7.2 Central subscriber management
3GPP TS 33.127, Lawful Interception (LI) architecture and functions, Release 18
7.2.1 General
Clause 7.2 provides LI architecture and requirements for the CSP 3GPP subscriber database LI reporting. Central subscriber databases are common for all CSP network services, including both the network layer and the service layer. This clause 7.2 provides requirements for both user session related interception events and requirements for reporting of changes to the subscriber information held within the 3GPP subscriber databases, which may or may not be directly related to service usage.
7.2.2 LI at UDM
7.2.2.1 Architecture
The UDM provides the unified data management for the UE. The UDM shall have LI capabilities to generate the target UE’s serving system (e.g. VPLMN Id or AMF Id related xIRI). Extending the generic LI architecture presented in clause 5, figure 7.2-1 below gives a reference point representation of the LI architecture with UDM as a CP NF providing the IRI-POI functions.
Figure 7.2-1: LI architecture for LI at UDM
The LICF present in the ADMF receives the warrant from an LEA, derives the intercept information from the warrant and provides it to the LIPF.
The LIPF present in the ADMF provisions IRI-POI (over LI_X1) present in the UDM and MDF2. The LIPF may interact with the SIRF (over LI_SI) present in the NRF to discover the UDM in the network.
The IRI-POI present in the UDM detects the target UE’s service area registration and subscription related functions, generates and delivers the xIRI to the MDF2 over LI_X2. The MDF2 generates and delivers the IRI messages based on received xIRI to the LEMF over LI_H2.
7.2.2.2 Target identities
The LIPF present in the ADMF provisions the intercept information associated with the following target identities to the IRI-POI present in the UDM:
– SUPI.
– PEI.
– GPSI.
– IMPU/IMPI.
The interceptions performed on the above identities are mutually independent, even though an xIRI may contain the information about the other identities when available.
7.2.2.3 Identity privacy
TS 33.501 [9] defines the ability to prevent the SUPI being exposed over the 5G RAN through the use of SUCI. Where SUPI privacy is implemented by both the UDM and UE, the SUPI is not sent in the clear over the RAN. Therefore, the UDM shall ensure that the SUPI is provided to the serving AMF in both initial registration and re-registration procedures as defined in TS 33.501 [9].
7.2.2.4 IRI events
The IRI-POI present in the UDM shall generate xIRI, when the UDM detects the following specific events or information:
– Serving system.
– Subscriber record change.
– Cancel location.
– Location information request.
– Location information result.
– UE information response.
– UE authentication response.
– Start of interception with target already registered at the UDM.
A serving system xIRI is generated when the IRI-POI present in the UDM detects the target UE registration or re-registration related notifications. The AMF Id or the MME Id, or the VPLMN Id (when the other two are not known) is used as the serving system identifier in a serving system xIRI.
NOTE: The serving system xIRI may carry the information of one or more serving systems based on the target UE’s network connectivity.
A subscriber record change xIRI is generated when the IRI-POI present in the UDM detects that the GPSI, or SUPI, or PEI associated to the target has changed. In addition, a subscriber record change xIRI is generated when the associated GPSI, or SUPI, or PEI for the target is de-provisioned. A subscriber record change xIRI is also generated when the target’s user service identifiers are modified (e.g. subscribed S-NSSAIs, subscribed CAG).
A cancel location xIRI is generated when the IRI-POI present in the UDM detects that a de-registration notification is sent, or received, by the UDM for the target. A cancel location xIRI is also generated when the IRI-POI present in the UDM detects that the UDM has sent a cancel location indicator to the AMF due to target de-registration.
A location information request xIRI is generated when the IRI-POI present in the UDM detects that the UDM received a query for the location information of the target UE from a different PLMN (e.g. inbound SMS routing) with a known PLMN Id.
A location information result xIRI is generated when the IRI-POI in the UDM detects that the UDM received a LocationInfoRequest from an NF service consumer (i.e. HSS) for the target and responds with a LocationInfoResult to the NF service consumer.
A UE information response xIRI is generated when the IRI-POI present in the UDM detects that the UDM received a ProvideUeInfo request for the target UE and returns a UeInfo response.
A UE authentication response xIRI is generated when the IRI-POI present in the UDM detects that the UDM received an authentication info request for the target UE from the HSS or AUSF and an authentication info result is sent.
A start of interception with already registered target xIRI is generated when the IRI-POI in the UDM detects that interception is activated on an identifier that has existing registration context information at the UDM.
7.2.2.5 Common IRI parameters
The list of xIRI parameters is specified in TS 33.128 [15]. All xIRIs shall include the following information:
– Target identity.
– Time stamp.
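The event logic of clauses 7.2.2.2, 7.2.2.4 and 7.2.2.5, modelled in Python as an added example that is not part of the specification: it covers the serving system xIRI and the start of interception with target already registered xIRI. The class, field and event names and the sample identifiers are hypothetical, one record per matching provisioned identity is a modelling assumption, and the real xIRI encoding is the one in TS 33.128 [15].

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

ID_TYPES = ("supi", "pei", "gpsi", "impu_impi")  # target identities of 7.2.2.2

def serving_system_id(reg):
    """AMF Id or MME Id; the VPLMN Id only when the other two are not known."""
    ids = {k: reg[k] for k in ("amf_id", "mme_id") if reg.get(k)}
    if not ids and reg.get("vplmn_id"):
        ids = {"vplmn_id": reg["vplmn_id"]}
    return ids

@dataclass
class UdmIriPoi:
    targets: set = field(default_factory=set)     # provisioned (type, value) pairs
    contexts: dict = field(default_factory=dict)  # registration context per SUPI

    def _xiri(self, event, target, record, now, **specific):
        # Common parameters (target identity, time stamp) go in every record;
        # other identities are carried along when the record has them.
        others = {t: record[t] for t in ID_TYPES if record.get(t) and t != target[0]}
        return {"event": event, "target_identity": target,
                "timestamp": now.isoformat(), "other_identities": others, **specific}

    def provision(self, id_type, value, now=None):
        """Activate interception on one identity (modelled LI_X1 provisioning)."""
        now = now or datetime.now(timezone.utc)
        self.targets.add((id_type, value))
        return [self._xiri("StartOfInterceptionWithRegisteredTarget",
                           (id_type, value), ctx, now)
                for ctx in self.contexts.values() if ctx.get(id_type) == value]

    def on_registration(self, reg, now=None):
        """Handle a registration or re-registration notification seen by the UDM."""
        now = now or datetime.now(timezone.utc)
        self.contexts[reg["supi"]] = reg
        # Assumption: one xIRI per matching provisioned identity (independent taskings).
        hits = [(t, reg[t]) for t in ID_TYPES if (t, reg.get(t)) in self.targets]
        return [self._xiri("ServingSystem", tgt, reg, now,
                           serving_system=serving_system_id(reg)) for tgt in hits]

# Constructed sample registration (test PLMN 001/01, made-up identifiers).
SAMPLE_REG = {"supi": "imsi-001010000000001", "gpsi": "msisdn-15555550100",
              "amf_id": "amf-example-01", "vplmn_id": "00101"}
```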
7.2.2.6 Specific IRI parameters
The parameters in each xIRI are defined in TS 33.128 [15].
7.2.2.7 Network topologies
The UDM shall provide the IRI-POI functions in the following network topology cases:
– Non-roaming case.
– Roaming case, in HPLMN.
7.2.3 LI at HSS
7.2.3.1 Architecture
The HSS contains the subscription-related information for all users served by the CSP. The HSS provides the support functions in the mobility management, session setup, user authentication and access authorization.
The HSS shall have LI capabilities to generate the xIRIs as described in clause 7.2.3.3. The present document specifies two options for HSS LI capabilities:
1. Use TS 33.107 [11] and TS 33.108 [21] natively as defined in those documents.
2. Use the capabilities specified below in the present document for stage 2 and in TS 33.128 [15] for stage 3.
Extending the generic LI architecture presented in clause 5, figure 7.2-2 below gives a reference point representation of the LI architecture with HSS as a CP NF providing the IRI-POI functions.
Figure 7.2-2: LI architecture for LI at HSS
The LICF present in the ADMF receives the warrant from an LEA, derives the intercept information from the warrant and provides it to the LIPF.
The LIPF present in the ADMF provisions IRI-POI (over LI_X1) present in the HSS and MDF2.
The IRI-POI present in the HSS detects the target UE’s service area registration and subscription related functions, generates and delivers the xIRI to the MDF2 over LI_X2. The MDF2 generates and delivers the IRI messages based on received xIRI to the LEMF over LI_H2.
The HSS shall provide the IRI-POI functions independent of the services on which the interception is active.
When multiple intercepts are active, IRI-POI functions in the HSS may send one xIRI which can then be distributed to the LEMFs associated with those multiple intercepts from the MDF2.
7.2.3.2 Target identities
The LIPF present in the ADMF provisions the intercept information associated with the following target identities to the IRI-POI present in the HSS:
– IMSI.
– IMEI.
– MSISDN.
– IMPU/IMPI.
The interceptions performed on the above identities are mutually independent, even though an xIRI may contain the information about the other identities when available.
7.2.3.3 IRI events
The IRI-POI present in the HSS shall generate xIRI, when it detects the applicable events specified in TS 33.107 [11].
The IRI-POI present in the HSS shall also generate a start of intercept with already registered target xIRI when the IRI-POI present in the HSS detects that intercept has been activated for a UE that has existing context in the HSS. The format of this xIRI is described in TS 33.128 [5] clause 7.2.3.3.3.
If HSS-UDM interworking is supported, the IRI-POI present in the HSS shall generate a serving system xIRI as defined in TS 33.128 [5] clause 7.2.3.3.2.
A serving system xIRI is generated when the IRI-POI present in the HSS detects that the HSS has received a roaming status update from the UDM as part of a UE context update.
NOTE: The serving system xIRI may carry the information of one or more serving systems based on the target UE’s network connectivity.
7.2.3.4 Common IRI parameters
The list of xIRI parameters is specified in TS 33.128 [15]. All xIRIs shall include the following information:
– Target identity.
– Time stamp.
7.2.3.5 Specific IRI parameters
The parameters in each xIRI are defined in TS 33.128 [15].
7.2.3.6 Network topologies
The HSS shall provide the IRI-POI functions in the following network topology cases:
– Non-roaming case.
– Roaming case, in HPLMN.