Cisco IOS XR System Security Configuration Guide for the Cisco XR 12000 Series Router

Implementing Lawful Intercept on Cisco IOS XR Software


Lawful intercept is the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order. Service providers worldwide are legally required to assist law enforcement agencies in conducting electronic surveillance in both circuit-switched and packet-mode networks.

Only authorized service provider personnel are permitted to process and configure lawfully authorized intercept orders. Network administrators and technicians are prohibited from obtaining knowledge of lawfully authorized intercept orders, or intercepts in progress. Error messages or program messages for intercepts installed in the router are not displayed on the console.

Feature History for Implementing Lawful Intercept on Cisco XR 12000 Series Router

Release        Modification
Release 3.7.0  This feature was introduced on the Cisco XR 12000 Series Router.
Release 3.8.0  Information erroneously stating that data interception was supported on the AAA RADIUS server was corrected.
Release 3.9.0  No modification.


Contents

Prerequisites for Implementing Lawful Intercept

Restrictions for Implementing Lawful Intercept

Information About Lawful Intercept Implementation

How to Configure SNMP v3 Access for Lawful Intercept on the Router

Additional References

Prerequisites for Implementing Lawful Intercept

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.

If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Lawful intercept implementation also requires that the following prerequisites are met:

Provisioned router—The Cisco XR 12000 Series Router must have already been provisioned. For information, see Cisco IOS XR Getting Started Guide.


Tip Provisioning a loopback interface has advantages over other interface types for the purpose of lawful intercept TAPs.


Understanding of SNMP Server commands in Cisco IOS XR software—Simple Network Management Protocol, version 3 (SNMP v3), which is the basis for lawful intercept enablement, is configured using commands described in the module SNMP Server Commands on Cisco IOS XR Software in Cisco IOS XR System Management Command Reference. To implement lawful intercept, you must understand how the SNMP server functions. For this reason, carefully review the information described in the module Implementing SNMP on Cisco IOS XR Software in Cisco IOS XR System Management Configuration Guide.

Lawful intercept must be explicitly disabled—It is automatically enabled on a provisioned router. However, you should not disable LI if there is an active TAP in progress, because this deletes the TAP.

Management plane configured to enable SNMPv3—Allows the management plane to accept SNMP commands, so that they go to the interface (preferably, a loopback) on the router. This allows the mediation device to communicate with a physical interface.

VACM views enabled for SNMP server—View-based access control model (VACM) views must be enabled on the router.

Provisioned mediation device—For detailed information, see the vendor documentation associated with your mediation device. For a list of mediation device equipment suppliers preferred by Cisco, see http://www.cisco.com/wwl/regaffairs/lawful_intercept/index.html.

VoIP surveillance-specific requirements:

Lawful-intercept-enabled call agent—A lawful-intercept-enabled call agent must support interfaces for communications with the mediation device (MD) to provide signaling information for the target of interest to the MD. The MD extracts the source and destination IP addresses and Real-Time Protocol (RTP) port numbers from the Session Description Protocol (SDP) signaling information for the target of interest. It uses these to form an SNMPv3 SET, which is sent to the router acting as the content Intercept Access Point (IAP) to provision the intercept for the target of interest.

The mediation device uses the CISCO-TAP2-MIB to set up the communications between the router acting as the content IAP and the MD.

The MD uses the CISCO-IP-TAP-MIB to set up the filter for the IP addresses and port numbers to be intercepted and derived from the SDP.

Routers to be used for calls by the target number that have been provisioned for this purpose through the MD

MD that has been provisioned with the target number to be intercepted

Data session surveillance-specific requirements:

Routers to be used by the data target that have been provisioned for this purpose through the MD

MD that has been provisioned with the user login ID, MAC address of the user CPE device, or the DSLAM physical location ID—The IP address is the binding most frequently used to identify the target in the network. However, alternative forms of information that uniquely identify the target in the network may be used in some network architectures. Such alternatives include the MAC address and the acct-session-id.

Restrictions for Implementing Lawful Intercept

Lawful intercept does not provide support for the following features in Cisco IOS XR Software Release 3.8.0:

RTP encapsulation

MAC-based interception

Multicast traffic

IPv6 traffic

Information About Lawful Intercept Implementation

Cisco lawful intercept is based on service-independent intercept (SII) architecture and SNMPv3 provisioning architecture. SNMPv3 addresses the requirements to authenticate data origin and ensure that the connection from the router to the MD is secure. This guarantees that unauthorized parties cannot forge an intercept target.

Lawful intercept offers the following capabilities:

Voice-over IP (VoIP) and data session intercept provisioning from the mediation device using SNMPv3

Delivery of intercepted VoIP and data session data to the mediation device

SNMPv3 lawful intercept provisioning interface

Lawful intercept MIB: CISCO-TAP2-MIB, version 2

CISCO-IP-TAP-MIB manages the Cisco intercept feature for IP and is used along with CISCO-TAP2-MIB to intercept IP traffic.

User datagram protocol (UDP) encapsulation to mediation device

Voice-over IP (VoIP) call intercept, based on any rules configured for received packets.

Voice-over IP (VoIP) intercept with LI-enabled call agent

Data session call intercept based on IP address

Provisioning for VoIP Calls

Lawful Intercept provisioning for VoIP occurs in the following ways:

Security and authentication are provided by SNMPv3, as configured by the user.

The mediation device provisions lawful intercept information using SNMPv3.

Network management occurs through the standard MIBs.

Call Interception

VoIP calls are intercepted as follows:

The mediation device uses configuration commands to configure the intercept on the call control entity.

The call control entity sends intercept-related information about the target to the mediation device.

The mediation device initiates call content intercept requests to the edge router or trunk gateway through SNMPv3.

The edge router or trunk gateway intercepts the call content, replicates it, and sends it to the mediation device in Packet Cable Electronic Surveillance UDP format. Specifically, the original packet starting at the first byte of the IP header is prepended with a four-byte CCCID supplied by the mediation device in TAP2-MIB. It is then put into a UDP frame with the destination address and port of the mediation device.

After replicated VoIP packets are sent to the mediation device, the mediation device then forwards a copy to a law-enforcement-agency-owned collection function, using a recognized standard.

Provisioning for Data Sessions

Provisioning for data sessions works much as it does for VoIP calls. (See Provisioning for VoIP Calls.)

Data Interception

Data are intercepted as follows:

If a lawful intercept-enabled authentication or accounting server is not available, a sniffer device can be used to detect the presence of the target in the network.

The mediation device uses configuration commands to configure the intercept on the sniffer.

The sniffer device sends intercept-related information about the target to the mediation device.

The mediation device initiates communication content intercept requests to the edge router using SNMPv3.

The edge router intercepts the communication content, replicates it, and sends it to the mediation device in UDP format.

Intercepted data sessions are sent from the mediation device to the collection function of the law enforcement agency, using a supported delivery standard for lawful intercept.
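The content delivery format described under Call Interception, and reused for data sessions above, is a 4-byte CCCID prepended to the replicated IP packet and carried in a UDP datagram to the mediation device. The following is an added example (not Cisco code) that builds that payload on the router side and parses and validates it on the MD side; the sample packet, the MD port number and the CCCID value are constructed for illustration.

```python
import struct
from typing import Set, Tuple

# Constructed stand-in for an intercepted packet: a 20-byte IPv4 header (total
# length 36, protocol UDP) carrying an 8-byte UDP header and 8 bytes of payload.
# Not captured from any network.
SAMPLE_IP_PACKET = bytes.fromhex(
    "45000024" "00010000" "40110000"      # ver/IHL, TOS, total len, id, flags, TTL, proto, csum
    "c0a80101" "c0a80102"                 # src 192.168.1.1, dst 192.168.1.2
    "04d2162e" "00100000"                 # inner UDP: ports 1234 -> 5678, len 16, csum 0
) + b"RTP-data"

MD_CONTENT_PORT = 5000  # assumed content delivery port on the MD (placeholder value)


def encapsulate(cccid: int, ip_packet: bytes) -> bytes:
    """Router side: prepend the 4-byte CCCID the MD supplied via CISCO-TAP2-MIB to the
    replicated packet, starting from the first byte of its IP header."""
    if not 0 <= cccid <= 0xFFFFFFFF:
        raise ValueError("CCCID must be a 32-bit value")
    return struct.pack("!I", cccid) + ip_packet


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Wrap the content payload in a UDP header addressed to the MD's port.
    The checksum is left at 0, which UDP over IPv4 permits."""
    length = 8 + len(payload)
    if length > 0xFFFF:
        raise ValueError("payload too large for a single UDP datagram")
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def decapsulate(datagram: bytes, md_port: int, provisioned: Set[int]) -> Tuple[int, bytes]:
    """MD side: validate the UDP header, check the CCCID against the intercepts this MD
    actually provisioned, and return (cccid, original IP packet). Rejecting unknown
    CCCIDs is how the MD notices content it never asked for."""
    if len(datagram) < 8 + 4 + 20:
        raise ValueError("datagram too short for UDP header, CCCID and IPv4 header")
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != md_port or length != len(datagram):
        raise ValueError("UDP header does not match the MD delivery port/length")
    (cccid,) = struct.unpack("!I", datagram[8:12])
    if cccid not in provisioned:
        raise ValueError(f"CCCID {cccid:#x} was not provisioned on this MD")
    ip_packet = datagram[12:]
    if ip_packet[0] >> 4 != 4:
        raise ValueError("only IPv4 content is supported in this release")
    (total_len,) = struct.unpack("!H", ip_packet[2:4])
    if total_len != len(ip_packet):
        raise ValueError("IP total length does not match the delivered bytes")
    return cccid, ip_packet


if __name__ == "__main__":
    wire = udp_datagram(40000, MD_CONTENT_PORT, encapsulate(0x2A, SAMPLE_IP_PACKET))
    print(decapsulate(wire, MD_CONTENT_PORT, {0x2A}))
```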

Information About the Mediation Device

The mediation device performs the following tasks:

Activates the intercept at the authorized time and removes it when the authorized time period has elapsed.

Periodically audits the elements in the network to ensure that all authorized intercepts are in place and that only authorized intercepts are in place.

Lawful Intercept Topology

The following illustration shows intercept access points and interfaces in a lawful intercept topology for both voice and data interception (Figure 1).

Figure 1 Lawful Intercept Topology for Both Voice and Data Interception

How to Configure SNMP v3 Access for Lawful Intercept on the Router

Perform the following procedures in the order presented to configure Management Plane Protection (MPP) and SNMP for the purpose of lawful intercept enablement:

Disabling Lawful Intercept

Configuring the Inband Management Plane Protection Feature (Optional)

Enabling the Mediation Device to Intercept VoIP and Data Sessions (Required)

Disabling Lawful Intercept

LI is enabled by default on each supported router.

To disable LI, enter the command lawful-intercept disable in global configuration mode.

To reenable it, use the no form of this command.


Note Do not disable LI if there is an active TAP, or the TAP will be deleted.


Configuring the Inband Management Plane Protection Feature

You do not need to configure the MPP feature to enable the SNMP server to communicate with the mediation device for the purpose of lawful intercept unless you have previously configured MPP to work with any other protocol. In such a case only, you must specifically configure MPP as an inband interface to allow SNMP commands to be accepted by the router, using a specified interface or using all interfaces.


Note If you have recently migrated to Cisco IOS XR software from Cisco IOS and you had MPP configured for a given protocol, you may still need to perform this task.


For the purpose of lawful intercept, a loopback interface is often the destination of choice for SNMP messages. If you choose this interface type, you must include it in your inband management configuration.

For the configuration procedure, see the "Configuring a Device for Management Plane Protection for an Inband Interface" section. For an LI-related example of this, see Configuring the Inband Management Plane Protection Feature: Example.

For a more detailed discussion of the Inband Management Interface, see the "Inband Management Interface" section.

Enabling the Mediation Device to Intercept VoIP and Data Sessions

The following SNMP server configuration tasks enable the Cisco SII feature on a router running Cisco IOS XR software by allowing the mediation device to intercept VoIP or data sessions.

SUMMARY STEPS

1. configure

2. snmp-server view view-name ciscoTap2MIB included

3. snmp-server view view-name ciscoIpTapMIB included

4. snmp-server view view-name snmpTrapOID

5. snmp-server view view-name sysUpTime

6. snmp-server group group-name v3 auth read view-name write view-name notify view-name

7. snmp-server host ip-address traps version 3 priv username udp-port port-number

8. snmp-server user mduser-id groupname v3 auth md5 md-password

9. end or commit

10. show snmp users

11. show snmp group

12. show snmp view

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters configuration mode.

Step 2 

snmp-server view view-name ciscoTap2MIB included

Example:

RP/0/0/CPU0:router(config)# snmp-server view TapName ciscoTap2MIB included

Creates or modifies a view record and includes the CISCO-TAP2-MIB family.

Step 3 

snmp-server view view-name ciscoIpTapMIB included

Example:

RP/0/0/CPU0:router(config)# snmp-server view TapName ciscoIpTapMIB included

Creates or modifies a view record and includes the CISCO-IP-TAP-MIB family.

Step 4 

snmp-server view view-name snmpTrapOID

Example:

RP/0/0/CPU0:router(config)# snmp-server view TapName snmpTrapOID

Creates or modifies a view record and includes snmpTrapOID.

Step 5 

snmp-server view view-name sysUpTime

Example:

RP/0/0/CPU0:router(config)# snmp-server view TapName sysUpTime

Creates or modifies a view record and includes sysUpTime.

Step 6 

snmp-server group group-name v3 auth read view-name write view-name notify view-name

Example:

RP/0/0/CPU0:router(config)# snmp-server group TapGroup v3 auth read TapName write TapName notify TapName

Configures a new SNMP group, or a table that maps SNMP users to SNMP views. This group should have read, write, and notify privileges for the SNMP view.

Step 7 

snmp-server host ip-address traps version 3 priv username udp-port port-number

Example:

RP/0/0/CPU0:router(config)# snmp-server host 223.255.254.224 traps version 3 priv bgreen udp-port 2555

Specifies SNMP trap notifications, the version of SNMP to use, the security level of the notifications, and the recipient (host) of the notifications.

Step 8 

snmp-server user mduser-id groupname v3 auth md5 md-password

Example:

RP/0/0/CPU0:router(config)# snmp-server user mduser-id TapGroup v3 auth md5 mdpassword

Configures the mediation device user as part of an SNMP group, using the v3 security model and the HMAC MD5 algorithm, which you associate with the mediation device password.

The mduser-id and mdpassword must match the values configured on the MD; equivalently, the MD must be configured with the values in use on the router.

Passwords must be eight characters or longer to comply with SNMPv3 security minimums.

Minimum LI security level is auth; noauth will not work. The LI security level must also match that of the MD.

Choices other than MD5 are available on the router, but the MD values must match.

Most MDs default to or support only MD5.

Step 9 

end

or

commit

Example:

RP/0/0/CPU0:router(config)# end

or

RP/0/0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 10 

show snmp users

Example:

RP/0/0/CPU0:router# show snmp users

Displays information about each SNMP username in the SNMP user table.

Step 11 

show snmp group

Example:

RP/0/0/CPU0:router# show snmp group

Displays information about each SNMP group on the network.

Step 12 

show snmp view

Example:

RP/0/0/CPU0:router# show snmp view

Displays information about the configured views, including the associated MIB view family name, storage type, and status.
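Steps 2 through 8 only work as a whole if the view, group and user lines agree with each other and meet the constraints in the Step 8 notes (security level at least auth, password of eight or more characters, both TAP MIB families in the view). The following is an added example (not Cisco code) that audits a captured set of snmp-server lines against those rules; the configuration text is constructed and deliberately contains the defects the notes warn about.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on Steps 2-8 of this procedure (not a real device config).
# It deliberately contains the defects the step notes warn about: the group is at
# security level noauth, it refers to a view that was never defined, and the MD
# user's password is shorter than eight characters.
SAMPLE_CONFIG = """
snmp-server view TapName ciscoTap2MIB included
snmp-server view TapName ciscoIpTapMIB included
snmp-server view TapName snmpTrapOID included
snmp-server view TapName sysUpTime included
snmp-server group TapGroup v3 noauth read TapView write TapView notify TapView
snmp-server user mduser TapGroup v3 auth md5 short
"""

# Both MIB families must be in the view the MD's group reads and writes.
REQUIRED_FAMILIES = {"ciscoTap2MIB", "ciscoIpTapMIB"}

VIEW_RE = re.compile(r"snmp-server view (\S+) (\S+)(?: (included|excluded))?$")
GROUP_RE = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)"
                      r"(?: read (\S+))?(?: write (\S+))?(?: notify (\S+))?$")
USER_RE = re.compile(r"snmp-server user (\S+) (\S+) v3(?: auth (md5|sha) (\S+))?")


def audit_li_snmp_config(config: str) -> List[str]:
    """Check the view/group/user lines of an IOS XR SNMPv3 configuration against the
    lawful-intercept requirements stated in this procedure. Returns a list of findings;
    an empty list means the configuration is consistent."""
    views: Dict[str, Set[str]] = {}
    groups: Dict[str, dict] = {}
    users: List[dict] = []
    for raw in config.splitlines():
        line = raw.strip()
        if (m := VIEW_RE.match(line)):
            if m.group(3) != "excluded":
                views.setdefault(m.group(1), set()).add(m.group(2))
        elif (m := GROUP_RE.match(line)):
            groups[m.group(1)] = {"level": m.group(2),
                                  "views": {v for v in m.group(3, 4, 5) if v}}
        elif (m := USER_RE.match(line)):
            users.append({"name": m.group(1), "group": m.group(2),
                          "auth": m.group(3), "password": m.group(4)})

    findings: List[str] = []
    for name, g in groups.items():
        if g["level"] == "noauth":
            findings.append(f"group {name}: security level noauth; LI needs at least auth")
        for v in sorted(g["views"]):
            if v not in views:
                findings.append(f"group {name}: view {v} is referenced but never defined")
            elif REQUIRED_FAMILIES - views[v]:
                missing = ", ".join(sorted(REQUIRED_FAMILIES - views[v]))
                findings.append(f"view {v}: missing MIB family {missing}")
    for u in users:
        if u["group"] not in groups:
            findings.append(f"user {u['name']}: group {u['group']} is not defined")
        if u["auth"] is None:
            findings.append(f"user {u['name']}: no auth protocol; noauth will not work for LI")
        elif len(u["password"]) < 8:
            findings.append(f"user {u['name']}: password shorter than eight characters")
    return findings


if __name__ == "__main__":
    for finding in audit_li_snmp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```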

Configuration Example for Inbound Management Plane Feature Enablement

The following example illustrates how to enable the MPP feature, which is disabled by default, for the purpose of lawful intercept.

Configuring the Inband Management Plane Protection Feature: Example

You must specifically enable management activities either globally or on a per-inband-port basis using the following procedure. In other words, to globally enable inbound MPP, you would use the keyword all with the interface command, rather than using a particular interface type and instance ID with it.

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# control-plane
RP/0/0/CPU0:router(config-ctrl)# management-plane
RP/0/0/CPU0:router(config-mpp)# inband
RP/0/0/CPU0:router(config-mpp-inband)# interface loopback0
RP/0/0/CPU0:router(config-mpp-inband-Loopback0)# allow snmp
RP/0/0/CPU0:router(config-mpp-inband-Loopback0)# commit
RP/0/0/CPU0:router(config-mpp-inband-Loopback0)# exit
RP/0/0/CPU0:router(config-mpp-inband)# exit
RP/0/0/CPU0:router(config-mpp)# exit
RP/0/0/CPU0:router(config-ctrl)# exit
RP/0/0/CPU0:router(config)# exit
RP/0/0/CPU0:router# show mgmt-plane inband interface loopback0

Management Plane Protection - inband interface

interface - Loopback0
        snmp configured -
                All peers allowed

Additional References

The following sections provide references related to implementing lawful intercept.

Related Documents

Related Topic                                        Document Title
Lawful Intercept commands on Cisco IOS XR software   Cisco IOS XR System Security Command Reference
Implementing SNMP on Cisco IOS XR software           Cisco IOS XR System Management Configuration Guide
SNMP Server commands on Cisco IOS XR software        Cisco IOS XR System Management Command Reference


Standards

Standard: A modular, open architecture designed for simple implementation that easily interacts with third-party equipment to meet service provider lawful intercept requirements.
Title: See RFC-3924 under RFCs.

Standard: An application layer protocol that facilitates the exchange of management information between network devices. Part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite.
Title: Simple Network Management Protocol Version 3 (SNMPv3)


MIBs

MIBs                        MIBs Link
CISCO-TAP2-MIB, version 2   To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
CISCO-IP-TAP-MIB


RFCs

RFCs       Title
RFC-3924   Cisco Architecture for Lawful Intercept in IP Networks


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport