ETSI TS 187 005 V3.1.1 (2012-06)

Technical Specification
Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Lawful Interception;
Stage 1 and Stage 2 definition

2 ETSI TS 187 005 V3.1.1 (2012-06)

Reference
RTS/TISPAN-07045-NGN-R3
Keywords
IP, lawful interception, security, telephony
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2012.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 ETSI TS 187 005 V3.1.1 (2012-06)
Contents
Intellectual Property Rights . 5
Foreword . 5
Introduction . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definitions and abbreviations . 8
3.1 Definitions . 8
3.2 Abbreviations . 9
4 Interception in the NGN . 10
4.0 Structure of analysis . 10
4.0.1 Review of stage 1 requirements . 10
4.0.1.1 Provision/withdrawal . 10
4.0.1.2 Activation/deactivation . 10
4.0.1.3 Invocation and operation . 10
4.0.1.4 Interrogation . 11
4.0.1.5 Interaction with other services . 11
4.1 LI architecture model . 11
4.2 LI reference model . 11
4.2.1 Features of NGN LI Administration function . 14
4.2.2 LI in multiple CSP domains . 14
4.3 Result of interception . 15
5A Stage 2 description of NGN LI . 16
5A.1 Information flow sequences . 16
5A.1.1 LEA control interactions and information flows . 16
5A.1.1.1 LI_ACTIVATE_req . 17
5A.1.1.2 LI_ACTIVATE_conf . 17
5A.1.1.3 LI_MODIFY_req . 17
5A.1.1.4 LI_MODIFY_conf . 18
5A.1.1.5 LI_STATUS_ind . 18
5A.1.1.6 LI_ACTIVATE_ASSOCIATE_ind . 19
5A.1.2 Target signalling and traffic interactions and information flows . 20
5A.1.2.1 TARGET_ACTIVITY_MONITOR_ind. 21
5A.1.2.1.1 Relation to Handover . 21
5A.1.2.2 T_TRAFFIC_ind . 21
5A.1.2.2.1 Relation to Handover . 21
5A.1.2.3 CP_TRAFFIC_ind . 22
5A.1.2.3.1 Relation to Handover . 22
5A.1.2.4 TARGET_COMMS_MONITOR_ind. 22
5A.1.2.4.1 Relation to Handover . 22
5A.2 Data provision and encoding . 23
5A.2.1 Identification of result of interception (Correlation and interception instance identifier). 23
5A.2.2 Provision of identities/addresses . 23
5A.2.3 Provision of details of services used and their associated parameters . 23
5A.2.4 Provision of those signals emitted by the target invoking additional or modified services . 23
5A.2.5 Provision of time-stamps for identifying the beginning, end and duration of the connection . 24
5A.2.6 Provision of actual source, destination and intermediate public IDs in case of communication
diversion . 24
5A.2.7 Provision of location information . 24
5 Interception in NGN subsystems . 25
5.0 Allocation of LI-FEs to NGN-FEs . 25
ETSI
4 ETSI TS 187 005 V3.1.1 (2012-06)
5.1 Architecture for interception of PES . 25
5.2 Architecture for interception of IMS . 26
5.3 Intercept Related Information (PoI IRI-IIF) . 26
5.4 Content of Communication (PoI CC-IIF) . 27
6 Identification of target of interception . 27
6.1 ISDN/PSTN services . 27
6.2 IMS services . 28
6.3 Identification of target when identity protection is enabled . 28
7 Security considerations. 28
Annex A: Void . 29
Annex B: Void . 30
Annex C: Void . 31
Annex D: Void . 32
Annex E (informative): ISDN/PSTN LI reference configurations . 33
Annex F (informative): Selection of handover interface. 36
Annex G (informative): Bibliography . 38
G.1 ETSI Specifications . 38
G.2 3GPP specifications . 38
G.3 ITU-T specifications. 39
G.4 IETF specifications. 39
G.5 ISO specifications . . 39
G.6 ANSI specifications . 39
Annex H (informative): Change history . 40
History . 41

ETSI
5 ETSI TS 187 005 V3.1.1 (2012-06)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
Introduction
The NGN is required to operate within a regulated environment and to comply to the privacy directive EC/2002/58 [i.1]
which identifies in articles 5(2), and 15(1) the framework and obligation for CSPs to provide facilities for Lawful
Interception and Data Retention. These obligations are further extended by the European Union Council Resolution
COM 96/C329/01 [15] along with the International User Requirement (IUR) [16], stating the obligations on member
states to provide facilities for LI. These documents and the requirements in them are respected in a balanced way in the
present document.
ETSI
6 ETSI TS 187 005 V3.1.1 (2012-06)
1 Scope
The present document specifies the stage 2 model for Lawful Interception (LI) of TISPAN NGN services as specified
by TR 180 001 [i.3].
The requirement for provision of lawful interception for all Communication Service Providers (CSP) is described in
TS 101 331 [3] and the present document gives the stage 1 and stage 2 definition for provision of an interception
capability in for the NGN as specified by TISPAN.
The provisions in the present document apply only when the target of interception is an NGN user identified as
specified in TS 184 002 [7], and when the network supplying services on behalf of the CSP is an NGN as specified by
TISPAN in TR 180 001 [i.3] and where the NGN architecture is as specified in ES 282 001 [1]. The present document
takes account of the requirement to support dynamic triggering of interception.
A guide to the application of the handover specifications is given in informative annexes.
NOTE 1: Handover aspects are not specified in the present document but are described in TS 133 108 [9],
TS 101 671 [2] and TS 102 232-1 [4], TS 102 232-5 [5], and TS 102 232-6 [6].
NOTE 2: The present document assumes that the LEA/LEMF receiving intercept related information records from
the NGN is able to decode NGN signalling streams and thus there is no definition in the present document
of how to present NGN data in non-NGN formats.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture".
[2] ETSI TS 101 671: "Lawful Interception (LI); Handover interface for the lawful interception of
telecommunications traffic".
[3] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[4] ETSI TS 102 232-1: " Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 1: Handover specification for IP delivery".
[5] ETSI TS 102 232-5: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 5: Service-specific details for IP Multimedia Services".
[6] ETSI TS 102 232-6: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 6: Service-specific details for PSTN/ISDN services".
[7] ETSI TS 184 002: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Identifiers (IDs) for NGN".
ETSI
7 ETSI TS 187 005 V3.1.1 (2012-06)
[8] ETSI TS 133 107: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Lawful interception architecture and functions (3GPP TS 33.107)".
[9] ETSI TS 133 108: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Handover interface for Lawful Interception (LI) (3GPP TS 33.108)".
[10] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[11] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[12] ETSI TS 182 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation Sub-system (PES);
Functional architecture".
[13] ITU-T Recommendation I.130: "Method for the characterization of telecommunication services
supported by an ISDN and network capabilities of an ISDN".
[14] ETSI ES 201 158: "Telecommunications security; Lawful Interception (LI); Requirements for
network functions".
[15] European Union Council Resolution COM 96/C329/01 of 17 January 1995 on the Lawful
Interception of Telecommunications.
[16] International User Requirement (IUR).
NOTE: The IUR was provided as an annex to [15].
[17] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP
network layer security (3GPP TS 33.210)".
[18] ETSI TS 181 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Service and Capability Requirements".
[19] ETSI TS 187 016: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Identity Protection (Protection Profile)".
[20] ETSI TS 102 232-2: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 2: Service-specific details for messaging services".
[21] ETSI TS 102 232-3: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 3: Service-specific details for internet access services".
[22] ETSI TS 102 232-4: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 4: Service-specific details for Layer 2 services".
[23] ETSI TS 102 232-7: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery; Part 7: Service-specific details for Mobile Services".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications).
[i.2] Void.
[i.3] ETSI TR 180 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Release 1; Release definition".
ETSI
8 ETSI TS 187 005 V3.1.1 (2012-06)
[i.4] ETSI TR 102 528: "Lawful Interception (LI); Interception domain Architecture for IP networks".
[i.5] Void.
[i.6] ETSI TR 102 661: "Lawful Interception (LI); Security framework in Lawful Interception and
Retained Data environment".
[i.7] Directive 2002/21/EC of the European Parliament and of the council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services (Framework
Directive).
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in TS 101 671 [2] and the following apply:
Content of Communication (CC): information exchanged between two or more users of a telecommunications
service, excluding intercept related information
NOTE: This includes information which may, as part of some telecommunications service, be stored by one user
for subsequent retrieval by another.
corresponding party: correspondent of the target
Handover Interface (HI): physical and logical interface across which the interception measures are requested from
Communications Service Provider (CSP), and the results of interception are delivered from a CSP to a law enforcement
monitoring facility
interception: action (based on the law), performed by a CSP, of making available certain information and providing
that information to a law enforcement monitoring facility
interception interface: physical and logical locations within the CSP telecommunications facilities where access to the
content of communication and intercept related information is provided
NOTE: The interception interface is not necessarily a single, fixed point.
Intercept Related Information (IRI): collection of information or data associated with telecommunication services
involving the target identity, specifically communication associated information or data (e.g. unsuccessful
communication attempts), service associated information or data and location information
Internal Network Interface (INI): network's internal interface between the Internal Intercepting Function (IIF) and a
mediation device
Law Enforcement Agency (LEA): organization authorized by a lawful authorization based on a national law to
request interception measures and to receive the results of telecommunications interceptions
Law Enforcement Monitoring Facility (LEMF): law enforcement facility designated as the transmission destination
for the results of interception relating to a particular interception subject
mediation device: equipment, which realizes the mediation function
Mediation Function (MF): mechanism which passes information between a network operator, an access provider or
service provider and a handover interface, and information between the internal network interface and the handover
interface
Point of Interception (PoI): functional entity in the NGN that hosts the CC-IIF or IRI-IIF
target: interception subject
ETSI
9 ETSI TS 187 005 V3.1.1 (2012-06)
target identity: technical identity (e.g. the interception's subject directory number), which uniquely identifies a target
of interception
NOTE: One target may have one or several target identities.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ADMF ADMinistration Function
AF Administration Function
AGCF Access Gateway Control Function
A-MGF Access Media Gateway Function
ASF Application Server Function
ASN.1 Abstract Syntax Notation 1
C-BGF Core Border Gateway Function
CC Content of Communication
CCCI Content of Communication Control Interface
CCTF Content of Communication Trigger Function
CCTI Content of Communication Trigger Interface
CP Content Provider
CR Change Request
CS Circuit Switched
CSP Communications Service Provider
DF Delivery Function
FE Functional Entity
GPRS General Packet Radio Service
HI Handover Interface
HI1 Handover Interface Port 1 (for Administrative Information)
HI2 Handover Interface Port 2 (for Intercept Related Information)
HI3 Handover Interface Port 3 (for Content of Communication)
IBCF Interconnection Border Control Function
I-BGF Interconnection Border Gateway Function
ID IDentity
IIF Internal Interception Function
IMS IP Multimedia core network Subsystem
INI Internal Network Interface
IP Internet Protocol
IPTV Internet Protocol Television
IRI Intercept Related Information
ISDN Integrated Services Digital Network
IUR International User Requirement
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
LIAF Lawful Interception Administration Function
MF Mediation Function
MGCF Media Gateway Control Function
MRFC Multimedia Resource Function Controller
MRFP Multimedia Resource Function Processor
NGN Next Generation Network
P-CSCF Proxy Call Session Control Function
PES PSTN/ISDN Emulation Subsystem
PoI Point of Interception
PSTN Public Switched Telephone Network
PSS PSTN Simulation Service
RTCP Real-time Transport Control Protocol
RTP Real Time Protocol
S-CSCF Serving Call Session Control Function
SDL Specification and Description Language
SDP Session Description Protocol
ETSI
10 ETSI TS 187 005 V3.1.1 (2012-06)
SIP Session Initiation Protocol
SPDF Service based Policy Decision Function
TDM Time Division Multiplexing
T-MGF Trunking Media Gateway Function
UPSF User Profile Server Function
4 Interception in the NGN
4.0 Structure of analysis
The analysis presented in the present document is based on the recommendations for stage 2 of the method for the
characterization of telecommunication services supported by an ISDN and network capabilities of an ISDN defined in
ITU-T Recommendation I.130 [13]. The steps in expanding a stage 2 specifications are listed below:
• Step 2.1: Derivation of a functional model from requirements stated in stage 1.
• Step 2.2: Information flow diagrams.
• Step 2.3: SDL diagrams for functional entities.
• Step 2.4: Functional entity actions.
• Step 2.5: Does not apply (see note).
NOTE: Step 2.5 in ITU-T Recommendation I.130 [13] addresses the ISDN environment. The NGN specifications
do not describe physical locations, but NGN Functional Entities (NGN-Fes). The present document gives
examples of the allocation of Lawful Interception Functional Entities (LI-Fes) to NGN-Fes.
The primary points of the stage 1 requirements are stated in clause 4.0.1 as a starting point for the further development
of stage 2.
The structure for LI within the NGN should be mapped to the structure for handover of telecommunications defined in
ES 201 158 [14] and provisioned by each of TS 101 671 [2], TS 133 108 [9] and TS 102 232-1 [4].
4.0.1 Review of stage 1 requirements
The stage 1 analysis approach is defined in ITU-T Recommendation I.130 [13] and consists of the following steps:
• Step 1.1: Service prose definition and description.
• Step 1.2: Static description of the service using attributes.
• Step 1.3: Dynamic description of the service using graphic means.
For the purposes of the present document only step 1.1 is summarized.
4.0.1.1 Provision/withdrawal
The LI service shall always be provided.
4.0.1.2 Activation/deactivation
The LI service shall be activated upon issue of a valid interception warrant from an LEA. The LI service shall be
deactivated when the interception warrant expires or as defined by the LEA.
4.0.1.3 Invocation and operation
The LI service shall be invoked on any communication from or to the target visible to the network.
ETSI
11 ETSI TS 187 005 V3.1.1 (2012-06)
4.0.1.4 Interrogation
Interrogation shall be possible only from an authorized user. Where audit records are maintained for the service
(required by the IUR [16]) access shall be possible only from an authorized user.
An authorized user for the purposes of interrogation is one who is allowed and authorised by both LEA and the CSP to
administer the LI interface.
4.0.1.5 Interaction with other services
There shall be no interaction.
NOTE: This means that the invocation of LI is not intended to alter the operation of any service and any resulting
modification implies non compliance to the requirements of the present document.
4.1 LI architecture model
The architecture for lawful interception consists of a Point of Interception (PoI) for each of the signalling plane and the
transport plane, collocated with an NGN Functional Entity (NGN FE) (the specific NGN FE varies with the service
being intercepted), that delivers intercepted material to a Mediation Function (MF). The MF acts to mediate between the
nationally specified handover interface and the internal interception interface of the NGN as specified in the present
document.
The target is a specialist NGN user that receives service from the NGN.
NOTE 1: A service offered to the NGN user may invoke many NGN-Fes.
NOTE 2: There are a number of terms used across ETSI to refer to the various functions outlined in the first
paragraph of this clause (4.1). The MF is also known as a Delivery Function (DF) in 3GPP documents,
the Internal Network Interception interfaces are also referred to in 3GPP as X interfaces.
The LI capability in the NGN shall always be available and shall be invoked on receipt of instruction from the Law
Enforcement Agency or its authorizing agency. The functions of the LI capability shall only be visible to, and their
operation shall only be invoked by, authorized parties within the NGN and shall not alter or be impacted by the
operation of any other functional entity in the NGN.
4.2 LI reference model
The NGN LI architecture model overlays the TISPAN NGN architecture described in ES 282 001 [1] (shown in
figure 1) which has been designed to support the NGN services defined in TS 181 005 [18].
ETSI
Other networks
User Equipment
12 ETSI TS 187 005 V3.1.1 (2012-06)
Applications
Service Layer
Other
Subsyst ems
User
profiles
Core IMS
PSTN/ISDN
Emulat ion
Subsyst em
Transport Layer
Network
Attachment
Resource and
Subsyst em
Admission Control
Subsyst em
Transport processing functions

Figure 4.1: TISPAN NGN overall architecture
As noted in ES 282 001 the functional entities that make up a subsystem may be distributed over many CSP domains
(see figure 2) consistent with the Framework Directive [i.7].
Visited Network Home Network
Distributed Subsystem
Core Network Core Network
(control) (control)
UE
Access
Core Core
Network Networks Networks
(transfer) (transfer) (transfer)

Figure 4.2: Distributed subsystems
The present document adopts the generic reference model for the interception domain from TR 102 528 [i.4], its
internal intercept functions, IRI-IIF, CCTF, and CC-IIF, and the internal interfaces INI1, INI2, INI3, CCTI and CCCI as
shown in Figure 3 and maps them in clause 5.0 to the NGN functional architecture defined in ES 282 001 [1].
ETSI
13 ETSI TS 187 005 V3.1.1 (2012-06)

CSP DOMAIN LEA DOMAIN
HI
LEA
HI1
Administration Function (AF)
Administration
Function
INI1b INI1a
INI1c
IRI Internal Intercept
Function
INI2
(IRI-IIF)
HI2
Law
Mediation
Enforcement
CCTI Function
Monitoring
CC Trigger
(MF)
Facility
Function
(LEMF)
(CCTF)
CCCI
CC Internal Intercept
Function
HI3
INI3
(CC-IIF)
Figure 4.3: Reference Model for Lawful Interception from TR 102 528 [i.4]
The reference model depicts the following functions and interfaces:
• Intercept Related Information Internal Intercept Function (IRI-IIF) generates signalling intercept material.
NOTE 1: The IRI-IIF is also described as the Triggering Origination Function.
• Content of Communication Internal Intercept Function (CC-IIF) generates content intercept material.
NOTE 2: The CC-IIF is also described as the Triggering Receiving Function.
• Content of Communication Trigger Function (CCTF) controls the CC-IIF and is considered in the present
document as a specialisation of the NGN LI Administration Function.
NOTE 3: The CCTF is also described as the Triggering Control Function.
• Internal interface INI1 carries provisioning information from the Lawful Interception Administration Function
(AF) to the Internal Intercept Functions (IIF).
• Internal interface INI2 carries Intercept Related Information (IRI) from the IRI-IIF to the MF.
• Internal interface INI3 carries Content of Communication (CC) information from the CC-IIF to the MF.
• Content of Communication Trigger Interface (CCTI) carries trigger information from the IRI-IIF to the CCTF
and is considered in the present document as a specialisation of INI1.
• Content of Communication Control Interface (CCCI) carries controls information from the CCTF to the
CC-IIF and is considered in the present document as a specialisation of INI1.
• The Mediation Function (MF) acts as the gateway between INI2 and HI2, and between INI3 and HI3. A single
instance of the MF may be used by more than one CSP, or by more than one domain in a single CSP and shall
be identified in the initialisation of the IRI-IIF and the CC-IIF.
ETSI
14 ETSI TS 187 005 V3.1.1 (2012-06)
The reference model introduces the CCTF FE that may be used to in a number of configurations to allow for the
provisioning of CC-IIF in an IP network. The physical location of the CCTF is not defined in the present document as
there are many configuration options available that include the following:
• CCTF co-located with the LIAF: INI1b is internal to the AF and CCTF.
• CCTF co-located with the IRI-IIF: CCTI is internal to the IRI-IIF and CCTF.
• CCTF co-located with the IRI-IIF and CC-IIF: CCTI and CCCI are internal to the IRI-IIF, CCTF and CC-IIF.
• CCTF co-located with the MF: CCTI is merged with INI2.
• A stand alone CCTF: Both CCTI and CCCI are external interfaces.
A complete explanation of the functions and interface is found in clause 4 of TR 102 528 [i.4].
4.2.1 Features of NGN LI Administration function
NOTE: The NGN-LI-AF can be further decomposed but has not been in the present document as it may preclude
optimisations at stage 3.
Within the CSP domain the NGN LI Administration Function (NGN-LI-AF) terminates the signalling from HI1 and
controls the activation and deactivation of the Internal Interception Functions for each of Signalling and Content of
Communication (IRI-IIF and CC-IIF respectively). The Content of Communication Trigger Function (CCTF) is a sub-
element of the NGN LI AF that is used to specifically control the CC-IIF when the specific CC-IIF entity is known only
in the course of an intercepted signalling exchange (this is often referred to as Dynamic Triggering (DT) of
interception).
The NGN-LI-AF shall be maintained in a separate security domain from any other NGN Administration or
Management function.
Where NGN user privacy services as defined in TS 187 016 [19] are implemented the NGN-LI-AF shall interact with
the NGN Identity Provider and NGN Service Authorisation Server entities to identify the current service authorisation
tickets issued to the target.
4.2.2 LI in multiple CSP domains
The present document defines the role of a single CSP in providing LI where LI of the communication cannot rely on a
fixed, or a priori known relationship between identifiers used in different domains (e.g. service and transport domain),
for determination of the traffic to be intercepted within each domain (i.e. traffic to be delivered as Intercept Related
Information (IRI) across Handover Interface port 2 (HI2) and traffic to be delivered as Content of Communication (CC)
across Handover Interface port 3 (HI3)).
The necessary information flows to support Dynamic Triggering in the NGN are described in clause 5A of the present
document and provide support of the Gateway Triggering Origination (GTO) and Gateway Triggering Receiving (GTR)
functional elements described in current work in ETSI TC LI as specialisations of the NGN LI AF, and the reference
points DT1, DT2, DT3, DT4 and DT5 as specialisations of the INI1 reference point.
The NGNLIAdmin function shall generate a Dynamic Triggering Correlation Number (DTCN) as a specialisation of the
Correlation and interception instance identifier that is present in the information flows defined in clause 5A of the
present document.
ETSI
15 ETSI TS 187 005 V3.1.1 (2012-06)
4.3 Result of interception
The CSP at the point of interception shall, in relation to each target service:
a) provide the content of communication;
b) remove any service coding or encryption which has been applied to the content of communication and the
intercept related information at the instigation of the network operator/service provider;
NOTE 1: If coding/encryption cannot be removed through means which are available to the CSP for the given
communication the content is provided as received.
c) provide the LEA with any other decryption keys whose uses include encryption of the content of
communication, where such keys are available;
d) intercept related information shall be provided:
1) when communication is attempted;
2) when communication is established;
3) when no successful communication is established;
4) on change of status (e.g. in the access network);
5) on change of service or service parameter;
6) on change of location (this can be related or unrelated to the communication or at all times when the
apparatus is switched on); and
7) when a successful communication is terminated;
NOTE 2: In the present document, service should be taken to include supplementary services.
NOTE 3: For those protocols identified of type Representational State Transfer (e.g. SIP, HTTP) each transaction is
considered as unique unless the signalling itself contains a means to link signals (e.g. session identity).
e) intercept related information shall contain:
1) the identities that have attempted telecommunications with the target identity, successful or not;
2) the identities which the target has attempted telecommunications with, successful or not;
3) identities used by or associated with the target identity;
4) details of services used and their associated parameters;
5) information relating to status;
6) time stamps;
f) the conditions mentioned above also apply to multi-party or multi-way telecommunication if and as long as the
target is known to participate.
NOTE 4: Where the user has initiated and applied end to end encryption, the content is provided as received.
ETSI
16 ETSI TS 187 005 V3.1.1 (2012-06)
5A Stage 2 description of NGN LI
5A.1 Information flow sequences
5A.1.1 LEA control interactions and information flows
NOTE: The information flows described in this clause do not infer an implementation method. The related
external interface (HI1 from TS 101 671 [2]) may be manual.
Figure 5A.1 shows the stimuli from the LEA and the responses from the NGN that are translated by the mediation
function.
sd LI invocation
Target CC-IIF IRI-IIF NGN-LIAdmin MF LEMF
InterceptionOrder_req()
InterceptionOrder_conf()
LI_ACTIVATE_req()
LI_ACTIVATE_conf()
InterceptionOrder_ind()
LI_ACTIVATE_req()
LI_ACTIVATE_conf()
InterceptionOrder_ind()
LI_ACTIVATE_req()
LI_ACTIVATE_conf()
InterceptionOrder_ind()
NOTE 1: The brackets indicated in each information flow indicate that parameters are contained in the message but
are not expanded in the figure.
NOTE 2: The activation of the CC-IIF (shown boxed in the figure) may take place within a single activation phase or
may be distributed in time in accordance with the Dynamic Triggering of Interception model

Figure 5A.1: External stimuli and information flow sequences for NGN LI
The LI_ACTIVATE_req information flow shall contain sufficient data to allow the NGN Internal Intercept Function to
validate the request and to make the required target activity data available to the MF. The returned information flow
(LI_ACTIVATE_conf) shall contain a unique identifier for the interception applied within the network. Any subsequent
information flows (e.g. LI_MODIFY_req/conf) shall refer to this unique identifier.
The Interception Order received from the LEA may result in the NGN LI AF making many activations of IRI-IIF and
CC-IIF during the lifetime of the Interception Order. This shall especially apply in models of the NGN where signalling
and content processing entities are allocated to the NGN user on demand (i.e. dynamically).
ETSI
17 ETSI TS 187 005 V3.1.1 (2012-06)
5A.1.1.1 LI_ACTIVATE_req
This information flow is sent from the Administrative function internally to the NGN functional entities (the PoIs) to
request interception of traffic and its copy to be sent in T_TRAFFIC_ind (for the target) and CP_TRAFFIC_ind (for the
correspondent of the target if available and relevant), information flows and interception of signalling and a copy to be
sent in TARGET_ACTIVITY_MONITOR_ind and TARGET_COMMS_MONITOR_ind information flows to the MF.
Table 5A.1: LI Activate request information flow content
Information element M/O/C Description
Timestamp M Indicates the time at which the message was sent.
Invocation identifier M Used to allow the CSP to correlate the invocation of PoIs to the requested
interception order.
Target identity M Uniquely identifies the target that the interception shall be invoked against. It
shall be an identifier defined in TS 184 002 [7] and used in the serving NGN, or
shall be an anonymous authorisation assertion ticket reference issued by the
NGN to the target.
Services to be intercepted M A list of the specific services that are to be intercepted. By default all services
(see note) offered to the target at the PoI shall be intercepted.
MF details M Details of the MF to where intercepted information shall be sent.
Activation Authorisation M Credentials that when verified by the receiving PoI give assurance that the
Credentials request to provide the interception service is law
...