ETSI GS NFV-SEC 004 V1.1.1 (2015-09)
Network Functions Virtualisation (NFV); NFV Security; Privacy and Regulation; Report on Lawful Interception Implications
GROUP SPECIFICATION
Disclaimer
This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification
Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.
Reference
DGS/NFV-SEC004
Keywords
interception, NFV, privacy, regulation, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2015.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Requirements for Lawful Interception
4.1 General CSP obligations
4.2 Root of trust in LI
4.3 Core requirements
4.4 PoI location attestation
4.5 LI undetectability
5 Analysis and recommendations
5.1 Overview
5.2 The LI service shall always be provided
5.3 The LI service shall be activated upon receipt of a valid interception authorization from an LEA
5.4 The LI service shall be deactivated when the interception authorization expires or as defined by the LEA
5.5 Interrogation shall be possible only from an authorized user
5.6 What the PoI delivers
Annex A (informative): Architectures and structures for LI in networks composed from VNFs
Annex B (informative): Authors & contributors
Annex C (informative): Bibliography
History
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
NOTE: Where the word "shall" appears in clauses 4 and 5 it has been taken from text originated in reference
documents and offers a requirement against the operator of networks and services and in general does not
place any additional technical constraints or conformance obligations on the NFV beyond those specified
in the reference documents.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
1 Scope
The present document provides a problem statement on implementing LI in NFV and identifies the necessary
capabilities to be provided in NFV to meet the requirements outlined for telecommunications capabilities in general in
ETSI TS 101 331 [i.2].
The present document identifies the challenges of providing LI in an NFV. The present document is intended to give
guidance to the NFV community and to the wider LI community on the provision of LI in an NFV.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TS 101 671: "Lawful Interception (LI); Handover interface for the lawful interception of
telecommunications traffic".
[i.2] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[i.3] ETSI TR 102 528: "Lawful Interception (LI) Interception domain Architecture for IP networks".
[i.4] ETSI TS 103 120: "Lawful Interception; Interface for warrant information; Q & D LI Agnostic".
NOTE: In draft stage at the time of publication.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in ETSI TS 101 671 [i.1] and the following
apply:
Content of Communication (CC): information exchanged between two or more users of a telecommunications
service, excluding intercept related information
NOTE: This includes information which may, as part of some telecommunications service, be stored by one user
for subsequent retrieval by another.
Handover Interface (HI): physical and logical interface across which the interception measures are requested from
Communications Service Provider (CSP), and the results of interception are delivered from a CSP to a law enforcement
monitoring facility
Intercept Related Information (IRI): collection of information or data associated with telecommunication services
involving the target identity, specifically communication associated information or data (e.g. unsuccessful
communication attempts), service associated information or data and location information
interception: action (based on the law), performed by a CSP, of making available certain information and providing
that information to a law enforcement monitoring facility
interception interface: physical and logical locations within the CSP telecommunications facilities where access to the
content of communication and intercept related information is provided
NOTE: The interception interface is not necessarily a single, fixed point.
Internal Network Interface (INI): network's internal interface between the Internal Intercepting Function (IIF) and a
mediation device
Law Enforcement Agency (LEA): organization authorized by a lawful authorization based on a national law to
request interception measures and to receive the results of telecommunications interceptions
Law Enforcement Monitoring Facility (LEMF): law enforcement facility designated as the transmission destination
for the results of interception relating to a particular interception subject
mediation device: equipment which realizes the mediation function
Mediation Function (MF): mechanism which passes information between a network operator, an access provider or
service provider and a handover interface, and information between the internal network interface and the handover
interface
target identity: technical identity (e.g. the interception's subject directory number), which uniquely identifies a target
of interception
NOTE: One target may have one or several target identities.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ADMF ADMinistration Function
AF Administration Function
CC Content of Communication
CCCI Content of Communication Control Interface
CC-IIF Communications Content - Internal Interception Function
CCTF Content of Communication Trigger Function
CCTI Content of Communication Trigger Interface
CSP Communications Service Provider
FE Functional Entity
HI Handover Interface
HI1 Handover Interface Port 1 (for Administrative Information)
HI2 Handover Interface Port 2 (for Intercept Related Information)
HI3 Handover Interface Port 3 (for Content of Communication)
IIF Internal Interception Function
IMEI International Mobile Equipment Identity
IMSI International Mobile Subscriber Identity
INI Internal Network Interface
IP Internet Protocol
IRI Intercept Related Information
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
LIAF Lawful Interception Administration Function
MANO Management and Orchestration
MF Mediation Function
NFV Network Functions Virtualisation
PKC Public Key Certificate
PoI Point of Interception
SIP Session Initiation Protocol
TC Technical Committee
VM Virtual Machine
4 Requirements for Lawful Interception
4.1 General CSP obligations
The obligation to support LI applies irrespective of traffic type, signalling format or network configuration. The
obligations are not specific to the NFV domain but rather apply to the end-to-end service.
There is a broad obligation to remove encoding provided by the CSP before material is handed over to the LEA, but if
this cannot be done, the obligation to hand the material over still applies. This means that if the target is using some
form of end-to-end encryption the intercepted material is handed over even if the clear text is not available.
There are two primary components for legacy LI acquisition and handover:
• Intercept Related Information (IRI), e.g. associated signalling and call/log record information.
• Content of Communication (CC),
...