12 3GPP IMS-based VoIP Services

3GPP TS 33.108: 3G Security; Handover interface for Lawful Interception (LI), Release 17

12.1 Identifiers

12.1.1 Overview

Specific identifiers are necessary to identify a target for interception uniquely and to correlate between the communication information, which is conveyed over the different handover interfaces (HI2 and HI3). The identifiers are defined in the subsections below. The eP-CSCF and enhanced IMS-AGW (eIMS-AGW) shall adhere to all the LI requirements pertaining to a P-CSCF and IMS-AGW, respectively. Any additional LI requirements pertaining to the support of WebRTC Interworking as specified in TS 23.228 [40] that only apply to the eP-CSCF or eIMS-AGW are described distinctly.

Based on the WebRTC Interworking as described in TS 23.228 [40], an individual Public User Identity is used as the target of interception in a WebRTC interworking system. Some additional considerations are included below.

1) When a Public User Identity may be temporarily assigned to a WebRTC IMS Client (WIC) from a pool of Public User Identities, an underlying identity for the WIC used during authentication (called a web identity in TS 24.371 [86], e.g. NAI) will need to be correlated to the temporary Public User Identity assigned to the WIC. This is needed to ensure that the target identified in the lawful authorization is associated with the Public User Identity assigned to the user.

2) When a lawful authorization is targeting an entire pool of Public User Identities, the target should still be each individual Public User Identity associated with the pool of Public User Identities.

NOTE: As U.2.1.4 of TS 23.228 [40] indicates that WebRTC Web Server Function (WWSF) may be located in a third party network and have a business arrangement with the IMS operator, this third party network will have its own LI functions according to national regulation. This point and the definition of a target or parties in the annex B9 is FFS. Also, some national regulations may prohibit the WWSF or WebRTC Authorisation Function (WAF) from using the option of not authenticating the user, especially as unauthenticated users are anonymous to the third party but may still be authorized for IMS service.

12.1.2 Lawful Interception Identifier

See clause 7.1.1.

12.1.3 Network Identifier

See clause 7.1.2.

12.1.4 Correlation Number

For a given target, the Correlation Number is unique per VoIP session and used for the following purposes:

– Correlate CC with IRI,

– Correlate different IRI records and different CC data within one VoIP session.

For IMS-based VoIP, the S-CSCF and optionally, the P-CSCF provide the IRI events. For IMS-based VoIP, the functional element that provides the CC interception depends on the call scenario and network configuration.

As described in TS 33.107 [19], CC interception is done by one of the following functional elements (referred to as CC Intercept Function):

– PDN-GW/GGSN

– IMS-AGW

– TrGW

– IM-MGW

– MRF.

And, the trigger to perform the CC interception at the above functional elements may be provided by the following functional elements (referred to as CC Interception Triggering Function):

– P-CSCF for PDN-GW/GGSN

– P-CSCF for IMS-AGW

– IBCF for TrGW

– MGCF for IM-MGW

– S-CSCF or AS for MRF.

For the delivery of CC, the CC Intercept Triggering Function provides the Correlation Number to the CC Intercept Function. This Correlation Number is delivered to the LEMF on the handover interface HI3 and is also delivered to the LEMF on the handover interface HI2.

The IMS-VoIP-Correlation delivered to the LEMF on the HI2 contains the Correlation Number(s) used for the IRI messages as ims-iri (IRI-to-IRI-Correlation) and the Correlation Number(s) used for the CC data as ims-cc (IRI-to-CC-Correlation). The LEMF shall interpret that the IRI messages and the CC data containing those Correlation Number values belong to one single IMS VoIP session.
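How a receiving system could apply this grouping rule, as an added example that is not part of the specification: numbers announced together in one IMS-VoIP-Correlation are merged into a single session, and CC whose Correlation Number was never announced on HI2 for that target is flagged rather than silently attached. The record layout, field names and sample values are constructed for illustration, and ims-iri is assumed to be present in every HI2 record.

```python
from collections import defaultdict

# Constructed sample data. Field names are simplified stand-ins for this
# example, not the ASN.1 of annexes B.9 (HI2) and B.12 (HI3).
HI2_RECORDS = [
    {"liid": "LIID-A", "seq": 1, "ims_iri": ["iri-01"], "ims_cc": ["cc-10"]},
    {"liid": "LIID-A", "seq": 2, "ims_iri": ["iri-01"], "ims_cc": ["cc-11"]},
    {"liid": "LIID-A", "seq": 3, "ims_iri": ["iri-02"], "ims_cc": []},
]
HI3_RECORDS = [
    {"liid": "LIID-A", "correlation": "cc-10"},
    {"liid": "LIID-A", "correlation": "cc-11"},
    {"liid": "LIID-A", "correlation": "cc-99"},  # never announced on HI2
    {"liid": "LIID-B", "correlation": "cc-10"},  # same number, other target
]


def correlate(hi2, hi3):
    """Return (sessions, orphans); sessions are ordered by first IRI record."""
    parent = {}

    def find(key):
        parent.setdefault(key, key)
        while parent[key] != key:
            parent[key] = parent[parent[key]]  # path halving
            key = parent[key]
        return key

    # Numbers carried in one IMS-VoIP-Correlation belong to one session.
    # Keys include the LIID: a Correlation Number is unique per target only.
    for rec in hi2:
        keys = [(rec["liid"], "iri", n) for n in rec["ims_iri"]]
        keys += [(rec["liid"], "cc", n) for n in rec["ims_cc"]]
        for key in keys:
            parent[find(key)] = find(keys[0])

    sessions = defaultdict(lambda: {"iri": [], "cc": []})
    for rec in hi2:  # assumption: ims_iri is never empty
        root = find((rec["liid"], "iri", rec["ims_iri"][0]))
        sessions[root]["iri"].append(rec["seq"])
    orphans = []
    for rec in hi3:
        key = (rec["liid"], "cc", rec["correlation"])
        if key in parent:
            sessions[find(key)]["cc"].append(rec["correlation"])
        else:
            orphans.append((rec["liid"], rec["correlation"]))
    return sorted(sessions.values(), key=lambda s: s["iri"][0]), orphans


SESSIONS, ORPHANS = correlate(HI2_RECORDS, HI3_RECORDS)
```

Orphaned CC is worth logging on the receiving side: it indicates either a lost HI2 record or a Correlation Number that does not belong to the target it was delivered under.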

12.2 Timing and quality

Refer to clause 7.2 for the details.

12.3 Security aspects

Refer to clause 7.3 for the details.

12.4 Quantitative aspects

Refer to clause 7.4 for the details.

12.5 IRI for IMS-based VoIP

IRI for VoIP shall be based on the procedures defined in 7.5 IRI for IMS with the following change specific to IMS-based VoIP:

– According to TS 33.107 [19], a national option may require a CSP to report to the LEMF the situation where CC delivery is required for an intercept order but the media does not enter the CSP’s network and hence is not available for interception.

– To support this case, a CC-Unavailable event is added to the IMS events with a parameter added to the list of IRI parameters that gives the reason for CC unavailability. The CC-Unavailable is reported only when the media interception is required according to the intercept order but the media is not available for interception.

12.6 CC for IMS-based VoIP

Annex B.12 provides the definitions of the data structures to be used for the delivery of CC for IMS-based VoIP (see Annex K for the detailed description). The Correlation Number received from the CC Intercept Triggering Function shall be used in the CC Data sent over the HI3.

For PDN-GW based interception of CC for IMS-based VoIP, optionally, the data structures defined in B.10 can be used if the combined delivery option is not required. In the same way, for GGSN based interception of CC for IMS-based VoIP, optionally, the data structures defined in B.10 or B.4 can be used if the combined delivery option is not required.

The Correlation Number received from the P-CSCF shall be used in the CC data sent over the handover interface (HI3).

12.7 VoLTE Roaming

12.7.1 General

Two roaming architectures are defined for VoLTE:

– S8HR.

– LBO.

As described in TS 33.107 [19], with S8HR as the roaming architecture, the PDN-GW and the P-CSCF reside in the HPLMN and therefore, the UE IMS signalling and media are directly routed to the HPLMN. In the alternate roaming architecture (Local Breakout), the PDN-GW and P-CSCF reside in the VPLMN.

In a VoLTE roaming scenario, the lawful interceptions performed in the HPLMN and in the VPLMN are independent of each other. As such, the HPLMN is not aware whether any LI activities are performed in the VPLMN. Likewise, the VPLMN is not aware whether any LI activities are performed in the HPLMN.

12.7.2 LI in HPLMN

The interception of voice services in the HPLMN is done according to clause 15 of TS 33.107 [19] and the reporting of IRI messages over HI2 and CC over HI3 are done according to the sub-clause 12.5 (IRI) and the sub-clause 12.6 (CC) of this document.

12.7.2.1 With S8HR

With S8HR, as described in TS 33.107 [19], the IRI messages are generated by the S-CSCF and, optionally, by the P-CSCF.

As described in TS 33.107 [19], the CC is generated by the PDN-GW or by the IMS-AGW and, for redirecting scenarios, by the IM-MGW or by the TrGW.

12.7.2.2 With LBO

With LBO, as described in TS 33.107 [19], the IRI messages are generated by the S-CSCF.

As described in TS 33.107 [19], the CC is generated by the TrGW and, for redirecting scenarios, by the IM-MGW or by the TrGW. In some variations of LBO, the CC may not be available in the HPLMN, in which case the HPLMN shall send the CC-Unavailable message to the LEMF as described in sub-clause 12.5.

12.7.3 LI in VPLMN with S8HR

See clause 20 and Annex J of TS 33.107 [19] for a detailed description of S8HR LI architectural aspects. A condensed view of the same is presented in figure 12.1 below.

Figure 12.1: Lawful Interception in the VPLMN with S8HR as the roaming architecture

The Serving Gateway/BBIFF extracts the data from the IMS signalling bearer of S8HR APNs and delivers the same to the LMISF. When the IMS signalling messages are related to a target communication, the LMISF generates the IMS events and sends the same to the Delivery Function 2 over the X2 reference point.

In addition, the Serving Gateway/BBIFF provides the LMISF with Media Bearer information of S8HR APNs over Xib reference point.

Based on the instruction received over the Xib reference point, the Serving Gateway/BBIFF extracts the packets from the associated media bearer and delivers the same to the LMISF. From those media packets, the LMISF delivers the CC along with the correlation information to the Delivery Function 3 over the X3 reference point.

NOTE 1: The confidentiality protection is disabled for roaming targets with S8HR as the roaming architecture, and therefore, the SIP messages and the voice-media content are always visible in clear form (i.e. no encryption) at the Serving Gateway/BBIFF.

NOTE 2: Like X2 and X3, the Xia and Xib reference points are not standardized in the present document.

The reporting of IRI messages over HI2 and CC over HI3 are done according to the sub-clause 12.5 (IRI) and the sub-clause 12.6 (CC) with the following additions:

– Include the VoIP roaming indication with the choice value of "roamingS8HR" indicating that the IMS events are generated in the VPLMN with S8HR as the roaming architecture. See annex B.9 for ASN.1 definition.

– Include the ICE-type with the value "lmISF" or "sGW" in the CC. See annex B.12 for ASN.1 definition.

12.7.4 LI in VPLMN with LBO

The interception of voice services in the VPLMN is done according to clause 15 of TS 33.107 [19] and the reporting of IRI messages over HI2 and the CC over HI3 are done according to the sub-clause 12.5 (IRI) and the sub-clause 12.6 (CC) with the following addition:

– Include the VoIP roaming indication with the choice value of "roamingLBO" indicating that the IMS events are generated in the VPLMN with LBO as the roaming architecture. See annex B.9 for ASN.1 definition.

As described in TS 33.107 [19], the IRI messages are generated by the P-CSCF and the CC is generated by the PDN-GW or by the IMS-AGW.

12.8 Roaming Constraints to IMS VoIP/VoLTE LI

National regulations may limit delivery of communications (CC and communications-associated IRI) of an outbound international roaming target by the HPLMN as described in Clause 5.1.4 of [7].

If roaming interception is allowed, IMS VoIP (including VoLTE) interception and delivery to the LEMF by the HPLMN shall proceed normally as described elsewhere in this specification when the target is roaming outside the country as well as when the target is within the country.

If roaming interception is not allowed and the HPLMN determines that the target is outside the country, the HPLMN shall act as described in Clause 15.5 of TS 33.107 [19]. For scenarios where the invocation of a supplementary service causes the status of the target to change from participating to not participating, the HPLMN starts intercepting and reporting events to the LEMF. The HPLMN shall utilize:

– the Start of interception for already established IMS session REPORT Record as described in Clause 7.5 for non-conference calls;

– the Start of Intercept with Conference Active REPORT Record as described in Clause 11.5.1.2 for target provisioned or requested conference calls hosted by the HPLMN.