Lawful Interception For 3G Networks White Paper: November, 2005 Aqsacom Document No. 040450
Copyright 2003-2005 Aqsacom Inc. and Aqsacom SA. No portion of this document may be reproduced without the expressed permission of Aqsacom. The data and figures of this document have been presented for illustrative purposes only. Aqsacom assumes no liability for errors or omissions.
Table of Contents
1. Introduction
2. Definition of 3G Technology and Deployments
3. Uses of 3G Technology and Implications for Lawful Interception
4. The Architecture of Lawful Interception
5. Overview of network structure for CDMA and UMTS
6. Lawful Interception in 3G Networks
7. Aqsacom's ALIS Mediation Function Platform
8. Summary
9. References
Aqsacom SA, Les Conquerants, Bt B Everest, 1 avenue de l'Atlantique, Les Ulis Courtabeouf Cedex, F-91976 France. Tel. 33 1 69 29 36 00, Fax 33 1 69 29 84 01, sales@aqsacom.com, www.aqsacom.com
v 4.0
True UMTS, otherwise informally known as WCDMA because of UMTS's use of wideband CDMA modulation in the air space, conforms to the IMT-2000 3G requirements. Nevertheless, many transmission standards do not fit the speed requirements even though their proponents continue to classify such standards as 3G. The following summarizes the capabilities of the transmission standards, some of which may be better described as 2.5G (e.g., GPRS) or 2.75G (CDMA2000 1X RTT).

CDMA2000 1X RTT: This standard follows from CDMAOne (CDMA IS95) in that it also occupies 1.25 MHz channels, as did its earlier-generation system (hence the term 1X). RTT stands for Radio Transmission Technology. Although this standard supports theoretical data transmission rates of 307 kbs, operators such as Verizon Wireless support typical rates of 40 to 80 kbs peak. This is the dominant technology of the Verizon Wireless and Sprint PCS networks in their offer of voice and limited data services.

CDMA2000 1X EV-DO: This represents the next evolutionary step up from the above standard (hence the term EV). The standard makes use of Qualcomm's High Data Rate (HDR) system, which supports packet data rates of up to 2.4 Mbs. Qualcomm holds core patents to this technology, as it does in the other technologies behind the CDMA and WCDMA standards. CDMA2000 1X EV-DO is now being deployed in major markets by Verizon Wireless and Sprint Nextel, and can support true mobile 3G services according to the IMT-2000 3G definition.

CDMA Deployments

CDMA (One and 2000) [2] has its largest base in North America (over 102 million subscribers as of 3Q 2005 according to the CDMA Development Group [2]), mainly thanks to the widespread deployments of the system by Sprint Nextel and Verizon Wireless. Both operators offer US nationwide coverage of CDMA2000, and are also deploying CDMA2000 EV-DO in major markets. Bell Mobility and Telus operate CDMA2000 in most major cities throughout Canada.

CDMA in the Asia-Pacific region is even stronger at 125 million subscribers (CDMA Development Group figures, 3Q05). Carriers now operating and enlarging their CDMA2000 networks include China Unicom (China), KDDI (Japan), Telstra (Australia), and those in South Korea (SK Telecom, LG, KT Freetel).

The Caribbean and Latin America represent a strong CDMA region, with over 53 million subscribers (3Q05 [2]). Deployments of CDMA2000 are scattered throughout these regions.

Not surprisingly, Europe represents a weak zone for CDMA in general, with most CDMA activity confined to Russia, the Ukraine, Romania, and other Eastern European countries.

Operators worldwide are deploying CDMA2000 EV-DO, which, unlike CDMA2000 1X, strictly meets the IMT-2000 definition of 3G (see [2] for extensive data on CDMA deployments region-by-region).
GPRS (General Packet Radio Service): This service complements GSM voice and rides within the 200 kHz band reserved for GSM channelization. It is a packet-based service with a theoretical transmission speed of up to 172 kbs, although current operator implementations and handsets typically operate at 10 to 50 kbs. The packet mode enables the service to be always connected. This is the dominant wireless data transmission technology wherever GSM is deployed, such as throughout Europe. In North America, Cingular/AT&T and T-Mobile have been offering calling plans with this technology.

EDGE (Enhanced Data Rates for GSM and TDMA Evolution): EDGE updates GPRS technology by using higher-order modulation schemes. The upgrade is not necessarily trivial to perform on a large scale. Despite its theoretical transmission speed of over 300 kbs, users will be more likely to find rates of about 20 to 100 kbs. The technology operates within channels allocated for GSM and GPRS. In North America, Cingular/AT&T and T-Mobile have adopted this technology as their current 3G solution, although its data rates clearly do not conform to the IMT-2000 3G definition. In Europe, many operators have deployed EDGE despite their ongoing efforts to also deploy full UMTS.

UMTS (WCDMA): UMTS (Universal Mobile Telephone System) has been developed under the 3GPP (3rd Generation Partnership Project) Working Group and proposed as a true 3G standard. It is commonly called WCDMA (Wideband CDMA) because of its use of CDMA in the air space modulation. The standard makes use of 5 MHz for transmission and 5 MHz for reception, thereby consuming relatively more bandwidth than its distant cousin GSM (200 kHz). UMTS can offer 2 Mbs provided sufficient cell sites are in place. Note that in Japan, NTT DoCoMo's FOMA (Freedom Of Mobile Access) is based on an early variant of UMTS that employs a 64 kbs dedicated channel for video and other higher speed delivery to a given handset. Such dedicated channels are not present in current UMTS and CDMA2000 specifications used in North America and Europe.

WCDMA continues to be rolled out throughout Europe, Asia, and the US (mainly by Cingular/AT&T) by GSM carriers, although uptake has been slower than anticipated (current worldwide user base at about 35 million according to the GSM Suppliers Association, 3Q05). Adoption is expected to pick up with anticipated services involving music downloading and video delivery to wireless devices. Higher download speeds are anticipated with the deployment of services and handsets based on HSDPA (high-speed downlink packet access), which will augment WCDMA services' data rates into the 2 Mbs range. However, HSDPA deployments will not begin in earnest until later in 2006.
TD-SCDMA (Time Domain Synchronous Code Division Multiple Access): This standard was developed by the Chinese Academy of Telecommunications Technology, Datong, and Siemens [1]. The standard addresses the Chinese government's concern that China was too dependent on mobile technology, especially that of 3G, from Western companies. TD-SCDMA is built upon GSM, and proponents of the standard claim that it can achieve 3G functionality at a substantially lower cost than UMTS. Technically, the standard is now registered as part of UMTS Release 4.0. It is anticipated that TD-SCDMA will not only serve as a platform for 3G data services, but also facilitate the deployment of conventional voice services competing against wireline voice or where wireline is not available. TD-SCDMA supports data links of up to 2 Mbit/sec, thereby qualifying it (in theory) as a true 3G standard.

China constitutes the world's largest cellular telephone market with 300 million subscribers, which is about 3X the size of China's fixed-line market. The timeframe for decisions by the Chinese government on the allocation of 3G licenses and use of technology remains unclear, except that 3G deployment and use should be well underway in time for the 2008 Olympics in Beijing. Details on lawful interception for TD-SCDMA networks are difficult to obtain; however, its use of UMTS network elements likely would imply that LI network implementations for TD-SCDMA are similar to those for UMTS.

Wi-Fi¹: Although not classified as a 3G service, Wi-Fi is often given the title, mainly for marketing reasons. Wi-Fi represents the standardized implementation of wireless LANs based on the IEEE 802.11 family of standards (in particular, 802.11a for 5 GHz operation, 802.11b for 2.5 GHz operation, 802.11g for higher speeds at 2.5 GHz, and 802.11i for secure networks). Even though transmission speeds on the order of 10 Mbs are stated in the standard, this data rate is rarely achieved in the outdoor micro cell or indoor pico cell environments in which public and private Wi-Fi networks are deployed. Nevertheless, public Wi-Fi services do typically deliver rates on the order of 1 to 2 Mbs, making the service close in performance to that called for in the IMT-2000 3G requirements. From a strategic point of view, Wi-Fi may become a formidable competitor to emerging 3G services, especially for users that frequent common public spaces (e.g., airport waiting areas, coffee shops) and require high speed Internet connectivity.

WiMAX (Worldwide Interoperability for Microwave Access): Given the success of Wi-Fi in spreading the use of low cost 802.11 implementations and assuring cross-vendor interoperation, another industry group, the WiMAX Forum, is now attempting to do the same for the IEEE 802.16 wireless standard. Originally intended for fixed-position broadband point-to-multipoint metropolitan area networking, the standard is being extended to support mobility. Fixed range is up to 50 km (30 miles) for line-of-sight spans; mobile range is 5 to 15 km (3 to 10 miles). The WiMAX Forum aims to recommend product implementations of the 802.16 standard as well as elements of the similar ETSI HiperMAN standard. Vendor products conforming to these implementations will be given WiMAX certification.
In the near term, WiMAX will provide long range, alternative broadband access to network nodes. These network nodes, in turn, could support wired or wireless Wi-Fi local networks. However, low cost PC-based radio transceivers are now under development that can enable a workstation or even a hand-held wireless device to connect directly to a WiMAX-enabled network. WiMAX poses a potential source of competition to 3G UMTS and CDMA networks, especially in the delivery of broadband wireless data services over areas of several km in diameter. However, issues related to signal obstruction, attenuation, in-building coverage, etc. would have to be considered, as they could mitigate the effectiveness of WiMAX in many locations.

By definition, only UMTS, CDMA2000 1X EV-DO, and perhaps TD-SCDMA conform to the true definition of the term 3G. Nevertheless, the term 3G is often loosely used for services reliant on lower speed technologies, such as EDGE, CDMA2000 1X RTT, or even unrelated technologies such as Wi-Fi.
¹ The term Wi-Fi is a trademark of the Wi-Fi Alliance, a group of industry players advancing the deployment of 802.11 systems and their compatibility.
Multimedia Games. As handsets become more sophisticated in their support of downloadable and networked games, issues of lawful interception as applied to games can arise. Clearly, lawful interception has a role in the tracking of users and sources of games with illicit thematic material, such as child pornography, gambling, hate-targeting, or copyright infringement.

Voice over IP (VOIP). VOIP-capable handsets are now on the market and will grow in popularity, especially for operation over Wi-Fi networks. As robust 3G networks are deployed, VOIP will likely become a growing application among mobile users. Clearly, the lawful interception of VOIP traffic raises a number of technical and legal issues that cannot be ignored by the LEAs and network operators.
Figure 4-1. Simplified view of ETSI architecture. Of primary interest is the use of a Mediation Platform to convey intercepted data from the network to the LEA.
A more detailed, yet still generalized view of the ETSI architecture is provided in Figure 4-2 [5]. This architecture attempts to define a systematic and extensible means by which network operators and LEAs can interact, especially as networks grow in sophistication and scope of services. The architecture is now applied worldwide (in some cases with slight variations in terminology), including the US in the context of CALEA². Of particular note is the separation of three functions: lawful interception management (mainly session set-up and tear down, as demanded by the LEA); conveyance of call data (e.g., destination of call, source of a call, time of the call, duration, etc.) from the network operator to the LEA; and conveyance of call content, also from the network operator to the LEA. Communications between the network operator and LEA are via the Handover Interfaces (designated HI). Also of importance is the interception entity, which gathers the intercepted data from various switches and probes in the network, formats the data into standardized data representations, and delivers the interception data to one or more LEAs. Aqsacom addresses the functions of the interception entity through its ALIS mediation platform (discussed in Section 7). Keep in mind that the ETSI lawful interception architecture is not only applicable to voice calls, but to IP data interception as well.
[Diagram not reproduced. Labels recovered from the original figure: LEA domain; Provisioning; HI1; Network Internal Functions; Content of Communication (CC); Network Entities; Voice / IP Network; CC Mediation Function; HI3; CCC.]
Figure 4-1. ETSI-developed architecture for lawful interception. Note the separation of lawful interception management functions (HI1), call-related data (HI2), and call content (HI3) in the interaction between the LEA and communication service provider (based on [5]).
² Communications Assistance for Law Enforcement Agencies. CALEA was an act of US Congress, passed in 1994, in response to the proliferation of wireless networks and growing sophistication of wireline networks. It has attempted to define specific measures that carriers must take to convey lawful intercept information to LEAs. All telephone service operators, wireline and wireless, were to have complied with this law by the middle of 2003.
[Diagram not reproduced. Labels recovered from the original figure: To IPv6 Networks; MGCF; EIR; IMS-MGW; CSCF; UMTS; TSGW; to Internet.]
Figure 5-1. Generalized view of a mobile 3G network based on UMTS. This diagram corresponds to Release 5 and later of the UMTS specification. Configuration is nominal and varies by vendors who furnish equipment. Some functions may be combined into a single network entity.
UMTS Network Terms [6,7]

BSC (Base Station Controller). Controls and coordinates the function and data flow to/from a group of BTSs that are connected to it.

BTS (Base Transceiver Station). Contains RF and other network elements serving as the air interface between the network and mobile handsets.

GGSN (Gateway GPRS Support Node). Enables packet flow between the SGSN and the outside world, the latter typically the public Internet. This is a relic of GPRS that is also implemented in UMTS.

IMS-MGW (IP Multimedia Subsystem - Media Gateway). Routes switched data from the BSC/RNC, via IP, ATM, or other NGN type networks, to the PSTN and other public or private networks. Used in later revisions to UMTS (e.g., Releases 5 and later).

MGCF (Media Gateway Control Function). Controls the Media Gateway, in part, by interacting with network signaling (e.g., SS7). Used in later revisions to UMTS (e.g., Release 5).

MRF (Media Resource Function). Manages enhanced services and other applications over 3G networks, including voice mail, conferencing, pre-paid calling, messaging, etc.

RNC (Radio Network Controller). Same as BSC. Controls a group of base stations covering a given territory.

SGSN (Serving GPRS Support Node). Core element of GPRS networks and also used in UMTS. Responsible for routing of packets between the BSC/RNC and the GGSN. More specifically, the SGSN handles: a) encryption, decryption, and authentication of packets; b) session management and communication set-up with the mobile subscriber; c) logical link management to the mobile subscriber; d) packet flow and signaling to/from other nodes (HLR, BSC/RNC, GGSN, etc.); and e) tracking of charges to the subscriber based on services consumed. In some vendor implementations, the SGSN and GGSN can reside on the same equipment chassis.

TSGW (Transport Signaling Gateway). Serves as signaling interface (e.g., SSL) between MGW and PSTN.

Registers, Controllers, Signaling Devices

AS (Application Server). Operates in conjunction with the MRF for executing enhanced calling and data services.

AUC (Authentication Center). Stores user information for authentication purposes to prevent unauthorized use of a subscriber's account.

HSS (Home Subscriber Server). Includes the functions of the Home Location Register (HLR) as well as other functions for managing user mobility and multimedia applications over IP networks.

VLR (Visitor Location Register). When the user moves outside of the home territory of the HLR, the VLR records the presence of the user in a new territory and relays this information back to the user's home HLR. If the user roams into the network of a different carrier, the new network's VLR will record this action.

EIR (Equipment Identity Register). Lists all devices that the network considers valid. If a mobile device is stolen, the EIR would prevent access of this device to the network.

CSCF (Call Session Control Function). Handles call set up and termination, state and event management, billing information, location-based services and other functions according to vendor implementation.

SMSC (SMS Center). System for managing Short Message Service through network signaling.
[Diagram not reproduced. Labels recovered from the original figure: HLR; VLR; BSC; BTS; MRF; EIR; CDMA2000; to Internet. Line legend: switched voice/data; packet data; signaling and control.]
Figure 5-2. General overview of a typical 3G mobile network based on CDMA2000 technology.

CDMA2000 Network Terms

AAA (Authentication, Authorization, and Accounting server). Handles user access to the Internet in typical 3G configurations.

BSC (Base Station Controller). Controls and coordinates the function and data flow to/from a group of BTSs that are connected to it.

BTS (Base Transceiver Station). Contains RF and other network elements serving as the air interface between the network and mobile handsets.

IWF (Inter-working Function). Generally serves as a gateway between circuit-switched CDMA networking and outside public switched networks. Different manufacturers provide different levels of functionality in their IWF systems (e.g., remote access, interface to Internet effectively making the IWF operate as a PDSN).

MRF (Media Resource Function). Manages enhanced services and other applications over 3G networks, including voice mail, conferencing, pre-paid calling, messaging, etc.

MSC (Mobile Switching Center). A switch that provides a connection between the local BSC and the MSC of a remote network. The MSC establishes a circuit-switched call between two networks, while accounting for signaling (e.g., from SS7 networks).

PDSN (Packet Data Serving Node). Extracts packets from the BSC that are destined for transmission over the Internet, and likewise routes packets from the Internet to the BSC.

Registers, Controllers, Signaling Devices

AS (Application Server). Operates in conjunction with the MRF for executing enhanced calling and data services.

AUC (Authentication Center). Stores user information for authentication purposes to prevent unauthorized use of a subscriber's account.

HLR (Home Location Register). Contains the user profile and handles updates to billing based on usage of the subscribed-to services.

VLR (Visiting Location Register). When the user moves outside of the home territory of the HLR, the VLR records the presence of the user in a new territory and relays this information back to the user's home HLR. If the user roams into the network of a different carrier, the new network's VLR will record this action.

EIR (Equipment Identity Register). Lists all devices that the network considers valid. If a mobile device is stolen, the EIR would prevent access of this device to the network.

SMSC (SMS Center). System for managing Short Message Service through network signaling.
CDMA and UMTS are generally very similar in their lawful interception implementations, although slight differences do occur. For example, UMTS target identifiers apply the Subscriber Identity Module (or SIM card) ID of the target's mobile device, whereas CDMA phones do not use these cards. Likewise, interception session set-up can also differ given the at times subtle differences in equipment functions between the two networks. We emphasize that the diagrams are mainly conceptual and that many of the network elements can be combined into single pieces of equipment. Likewise, the LI information flow does not consider the underlying network transport technology, which can be based on IP, ATM, or other means. The interception functions (designated by the magnifying glasses) may be internal to the equipment (circuit-switched equipment, in particular), through database interrogations, or via equipment installed for the purpose of interception information collection (routers, probes).
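[Diagram not reproduced. Network elements labelled in the original figure: MRF; BTS; HSS; MGCF; VLR; EIR; IMS-MGW; CSCF; SGSN; AUC; AS; GGSN; SMSC; TSGW; UMTS; To IPv6 Networks; To PSTN, other networks; to Internet. Line legend: switched voice/data; packet data; signaling and control. Interception point legend: X = interception point, where X=C is Content of Communication and X=D is Call Data (IRI). The C and D markers attached to individual elements cannot be recovered from the extracted text.]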
Figure 6-1. Overview of interception points for a UMTS network (Release 5 and later). The designated network elements and network points denote possible points for intercepting data. Usually only one to three of these points need to be intercepted, depending on equipment design, access, and other factors.
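[Diagram not reproduced. Network elements labelled in the original figure: BTS; IWF; HLR; MSC; VLR; BSC; MRF; EIR; SMSC; PDSN; AS; AAA; AUC; CDMA2000; to Internet. Line legend: switched voice/data; packet data; signaling and control. Interception point legend: X = interception point, where X=C is Content of Communication and X=D is Call Data (IRI). The C and D markers attached to individual elements cannot be recovered from the extracted text.]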
Figure 6-2. Overview of interception points for a CDMA2000 network. As in the previous figure, the interception points shown are among a pool of suggested points, but only one to three would typically have to be implemented (based in part on [10]).
Figure 6-3 provides a closer view of the interception topology expected to be found in 3G networks, in this case for circuit-switched network operation. This depiction (based on that published by 3GPP) is sufficiently general to include CDMA2000. In summary, it shows that LI management commands are conveyed between the Administrative Function (ADMF) and other network elements via the X1 interface, intercepted call data (IRI) are conveyed via the X2 interface, and intercepted call content is gathered via the X3 interface. Note that X3 can convey both bulk content (bearer) and signaling information, which are ultimately conveyed to the LEA via Handover HI3. The shaded boxes represent functions performed by Aqsacom's core product, the ALIS Mediation Platform (discussed further in Section 7). A similar diagram pertaining to packet data services is provided in Figure 6-4.

The important point of Figures 6-3 and 6-4 is not the definition of another interface, but rather the separation of the LEA and data gathering functions within the network operator via a mediation function. This separation is the core contribution of the ETSI standard (Figure 4-1). It is this separation that enables LEAs and network operators to configure interception systems in a generalized manner that covers a wide range of services and technologies, including wireline voice, wireless voice, wired and wireless data, and emerging services such as VOIP.
[Diagram not reproduced. Labels recovered from the original figure: HI1; X1_1; ADMF; Mediation Function; X1_2; X1_3; X2; Delivery Function 2; Mediation Function; HI2; LEA Monitoring Center; HI3; X3; MGW, IWF; Delivery Function 3; Mediation Function.]
Figure 6-3. Interception interfaces for circuit-switched services within a 3G mobile network (generalized for CDMA2000 and UMTS) (based on [9]). Functions in shaded boxes are implemented in ALIS (Section 7).
[Diagram not reproduced. Labels recovered from the original figure: HI1; X1_1; ADMF; Mediation Function; X1_2; HI2; Delivery Function 2; Mediation Function; LEA Monitoring Center; X2; HI3; X3; Delivery Function 3; Mediation Function.]
Figure 6-4. Interception interfaces for packet data services (including IP) within a 3G mobile network (generalized for CDMA2000 and UMTS) (based on [9]). Functions in the shaded boxes are implemented in ALIS (Section 7).
Additional Information on 3G Interception

Location-Dependent Interception

The issue of location of the interception target may come into play for two reasons: 1) to simply track the location of the target and 2) to restrict lawful interception, as authorized by a given LEA, to only the geographical territory representing the jurisdiction of the LEA.

Execution of the first remains rather vague in that no formal standards have been introduced to formally track the movement of a target for lawful interception purposes, as useful as this information may appear [5]. One reason is that the target may cross boundaries controlled by different LEAs, not all of whom have authorized the interception. Another reason is that the required accuracy, typically to within the range of the nearest base station, may not be adequate to pinpoint the location of the target. Technical means are generally available to enhance the accuracy of position determination, such as through Global Positioning Satellite (GPS), triangulation methods which apply multiple towers, statistical methods that track the motion of the target, or any combination of these. Nevertheless, formal LI procedures incorporating these methods have yet to be introduced.

In the second case, a given BSC may traverse many different Interception Areas (IAs), with each area defined by a set of BTS cells within the BSC. As mentioned above, these IAs may correspond to different jurisdictions. Therefore, when a moving target's communications must be intercepted, a check must be made to ensure that the corresponding LEA initiating the interception can in fact receive intercepted information from the IA where the target is located at a given point in time. Checks for valid IAs, when such checks are called for, are performed by the delivery functions and other network elements such as the MSC, GMSC, CSCF, and IWF.

There is also the notion of geographic vs. identity-driven interception. The first is when all subjects at a given location become targets of an LI procedure. This can be useful when tracking the presence of targets in sparsely populated (subscriber-wise) zones. Identity-driven LI is the more common form of LI, where targets are identified by specific identity information (e.g., the SIM card's International Mobile Subscriber Identity or IMSI; the handset's International Mobile Equipment Identity or IMEI). In both cases, novel target detection methods must be employed to include the notion of location in the surveillance.

Wi-Fi and WiMAX interception

Although not technically 3G services, we mention Wi-Fi and WiMAX for the sake of completeness since these services could constitute reasonable replacements for the 3G services. LI could take place at two levels. The first is at the RF level, where wireless sniffers are used to detect the presence of the Wi-Fi or WiMAX signals and their traffic. These sniffers are essentially constructed with wireless base stations operating in a promiscuous mode where all OSI Layer 2/3 addresses are sensed and sent to a protocol analyzer. Alternatively, traffic over these networks could be monitored along wired trunks feeding the base stations. Of course, access to the trunk lines or base stations would be required. See our companion White Paper "Lawful Interception for IP Networks" (Aqsacom Document 040451) for more details on the interception of IP networks, which would equally apply to wireless IP networks.
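The Interception Area check described under Location-Dependent Interception above can be sketched as follows. This is an added example, not code from the Aqsacom paper or the ALIS product: it shows a delivery function that releases a record to an LEA only when the target's serving cell lies in an IA that LEA is authorized for, and that fails closed and keeps an audit trail otherwise. The cell names, IA names, LEA identifiers, IMSI values and class names are all hypothetical.

```python
from dataclasses import dataclass, field

# Handover interfaces as the paper defines them: call data (IRI) leaves on
# HI2, content of communication (CC) on HI3.
HANDOVER = {"IRI": "HI2", "CC": "HI3"}

# Constructed topology: BTS cells under one BSC, grouped into two
# Interception Areas (IAs). All names are hypothetical.
CELL_TO_IA = {
    "bts-001": "IA-NORTH",
    "bts-002": "IA-NORTH",
    "bts-003": "IA-SOUTH",
}


@dataclass(frozen=True)
class Authorization:
    """One LEA's authorization for one target, limited to the IAs it covers."""
    lea_id: str
    target_imsi: str
    interception_areas: frozenset


@dataclass(frozen=True)
class InterceptEvent:
    """A record produced at an interception point for a located target."""
    target_imsi: str
    cell_id: str  # BTS cell serving the target when the record was produced
    kind: str     # "IRI" or "CC"


@dataclass
class DeliveryFunction:
    cell_to_ia: dict
    authorizations: list
    audit: list = field(default_factory=list)

    def route(self, event):
        """Return [(lea_id, handover_interface)] the event may be sent to."""
        if event.kind not in HANDOVER:
            raise ValueError(f"unknown record kind: {event.kind!r}")
        ia = self.cell_to_ia.get(event.cell_id)
        allowed = []
        for auth in self.authorizations:
            if auth.target_imsi != event.target_imsi:
                continue  # this authorization concerns a different subscriber
            if ia is None:
                # Fail closed: an unmapped cell cannot be shown to lie inside
                # any jurisdiction, so nothing is handed over.
                decision = "suppressed: cell not mapped to any IA"
            elif ia not in auth.interception_areas:
                decision = f"suppressed: {ia} outside authorization"
            else:
                decision = f"delivered on {HANDOVER[event.kind]}"
                allowed.append((auth.lea_id, HANDOVER[event.kind]))
            self.audit.append((auth.lea_id, event.cell_id, event.kind, decision))
        return allowed


def run_sample():
    """Route constructed events as the target moves from IA-NORTH to IA-SOUTH,
    then into a cell missing from the map; the last event is a non-target."""
    imsi = "001010000000001"  # constructed IMSI, not a real subscriber
    df = DeliveryFunction(
        cell_to_ia=CELL_TO_IA,
        authorizations=[
            Authorization("LEA-A", imsi, frozenset({"IA-NORTH"})),
            Authorization("LEA-B", imsi, frozenset({"IA-NORTH", "IA-SOUTH"})),
        ],
    )
    events = [
        InterceptEvent(imsi, "bts-001", "IRI"),
        InterceptEvent(imsi, "bts-003", "CC"),
        InterceptEvent(imsi, "bts-999", "CC"),
        InterceptEvent("001010000000002", "bts-001", "CC"),
    ]
    return [df.route(e) for e in events], df.audit


if __name__ == "__main__":
    results, audit = run_sample()
    for r in results:
        print(r)
    for entry in audit:
        print(entry)
```

The audit list records suppressed records as well as delivered ones, which is what lets an operator later show that nothing left the network for an IA outside a given LEA's authorization.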
Hardware / Operating System

ALIS makes use of off-the-shelf, industrial-strength PC hardware. This allows for easy parts replacement and reduced cost. All software runs under the Windows 2000 and LINUX operating systems.

ALIS and 3G Networks

Figure 7-2 depicts the implementation of ALIS as a mediation platform in a UMTS network. The network configuration follows the generalized views introduced in Sections 5 and 6. Of note are the call data, call content, and LI management paths leading between ALIS-D and ALIS-M and the appropriate network elements and functions. Figure 7-3 provides a similar diagram for CDMA2000, where the LI network configuration is quite similar. In both diagrams, we depict a number of different possibilities as to where ALIS-D can receive interception data; not all the connections to ALIS specified in these figures need to be implemented.
[Diagram not reproduced. Labels recovered from the original figure: VLR; MGCF; EIR; IMS-MGW; CSCF; BTS; UMTS; TSGW; to Internet; ALIS-m; ALIS-d; VPN, ISDN, FTP; LEA 1 ... LEA n. Line legend: switched voice/data; packet data; signaling and control; LI management; Content of Communication; Call Data (IRI).]
Figure 7-2. Role of ALIS in the interception of UMTS 3G mobile networks (Release 5 and later).
[Diagram not reproduced. Labels recovered from the original figure: HLR; VLR; BSC; BTS; MRF; EIR; CDMA2000; to Internet; ALIS-m; ALIS-d; VPN, ISDN, FTP; LEA 1 ... LEA n. Line legend: switched voice/data; packet data; signaling and control; LI management; Content of Communication; Call Data (IRI).]
8. Summary
This White Paper has presented an overview of 3G mobile services and methods supporting the lawful interception of targets subscribing to these services. The LI processes are delineated by architectures, such as those specified by ETSI, 3GPP, ANSI, and other standards bodies, that facilitate systematic implementations and provisioning of lawful interception systems. However, challenges to lawful interception remain, including the need to support a diversity of services, vendor technologies, wireless networking technologies, voice, and a multiplicity of high speed data services. Aqsacom's ALIS mediation platform offers a comprehensive solution to the above challenges, while conforming to emerging mainstream architectures and regulations worldwide in lawful interception:

No Network Modifications

Designed for seamless integration and interoperation with existing mobile networks, ALIS interoperates with switching and networking equipment from most major vendors. This equipment vendor independence ensures that no network modifications are needed to support lawful interception, and that networks comprising a mix of vendors can be equally well supported. The result is rapid lawful interception installation, at reduced costs.

Most Technologies and Services Supported

ALIS operates over UMTS and CDMA2000 networks, as well as IP, wireline, and legacy 2G (e.g., GSM) networks. Thus, subscribers to a network operator's mixed service offer of wireline and mobile 3G services can be targeted, regardless of what services they are using. Perhaps more important, operation of the ALIS platform is essentially identical, regardless of the type of service implemented. This allows the operators of the system to quickly adapt to new services; hence, operator training costs diminish.

No Detection by the Mobile Subscriber

Subscribers are completely unaware of whether or not they are being tracked, thanks to Aqsacom's patented use of signalling information that is inherently processed within mobile networks.

No Detection by the Mobile Subscriber

Standards-compliance also means interoperability of the network with the LEA. Thus an LEA's investment in analysis tools remains intact as new networks and services come on line.

ALIS' complete set of functionalities

The comprehensive set of features and capabilities of the ALIS platform ensures easy, reliable, and secure operation of the system from both the network operator's and LEA's point of view.
9. References
[1] TD-SCDMA Forum. See http://www.tdscdma-forum.org

[2] CDMA Development Group worldwide statistics (see www.cdg.org).

[3] UMTS Forum. Data are as of January 2005. See http://www.umtsforum.org/servlet/dycon/ztumts/umts/Live/en/umts/Resources_Deployment_index

[4] Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications, 2003. Available at http://www.askcalea.net/docs/2003wiretap.pdf

[5] ETSI Standard ETSI ES 201 671 V2.1.1 (2001-09), Handover interface for the lawful interception of telecommunications traffic, September 2001.

[6] 3rd Generation Partnership Project TR 21.905 V6.6.0 (2004-03), Technical Specification Group Services and System Aspects; Vocabulary for 3GPP Specifications (Release 6), March 2004.

[7] 3rd Generation Partnership Project TS 23.002 V6.4.0, Technical Specification Group Services and Systems Aspects; Network architecture (Release 6), March 2004.

[8] 3rd Generation Partnership Project, Technical Specification 3GPP TS 33.106 V5.1.0 (2002-09), Lawful Interception Requirements (Release 5), September 2003.

[9] 3rd Generation Partnership Project, Technical Specification 3GPP TS 33.107 V6.0.0 (2003-09), Lawful interception architecture and functions (Release 6), September 2003.

[10] 3rd Generation Partnership Project, Technical Specification 3GPP TS 33.108 V6.3.0 (2003-09), Handover interface for Lawful Interception (Release 6), September 2003.

[11] Lawfully Authorized Electronic Surveillance, T1P1/T1S1 joint standard, document number J-STD-025B, December 2003.