Lawful Interception (LI); Part 1: Internal Network Interface X1 for Lawful Interception

The internal network interface covers wide area connections between LI systems and (depending on the network) lots of network elements from different vendors. Nearly every network element has its own interface with different transport protocols, authentication (if any), encryption (if any), commands etc. This makes every new connection highly complicated and costly.  The interfaces between Administration and Mediation Functions are usually proprietary and internally within a product for LI and therefore need not be compatible between products of different vendors.  Traditionally X1 and HI1 interfaces have not been standardised. Given the experience of standardisation in HI2 and HI3 industry has received benefits from this by way of interoperability, security and cost reduction.  This WI does not intend to force compatibility on legacy equipment although should that be possible it will be welcomed. An inability by the LEMF to support this proposed standard should not allow a fall back to a less secure protocol. The initial focus is on newer IP related systems (but not limited to IP). However there is no intention to exclude circuit switch or other elements from using this output.  With a view to the future, as network and services become virtualised this WI intends to support newer implementations by ensuring a standard interface is available to the provisioning equipment or service.  The ADMF (provisioning system) translates HI1 messages to X1 and vice versa. It is effectively a proxy between the LEA/LEMF and the network operator. This allows insulation for the CSP to manage their network as they see fit without untoward impact on the LEMF, and vice versa. It also allows for enhanced security management. Maintaining this concept is key to this work item. It is intended to start work with the X1 interface and follow with interfaces X3 and X2.  Scope 1.   Alignment to Dynamic Triggering 2.   Usage scenarios a.   Start of an interception b.   Modification of a running interception c.   Stopping an interception d.   Retrieval of details of a running interception e.   Retrieval of details of all running interceptions f.   Error reporting 3.   Transport protocol 4.   Transport Security / Encryption 5.   Authorisation and authentication 6.   Communication Protocol (or command line interface?) 7.   Nomenclature and data model

General Information

Status
Published
Publication Date
25-Oct-2017
Technical Committee
Current Stage
12 - Completion
Due Date
17-Nov-2017
Completion Date
26-Oct-2017
Ref Project

Buy Standard

Standard
ETSI TS 103 221-1 V1.1.1 (2017-10) - Lawful Interception (LI); Part 1: Internal Network Interface X1 for Lawful Interception
English language
36 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

ETSI TS 103 221-1 V1.1.1 (2017-10)






TECHNICAL SPECIFICATION
Lawful Interception (LI);
Part 1: Internal Network Interface X1 for Lawful Interception



---------------------- Page: 1 ----------------------
2 ETSI TS 103 221-1 V1.1.1 (2017-10)



Reference
DTS/LI-00104-1
Keywords
interface, lawful interception
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TS 103 221-1 V1.1.1 (2017-10)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 8
4 Overview . 9
4.1 Reference model . 9
4.2 Reference model for X1: requesting and responding . 9
4.3 Overview of security . 10
4.4 Relationship to other standards . 10
4.5 Release management . 10
5 Basic concepts . 11
5.1 The lifecycle of a Task . 11
5.1.1 Start and end of a Task . 11
5.1.2 Identification of a Task . 11
5.1.3 Destinations . 11
5.2 The lifecycle of an X1 request/response . 11
5.2.1 Identification of X1 request/response . 11
5.2.2 Responding to the request . 11
5.2.3 Behaviour if a response is not received . 12
5.3 Warnings and Faults . 12
6 Message Structure and Data Definitions . 12
6.1 X1 Message details . 12
6.2 Message definitions: starting, modifying and stopping tasks . 13
6.2.1 ActivateTask . 13
6.2.1.1 Summary . 13
6.2.1.2 TaskDetails. 14
6.2.2 ModifyTask. 16
6.2.3 DeactivateTask . 16
6.2.4 DeactivateAllTasks . 16
6.3 Message definitions: creating, modifying and removing Destinations . 17
6.3.1 CreateDestination . 17
6.3.1.1 Summary . 17
6.3.1.2 DestinationDetails . 17
6.3.2 ModifyDestination . 18
6.3.3 RemoveDestination . 18
6.3.4 RemoveAllDestinations . 19
6.4 Message details: Getting information from NE . 19
6.4.1 Introduction. 19
6.4.2 GetTaskDetails . 19
6.4.2.1 Summary . 19
6.4.2.2 TaskStatus . 20
6.4.3 GetDestinationDetails . 20
6.4.3.1 Summary . 20
6.4.3.2 DestinationStatus . 21
6.4.4 GetNEStatus . 21
6.4.4.1 Summary . 21
6.4.5 GetAllDetails . 22
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TS 103 221-1 V1.1.1 (2017-10)
6.4.5.1 Summary . 22
6.4.6 ListAllDetails . 22
6.4.6.1 Summary . 22
6.5 Message details: Reporting issues from the NE . 23
6.5.1 Introduction. 23
6.5.2 ReportTaskIssue on given XID . 23
6.5.2.1 Summary . 23
6.5.2.2 Task report types . 23
6.5.3 ReportDestinationIssue on given DID . 24
6.5.3.1 Summary . 24
6.5.4 ReportNEIssue . 24
6.6 Message details: Pings and Keepalives . 25
6.6.1 Ping . 25
6.6.2 Keepalive . 25
6.7 Protocol error details . 26
7 Transport and Encoding . 27
7.1 Introduction . 27
7.2 Profile A . 28
7.2.1 Encoding . 28
7.2.2 Transport layer . 28
7.2.2.1 HTTPS and HTTP . 28
7.2.2.2 How HTTP is used . 28
7.2.2.3 Profile . 28
8 Security. 29
8.1 Introduction . 29
8.2 Transport Security . 29
8.2.1 Summary . 29
8.2.2 Profile . 29
8.2.3 Key generation, deployment and storage . 29
8.2.4 Authentication . 29
8.3 Additional security measures (beyond transport layer) . 30
Annex A (normative): Requirements . 31
A.1 Basic requirements . 31
A.1.1 Existing standards. 31
A.2 Protocol & Architecture requirements. 31
A.3 Security requirements . 32
A.4 Other requirements . 33
A.4.1 Performance statistics (For Further Study) . 33
A.4.2 Capability detection . 34
A.4.3 Remote triggering . 34
A.4.4 Requirements to be handled by the transport layer . 34
Annex B (normative): Use of extensions . 35
B.1 Introduction . 35
B.2 Extension definitions . 35
History . 36


ETSI

---------------------- Page: 4 ----------------------
5 ETSI TS 103 221-1 V1.1.1 (2017-10)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Lawful Interception (LI).
The present document is part 1 of a multi-part deliverable covering the internal network interfaces for Lawful
Interception as identified below:
Part 1: "Internal network interface X1 for Lawful Interception";
Part 2: "Internal network interface X2 for Lawful Interception";
Part 3: "Internal network interface X3 for Lawful Interception".
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI

---------------------- Page: 5 ----------------------
6 ETSI TS 103 221-1 V1.1.1 (2017-10)
1 Scope
The present document defines an electronic interface for the exchange of information relating to the establishment and
management of Lawful Interception. Typically, this interface would be used between a central LI administration
function and the network internal interception points.
Typical reference models for LI define an interface between law enforcement agencies (LEAs) and communication
service providers (CSPs), called the handover interface. They also define an internal network interface within the CSP
domain between administration and mediation functions for lawful interception and network internal functions, which
facilitates the interception of communication. This internal network interface typically consists of three sub-interfaces;
administration (called X1), transmission of intercept related information (X2) and transmission of content of
communication (X3). The present document specifies the administration interface X1.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 133 107: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Lawful interception architecture and functions (3GPP TS 33.107)".
[2] IETF RFC 4122: "A Universally Unique Identifier (UUID) URN Namespace".
[3] W3C Recommendation 28 October 2004: "XML Schema Part 2: Datatypes Second Edition".
[4] ETSI TS 103 280: "Lawful Interception (LI); Dictionary for common parameters".
[5] Recommendation ITU-T E.212: "The international identification plan for public networks and
subscriptions".
[6] ETSI TS 123 003: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); Numbering, addressing and identification
(3GPP TS 23.003)".
[7] IETF RFC 3261: "SIP: Session Initiation Protocol".
[8] IETF RFC 3966: "The tel URI for Telephone Numbers".
[9] IETF RFC 3508: "H.323 Uniform Resource Locator (URL) Scheme Registration".
[10] IETF RFC 4282: "The Network Access Identifier".
[11] IETF RFC 2865: "Remote Authentication Dial In User Service (RADIUS)".
[12] IETF RFC 2818: "HTTP over TLS".
[13] IETF RFC 7230: "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing".
[14] IETF RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".
[15] IETF RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0".
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TS 103 221-1 V1.1.1 (2017-10)
[16] IETF RFC 7525: "Recommendations for Secure Use of Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS)".
[17] IETF RFC 6125: "Representation and Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of
Transport Layer Security (TLS)".
[18] IETF RFC 4519: "Lightweight Directory Access Protocol (LDAP): Schema for User
Applications".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] OWASP TLS Cheat Sheet.
NOTE: Available at https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet.
[i.2] ETSI TR 103 308: "CYBER; Security baseline regarding LI and RD for NFV and related
platforms".
[i.3] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use
cases and technical approaches for multi-layer host administration".
[i.4] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System
architecture specification for execution of sensitive NFV components".
[i.5] OWASP XML Security Cheat Sheet.
NOTE: Available at https://www.owasp.org/index.php/XML_Security_Cheat_Sheet.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
destination: Point to which IRI and/or CC is delivered by the NE
Destination Identifier (DID): identifier to uniquely identify a Destination internally to the X1 interface
protocol error: error at the X1 protocol level (rather than any fault with ADMF or NE)
NOTE: In the present document, the term "error" in general refers to a protocol error, whereas issues with
systems not behaving correctly are called "faults".
task: continuous instance of interception at a single NE carried out against a set of target identifiers, identified by an X1
Identifier, starting from an activate command and ending with a deactivate command or terminating fault
terminating fault: fault signalled from NE to ADMF which terminates the specific Task
X1: LI interfaces internal to the CSP for management tasking
X2: LI interfaces internal to the CSP for IRI delivery
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TS 103 221-1 V1.1.1 (2017-10)
X3: LI interfaces internal to the CSP for CC delivery
X1 Identifier (XID): identifier to uniquely identify a Task internally to the X1 interface
X1 Transaction ID: identifier used to identify a specific request/response pair
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ADMF Administration Function
AVP Attribute-Value Pair
CC Content of Communication
CIDR Classless Inter Domain Routing
CSP Communication Service Provider
DID Destination IDentifier
FQDN Full Qualified Domain Name
FTP File Transfer Protocol
GTP-C GPRS Tunnel Protocol (control plane)
GTP-U GPRS Tunnel Protocol ( user plane)
HI Handover Interface
HTML HyperText Markup Language
HTTP Hyper Text Transfer Protocol
HTTPS HTTP over TLS
IMEI International Mobile Equipment Identity
IMPI IP Mutltimedia Private Identity
IMPU IP Mutltimedia Public identity
IMSI International Mobile Station Identity
IP Internet Protocol
IRI Intercept Related Information
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
MAC Media Access Control
NAI Network Access Identifier
NAT Network Address Translation
NE Network Element
NOTE: The element or function performing the interception
NFV Network Functions Virtualisation
OWASP Open Web Application Security Project
SGSN Serving GPRS Support Node
SIP Session Initiation Protocol
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
TPM Trusted Platform Module
UDP User Datagram Protocol
UID Unique IDentifier
URI Uniform Resource Identifier
UTF UCS Transformation Formats
UUID Universally Unique IDentifier
XID X1 IDentifier
XML eXtended Markup Language
XSD XML Schema Definition
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TS 103 221-1 V1.1.1 (2017-10)
4 Overview
4.1 Reference model
The X1 interface is based on communication between two entities; the CSP Administration Function (ADMF), and the
Network Element (NE) performing interception. The X1 reference model is shown in figure 1.
NENE
NENE X1
X1
ADMF Law Enforcement
NENE X1
Tasking interface
X1
e.g. HI-1
NENE
(out of scope)

Figure 1: X1 reference model
Only one ADMF shall make changes by X1 to a given NE. This is called the ADMF which is "responsible" for that NE.
Onward delivery of information from the NE is called X2 (for IRI) and X3 (for CC). The choice of protocols for X2 and
X3 are out of scope of the present document.
Some deployments may involve multiple ADMFs for redundancy or other purposes; where multiple ADMFs are
required, the NE shall be implemented such that it presents itself as a separate NE to each ADMF.
ADMF and NE shall implement time synchronization where possible; in situations where it is not possible, the ADMF
shall maintain knowledge of the timing offset between the ADMF and NE.
NOTE: The present document may be used in direct delivery scenarios, in which the NE delivers directly to the
LEMF. Any consequences of using direct delivery are out of scope of the present docum
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.