The IP Multimedia Subsystem (IMS) A Verint Systems Technical Brief January 2007


Table of Contents

Preface
  Acronyms
  Terms

Introduction

The Need for Lawful Interception in the IMS Era

IMS Challenges for LI
  Arbitrary Access Layer
  Multiple Functions Involved in the SIP Path
  Unlimited Applications Potential
  Multiple Dynamic Structured Subscriber Identities

IMS Technology
  IMS Functional Decomposition
    Control Plane
    Media Plane
  Other IMS Architectures

LI Solutions in the IMS Domain
  Separate IMS LI Domain
  Classical LI Architecture
  Basic Solution Types for IMS
    Guiding Rules
    Roamers Coverage
    Inter-Network Sessions
    Active Solutions
    Passive Solutions
    Hybrid Solutions
  Delivery Protocols

Case Studies
  Active Interception Example
  Passive Interception Example

Summary

This document contains confidential and proprietary information of Verint Systems Inc. and is protected by copyright laws and related international treaties. Unauthorized use, duplication, disclosure or modification of this document in whole or in part without the written consent of Verint Systems Inc. is strictly prohibited.

By providing this document, Verint Systems Inc. is not making any representations regarding the correctness or completeness of its contents and reserves the right to alter this document at any time without notice.

All marks referenced herein with the ® or TM symbol are registered trademarks or trademarks of Verint Systems Inc. or its subsidiaries. All rights reserved. All other marks are trademarks of their respective owners.

© 2007 Verint Systems Inc. All rights reserved.

ACSTG010107U

Preface

This white paper provides an overview of Lawful Interception (LI) in the IP Multimedia Subsystem (IMS) domain. Its intended audiences are Communication Service Providers (CSPs) and LI practitioners.

Below are lists of useful acronyms and terms related to this topic.

Acronyms

Acronym Description

3GPP Third-Generation Partnership Project

AS Application Server

B2BUA Back to Back User Agent

BGCF Breakout Gateway Controller Function

CDMA Code Division Multiple Access

CS Circuit Switch

CSCF Call Session Control Function

CSP Communication Service Provider

ETSI European Telecommunications Standards Institute

GGSN Gateway GPRS Serving Node

GPRS General Packet Radio Service

GSA Global System Administrator

GSM Global System for Mobile communications

GUI Graphical User Interface

HSS Home Subscriber Server

IMS IP Multimedia Subsystem

IMS MGW IMS Media Gateway

LEA Law Enforcement Agency

LI Lawful Interception

MGC Media Gateway Controller

MGCF Media Gateway Controller Function

MRFC Media Resource Function Controller

MRFP Media Resource Function Processor


NGN Next Generation Networks

PoC Push to talk Over Cellular

PS Packet Switch

SBC Session Border Controller

SDP Session Description Protocol

SGSN Serving GPRS Support Node

SGW Signaling Gateway

SIP Session Initiation Protocol

TISPAN Telecom & Internet converged Services & Protocols for Advanced Networks

UA User Agent

UE User Equipment

UMTS Universal Mobile Telecommunications System

VoIP Voice over IP

WCDMA Wideband

Terms

Term: Description

In-bound roamers: Subscribers of another CSP roaming in the network

Out-bound roamers: Subscribers of our CSP roaming in another network

Session Data: The data describing the SIP session containing information extracted from the control data in SIP messages

Session Content: The content of the session, such as voice and video

Subscriber Communications: The Session Data and Session Content of a particular subscriber session

Verint. Powering Actionable Intelligence.®

Verint® Systems Inc. (NASDAQ: VRNT) is a leading global provider of analytic software-based solutions for security and business intelligence. Verint solutions help organizations make sense of the vast amounts of voice, video and data available to them, transforming this information into actionable intelligence for better decisions and highly effective performance.

Since 1994, Verint has been committed to developing innovative solutions that help global organizations achieve their most important objectives. Today, organizations in over 50 countries use Verint solutions to enhance security, boost operational efficiency and fuel profitability.

Introduction

The IP Multimedia Subsystem (IMS) has become the leading architecture enabling communication service providers to offer VoIP and multimedia services. The IMS standards, which were developed by 3GPP and embraced by the European Telecommunications Standards Institute and the Telecom & Internet converged Services & Protocols for Advanced Networks (ETSI/TISPAN), are now becoming widely established. These standards have also been adopted by PacketCable, paving the way for future fixed-mobile convergence and Triple Play services. Designed to work with multiple access types, such as Global System for Mobile communications (GSM), Wideband (WCDMA), Code Division Multiple Access (CDMA) 2000, WiMax and Wireline broadband, IMS has become the solution of choice for many communication service providers as a substantial enabler of growth.

Most communication service providers envision the completion of the technological transition and full reliance on IMS-based services to be achieved by the end of the decade. However, no one wants to be late, and IMS currently reigns as the leading choice. Numerous tier 1 communication service providers are already heavily involved in IMS test trials, while others are in advanced stages of planning and implementation, gearing up to take their place in this competitive market.

The Need for Lawful Interception in the IMS Era

The technological revolution that is taking mobility, connectivity and applications to the next level does not exclude the LI domain. Although connectivity and the applications that subscribers use have become more diverse and complex, the basic need for reliable LI and full coverage of all communication aspects is extremely relevant. As in other LI domains, LI standardization lags behind the technology standardization. Nevertheless, law enforcement agencies, as well as legislative and regulatory bodies, require LI solutions for both the near and the long term.

Today’s IMS implementations primarily enable VoIP sessions, such as regular voice calls (PSTN/ISDN emulation) and Push to talk Over Cellular (PoC). Current non-IMS LI standards deal with the delivery of intercepted voice calls to enforcement agencies. The current need for an LI solution for IMS stems from the same voice user experience in both legacy and IMS domains. Law enforcement agencies acknowledge the different underlying technologies, but call for similar LI measures for obtaining the required information. In terms of user experience, this information is practically the same. To meet this requirement, LI standardization bodies are in the process of producing appropriate IMS domain LI standards.

IMS has promise for seamless multimedia connectivity. Consequently, current and future applications need to be covered by LI. They are all part of a constantly growing set of personal communications that could be eligible for interception by the authorities. Law enforcement agencies cannot overlook these communication methods, which are destined to capture a substantial share of the telecom market. It is crucial for law enforcement agencies to be able to intercept the data communicated by these methods so as to acquire the full communications picture surrounding a suspect.

As the IMS application landscape grows, LI coverage for these applications will need to follow suit and to also cover fixed-mobile convergence and Triple Play in the future.

IMS Challenges for LI

IMS is a distributed architecture and deals mainly with the session establishment control plane. This poses significant challenges for LI, as indicated below.

Arbitrary Access Layer

An IMS may establish Session Initiation Protocol (SIP) sessions across multiple access types in a seamless manner. However, the LI solution must access the actual Session Content irrespective of the access type and across all session scenarios in order to supply full coverage.

Multiple Functions Involved in the SIP Path

The IMS architecture is comprised of a multitude of SIP functional entities, each with a specific role. Actual systems may aggregate a number of functionalities into one physical box. Different vendors may aggregate the functionalities in different ways. Furthermore, a deployed system may comprise multi-vendor parts.

The LI solution must be able to acquire Session Data from all relevant functional entities across multiple vendors in order to establish a comprehensive session picture to be delivered to the law enforcement agency.

Unlimited Applications Potential

The IMS architecture provides an important benefit as it can sustain growth through additional applications without changing the underlying session establishment infrastructure. Numerous applications such as these are envisioned, and some (for example, PoC) are already implemented. However, each will entail some of its own peculiarities in terms of LI. Even though all application-specific peculiarities cannot be foreseen today, the LI solution architecture must enable incremental upgrades that will not affect deployed functionality adversely.

Multiple Dynamic Structured Subscriber Identities

The rich set of options for subscriber identities in the IMS environment necessitates a modified paradigm for interception criteria. A sole identity may not be enough, and an LI solution must be able to intercept relying on all target identities. Moreover, a subscriber may manage his or her identities by connecting via the Internet to the IMS management infrastructure. This poses unforeseen and dynamic changes to the set of subscriber identities, of which neither law enforcement agencies nor communication service providers may be aware in advance.

IMS Technology

Before going into the exact specifications of practical LI solutions in the IMS domain, a brief explanation of IMS architecture is needed. This explanation is not intended as an IMS tutorial, and we will only briefly note the major functional components in the architecture and their respective roles.

IMS Functional Decomposition

Control Plane

The main functional role of IMS architecture is to establish and manage SIP sessions. The main brain of the IMS architecture is the Serving Call Session Control Function (S-CSCF), which manages the SIP sessions on behalf of the subscriber. Irrespective of the subscriber state (such as turned on or off, roaming or busy), an S-CSCF is assigned to the subscriber to manage its session. The S-CSCF is totally independent of any physical aspects of the subscriber, its communication pattern, its location and access method.

Figure 1 - IMS Architecture

The Proxy Call Session Control Function (P-CSCF) serves as the initial SIP contact point in the IMS domain; it handles issues such as security and compression towards the User Equipment (UE). The UE must find the P-CSCF prior to any registration to the IMS. Different initial underlying access layers and geographical locations of the UE result in a different accessed P-CSCF.

The Interrogating Call Session Control Function (I-CSCF) serves as the internal and external focal point for finding other subscribers in the IMS network. Finding the terminating party in each session involves querying the I-CSCF. The I-CSCF accesses the Home Subscriber Server (HSS) and returns the identity of the S-CSCF serving the terminating party. This information enables the establishment of the SIP session.

The HSS holds all subscriber data relevant for the IMS session management: identities, service profiles and so on. The HSS plays a role similar to that of the HLR in GSM networks.

The IMS enables multiple Application Servers (AS) to be connected to the infrastructure. The Multimedia Resource Function Controller (MRFC) and its associated Media Resource Function Processor (MRFP) are considered an AS. Their role is to provide conferencing and announcement services. Many other Application Servers, such as a PoC server and a Messaging server, can be attached.

To interface to the Circuit Switch (CS) domain, the IMS incorporates a number of functions that deal mainly with signaling media translation and transformation. These include the Breakout Gateway Controller Function (BGCF), the Media Gateway Controller Function (MGCF), the IMS Media Gateway (IMS-MGW) and the Signaling Gateway (SGW).

A typical session setup scenario takes place along the following lines. Subscriber A, who is connected to a P-CSCF, sends an INVITE message to subscriber B. The message reaches the S-CSCF associated with subscriber A. The S-CSCF interrogates the I-CSCF as to the S-CSCF of subscriber B. Then, the I-CSCF forwards the INVITE to the S-CSCF associated with subscriber B, which in turn sends it to the P-CSCF to which subscriber B is attached. Once this path is established, regular SIP session establishment procedures can take place.

Media Plane

The IMS is defined mostly in terms of its control plane, leaving the media plane to take almost any form. These forms can be Universal Mobile Telecommunications System Packet Switch (UMTS PS) access, fixed Next Generation Networks (NGN) access, CDMA2000 access or Internet access. For the near term, the vision is for the IMS to be connected mostly with the UMTS PS access, that is, with the Serving GPRS Support Node/Gateway GPRS Serving Node (SGSN/GGSN) backbone.

Other IMS Architectures

Besides 3rd Generation Partnership Project (3GPP), other technical bodies rely on IMS as their core session management infrastructure. Notably, TISPAN, PacketCable and 3GPP2 have already adopted IMS with appropriate modifications.

LI Solutions in the IMS Domain

Separate IMS LI Domain

The scope of IMS domain interception is separate from other domains of interception. Each interception domain must be supported separately, resulting in separate and appropriate LI standard-compliant delivery to the law enforcement agency.

For example, a communication service provider with UMTS deployed technology might have an SGSN/GGSN access infrastructure and IMS. The difference between the access level interception and the application level interception is clearly evident in this case. Interception at the SGSN/GGSN (access) level produces the entire IP stream of the subscriber, while interception at the IMS (application) level produces only the IMS SIP oriented sessions of the subscriber. Accordingly, 3GPP 33.108 specifies the LI delivery standard for the UMTS PS domain, while ETSI DTS/LI-00024 specifies the LI delivery standard for the IMS domain.

A communication service provider that needs to support LI in both domains must support both delivery standards separately. Note that the law enforcement agency receiving intercepts from both domains may be getting IMS traffic through both delivery mechanisms: once from the access level and once from the application level. This is a common situation whenever delivery to a law enforcement agency requires multiple overlapping interception domains.

Classical LI Architecture

Before going into the details of IMS interception architectures, a brief explanation of classical LI architecture is required. As depicted in Figure 2, the western world LI paradigm involves two legally separated organizations. One is a law enforcement agency, responsible for requesting the interception of the communications of a specific subscriber, and the other is a communication service provider, responsible for providing the subscriber’s intercepted data.

Figure 2 - LI General Architecture

The LI standardization bodies deal with the exact specification of the mechanisms of intercepted data and delivery protocols from the communication service providers to the law enforcement agencies. These standards basically define a similar set of functional entities for the accomplishment of the LI procedures, as depicted in Figure 2.

The communication service provider is responsible for the LI Access Function and the Mediation Function. The role of the LI Access Function is to extract subscriber communications for Call/Session Control information (Call/Session Data) and Call/Session Content information. These communications are sent to a Mediation Function. The Mediation Function is responsible for the translation of communication into the appropriate format, according to the LI delivery standard, and for its distribution to multiple law enforcement agencies. The law enforcement agencies are considered a Collection Function and are responsible for accepting all information sent from the communication service providers via the LI delivery standard.

Basic Solution Types for IMS

In general, all LI solutions can be categorized as either active or passive. Active solutions rely on network elements (LI Access functions in Figure 2) to support an LI interface protocol stack through which the Mediation Function can access the subscriber’s communications. The LI interface is usually proprietary to the vendor.

Passive solutions rely on passive tapping devices placed at strategic positions in the communication pathways at the communication service provider. They enable the capture of subscriber communications. There is no active interaction with any part of the network.

Both the active and passive LI solutions are designed not to interfere with a subscriber’s actual communications. In the active solution, the network element vendor is responsible for the transparent interception. In the passive solution, the nature of the tapping devices ensures the same objective.

Guiding Rules

The IMS architecture produces a number of insights affecting LI solutions:

• Every originating or terminating subscriber SIP session always travels through an S-CSCF in the subscriber’s home network.[1] This includes out-bound roamers.

• In-bound roamer SIP traffic will only traverse a P-CSCF in the roamed network.[2]

• AS servers entail special information that is application specific.

[1] The case of emergency calls is an exception. The call will be placed through an S-CSCF in the roamed network so as to provide the emergency service on a geographical basis.

[2] This pertains to the case of roaming agreements at the IMS level between two CSPs. If the roaming agreement is on the access level only (for example, GPRS), the session goes from the SGSN in the roamed network (where interception takes place), to the GGSN in the home network. Such a session does not need to be intercepted at the IMS domain in the roamed network, but rather in the PS domain.

These insights enable us to establish a number of general guiding rules for the LI solutions:

• All S-CSCFs in the network must be accessed to provide information since all SIP sessions traverse at least one S-CSCF.

• All P-CSCFs in the network must be accessed to provide information since in-bound roamer SIP sessions do not necessarily traverse any of the S-CSCFs in the roamed network.[3]

• All AS in the network must be accessed to provide information since they can act as User Agents (UAs) by themselves, terminate sessions, and perform various tasks that are beyond the basic infrastructure of the IMS.

Roamers Coverage

Since all SIP traffic traverses the home network, Session Data of out-bound roamers can always be accessed in the home network for both roaming agreement types: IMS roaming agreements (see Figure 3a), and access roaming agreements (see Figure 3b). Note that in Figure 3, the SIP paths (denoted in red lines) always traverse the intercepted network (denoted in cyan).

However, in such cases, Session Content cannot be accessed. If the roaming model supports roaming at the IMS service level (Figure 3a), the serving GGSN and P-CSCF would be in the roamed network. The LI function in the home network will have no access to the Session Content (in Figure 3a the green line does not traverse the intercepted network).[4]

Figure 3 - Different Roaming Agreements

[3] See footnote 2.

[4] If the session associate belongs to the same IMS home network and is not out-bound roaming (that is, CSP B and CSP C merge in Figure 3(a)), then it is possible for the associate’s side to access Session Content.

Alternatively, if the roaming model is at the access level (for example, GPRS), as shown in Figure 3b, then the Session Content is bound to traverse a GGSN in the home network. This enables access to the Session Content for all of the target sessions irrespective of the location of the associate.

Inter-Network Sessions

The LI solution needs to address the cases in which session parties are off-network. There are a number of such cases and solutions, as follows:

Case 1: The target is in the network and talks to an off-network associate.
Solution 1: Content is accessible since the target is in the network.

Case 2: An out-bound roaming target talks to an off-network associate.
Solution 2: Content is accessible if the target roams under an access level roaming agreement (see Roamers Coverage).

Case 3: An off-network associate is redirected to a service (for instance, voice mail) on behalf of the target.
Solution 3: Content is accessible since the service is in the network.

Case 4: An off-network associate is redirected to another off-network subscriber on behalf of the target.
Solution 4: Content may not be accessible depending on the type of redirection.

In all these cases, there is an S-CSCF associated with the target, and it is involved in the SIP path. This is true even when the UE is turned off and incoming calls need to be handled. Consequently, in these cases, accessing the S-CSCF provides access to Session Data.

From the above we see that accessing the Session Content depends on the content’s path.

Active Solutions

In an active solution, the IMS functional entities serve as the LI Access Functions which support an active interface. The underlying assumption is that the physical platforms incorporating the IMS functional entities support an active interface.

Figure 4 - Active Interception Solution

The Mediation Function interfaces with all P-CSCFs, S-CSCFs, and AS in the network, as shown in Figure 4.

Other functional entities need not necessarily be interfaced since all SIP traffic coverage can be handled by these functions alone. Nevertheless, some vendors may provide LI interfaces to additional functional entities. These interfaces towards additional functional entities may provide LI information that compensates for the possible lack of information coming from the S-CSCFs, P-CSCFs, and AS.

Once the communication service provider is bound to provision a new IMS target, it must collect the entire set of private and public target identities via its IMS management interface (for example, GUI). As a target may use any of its public identities, the entire identity set is needed. This set will be provisioned to all above-mentioned functional entities. Provisioning the target to all platforms is the prevailing provisioning method in wireless systems. This provisioning mode covers all S-CSCF allocation possibilities, as follows:

• The target may have a pre-defined S-CSCF.

• The S-CSCF may be allocated to the target dynamically when registering based on the required capabilities.

• The pre-defined S-CSCF may be malfunctioning or inaccessible, resulting in a newly allocated S-CSCF for a specific session.

The provisioning also covers all the associations of a roaming target in any of the available P-CSCFs in the network as well as the invocation of any application. Once the target is provisioned, the IMS entities intercept all SIP traffic, and the relevant Session Data information is sent to the LI Mediation Function.

Page 16: The IP Multimedia Subsystem (IMS) - · PDF file3 Preface This white paper provides an overview of Lawful Interception (LI) in the IP Multimedia Subsystem (IMS) domain. Its intended

15

In order to also acquire the content of the intercepted session, two methods can be applied. The first method relies on the vendor to incorporate some proprietary LI intra-IMS protocol between its platforms (SIP control and media platforms). This enables entities such as the S-CSCF to control and command the content pathways that will be duplicated towards the Mediation Function.

To achieve this, the session can be set up either through a conference device (for example, MRFC) for which the Mediation Function is a silent member, or through direct control of media resources in the access network. In the latter method, content is duplicated and sent to the Mediation Function without affecting the original path (for example, by mirroring traffic in various IP switching devices).

The second method relies on the functional entities to supply the Session Data and the SDP information with the appropriate media IP addresses and port to the Mediation Function. The Mediation Function uses these IP addresses to acquire the Session Content from the access layer. It provisions, in real time, the appropriate access device for sending the target traffic towards the Mediation Function. Once the session ends, the Mediation Function provisions the access device to stop sending the Session Content.

A key aspect of handling the Session Data and Content in the Mediation Function is the correlation between the two. In the first method, the IMS elements provide a unique system-wide ID that enables the Mediation Function to correlate the Session Data instances between themselves and the Session Content. In the second method, the IMS elements still provide a similar unique ID for Session Data instance correlation but the Mediation Function correlates the Session Content on its own using the SDP information (IP address and port).

The Mediation Function transforms the information acquired actively from the IMS infrastructure (Session Data and Content), and delivers and distributes it to the law enforcement agencies using the appropriate delivery standard.

Passive Solutions

Passive solutions do not involve the IMS at all in the acquisition of Session Data and Content. Passive taps are placed at various strategic places in the network to acquire the data. These tapping devices serve as the LI Access Functions. Naturally, the number of tap points needs to be as few as possible.

The main differences between active and passive solutions are the methods of acquisition and the correlation between the Session Data and Session Content.

Using the guiding rules described in the section Guiding Rules, the tapping points need to cover all traffic to and from the entire set of P-CSCFs, S-CSCFs, and AS (see Figure 5).


Figure 5 - Passive Interception Solution

The tapping devices, which sniff bare IP, are provisioned to deliver only SIP traffic to the Mediation Function. All tapping devices are provisioned with the set of target identities, as in the active case.

To access the Session Content, tapping devices are placed at the access infrastructure in the home network. The actual acquisition of the Session Content is accomplished in two stages. Firstly, the IP address and port of the Session Content is extracted from the sniffed SIP traffic of the target. Then, the tapping device covering this IP address at the access layer is commanded to filter the traffic of this specific IP address and to deliver it to the Mediation Function.

Unlike the active solution, the Mediation Function is responsible for correlating the Session Data instances (SIP messages in this case) between themselves and the Session Content. The Mediation Function uses the IMS Correlation ID (ICID) to correlate the Session Data instances. The ICID is generated by the first SIP control function in the IMS which encounters a new session. It is propagated henceforth in all SIP messages pertaining to that session.

The Session Content is correlated explicitly to the Session Data using the session IP address and port (acquired from the SIP messages) to filter the IP traffic at the access layer.
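The two correlation steps described above, as an added example that is not part of the original brief: SIP messages are grouped by ICID, and a media flow is mapped back to its session through the SDP address and port. It assumes the ICID is read from the `icid-value` parameter of the `P-Charging-Vector` header (RFC 7315); the function names and the sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

ICID_RE = re.compile(r'icid-value\s*=\s*("[^"]*"|[^;\s]+)', re.I)

def parse_sip(raw):
    """Return (start_line, icid, [(ip, port), ...]) for one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    pcv = next((l for l in lines[1:] if l.lower().startswith("p-charging-vector:")), "")
    m = ICID_RE.search(pcv)
    icid = m.group(1).strip('"') if m else None
    session_ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[-1].split("/")[0]
            if media:
                media[-1][0] = ip          # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append([session_ip, int(line.split()[1].split("/")[0])])
    # Port 0 marks a declined stream; a stream with no address cannot be filtered on.
    return lines[0], icid, [(ip, p) for ip, p in media if ip and p]

def correlate(raw_messages):
    """Group Session Data by ICID and collect each session's media endpoints."""
    sessions = defaultdict(lambda: {"signalling": [], "media": set()})
    for raw in raw_messages:
        start, icid, media = parse_sip(raw)
        if icid is not None:               # without an ICID this method cannot place it
            sessions[icid]["signalling"].append(start)
            sessions[icid]["media"].update(media)
    return dict(sessions)

def session_for_flow(sessions, ip, port):
    """Map an access-layer flow endpoint back to the ICID of its session."""
    return next((i for i, s in sessions.items() if (ip, port) in s["media"]), None)

def _msg(start, icid, *sdp):               # builds a constructed sample message
    body = "".join(f"{l}\r\n" for l in sdp)
    return f"{start}\r\nP-Charging-Vector: icid-value={icid}; orig-ioi=home1.example\r\n\r\n{body}"

SAMPLE = [  # constructed messages using documentation-range addresses
    _msg("INVITE sip:bob@home1.example SIP/2.0", "1234bc9876e",
         "c=IN IP4 192.0.2.10", "m=audio 49170 RTP/AVP 0"),
    _msg("SIP/2.0 200 OK", "1234bc9876e", "c=IN IP4 198.51.100.20", "m=audio 3456 RTP/AVP 0"),
    _msg("BYE sip:bob@home1.example SIP/2.0", "1234bc9876e"),
    _msg("INVITE sip:carol@home1.example SIP/2.0", "ffee0011",
         "m=audio 5004 RTP/AVP 0", "c=IN IP4 203.0.113.7", "m=video 0 RTP/AVP 31"),
]
```

Both the offer and the answer contribute an endpoint to the same session, so a flow seen at either side of the call resolves to one ICID.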


Hybrid Solutions

Real IMS systems may involve equipment from a number of vendors. Not all vendors may support active LI interfaces. In these cases, a hybrid solution is necessary. IMS functionalities that have an active LI interface provide Session Data and Session Content directly. Tapping devices are placed accordingly to access all missing information following the guidelines described previously in the sections Active Solutions and Passive Solutions. The most probable case may be where one vendor provides an LI-relevant core IMS infrastructure (for example, P-CSCF and S-CSCF) and another vendor provides the access infrastructure. In many cases, these access devices need to be tapped. For the IMS platforms, most vendors will probably introduce active LI interfaces. Therefore, active access to Session Data and passive access to Session Content are expected to be quite common. This does not exclude other combinations, as well.

Another hybridization concept worth mentioning is that of vendors leveraging existing platforms for IMS utilization. One example is the Session Border Controller (SBC). Besides its current popular role as Back to Back User Agent (B2BUA) and security enforcer, it may include P-CSCF functionality and more. In general, solutions with a soft switch (meaning I/S-CSCF or AS), SBC (meaning P-CSCF), and with the addition of the complementary SIP functionalities can be expected, especially in the near term.


Delivery Protocols

A number of delivery protocols between communication service provider and law enforcement agency are standardized for the IMS domain, as follows:

3GPP 33.108 / ETSI TS 133 108

This is the current delivery standard for the UMTS domain. Note that although the standard requires the delivery of all SIP messages pertaining to the target’s session as ASN.1 (BER) messages over TCP/IP, Session Content consists of all bare IP target traffic and is delivered as an encapsulated stream over UDP. In addition, the standard explicitly enables the sending of P-CSCF and S-CSCF information to the LEA resulting in duplication of information.

PacketCable 2.0

As of this writing, the PacketCable standard is still not finalized, but work is progressing vigorously, and most aspects are defined. Session Data is delivered as ASN.1 (BER) messages over TCP/IP. Session Content is delivered as RTP (and may be also T.38 for fax, or similar) and is encapsulated in UDP with the addition of a correlation header.

TIA-1066

This is the US CDMA2000 VoIP LI standard. The standard utilizes another US standard, T1.678, which is intended for the VoIP fixed NGN domain. Session Data is delivered towards the LEA as ASN.1 (BER) messages over TCP/IP, while Session Content is delivered as encapsulated traffic over UDP.

ETSI DTS/LI-00024

The standardization process for a general IP multimedia LI standard in ETSI is in progress. Session Data and Content are delivered towards the LEA as ASN.1 (BER) messages.

TISPAN DTS-07013

The standardization process for IMS interception delivery in TISPAN is in progress. For the purpose of delivery, the above-mentioned ETSI standard is to be used.


Case Studies

A myriad of case studies could be shown in various communication domains. For the sake of simplicity, however, we will consider some realistic examples of a fixed network.

Active Interception Example

Figure 6 shows the IMS infrastructure at the communication service provider. There is an access layer that connects the subscriber’s UE, an IMS core layer that supplies the session management and subscriber profile management, and an application layer that consists of a number of AS (basically soft switches).

These various elements support an active LI interface. For brevity, these are not shown in Figure 6. The elements include the AS and CSCFs for Session Data and the SBCs and MGW for Session Content.

When the communication service provider needs to activate interception under a new warrant for a specific target, the target identity and all associated parameters are provisioned through the Mediation Device’s administrator console. In this case, the Mediation Device is Verint’s STAR-GATE™ product, whereas the administrator console is the GSA. The target is provisioned to the AS, CSCFs, SBCs and MGW. Once a session is set up in the network on behalf of the target, the AS and CSCFs report Session Data (denoted as red lines in Figure 6), and the SBCs and MGW convey Session Content (denoted as blue lines in Figure 6) towards the Mediation Function.

Figure 6 - Active IMS Interception in a Fixed Network

The Mediation Function translates the Session Data and Content to a specific delivery standard format and delivers and distributes the session to the law enforcement agencies.


Passive Interception Example

Figure 7 shows the same network depicted in Figure 6, but the network elements do not support an active LI interface.

Figure 7 - Passive IMS Interception in a Fixed Network

Tapping devices are placed in strategic places in the network. We show only a handful of devices placed over some connections (denoted in purple). Some of the tapping devices are placed so as to capture session control traffic. Taps are placed between AS and CSCF and between CSCF and MGC. Other taps are placed for capturing the Session Content between SBC and the access server, and between SBC and MGW. All tap devices are connected to an IP sniffing device (Verint’s IP-Probe), which filters only relevant traffic and feeds it into the Mediation Device.

As in the active case, the administrator’s console (GSA) is used to provision the target. The target information is propagated to the Mediation Device, but unlike the active case, the target is now provisioned to the IP-Probe. Since passive taps are placed in the system, the IP-Probe is provisioned with the target identifiers to be filtered out of the general traffic.

As in the active case, the Mediation Function translates the Session Data and Content to a specific delivery standard format and delivers and distributes the session to the law enforcement agencies.


Summary

The IMS is an extremely versatile platform that gives communication service providers a substantial opportunity for growth by offering new multimedia services. This communication technology poses new challenges for the LI domain, yet these challenges can be readily met and overcome by careful analysis and planning.

The two basic modes of LI, active and passive solutions, are applied to the IMS domain and shown to produce viable interception architectures. These solutions cover all aspects of LI Session Data and Content, roaming models, inter/intra-network sessions, and delivery standards. Although the IMS serves in numerous communication domains, such as UMTS, PacketCable and TISPAN, its invariance to the access layer also enables a modular LI solution structure that can be readily upgraded or tailored, as necessary.

STAR-GATE active and passive architectures provide solutions for virtually all communication domains. This technical brief showed two specific examples in the fixed domain. Current STAR-GATE deployments in all communication domains can be upgraded to support IMS interception using the same GSA console and mode of operation, while new installations can also benefit from these solutions.