My 5G lawful interception notes
5G LI specifications
| Specification | Scope | My notes |
|---|---|---|
| 33.126 | This document specifies both the architectural and functional system requirements for Lawful Interception (LI) in 3GPP networks. The present document provides an LI architecture supporting both network layer based and service layer based Interception. National regulations determine the specific set of LI functional capabilities that are applicable to a specific 3GPP operator deployment. | Example |
| 33.127 | This document specifies both the architectural and functional system requirements for Lawful Interception (LI) in 3GPP networks. The present document provides an LI architecture supporting both network layer based and service layer based Interception. National regulations determine the specific set of LI functional capabilities that are applicable to a specific 3GPP operator deployment. | Example |
| 33.128 | This document specifies the protocols and procedures required to perform Lawful Interception within a 3GPP network. The present document addresses both internal interfaces used internally with a 3GPP network and external handover interfaces used to handover intercepted communications to law enforcement. | Example |
5G Functional Entities
Law Enforcement Agency (LEA)
See 33.127 § 5.3.1
Point of Interception (POI)
See 33.127 § 5.3.2
POI detects target communications, derives the Intercept Related Information (IRI) or Content of Communication (CC) from target communications, and delivers the POI output as xIRI to MDF2 (IRI-POI) or as xCC to MDF3 (CC-POI). The POI may be embedded within a Network Function (NF) or separate from an NF with which it is associated. Multiple POIs may be involved in executing a warrant.
- Directly provisioned POIs are provisioned by Lawful Intercept Provisioning Function (LIPF)
- Triggered POIs are triggered by Triggering Function (TF) - see 33.127 § 5.3.3
Triggering Function (TF)
See 33.127 § 5.3.3
Mediation and Delivery Function (MDF)
See 33.127 § 5.3.4
Administration Function (ADMF)
See 33.127 § 5.3.5
Made up of four logical sub-functions:
- Lawful Intercept Control Function (LICF) - see 33.127 § 5.3.5.2
- Lawful Intercept Provisioning Function (LIPF) - see 33.127 § 5.3.5.3
- Identifier Query Function (IQF) - the function responsible for receiving and responding to dedicated LEA real-time queries for identifier associations. See 33.127 § 5.7.2.1 for further details.
- Certificate Authority (CA) - see 33.127 § 8.3
Within one ADMF there is one LICF, one IQF, and at least one and possibly more LIPFs.
System Information Retrieval Function (SIRF)
See 33.127 § 5.3.6
Law Enforcement Monitoring Facility (LEMF)
The LEMF receives the interception product as Handover Information (HI) or HI2 for IRI and HI3 for CC. LEMF is out of scope.
5G target identifier info
5G identifiers in general
See 3GPP 23.003 document that defines the principal purpose and use of different naming, numbering, addressing and identification resources (i.e. Identifiers (ID)) within the digital cellular telecommunications system and the 3GPP system.
| Identifier Acronym | Full Identifier | Defined in | Meaning |
|---|---|---|---|
| SUPI | Subscription Permanent Identifier | 3GPP 23.501 § 5.9.2 | A globally unique 5G Subscription Permanent Identifier (SUPI) shall be allocated to each subscriber in the 5G System and provisioned in the UDM/UDR. The SUPI is used only inside 3GPP system, and its privacy is specified in TS 33.501. The SUPI may contain:
A SUPI containing a network-specific identifier shall take the form of a Network Access Identifier (NAI) using the NAI RFC 7542 based user identification as defined in TS 23.003. When UE needs to indicate its SUPI to the network (e.g. as part of the Registration procedure), the UE provides the SUPI in concealed form as defined in TS 23.003. In order to enable roaming scenarios, the SUPI shall contain the address of the home network (e.g. the MCC and MNC in the case of an IMSI based SUPI). For interworking with the EPC, the SUPI allocated to the 3GPP UE shall always be based on an IMSI to enable the UE to present an IMSI to the EPC. The usage of SUPI for W-5GAN is further specified in TS 23.316. |
| SUCI | Subscription Concealed Identifier | 3GPP 23.501 § 5.9.2a | The Subscription Concealed Identifier (SUCI) is a privacy preserving identifier containing the concealed SUPI. It is specified in TS 33.501. The usage of SUCI for W-5GAN access is further specified in TS 23.316. |
| PEI | Permanent Equipment Identifier | 3GPP 23.501 § 5.9.3 | A Permanent Equipment Identifier (PEI) is defined for the 3GPP UE accessing the 5G System.
The PEI can assume different formats for different UE types and use cases. The UE shall present the PEI to the network together with an indication of the PEI format being used. If the UE supports at least one 3GPP access technology (i.e. NG-RAN, E-UTRAN, UTRAN or GERAN), the UE must be allocated a PEI in the IMEI or IMEISV format. In the scope of this release, the PEI may be one of the following:
|
| 5G-GUTI | 5G Globally Unique Temporary Identifier | 3GPP 23.501 § 5.9.4 | The AMF shall allocate a 5G Globally Unique Temporary Identifier (5G-GUTI) to the UE that is common to both 3GPP and non-3GPP access. It shall be possible to use the same 5G-GUTI for accessing 3GPP access and non-3GPP access security context within the AMF for the given UE. An AMF may re-assign a new 5G-GUTI to the UE at any time. The AMF provides a new 5G-GUTI to the UE under the conditions specified in clause 6.12.3 in TS 33.501. When the UE is in CM-IDLE, the AMF may delay providing the UE with a new 5G-GUTI until the next NAS transaction.
The 5G-GUTI shall be structured as When the GUAMI identifies only one AMF, the 5G-TMSI identifies the UE uniquely within the AMF. However, when AMF assigns a 5G-GUTI to the UE with a GUAMI value used by more than one AMF, the AMF shall ensure that the 5G-TMSI value used within the assigned 5G-GUTI is not already in use by the other AMF(s) sharing that GUAMI value. The Globally Unique AMF ID (GUAMI) shall be structured as NOTE 1: The AMF Region ID addresses the case that there are more AMFs in the network than the number of AMFs that can be supported by AMF Set ID and AMF Pointer by enabling operators to re-use the same AMF Set IDs and AMF Pointers in different regions. NOTE 2: In the case of SNPNs, the PLMN IDs may be shared among SNPNs such that the constructed GUAMIs are not globally unique. However, PLMN ID and NID are provided together, separate from the GUAMI, to uniquely identify selected or supported SNPN in RRC and N2. NOTE 3: See TS 23.003 for details on the structure of the fields of GUAMI. The 5G-S-TMSI is the shortened form of the GUTI to enable more efficient radio signalling procedures (e.g. during Paging and Service Request) and is defined as As specified in TS 38.304 and TS 36.304 for 3GPP access, the NG-RAN uses the 10 Least Significant Bits of the 5G-TMSI in the determination of the time at which different UEs are paged. Hence, the AMF shall ensure that the 10 Least Significant Bits of the 5G-TMSI are evenly distributed. As specified in TS 38.331 and TS 36.331 for 3GPP access, the NG-RAN's RRC Connection Establishment's contention resolution process assumes that there is a low probability of the same 5G-TMSI being allocated by different AMFs to different UEs. The AMFs' process for allocating the 5G-TMSI should take this account. NOTE 4: To achieve this, the AMF could, for example, use a random seed number for any process it uses when choosing the UE's 5G-TMSI. |
| AMF Name | 3GPP 23.501 § 5.9.5 | An AMF is identified by an AMF Name. AMF Name is a globally unique FQDN, the structure of AMF Name FQDN is defined in TS 23.003]. An AMF can be configured with one or more GUAMIs. At a given time, GUAMI with distinct AMF Pointer value is associated to one AMF name only. | |
| IGI | Internal-Group Identifier | 3GPP 23.501 § 5.9.7 | The subscription data for an UE in UDR may associate the subscriber with groups. A group is identified by an Internal-Group Identifier.
NOTE 1: A UE can belong to a limited number of groups, the exact number is defined in stage 3 specifications. |
| GPSI | Generic Public Subscription Identifier | 3GPP 23.003 § 28.8 | The Generic Public Subscription Identifier (GPSI) is defined in clause 5.9.8 of 3GPP TS 23.501.
The GPSI is defined as:
NOTE: Depending on the protocol used to convey the GPSI, the GPSI type can take different formats. |
| NAI | Network Access Identifier | Example | |
| Email address | |||
| E164Number | |||
Lawful interception (LI) at each network or service function and applicable target identifiers based on Release 16.6.0 (2020-12)
| Target identifier | AMF | SMF/UPF | UDM | SMSF | Location | MMS Proxy-Relay | ICF |
|---|---|---|---|---|---|---|---|
| SUPIIMSI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| SUPINAI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| PEIIMEI | ✓ | ✓ | ✓ | ✓ | |||
| PEIIMEISV | ✓ | ✓ | ✓ | ✓ | |||
| GPSIMSISDN | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| GPSINAI | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| PEI | ✓ | ||||||
| GPSI | ✓ | ✓ | |||||
| SUPI | ✓ | ✓ | ✓ | ||||
| E164Number | |||||||
| EmailAddress | ✓ | ||||||
| IMPI | ✓ | ✓ | |||||
| IMPU | ✓ | ✓ | |||||
| IMSI | ✓ | ||||||
| NAI | |||||||
| SUCI | ✓ | ||||||
| 5G-S-TMSI | ✓ | ||||||
| 5G-GUTI | ✓ |
IRI events
Network layer
AMF
The IRI-POI present in the AMF shall generate xIRI, when it detects the following specific events or information:
- Registration.
- Deregistration.
- Location update.
- Start of interception with already registered UE.
- Unsuccessful communication related attempt.
- A new identifier association for a UE matching one of the target identifiers is provided via LI_X1.
IRI Payload
| IRI Record Type | Field name | Description | Source |
|---|---|---|---|
| AMFRegistration | location | Location information determined by the network during the registration, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. | 33.128 V17.0.0 § 6.2.2.2.2 |
| AMFDeregistration | location | Location information determined by the network during the deregistration, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation), see Annex A. | 33.128 V17.0.0 § 6.2.2.2.3 |
| AMFLocationUpdate | location | Updated location information determined by the network. Depending on the service or message type from which the location information is extracted, it may be encoded in several forms (Annex A):
|
33.128 V17.0.0 § 6.2.2.2.4 |
| AMFStartOfInterceptionWithRegisteredUE | location | Location information, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. | 33.128 V17.0.0 § 6.2.2.2.5 |
| AMFUnsuccessfulProcedure | location | Location information determined during the procedure, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation), see Annex A. | 33.128 V17.0.0 § 6.2.2.2.6 |
| AMFIdentifierAssociation | location | Location information available when identifier association occurs. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. | 33.128 V17.0.0 § 6.2.2.2.7 |
SMF/UPF
The IRI-POI present in the SMF/UPF shall generate xIRI, when it detects the following specific events or information:
- PDU session establishment.
- PDU session modification.
- PDU session release.
- Start of interception with an established PDU session.
SMSF
The IRI-POI present in the SMSF shall generate xIRI, when it detects the following specific events or information:
- SMS message.
SIRF/NRF
The SIRF present in the NRF shall generate notifications over LI_SI when the SIRF detects the following specific events or information:
- NF service registration.
- NF service update.
- NF service deregistration.
- NF service chain change.
The NF service chain change notification shall be generated whenever an NF is added to or removed from a service chain in response to NF discovery and selection events.
Service layer
UDM
The IRI-POI present in the UDM shall generate xIRI, when the UDM detects the following specific events or information:
- Serving system.
- Subscriber record change.
- Cancel location.
- Location information request.
IMS Signaling Function
The IRI-POI present in the IMS Signaling Function generates the following xIRI:
- Encapsulated SIP message.
- CC unavailable in serving PLMN.
- Start of interception with an established IMS session.
MMS Proxy-Relay
The IRI-POI present in the MMS Proxy-Relay shall generate xIRI, when it detects the following specific events or information:
- An MMS message is sent by the target or sent to the target.
Push to Talk over Cellular (PTC)
The IRI-POI present in the PTC Server shall generate xIRI when it detects the following specific events or information:
- PTC service registration.
- PTC serving system.
- PTC session initiation.
- PTC session abandon.
- PTC session start.
- PTC session end.
- PTC start of interception.
- PTC pre-established Session.
- PTC instant personal alert.
- PTC party join.
- PTC party drop.
- PTC party hold.
- PTC party retrieve.
- PTC media modification.
- PTC group advertisement.
- PTC floor control.
- PTC target presence.
- PTC associate presence.
- PTC list management.
- PTC access policy.
- PTC media type notification.
- PTC encryption message.
CC
SMF/UPF
The CC-POI present in the UPF generates the xCC from the user plane packets and delivers the xCC (that includes the correlation number and the target identity) to the MDF3.
IMS Media Function
The IMS-based services are determined based on the deployment option, the network configuration, LI service scope and the IMS session including the roaming scenarios. Network functions that handle the media are referred to as IMS Media Functions and IMS Media Functions that act as CC-POI generate the xCC.
MMS
The MMS xCC is generated when the CC-POI in the MMS Proxy-Relay detects that CC related to an MMS message is either received from the target, sent to the target, or stored on behalf of the target.
PTC service
The CC-POI present in the PTC Server shall generate xCC.
5G location info notes
Cell site information can be manual or automatic. 33 127 and 33 128 discuss automatic reporting.
When automatic, when the cell identity is present within an xIRI the MDF2 that receives the xIRI may retrieve the cell site information for that cell from a CSP database and deliver the same to the LEMF either within the IRI message generated from the received xIRI or in a separate IRI message containing the MDFCellSiteReport record.
I recommend the separate IRI message containing the MDFcellSiteReport record, specifically, asynchronously requesting cell info from a CSP database and delivering original IRI to LEMF without delay or additional modification. Modifying an existing xIRI delays delivery of associated IRI and introduces additional processing steps to convert xIRI to IRI that increases the chances to introduce a software bug.
The MDFCellSiteReport record shall be delivered as an IRI REPORT (see ETSI TS 102 232-1 clause 5.2.10) and allocated the same CIN, if any, as the IRI message that caused the retrieval.
ASN.1 notes
The use of --... in my ASN.1 notes indicate portions of ASN.1 above or below are omitted. See 3GPP specification for full ASN.1.
Location Info
-- ===================
-- Location parameters
-- ===================
Location ::= SEQUENCE
{
locationInfo [1] LocationInfo OPTIONAL,
positioningInfo [2] PositioningInfo OPTIONAL,
locationPresenceReport [3] LocationPresenceReport OPTIONAL
}
CellSiteInformation ::= SEQUENCE
{
geographicalCoordinates [1] GeographicalCoordinates,
azimuth [2] INTEGER (0..359) OPTIONAL,
operatorSpecificInformation [3] UTF8String OPTIONAL
}
-- TS 29.518 [22], clause 6.4.6.2.6
LocationInfo ::= SEQUENCE
{
userLocation [1] UserLocation OPTIONAL,
currentLoc [2] BOOLEAN OPTIONAL,
geoInfo [3] GeographicArea OPTIONAL,
rATType [4] RATType OPTIONAL,
timeZone [5] TimeZone OPTIONAL,
additionalCellIDs [6] SEQUENCE OF CellInformation OPTIONAL
}
-- TS 29.571 [17], clause 5.4.4.7
UserLocation ::= SEQUENCE
{
eUTRALocation [1] EUTRALocation OPTIONAL,
nRLocation [2] NRLocation OPTIONAL,
n3GALocation [3] N3GALocation OPTIONAL
}
MDF Cell Site Report
-- ===============
-- HI2 IRI payload
-- ===============
IRIPayload ::= SEQUENCE
{
iRIPayloadOID [1] RELATIVE-OID,
event [2] IRIEvent,
targetIdentifiers [3] SEQUENCE OF IRITargetIdentifier OPTIONAL
}
IRIEvent ::= CHOICE
{
-- ...
-- MDF-related events, see clause 7.3.4
mDFCellSiteReport [16] MDFCellSiteReport,
-- ...
}
MDFCellSiteReport ::= SEQUENCE OF CellInformation
CellInformation ::= SEQUENCE
{
rANCGI [1] RANCGI,
cellSiteinformation [2] CellSiteInformation OPTIONAL,
timeOfLocation [3] Timestamp OPTIONAL
}
RANCGI ::= CHOICE
{
eCGI [1] ECGI,
nCGI [2] NCGI
}
CellSiteInformation ::= SEQUENCE
{
geographicalCoordinates [1] GeographicalCoordinates,
azimuth [2] INTEGER (0..359) OPTIONAL,
operatorSpecificInformation [3] UTF8String OPTIONAL
}
-- TS 29.572 [24], clause 6.1.6.2.4
GeographicalCoordinates ::= SEQUENCE
{
latitude [1] UTF8String,
longitude [2] UTF8String,
mapDatumInformation [3] OGCURN OPTIONAL
}
-- TS 29.571 [17], clause 5.4.4.5
ECGI ::= SEQUENCE
{
pLMNID [1] PLMNID,
eUTRACellID [2] EUTRACellID,
nID [3] NID OPTIONAL
}
-- TS 29.571 [17], clause 5.4.4.6
NCGI ::= SEQUENCE
{
pLMNID [1] PLMNID,
nRCellID [2] NRCellID,
nID [3] NID OPTIONAL
}
PLMNID ::= SEQUENCE
{
mCC [1] MCC,
mNC [2] MNC
}
MCC ::= NumericString (SIZE(3))
MNC ::= NumericString (SIZE(2..3))
-- TS 38.413 [23], clause 9.3.1.9
EUTRACellID ::= BIT STRING (SIZE(28))
-- TS 38.413 [23], clause 9.3.1.7
NRCellID ::= BIT STRING (SIZE(36))
-- TS 23.003 [19], clause 12.7.1 encoded as per TS 29.571 [17], clause 5.4.2
NID ::= UTF8String (SIZE(11))
References
- 33 127 § 7.3.4
- 33 128 § 7.3.2
Identity functions
- ICF Identifier Caching Function
- IEF Identifier Event Function
- IQF Identifier Query Function
For dedicated query, lookup and reporting, figure 5.7-1 shows the high-level architecture used to support identifier association query and response requirements. The Identifier Event Function (IEF) provides the Identifier Caching Function (ICF) with the events necessary to answer the identifier association queries from the IQF. LEAs are able to issue real-time queries to the Identifier Query Function (IQF), which in turn queries the ICF.
33.128 V16.6.0 § 5.2.7 Usage for realising LI_XEM1
For the purposes of realizing LI_XEM1 between the LIPF and an IEF, the LIPF plays the role of the ADMF as defined in ETSI TS 103 221-1 reference model (clause 4.2), and the IEF plays the role of the NE.
- The IEF shall be enabled by sending the following ActivateTask message from the LIPF.
- The IEF may be reconfigured to send identity associations to a different ICF using a ModifyTask message to modify the delivery destinations.
- The IEF shall be disabled by sending the following DeactivateTask message from the LIPF.
Resources
5G NR Cell Global Identity Planning Info