Content for  TS 33.127  Word version:  18.6.0

The term S8HR is used to denote the home-routed roaming architecture for VoEPS UEs. Within the VPLMN with S8HR, the IMS signalling messages are carried over the GTP tunnel that corresponds to the IMS signalling bearer and the media packets are carried over the GTP tunnel that corresponds to the media bearer. (i.e. a dedicated EPS Bearer is used to carry the media packets). The EPS Bearer ID of the IMS signalling bearer is always linked to the dedicated EPS Bearer used as a media bearer. The SGW/PGW within the EPC may implement control plane and user plane functions in a combined form or in a separated form. In a separated form, the SGW-C/PGW-C provides the control plane functions and SGW-U/PGW-U provides the user plane functions.

The present document specifies two options for implementing the LI functions for voice services with S8HR as the roaming architecture:

1. Use the capabilities specified below in the present document for stage 2 and in TS 33.128 for stage 3.
2. Use the capabilities defined in TS 33.107 and TS 33.108 natively as defined in those documents.

According to the present document, to provide the lawful interception of voice services in the VPLMN with S8HR, the architecture presented in Figure 7.4.7.4-1 is used with SGW-C providing the BBIFF-C and SGW-U providing the BBIFF-U functions. S8HR LI solution requires that Access Point Name (APN) can be identified as being used for S8HR and therefore can be used to identify that the EPS Bearers are used for inbound roamers with S8HR.

For the describing the S8HR LI process, the following terms apply:

• The packet data connection representing the IMS signalling channel referenced in clause 7.4.7.4.11 is referred to as IMS signalling bearer. This is also referred to as the default bearer and uses the QCI value of 5, GSMA IR.92 [26].
• The packet data connection representing the IMS media channel referenced in clause 7.4.7.4.11 is referred to as IMS media bearer. This is a dedicated bearer and uses the QCI value of 1 for voice media, GSMA IR.92 [26].
• The IMS signalling bearer and IMS media bearers are on separate GTP tunnels but are linked.

The S8HR LI process follows the steps described in clause 7.4.7.4.11 with the following specific aspects that apply to S8HR:

• The LIPF configures the BBIFF-C present in the SGW-C to notify the LMISF-IRI whenever an IMS signalling bearer or an IMS media bearer is created, modified, or deleted for S8HR inbound roaming UEs (i.e. the UEs that use S8HR APN).
• The BBIFF-C present in the SGW-C notifies the LMISF-IRI whenever it detects that such an IMS signalling bearer or an IMS media bearer is created, modified, or deleted.
• When the LMISF-IRI detects that IMS voice media interception is required, the LMISF-IRI instructs the BBIFF-C present in the SGW-C to deliver the user plane packets from the related IMS voice media bearer to the LMISF-CC.

The CC-POI and IRI-POI functions are provided by the embedded functions LMISF-CC and LMISF-IRI within the LMISF. As such the only interaction required between the two is to establish the correlation between the xCC and xIRI at an IMS session-leg level. The LMISF-IRI instructs the BBIFF-C present in the SGW-C to deliver the user plane packets (to LMISF-CC) from the IMS media bearer linked to the IMS signalling bearer when it determines that an IMS session is associated with a target and requires CC interception. The BBIFF-C forwards the instruction along with the linked IMS signalling bearer information to BBIFF-U present in the SGW-U.

During a session that involves the target UE, the SGW-C/SGW-U associated with the BBIFF-C/BBIFF U can change. To support the continued interception of IMS sessions, the BBIFF-C in the new SGW-C notifies the LMISF-IRI that a BBIFF relocation has occurred. The LMISF-IRI provides the functions described in clause 7.4.7.4.12 to support the continued and correlated interception for the CC.

The term N9HR is used to denote the home-routed roaming architecture for Vo5GS UEs. Within the VPLMN with N9HR, the IMS signalling messages and media packets are carried over the GTP tunnel that corresponds to the PDU session established for the UE for IMS based services. The IMS signalling packets and the media packets are on separate Quality of Service (QoS) Flows with specific 5QI values (5QI = 5 for IMS signalling and 5QI = 1 for voice, GSMA NG.114 [27]). The H-SMF in the HPLMN assigns a separate QoS Flow Index (QFI) for IMS signalling related packets and IMS voice related packets. The UPF in the VPLMN can isolate the IMS signalling and media related packets from user plane packets based on the QFI value.

To provide the lawful interception of voice services in the VPLMN with N9HR, the architecture presented in Figure 7.4.7.4-1 is used with SMF providing the BBIFF-C and UPF providing the BBIFF-U functions. N9HR LI requires that a Data Network Name (DNN) can be identified as being used for N9HR and therefore can be used to identify that PDU sessions are used for inbound roamers with N9HR. The BBIFF-C and BBIFF-U functions are provided by adopting a subset of LI functions defined for LI at SMF/UPF as defined in clause 6.2.3 and TS 33.128.

For the purposes of describing the N9HR LI process, the following terms apply:

• The packet data connection representing the IMS signalling channel referenced in clause 7.4.7.4.11 is referred to as PDU session with IMS signalling related QoS flow.
• The packet data connection representing the IMS media channel referenced in clause 7.4.7.4.11 is referred to as PDU session with IMS media related QoS flow.

The IMS signalling and the IMS voice media are on the same PDU session. The N9HR LI process follows the steps described in clause 7.4.7.4.11 with the following specific aspects that apply to N9HR:

• The LIPF configures the BBIFF-C present in the SMF to notify the LMISF-IRI whenever a PDU session is created, modified, or deleted for inbounding roaming UEs with an N9HR DNN.
• The BBIFF-C present in the SMF notifies the LMISF-IRI whenever it detects that a PDU session is created, modified, or deleted for inbound roaming UEs with N9HR DNN. The UE location information and the PDU session ID is included in such notifications.
• When the LMISF-IRI determines that IMS voice media interception is required, the LMISF-IRI instructs the BBIFF-C present in the SMF with the PDU session information that the IMS voice media related user plane packets from that PDU session are to be delivered to LMISF-CC.

The CC-POI and IRI-POI functions are provided by the embedded functions LMISF-CC and LMISF-IRI within the LMISF. As such the only interaction required between the two is to establish the correlation between the xCC and xIRI at an IMS session-leg level. The LMISF instructs the BBIFF-C present in the SMF to deliver to (to LMISF-CC) the IMS voice media related user plane packets from the PDU session associated with the intercepted IMS session. The BBIFF-C present in the SMF forwards the instruction along with the PDU session information to BBIFF-U present in the UPF.

During a session that involves the target UE, the SMF that has the BBIFF-C, or the UPF that has the BBIFF-U can change. To support the continued interception of IMS sessions, the BBIFF-C in the new SMF notifies the LMISF-IRI that a BBIFF (i.e., SMF or UPF) relocation has occurred. The LMISF-IRI provides the functions described in clause 7.4.7.4.12 to support the continued and correlated interception of CC.

With home-routed roaming architecture, all the IMS Signalling Functions and IMS Media Functions reside in the HPLMN. National regulations may still require the VPLMN to have the capabilities to perform the lawful interception of voice services involving the inbound roaming targets. The LI capabilities provided in the VPLMN with home-routed roaming architecture shall be to the same extent as the LI capabilities provided in the VPLMN with LBO approach as the roaming architecture. The IMS signalling messages are exchanged between the UE and the P-CSCF (in HPLMN) and the media is exchanged between the UE and the IMS-AGW (in HPLMN).

To provide the lawful interception of voice services in the VPLMN with home-routed roaming architecture, new LI-specific functions are introduced to examine the packets that flow through the VPLMN packet core network functions in order to generate IRI and CC when the communication involves an inbound roaming target. Figure 7.4.7.4-1 shown below illustrates a generic LI architecture for home-routed roaming architecture in the VPLMN.

The target identifiers used for inbound roaming UEs are same as the identifiers used for IMS sessions in the VPLMN with LBO as the roaming architecture. See clause 7.4.2.2 for further details.

Depending on the session direction, different SIP parameters are used to identify the target. The SIP parameters used to identify the target can be different from the SIP parameters used to identify a target at the P-CSCF (with LBO as the roaming architecture). Further details on the use of SIP parameters in identifying a target are described in TS 33.128.

The IRI events are same as the xIRI defined for IMS sessions in the VPLMN with LBO as the roaming architecture. See clause 7.4.3.2 for details.

The IRI parameters are the same as those defined for IMS sessions in the VPLMN with LBO as the roaming architecture. See clauses 7.4.3.3 and 7.4.3.4 for details.

The LMISF-IRI instructs the BBIFF-C (over the LI_T1 interface) to deliver the IMS media packets when it determines that an IMS session is associated with a target and requires CC interception. The BBIFF-C forwards the instruction to BBIFF-U over the LI_T3 interface.

The CC parameters are the same as those defined for IMS sessions in the VPLMN with LBO as the roaming architecture. See clause 7.4.4.3 for details.

The LMISF assigns the correlation number for an IMS session and uses the same correlation number in the associated xIRI and xCC. The interaction between the LMISF-IRI that generates the xIRI and LMISF-CC that generates the xCC is an internal function of LMISF.

The additional LI specific functions and interfaces introduced to support the LI with home-routed roaming architecture shown in Figure 7.4.7.4-1 are listed below:

• LMISF (LI Mirror IMS State Function): A logical LI specific function that provides the IMS state function for LI purposes. The LMISF provides the IRI-POI and CC-POI functions. The LMISF also initiates the required trigger for IMS media interception. The LMISF may be viewed as consisting of two embedded functions: 1) LMISF-IRI (handling the IMS signalling related LI functions, i.e. IRI-POI), 2) LMISF-CC (handling the IMS media related LI functions, i.e. CC-POI). The interface between the two embedded functions is not defined.
• BBIFF (Bearer Binding Intercept and Forward Function): Binds the IMS signalling and media to the LMISF for interception purpose. The BBIFF may be split into two BBIFF-C and BBIFF-U, with the former present in the NF that provides the control plane related functions and the latter present in the NF that provides the user plane related functions associated with the inbound roaming UEs.
• LI_X2_LITE: Used to carry the control plane information (e.g. packet data connection related notifications, UE location) from BBIFF-C to LMISF-IRI.
• LI_X3_LITE_S: Used to forward the IMS signalling related user plane packets of inbound roaming UEs from BBIFF-U to the LMISF-IRI.
• LI_X3_LITE_M: Used to forward the IMS media related user plane packets of inbound roaming target UE from BBIFF-U to the LMISF-CC.
• LI_T1: Used to instruct the BBIFF-C that user plane packets of the associated IMS media need to be captured and delivered to the LMISF-CC.
• LI_T3: Used to instruct the BBIFF-U to capture and deliver the selective user plane packets of inbound roaming UEs to the LMISF.

The user plane packets reported by BBIFF-U include the IMS signalling related packets and IMS media related packets. A condition required for this LI architecture is that LMISF shall have access to the IMS signalling messages and the IMS media packets in an unencrypted form.

The following steps happen for all home-routed inbound roaming UEs irrespective of whether those UEs are associated with a target:

• The LIPF configures the BBIFF-C (over LI_X1 interface) to notify the LMISF-IRI whenever home-routed inbound roaming UEs establish, modify or delete the IMS signalling and the IMS media channels. The UE exchanges the IMS signalling messages with the P-CSCF residing in the HPLMN over the IMS signalling channel and IMS media with the IMS-AGW residing in the HPLMN over the IMS media channel. The LIPF also provides the same information to LMISF-IRI (over LI_X1 interface) in order to let it know the notifications to be expected from the BBIFF-C.
• The BBIFF-C notifies the LMISF-IRI (over LI_X2_LITE interface) whenever the IMS signalling channel or the IMS media channel is established, modified or deleted for home-routed inbound roaming UEs. The UE location information is included in such notifications. The BBIFF-C instructs the BBIFF-U (over LI_T3 interface) to deliver the appropriate IMS signalling related user plane packets to the LMISF-IRI.
• The BBIFF-U delivers the IMS signalling related user plane packets to the LMISF-IRI (over the LI_X3_LITE_S interface).

The following steps are performed for the target UEs:

• The LIPF provisions the LMISF-IRI, MDF2 and MDF3 (over LI_X1 interface) with the IMS target information.
• When the received user plane packets from the BBIFF-U represent IMS signalling messages associated with a target, the LMISF-IRI generates the xIRI and delivers them to the MDF2 over the LI_X2 interface.
• Upon identifying that IMS signalling messages are associated with a target that requires CC interception, the LMISF-IRI instructs the BBIFF-C (over LI_T1 interface) that the user plane packets that represent associated IMS media (i.e. from the IMS media channel associated with the IMS signalling channel) are to be delivered to LMISF-CC.
• The BBIFF-C instructs the BBIFF-U (over LI_T3 interface) to deliver user plane packets that represent the associated IMS media to the LMISF-CC.
• The BBIFF-U delivers the indicated user plane packets that represent the IMS media to the LMISF-CC (over LI_X3_LITE_M interface). The LMISF-CC generates xCC from the received IMS media related user plane packets and delivers them to the MDF3 over LI_X3 interface along with the information that correlates the xCC with the xIRI.
• When all IMS sessions for a target UE have ended, LMISF-IRI instructs the BBIFF-C (over LI_T1 interface) to stop the delivery of IMS media related user plane packets. Upon receiving such a notification, the BBIFF-C instructs the BBIFF-U (over LI_T3 interface) to stop the delivery of the IMS media related user plane packets to the LMISF-CC.

The LMISF-IRI stores the IMS signalling messages received from the BBIFF-U for a potential future LI activation (i.e. mid-call interception). Furthermore, the xCC generated from the IMS media related user plane packets may be associated with different session-legs, and hence may have different correlation numbers. When the inbound roaming UE deregisters for the IMS signalling (i.e. with HPLMN), the LMISF shall ensure that deregistration is mirrored in its own maintained state for that UE.

During a session that involves the target UE, the network function associated with the BBIFF-C, or the BBIFF U can change. The lawful interception of IMS sessions involving a target shall continue when such a relocation happens. The xIRI and xCC delivered before and after the relocation shall be correlated. To support the continued interception of IMS sessions, the BBIFF-C in the new network function notifies the LMISF-IRI (over LI_X2_LITE interface) that a BBIFF relocation has occurred. The LMISF-IRI provides the following functions to support the continued and correlated interception of CC:

• When a notification is received from the BBIFF-C that a BBIFF relocation has occurred, examine to see whether any IMS session is setup for the UE and is being intercepted.
• If an intercepted IMS session is setup, examine to see whether a CC interception for that IMS session is required.
• If the intercepted IMS session requires CC interception, inform the new BBIFF-C (over the LI_T1 interface) with an instruction that the user plane packets that represent associated IMS media are to be delivered to LMISF-CC.

Further handling of CC interception is as defined in clause 7.4.7.4.11.