My 5G lawful interception notes

From Got Opinion Wiki
Jump to navigation Jump to search

5G LI specifications

Caption text
Specification Scope My notes
33.126 This document specifies both the architectural and functional system requirements for Lawful Interception (LI) in 3GPP networks. The present document provides an LI architecture supporting both network layer based and service layer based Interception. National regulations determine the specific set of LI functional capabilities that are applicable to a specific 3GPP operator deployment. Example
33.127 This document specifies both the architectural and functional system requirements for Lawful Interception (LI) in 3GPP networks. The present document provides an LI architecture supporting both network layer based and service layer based Interception. National regulations determine the specific set of LI functional capabilities that are applicable to a specific 3GPP operator deployment. Example
33.128 This document specifies the protocols and procedures required to perform Lawful Interception within a 3GPP network. The present document addresses both internal interfaces used internally with a 3GPP network and external handover interfaces used to handover intercepted communications to law enforcement. Example

5G Functional Entities

Law Enforcement Agency (LEA)

See 33.127 § 5.3.1

Point of Interception (POI)

See 33.127 § 5.3.2

POI detects target communications, derives the Intercept Related Information (IRI) or Content of Communication (CC) from target communications, and delivers the POI output as xIRI to MDF2 (IRI-POI) or as xCC to MDF3 (CC-POI). The POI may be embedded within a Network Function (NF) or separate from an NF with which it is associated. Multiple POIs may be involved in executing a warrant.

  • Directly provisioned POIs are provisioned by Lawful Intercept Provisioning Function (LIPF)
  • Triggered POIs are triggered by Triggering Function (TF) - see 33.127 § 5.3.3

Triggering Function (TF)

See 33.127 § 5.3.3

Mediation and Delivery Function (MDF)

See 33.127 § 5.3.4

Administration Function (ADMF)

See 33.127 § 5.3.5

Made up of four logical sub-functions:

  • Lawful Intercept Control Function (LICF) - see 33.127 § 5.3.5.2
  • Lawful Intercept Provisioning Function (LIPF) - see 33.127 § 5.3.5.3
  • Identifier Query Function (IQF) - the function responsible for receiving and responding to dedicated LEA real-time queries for identifier associations. See 33.127 § 5.7.2.1 for further details.
  • Certificate Authority (CA) - see 33.127 § 8.3

Within one ADMF there is one LICF, one IQF, and at least one and possibly more LIPFs.

System Information Retrieval Function (SIRF)

See 33.127 § 5.3.6

Law Enforcement Monitoring Facility (LEMF)

The LEMF receives the interception product as Handover Information (HI) or HI2 for IRI and HI3 for CC. LEMF is out of scope.

5G target identifier info

5G identifiers in general

See 3GPP 23.003 document that defines the principal purpose and use of different naming, numbering, addressing and identification resources (i.e. Identifiers (ID)) within the digital cellular telecommunications system and the 3GPP system.

Identifier Acronym Full Identifier Defined in Meaning
SUPI Subscription Permanent Identifier 3GPP 23.501 § 5.9.2 A globally unique 5G Subscription Permanent Identifier (SUPI) shall be allocated to each subscriber in the 5G System and provisioned in the UDM/UDR. The SUPI is used only inside 3GPP system, and its privacy is specified in TS 33.501. The SUPI may contain:
  • an IMSI as defined in TS 23.003, or
  • a network-specific identifier, used for private networks as defined in TS 22.261
  • a GLI and an operator identifier of the 5GC operator, used for supporting FN-BRGs, as further described in TS 23.316
  • a GCI and an operator identifier of the 5GC operator, used for supporting FN-CRGs and 5G-CRG, as further described in TS 23.316

A SUPI containing a network-specific identifier shall take the form of a Network Access Identifier (NAI) using the NAI RFC 7542 based user identification as defined in TS 23.003.

When UE needs to indicate its SUPI to the network (e.g. as part of the Registration procedure), the UE provides the SUPI in concealed form as defined in TS 23.003.

In order to enable roaming scenarios, the SUPI shall contain the address of the home network (e.g. the MCC and MNC in the case of an IMSI based SUPI).

For interworking with the EPC, the SUPI allocated to the 3GPP UE shall always be based on an IMSI to enable the UE to present an IMSI to the EPC.

The usage of SUPI for W-5GAN is further specified in TS 23.316.

SUCI Subscription Concealed Identifier 3GPP 23.501 § 5.9.2a The Subscription Concealed Identifier (SUCI) is a privacy preserving identifier containing the concealed SUPI. It is specified in TS 33.501. The usage of SUCI for W-5GAN access is further specified in TS 23.316.
PEI Permanent Equipment Identifier 3GPP 23.501 § 5.9.3 A Permanent Equipment Identifier (PEI) is defined for the 3GPP UE accessing the 5G System.

The PEI can assume different formats for different UE types and use cases. The UE shall present the PEI to the network together with an indication of the PEI format being used.

If the UE supports at least one 3GPP access technology (i.e. NG-RAN, E-UTRAN, UTRAN or GERAN), the UE must be allocated a PEI in the IMEI or IMEISV format.

In the scope of this release, the PEI may be one of the following:

  • for UEs that support at least one 3GPP access technology, an IMEI or IMEISV, as defined in TS 23.003;
  • PEI used in the case of W-5GAN access as further specified in TS 23.316.
  • for UEs not supporting any 3GPP access technologies, the IEEE Extended Unique Identifier EUI-64 of the access technology the UE uses to connect to the 5GC.
5G-GUTI 5G Globally Unique Temporary Identifier 3GPP 23.501 § 5.9.4 The AMF shall allocate a 5G Globally Unique Temporary Identifier (5G-GUTI) to the UE that is common to both 3GPP and non-3GPP access. It shall be possible to use the same 5G-GUTI for accessing 3GPP access and non-3GPP access security context within the AMF for the given UE. An AMF may re-assign a new 5G-GUTI to the UE at any time. The AMF provides a new 5G-GUTI to the UE under the conditions specified in clause 6.12.3 in TS 33.501. When the UE is in CM-IDLE, the AMF may delay providing the UE with a new 5G-GUTI until the next NAS transaction.

The 5G-GUTI shall be structured as <5G-GUTI> := <GUAMI> <5G-TMSI> where GUAMI identifies one or more AMF(s).

When the GUAMI identifies only one AMF, the 5G-TMSI identifies the UE uniquely within the AMF. However, when AMF assigns a 5G-GUTI to the UE with a GUAMI value used by more than one AMF, the AMF shall ensure that the 5G-TMSI value used within the assigned 5G-GUTI is not already in use by the other AMF(s) sharing that GUAMI value.

The Globally Unique AMF ID (GUAMI) shall be structured as <GUAMI> := <MCC> <MNC> <AMF Region ID> <AMF Set ID> <AMF Pointer> where AMF Region ID identifies the region, AMF Set ID uniquely identifies the AMF Set within the AMF Region and AMF Pointer identifies one or more AMFs within the AMF Set.

NOTE 1: The AMF Region ID addresses the case that there are more AMFs in the network than the number of AMFs that can be supported by AMF Set ID and AMF Pointer by enabling operators to re-use the same AMF Set IDs and AMF Pointers in different regions.

NOTE 2: In the case of SNPNs, the PLMN IDs may be shared among SNPNs such that the constructed GUAMIs are not globally unique. However, PLMN ID and NID are provided together, separate from the GUAMI, to uniquely identify selected or supported SNPN in RRC and N2. NOTE 3: See TS 23.003 for details on the structure of the fields of GUAMI.

The 5G-S-TMSI is the shortened form of the GUTI to enable more efficient radio signalling procedures (e.g. during Paging and Service Request) and is defined as <5G-S-TMSI> := <AMF Set ID> <AMF Pointer> <5G-TMSI>

As specified in TS 38.304 and TS 36.304 for 3GPP access, the NG-RAN uses the 10 Least Significant Bits of the 5G-TMSI in the determination of the time at which different UEs are paged. Hence, the AMF shall ensure that the 10 Least Significant Bits of the 5G-TMSI are evenly distributed.

As specified in TS 38.331 and TS 36.331 for 3GPP access, the NG-RAN's RRC Connection Establishment's contention resolution process assumes that there is a low probability of the same 5G-TMSI being allocated by different AMFs to different UEs. The AMFs' process for allocating the 5G-TMSI should take this account. NOTE 4: To achieve this, the AMF could, for example, use a random seed number for any process it uses when choosing the UE's 5G-TMSI.

AMF Name 3GPP 23.501 § 5.9.5 An AMF is identified by an AMF Name. AMF Name is a globally unique FQDN, the structure of AMF Name FQDN is defined in TS 23.003]. An AMF can be configured with one or more GUAMIs. At a given time, GUAMI with distinct AMF Pointer value is associated to one AMF name only.
IGI Internal-Group Identifier 3GPP 23.501 § 5.9.7 The subscription data for an UE in UDR may associate the subscriber with groups. A group is identified by an Internal-Group Identifier.

NOTE 1: A UE can belong to a limited number of groups, the exact number is defined in stage 3 specifications.
NOTE 2: In this Release of the specification, the support of groups is only defined in non-roaming case.
The Internal-Group Identifier(s) corresponding to an UE are provided by the UDM to the SMF as part Session Management Subscription data and (when PCC applies to a PDU Session) by the SMF to the PCF. The SMF may use this information to apply local policies and to store this information in CDR. The PCF may use this information to enforce AF requests as described in clause 5.6.7. The Internal-Group Identifier(s) corresponding to an UE are provided by the UDM to the AMF as part of Access and Mobility Subscription data. The AMF may use this information to apply local policies (such as Group specific NAS level congestion control defined in clause 5.19.7.5).

GPSI Generic Public Subscription Identifier 3GPP 23.003 § 28.8 The Generic Public Subscription Identifier (GPSI) is defined in clause 5.9.8 of 3GPP TS 23.501.

The GPSI is defined as:

  • a GPSI type: in this release of the specification, it may indicate an MSISDN or an External Identifier; and
  • dependent on the value of the GPSI type:
  • an MSISDN as defined in clause 3.3; or
  • an External Identifier as defined in clause 19.7.2.

NOTE: Depending on the protocol used to convey the GPSI, the GPSI type can take different formats.

NAI Network Access Identifier Example
Email address
E164Number


Lawful interception (LI) at each network or service function and applicable target identifiers based on Release 16.6.0 (2020-12)

Target identifier AMF SMF/UPF UDM SMSF Location MMS Proxy-Relay ICF
SUPIIMSI
SUPINAI
PEIIMEI
PEIIMEISV
GPSIMSISDN
GPSINAI
PEI
GPSI
SUPI
E164Number
EmailAddress
IMPI
IMPU
IMSI
NAI
SUCI
5G-S-TMSI
5G-GUTI

IRI events

Network layer

AMF

The IRI-POI present in the AMF shall generate xIRI, when it detects the following specific events or information:

  • Registration.
  • Deregistration.
  • Location update.
  • Start of interception with already registered UE.
  • Unsuccessful communication related attempt.
  • A new identifier association for a UE matching one of the target identifiers is provided via LI_X1.
IRI Payload
IRI Record Type Field name Description Source
AMFRegistration location Location information determined by the network during the registration, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. 33.128 V17.0.0 § 6.2.2.2.2
AMFDeregistration location Location information determined by the network during the deregistration, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation), see Annex A. 33.128 V17.0.0 § 6.2.2.2.3
AMFLocationUpdate location Updated location information determined by the network. Depending on the service or message type from which the location information is extracted, it may be encoded in several forms (Annex A):
  1. as a userLocation parameter (location>locationInfo>userLocation) in the case the information is obtained from an NGAP message, except the LOCATION REPORT message (see TS 38.413 [23]);
  2. as a locationInfo parameter (location>locationInfo) in the case the information is obtained from a ProvideLocInfo (TS 29.518 [22], clause 6.4.6.2.6);
  3. as a locationPresenceReport parameter (location>locationPresenceReport) in the case the information is obtained from an AmfEventReport (TS 29.518 [22], clause 6.2.6.2.5) with event type Location-Report or Presence-In-AOI-Report;
  4. as a positionInfo parameter (location>positioningInfo>positionInfo) in the case the information is obtained from a ProvidePosInfo (TS 29.518 [22], clause 6.4.6.2.3) or a NotifiedPosInfo (TS 29.518 [22], clause 6.4.6.2.4).
33.128 V17.0.0 § 6.2.2.2.4
AMFStartOfInterceptionWithRegisteredUE location Location information, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. 33.128 V17.0.0 § 6.2.2.2.5
AMFUnsuccessfulProcedure location Location information determined during the procedure, if available. Encoded as a userLocation parameter (location>locationInfo>userLocation), see Annex A. 33.128 V17.0.0 § 6.2.2.2.6
AMFIdentifierAssociation location Location information available when identifier association occurs. Encoded as a userLocation parameter (location>locationInfo>userLocation) and, when Dual Connectivity is activated, as an additionalCellIDs parameter (location>locationInfo>additionalCellIDs), see Annex A. 33.128 V17.0.0 § 6.2.2.2.7

SMF/UPF

The IRI-POI present in the SMF/UPF shall generate xIRI, when it detects the following specific events or information:

  • PDU session establishment.
  • PDU session modification.
  • PDU session release.
  • Start of interception with an established PDU session.

SMSF

The IRI-POI present in the SMSF shall generate xIRI, when it detects the following specific events or information:

  • SMS message.

SIRF/NRF

The SIRF present in the NRF shall generate notifications over LI_SI when the SIRF detects the following specific events or information:

  • NF service registration.
  • NF service update.
  • NF service deregistration.
  • NF service chain change.

The NF service chain change notification shall be generated whenever an NF is added to or removed from a service chain in response to NF discovery and selection events.

Service layer

UDM

The IRI-POI present in the UDM shall generate xIRI, when the UDM detects the following specific events or information:

  • Serving system.
  • Subscriber record change.
  • Cancel location.
  • Location information request.

IMS Signaling Function

The IRI-POI present in the IMS Signaling Function generates the following xIRI:

  • Encapsulated SIP message.
  • CC unavailable in serving PLMN.
  • Start of interception with an established IMS session.

MMS Proxy-Relay

The IRI-POI present in the MMS Proxy-Relay shall generate xIRI, when it detects the following specific events or information:

  • An MMS message is sent by the target or sent to the target.

Push to Talk over Cellular (PTC)

The IRI-POI present in the PTC Server shall generate xIRI when it detects the following specific events or information:

  • PTC service registration.
  • PTC serving system.
  • PTC session initiation.
  • PTC session abandon.
  • PTC session start.
  • PTC session end.
  • PTC start of interception.
  • PTC pre-established Session.
  • PTC instant personal alert.
  • PTC party join.
  • PTC party drop.
  • PTC party hold.
  • PTC party retrieve.
  • PTC media modification.
  • PTC group advertisement.
  • PTC floor control.
  • PTC target presence.
  • PTC associate presence.
  • PTC list management.
  • PTC access policy.
  • PTC media type notification.
  • PTC encryption message.

CC

SMF/UPF

The CC-POI present in the UPF generates the xCC from the user plane packets and delivers the xCC (that includes the correlation number and the target identity) to the MDF3.

IMS Media Function

The IMS-based services are determined based on the deployment option, the network configuration, LI service scope and the IMS session including the roaming scenarios. Network functions that handle the media are referred to as IMS Media Functions and IMS Media Functions that act as CC-POI generate the xCC.

MMS

The MMS xCC is generated when the CC-POI in the MMS Proxy-Relay detects that CC related to an MMS message is either received from the target, sent to the target, or stored on behalf of the target.

PTC service

The CC-POI present in the PTC Server shall generate xCC.

5G location info notes

Cell site information can be manual or automatic. 33 127 and 33 128 discuss automatic reporting.

When automatic, when the cell identity is present within an xIRI the MDF2 that receives the xIRI may retrieve the cell site information for that cell from a CSP database and deliver the same to the LEMF either within the IRI message generated from the received xIRI or in a separate IRI message containing the MDFCellSiteReport record.

I recommend the separate IRI message containing the MDFcellSiteReport record, specifically, asynchronously requesting cell info from a CSP database and delivering original IRI to LEMF without delay or additional modification. Modifying an existing xIRI delays delivery of associated IRI and introduces additional processing steps to convert xIRI to IRI that increases the chances to introduce a software bug.

The MDFCellSiteReport record shall be delivered as an IRI REPORT (see ETSI TS 102 232-1 clause 5.2.10) and allocated the same CIN, if any, as the IRI message that caused the retrieval.

ASN.1 notes

The use of --... in my ASN.1 notes indicate portions of ASN.1 above or below are omitted. See 3GPP specification for full ASN.1.

Location Info

-- ===================
-- Location parameters
-- ===================

Location ::= SEQUENCE
{
    locationInfo                [1] LocationInfo OPTIONAL, 
    positioningInfo             [2] PositioningInfo OPTIONAL,  
    locationPresenceReport      [3] LocationPresenceReport OPTIONAL 
}

CellSiteInformation ::= SEQUENCE
{
    geographicalCoordinates     [1] GeographicalCoordinates,
    azimuth                     [2] INTEGER (0..359) OPTIONAL,
    operatorSpecificInformation [3] UTF8String OPTIONAL
}

-- TS 29.518 [22], clause 6.4.6.2.6
LocationInfo ::= SEQUENCE
{
    userLocation                [1] UserLocation OPTIONAL,
    currentLoc                  [2] BOOLEAN OPTIONAL, 
    geoInfo                     [3] GeographicArea OPTIONAL,
    rATType                     [4] RATType OPTIONAL,
    timeZone                    [5] TimeZone OPTIONAL,
    additionalCellIDs           [6] SEQUENCE OF CellInformation OPTIONAL
}

-- TS 29.571 [17], clause 5.4.4.7
UserLocation ::= SEQUENCE
{
    eUTRALocation               [1] EUTRALocation OPTIONAL,
    nRLocation                  [2] NRLocation OPTIONAL,
    n3GALocation                [3] N3GALocation OPTIONAL
}

MDF Cell Site Report

-- ===============
-- HI2 IRI payload
-- ===============

IRIPayload ::= SEQUENCE
{
    iRIPayloadOID       [1] RELATIVE-OID,
    event               [2] IRIEvent,
    targetIdentifiers   [3] SEQUENCE OF IRITargetIdentifier OPTIONAL
}

IRIEvent ::= CHOICE
{
    -- ...
    -- MDF-related events, see clause 7.3.4
    mDFCellSiteReport                                   [16] MDFCellSiteReport,
    -- ...
}
MDFCellSiteReport ::= SEQUENCE OF CellInformation

CellInformation ::= SEQUENCE 
{
    rANCGI                      [1] RANCGI,
    cellSiteinformation         [2] CellSiteInformation OPTIONAL,
    timeOfLocation              [3] Timestamp OPTIONAL
}

RANCGI ::= CHOICE
{
    eCGI                        [1] ECGI,
    nCGI                        [2] NCGI
}

CellSiteInformation ::= SEQUENCE
{
    geographicalCoordinates     [1] GeographicalCoordinates,
    azimuth                     [2] INTEGER (0..359) OPTIONAL,
    operatorSpecificInformation [3] UTF8String OPTIONAL
}

-- TS 29.572 [24], clause 6.1.6.2.4
GeographicalCoordinates ::= SEQUENCE
{
    latitude                            [1] UTF8String,
    longitude                           [2] UTF8String,
    mapDatumInformation                 [3] OGCURN OPTIONAL
}

-- TS 29.571 [17], clause 5.4.4.5
ECGI ::= SEQUENCE
{
    pLMNID                      [1] PLMNID,
    eUTRACellID                 [2] EUTRACellID,
    nID                         [3] NID OPTIONAL
}

-- TS 29.571 [17], clause 5.4.4.6
NCGI ::= SEQUENCE
{
    pLMNID                      [1] PLMNID,
    nRCellID                    [2] NRCellID,
    nID                         [3] NID OPTIONAL
}

PLMNID ::= SEQUENCE
{
    mCC [1] MCC,
    mNC [2] MNC
}

MCC ::= NumericString (SIZE(3))

MNC ::= NumericString (SIZE(2..3))

-- TS 38.413 [23], clause 9.3.1.9
EUTRACellID ::= BIT STRING (SIZE(28))

-- TS 38.413 [23], clause 9.3.1.7
NRCellID ::= BIT STRING (SIZE(36))

-- TS 23.003 [19], clause 12.7.1 encoded as per TS 29.571 [17], clause 5.4.2
NID ::= UTF8String (SIZE(11))

References

  • 33 127 § 7.3.4
  • 33 128 § 7.3.2

Identity functions

  • ICF Identifier Caching Function
  • IEF Identifier Event Function
  • IQF Identifier Query Function

For dedicated query, lookup and reporting, figure 5.7-1 shows the high-level architecture used to support identifier association query and response requirements. The Identifier Event Function (IEF) provides the Identifier Caching Function (ICF) with the events necessary to answer the identifier association queries from the IQF. LEAs are able to issue real-time queries to the Identifier Query Function (IQF), which in turn queries the ICF.

33.128 V16.6.0 § 5.2.7 Usage for realising LI_XEM1

For the purposes of realizing LI_XEM1 between the LIPF and an IEF, the LIPF plays the role of the ADMF as defined in ETSI TS 103 221-1 reference model (clause 4.2), and the IEF plays the role of the NE.

  • The IEF shall be enabled by sending the following ActivateTask message from the LIPF.
  • The IEF may be reconfigured to send identity associations to a different ICF using a ModifyTask message to modify the delivery destinations.
  • The IEF shall be disabled by sending the following DeactivateTask message from the LIPF.

Resources

5G NR Cell Global Identity Planning Info

My lawful interception notes