Implementation of Lawful Interception Within IMS

Zhang Lu，Kong Min

（Central R&D Institute of ZTE Corporation， Nanjing 210012， P. R. China）

Abstract:Lawful Interception（LI）is a system which monitors a user or a communication in support of criminal investigation.It is a necessary function of the telecommunication operator.The telecommunication standards bodies such as ETSI，3GPP are producing technical specifications on LI system，and have developed standards on handover areas and interception areas which can guide the implement.IP Multimedia Subsystem（IMS）is a new core-network architecture introduced after the version of 3GPP Release 5，which is layer-designed，IP-based，and using Session Initiation Protocol（SIP）as application protocol.There are two typical implementations of LI within IMS，distributed type and centralized type.

1 Introduction to IMS

I PMultimedia Subsystem（IMS）is a subsystem supporting IPmultimedia services，which was proposed by the 3GPPin Release 5.Its main features include layered architecture，IP-based core network and using Session Initiation Protocol（SIP）as its communication protocol[1-2].

2 Lawful Interception Overview

Lawful Interception（LI）is the interception of telecommunications by security authorities for the purpose of law enforcement.It involves two aspects:signaling and content of communication.Figure 1 is an interception framework proposed by the ETSI[3].

3GPPand ETSIhave done lots of work in developing standards for LI.Up to now，they have worked out the standard for handover interface between Law Enforcement Monitoring Facility（LEMF）and Administration Function（ADMF）[4-5]as well as the standard for the interface between communications device and LIdevice[6].However，in the Next Generation Networks（NGNs），represented by IMS，implementation of interception data collection in the core network is still not clearly defined.One key problem is how to deploy the interception data collection function into IMSnetwork.In an interception system，the interception data collection is a logic function，which can either be integrated into each functional entity of IMSor be performed with an independent device.By the arrangement of interception data collection unit，the interception can be divided into two types:distributed and centralized.Below the two interception types，especially the centralized one，will be discussed in detail.

3 Implementation of LI

3.1 Distributed Interception

▲Figure 1. Interception framework proposed by ETSI.

In distributed interception[7]，the Lawful Interception Collection Facility（LICF）is arranged between IMSnetwork elements that perform interception functions.Often，the LICFis placed between the access device and a Proxy-Call Session Control Function（P-CSCF）device or a Serving-Call Session Control Function（S-CSCF）device.

The implementation of distributed interception proceeds as follows:

（1）Configure the identification information of interception target on the LICF，such as user ID or service ID[8].The user ID should be the unique information of the user，for instance，the user identity or the user's telephone number；while the service ID can be the service feature code that uniquely identifies the user service.

（2）The LICFreceives signaling streams and media streams from other network nodes.

（3）Upon receiving the streams，the LICFchecks whether the messages of the interception target are included in these streams.

（4）If the messages of interception target are contained，the LICFsends the signaling streams and media streams to both their receivers and monitoring device；otherwise，it only sends these streams to their receivers.

3.2 Centralized Interception

In centralized interception[9]，the LICFis placed in the IMS'core network.One scenario is to use the LICFas a SIP Application Server（AS）of IMSnetwork.

The LICFis used with the Home Subscriber Server（HSS）to implement or release interception of a target user by dynamically changing the Initial Filter Criteria（iFC）[10].In the following chapters，we will discuss this interception mode from three aspects:setting，releasing，and implementing.

3.2.1 Interception Setting

To intercept the telecommunications of a specific user，it is necessary to follow the steps below to set the interception target.

（1）The interception center gives an interception instruction to an interception AS，where the target user identity and contents for interception are included.

（2）The interception ASthen makes a request to the HSS，asking to activate the subscription rule of the target user if it already exists or to add and activate the subscription rule if it does not exist.The iFC that triggers the interception can be configured in the HSSin advance and activated by the interception AS；or it can be first changed by the interception AS or other network elements through the interface the HSSprovides，and then dynamically added into the HSSby the interception AS.

（3）After the HSSupdates the subscription rule of the interception target，it notifies the S-CSCFof the updated information.

（4）Upon receiving an initial request related to the interception target，the S-CSCFsends the request to the interception ASbased on the subscription rule[11].

Now，the signaling and media streams of the target user can be intercepted.

3.2.2 Interception Release

To release the interception of a specific user，do the following:

（1）The interception center sends an interception release instruction to an interception AS，where the identification information of the user which will be released from the interception is included.

（2）The interception ASthen sends a request to the HSS，asking to deactivate the subscription rule of the user.

（3）The HSSupdates the subscription rule of the user and notifies the S-CSCF of the updated information.

（4）When receiving an initial request related to the user，the S-CSCFdoes not send the request to the interception AS.

So far，the interception of the specific user is released.

3.2.3 Interception Implementation

Suppose the interception center instructs to intercept the conversations of user A.

The implementation procedure is illustrated in Figure 2.

（1）The interception center sends an interception instruction to the interception AS，instructing to intercept the conversations of user A.

（2）The interception ASsends a subscription rule modification request to the HSSto activate the interception subscription rule of user A.

（3）The HSSnotifies the S-CSCFof the change of user A's interception subscription rule.

（4）User A initiates an INVITEcall request to user B，where user A's media description（SDPA）is included.

（5）The S-CSCFsends the INVITE request to the interception ASbased on user A's interception subscription rule.

（6）The interception ASupdates the media description in the INVITErequest，adding itself as a receiver（SDPAS）.

（7）The interception ASreports signaling messages to the interception center.

（8）The interception ASforwards the updated INVITErequest to the S-CSCF.

（9）The S-CSCFforwards the INVITE request to user B.

（10）User Breplies with Response 183，where user B's media description（SDPB）is included.

（11）The S-CSCFforwards Response 183 to the interception AS.

（12）The interception ASupdates the media description in Response 183，and changes the destination as itself.

（13）The interception ASforwards the updated Response 183 to the S-CSCF.

（14）The S-CSCFforwards Response 183 to user A.

（15）The interception ASreports signaling messages to the interception center.

（16）User A exchanges signaling messages with user B via the S-CSCF and the interception ASto set up a call.

（17）User A sends media to the interception AS.

（18）The interception ASforwards media to the interception center.

（19）The interception ASforwards the media to user B.

（20）User Bsends the media to the interception AS.

（21）The interception ASforwards the media to the interception center.

（22）The interception ASforwards the media to user A.In this way，the interception of user A's conversation is completed.This procedure is designed for user A-originated calls.For user A-terminated calls，the interception procedure is similar.

3.3 Comparison between Two Interception Modes

Distributed interception is a traditional solution.Its advantage is that many interception points can be set，allowing relatively comprehensive information to be collected.Its disadvantage is the interception points are distributed.In IMS，there is a large number of access networks，P-CSCFs and S-CSCFs，so the interception is difficult to implement and the networking is restricted.Moreover，because the signaling and media streams of all users are collected by the LICF，the network's fault points and the risk of congestion increase.

▲Figure 2. Interception implementation procedure.

The centralized interception adopts IMSnetwork architecture and has the following advantages；

（1）The centralized arrangement of interception devices effectively solves the engineering and management problems of interception devices，which always perplex distributed interception.

（2）By modifying the iFC，the centralized interception method ensures the interception device to collect specific user's signaling and media for interception.As a result，the load of the interception device is considerably decreased and congestion is unlikely to occur.

（3）The centralized interception method treats interception as one application of IMS.All interception operations follow the processing rules of IMSand they have no impact on existing IMS，thus ensuring the feasibility and backward compatibility of this method.

（4）The triggering of interception with iFC will not affect the normal call process even if the interception ASdoes not work.Therefore，the robustness of the entire system is enhanced.

4 Conclusion

IMSis a new network architecture.Taking advantage of the scalability of IMSfor various applications has become an important research topic.The interception solution discussed in this paper not only realizes the interception within existing IMSnetwork，but also provides useful reference for implementation of other applications in IMS.