ETSI TS 133 127 V15.4.0 (2020-04)

TECHNICAL SPECIFICATION
LTE;
5G;
Digital cellular telecommunications system (Phase 2+) (GSM);
Universal Mobile Telecommunications System (UMTS);
Lawful Interception (LI) architecture and functions
(3GPP TS 33.127 version 15.4.0 Release 15)

3GPP TS 33.127 version 15.4.0 Release 15 1 ETSI TS 133 127 V15.4.0 (2020-04)

Reference
RTS/TSGS-0333127vf40
Keywords
5G,GSM,LTE,SECURITY,UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2020.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.

3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners. ®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 2 ETSI TS 133 127 V15.4.0 (2020-04)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Legal Notice
This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities. These shall be
interpreted as being references to the corresponding ETSI deliverables.
The cross reference between 3GPP and ETSI identities can be found under http://webapp.etsi.org/key/queryform.asp.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 3 ETSI TS 133 127 V15.4.0 (2020-04)
Contents
Intellectual Property Rights . 2
Legal Notice . 2
Modal verbs terminology . 2
Foreword . 6
Introduction . 6
1 Scope . 7
2 References . 7
3 Definitions, symbols and abbreviations . 8
3.1 Definitions . 8
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Requirements realisation . 9
5 Functional architecture . 10
5.1 General . 10
5.2 High-level generic LI architecture . 10
5.3 Functional entities . 11
5.3.1 Law Enforcement Agency (LEA) . 11
5.3.2 Point of Interception (POI) . 12
5.3.2.1 General . 12
5.3.2.2 Directly provisioned and triggered POIs . 12
5.3.2.3 IRI-POIs and CC-POIs . 12
5.3.2.4 Failure handling . 12
5.3.3 Triggering Function . 12
5.3.4 Mediation and Delivery Function (MDF) . 12
5.3.5 Administrative Function (ADMF) . 13
5.3.5.1 General . 13
5.3.5.2 LICF . 14
5.3.5.3 LIPF . 14
5.3.6 System Information Retrieval Function (SIRF) . 14
5.3.7 LEMF – Law Enforcement Monitoring Facility . 14
5.4 LI interfaces . 15
5.4.1 General . 15
5.4.2 Interface LI_SI . 15
5.4.3 Interface LI_HI1 . 15
5.4.4 Interface LI_X1 . 16
5.4.4.1 General . 16
5.4.4.2 LIPF and POI . 16
5.4.4.3 LIPF and TF . 16
5.4.4.4 LIPF and MDF2/MDF3 . 17
5.4.5 Interface LI_X2 . 17
5.4.6 Interface LI_X3 . 17
5.4.7 Interface LI_T . 17
5.4.7.1 General . 17
5.4.7.2 Interface LI_T2 . 18
5.4.7.3 Interface LI_T3 . 18
5.4.8 Interface LI_HI2 . 18
5.4.9 Interface LI_HI3 . 18
5.4.10 Interface LI_HI4 . 18
5.4.10.1 General . 18
5.4.10.2 LI operation notification . 18
5.4.10.3 Contents of the notification . 19
5.4.11 Interface LI_ADMF . 19
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 4 ETSI TS 133 127 V15.4.0 (2020-04)
5.4.12 Interface LI_MDF . 19
5.5 LI service discovery . 19
5.6 LI in a virtualised environment . 19
5.6.1 General . 19
5.6.2 Virtualised deployment architecture . 20
6 Network layer based interception . 21
6.1 General . 21
6.2 5G . 21
6.2.1 General . 21
6.2.2 LI at AMF . 22
6.2.2.1 Architecture . 22
6.2.2.2 Target identities . 23
6.2.2.3 Identity privacy . 24
6.2.2.4 IRI events . 24
6.2.2.5 Common IRI parameters . 24
6.2.2.6 Specific IRI parameters . 25
6.2.2.7 Network topologies . 25
6.2.3 LI for SMF/UPF . 25
6.2.3.1 Architecture . 25
6.2.3.2 Target identities . 27
6.2.3.3 IRI events . 28
6.2.3.4 Common IRI parameters . 28
6.2.3.5 Specific IRI parameters . 28
6.2.3.6 Network topologies . 28
6.2.4 LI at UDM for 5G . 29
6.2.5 LI at SMSF . 29
6.2.5.1 Architecture . 29
6.2.5.2 Target identities . 30
6.2.5.3 IRI events . 31
6.2.5.4 Common IRI parameters . 31
6.2.5.5 Specific IRI parameters . 31
6.2.5.6 Network topologies . 31
6.2.6 LI support at NRF . 31
6.2.6.1 Architecture . 31
6.2.6.2 LI_SI notifications . 32
6.2.6.3 LI_SI parameters . 32
6.2.7 External data storage . 33
6.3 4G . 33
6.4 3G . 33
6.5 VoNR . 33
7 Service layer based interception . 34
7.1 General . 34
7.2 Central subscriber management . 34
7.2.1 General . 34
7.2.2 LI at UDM . 34
7.2.2.1 Architecture . 34
7.2.2.2 Target identities . 35
7.2.2.3 Identity privacy . 36
7.2.2.4 IRI events . 36
7.2.2.5 Common IRI parameters . 36
7.2.2.6 Specific IRI parameters . 36
7.2.2.7 Network topologies . 36
7.2.3 LI at HSS . 37
7.3 Location . 37
7.3.1 General . 37
7.3.2 Service usage location reporting . 37
7.3.2.1 General . 37
7.3.2.2 Embedded location reporting . 37
7.3.2.3 Separated location reporting. 37
7.3.3 Lawful Access Location Services (LALS) . 38
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 5 ETSI TS 133 127 V15.4.0 (2020-04)
7.3.3.1 General . 38
7.3.3.2 Target positioning . 38
7.3.3.2.1 General . 38
7.3.3.2.2 Immediate location provision . 39
7.3.3.2.3 Periodic location provision . 39
7.3.3.3 Triggered location . 39
7.3.3.4 LI_X2 interface for target positioning and triggered location . 40
7.3.4 Cell database information reporting . 41
7.4 IMS . 42
8 LI security considerations . 42
8.1 Introduction . 42
8.2 Architectural alternatives . 42
8.2.1 Full target list at every POI node . 42
8.2.2 Full target list only in LICF . 42
8.2.3 Provisioning for registered users . 43
8.3 LI key management at ADMF . 43
8.3.1 General . 43
8.3.2 Key management . 43
8.4 Virtualised LI security . 43
8.4.1 General . 43
8.5 Points of Interception . 43
Annex A (informative): 5G LI network topology views . 45
A.1 Non-roaming scenario . 45
A.1.1 General . 45
A.1.2 Service-based representation with point-to-point LI system . 45
A.2 Interworking with EPC/E-UTRAN . 46
A.2.1 General . 46
A.2.2 Topology view for a non-roaming scenario . 47
A.3 Multiple DN connections in a PDU session . 49
A.3.1 General . 49
A.3.2 Topology view for a non-roaming scenario . 49
A.4 Non-3GPP access in a non-roaming scenario . 51
A.4.1 General . 51
A.4.2 Topology view . 51
Annex Z (informative): Change history . 53
History . 54

ETSI
3GPP TS 33.127 version 15.4.0 Release 15 6 ETSI TS 133 127 V15.4.0 (2020-04)
Foreword
This Technical Specification has been produced by the 3rd Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
The present document has been produced by the 3GPP TSG SA to standardise Lawful Interception of
telecommunications. The present document specifies the architecture and functions required to support Lawful
Interception in 3GPP networks. Lawful Interception shall always be done in accordance with the applicable national or
regional laws and technical regulations. Such national laws and regulations define the extent to which functional
capabilities in the present document are applicable in specific jurisdictions.
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 7 ETSI TS 133 127 V15.4.0 (2020-04)
1 Scope
The present document specifies both the architectural and functional system requirements for Lawful Interception (LI)
in 3GPP networks. The present document provides an LI architecture supporting both network layer based and service
layer based Interception.
National regulations determine the specific set of LI functional capabilities that are applicable to a specific 3GPP
operator deployment.
2 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TR 21.905: "Vocabulary for 3GPP Specifications".
[2] 3GPP TS 23.501: "System Architecture for the 5G System".
[3] 3GPP TS 33.126: "Lawful interception requirements".
[4] 3GPP TS 23.502: "Procedures for the 5G System; Stage 2".
[5] 3GPP TS 23.271: "Functional stage 2 description of Location Services (LCS)".
[6] OMA-TS-MLP-V3_5-20181211-C: "Open Mobile Alliance; Mobile Location Protocol, Candidate
Version 3.5", https://www.openmobilealliance.org/release/MLS/V1_4-20181211-C/OMA-TS-
MLP-V3_5-20181211-C.pdf.
[7] ETSI TS 103 120: "Lawful Interception (LI); Interface for warrant information".
[8] ETSI TS 103 221-1: "Lawful Interception (LI); Part 1: Internal Network Interface X1 for Lawful
Interception".
[9] 3GPP TS 33.501: "Security Architecture and Procedures for the 5G System".
[10] ETSI GR NFV-SEC 011: "Network Functions Virtualisation (NFV); Security; Report on NFV LI
Architecture".
[11] 3GPP TS 33.107: "3G Security; Lawful interception architecture and functions".
[12] 3GPP TS 23.214: "Architecture enhancements for control and user plane separation of EPC nodes;
Stage 2".
[13] 3GPP TS 23.228: "IP Multimedia Subsystem (IMS); Stage 2".
[14] 3GPP TS 38.413: "NG-RAN; NG Application Protocol (NGAP)".
[15] 3GPP TS 33.128: "Protocol and Procedures for Lawful Interception; Stage 3".
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 8 ETSI TS 133 127 V15.4.0 (2020-04)
3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in 3GPP TR 21.905 [1] and the following
apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP
TR 21.905 [1].
Content of Communication (CC): The content of communication as forwarded from the Mediation and Delivery
Function 3 (over the LI_HI3 interface) to the Law Enforcement Monitoring Facility.
CUPS: As defined in 3GPP TS 23.214 [12], represents PLMN with architecture enhancements for control and user
plane separation of EPC nodes.
Intercept Related Information (IRI): The intercept related information as forwarded from the Mediation and Delivery
Function 2 (over the LI_HI2 interface) to the Law Enforcement Monitoring Facility.
IRI event: The network procedure or event that created an xIRI in the Point Of Interception.
LI component: The function and equipment involved in handling the Lawful Interception functionality in the CSP's
network.
LI system: The collection of all LI components involved in handling the Lawful Interception functionality in the CSP's
network.
Provisioning: The action taken by the CSP to provide its Lawful Interception functions information that identifies the
target and the specific communication services of interest to the LEA, sourced from the LEA provided warrant.
Triggering: The action taken by a dedicated function (Triggering Function) to provide another dedicated function
(Triggered POI), that Provisioning could not directly be applied to, with information that identifies the specific target
communication to be intercepted.
Warrant: The formal mechanism to require Lawful Interception from a LEA served to the CSP on a single target
identifier. Depending on jurisdiction also known as: intercept request, intercept order, lawful order, court order, lawful
order or judicial order (in association with supporting legislation).
xCC: The content of communication as forwarded from the Point Of Interception (over the LI_X3) interface to the
Mediation and Delivery Function 3.
xIRI: The intercept related information as forwarded from the Point Of Interception (over the LI_X2) interface to the
Mediation and Delivery Function 2.
3.2 Symbols
3.3 Abbreviations
For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 [1] and the following apply. An
abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in
3GPP TR 21.905 [1].
5GC 5G Core Network
5GS 5G System
ADMF LI Administration Function
AMF Access Management Function
AUSF Authentication Server Function
CC Content of Communication
CSI Cell Supplemental Information
CSP Communication Service Provider
CUPS Control and User Plane Separation
DN Data Network
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 9 ETSI TS 133 127 V15.4.0 (2020-04)
GPSI Generic Public Subscription Identifier
IP Interception Product
IRI Intercept Related Information
LALS Lawful Access Location Services
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
LICA Lawful Interception Certificate Authority
LICF Lawful Interception Control Function
LI_HI1 Lawful Interception Handover Interface 1
LI_HI2 Lawful Interception Handover Interface 2
LI_HI3 Lawful Interception Handover Interface 3
LI_HI4 Lawful Interception Handover Interface 4
LIPF Lawful Interception Provisioning Function
LIR Location Immediate Request
LI_SI Lawful Interception System Information Interface
LI_X0 Lawful Interception Internal Interface 0
LI_X1 Lawful Interception Internal Interface 1
LI_X2 Lawful Interception Internal Interface 2
LI_X3 Lawful Interception Internal Interface 3
LMF Location Management Function
LTF Location Triggering Function
MDF Mediation and Delivery Function
MDF2 Mediation and Delivery Function 2
MDF3 Mediation and Delivery Function 3
N3IWF Non 3GPP Inter Working Function
NPLI Network Provided Location Information
NR New Radio
NRF Network Repository Function
NSSF Network Slice Selection Function
PCF Policy Control Function
PEI Permanent Equipment Identifier
POI Point Of Interception
SIRF System Information Retrieval Function
SMF Session Management Function
SMSF SMS-Function
SUCI Subscriber Concealed Identifier
SUPI Subscriber Permanent Identifier
TF Triggering Function
UDM Unified Data Management
UDR Unified Data Repository
UDSF Unstructured Data Storage Function
UPF User Plane Function
xCC LI_X3 Communications Content
xIRI LI_X2 Intercept Related Information
4 Requirements realisation
The LI architecture set out in the present document is designed to allow CSP deployments to meet the set of LI
requirements described in TS 33.126 [3] that are determined to be applicable by the relevant national regulation for that
deployment. For more details on the relationship between LI requirements and national legislation, see TS 33.126 [3]
clause 4.
A CSP may deploy different network technologies or services considered in the present document. A CSP should
consider each of these network technologies or services separately with respect to the present document, bearing in
mind that a different subset of LI requirements may apply according to relevant national legislation, and that a warrant
may require the CSP to intercept multiple network technologies or services.
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 10 ETSI TS 133 127 V15.4.0 (2020-04)
5 Functional architecture
5.1 General
The following clauses describe the high-level functional architecture for LI for 3GPP-defined services and network
technologies. It describes the architectural elements necessary for LI, their roles and responsibilities, and the interfaces
and interactions between them.
Clauses 6 and 7 of the present document describe how the LI for various 3GPP-defined network technologies and
services are realised within the generic LI architecture, including associations of LI architectural elements with the
network functions involved.
Not all LI architectural elements and interfaces are used in all network technologies and services.
5.2 High-level generic LI architecture
The overall conceptual view of LI architecture is shown in figure 5.2-1 below.
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 11 ETSI TS 133 127 V15.4.0 (2020-04)
System Information
Retrieval Function
(SIRF)
System Information
ADMF
Lawful Interception
Lawful Interception Provisioning Function
Control Function
(LIPF)
(LICF)
Intercept
Intercept
Intercept
Provisioning
Provisioning
Provisioning
Triggering Function
(TF)
Triggering
Management
Point of Interception Point of Interception
(POI) (POI)
POI Output POI Output
Warrant
Mediation and Delivery Function
(MDF)
Interception Product
Law Enforcement
Law Enforcement Monitoring Facility
Agency
(LEMF)
(LEA)
Figure 5.2-1: A high-level generic view of LI architecture
The functional entities of the architecture are described in more detail in clause 5.3 below. Details of the specific
interfaces between these entities are described in clause 5.4.
5.3 Functional entities
5.3.1 Law Enforcement Agency (LEA)
In general the LEA is responsible for submitting the warrant to the CSPs, although in some countries the warrant may
be provided by a different legal entity (e.g. judiciary).
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 12 ETSI TS 133 127 V15.4.0 (2020-04)
5.3.2 Point of Interception (POI)
5.3.2.1 General
The Point of Interception (POI) detects the target communication, derives the intercept related information or
communications content from the target communications and delivers the POI Output as xIRI to the MDF2 or as xCC to
the MDF3. The output of a POI is determined by the type of the NF associated with the POI. A POI may be embedded
within a Network Function (NF) or separate from a NF with which it is associated.
Multiple POIs may have to be involved in executing a warrant.
5.3.2.2 Directly provisioned and triggered POIs
POIs are divided into two categories:
- Directly provisioned POIs are provisioned by the LIPF.
- Triggered POIs are triggered by a Triggering Function (TF) (see clause 5.3.3).
The directly provisioned POIs detect the target's communications that need to be intercepted, and then derive the
intercept related information or communication contents from that target communications depending on the POI type
(see clause 5.3.2.3). The triggered POIs detects the target communications based on the trigger received from an
associated Triggering Function and then derives the intercept related information or communication contents of target
communications depending on the POI type (see clause 5.3.2.3).
5.3.2.3 IRI-POIs and CC-POIs
POIs are divided into two types for each category based on the type of data they send to the MDF (see clause 5.3.4):
- IRI-POI delivers xIRI to the MDF2.
- CC-POI delivers xCC to the MDF3.
Both IRI-POIs and CC-POIs are either directly provisioned or triggered (see clause 5.3.2.2).
5.3.2.4 Failure handling
In case a network procedure involving the target UE and requiring the generation of an xIRI fails, the IRI-POI shall be
able to report the failure reason available from the involved network protocol.
5.3.3 Triggering Function
The Triggering Function is provisioned by the LIPF and is responsible for triggering triggered POIs in response to
network and service events matching the criteria provisioned by the LIPF. The Triggering Function detects the target
communications and sends a trigger to the associated triggered POI.
As a part of this triggering, the Triggering Function shall send all necessary interception rules (i.e. rules that allow the
POIs to detect the target communications), forwarding rules (i.e. MDF2, MDF3 address), target identity, and the
correlation information.
A Triggering Function may interact with other POIs to obtain correlation information. Details of this interface are not
specified by the present document.
The Triggering Function that triggers CC-POI is referred to as a CC-TF and the Triggering Function that triggers an
IRI-POI is referred to as IRI-TF.
5.3.4 Mediation and Delivery Function (MDF)
The Mediation and Delivery Function (MDF) delivers the Interception Product to the Law Enforcement Monitoring
Facility (LEMF).
ETSI
3GPP TS 33.127 version 15.4.0 Release 15 13 ETSI TS 133 127 V15.4.0 (2020-04)
Two variations of MDF are defined: MDF2 and MDF3.
MDF2 generates the IRI messages from the xIRI and sends them to one or more LEMFs. The MDF3 generates the CC
from the xCC and delivers it to one or more intercepting LEMFs. An overview of this is shown in figure 5.3-2 below.
LIPF
Intercept Provisioning
xIRI xCC
MDF
LI_MDF
MDF2 MDF3
CC
IRI
LEMF
LEMF
Figure 5.3-2: MDF2 and MDF3
The MDF2 and MDF3 are provisioned by the LIPF with the intercept information necessary to deliver the IRI and/or
CC to one or more LEMFs.
The LI_MDF interface between MDF2 and MDF3 (shown in figure 5.3-2) allows the MDF3 and MDF2 to exchange
information between the two.
5.3.5 Administrative Function (ADMF)
5.3.5.1 General
The Administration Function (ADMF), responsible for the overall management of the LI system, includes the
...