Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 4.1
Implementing Lawful Intercept
Download the complete book
Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 4.1Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 4.1 (PDF - 2 MB)
 Feedback

Implementing Lawful Intercept

Lawful intercept is the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications, authorized by judicial or administrative order. Service providers worldwide are legally required to assist law enforcement agencies in conducting electronic surveillance in both circuit-switched and packet-mode networks.

Only authorized service provider personnel are permitted to process and configure lawfully authorized intercept orders. Network administrators and technicians are prohibited from obtaining knowledge of lawfully authorized intercept orders, or intercepts in progress. Error messages or program messages for intercepts installed in the router are not displayed on the console.

Feature History for Implementing Lawful Intercept

Release

Modification

Release 4.1.0

This feature was introduced.

Prerequisites for Implementing Lawful Intercept

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Lawful intercept implementation also requires that these prerequisites are met:

  • Cisco ASR 9000 Series Aggregation Services Router will be used as content Intercept Access Point (IAP) router in lawful interception operation.
  • Provisioned router—The router must be already provisioned. For more information, see Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide.

    Tip

    For the purpose of lawful intercept taps, provisioning a loopback interface has advantages over other interface types.

  • Understanding of SNMP Server commands in Cisco IOS XR software—Simple Network Management Protocol, version 3 (SNMP v3), which is the basis for lawful intercept enablement, is configured using commands described in the module SNMP Server Commands in Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference. To implement lawful intercept, you must understand how the SNMP server functions. For this reason, carefully review the information described in the module Implementing SNMP in Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide.
  • Lawful intercept must be explicitly disabled—It is automatically enabled on a provisioned router. However, you should not disable LI if there is an active tap in progress, because this deletes the tap.
  • Management plane configured to enable SNMPv3—Allows the management plane to accept SNMP commands, so that the commands go to the interface (preferably, a loopback) on the router. This allows the mediation device (MD) to communicate with a physical interface.
  • VACM views enabled for SNMP server—View-based access control model (VACM) views must be enabled on the router.
  • Provisioned MD—For detailed information, see the vendor documentation associated with your MD. For a list of MD equipment suppliers preferred by Cisco, see http://www.cisco.com/en/US/tech/tk583/tk799/tsd_technology_support_protocol_home.html.
  • VoIP surveillance-specific requirements
    • Lawful-intercept-enabled call agent—A lawful-intercept-enabled call agent must support interfaces for communications with the MD, for the target of interest to provide signaling information to the MD. The MD extracts source and destination IP addresses and Real-Time Protocol (RTP) port numbers from the Session Description Protocol (SDP) signaling information for the target of interest. It uses these to form an SNMPv3 SET, which is sent to the router acting as the content IAP to provision the intercept for the target of interest. The MD uses the CISCO-TAP2-MIB to set up communications between the router acting as the content IAP, and the MD. The MD uses the CISCO-IP-TAP-MIB to set up the filter for the IP addresses and port numbers to be intercepted and derived from the SDP.
    • Routers to be used for calls by the target number must be provisioned for this purpose through the MD.
    • The MD that has been provisioned with the target number to be intercepted.
  • Data session surveillance-specific requirements
    • Routers to be used by the data target that have been provisioned for this purpose through the MD.
    • The MD that has been provisioned with the user login ID, mac address of the user CPE device, or the DSLAM physical location ID—The IP address is the binding that is most frequently used to identify the target in the network. However, alternative forms of information that uniquely identify the target in the network might be used in some network architectures. Such alternatives include the MAC address and the acct-session-id.
  • The MD can be located anywhere in the network but must be reachable from the content IAP router, which is being used to intercept the target. MD should be reachable ONLY from global routing table and NOT from VRF routing table.

Restrictions for Implementing Lawful Intercept

Lawful intercept does not provide support for these features on Cisco ASR 9000 Series Router:

  • IPv6 multicast tapping
  • IPv4 multicast tapping
  • Per tap drop counter
  • IPv6 MD encapsulation
  • Per interface tapping
  • Replicating a single tap to multiple MDs
  • Tapping of tag packets
  • Tapping L2 flows
  • RTP encapsulation
  • Encryption and integrity checking of replication device

Note

Per tap drop counter support is available only for ASR9000-SIP-700 line card, and not for ethernet line cards.

Information About Lawful Intercept Implementation

Cisco lawful intercept is based on service-independent intercept (SII) architecture and SNMPv3 provisioning architecture. SNMPv3 addresses the requirements to authenticate data origin and ensure that the connection from the router to the MD is secure. This ensures that unauthorized parties cannot forge an intercept target.

Lawful intercept offers these capabilities:

  • Voice-over IP (VoIP) and data session intercept provisioning from the MD using SNMPv3
  • Delivery of intercepted VoIP and data session data to the MD
  • SNMPv3 lawful intercept provisioning interface
  • Lawful intercept MIB: CISCO-TAP2-MIB, version 2
  • CISCO-IP-TAP-MIB manages the Cisco intercept feature for IP and is used along with CISCO-TAP2-MIB to intercept IP traffic.
  • User datagram protocol (UDP) encapsulation to the MD
  • Replication and forwarding of intercepted packets to the MD
  • Voice-over IP (VoIP) call intercept, based on any rules configured for received packets.
  • Voice-over IP (VoIP) intercept with LI-enabled call agent
  • Data session call intercept based on IP address

Provisioning for VoIP Calls

Lawful Intercept provisioning for VoIP occurs in these ways:

  • Security and authentication occurs because users define this through SNMPv3.
  • The MD provisions lawful intercept information using SNMPv3.
  • Network management occurs through standard MIBs.

Call Interception

VoIP calls are intercepted in this manner:

  • The MD uses configuration commands to configure the intercept on the call control entity.
  • The call control entity sends intercept-related information about the target to the MD.
  • The MD initiates call content intercept requests to the content IAP router or trunk gateway through SNMPv3.
  • The content IAP router or trunk gateway intercepts the call content, replicates it, and sends it to the MD in Packet Cable Electronic Surveillance UDP format. Specifically, the original packet starting at the first byte of the IP header is prefixed with a four-byte CCCID supplied by the MD in TAP2-MIB. It is then put into a UDP frame with the destination address and port of the MD.
  • After replicated VoIP packets are sent to the MD, the MD then forwards a copy to a law-enforcement-agency-owned collection function, using a recognized standard.

Provisioning for Data Sessions

Provisioning for data sessions occurs in a similar way to the way it does for lawful intercept for VoIP calls. (See Provisioning for VoIP Calls.)

Data Interception

Data are intercepted in this manner:

  • If a lawful intercept-enabled authentication or accounting server is not available, a sniffer device can be used to detect the presence of the target in the network.
    • The MD uses configuration commands to configure the intercept on the sniffer.
    • The sniffer device sends intercept-related information about the target to the MD.
  • The MD initiates communication content intercept requests to the content IAP router using SNMPv3.
  • The content IAP router intercepts the communication content, replicates it, and sends it to the MD in UDP format.
  • Intercepted data sessions are sent from the MD to the collection function of the law enforcement agency, using a supported delivery standard for lawful intercept.

Information About the MD

The MD performs these tasks:

  • Activates the intercept at the authorized time and removes it when the authorized time period elapses.
  • Periodically audits the elements in the network to ensure that:
    • only authorized intercepts are in place.
    • all authorized intercepts are in place.

Lawful Intercept Topology

This figure shows intercept access points and interfaces in a lawful intercept topology for both voice and data interception.

Figure 1. Lawful Intercept Topology for Both Voice and Data Interception

Scale or Performance Improvement

New enhancements introduced on the Cisco ASR 9000 Series Router in terms of scalability and performance for lawful intercept are:

  • IPv4 lawful intercept tap limit is 1000 taps per IPv4.
  • IPv6 lawful intercept tap limit is 1000 taps per IPv6.
  • Interception rate is:
    • 50 Mbps per network processor (NP) for ASR9000-SIP-700 line card.
    • 100 Mbps for Gigabit Ethernet line cards.
  • Support upto 512 MDs.

How to Configure SNMPv3 Access for Lawful Intercept on the Cisco ASR 9000 Series Router

Perform these procedures in the order presented to configure SNMPv3 for the purpose of Lawful Intercept enablement:

Disabling SNMP-based Lawful Intercept

Lawful Intercept is enabled by default on the Cisco ASR 9000 Series Router.

  • To disable Lawful Intercept, enter the lawful-intercept disable command in global configuration mode.
  • To reenable it, use the no form of this command.

Disabling SNMP-based Lawful Intercept: Example

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# lawful-intercept disable

Note

All SNMP-based taps are dropped when lawful intercept is disabled.

Configuring the Inband Management Plane Protection Feature

If MPP was not earlier configured to work with another protocol, then ensure that the MPP feature is also not configured to enable the SNMP server to communicate with the mediation device for lawful interception. In such cases, MPP must be configured specifically as an inband interface to allow SNMP commands to be accepted by the router, using a specified interface or all interfaces.


Note

Ensure this task is performed, even if you have recently migrated to Cisco IOS XR Software from Cisco IOS, and you had MPP configured for a given protocol.

For lawful intercept, a loopback interface is often the choice for SNMP messages. If you choose this interface type, you must include it in your inband management configuration.

For a more detailed discussion of the inband management interface, see the Inband Management Interface.

Related Tasks

Related Examples

Enabling the Mediation Device to Intercept VoIP and Data Sessions

The following SNMP server configuration tasks enable the Cisco SII feature on a router running Cisco IOS XR Software by allowing the MD to intercept VoIP or data sessions.

SUMMARY STEPS

    1.    configure

    2.    snmp-server view view-name ciscoTap2MIB included

    3.    snmp-server view view-name ciscoUserConnectionTapMIB included

    4.    snmp-server group group-name v3auth read view-name write view-name notify view-name

    5.    snmp-server host ip-address traps version 3 auth username udp-port port-number

    6.    snmp-server user mduser-id groupname v3 auth md5 md-password

    7.    Use one of these commands:

    • end
    • commit

    8.    show snmp users

    9.    show snmp group

    10.    show snmp view


DETAILED STEPS
     Command or ActionPurpose
    Step 1 configure


    Example: 
    RP/0/RSP0/CPU0:router# configure
     

    Enters global configuration mode.

     
    Step 2snmp-server view view-name ciscoTap2MIB included


    Example: 
    RP/0//CPU0:router(config)# snmp-server view TapName ciscoTap2MIB included
     

    Creates or modifies a view record and includes the CISCO-TAP2-MIB family in the view. The SNMP management objects in the CISCO-TAP2-MIB that controls lawful intercepts are included. This MIB is used by the mediation device to configure and run lawful intercepts on targets sending traffic through the router.

     
    Step 3snmp-server view view-name ciscoUserConnectionTapMIB included


    Example: 
    RP/0//CPU0:router(config)# snmp-server view TapName ciscoUserConnectionTapMIB included
     

    Creates or modifies a view record and includes the CISCO-USER-CONNECTION-TAP-MIB family, to manage the Cisco intercept feature for user connections. This MIB is used along with the CISCO-TAP2-MIB to intercept and filter user traffic.

     
    Step 4snmp-server group group-name v3auth read view-name write view-name notify view-name


    Example: 
    RP/0//CPU0:router(config)# snmp-server group TapGroup v3 auth read TapView write TapView notify TapView
     

    Configures a new SNMP group that maps SNMP users to SNMP views. This group must have read, write, and notify privileges for the SNMP view.

     
    Step 5snmp-server host ip-address traps version 3 auth username udp-port port-number


    Example: 
    RP/0//CPU0:router(config)# snmp-server host 223.255.254.224 traps version 3 auth bgreen udp-port 2555
     

    Specifies SNMP trap notifications, the version of SNMP to use, the security level of the notifications, and the recipient (host) of the notifications.

     
    Step 6snmp-server user mduser-id groupname v3 auth md5 md-password

    Example: 
    RP/0//CPU0:router(config)# snmp-server mduser-id TapGroup v3 auth md5 mdpassword
     

    Configures the MD user as part of an SNMP group, using the v3 security model and the HMAC MD5 algorithm, which you associate with the MD password.

    • The mduser-id and mdpassword must match that configured on MD. Alternatively, these values must match those in use on the router.
    • Passwords must be eight characters or longer to comply with SNMPv3 security minimums.
    • Minimum Lawful Intercept security level is auth; The noauth option will not work, as it indicates noAuthnoPriv security level. The Lawful Intercept security level must also match that of the MD.
    • Choices other than MD5 are available on the router, but the MD values must match. Most MDs default to or support only MD5.
     
    Step 7Use one of these commands:
    • end
    • commit


    Example: 
    RP/0/RSP0/CPU0:router(config)# end

    or

    RP/0/RSP0/CPU0:router(config)# commit
     

    Saves configuration changes.

    • When you issue the end command, the system prompts you to commit changes: 
      Uncommitted changes found, commit them
before exiting(yes/no/cancel)? [cancel]:
      • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file, and remain within the configuration session.
     
    Step 8 show snmp users


    Example: 
    RP/0//CPU0:router# show snmp users
     

    Displays information about each SNMP username in the SNMP user table.

     
    Step 9 show snmp group


    Example: 
    RP/0//CPU0:router# show snmp group
     

    Displays information about each SNMP group on the network.

     
    Step 10 show snmp view


    Example: 
    RP/0//CPU0:router# show snmp view
     

    Displays information about the configured views, including the associated MIB view family name, storage type, and status.

     

    Configuration Example for Inband Management Plane Feature Enablement

    This example illustrates how to enable the MPP feature, which is disabled by default, for the purpose of lawful intercept.

    Configuring the Inband Management Plane Protection Feature: Example

    You must specifically enable management activities, either globally or on a per-inband-port basis, using this procedure. To globally enable inbound MPP, use the keyword all with the interface command, rather than use a particular interface type and instance ID with it. 

    RP/0//CPU0:router# configure
RP/0//CPU0:router(config)# control-plane
RP/0//CPU0:router(config-ctrl)# management-plane
RP/0//CPU0:router(config-mpp)# inband
RP/0//CPU0:router(config-mpp-inband)# interface loopback0
RP/0//CPU0:router(config-mpp-inband-Loopback0)# allow snmp
RP/0//CPU0:router(config-mpp-inband-Loopback0)# commit
RP/0//CPU0:router(config-mpp-inband-Loopback0)# exit
RP/0//CPU0:router(config-mpp-inband)# exit
RP/0//CPU0:router(config-mpp)# exit
RP/0//CPU0:router(config-ctr)# exit
RP/0//CPU0:router(config)# exit
RP/0//CPU0:router# show mgmt-plane inband interface loopback0

Management Plane Protection - inband interface


interface - Loopback0 
        snmp configured - 
                All peers allowed
RP/0//CPU0:router(config)# commit

    Additional References

    These sections provide references related to implementing lawful intercept.

    Related Documents

    Related Topic

    Document Title

    Lawful Intercept commands

    		 Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference

    Implementing SNMP

    		 Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide

    SNMP Server commands

    		 Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference

    Standards

    Standards

    Title

    A modular, open architecture designed for simple implementation that easily interacts with third-party equipment to meet service provider lawful intercept requirements.

    See RFC-3924 under RFCs.

    An application layer protocol that facilitates the exchange of management information between network devices. Part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite.

    Simple Network Management Protocol Version 3 (SNMPv3)

    MIBs

    MIBs

    MIBs Link
    • CISCO-TAP2-MIB, version 2
    • CISCO-IP-TAP-MIB

    To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http:/​/​cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

    RFCs

    RFCs

    Title

    RFC-3924

    Cisco Architecture for Lawful Intercept in IP Networks

    Technical Assistance

    Description

    Link

    The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access more content.

    http:/​/​www.cisco.com/​techsupport