The Administration Function (ADMF) provides the CSP's administrative and management functions for the LI capability.
The ADMF's primary roles and responsibilities include:
The logical point of contact from the LEA to the CSP via LI_HI1 for Lawfully authorised requests (e.g. warrant).
Maintaining the CSP / LEA mutually agreed unique Lawful Interception IDentifier (LIID) for the warrant which is used for all corresponding LI_HI2, LI_HI3, and LI_HI4 communications for warrant correlation.
CSP administration and local management of the warrant including start/stop times, filter criteria, LEA policy toggles, etc.
Deriving internal information (ID mappings, potential POIs, etc.) from the warrant.
For virtualised instances, verifying the authenticity/integrity of CSP LI functions (e.g. LI function's software image) prior to instantiation, see e.g. ETSI NFV-SEC 011  or equivalent.
When required, providing keys to newly instantiated LI functions to enable decryption of LI specific software.
LI functions physical location policy control ensuring LI functions are within the legal location policy of the warrant.
LI Certificate Authority (LI CA, sub-CA of the CSP root CA) for issuing certificates to LI functions as part of their LI provisioning via LI_X0 interface, see clause 188.8.131.52.
Provisioning of all required and valid LI functions instantiated by the CSP network.
Maintaining the master list of all authorised and provisioned LI functions.
Managing the termination of LI instances across all impacted LI functions when the warrant expires or the LEA specifically requests termination of a LI instance.
Certificate revoking when the LI function is terminated or the LI function is de-instantiated.
Maintaining the status of the warrant execution within the CSP (e.g. accepted, pending/provisioning, active, suspended, de-provisioned, etc.).
As agreed between the LEA and CSP, reporting warrant execution status changes to the LEA as well as responds to warrant audit requests from the LEA.
This annex presents a means within current ETSI and 3GPP specifications to support the temporary suspension (suspend) and subsequent resuming (resume) of a Lawful Intercept. Temporary suspension of LI is either directly initiated by the LEA or automatically initiated based on predefined criteria/policy between the LEA and CSP as part of the warrant. This clause only addresses the case of LEA initiated temporary suspension of the delivery of LI product to the LEA.
The underlying baseline is that a Lawful Intercept has been fully authorised and established between the LEA and the CSP via LI_HI with an agreed LIID to map the warrant to the CSP provided LI product via LI_HI2, LI_HI3 and LI_HI4.
The LEA may request that this active LI instance be temporarily suspended. This means, at a minimum, that the CSP no longer delivers (or buffers) LI product to the LEA.
LEA initiated LI suspension may involve the following steps:
The LEA, via LI_HI1, sends an Update Request, referencing the intercept, with the DesiredStatus of Suspended; reference ETSI TS 103 120 .
The ADMF, via LI_X1, deactivates/deprovisions the required LI Functions, reference ETSI TS 103 221-1 . These LI Functions then locally fully delete the active intercept as required and hence stops any subsequent LI_HI2/3 delivery.
The ADMF should maintain all the intercept warrant information of the original intercept, with the status advanced to Suspended.
The MDFs for which the intercept instance has been de-activated send an LI_HI4 deactivation notification to the LEMF.
The ADMF sends an Update Response message to the LEA, via LI_HI1, with a status of Suspended.
To resume the LI product delivery, this may involve the following steps:
The LEA sends the CSP, via LI_H1, an Update Request, referencing the original intercept, with the DesiredStatus of Active. This is equivalent to the initial LI activation but without having to repeat all the warrant information in the original intercept request, and the existing LIID is maintained. Sessions that were active before the intercept suspension that are still active when resumed, or new sessions initiated while the intercept is resumed, are handled as per mid-call intercept activation.
The ADMF, via LI_X1, re-provisions the de-activated LI Functions just as for a new intercept to re-instantiate the intercept.
The re-provisioned MDFs send an LI_HI4 activation notification to the LEMF.
The ADMF sends an Update Response message to the LEA, via LI_HI1, with a status of Active.
If the intercept (warrant) timespan expires or the LEA directly requests intercept deactivation while the intercept is in a suspended state, all remaining LI Functions are deactivated/deprovisioned and the rest of LI instance is taken down as per usual warrant deactivation.