Lawful Intercept (LI) in 5G System

5G, 5G Core, 5G Network Architectures, 6G

Lawful Interception

For any Service Provider/Wireless Operator Lawful Interception (LI) is one of the must satisfy regulatory requirements and a legal obligation towards the Law Enforcement Agencies and Government Authorities. Lawful Intercept allows appropriate authorities to perform interception of communication traffic for specific users. In this blog, we will discuss on a brief and high level to complete the overall 5G System functionalities w.r.t. 3GPP LI standards

3GPP Definition for Lawful Intercept (LI)

  • As per 3GPP standards, Lawful Intercept (LI) is currently defined as: “Laws of individual nations and regional institutions, and sometimes licensing and operating conditions, define a need to intercept targeted communications traffic and related information in communication systems. Lawful Interception applies in accordance with applicable national or regional laws and technical regulations.”

Lawful Intercept (LI) Requirements

3GPP standard TS 33.126,  Lawful Interception Requirements has described requirements. At high level, LI function does not place requirements on how a system should be built. Their requirement is that

  • 5G Network shall allow legal authorities to get the necessary information from the 5G networks via legal means, according to specific security requirements, without disruption of the normal mode of operations and without jeopardizing the privacy of communications not to be intercepted
  • LI allows appropriate authorities to perform interception of communication traffic for specific user(s) and this includes activation (requiring a legal document such as a warrant), deactivation, interrogation, and invocation procedures
  • LI functions must operate without being detected by the person whose information is being intercepted and other unauthorized
  • As LI has regional jurisdiction, national regulations may define specific requirements on how to handle the user’s location and interception across boundaries.

5G Architecture for Lawful Intercept

A simplified view of the Lawful Intercept architecture for the 5G system is shown in below figure. We can define this architecture into two domain namely Service Provide Domain and Law Enforcement Domain.

The service provider domain consist of 5G RAN, 5G Core network and some addition functions like Administration Function (ADMF) and Mediation and Delivery Function (MDF), where as the Law Enforcement Domain includes Law Enforcement Agency (LEA) and Law Enforcement Monitoring Facility (LEMF).  Here we will discuss only functions which are related to Lawful Intercept.

lawful interception

  • Law Enforcement Agency (LEA) which in general is the one that submits the warrant to the Service Provider for the Users Interception
  • Administration Function (ADMF) is responsible for the overall management/control plane of the LI system. ADMF uses the LI_X1 interface toward the 5G Core Network Functions (NFs) for managing the LI functionality
  • Mediation and Delivery Function (MDF) delivers the interception reports to the Law Enforcement Monitoring Facility (LEMF)
  • Law Enforcement Monitoring Facility (LEMF) is the entity receiving the Interception Reports. The LEMF is not specified
  • Point of Interest (POI) is functionality that detects the target communication, derives the intercept related information or communications content from the target communications and delivers the output to the MDF. The POI is located in the relevant 5G Core NFs as shown in above figure. The POI uses the LI_X2 and LI_X3 interfaces for delivering the interception reports to MDF.

Intercept-Related Information (IRI) from 5GC NFs

Intercept-related information also referred to as Events are triggered by activities detected at the Network Function and provided to the LI. The IRI Event are generated based on SUCI or PEI or GPSI (Generic Public Subscription Identifier) Identities.

  • IRI Event applicable to the AMF are:
    • Registration
    • Deregistration
    • Location update
    • Start of interception with already registered UE.
    • Unsuccessful communication attempt.
  • IRI Event applicable to SMF/UPF include:
    • PDU Session establishment
    • PDU Session modification
    • PDU Session release
    • Start of interception with an established PDU Session

Using above information Target identity, Time stamp, Correlation information, Location information, Session related information is provided to Law Enforcement Facility via MDF function.


Related Topics: