
Content for  TS 33.127  Word version:  16.4.0


 

6  Network layer based interception

6.1  General

Clause 6 gives details for the configuration of the high-level LI architecture for network layer based interception. It defines aspects of the LI configuration specific to each network under consideration (e.g. 5G), while aspects concerning services delivered over this network are considered in clause 7.

6.2  5G

6.2.1  General

Figure 6.2-1 depicts the 5G EPC-anchored LI architecture. The network functions are depicted in grey, while the LI elements are depicted in blue.
Figure 6.2-1: 5G EPC-anchored LI architecture
Figure 6.2-2 depicts the 5G core-anchored LI architecture. The network functions are depicted in grey, while the LI elements are depicted in blue.
Figure 6.2-2: 5G core-anchored LI architecture

6.2.2  LI at AMF

6.2.2.1  Architecture

In the 5GC network, the AMF handles the access and mobility functions. The AMF shall have LI capabilities to generate the target UE's network access, registration and connection management related xIRI. Extending the generic LI architecture presented in clause 5, figure 6.2-3 below gives a reference point representation of the LI architecture with AMF as a CP NF providing the IRI-POI functions.
Figure 6.2-3: LI architecture for LI at AMF
The LICF present in the ADMF receives the warrant from an LEA, derives the intercept information from the warrant and provides the same to the LIPF.
The LIPF present in the ADMF provisions the IRI-POI (over LI_X1) present in the AMF and the MDF2. The LIPF may interact with the SIRF (over LI_SI) present in the NRF to discover the AMFs in the network.
The IRI-POI present in the AMF detects the target UE's access and mobility related functions (network access, registration and connection management), generates and delivers the xIRI to the MDF2 over LI_X2. The MDF2 delivers the IRI messages as part of the Interception Product to the LEMF over LI_HI2.

6.2.2.2  Target identities

The LIPF present in the ADMF provisions the intercept information associated with the following target identities to the IRI-POI present in the AMF:
  • SUPI.
  • PEI.
  • GPSI.
The interceptions performed on the above three identities are mutually independent, even though an xIRI may contain information about the other identities when available.

6.2.2.3  Identity privacy

TS 33.501 defines the ability to prevent the SUPI being exposed over the 5G RAN through the use of SUCI. Where SUPI privacy is implemented by both the UDM and UE, the SUPI is not sent in the clear over the RAN. Therefore, AMF has to rely on the UDM to provide the SUPI as part of the registration procedure as defined in TS 33.501.
If the AMF receives a SUCI from the UE then the AMF shall ensure for every registration (including re-registration) that SUPI has been provided by the UDM to the AMF and that the SUCI to SUPI mapping has been verified as defined in TS 33.501. This shall be performed regardless of whether the SUPI is a target of interception.
The AMF IRI-POI shall provide both the SUPI and the current SUCI in all applicable events defined in clause 6.2.2.4.

6.2.2.4  IRI events

The IRI-POI present in the AMF shall generate xIRI, when it detects the following specific events or information:
  • Registration.
  • Deregistration.
  • Location update.
  • Start of interception with already registered UE.
  • Unsuccessful communication attempt.
The registration xIRI is generated when the IRI-POI present in an AMF detects that a target UE has successfully registered to the 5GS via 3GPP NG-RAN or non-3GPP access. The registration xIRI describes the type of registration performed (e.g. initial registration, periodic registration, registration mobility update) and the access type (e.g. 3GPP, non-3GPP). Unsuccessful registration shall be reported only if the target UE has been successfully authenticated.
The deregistration xIRI is generated when the IRI-POI present in an AMF detects that a target UE has deregistered from the 5GS. The deregistration xIRI shall indicate whether it was a UE-initiated or a network-initiated deregistration.
The location update xIRI is generated each time the IRI-POI present in an AMF detects that the target UE's location is updated due to the target UE's mobility (e.g. in case of Xn based inter NG-RAN handover). The generation of such xIRI may be omitted if the updated UE location information is already included in other xIRIs (e.g. mobility registration) provided by the IRI-POI present in the same AMF. If the information received by the AMF over N2 (TS 38.413) includes one or more cell IDs, then all cell IDs shall be reported to the LEMF whenever location reporting is triggered at the AMF.
The start of interception with already registered UE xIRI is generated when the IRI-POI present in an AMF detects that interception is activated on the target UE that has already been registered in the 5GS.
When additional warrants are activated on a target UE, MDF2 shall be able to generate and deliver the start of interception with already registered UE related IRI messages to the LEMF associated with the warrants without receiving the corresponding start of interception with already registered UE xIRI.
The unsuccessful communication attempt xIRI is generated when the IRI-POI present in an AMF detects that a target UE initiated communication procedure (e.g. session establishment, SMS) is rejected by the AMF before the proper NF handling the communication attempt itself is involved.

6.2.2.5  Common IRI parameters

The list of xIRI parameters is specified in TS 33.128. All xIRI shall include the following:
  • Target identity.
  • Time stamp.
  • Location information.
  • Correlation information.

6.2.2.6  Specific IRI parameters

The list of parameters in each xIRI is defined in TS 33.128. The following gives a summary.
The registration xIRI shall include the following:
  • Registration type information.
  • Access type information.
  • Requested slice information.
The deregistration xIRI shall include the following:
  • UE initiated de-registration.
  • Access type information.
  • Network initiated de-registration.
The location update xIRI shall include the following:
The start of interception with already registered UE xIRI shall include the following:
  • Access type information.
  • Requested slice information.
The unsuccessful communication attempt xIRI shall include the following:
  • Rejected type of communication attempt.
  • Access type information.
  • Failure reason.
When the access type is non-3GPP, the IP address used by the UE to reach the N3IWF shall be reported. The port shall also be reported if available.

6.2.2.7  Network topologies

The AMF shall provide the IRI-POI functions in the following network topology cases:
  • Non-roaming case.
  • Roaming case, in VPLMN.
  • Roaming case, in HPLMN for non-3GPP access.
In a roaming case, it is possible that the target UE may use non-3GPP access with the N3IWF present in the HPLMN.

6.2.3  LI for SMF/UPF

6.2.3.1  Architecture

In the 5GC network, user plane functions are separated from the control plane functions. The SMF that handles control plane actions (e.g. establishing, modifying, deleting) for the PDU sessions shall include an IRI-POI that has the LI capability to generate the related xIRI. The UPF that handles the user plane data shall include a CC-POI that has the capability to duplicate the user plane packets from the PDU sessions based on the interception rules received from the SMF. Figure 6.2-4 shows the LI architecture for SMF/UPF based interception.
Figure 6.2-4: LI architecture showing LI at SMF/UPF
The LICF present in the ADMF receives the warrant from an LEA, derives the intercept information from the warrant and provides it to the LIPF.
The LIPF present in the ADMF provisions IRI-POI (present in the SMF), MDF2 and MDF3 over the LI_X1 interfaces. To enable the interception of the target's user plane packets (e.g. when the warrant requires the interception of communication contents), the CC-TF present in the SMF is also considered to be provisioned with the intercept data.
The LIPF may interact with the SIRF (over LI_SI) present in the NRF to discover the SMFs and UPFs in the network. The IRI-POI present in the SMF detects the PDU session establishment, modification, and deletion related events, generates and delivers the related xIRI to the MDF2 over LI_X2. The MDF2 delivers the IRI messages to the LEMF over LI_HI2.
When interception of communication contents is required, the CC-TF present in the SMF sends a trigger to the CC-POI present in the UPF over the LI_T3 interface which can be based on N4 functionalities (between SMF and UPF) with LI specific security measures applied.
The trigger sent from the CC-TF to CC-POI includes the following information:
  • User plane packet detection rules.
  • Target identity.
  • Correlation information.
  • MDF3 address.
The CC-POI present in the UPF generates the xCC from the user plane packets and delivers the xCC (that includes the correlation number and the target identity) to the MDF3. The MDF3 delivers the CC to the LEMF over LI_HI3.
A warrant that does not require the interception of communication contents may require IRI messages that have to be derived from the user plane packets. To support the generation of related xIRI (i.e. xIRI that require access to the user plane packets), the present document supports two implementation approaches:
  • In approach 1, the IRI-POI responsible for the generation of such xIRI resides in the UPF. Such an IRI-POI requires a trigger to enable it to detect the user plane packets. The corresponding Triggering Function (IRI-TF) resides in the same SMF that has the IRI-POI for the generation of other xIRI.
    The trigger sent by the IRI-TF (present in the SMF) to the IRI-POI (present in the UPF) includes the following:
    • User plane packet detection rules.
    • Target identity.
    • Correlation information.
    • MDF2 address.
    The IRI-POI present in the UPF generates the xIRI (that includes the correlation number and the target identity) from the user plane packets and sends it to the MDF2. The MDF2 generates the IRI messages and sends them to the LEMF.
  • In approach 2, xCC is generated by the CC-POI present in the UPF as if the warrant involved the interception of communication contents. To enable this, the CC-TF is presumed to be present in the SMF even when the warrant does not require the interception of communication contents. As explained before, the CC-POI generates the xCC and sends it to the MDF3. The MDF3 (based on the provisioned intercept information) does not generate and deliver the CC to the LEMF. Instead, the MDF3 forwards the xCC to the MDF2 over the LI_MDF interface. The MDF2 then generates the IRI messages from the xCC and delivers those IRI messages to the LEMF.
Clause 8.6.2 defines a CC-PAG (CC-POI Aggregator) as an architectural extension option that is located between the MDF3 and CC-POI and performs the function of aggregating the xCC from different CC-POIs towards the MDF3.

6.2.3.2  Target identities

The LIPF provisions the intercept related information associated with the following target identities to the IRI-POI present in the SMF:
  • SUPI.
  • PEI.
  • GPSI.
The interceptions performed on the above three identities are mutually independent, even though an xIRI may contain information about the other identities when available.

6.2.3.3  IRI events

The IRI-POI present in the SMF shall generate xIRI, when it detects the following specific events or information:
  • PDU session establishment.
  • PDU session modification.
  • PDU session release.
  • Start of interception with an established PDU session.
The PDU session establishment xIRI is generated when the IRI-POI present in the SMF detects that a PDU session has been established for the target UE.
The PDU session modification xIRI is generated when the IRI-POI present in the SMF detects that a PDU session is modified for the target UE.
The PDU session release xIRI is generated when the IRI-POI present in the SMF detects that a PDU session is released for the target UE.
The start of interception with an established PDU session xIRI is generated when the IRI-POI present in an SMF detects that interception is activated on the target UE that has an already established PDU session in the 5GS. When a target UE has multiple PDU sessions, this xIRI shall be sent for each PDU session with a different value of correlation information.
When additional warrants are activated on a target UE, MDF2 shall be able to generate and deliver the start of interception with an established PDU session related IRI messages to the LEMF associated with the warrants without receiving the corresponding start of interception with an established PDU session xIRI.
When the warrant requires the packet data header information reporting, the following xIRI shall be generated:
  • Packet data header information report.
    The generation of packet data information report can be done by either the IRI-POI present in the UPF or the MDF2.

6.2.3.4  Common IRI parameters

The list of xIRI parameters is specified in TS 33.128. Each xIRI shall include at the minimum the following information:
  • Target identity.
  • Time stamp.
  • Correlation information.
  • Location information.
  • Session related information.

6.2.3.5  Specific IRI parameters

The parameters in each xIRI are defined in TS 33.128.

6.2.3.6  Network topologies

The SMF shall provide the IRI-POI functions in the following network topology cases:
  • Non-roaming case.
  • Roaming case, in VPLMN.
  • Roaming case, in HPLMN.
  • Non-3GPP access case, in the PLMN where N3IWF resides.
When the target UE has multiple PDU sessions active, the generation and delivery of xCC for each PDU session shall be done independently, each with separate correlation information.
When a target UE's PDU session involves multiple Data Network (DN) connections, the generation and delivery of xCC shall be done in such a way that:
  • All applicable user plane packets are captured and delivered.
  • Duplicate delivery of CC is suppressed to the extent possible.
A PDU session may involve more than one UPF. In that case, the CC-TF present in the SMF shall determine which UPF(s) is (are) more suitable to provide the CC-POI functions while adhering to the above two requirements. Furthermore, independent of which UPF is used to generate the xCC, the CC delivered from the MDF3 shall be correlated to the IRI messages related to the PDU session.
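The following is an added example, not code from TS 33.127 or from any vendor's SMF or UPF: a Python model of the LI_T3 trigger path of clause 6.2.3.1 together with the multi-session and multi-UPF requirements of clause 6.2.3.6. The CC-TF assigns one correlation value per (target, PDU session) and activates the CC-POI in each UPF it has chosen for that session; each CC-POI copies packets matching the detection rules into xCC carrying the correlation and target identity; the MDF3 suppresses the same packet arriving from two UPFs on one session and, for an IRI-only warrant, forwards the xCC to the MDF2 instead of delivering CC (approach 2). The `Packet` layout, the detection-rule dictionary, the duplicate key and the warrant-type lookup are assumptions made for this example.

```python
# Added example (not from TS 33.127): the CC-TF in the SMF triggering CC-POIs in UPFs
# (clause 6.2.3.1) and the MDF3 handling of several PDU sessions and several UPFs
# per session (clause 6.2.3.6). Packet layout, rule format and MDF3 logic are constructed.
from dataclasses import dataclass
import hashlib
import itertools


@dataclass(frozen=True)
class Packet:
    pdu_session_id: int
    src_ip: str
    dst_ip: str
    payload: bytes


@dataclass
class Trigger:
    """Content of the LI_T3 trigger from the CC-TF to a CC-POI (clause 6.2.3.1)."""
    detection_rules: dict       # constructed: {"pdu_session_id": ..., "ue_ip": ...}
    target_identity: str
    correlation: int
    mdf3_address: str


class CcTf:
    """CC-TF in the SMF. One correlation value per (target, PDU session), clause 6.2.3.6."""

    def __init__(self, mdf3_address="mdf3.li.example"):
        self.mdf3_address = mdf3_address
        self._next = itertools.count(1000)
        self.correlation_by_session = {}

    def trigger_for_session(self, target, pdu_session_id, ue_ip, upfs):
        corr = self.correlation_by_session.setdefault((target, pdu_session_id), next(self._next))
        trig = Trigger({"pdu_session_id": pdu_session_id, "ue_ip": ue_ip},
                       target, corr, self.mdf3_address)
        for upf in upfs:            # the UPF(s) the CC-TF judged suitable for this session
            upf.activate(trig)
        return trig


class CcPoi:
    """CC-POI in a UPF: copies packets matching an active trigger into xCC for the MDF3."""

    def __init__(self, name, mdf3):
        self.name, self.mdf3, self.triggers = name, mdf3, []

    def activate(self, trig):
        self.triggers.append(trig)

    def on_packet(self, pkt):
        results = []
        for t in self.triggers:
            r = t.detection_rules
            if pkt.pdu_session_id == r["pdu_session_id"] and r["ue_ip"] in (pkt.src_ip, pkt.dst_ip):
                results.append(self.mdf3.receive_xcc({
                    "correlation": t.correlation, "target_identity": t.target_identity,
                    "upf": self.name, "packet": pkt}))
        return results


class Mdf3:
    """MDF3: delivers CC over LI_HI3, or forwards xCC to the MDF2 for an IRI-only
    warrant (approach 2 of clause 6.2.3.1), suppressing duplicates from multiple UPFs."""

    def __init__(self):
        self.warrant_type = {}      # target -> "CC" or "IRI_ONLY", provisioned over LI_X1
        self.cc_to_lemf = []
        self.xcc_to_mdf2 = []
        self._seen = set()

    def receive_xcc(self, xcc):
        pkt = xcc["packet"]
        # Constructed duplicate key: correlation plus packet digest. A production MDF3 would
        # key on a packet identifier assigned by the CC-POI, so that genuine retransmissions
        # (identical bytes) are not collapsed by mistake.
        digest = hashlib.sha256(f"{pkt.src_ip}>{pkt.dst_ip}|".encode() + pkt.payload).hexdigest()
        if (xcc["correlation"], digest) in self._seen:
            return "duplicate_suppressed"
        self._seen.add((xcc["correlation"], digest))
        if self.warrant_type.get(xcc["target_identity"]) == "IRI_ONLY":
            self.xcc_to_mdf2.append(xcc)     # over LI_MDF; the MDF2 derives IRI from it
            return "forwarded_to_mdf2"
        self.cc_to_lemf.append(xcc)
        return "cc_delivered"
```

Because the correlation value is fixed per (target, PDU session) rather than per UPF, CC captured at whichever UPF the CC-TF selected still correlates to the PDU session's IRI messages, which is the last requirement of clause 6.2.3.6.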

6.2.4  LI at UDM for 5G

In the 5G packet core network, the UDM provides the unified data management for the UE. The UDM shall have LI capabilities to generate the target UE's service area registration related xIRI. See clause 7.2.2 for the details.

6.2.5  LI at SMSF

6.2.5.1  Architecture

In the 5GC network, the SMSF provides functionalities to support SMS over NAS. The SMSF shall have LI capabilities to generate xIRIs when SMS related to the target UE are handled. Extending the generic LI architecture presented in clause 5, figure 6.2-5 below gives a reference point representation of the LI architecture with SMSF as a CP NF providing the IRI-POI functions.
Figure 6.2-5: LI architecture for LI at SMSF
The LICF present in the ADMF receives the warrant from an LEA, derives the intercept information from the warrant and provides the same to the LIPF.
The LIPF present in the ADMF provisions the IRI-POI present in the SMSF and the MDF2 over LI_X1 interfaces. The LIPF may interact with the SIRF (over LI_SI) present in the NRF to discover the SMSFs in the network.
The IRI-POI present in the SMSF detects the target UE's SMS, generates and delivers the xIRI to the MDF2 over LI_X2. The xIRI will contain the SMS payload. The MDF2 shall support the capability to deliver the IRI messages including the SMS payload as part of the Interception Product to the LEMF over LI_HI2.
National regulations may require that the MDF2 remove information regarded as content from the payload in case of an IRI only warrant.

6.2.5.2  Target identities

The LIPF present in the ADMF provisions the intercept information associated with the following target identities to the IRI-POI present in the SMSF:
  • SUPI.
  • PEI.
  • GPSI.
The interceptions performed on the above three identities are mutually independent, even though an xIRI may contain information about the other identities when available.

6.2.5.3  IRI events

The IRI-POI present in the SMSF shall generate xIRI, when it detects the following specific events or information:
  • SMS message.
The SMS message xIRI is generated when the IRI-POI present in an SMSF detects that an SMS message for the target UE is handled.

6.2.5.4  Common IRI parameters

The list of xIRI parameters is specified in TS 33.128. The xIRIs shall include at the minimum the following information:
  • Target identity.
  • Time stamp.
  • Location information.
  • SMS message direction (mobile originated, mobile terminated).
  • SMS message payload.

6.2.5.5  Specific IRI parameters

The parameters in each xIRI are defined in TS 33.128.

6.2.5.6  Network topologies

The SMSF shall provide the IRI-POI functions in the following network topology cases:
  • Non-roaming case.
  • Roaming case, in VPLMN.

6.2.6  LI support at NRF

6.2.6.1  Architecture

In 5G, network functions that support SBA register with the NRF after instantiation. The NRF thus provides the network repository functions and is aware of all the NFs that have been instantiated. The present document refers to this as system information.
The SIRF present in the NRF provides the system information to the LIPF present in the ADMF, in order for the LIPF to establish which NFs (and therefore POIs) are applicable to a specific target user's services. LI function service discovery is described in clause 5.5.
An architecture diagram depicting this LI at NRF is shown in figure 6.2-6 below.
Figure 6.2-6: LI Architecture depicting NRF as an SIRF
Figure 6.2-6 shows the architecture illustrating the SIRF functions within the NRF.
The LIPF present in the ADMF interacts with the SIRF (over LI_SI) present in the NRF to obtain the system information.

6.2.6.2  LI_SI notifications

The SIRF present in the NRF shall generate notifications over LI_SI when the SIRF detects the following specific events or information:
  • NF service registration.
  • NF service update.
  • NF service deregistration.
  • NF service chain change.
The NF service chain change notification shall be generated whenever an NF is added to or removed from a service chain in response to NF discovery and selection events.
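The following is an added example and not part of TS 33.127 or of any ADMF product: a Python sketch of how the LIPF could consume the four LI_SI notifications listed above so that a POI-capable NF is never left serving a target without the active warrants provisioned over LI_X1. A registration of an AMF, SMF, SMSF or UPF triggers provisioning of every current warrant; an update that moves the POI endpoint triggers re-provisioning; a deregistration releases the provisioning; and an NF added to a service chain is checked for missing warrants. The NF profile fields (`nf_instance_id`, `nf_type`, `li_x1_address`, `change`), the set of POI-capable NF types and the action tuples returned are assumptions made for this example.

```python
# Added example (not from TS 33.127): an LIPF in the ADMF consuming the LI_SI
# notifications of clause 6.2.6.2 so that every POI-capable NF is provisioned with the
# active warrants before it can serve a target. NF profile fields (nf_instance_id,
# nf_type, li_x1_address, change) and the action tuples are constructed for this example.
POI_NF_TYPES = {"AMF", "SMF", "SMSF", "UPF"}   # NFs hosting a POI/TF in clause 6.2


class Lipf:
    def __init__(self):
        self.nfs = {}           # nf_instance_id -> last profile seen from the SIRF
        self.warrants = {}      # warrant_id -> target identity (from the LICF)
        self.provisioned = {}   # nf_instance_id -> set of warrant ids pushed over LI_X1

    def _provision(self, nf_id, warrant_id, verb="LI_X1 provision"):
        self.provisioned.setdefault(nf_id, set()).add(warrant_id)
        return (verb, nf_id, warrant_id, self.warrants[warrant_id])

    def add_warrant(self, warrant_id, target):
        """New intercept from the LICF: push it to every POI-capable NF already known."""
        self.warrants[warrant_id] = target
        return [self._provision(nf_id, warrant_id)
                for nf_id, p in self.nfs.items() if p["nf_type"] in POI_NF_TYPES]

    def _ensure_provisioned(self, nf_id):
        missing = set(self.warrants) - self.provisioned.get(nf_id, set())
        return [self._provision(nf_id, w) for w in self.warrants if w in missing]

    def on_li_si(self, event, profile):
        """Handle one LI_SI notification; returns the LI_X1 actions the LIPF would take."""
        nf_id, nf_type = profile["nf_instance_id"], profile["nf_type"]
        if event == "NF service registration":
            self.nfs[nf_id] = profile
            return self._ensure_provisioned(nf_id) if nf_type in POI_NF_TYPES else []
        if event == "NF service update":
            old = self.nfs.get(nf_id, {})
            self.nfs[nf_id] = profile
            if old.get("li_x1_address") == profile.get("li_x1_address"):
                return []
            # the POI endpoint moved: re-push the intercepts to the new address
            return [self._provision(nf_id, w, "LI_X1 re-provision")
                    for w in sorted(self.provisioned.get(nf_id, set()))]
        if event == "NF service deregistration":
            self.nfs.pop(nf_id, None)
            return [("LI_X1 deprovision", nf_id, w)
                    for w in sorted(self.provisioned.pop(nf_id, set()))]
        if event == "NF service chain change":
            # An NF added to a service chain may start handling the target's traffic;
            # an NF removed from it keeps its provisioning until it deregisters.
            if profile.get("change") == "added" and nf_id in self.nfs and nf_type in POI_NF_TYPES:
                return self._ensure_provisioned(nf_id)
            return []
        raise ValueError(f"unknown LI_SI event: {event}")
```

The ordering matters for coverage: a warrant added before an NF registers is delivered by the registration handler, and one added afterwards by `add_warrant`, so in either order the NF holds the warrant before the NRF can select it for the target.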

6.2.6.3  LI_SI parameters

The notifications reported over LI_SI by the SIRF shall include the following information elements:

6.2.7  External data storage

The UDSF or UDR as defined in TS 23.501 are used to externally store data relating to one or more NFs, separating the compute and storage elements of an NF. Where the NF contains a POI the following restrictions on the use of the UDSF/UDR shall apply:
  • The UDSF/UDR shall be subject to the same location, geographic, security and other physical environment constraints as the NF POI for which it is storing data.
  • No LI specific POI data (e.g. target list) shall be stored in the UDSF/UDR unless storage is directly under the control of the POI within the NF.
  • LI data stored in a UDSF/UDR shall only be accessible by the specific individual POI for which the UDSF/UDR is storing data and that data shall not be shared between POIs unless specifically authorised by the LICF within the ADMF.
  • By default, LI data shall not be stored in a UDSF/UDR which is shared by multiple NFs unless specifically authorised by the LICF.
  • Any storage of LI data outside of the POI in the UDSF/UDR shall be auditable by the LICF.
  • The interface between the POI/NF and the UDSF/UDR shall be protected such that an attacker cannot identify targeted users based on observation of this interface (i.e. access to the UDSF/UDR shall be identical for both intercepted and non-intercepted user communications).
  • The use and placement of a UDSF/UDR within an NF/POI design shall not introduce additional interception delay compared with non-separated compute and storage.
  • Where the POI requires access to NF data that is stored in the UDSF/UDR, non-LI network functions and processes or non-LI authorised personnel shall not be able to detect POI access to that data in the UDSF/UDR.
  • The POI and LICF/MDF shall be responsible for managing encryption of LI data stored for the POI in addition to any default encryption applied by the NF.
The above requirements shall apply when the UDSF/UDR provides data storage for a TF/NF.
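The following is an added example, not code from TS 33.127 or from any NF implementation, illustrating the two bullets above about keeping LI-specific data out of the UDSF/UDR and keeping storage access identical for intercepted and non-intercepted users. It contrasts an NF that writes an extra record only for a target's session (so the storage side can enumerate targets) with one that performs the same fixed-size write and read for every session and keeps intercept bookkeeping in POI-local memory, and it includes an audit in the spirit of the LICF's auditability requirement that compares the per-session access pattern. The in-memory store, the padded JSON record layout, the key naming and the session identifiers are assumptions made for this example; encryption of any LI data that does reach the store, required by the last bullet, is out of scope here.

```python
# Added example (not from TS 33.127): two ways an NF hosting a POI could use an external
# UDSF/UDR, and an audit for the clause 6.2.7 requirement that access to the store is
# identical for intercepted and non-intercepted users. The store, the record layout and
# the session identifiers are constructed for illustration.
import json

RECORD_SIZE = 256   # every NF record is padded to a fixed size so its length leaks nothing


class ExternalStore:
    """Stand-in for the UDSF/UDR; every access is logged so the pattern can be audited."""

    def __init__(self):
        self.rows = {}
        self.access_log = []    # (operation, key, size) as seen by the storage side

    def put(self, key, blob):
        self.access_log.append(("put", key, len(blob)))
        self.rows[key] = blob

    def get(self, key):
        blob = self.rows[key]
        self.access_log.append(("get", key, len(blob)))
        return blob


def _pad(record):
    raw = json.dumps(record, separators=(",", ":")).encode()
    if len(raw) > RECORD_SIZE:
        raise ValueError("record exceeds fixed size")
    return raw + b"\0" * (RECORD_SIZE - len(raw))


class LeakyNf:
    """Anti-pattern: an extra LI record is written only for a target's session, so
    whoever observes the UDSF/UDR can enumerate the intercepted users."""

    def __init__(self, store, targets):
        self.store, self.targets = store, targets

    def on_session(self, session_id, supi, ctx):
        self.store.put(f"sess:{session_id}", _pad({"supi": supi, **ctx}))
        if supi in self.targets:
            self.store.put(f"li:{session_id}", _pad({"supi": supi, "li": True}))


class UniformNf:
    """Compliant pattern: the NF record is written and read back the same way for
    every session; LI state stays under POI control and never reaches the store."""

    def __init__(self, store, targets):
        self.store, self.targets = store, targets
        self.poi_state = {}     # POI-local only

    def on_session(self, session_id, supi, ctx):
        self.store.put(f"sess:{session_id}", _pad({"supi": supi, **ctx}))
        rec = self.store.get(f"sess:{session_id}")     # identical read for everyone
        if supi in self.targets:
            self.poi_state[session_id] = rec           # intercept bookkeeping stays local


def access_signature(log, session_id):
    """The sequence of (operation, key class, size) the store saw for one session."""
    sig = []
    for op, key, size in log:
        key_class, _, sid = key.partition(":")
        if sid == session_id:
            sig.append((op, key_class, size))
    return tuple(sig)


def audit_uniform_access(store, session_ids):
    """LICF-style audit: returns the distinct access signatures across the sessions.
    Exactly one signature means the store cannot tell intercepted sessions apart."""
    return {access_signature(store.access_log, s) for s in session_ids}
```

The audit only looks at operation type, key class and size; timing and volume over time are further channels a real review would add, which is why the clause also forbids the UDSF/UDR from adding interception delay relative to non-separated storage.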