Lawful Intercept


Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Participate in the Technical Documentation Ideas forum


 

Prerequisites for Lawful Intercept

  • You must be running images that support secure shell (SSH), for example, s72033-adventerprisek9-mz. Lawful intercept is not supported on images that do not support SSH.
  • You must be logged in to the switch with the highest access level (level 15). To log in with level-15 access, enter the enable command and specify the highest-level password defined for the switch.
  • You must issue commands in global configuration mode at the command-line interface (CLI). You can configure lawful intercept globally on all interfaces or on a specific interface.
  • The time of day on the switches and the mediation device must be synchronized; use Network Time Protocol (NTP) on both the switches and the mediation device.
  • (Optional) It might be helpful to use a loopback interface for the interface through which the switch communicates with the mediation device. If you do not use a loopback interface, you must configure the mediation device with multiple physical interfaces on the switch to handle network failures.

Restrictions for Lawful Intercept

General Configuration Restrictions

  • VSS mode does not support lawful intercept.
  • If the network administrator expects lawful intercept to be deployed at a node, do not configure optimized ACL logging (OAL), VLAN access control list (VACL) capture, or Intrusion Detection System (IDS) at the node. Deploying lawful intercept at the node causes unpredictable behavior in OAL, VACL capture, and IDS.
  • To maintain switch performance, lawful intercept is limited to no more than 0.2% of active calls. For example, if the switch is handling 4000 calls, 8 of those calls can be intercepted.
  • The CISCO-IP-TAP-MIB does not support the virtual routing and forwarding (VRF) OID citapStreamVRF.
  • Captured traffic is rate limited to protect the CPU usage at the route processor. The rate limit is 8500 pps.
  • The interface index is used during provisioning to select the index to enable lawful intercept on only; when set to 0, lawful intercept is applied to all interfaces.
  • (Optional) The domain name for both the switch and the mediation device may be registered in the Domain Name System (DNS).
  • The mediation device must have an access function (AF).
  • You must add the mediation device to the SNMP user group that has access to the CISCO-TAP2-MIB view. Specify the username of the mediation device as the user to add to the group.

When you add the mediation device as a CISCO-TAP2-MIB user, you must include the mediation device’s authorization password. The password must be at least eight characters in length.

  • Dedicate an interface for lawful intercept processing. For example, you should not configure the interface to perform processor-intensive tasks such as QoS or routing.
  • Supported for IPv4 unicast traffic only. In addition, for traffic to be intercepted, the traffic must be IPv4 on both the ingress and egress interfaces. For example, lawful intercept cannot intercept traffic if the egress side is MPLS and the ingress side is IPv4.
  • IPv4 multicast, IPv6 unicast, and IPv6 multicast flows are not supported.
  • Not supported on Layer 2 interfaces. However, lawful intercept can intercept traffic on VLANs that run over the Layer 2 interface.
  • Not supported for packets that are encapsulated within other packets (for example, tunneled packets or Q-in-Q packets).
  • Not supported for Q-in-Q packets. There is no support for Layer 2 taps for lawful intercept.
  • Not supported for packets that are subject to Layer 3 or Layer 4 rewrite (for example, Network Address Translation [NAT] or TCP reflexive).
  • In the ingress direction, the switch intercepts and replicates packets even if the packets are later dropped (for example, due to rate limiting or an access control list [ACL] deny statement). In the egress direction, packets are not replicated if they are dropped (for example, by ACL).
  • Lawful intercept ACLs are applied internally to both the ingress and the egress directions of an interface.
  • To intercept traffic from a specific user, a typical configuration consists of two flows, one for each direction.
  • Packets that are subject to hardware rate limiting are processed by lawful intercept as follows:

blank.gif Packets that are dropped by the rate limiter are not intercepted or processed.

blank.gif Packets that are passed by the rate limiter are intercepted and processed.

  • If multiple LEAs are using a single mediation device and each is executing a wiretap on the same target, the switch sends a single packet to the mediation device. It is up to the mediation device to duplicate the packet for each LEA.
  • Lawful intercept can intercept IPv4 packets with values that match a combination of one or more of the following fields:
  • Destination IP address and mask
  • Destination port range
  • Source IP address and mask
  • Source port range
  • Protocol ID

MIB Guidelines

The following Cisco MIBs are used for lawful intercept processing. Include these MIBs in the SNMP view of lawful intercept MIBs to enable the mediation device to configure and execute wiretaps on traffic that flows through the switch.

  • CISCO-TAP2-MIB—Required for both types of lawful intercepts: regular and broadband.
  • CISCO-IP-TAP-MIB—Required for wiretaps on Layer 3 (IPv4) streams. Supported for regular and broadband lawful intercept.
  • The CISCO-IP-TAB-MIB imposes limitations on the following features:

blank.gif If one or all of the following features are configured and functioning and lawful intercept is enabled, lawful intercept takes precedence, and the feature behaves as follows:

• Optimized ACL logging (OAL)—Does not function.

• VLAN access control list (VACL) capturing—Does not function properly.

• Intrusion detection system (IDS)—Does not function properly.

The feature starts to function after you disable or unconfigure lawful intercept.

blank.gif IDS cannot capture traffic on its own, but captures traffic that has been intercepted by lawful intercept only.

Information About Lawful Intercept

caut.gif

Caution blank.gif This guide does not address legal obligations for the implementation of lawful intercept. As a service provider, you are responsible to ensure that your network complies with applicable lawful intercept statutes and regulations. We recommend that you seek legal advice to determine your obligations.

Lawful Intercept Overview

Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.

The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks. The LEA delivers a request for a wiretap to the target’s service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target’s IP address to determine which of its edge switches handles the target’s traffic (data communication). The service provider then intercepts the target’s traffic as it passes through the switch, and sends a copy of the intercepted traffic to the LEA without the target’s knowledge.

The Lawful Intercept feature supports the Communications Assistance for Law Enforcement Act (CALEA), which describes how service providers in the United States must support lawful intercept. Currently, lawful intercept is defined by the following standards:

  • Telephone Industry Association (TIA) specification J-STD-025
  • Packet Cable Electronic Surveillance Specification (PKT-SP-ESP-101-991229)

For information about the Cisco lawful intercept solution, contact your Cisco account representative.

note.gif

Noteblank.gif The Lawful Intercept feature supports the interception of IPv4 protocol as defined by the object citapStreamprotocol in the CISCO-IP-TAB-MIB that includes voice and date interception.


Benefits of Lawful Intercept

  • Allows multiple LEAs to run a lawful intercept on the same target without each other’s knowledge.
  • Does not affect subscriber services on the switch.
  • Supports wiretaps in both the input and output direction.
  • Supports wiretaps of Layer 1 and Layer 3 traffic. Layer 2 traffic is supported as IP traffic over VLANs.
  • Supports wiretaps of individual subscribers that share a single physical interface.
  • Cannot be detected by the target. Neither the network administrator nor the calling parties is aware that packets are being copied or that the call is being tapped.
  • Uses Simple Network Management Protocol Version 3 (SNMPv3) and security features such as the View-based Access Control Model (SNMP-VACM-MIB) and User-based Security Model (SNMP-USM-MIB) to restrict access to lawful intercept information and components.
  • Hides information about lawful intercepts from all but the most privileged users. An administrator must set up access rights to enable privileged users to access lawful intercept information.
  • Provides two secure interfaces for performing an intercept: one for setting up the wiretap and one for sending the intercepted traffic to the LEA.

CALEA for Voice

The Communications Assistance for Law Enforcement Act (CALEA) for Voice feature allows the lawful interception of voice conversations that are running on Voice over IP (VoIP). Although the switches are not voice gateway devices, VoIP packets traverse the switches at the edge of the service provider network.

When an approved government agency determines that a telephone conversation is interesting, CALEA for Voice copies the IP packets comprising the conversation and sends the duplicate packets to the appropriate monitoring device for further analysis.

Network Components Used for Lawful Intercept

For information about lawful intercept processing, see the “Lawful Intercept Processing” section.

Figure 86-1 Lawful Intercept Overview

 

184430.eps

Mediation Device

A mediation device (supplied by a third-party vendor) handles most of the processing for the lawful intercept. The mediation device:

  • Provides the interface used to set up and provision the lawful intercept.
  • Generates requests to other network devices to set up and run the lawful intercept.
  • Converts the intercepted traffic into the format required by the LEA (which can vary from country to country) and sends a copy of the intercepted traffic to the LEA without the target’s knowledge.
note.gif

Noteblank.gif If multiple LEAs are performing intercepts on the same target, the mediation device must make a copy of the intercepted traffic for each LEA. The mediation device is also responsible for restarting any lawful intercepts that are disrupted due to a failure.


Lawful Intercept Administration

Lawful intercept administration (LIA) provides the authentication interface for lawful intercept or wiretap requests and administration.

Intercept Access Point

An intercept access point (IAP) is a device that provides information for the lawful intercept. There are two types of IAPs:

  • Identification (ID) IAP—A device, such as an authentication, authorization, and accounting (AAA) server, that provides intercept-related information (IRI) for the intercept (for example, the target’s username and system IP address) or call agents for voice over IP. The IRI helps the service provider determine which content IAP (switch) the target’s traffic passes through.
  • Content IAP—A device, such as the switch, that the target’s traffic passes through. The content IAP:
  • Intercepts traffic to and from the target for the length of time specified in the court order. The switch continues to forward traffic to its destination to ensure that the wiretap is undetected.
  • Creates a copy of the intercepted traffic, encapsulates it in User Datagram Protocol (UDP) packets, and forwards the packets to the mediation device without the target’s knowledge. IP option header is not supported.
note.gif

Noteblank.gif The content IAP sends a single copy of intercepted traffic to the mediation device. If multiple LEAs are performing intercepts on the same target, the mediation device must make a copy of the intercepted traffic for each LEA.


Content Intercept Access Point

Content IAP intercepts the interested data stream, duplicates the content, and sends the duplicated content to the mediation device. The mediation device receives the data from the ID IAP and Content IAP, converts the information to the required format depending on country specific requirement and forwards it to law enforcement agency (LEA).

Lawful Intercept Processing

After acquiring a court order or warrant to perform surveillance, the LEA delivers a surveillance request to the target’s service provider. Service provider personnel use an administration function that runs on the mediation device to configure a lawful intercept to monitor the target’s electronic traffic for a specific period of time (as defined in the court order).

After the intercept is configured, user intervention is no longer required. The administration function communicates with other network devices to set up and execute the lawful intercept. The following sequence of events occurs during a lawful intercept:

1.blank.gif The administration function contacts the ID IAP for intercept-related information (IRI), such as the target’s username and the IP address of the system, to determine which content IAP (switch) the target’s traffic passes through.

2.blank.gif After identifying the switch that handles the target’s traffic, the administration function sends SNMPv3 get and set requests to the switch’s Management Information Base (MIB) to set up and activate the lawful intercept. The CISCO-TAP2-MIB is the supported lawful intercept MIB to provide per-subscriber intercepts.

3.blank.gif During the lawful intercept, the switch:

a.blank.gif Examines incoming and outgoing traffic and intercepts any traffic that matches the specifications of the lawful intercept request.

b.blank.gif Creates a copy of the intercepted traffic and forwards the original traffic to its destination so the target does not suspect anything.

c.blank.gif Encapsulates the intercepted traffic in UDP packets and forwards the packets to the mediation device without the target’s knowledge.

note.gif

Noteblank.gif The process of intercepting and duplicating the target’s traffic adds no detectable latency in the traffic stream.


4.blank.gif The mediation device converts the intercepted traffic into the required format and sends it to a collection function running at the LEA. Here, the intercepted traffic is stored and processed.

note.gif

Noteblank.gif If the switch intercepts traffic that is not allowed by the judicial order, the mediation device filters out the excess traffic and sends the LEA only the traffic allowed by the judicial order.


5.blank.gif When the lawful intercept expires, the switch stops intercepting the target’s traffic.

Lawful Intercept MIBs

CISCO-TAP2-MIB

The CISCO-TAP2-MIB contains SNMP management objects that control lawful intercepts. The mediation device uses the MIB to configure and run lawful intercepts on targets whose traffic passes through the switch.

The CISCO-TAP2-MIB contains several tables that provide information for lawful intercepts that are running on the switch:

  • cTap2MediationTable—Contains information about each mediation device that is currently running a lawful intercept on the switch. Each table entry provides information that the switch uses to communicate with the mediation device (for example, the device’s address, the interfaces to send intercepted traffic over, and the protocol to use to transmit the intercepted traffic).
  • cTap2StreamTable—Contains information used to identify the traffic to intercept. Each table entry contains a pointer to a filter that is used to identify the traffic stream associated with the target of a lawful intercept. Traffic that matches the filter is intercepted, copied, and sent to the corresponding mediation device application (cTap2MediationContentId).

The cTap2StreamTable table also contains counts of the number of packets that were intercepted, and counts of dropped packets that should have been intercepted, but were not.

  • cTap2DebugTable—Contains debug information for troubleshooting lawful intercept errors.

The CISCO-TAP2-MIB also contains several SNMP notifications for lawful intercept events. For detailed descriptions of MIB objects, see the MIB itself.

CISCO-TAP2-MIB Processing

The administration function (running on the mediation device) issues SNMPv3 set and get requests to the switch’s CISCO-TAP2-MIB to set up and initiate a lawful intercept. To do this, the administration function performs the following actions:

1.blank.gif Creates a cTap2MediationTable entry to define how the switch is to communicate with the mediation device executing the intercept.

note.gif

Noteblank.gif The cTap2MediationNewIndex object provides a unique index for the mediation table entry.


2.blank.gif Creates an entry in the cTap2StreamTable to identify the traffic stream to intercept.

3.blank.gif Sets cTap2StreamInterceptEnable to true(1) to start the intercept. The switch intercepts traffic in the stream until the intercept expires (cTap2MediationTimeout).

CISCO-IP-TAP-MIB

The CISCO-IP-TAP-MIB contains the SNMP management objects to configure and execute lawful intercepts on IPv4 traffic streams that flow through the switch. This MIB is an extension to the CISCO-TAP2-MIB.

You can use the CISCO-IP-TAP-MIB to configure lawful intercept on the switch to intercept IPv4 packets with values that match a combination of one or more of the following fields:

  • Destination IP address and mask
  • Destination port range
  • Source IP address and mask
  • Source port range
  • Protocol ID

CISCO-IP-TAP-MIB Processing

When data is intercepted, two streams are created. One stream is for packets that originate from the target IP address to any other IP address using any port. The second stream is created for packets that are routed to the target IP address from any other address using any port. For VoIP, two streams are created, one for RTP packets from target and the second stream is for the RTP packets to target using the specific source and destination IP addresses and ports specified in SDP information used to setup RTP stream.

How to Configure Lawful Intercept Support

Security Considerations

  • SNMP notifications for lawful intercept must be sent to UDP port 161 on the mediation device, not port 162 (which is the SNMP default). See the “Enabling SNMP Notifications for Lawful Intercept” section for instructions.
  • The only users who should be allowed to access the lawful intercept MIBs are the mediation device and system administrators who need to know about lawful intercepts on the switch. In addition, these users must have authPriv or authNoPriv access rights to access the lawful intercept MIBs. Users with NoAuthNoPriv access cannot access the lawful intercept MIBs.
  • You cannot use the SNMP-VACM-MIB to create a view that includes the lawful intercept MIBs.
  • The default SNMP view excludes the following MIBs:

CISCO-TAP2-MIB
CISCO-IP-TAP-MIB
SNMP-COMMUNITY-MIB
SNMP-USM-MIB
SNMP-VACM-MIB

Also see the “Restrictions for Lawful Intercept” section and the “Prerequisites for Lawful Intercept” section.

Accessing the Lawful Intercept MIBs

Due to its sensitive nature, the Cisco lawful intercept MIBs are only available in software images that support the lawful intercept feature. These MIBs are not accessible through the Network Management Software MIBs Support page ( http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml).

Restricting Access to the Lawful Intercept MIBs

Only the mediation device and users who need to know about lawful intercepts should be allowed to access the lawful intercept MIBs. To restrict access to these MIBs, you must:

1.blank.gif Create a view that includes the Cisco lawful intercept MIBs.

2.blank.gif Create an SNMP user group that has read-and-write access to the view. Only users assigned to this user group can access information in the MIBs.

3.blank.gif Add users to the Cisco lawful intercept user groups to define who can access the MIBs and any information related to lawful intercepts. Be sure to add the mediation device as a user in this group; otherwise, the switch cannot perform lawful intercepts.

note.gif

Noteblank.gif Access to the Cisco lawful intercept MIB view should be restricted to the mediation device and to system administrators who need to be aware of lawful intercepts on the switch. To access the MIB, users must have level-15 access rights on the switch.


Configuring SNMPv3

To perform the following procedures, SNMPv3 must be configured on the switch. See this publication:

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/15-sy/snmp-15-sy-book.html

Creating a Restricted SNMP View of Lawful Intercept MIBs

To create and assign users to an SNMP view that includes the Cisco lawful intercept MIBs, perform the following procedure at the CLI, in global configuration mode with level-15 access rights. For command examples, see the “Configuration Example” section.

note.gif

Noteblank.gif The command syntax in the following steps includes only those keywords required to perform each task. For details on command syntax, see the documents listed in the previous section (“Configuring SNMPv3”).



Step 1blank.gif Make sure that SNMPv3 is configured on the switch. For instructions, see the documents listed in the “Configuring SNMPv3” section.

Step 2blank.gif Create an SNMP view that includes the CISCO-TAP2-MIB (where view_name is the name of the view to create for the MIB). This MIB is required for both regular and broadband lawful intercept.

Router(config)# snmp-server view view_name ciscoTap2MIB included
 

Step 3blank.gif Add one or both of the following MIBs to the SNMP view to configure support for wiretaps on IPv4 streams (where view_name is the name of the view you created in Step 2 ).

Router(config)# snmp-server view view_name ciscoIpTapMIB included
 

Step 4blank.gif Create an SNMP user group ( groupname) that has access to the lawful intercept MIB view and define the group’s access rights to the view.

Router(config)# snmp-server group groupname v3 noauth read view_name write view_name
 

Step 5blank.gif Add users to the user group you just created (where username is the user, groupname is the user group, and auth_password is the authentication password):

Router(config)# snmp-server user username groupname v3 auth md5 auth_password
 
note.gif

Noteblank.gif Be sure to add the mediation device to the SNMP user group; otherwise, the switch cannot perform lawful intercepts. Access to the lawful intercept MIB view should be restricted to the mediation device and to system administrators who need to know about lawful intercepts on the switch.


The mediation device is now able to access the lawful intercept MIBs, and issue SNMP set and get requests to configure and run lawful intercepts on the switch.

For instructions on how to configure the switch to send SNMP notifications to the mediation device, see the “Enabling SNMP Notifications for Lawful Intercept” section.


 

Configuration Example

The following commands show an example of how to enable the mediation device to access the lawful intercept MIBs.

Router(config)# snmp-server view tapV ciscoTap2MIB included
Router(config)# snmp-server view tapV ciscoIpTapMIB included
 

1.blank.gif Create a view (tapV) that includes the appropriate lawful intercept MIBs (CISCO-TAP2-MIB and the CISCO-IP-TAP-MIB).

2.blank.gif Create a user group (tapGrp) that has read, write, and notify access to MIBs in the tapV view.

3.blank.gif Add the mediation device (ss8user) to the user group, and specify MD5 authentication with a password (ss8passwd).

4.blank.gif (Optional) Assign a 24-character SNMP engine ID (for example, 123400000000000000000000) to the switch for administration purposes. If you do not specify an engine ID, one is automatically generated. Note that you can omit the trailing zeros from the engine ID, as shown in the last line of the example above.

note.gif

Noteblank.gif Changing an engine ID has consequences for SNMP user passwords and community strings.


Enabling SNMP Notifications for Lawful Intercept

SNMP automatically generates notifications for lawful intercept events (see Table 86-1 ). This is because the default value of the cTap2MediationNotificationEnable object is true(1).

To configure the switch to send lawful intercept notifications to the mediation device, issue the following CLI commands in global-configuration mode with level-15 access rights (where MD-ip-address is the IP address of the mediation device and community-string is the password-like community string to send with the notification request):

Router(config)# snmp-server host MD-ip-address community-string udp-port 161 snmp
Router(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 
  • For lawful intercept, udp-port must be 161 and not 162 (the SNMP default).
  • The second command configures the switch to send RFC 1157 notifications to the mediation device. These notifications indicate authentication failures, link status (up or down), and system restarts.

 

Table 86-1 SNMP Notifications for Lawful Intercept Events

Notification
Meaning

cTap2MIBActive

The switch is ready to intercept packets for a traffic stream configured in the CISCO-TAP2-MIB.

cTap2MediationTimedOut

A lawful intercept was terminated (for example, because cTap2MediationTimeout expired).

cTap2MediationDebug

Intervention is required for events related to cTap2MediationTable entries.

cTap2StreamDebug

Intervention is required for events related to cTap2StreamTable entries.

Disabling SNMP Notifications

You can disable SNMP notifications by entering the no snmp-server enable traps command.

To disable lawful intercept notifications, use SNMPv3 to set the CISCO-TAP2-MIB object cTap2MediationNotificationEnable to false(2). To reenable lawful intercept notifications through SNMPv3, reset the object to true(1).


Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Participate in the Technical Documentation Ideas forum