1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
|
Network Working Group F. Baker
Request for Comments: 3924 B. Foster
Category: Informational C. Sharp
Cisco Systems
October 2004
Cisco Architecture for Lawful Intercept in IP Networks
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
IESG Note
This RFC is not a candidate for any level of Internet Standard. The
IETF disclaims any knowledge of the fitness of this RFC for any
purpose, and in particular notes that the decision to publish is not
based on IETF review for such things as security, congestion control
or inappropriate interaction with deployed protocols. The RFC Editor
has chosen to publish this document at its discretion. Readers of
this document should exercise caution in evaluating its value for
implementation and deployment.
Abstract
For the purposes of this document, lawful intercept is the lawfully
authorized interception and monitoring of communications. Service
providers are being asked to meet legal and regulatory requirements
for the interception of voice as well as data communications in IP
networks in a variety of countries worldwide. Although requirements
vary from country to country, some requirements remain common even
though details such as delivery formats may differ. This document
describes Cisco's Architecture for supporting lawful intercept in IP
networks. It provides a general solution that has a minimum set of
common interfaces. This document does not attempt to address any of
the specific legal requirements or obligations that may exist in a
particular country.
Baker, et al. Informational [Page 1]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Motivating the Architecture . . . . . . . . . 3
1.2. Document Organization. . . . . . . . . . . . . . . . . . . 4
2. Reference Model . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Reference Model Components . . . . . . . . . . . . . . . . 6
2.2. Operational Considerations . . . . . . . . . . . . . . . . 7
3. Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. Content Intercept Request Interface. . . . . . . . . . . . 9
3.2. Intercept Content Interface (f). . . . . . . . . . . . . . 10
4. Applying the Reference Model. . . . . . . . . . . . . . . . . . 11
4.1. Voice over IP networks . . . . . . . . . . . . . . . . . . 11
4.1.1. Interception of Voice over IP Services. . . . . . . 11
4.1.2. Local Voice Services. . . . . . . . . . . . . . . . 12
4.2. Data Services. . . . . . . . . . . . . . . . . . . . . . . 13
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 13
5.1. Content Request Interface (d) - SNMPv3 Control . . . . . . 14
6. Informative References. . . . . . . . . . . . . . . . . . . . . 14
7. Acronyms. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . 17
9. Full Copyright Statement. . . . . . . . . . . . . . . . . . . . 18
1. Introduction
For the purposes of this document, lawful intercept is the lawfully
authorized interception and monitoring of communications of an
intercept subject. The term "intercept subject", "subject", "target
subscriber" or "target" in this document refers to the subscriber of
a telecommunications service whose communications and/or intercept
related information (IRI) has been lawfully authorized to be
intercepted and delivered to some agency. Note that although the
term "Law Enforcement Agency" (LEA) is used throughout this document,
this may refer to any agency that is able to request lawfully
authorized interception.
By intercept related information (IRI) we mean information related to
the IP traffic of interest. There is currently no standardized
definition for IRI for IP traffic. IRI has been defined for a few
services that might run over IP (e.g., Voice over IP) or that IP runs
on top of (e.g., GPRS). For example, IRI for voice over IP could be
the called and calling phone numbers. The definition of IRI from
[14] is shown below:
Baker, et al. Informational [Page 2]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
Intercept Related Information: collection of
information or data associated with
telecommunication services involving the target
identity, specifically communication associated
information or data (e.g., unsuccessful
communication attempts), service associated
information or data and location
information.
Service providers are being asked to meet legal and regulatory
requirements for the interception of voice as well as data
communications in IP networks in a variety of countries worldwide.
Although requirements vary from country to country, some requirements
remain common even though details such as delivery formats may
differ. This document describes Cisco's Architecture for supporting
lawful intercept in IP networks. It provides a general solution that
has a minimum set of common interfaces. This document does not deal
with legal requirements or obligations.
This document describes one method for supporting lawful intercept.
Other methods may be available.
The IESG wishes to draw the reader's attention to RFC 2804 [15] for a
description of why architectures such as these are vendor-specific,
rather than a topic of standardization for the IETF.
1.1. Requirements Motivating the Architecture
The purpose of the following list of requirements is to provide an
understanding of the motivation behind the architecture and some of
the requirements imposed on components and interfaces that are
described in the later sections of the document. This does not imply
any legal requirements on service providers or equipment vendors
although such requirements may coincide.
Note that there are a variety of requirements that have been defined
for lawfully authorized intercept throughout the world. Some of
these have been defined by standards bodies (e.g., [13]), while
others are country specific. The following itemized list is a
distillation of some of these, although a given item may or may not
apply to a specific country:
* Lawful Intercept (LI) should be undetectable by the intercept
subject.
Baker, et al. Informational [Page 3]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
* Mechanisms should be in place to limit unauthorized personnel from
performing or knowing about lawfully authorized intercepts.
* There is often a requirement (especially for telecommunications
services) to provide intercept related information (IRI)
separately from the actual Internet Protocol (IP) traffic (or
content) of interest (Note: some authorizations may be restricted
to IRI).
* If IRI is delivered separately from content, there should be some
means to correlate the IRI and the content with each other.
* If the information being intercepted is encrypted by the service
provider and the service provider has access to the keys, then the
information should be decrypted before delivery to the Law
Enforcement Agency (LEA) or the encryption keys should be passed
to the Law Enforcement Agency to allow them to decrypt the
information.
* If the information being intercepted is encrypted by the intercept
subject and its associate and the service provider has access to
the keys, then the service provider may deliver the keys to the
LEA.
* There is often a requirement for a service provider to be able to
do multiple simultaneous intercepts on a single subject. The fact
that there are multiple intercepts should be transparent to the
LEAs.
* There is often a requirement that the service provider should not
deliver any unauthorized information to the LEA.
The architecture and interfaces described in this document attempts
to address these requirements.
1.2. Document Organization
Section 1 of this document lists requirements motivating the
architecture. Section 2 of this document describes a reference model
along with some operation considerations. Section 3 provides more
detailed requirements on the interfaces related to content
interception. Section 4 applies the reference model to voice over IP
and data intercepts and Section 5 examines security considerations.
Baker, et al. Informational [Page 4]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
2. Reference Model
This section describes a generic reference model (Figure 1) for
lawful intercept.
+--------------------+ +-----+
| LI Administration | HI1(a) | |
| Function |<--------------| |
+--------------------+ | |
| | |
| MD Provisioning | |
| Interface(b) | LEA |
v | |
+-----------+ +--------------------+ | |
| |<---(c)----| | | |
| IRI IAP |--IRI(e)-->| Mediation |----HI2(g)--->| |
| | | Device (MD) | | |
+-----------+ | |----HI3(h)--->| |
+--------------------+ +-----+
| ^
Intercept | | Intercepted
Request(d) | | Content(f)
| |
v |
+--------------------+
User | Content | User
------->| IAP |-------->
Content +--------------------+ Content
Figure 1: Intercept Architecture
A brief description of the interfaces is included in table 1 below.
For a more detailed description of the interfaces refer to section 3.
For a description of the components refer to section 2.1.
Table 1 LI Interfaces
Interface Description
--------------------- -------------------------------------------
(a) HI1 Handover Interface 1 - Administration
Interface: The LEA provides intercept
information to the service provider
administration function.
(b) MD Provisioning Mediation Device provisioning interface.
Parameters include: target identifier,
duration of intercept, type of intercept,
etc.
Baker, et al. Informational [Page 5]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
(c) IRI IAP Provisioning Specifies Target identifier, duration,
etc. for provisioning of delivery of
Intercept Related Information (IRI).
(d) Content Intercept Provisioning of the Content IAP.
Provisioning
(e) IRI to MD Internal interface between IRI Intercept
Access Point (IAP) and Mediation device
(MD) for delivery of IRI.
(f) Content to MD Internal interface between content
IAP and MD for delivery of Content.
(g) HI2 Handover Interface 2: Interface between
the MD and LEA for delivering IRI. This
interface may vary from country to
country.
(h) HI3 Handover Interface 3: Interface between
the MD and LEA for delivering Content.
This interface may vary from country to
country.
2.1. Reference Model Components
A brief description of the key components in the reference model is
as follows:
Lawful Intercept (LI) Administration Function:
This function provides the (typically manual) provisioning
interface for the intercept as a result of a court order or
warrant delivered by the Law Enforcement Agency (LEA). It could
involve separate provisioning interfaces for several components,
but more typically is a single interface to the Mediation Device
(MD), which then takes care of provisioning of other components in
the network. Because of the requirement in some laws to limit
accessibility to authorized personnel, the provisioning interface
has to be strictly controlled. In many cases, the identity of the
subject received from the LEA has to be translated into an
identity that can be used by the network to enable the intercept.
Intercept Access Point (IAP):
An IAP is a device within the network that is used for
intercepting lawfully authorized intercept information. It may be
an existing device that has intercept capability or it could be a
Baker, et al. Informational [Page 6]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
special device that is provided for that purpose. Two types of
IAP's are discussed here: IAP's that provide content; and IAP's
that provide intercept related information (IRI).
Content IAP:
A content IAP is an IAP that is used to intercept the IP traffic
of interest.
IRI IAP: This is an IAP that is used to provide intercept related
information (IRI).
Law Enforcement Agency (LEA):
This is the agency that has requested the intercept and to which
the service provider delivers the information.
Mediation Device (MD):
The MD requests intercepts from IAPs through interfaces (c) and
(d) in Figure 1. The Mediation Device receives the data from the
IAP, packages it in the correct format (which may vary from
country to country) and delivers it to the LEA. In the case where
multiple law enforcement agencies are intercepting the same
subject, the mediation device may replicate the information
multiple times. The assumption is that the service provider
operates the MD (via specially authorized personnel) and that the
LEA only has access to interfaces (a), (g) and (h) in Figure 1.
2.2. Operational Considerations
In a typical operation, a lawfully authorized surveillance request
arrives for a specified intercept subject. Authorized personnel
provision the intercept using interface (b) in Figure 1, which may be
for content only, IRI only or both. Once the intercept is
provisioned, the IAP's send the IRI and/or content to the MD, which
formats the information into the appropriate format for delivery to
the LEA. Some operational issues that need to be considered:
* Location and Address Information for Content Intercepts: In some
cases where the location and/or addressing information for the
intercept is not known until the subject registers (or makes a
call in the case of voice), the IRI may provide needed information
in order to do the content tap (e.g., the IP address and port for
the content streams).
* Content Encryption: If the intercept content is encrypted and the
service provider has access to the encryption keys (e.g., receives
keys in Session Description Protocol for Voice over IP), then the
keys can be sent via IRI. It is, however, possible for end-users
to exchange keys by some other means without any knowledge of the
Baker, et al. Informational [Page 7]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
service provider in which case the service provider will not be
able to provide the keys. Content transformations could make
decryption at the LEA impossible. This is why the original
packets are provided on interface (f) rather than attempting to
convert them to some other format.
* Detection by the Intercept Subject: One requirement is to ensure
that the intercept subject is unable to detect that they are being
intercepted. This document assumes a sophisticated subject:
- Able to check IP addresses, use traceroute, etc.
- Able to check if any unusual signaling is occurring on their
customer premises equipment (CPE).
- Able to detect degradation or interruptions in service.
This is why the intercept mechanism described here does not
involve special requests to the CPE, re-routing of packets or
end-to-end changes in IP addresses. Instead, content intercept is
done on a device along the normal content path (i.e., no re-
routing has occurred) that is within the service provider's
network. A convenient content IAP is a router or switch at the
edge of the service provider's network to which the intercept
subject connects. This is illustrated in Figure 2.
|
Customer Premises | Service Provider's Network
|
+-------+
+-----+ | |
| CPE |-------------| Router|----------
+-----+ | (IAP) |
| |
+-------+
Figure 2 Content IAP - Router
Another possibility of course is to provide a special device along
the path to provide the content IAP capabilities.
Note that in the case where there is multi-homing (two or more
routers connected to provide access for the CPE), intercept taps
may have to be installed on more than one access router. If the
CPE is multi-homed to multiple service providers, then the
intercept will have to be installed on each service provider
separately and the LEA will have to correlate the data.
Baker, et al. Informational [Page 8]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
* Unauthorized Creation and Detection: Another concern is the
prevention of unauthorized creation and detection of intercepts.
This is particularly important when a network element such as a
router is used as a content IAP. Those routers that have the
capability should be carefully controlled with access to intercept
capability and information only via authorized personnel. In one
approach using the reference model in Figure 1, the MD is in a
controlled environment and the MD does the intercept request to
the content IAP over an encrypted link. Logging and auditing are
used to detect unauthorized attempts to access the intercept
capability.
* Capacity: Support for lawful intercept on a network element
supporting customers consumes resources on that equipment.
Therefore, support for lawful intercept requires capacity planning
and engineering to ensure that revenue-producing services are not
adversely affected.
3. Interfaces
This section provides a brief description of the interfaces in the
reference model (Figure 1). A list of these interfaces is included
in Table 1 in Section 2.
One of the objectives in defining these interfaces is to keep the
internal interfaces (b to f) the same regardless of country-specific
requirements. The MD then formats the IRI and the content to meet
the country specific requirements for interfaces (g) and (h).
3.1. Content Intercept Request Interface
This section describes some of the requirements for the content
intercept request interface (d) in Figure 1. It makes use of a
common request protocol (SNMPv3) regardless of the type of
application (e.g., voice, data) and suggests the usage of a TAP-MIB,
which is defined in a separate document [1]. Some of the
considerations that lead to the use of SNMPv3 and to the definition
of the specific Management Information Base (MIB) defined in [1] are
provided here.
In order to provide a generic interface for intercepting,
replicating, encapsulating and transporting content packets to the
MD, the content intercept interface ((d) in Figure 1) should specify:
* A Filter specification for classifying the packets to be
intercepted.
* The destination address of the MD (where to send the packets).
Baker, et al. Informational [Page 9]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
* Encapsulation and Transport parameters.
In addition, a timeout value for the intercept should also be
specified. This defines a limited lifetime for the intercept so that
failures will not result in intercepts remaining beyond their
authorized lifetime. If a failure of the MD occurs such that it is
not able to supply the refresh to the timeout, then the intercept
will cease to exist after the timeout expires. Similarly, if the IAP
re-boots, then the intercept will not survive the re-boot unless the
IAP is capable of ascertaining that the intercept lifetime
requirements will continue to be met.
In order for this to work, it must be possible for the mediation
device to realize that there is a failure in the IAP such that it
must re-establish the intercept. This may be in the form of an audit
(from the MD to the IAP), or in the form of a heartbeat mechanism in
the content stream, or both.
3.2. Intercept Content Interface (f)
The encapsulation method should retain all of the information in the
original packets (source and destination addresses as well as
payload) and provide an identifier for correlating the packets with
the IRI. One encapsulation that meets those requirements is
described in Section 4 of [2]. For non-voice intercepts, the
"Intercepted Information" field in Table 1 of [2] contains the
original intercepted IP packet.
Note, however, that the interface defined in [2] is based on UDP
which is an unreliable and unordered transport protocol (i.e.,
provides neither retransmission on detection of errors nor ordering
of data). If this transport is used, the underlying network (Layers
1 - - 3) should be engineered to meet the overall reliability
requirements for delivery of content.
If a more reliable transport protocol is required, then a mechanism
that provides timely delivery as well as limits the burden (both
processing and buffering) on the Content IAP should be used. One
mechanism that meets these requirements is a NACK-oriented
retransmission scheme based on [12].
If [12] is used, the call content channel identifier may be placed in
the SSRC field of the encapsulating RTP packet. The payload type may
be used to identify the type of packet encapsulated in RTP (e.g., IP,
PPP, Ethernet MAC). Note that usage of [12] is still under
investigation and may need further specification. Usage of [12] in
the content IAP places more processing burden on the content IAP than
a UDP-based intercept and can affect the capacity of the content IAP.
Baker, et al. Informational [Page 10]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
4. Applying the Reference Model
This section applies the reference model to some example
applications.
4.1. Voice over IP networks
This section will look at some of the issues surrounding interception
of voice over IP calls, taking local voice services as a specific
service example. The reference model from Figure 1 will be applied
with the use of a common set of interfaces that are independent of
the call signaling protocols in use.
4.1.1. Interception of Voice over IP Services
There are a variety of architectures in use for voice over IP (e.g.,
centralized versus distributed) as well as various protocols (SIP
[6], H.323 [9], MGCP [7], H.248 [8]). There are also a variety of
services that may be offered:
* Local Voice Services (i.e., service to a user that has an IP phone
or a phone connected to a gateway)
* Transit services
* Long distance access services (e.g., calling/debit card).
This document does not address any obligations that a service
provider might or might not have to support intercepts. It simply
describes how intercept might be done using the reference model in
Figure 1.
Note that in the case of services where the intercept subject
accesses the network via a non-IP endpoint (e.g., TDM), the
detectability issue is less acute (e.g., re-routing of packets to
intercept them in a special device is a possible option), since the
intercept subject does not have access to the IP addresses or to
traceroute.
However, in the case of local services, this is a much more difficult
problem. The intercept for a call originating and terminating on-net
(i.e., a call that is voice over IP end-to-end) has to be intercepted
along its normal route in order to be undetectable. In addition, the
call-forwarding feature that is often provided as a local service
feature makes interception even more difficult: If call forwarding is
invoked, a call that was intended to terminate on the intercept
subject may be forwarded anywhere in the network resulting in the
media stream bypassing the original content IAP (since in voice over
Baker, et al. Informational [Page 11]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
IP, the media stream goes directly from end-to-end). Also, since
call forwarding can often be set up on a call-by-call basis, the
location of the content IAP will often not be known until the call is
set up.
4.1.2. Local Voice Services
This sub-section will look at the specific case in which the
intercept subject under surveillance is being provided with a local
voice service by the same provider that also provides the network
access (e.g., controls the edge router or switch). This is an
important assumption, since in VoIP the entity providing call control
(e.g., SIP server) can be totally separate from the entity providing
network access (e.g., operates edge routers).
Suppose that a subscriber that subscribes to a local (e.g.,
residential) voice service is a target for a lawfully authorized
surveillance. Part of the system providing these services is a
subscriber database that includes addressing information about the
subscriber as well information on what features are in effect (e.g.,
call forwarding). Some call control entity (CCE) accesses that
database in order to provide local services. For example, if the
subject has call forwarding invoked, that fact (and where to forward
the call) is indicated in the subscriber database. A call arriving
at the CCE that "owns" that subscriber can then take the appropriate
action (e.g., forward the call).
The CCE that "owns" the target subscriber (which could be an H.323
gatekeeper, a SIP proxy or a Media Gateway Controller) is provisioned
with the intercept parameters (e.g., subject identification
information such as the telephone number and where to deliver the
IRI). The provisioning of this CCE could be through interface (c) in
Figure 1. The CCE in question is the IRI IAP and once provisioned,
it passes the IRI to the MD. In the scenario being discussed, the
CCE typically remains in the signaling path throughout the call, even
in the call-forwarding case. Part of the IRI it passes to the MD is
the media signaling information (i.e., SDP [11] or H.245 [10]), which
includes endpoint IP address and port information for the media
(content) streams. Armed with this media address information, the MD
can determine the content IAP (e.g., [5]) and make the request via
interface (d). The request identifies the voice stream to be
intercepted based on information received in the call signaling
(i.e., IP addresses and UDP port numbers).
Note that the content IAP in the case of voice over IP could be an
edge router or a PSTN gateway (e.g., a call from the PSTN forwarded
to the PSTN). SIP, H.323, MGCP or H.248 call signaling protocols
could be used. However, the protocol (SNMPv3 [1]) used for interface
Baker, et al. Informational [Page 12]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
(d), is not dependent on the type of call signaling protocol used;
nor is the encapsulation format and transport protocol (interface
"f"). The same reference model (Figure 1) with the same interfaces
can be used for lawfully authorized surveillance, regardless of the
signaling protocol and regardless of the type of service being
provided (Note: even though a local voice service was used in this
example, other voice services could use the same model and
interfaces).
4.2. Data Services
The same model (Figure 1) can also be used for data services. In
this case the IRI IAP could be a server that acts as registration,
authentication and authorization point for the data service (e.g., a
RADIUS server). If a potential IRI IAP does not have the available
interfaces (c) and (e), the MD may have to do a content tap on
registration signaling in order to obtain the IRI.
The IRI in the case of a data service could include:
* The time that the user registered or de-registered for the
service.
* Addressing information (i.e., given the user identity, what IP
address or other information is available that could be used in
interface (d) to do the content tap).
Once suitable addressing information is available in order to do
content tapping the MD can invoke the tap via interface (d).
Clearly the IRI interfaces (c, e, g) are different for data than they
are for voice services. However, the content IAP is typically the
same (an edge router). Interfaces (d, f, and h) may also be the
same.
5. Security Considerations
Given the sensitive nature of lawful intercept (LI) -- both from the
standpoint of the need to protect sensitive data, as well as conceal
the identities of the intercept subjects, the LI solution should have
the ability to provide stringent security measures to combat threats
such as impersonation of MD's, privacy and confidentiality breaches,
as well as message forgery and replay attacks.
While this document doesn't discuss issues of physical security,
operating system, or application hardening within the principals of
the LI solution, they are clearly important. In particular, the MD
server would be considered a prime target for attacks.
Baker, et al. Informational [Page 13]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
In general, all interfaces should have the capability of providing
strong cryptographic authentication to establish the identity of the
principals, and be able to correlate the identity of the principal
with the action they are attempting to perform. All interfaces
should be capable of performing some sort of cryptographic message
integrity checking such as, for example, HMAC-MD5. Message integrity
checking can also be used to counter replay attacks. Privacy and
confidentiality considerations, may also require the use of
encryption.
The content and IRI IAPs also should also provide protection of the
identity of the intercept subject and the existence of an intercept.
5.1. Content Request Interface (d) - SNMPv3 Control
For interface (d,) native SNMPv3 security module mechanism is used.
The additional requirement is that the IAP should support the ability
to protect the TAP MIB's [1] from disclosure or control by
unauthorized USM [3] users. VACM [4] provides the necessary tools to
limit the views to particular USM users, but there are also special
considerations:
* The ability to limit access to the appropriate TAP MIB's by only
those SNMPv3 USM users which have keys established and the proper
VACM views defined.
* Segregation of the TAP MIB such that only operators of sufficient
privilege level can create VACM views that include the TAP MIB
[1].
6. Informative References
[1] Baker, F., "Cisco Lawful Intercept Control MIB", Work in
Progress, April 2004.
[2] PacketCable(TM) Electronic Surveillance Specification, PKT-SP-
ESP-I04-040723, http://www.packetcable.com/specifications/
[3] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
for version 3 of the Simple Network Management Protocol
(SNMPv3)", STD 62, RFC 3414, December 2002.
[4] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management Protocol
(SNMP)", STD 62, RFC 3415, December 2002.
Baker, et al. Informational [Page 14]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
[5] Warnicke, E., "A Suggested Scheme for DNS Resolution of Networks
and Gateways", Work in Progress.
[6] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[7] Andreasen, F. and B. Foster, "Media Gateway Control Protocol
(MGCP) Version 1.0", RFC 3435, January 2003.
[8] ITU-T Recommendation H.248.1, Gateway Control Protocol: Version
2, May 2002.
[9] ITU-T Recommendation H.323, Packet-based Multimedia
Communications Systems, July 2003.
[10] ITU-T Recommendation H.245, Control Protocol for Multimedia
Communications, July 2003.
[11] Handley, M. and V. Jacobson, "SDP: Session Description
Protocol", RFC 2327, April 1998.
[12] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. Hakenber,
"RTP Retransmission Payload Format", Work in Progress.
[13] ETSI TS 101 331, Telecommunications security; Lawful
Interception (LI); Requirements of law enforcement agencies.
[14] ETSI TS 33.108 v6.7.0, 3rd Generation Partnership Project;
Technical Specification Group Services and System Aspects; 3G
Security; Handover Interface for Lawful Interception (Release
6).
[15] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May 2000.
Baker, et al. Informational [Page 15]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
7. Acronyms
CCE Call Control Entity
CMTS Cable Modem Termination System
CPE Customer Premises Equipment
ETSI European Telecommunications Standards Institute
GPRS Generalized Packet Radio Service
HMAC-MD5 Hash-based Message Authentication Code -
Message Digest 5
IAP Intercept Access Point
IETF Internet Engineering Task Force
IRI Intercept Related Information
ITU-T International Telecommunications Union -
Telecommunications Sector
LEA Law Enforcement Agency
LI Lawful Intercept
MGCP Media Gateway Control Protocol
MD Mediation Device
MIB Management Information Base
NACK Negative Acknowledgement
PSTN Public Switched Telecommunications Network
RFC Request for Comment
RTP Real-time Transport Protocol
SDP Session Description Protocol
SIP Session Initiation Protocol
SSRC Synchronization Source
TDM Time Division Multiplex
UDP User Datagram Protocol
USM User Service Model
VACM View-based Access Control Model
VoIP Voice over IP
Baker, et al. Informational [Page 16]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
8. Authors' Addresses
Fred Baker
Cisco Systems
1121 Via Del Rey
Santa Barbara, CA 93117
US
Phone: +1-408-526-4257
Fax: +1-413-473-2403
EMail: fred@cisco.com
Bill Foster
Cisco Systems
Suite 2150
1050 West Pender St.
Vancouver, BC, V6E 3S7
Canada
Phone: +1-604-647-2315
EMail: bfoster@cisco.com
Chip Sharp
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709 USA
Tel:+1.919.392.3121
EMail: chsharp@cisco.com
Baker, et al. Informational [Page 17]
^L
RFC 3924 Architecture for Lawful Intercept October 2004
9. Full Copyright Statement
Copyright (C) The Internet Society (2004).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and at www.rfc-editor.org, and except as set
forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the ISOC's procedures with respect to rights in ISOC Documents can
be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Baker, et al. Informational [Page 18]
^L
|
