G.5.4.2 Interception
33.1283GPPProtocol and procedures for Lawful Interception (LI)Release 18SecurityStage 3TS
G.5.4.2.1 IMS deployment
There are two deployment options for IMS for intercepting the service type of Voice (TS 33.127 [5]):
– Default.
– Alternate option.
It is expected that the CSP implements one of the two deployment options.
The conditions under which IRI-POI or CC-TF functions have to provisioned are illustrated within the drawing and are further clarified in table G.5-1 and G.5-2.
G.5.4.2.2 LALS triggering
There are two deployment options for LALS triggering. It is expected that the CSP implements one of the two deployment options.
In LALS triggering option 1, the LTF present in the host NF that has the associated IRI-POI triggers the LI-LCS Client. In LALS triggering option 2, the LTF presents in the MDF2 triggers the LI-LCS Client.
G.5.4.2.3 Summary
Table G.5-1 provides the scope of NF domain that provides the IRI-POI/CC-TF/CC-POI functions for the service type of Voice with the IMS deployment option Default.
Table G.5-1: Scope of NF domain in IMS providing the LI functions with Default option
|
NFs with LI function |
Non-roaming |
Roaming with LBO |
Roaming with HR |
||||
|
VPLMN |
HPLMN |
VPLMN |
HPLMN |
||||
|
HSS |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
AS (NOTE 6, NOTE 12) |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
AS (NOTE 7) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
MRFP (NOTE 7) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
S-CSCF (NOTE 8) |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
E-CSCF (NOTE 8) |
IRI-POI |
IRI-POI |
n/a |
IRI-POI |
n/a |
||
|
P-CSCF |
n/a |
IRI-POI (NOTE 1) |
n/a |
n/a |
n/a |
||
|
P-CSCF |
CC-TF |
CC-TF |
n/a |
CC-TF (NOTE 2) |
n/a |
||
|
IMS-AGW |
CC-POI |
CC-POI |
n/a |
CC-POI (NOTE 2) |
n/a |
||
|
MGCF (NOTE 3) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
IM-MGW (NOTE 3) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
IBCF (NOTE 14) |
IRI-POI |
IRI-POI |
IRI-POI |
IRI-POI |
IRI-POI |
||
|
IBCF (NOTE 4) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
TrGW (NOTE 4) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
LMISF-IRI (NOTE 1) |
n/a |
n/a |
n/a |
IRI-POI |
n/a |
||
|
LMISF-CC (NOTE 1) |
n/a |
n/a |
n/a |
CC-POI |
n/a |
||
|
LALS triggering |
Option 1 |
S-CSCF |
LTF |
n/a |
LTF |
n/a |
LTF |
|
E-CSCF |
LTF |
LTF |
n/a |
LTF |
n/a |
||
|
P-CSCF |
n/a |
LTF (NOTE 1) |
n/a |
n/a |
n/a |
||
|
LMISF-IRI |
n/a |
n/a |
n/a |
LTF (NOTE 1) |
n/a |
||
|
Option 2 |
MDF2 |
LTF |
LTF |
LTF |
LTF |
LTF |
|
Table G.5-2 provides the scope of NF domain that provides the IRI-POI/CC-TF/CC-POI functions for the service type of Voice with the IMS deployment option Alternate option.
Table G.5-2: Scope of NF domain in IMS providing the LI functions with Alternate option
|
NFs with LI function |
Non-roaming |
Roaming with LBO |
Roaming with HR |
||||
|
VPLMN |
HPLMN |
VPLMN |
HPLMN |
||||
|
HSS |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
AS (NOTE 6, NOTE 12) |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
AS (NOTE 7) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
MRFP (NOTE 7) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
P-CSCF |
IRI-POI |
IRI-POI |
n/a |
IRI-POI (NOTE 2) |
IRI-POI |
||
|
P-CSCF |
CC-TF |
CC-TF |
n/a |
CC-TF (NOTE 2) |
CC-TF |
||
|
IMS-AGW |
CC-POI |
CC-POI |
n/a |
CC-POI (NOTE 2) |
CC-POI |
||
|
MGCF (NOTE 3) |
IRI-POI |
n/a |
IRI-POI |
n/a |
IRI-POI |
||
|
MGCF (NOTE 3) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
IM-MGW (NOTE 3) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
IBCF |
IRI-POI (NOTE 13) |
IRI-POI (NOTE 2, 14) |
IRI-POI (NOTE 13) |
IRI-POI (NOTE 2, 14) |
IRI-POI (NOTE 13) |
||
|
IBCF (NOTE 4) |
CC-TF |
n/a |
CC-TF |
n/a |
CC-TF |
||
|
TrGW (NOTE4) |
CC-POI |
n/a |
CC-POI |
n/a |
CC-POI |
||
|
LMISF-IRI (NOTE 1) |
n/a |
n/a |
n/a |
IRI-POI |
n/a |
||
|
LMISF-CC (NOTE 1) |
n/a |
n/a |
n/a |
CC-POI |
n/a |
||
|
LALS Triggering |
Option 1 |
P-CSCF |
LTF |
LTF |
n/a |
LTF (NOTE 2) |
LTF |
|
IBCF |
n/a |
n/a |
LTF (NOTE 5) |
n/a |
n/a |
||
|
LMISF-IRI |
n/a |
n/a |
n/a |
LTF (NOTE 1) |
n/a |
||
|
Option 2 |
MDF2 |
LTF |
LTF |
LTF |
LTF |
LTF |
|
NOTE 1: For non-emergency sessions only.
NOTE 2: For emergency sessions only.
NOTE 3: Only when an incoming session to a target is redirected over a CS domain.
NOTE 4: Only when target is outbound roaming or when an incoming session to a target is redirected over an IP domain, or to an outbound roaming party with LBO.
NOTE 5: Only when the target is outbound roaming without a redirection.
NOTE 6: When the interception of conferencing services is required.
NOTE 7: When the content interception of conferencing, or application of music/ is required.
NOTE 8: For IMS emergency sessions in fixed networks when the S-CSCF is on the signaling path, S-CSCF may optionally (instead of E-CSCF) provide the IRI-POI functions with the default option.
NOTE 9: The use of "n/a" in the above table implies that the LI function is not applicable to the NF for the indicated scenario.
NOTE 10: The LIPF is not aware of the above role played by the host NFs in providing the LI functions.
NOTE 11: MDF2, MDF3 and LI-LCS Client which are also involved in providing the LI functions are not shown in the tables above.
NOTE 12: When the interception of STIR/SHAKEN is required.
NOTE 13: Only when target is outbound roaming or when an incoming session to a target is redirected over an IP domain, or to an outbound roaming party with LBO, or when the interception of STIR/SHAKEN is required.
NOTE 14: Only when the interception of STIR/SHAKEN is required.
G.5.4.2.4 STIR/SHAKEN
Since the IRI-POI in AS, in support of LI for special services such as conferencing, is always provisioned, the LIPF logic has to ensure that when the STIR/SHAKEN is required to be intercepted and the target Id is IMPU, the ReportDiversionPASSporTInfo is included as part of that provisioning.
Likewise, the IRI-POI in IBCF is also provisioned except for the case when the default option for IMS LI is deployed. The diagram shown in figure G.5-6A illustrates that when STIR/SHAKEN is required to be intercepted and the target Id is IMPU, the IRI-POI in IBCF is provisioned even with the default option of IMS LI with ReportDiversionPASSporTInfo is included.
In general, when the STIR/SHAKEN is required to be intercepted in the network, and the target Id is IMPU, the IRI-POIs in AS and the IBCF are provisioned with ReportDiversionPASSporTInfo parameter included.
The diagram shown in figure G.5-6B below illustrates the LI provisioning just from STIR/SHAKEN perspective. However, from an overall provisioning perspective, it is embedded within the LIPF logic of IMS LI provisioning as illustrated in clause G.5.4.1.
Figure G.5-6B: Localized LI provisioning view from STIR/SHAKEN perspective
The inclusion of ReportDiversionPASSporTInfo for provisioning of IRI-POI in P-CSCF and LMISF-IRI is not required.
Table G.5-2A shows the NFs that will have to provide the STIR/SHAKEN LI (signing) for various scenarios and the table G.5-2B shows the NFs that will have to provide the STIR/SHAKEN LI (verification) for various scenarios.
The signing for STIR/SHAKEN happens in the HPLMN except for the emergency sessions it can also happen in the VPLMN. In these tables the indicated scenarios are from the perspective of target.
Table G.5-2A: Scope of NF domain in IMS providing the LI functions for STIR/SHAKEN (signing)
|
Scenario |
HPLMN |
VPLMN |
||
|
CSP choice AS |
CSP choice is IBCF |
|||
|
Emergency call |
IBCF |
IBCF |
IBCF |
|
|
RCD present |
AS |
AS |
n/a |
|
|
Intra-CSP session signing/verification required |
AS |
AS |
n/a |
|
|
Intra-CSP session signing/verification not required |
Intra-CSP session |
n/a |
n/a |
n/a |
|
Inter-CSP session |
AS |
IBCF |
n/a |
|
Table G.5-2B: Scope of NF domain in IMS providing the LI functions for STIR/SHAKEN (verification)
|
Scenario |
HPLMN |
VPLMN |
||
|
CSP choice AS |
CSP choice is IBCF |
|||
|
Emergency callback |
AS |
IBCF |
See NOTE 1 |
|
|
Inbound roaming with LBO |
n/a |
n/a |
P-CSCF |
|
|
Inbound roaming with Home-Routed |
n/a |
n/a |
LMISF-IRI |
|
|
Intra-CSP session signing/verification required |
AS |
AS |
See NOTE 1 |
|
|
Intra-CSP session signing/verification not required |
Intra-CSP session |
AS (see NOTE 2) |
AS (see NOTE 2) |
See NOTE 1 |
|
Inter-CSP session |
AS |
IBCF (see NOTE 3) |
See NOTE 1 |
|
NOTE 1: Same as in the row for inbound roaming (LBO) and inbound roaming (HR).
NOTE 2: This is the case where the redirection happens with the outgoing SIP INVITE containing the validation result and the REQUEST URI is a target identity (see clause 7.11.2.3). The AS may or may not interact with the Verification AS.
NOTE 3: The IRI-POI is in IBCF. The IRI-POI can be in AS for the special redirection case depicted in NOTE 2 (see clause 7.11.2.3).
The indicated CSP choice is applicable when the signing/verification of only inter-CSP session is required. The CSP choice for signing and verification need not be the same.