Implementing Lawful Intercept on VXSM
Lawful intercept is the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order. Service providers worldwide are legally required to assist law enforcement agencies in conducting electronic surveillance in both circuit-switched and packet-mode networks.
Only authorized service provider personnel are permitted to process and configure lawfully authorized intercept orders. Network administrators and technicians are prohibited from obtaining knowledge of lawfully authorized intercept orders, or intercepts in progress. Error messages or program messages for intercepts installed in VXSM are not displayed on the console.
Service Independent Intercept (SII) describes a standard Cisco architecture that provides Lawful Intercept (LI) capabilities using an SNMPv3 interface.
This chapter describes the high-level architecture of Lawful Intercept in VXSM based on xGCP signaling controlled by the call agent and contains the following sections:
•Information About Lawful Intercept
•Benefits of Lawful Intercept
•Network Components Used for Lawful Intercept
•Lawful Intercept Processing
•Lawful Intercept MIBs
This guide does not address legal obligations for the implementation of lawful intercept. As a service provider, you are responsible to ensure that your network complies with applicable lawful intercept statutes and regulations. We recommend that you seek legal advice to determine your obligations.
Information About Lawful Intercept
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.
The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks. The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target's IP address or session ID to determine which of its edge switches handles the target's traffic (data communication). The service provider then intercepts the target's traffic as it passes through the switch, and sends a copy of the intercepted traffic to the LEA without the target's knowledge.
The Lawful Intercept feature supports the Communications Assistance for Law Enforcement Act (CALEA), which describes how service providers in the United States must support lawful intercept. Currently, lawful intercept is defined by the following standards:
•Telephone Industry Association (TIA) specification J-STD-025
•Packet Cable Electronic Surveillance Specification (PKT-SP-ESP-101-991229)
The Lawful intercept feature via SII offers the following capabilities:
•Voice-over IP (VoIP) and data session intercept provisioning from the Mediation Device using SNMPv3
•Delivery of intercepted VoIP and data session data to the Mediation Device
•SNMPv3 lawful intercept provisioning interface
•Lawful intercept MIB: CISCO-TAP2-MIB, version 2
•CISCO-IP-TAP-MIB manages the Cisco intercept feature for IP and is used along with CISCO-TAP2-MIB to intercept IP traffic.
•User datagram protocol (UDP) encapsulation to mediation device
•Voice-over IP (VoIP) call intercept based on media gateway local IP address and UDP port number
•Voice-over IP (VoIP) intercept with LI-enabled call agent
•Data session call intercept based on IP address
Lawful Intercept Topology
The following illustration shows intercept access points and interfaces in a lawful intercept topology for both voice and data interception (Figure 8-1).
Figure 8-1 Lawful Intercept Topology for Both Voice and Data Interception
CALEA for Voice
The Communications Assistance for Law Enforcement Act (CALEA) for Voice feature allows the lawful interception of voice conversations that are running on Voice over IP (VoIP) based on xGCP signaling controlled by Call Agent. CALEA for Voice is one component of a complete lawful intercept solution, consisting of external monitoring and third-party management devices.
When an approved government agency determines that a telephone conversation is interesting, CALEA for Voice copies the IP packets comprising the conversation and sends the duplicate packets to the appropriate monitoring device for further analysis.
SNMPv3 Provisioning Lawful Intercept Requests
SNMPv3 provisioning lawful intercept requests are initiated by the mediation device using SNMPv3 messages, and all traffic data traveling to or from an IP address or session is passed to a mediation device. SNMPv3 provisioning uses the following lawful intercept MIBs:
•CISCO-TAP2-MIB
•CISCO-IP-TAP-MIB
If a call for which an intercept was requested fails, VXSM notifies the mediation device using traps. For more information, see the "Trap Filtering" section.
Trap Filtering
VXSM sends traps to the mediation device through the PXM when an alarm is raised. All SII-related traps are sent to the mediation device; the rest of the traps are multicast to the active trap managers. Trap filtering is achieved by associating a notification view with an SNMP group and by adding an SNMPv3 user to that group.
The following commands are modified on the PXM for this feature:
•addsnmpgroup: This command is modified to specify the notify view. The modified syntax of the command is:
addsnmpgroup <groupName> <securityModel> <securityLevel> [-read <readview>] [-write <writeview>] [-notify <notify>]
The notify value must be a string of fewer than 33 characters.
•dspsnmpgroup: This command is modified to display the notify view details.
•cnfsnmpgroup: This command is modified to specify the notify view. The modified syntax of the command is:
cnfsnmpgroup <groupName> <securityModel> <securityLevel> [-read <readview>] [-write <writeview>] [-notify <notify>]
The notify value must be a string of fewer than 33 characters.
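As an added illustration of the notify-view mechanism described above (constructed example code, not PXM or VXSM code), the following models how an SNMPv3 VACM notify view decides which group receives a given trap. The view semantics follow the SNMP-VACM-MIB vacmViewTreeFamilyTable (subtree, mask, included/excluded) and the RFC 3415 "longest matching subtree wins" rule. The CISCO-TAP2-MIB subtree OID and the trap OID under it are assumptions for the demo and should be taken from the MIB itself; the group names are constructed.

```python
"""Constructed model of SNMPv3 VACM notify-view filtering for trap delivery.
OIDs are tuples of ints; a view is a list of ViewFamily rows."""
from dataclasses import dataclass

INCLUDED, EXCLUDED = 1, 2                       # vacmViewTreeFamilyType values


def oid(s):
    """Parse dotted OID text into a tuple of sub-identifiers."""
    return tuple(int(x) for x in s.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:                               # one vacmViewTreeFamilyTable row
    subtree: tuple
    mask: bytes = b""                           # vacmViewTreeFamilyMask; empty = all bits 1
    ftype: int = INCLUDED

    def mask_bit(self, i):
        # bits past the end of the mask are treated as 1 (exact match required)
        if i // 8 >= len(self.mask):
            return 1
        return (self.mask[i // 8] >> (7 - i % 8)) & 1

    def covers(self, o):
        """True if OID o lies under this family (wildcard sub-ids where mask bit is 0)."""
        if len(o) < len(self.subtree):
            return False
        return all(self.mask_bit(i) == 0 or o[i] == self.subtree[i]
                   for i in range(len(self.subtree)))


def in_view(view, o):
    """RFC 3415: among covering families pick the longest subtree (ties: greatest value);
    the OID is in the view only if that family is 'included'."""
    covering = [f for f in view if f.covers(o)]
    if not covering:
        return False
    best = max(covering, key=lambda f: (len(f.subtree), f.subtree))
    return best.ftype == INCLUDED


def route_notification(trap_oid, groups):
    """Return the names of the groups whose notify view admits this trap."""
    return [name for name, view in groups.items() if in_view(view, trap_oid)]


TAP2_SUBTREE = oid("1.3.6.1.4.1.9.9.399")      # ASSUMED CISCO-TAP2-MIB subtree; confirm from the MIB
INTERNET = oid("1.3.6.1")
LINK_DOWN = oid("1.3.6.1.6.3.1.1.5.3")         # standard linkDown trap, an ordinary alarm

SAMPLE_GROUPS = {                               # constructed groups for the demo
    # the mediation device's SNMPv3 user: notify view admits only the SII subtree
    "li-mediation": [ViewFamily(TAP2_SUBTREE)],
    # ordinary trap managers: everything under internet except the SII subtree
    "ops-trap-managers": [ViewFamily(INTERNET), ViewFamily(TAP2_SUBTREE, ftype=EXCLUDED)],
}

if __name__ == "__main__":
    sii_trap = TAP2_SUBTREE + (0, 1)            # constructed notification OID under the subtree
    print(route_notification(sii_trap, SAMPLE_GROUPS))    # ['li-mediation']
    print(route_notification(LINK_DOWN, SAMPLE_GROUPS))   # ['ops-trap-managers']
```

The point the model makes visible is that the exclusion row in the operators' view is what keeps SII traps away from the general trap managers, which is the property the page requires (intercept-related messages are not visible to network administrators); a group whose notify view simply included all of internet would receive them.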
Benefits of Lawful Intercept
Lawful intercept has the following benefits:
•Allows multiple LEAs to run a lawful intercept on the same target without each other's knowledge.
•Does not affect subscriber services on the Cisco MGX switches.
•Supports wiretaps in both the input and output direction.
•Supports wiretaps of individual subscribers that share a single physical interface.
•Cannot be detected by the target. Neither the network administrator nor the calling parties are aware that packets are being copied or that the call is being tapped.
•Uses Simple Network Management Protocol Version 3 (SNMPv3) and security features such as the View-based Access Control Model (SNMP-VACM-MIB) and User-based Security Model (SNMP-USM-MIB) to restrict access to lawful intercept information and components.
•Hides information about lawful intercepts from all but the most privileged users. An administrator must set up access rights to enable privileged users to access lawful intercept information.
•Provides two secure interfaces for performing an intercept: one for setting up the wiretap and one for sending the intercepted traffic to the LEA.
Network Components Used for Lawful Intercept
The following network components are used for lawful intercepts:
•Lawful Intercept Administration
•Intercept Access Point
For information about lawful intercept processing, see the "Lawful Intercept Processing" section.
Lawful Intercept Administration
Lawful intercept administration (LIA) provides the authentication interface for lawful intercept or wiretap requests and administration.
A mediation device (supplied by a third-party vendor) handles most of the processing for the lawful intercept. The mediation device:
•Provides the interface used to set up and provision the lawful intercept.
•Generates requests to other network devices to set up and run the lawful intercept.
•Converts the intercepted traffic into the format required by the LEA (which can vary from country to country) and sends a copy of the intercepted traffic to the LEA without the target's knowledge.
Note If multiple LEAs are performing intercepts on the same target, the mediation device will make a copy of the intercepted traffic for each LEA. The mediation device is also responsible for restarting any lawful intercepts that are disrupted due to a failure.
Intercept Access Point
An intercept access point (IAP) is a device that provides information for the lawful intercept. There are two types of IAPs:
•Identification (ID) IAP—A device, such as an authentication, authorization, and accounting (AAA) server or, for voice over IP, a call agent, that provides intercept-related information (IRI) for the intercept (for example, the target's username and system IP address). The IRI helps the service provider determine which content IAP (VXSM) the target's traffic passes through.
•Call Content (CC) IAP—A device, such as VXSM, that the target's traffic passes through. The call content IAP:
•Intercepts traffic to and from the target for the length of time specified in the court order. VXSM continues to forward traffic to its destination to ensure that the wiretap is undetected.
•Creates a copy of the intercepted traffic, encapsulates it in User Datagram Protocol (UDP) packets, and forwards the packets to the mediation device without the target's knowledge. The IP options header is not supported.
Note The call content IAP sends a single copy of intercepted traffic to the mediation device. If multiple LEAs are performing intercepts on the same target, the mediation device must make a copy of the intercepted traffic for each LEA.
The collection function is a software program that runs on equipment at the LEA. This program stores and processes traffic intercepted by the service provider.
Lawful Intercept Processing
After acquiring a court order or warrant to perform surveillance, the LEA delivers a surveillance request to the target's service provider. Service provider personnel use an administration function that runs on the mediation device to configure a lawful intercept to monitor the target's electronic traffic for a specific period of time (as defined in the court order).
After the intercept is configured, user intervention is no longer required. The administration function communicates with other network devices to set up and execute the lawful intercept. The following sequence of events occurs during a lawful intercept:
1. The administration function contacts the ID IAP for intercept-related information (IRI), such as the target's username and the IP address of the system, to determine which call content IAP (VXSM) the target's traffic passes through.
2. After identifying the VXSM that handles the target's traffic, the administration function sends SNMPv3 get and set requests to VXSM's Management Information Base (MIB) to set up and activate the lawful intercept. The CISCO-TAP2-MIB is the supported lawful intercept MIB to provide per-subscriber intercepts.
3. During the lawful intercept, VXSM:
a. Examines incoming and outgoing traffic and intercepts any traffic that matches the specifications of the lawful intercept request.
b. Creates a copy of the intercepted traffic and forwards the original traffic to its destination so the target does not suspect anything.
c. Encapsulates the intercepted traffic in UDP packets and forwards the packets to the mediation device without the target's knowledge.
Note The process of intercepting and duplicating the target's traffic adds no detectable latency in the traffic stream.
4. The mediation device converts the intercepted traffic into the required format and sends it to a collection function running at the LEA. Here, the intercepted traffic is stored and processed.
Note If VXSM intercepts traffic that is not allowed by the judicial order, the mediation device filters out the excess traffic and sends the LEA only the traffic allowed by the judicial order.
5. When the lawful intercept expires, VXSM stops intercepting the target's traffic.
Lawful Intercept MIBs
To perform lawful intercept, VXSM uses these MIBs, which are described in the following sections:
•CISCO-TAP2-MIB—Used for lawful intercept processing.
•CISCO-IP-TAP-MIB—Used for intercepting Layer 3 (IPv4) traffic.
The CISCO-TAP2-MIB contains SNMP management objects that control lawful intercepts on VXSM. The mediation device uses the MIB to configure and run lawful intercepts on targets whose traffic passes through VXSM.
The CISCO-TAP2-MIB contains several tables that provide information for lawful intercepts that are running on VXSM:
•cTap2MediationTable—Contains information about each mediation device that is currently running a lawful intercept on VXSM. Each table entry provides information that VXSM uses to communicate with the mediation device (for example, the device's address, the interfaces to send intercepted traffic over, and the protocol to use to transmit the intercepted traffic).
•cTap2StreamTable—Contains information used to identify the traffic to intercept. Each table entry contains a pointer to a filter that is used to identify the traffic stream associated with the target of a lawful intercept. Traffic that matches the filter is intercepted, copied, and sent to the corresponding mediation device application (cTap2MediationContentId).
The cTap2StreamTable table also contains counts of the number of packets that were intercepted, and counts of dropped packets that should have been intercepted, but were not.
•cTap2DebugTable—Contains debug information for troubleshooting lawful intercept errors.
The CISCO-TAP2-MIB also contains several SNMP traps for lawful intercept events. For detailed descriptions of MIB objects, see the MIB itself.
The administration function (running on the mediation device) issues SNMPv3 set and get requests to CISCO-TAP2-MIB to set up and initiate a lawful intercept. To do this, the administration function performs the following actions:
1. Creates a cTap2MediationTable entry to define how VXSM is to communicate with the mediation device executing the intercept.
Note The cTap2MediationIndex object provides a unique index for the mediation table entry.
2. Creates an entry in the cTap2StreamTable to identify the traffic stream to intercept.
3. Sets cTap2StreamInterceptEnable to true(1) to start the intercept. VXSM intercepts traffic in the stream until the intercept expires (cTap2MediationTimeout).
The CISCO-IP-TAP-MIB contains the SNMP management objects to configure and execute lawful intercepts on IPv4 traffic streams that flow through VXSM. This MIB is an extension to the CISCO-TAP2-MIB.
You can use the CISCO-IP-TAP-MIB to configure lawful intercept on VXSM to intercept IPv4 packets with values that match a combination of one or more of the following fields:
•Destination IP address and mask
•Destination port range
•Source IP address and mask
•Source port range
When data is intercepted, two streams are created. One stream is for packets that originate from the target IP address to any other IP address using any port. The second stream is for packets that are routed to the target IP address from any other address using any port. For VoIP, two streams are also created: one for RTP packets from the target and one for RTP packets to the target, each using the specific source and destination IP addresses and ports given in the SDP information used to set up the RTP stream.
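The following added example (constructed Python, not VXSM or mediation-device code) models the three provisioning steps from the CISCO-TAP2-MIB description above together with the two-stream rule just described: a mediation row with a timeout, stream rows that must reference an existing mediation index, the intercept-enable flag, per-stream intercepted and dropped counters, and the address/mask plus port-range filter of the CISCO-IP-TAP-MIB. The table fields, the Packet type, the send callback and all addresses are simplified stand-ins, not the MIB objects themselves.

```python
"""Constructed model of CISCO-TAP2-MIB / CISCO-IP-TAP-MIB provisioning and stream matching.
Rows are a simplified subset of the MIB tables, not the real SNMP objects."""
from dataclasses import dataclass
import ipaddress

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")   # address with mask 0: matches everything
ANY_PORTS = (0, 65535)                          # full port range


@dataclass
class Packet:                                   # constructed IPv4/UDP header subset
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class IpStreamFilter:
    """CISCO-IP-TAP-MIB style filter: address/mask and port range for each side."""
    src_net: ipaddress.IPv4Network
    src_ports: tuple
    dst_net: ipaddress.IPv4Network
    dst_ports: tuple

    def matches(self, pkt):
        return (ipaddress.IPv4Address(pkt.src) in self.src_net
                and self.src_ports[0] <= pkt.sport <= self.src_ports[1]
                and ipaddress.IPv4Address(pkt.dst) in self.dst_net
                and self.dst_ports[0] <= pkt.dport <= self.dst_ports[1])


@dataclass
class MediationEntry:                           # cTap2MediationTable row (subset)
    index: int                                  # cTap2MediationIndex
    dest: tuple                                 # (ip, udp port) the copies are sent to
    timeout: float                              # cTap2MediationTimeout as absolute seconds


@dataclass
class StreamEntry:                              # cTap2StreamTable row (subset)
    mediation_index: int                        # points at the mediation row
    filt: IpStreamFilter
    enabled: bool = False                       # cTap2StreamInterceptEnable
    intercepted: int = 0                        # packets copied to the mediation device
    dropped: int = 0                            # should have been copied but were not


def data_intercept_filters(target_ip):
    """Data intercept: one stream from the target to anyone, one to the target from anyone."""
    host = ipaddress.IPv4Network(f"{target_ip}/32")
    return [IpStreamFilter(host, ANY_PORTS, ANY_NET, ANY_PORTS),
            IpStreamFilter(ANY_NET, ANY_PORTS, host, ANY_PORTS)]


def voip_intercept_filters(target_ip, target_port, remote_ip, remote_port):
    """VoIP intercept: the two RTP streams, pinned to the addresses and ports from SDP."""
    t = ipaddress.IPv4Network(f"{target_ip}/32")
    r = ipaddress.IPv4Network(f"{remote_ip}/32")
    return [IpStreamFilter(t, (target_port, target_port), r, (remote_port, remote_port)),
            IpStreamFilter(r, (remote_port, remote_port), t, (target_port, target_port))]


class VxsmTapAgent:
    """Stand-in for the VXSM side: holds both tables and applies them to traffic."""

    def __init__(self, send_to_md):
        self.mediations = {}
        self.streams = {}
        self.send_to_md = send_to_md            # callable(dest, pkt) -> True if delivered

    def create_mediation(self, index, dest, timeout):
        # step 1: the mediation row must exist before a stream can reference it
        self.mediations[index] = MediationEntry(index, dest, timeout)

    def create_stream(self, stream_index, mediation_index, filt):
        # step 2: the stream row is tied to its mediation row by cTap2MediationIndex
        if mediation_index not in self.mediations:
            raise ValueError("inconsistentValue: unknown cTap2MediationIndex")
        self.streams[stream_index] = StreamEntry(mediation_index, filt)

    def enable_stream(self, stream_index, enabled=True):
        # step 3: nothing is copied until cTap2StreamInterceptEnable is true(1)
        self.streams[stream_index].enabled = enabled

    def process(self, pkt, now):
        """Return the mediation indexes that received a copy; the original is always forwarded."""
        copied_to = []
        for s in self.streams.values():
            md = self.mediations[s.mediation_index]
            if not s.enabled or now >= md.timeout or not s.filt.matches(pkt):
                continue                        # disabled, expired, or no match: no copy
            if self.send_to_md(md.dest, pkt):
                s.intercepted += 1
                copied_to.append(md.index)
            else:
                s.dropped += 1                  # delivery failed: counted, never retried here
        return copied_to


if __name__ == "__main__":
    agent = VxsmTapAgent(lambda dest, pkt: True)          # pretend every UDP copy is delivered
    agent.create_mediation(1, ("192.0.2.10", 4000), timeout=3600.0)   # constructed MD address
    for i, f in enumerate(data_intercept_filters("198.51.100.7"), start=1):
        agent.create_stream(i, 1, f)
        agent.enable_stream(i)
    print(agent.process(Packet("198.51.100.7", 5000, "203.0.113.1", 80), now=10.0))   # [1]
    print(agent.process(Packet("203.0.113.1", 80, "203.0.113.2", 80), now=10.0))      # []
```

Two behaviours of the page are worth checking against the model: a packet between two non-target hosts never produces a copy even with both streams enabled, and once the mediation timeout has passed the stream rows still exist but no longer cause copies, which is the "intercept expires" condition in step 3 above. The dropped counter is the place a mediation device would look when its packet counts disagree with the stream's intercepted counter.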