TIA 1066
TIA – LI Standards of Interest
Page 23
23© 2005 Cisco Systems, Inc. All rights reserved.
TerminalVoP
CCAccess
Function
CIIMediationFunction
CCMediationFunction
CIIDeliveryFunction
CCDeliveryFunction
LEACollectionFunction
LEACollectionFunction
Subject’sDomain
Network’sDomain
LEA’sDomain
‘e’
‘e’
VoP
VoP
VoP
TDM, VoP’
VoPSignaling
J-STD-025 xVoP/NetworkSignaling
VoP/NetworkSignalingCII
AccessFunction
NetworkSignaling
I
I
I = IAP
ATIS – T1.678
Page 24
24© 2005 Cisco Systems, Inc. All rights reserved.
• T1.678v2 – LI for VoIP (SIP, H.323) – V2 completed January 2006, includes supplementary services (call hold, call transfer, multiparty calls)
• T1.IPNA – LI for Public IP Network Access (data) – V1 in progress
• New Issue NGN – TR for application of LI standards to ATIS NGN architecture
• T1.724 - Handover Interface for Lawful Interception of Packet-Data Services, Circuit Switched Services, and Multimedia Services within the Universal Mobile Telecommunications System (UMTS) – adoption of TS 33.108
ATIS – LI Standards of Interest
Page 25
25© 2005 Cisco Systems, Inc. All rights reserved.
PacketCable Electronic Surveillance Reference Model
PacketCable™ - LI Reference Model
Page 26
26© 2005 Cisco Systems, Inc. All rights reserved.
• Electronic Surveillance Protocol
- PKT-SP-ESP-I01-991229 Published 29 Dec 1999
- PKT-SP-ESP-I02-030801 Published 1 Aug 2003
- PKT-SP-ESP-I03-040113 Published 13 Jan 2004
• PKT-SP-ESP- I04-040723 Published 23 July 2004– Meets Law Enforcements requirements, including call forward, call
transfer, and PC “Punch-List” items
• PacketCable 2.0 currently in development
PacketCable™- LI Standards of Interest - VoIP
Page 27
27© 2005 Cisco Systems, Inc. All rights reserved.
ETSI – Lawful Intercept Reference Model
LEMF
NetworkInternalFunctions
Intercept related information (IRI)
Content ofCommunication (CC)
Administration function
IRI Mediation function
Content Mediationfunction
IIF
INI
HI1
HI2
HI3
IIF: Internal interception FunctionINI: Internal Network Interface
HI1: Administrative InformationHI2: Intercept Related InformationHI3: Content of Communication
NWO/AP/SvPDomain
Page 28
28© 2005 Cisco Systems, Inc. All rights reserved.
ETSI – Third Generation Mobile (3GMS)
• TS 133.106 - Lawful interception requirements within a Third Generation Mobile Communication System (3GMS) – v6.1.0 Published January, 2005
• TS 133.107 - Lawful interception architecture and functions –v5.6.0 Published Sept, 2003
• TS 133.108 - Handover Interface for Lawful Intercept – v5.5.0 Published Sept, 2003
Page 29
29© 2005 Cisco Systems, Inc. All rights reserved.
• ETSI TS 102.232 v1.1.1 – Lawful Interception: Handover Interface for IP Delivery – Published Feb, 2004, Updated Oct, 2004 (v1.2.1)
• ETSI TS 102.233 v1.2.1 – Lawful Interception: Service Specific Details for E-mail Services – Published May, 2004
• ETSI TS 102.234 v1.1.1 – Lawful Interception: Service Specific Details for Internet Access Services – Published Feb, 2004, updated Oct 2004, (v1.2.1)
ETSI – LI Standards of Interest - IP Data
Page 30
30© 2005 Cisco Systems, Inc. All rights reserved.