
Lawful Intercept on Cisco AS5000 Series Universal Gateways Feature Module


Table Of Contents

Lawful Intercept on Cisco AS5000 Series Universal Gateways - Feature Module

Overview

Cisco Lawful Intercept Implementation

LI for VoIP

Provisioning for LI for VoIP

Intercepting VoIP Calls

LI for Dial Calls

Provisioning LI for Dial Calls

Intercepting Dial Calls

Feature Descriptions

SNMPv3 LI Provisioning Interface

VoIP LI Provisioning TAP-MIB

Dial LI Provisioning TAP-MIB

Secured Intercept Content Delivery

Content Delivery Transport Protocols

LI Topology

SNMP v3 Access for LI

Further Information

Mediation Device Provisioning

Access Function Provisioning

Router Access Function Configuration

Call Agent Access Function Configuration

Surveillance Function Provisioning

Collection Function Provisioning

Call Agent Provisioning

Mediation Device Events

Glossary


Lawful Intercept on Cisco AS5000 Series Universal Gateways - Feature Module


Rev. B0, January 31, 2006

Release Date: December 11, 2005

Overview

This feature module describes the Lawful Intercept (LI) functionality as it is implemented on the Cisco AS5350, AS5400, AS5400HPX, AS5400XM, and AS5850 universal gateways.

Lawful Intercept is the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order.

Service providers worldwide are already legally required to allow government agencies to conduct electronic surveillance on traditional telephone equipment. Lawful Intercept enables government agencies to conduct electronic surveillance on packet networks as well.


Note Network management is the same as without Lawful Intercept. No difference is observable by management stations in the network. This ensures that unauthorized users cannot tell which nodes have Lawful Intercept enabled.


The Cisco implementation of LI is based on Service Independent Intercept (SII) architecture and Simple Network Management Protocol Version 3 (SNMP V3) provisioning architecture.

Cisco SII architecture supports LI with the following features:

Standard architecture for all IP networks.

Intercept control is performed by the mediation device instead of by call control equipment.

LI control is separated from call control.

Common interfaces are defined for the mediation device and for call control partners.

The Cisco AS5000 series universal gateways support LI under SII architecture with the following features:

VoIP legal intercept provisioning from the mediation device using SNMPv3

Dial legal intercept provisioning from the mediation device using SNMPv3

Deliver intercepted voice data to the mediation device

Deliver intercepted dial data to the mediation device

SNMPv3 LI provisioning interface

Cisco LI MIBs: TAP2-MIB, IP-TAP-MIB and USER-CONNECTION-TAP-MIB

Secure Internet Protocol (IPsec)

User Datagram Protocol (UDP)

Real-time Transport Protocol with NAK Oriented Retransmission (RTP-NOR)

Deliver intercepted data (voice or dial) with either UDP or RTP-NOR encapsulation

VoIP call intercept based on media gateway local IP address and UDP port number

VoIP intercept with MGCP

Dial call intercept based on account session ID

Dial intercept for PPP, multi-link PPP and Exec/TCP-clear sessions

Cisco Lawful Intercept Implementation

There are two types of Cisco lawful intercepts (LI) on the AS5000 platforms:

LI for VoIP calls

LI for dial calls

For IOS Release 12.3(6th)T, only the Cisco AS5350, AS5400, AS5400HPX, and AS5400XM universal gateways support Lawful Intercept (LI) on both dial calls and Voice over IP (VoIP). The Cisco AS5850 supports LI only on VoIP.

For IOS Release 12.4(2)T, the Cisco AS5350, AS5400, AS5400HPX, AS5400XM, and AS5850 universal gateways all support LI on both dial calls and VoIP.


Note Cisco LI is supported only on the k9u2 software images.


LI for VoIP

Cisco implements LI for VoIP calls under SII architecture and SNMP V3 provisioning architecture. The mediation device provisions the intercept on the gateway using SNMPv3. The gateway intercepts the target VoIP calls and sends the intercepted data to the mediation device.

Before provisioning LI for VoIP can be done, the LI administrator must perform the following tasks.

Provision the target number to be intercepted

Register the gateways used in the target number's calls

Provision DNS on the SS8 mediation device

Provisioning for LI for VoIP

Provisioning for LI for VoIP is done as follows:

The mediation device provisions LI information on an AS5000 gateway through SNMPv3.

Security and authentication are done as defined by SNMPv3.

Network management is done using the modified IP-TAP-MIB and the TAP2-MIB.

Mid-call LI provisioning allows an intercept to be provisioned and enabled or disabled while the call is active.

Intercepting VoIP Calls

VoIP calls are intercepted as follows:

1. The mediation device uses configuration commands to configure the intercept on the call control entity.

2. The call control entity sends intercept-related information about the target to the mediation device.

3. The mediation device initiates call content intercept requests to the edge router or trunk gateway using SNMPv3.

4. The edge router or trunk gateway intercepts the call content, replicates it, and sends it to the mediation device in either packet cable UDP format or RTP-NOR format.

Content Delivery of Intercepted VoIP Calls

Content of intercepted VoIP is transmitted as follows:

In IP datagram format

Over an interface with a mediation device through IPsec

Using UDP and RTP-NOR transports

LI for Dial Calls

Cisco implements LI for dial calls using SII architecture and SNMP V3 provisioning architecture.

Before provisioning LI for dial calls can be done, the LI administrator must perform the following tasks.

Provision the target number to be intercepted

Register the gateways used in the target number's calls

Provision DNS on the SS8 mediation device

Provisioning LI for Dial Calls

Provisioning for LI for dial calls is done as follows:

The mediation device provisions the LI information on an AS5000 gateway through SNMPv3.

Security and authentication are done as defined by SNMPv3.

Network Management is done using the TAP2-MIB and USER-CONNECTION-TAP-MIB.

Mid-call LI provisioning allows an intercept to be provisioned, enabled, or disabled while the call is active.

Intercepting Dial Calls

Dial calls are intercepted as follows:

1. A sniffer device is used to sniff all RADIUS messages between the gateway and the RADIUS server.


Note Cisco provides the TopLayer sniffer from SS8.


2. The mediation device uses configuration commands to configure the intercept on the sniffer.

3. The sniffer device sends intercept-related information about the target to the mediation device.

4. The mediation device initiates communication content intercept requests to the edge router or access server using SNMPv3.

5. The edge router or access server intercepts the communication content, replicates it, and sends it to the mediation device in either packet cable UDP format or RTP-NOR format.

Content Delivery of Intercepted Dial Calls

Content of intercepted dial calls is transmitted as follows:

In IP datagram format

Over an interface with a mediation device through IPsec

Using UDP and RTP-NOR transports

Feature Descriptions

This section describes the individual LI features that are implemented on the Cisco AS5000 series universal gateways.

SNMPv3 LI Provisioning Interface

SNMPv3 is the provisioning interface for the Cisco AS5000 series implementation of LI. SNMPv3 provides data origin authentication and secure connections. The law requires authentication and security so that unauthorized parties cannot observe or forge an intercept target.

VoIP LI Provisioning TAP-MIB

VoIP LI provisioning is based on the local media gateway IP address and the UDP port. The mediation device uses the TAP2-MIB and IP-TAP-MIB to provision VoIP intercepts. In VoIP LI provisioning, an intercept can be enabled or disabled in the middle of a voice call.

Dial LI Provisioning TAP-MIB

Dial LI provisioning does not use fixed IP addresses; the IP addresses are assigned dynamically. The mediation device uses the TAP2-MIB and USER-CONNECTION-TAP-MIB to provision dial intercepts. The USER-CONNECTION-TAP-MIB has an account session ID object, which is unique for each dial call. In dial LI provisioning, an intercept can be enabled or disabled in the middle of a call.

Secured Intercept Content Delivery

Secured Internet Protocol (IPsec) is used on the interface with the mediation device to deliver intercepted call content. IPsec ensures that the call content is coming from a trusted, reliable network access server or media gateway.

Content Delivery Transport Protocols

The AS5000 platform supports the following two types of content delivery transport protocols, which are available on both digital and modem data calls:

User Datagram Protocol (UDP)

Real-time Transport Protocol with NAK Oriented Retransmission (RTP-NOR). RTP-NOR is provided when delivery reliability must be guaranteed.

The content of the following types of calls can be intercepted and delivered to the mediation device.

VoIP

Basic PPP

PPP callback

Multi-link PPP

Multi-chassis multi-link PPP

L2TP and Exec/TCP-clear

LI Topology

Figure 1 shows where a Cisco AS5000 series VoIP Media Gateway should be connected in a network with Cisco SII architecture.

Figure 2 shows where a Cisco AS5000 series Dial Access Server should be connected in a network with Cisco SII architecture.

Figure 1 Voice Media Gateway Topology in Cisco SII Architecture

Figure 2 Dial Access Server Topology in Cisco SII Architecture

The following components are used in the network topology for a VoIP LI solution:

MGCP call agent

Mediation device, such as SS8 or Verint

AS5000 series Media Gateway

The MGCP call agent must support the interface with the mediation device so that it can provide the SDP signaling information. The mediation device extracts the intercept target's local IP address and UDP port from the SDP signaling information and uses them for SNMPv3 LI provisioning. As long as the mediation device can use TAP2-MIB and IP-TAP-MIB to provision an intercept, the media gateway will be able to intercept the call.


Note Currently, PGW and BTS are the only two MGCP call agents that are supported.


The following components are used in the network topology for a dial LI solution:

AAA radius server

TopLayer sniffer device

Mediation device (Cisco recommends SS8)

AS5000 series dial access server

For the dial LI solution, the sniffer device software caches the RADIUS server information. The mediation device obtains the LI provisioning information (such as the account session ID) from the sniffer. The mediation device provisions the intercept through the SNMPv3 interface using the TAP2-MIB and the USER-CONNECTION-TAP-MIB. The intercepted content is delivered to the mediation device through an IPsec interface.

SNMP v3 Access for LI

SNMP v3 Access for LI is configured on the router. The configuration commands to set up SNMP v3 access are as follows:


Note The following configuration commands can be saved into NVRAM and do not need to be entered every time the system boots up.


router(config)#snmp-server group group3 v3 auth read view3 write view3 notify view3 
router(config)#snmp-server view view3 ciscoTap2MIB included
router(config)#snmp-server view view3 ciscoIpTapMIB included
router(config)#snmp-server view view3 ciscoUserConnectionTapMIB included
router(config)#snmp-server enable traps tty

The following configuration command is not saved in NVRAM and must be entered every time the gateway boots up:

router(config)#snmp-server user SS8user group3 v3 auth md5 cisco

In the above example, group3 is an SNMP v3 group that can access the three MIBs specified in read/write mode. SS8user is a user that belongs to group3 and can provision the specified MIBs securely. You can change SS8user and group3 to whatever names you want.
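The following script is an added example, not part of the original feature module: it parses the SNMPv3 commands shown above (as they would be gathered from a gateway) and reports any v3 group that can write the three LI MIBs without authentication, or whose write view reaches beyond them. The sample configurations, the group and user names in the weak variant, and the treatment of iso as a catch-all parent subtree are constructed assumptions.

```python
import re

# Constructed sample of the SNMPv3 LI access commands from the page (hypothetical input).
LI_CONFIG = """\
snmp-server group group3 v3 auth read view3 write view3 notify view3
snmp-server view view3 ciscoTap2MIB included
snmp-server view view3 ciscoIpTapMIB included
snmp-server view view3 ciscoUserConnectionTapMIB included
snmp-server user SS8user group3 v3 auth md5 cisco
"""
# Constructed weak variant: no authentication, and a write view of the whole tree.
WEAK_CONFIG = """\
snmp-server group limgmt v3 noauth read all write all
snmp-server view all iso included
snmp-server user liusr limgmt v3
"""
LI_MIBS = {"ciscoTap2MIB", "ciscoIpTapMIB", "ciscoUserConnectionTapMIB"}
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3(?: (auth)\b)?")

def parse_snmp_config(text):
    """Collect v3 groups (security level, write view), view contents and users."""
    groups, views, users = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            name, level, rest = m.groups()
            w = re.search(r"\bwrite (\S+)", rest)
            groups[name] = {"level": level, "write": w.group(1) if w else None}
        elif m := VIEW_RE.match(line):
            view, subtree, mode = m.groups()
            if mode == "included":
                views.setdefault(view, set()).add(subtree)
        elif m := USER_RE.match(line):
            user, group, level = m.groups()
            users[user] = {"group": group, "level": level or "noauth"}
    return groups, views, users

def audit_li_access(text):
    """Findings for v3 groups whose write view reaches the LI MIBs (directly or via iso)."""
    groups, views, users = parse_snmp_config(text)
    findings = []
    for gname, g in groups.items():
        subtrees = views.get(g["write"], set())
        if not (subtrees & LI_MIBS) and "iso" not in subtrees:
            continue  # this group cannot write the LI MIBs at all
        if g["level"] == "noauth":
            findings.append(f"group {gname}: LI MIBs writable without authentication")
        if subtrees - LI_MIBS:
            findings.append(f"group {gname}: write view {g['write']} is wider than the LI MIBs")
        for uname, u in users.items():
            if u["group"] == gname and u["level"] == "noauth":
                findings.append(f"user {uname}: no authentication on an LI-capable group")
    return findings
```

Because the snmp-server user command is not saved in NVRAM, the user line has to be collected from the gateway at run time (for example from the show snmp user output) rather than from the startup configuration.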

Further Information

For more information on Cisco Lawful Intercept (LI), go to the following URL:

http://www.cisco.com/en/US/partner/tech/tk583/tk799/technologies_design_guide09186a00801b42ff.shtml

For information on how to configure a Cisco Media Gateway Controller (MGC), go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/sc/rel9/swinstl/3ins_cfg.htm#wp1464984

Mediation Device Provisioning

Typically, AS5000 Universal Gateway provisioning is done on the mediation device by the mediation device vendor. In this case, the SS8 mediation device is used as an example.

The SS8 mediation device vendor must provision the following three functions to complete LI provisioning on the SS8 mediation device for an AS5000 Universal Gateway:

Access Function Provisioning

Surveillance Function Provisioning

Collection Function Provisioning

Access Function Provisioning

The SS8 mediation device vendor must verify that the following information in the SS8 Access Function Table for Broadband Telephony Softswitch (BTS) is populated with the correct data as shown in the examples in Figure 3:

Access Function Configuration

Access Function Provisioning Interface

Access Function Radius Interface

Access Function BTS10200 Provisioning Interface

Access Function SNMPv3 Interface

On the SS8 mediation device main page, select the Access button as shown in Figure 3.

Figure 3 SS8 Main Page with Access Selected

When you select the Access button, the Access Function Configuration table appears as shown in Figure 4.

Figure 4 Access Function Configuration Table

Router Access Function Configuration

In the Access Function Configuration table, manually set the following fields for each router in the surveillance path as shown in the example in Figure 4:

Router name

IP Address

Port (always 161 for routers)

Req State

State

Username (same as SNMP username)

Security Value

Call Agent Access Function Configuration

In the Access Function Configuration table, manually set the following fields for the call agent as shown in the example in Figure 5:

Domain Name

IP Address

Port

Req State

State

Username (set username to the PGW name, for example pgw951)

Security Value

Figure 5 Access Function Configuration Table, PGW Example

Surveillance Function Provisioning

On the SS8 mediation device main page, select the Surveillance button as shown in Figure 6.

Figure 6 SS8 Main Page with Surveillance Selected


When you select the Surveillance button, the Surveillance Configuration Screen appears as shown in Figure 7.

Figure 7 Surveillance Configuration Screen

In the Surveillance Configuration screen, perform the following steps:


Step 1 Select the Modify button to set the Subscriber ID and User fields.

Step 2 Set the Subscriber ID as follows:

For dial calls, set the subscriber ID to the username to be intercepted.

For VoIP, set the subscriber ID to the phone number to be intercepted.

Step 3 Set the user field to caleaopr as shown in Figure 7, to give the user caleaopr privileges.

Step 4 Go back to the Surveillance Configuration screen.

Step 5 Select the Call Content Channels button.

Step 6 Select the AFTDN tab and set the target phone number to be intercepted as shown in the example in Figure 8.

Figure 8 Call Content Channels - AFTDN Tab

Step 7 Select the IPCCC tab and set the IP address and port number of the collection function as shown in Figure 9.

Figure 9 Call Content Channels - IPCCC Tab

Collection Function Provisioning

On the SS8 mediation device main page, select the Collection button as shown in Figure 10.

Figure 10 SS8 Main Page with Collection Selected

When you select the Collection button, the Collection Functions screen appears as shown in Figure 11.

In the Collection Functions screen, define the collection type.

Figure 11 shows TCP/IP as the collection type.

Figure 11 Collection Functions Screen

Call Agent Provisioning

In the CLI, register the call agent with the mediation device by entering the following MML commands:


Note In this example PGW is the call agent.


mml>add-af:afid=pgw952Dan,type=PGW2200,version=9.5.2,preprov=000:00;
mml>add-afgi:afid=pgw952Dan,ifid=1,ipaddr=192.168.80.129,username=liusr,passwd=test123;
mml>add-fri:afid=pgw952Dan,ifid=1,ipaddr=192.168.80.129,port=1813,version=I03,sharedsecret=0000000000000000;

Mediation Device Events

The mediation device will activate the intercept at the authorized time and remove it when the authorized time period has elapsed.

The mediation device will periodically audit the elements in the network to ensure that all authorized intercepts are in place and that only authorized intercepts are in place.

Glossary

AAA

Authentication Authorization Accounting

AS5XXX

AS5350, AS5400, AS5400HPX, AS5400XM, and AS5850 universal gateways

BTS

Broadband Telephony Softswitch, a call agent

IOS

Internet Operating System

IP

Internet Protocol

IP-TAP-MIB

Cisco Lawful Intercept Control MIB

IPsec

secured Internet Protocol

mediation device

A hardware device that receives signaling and voice information from a service provider network and translates it into the national variant protocol.

MG

Media Gateway

MGCP

Media Gateway Control Protocol

MIB

Management Information Base

NAS

Network Access Server

PGW

PSTN GateWay, a call agent

PPP

Point to Point Protocol

PSTN

Public Switched Telephone Network

RADIUS

Remote Authentication Dial-In User Service

RTP-NOR

Real-time Transport Protocol with NAK Oriented Retransmission

SDP

Session Definition Protocol

SII

Service Independent Intercept

sniffer

A network analyzer used to capture packets transmitted in a network for inspection and problem detection.

SIP

SMDS Interface Protocol.

SNMPv3

Simple Network Management Protocol version 3

TCP

Transmission Control Protocol

TDM

Time Division Multiplexing

TOS

Type Of Service

UDP

User Datagram Protocol

VoIP

Voice over Internet Protocol