As CSPs are preparing to deploy 5G cores to their network, it's time to ensure lawful interception compliance. EVE has been part of the 5G LI standardization process from the start. Let us explain.

New specifications

The 3GPP SA3-LI working group decided to start with a fresh set of specifications for the implementation of LI for 5G. This resulted in the publication of 3GPP TS 33.126 (requirements), 3GPP TS 33.127 (architecture) and 3GPP TS 33.128 (implementation).

A fresh set was necessary as the introduction of 5G requires LI environments to support additional use cases. Predominantly in the area of virtualization and the surrounding security aspects.

Where the previous 2G/3G/4G LI specifications contained technical interfaces for HI2/HI3, for 5G reuse of ETSI TS 102 232-7 for HI2/HI3 transport was implemented.

This means that SA3-LI can focus on supporting LI in the network functions without having to deal with handover aspects (buffering, interfacing, encoding).

Note that 3GPP TS 33.128 does implement new IRI and CC PDU structures, requiring both LI and LEMF systems to upgrade.

New network functions

With every new generation, 3GPP introduces (or renames) network functions (NFs). The following NFs are in scope of LI:

  • AMF: Access and Mobility Management Function
  • SMF: Session Management Function
  • UPF: User Plane Function
  • UDM: Unified Data Management
  • SMSF: SMS Function

The AMF provides information on registrations to the network and location update events.

The SMF provides information on PDU sessions as initiated by the user. And is responsible for triggering the relevant UPF(s) to perform interception of the user plane.

The UPF provides a copy of user plane packets as exchanged between the user and the connected networks.

The UDM provides information when a user roams into another network.

The SMSF provides information on SMS messages that are transmitted across the Non-Access Stratum (NAS). IMS subscribers typically send SMS messages through IMS though.

Temporary and permanent identifiers

To ensure user privacy, temporary identifiers are now used in the radio and core network signalling. This ensures that malicious actors are not capable of identifying users by passively intercepting signalling.

This however also affects lawful interception implementations as intercepts are typically based on permanent identifiers.


The SMF is typically provisioned with a permanent identifier. As the user establishes a PDU session, the SMF will have to instruct a UPF to intercept that specific session.

This concept is called triggering and ensures that provisioning is possible on a permanent identifier, while the SMF maintains state to properly trigger the UPF.

The interface in 3GPP TS 33.128 to accomplish this is called LI_T3. It reuses the X1 interface as specified in ETSI TS 103 221.

Virtualization and containerization

As CSPs are looking to lower their operational costs, using virtualization and containerization is a major aspect of 5G deployments.

The result is more dynamic deployment. In order to perform LI on freshly running network functions, the LI system needs to become aware of dynamic network topology.

3GPP SA3-LI and the NFV ISG are currently working on interfaces to exchange the dynamic topology information.

With dynamic instantiation also comes configuration of LI capabilities in the NF. This includes generating certificates and ensuring connectivity to the LI environment.


5G NFs are typically virtualized and are even moving to containerized deployment. This requires stricter security measures on the LI functions.

Protection of the provisioned information becomes harder as restricting access to the underlying hypervisors is not always a possiblity.

By enforcing the use of TLS on the X1/X2/X3 interfaces and requiring mututal authentication between MF and NF, a big step forward is made.

But to ensure security on the application level, it is also recommended to run LI functions on separate hypervisors to ensure access to sensitive information is protected as much as possible.

A study within TC-LI is currently exploring this subject in depth.

Standardized X-interfaces

Last but not least, the 5G LI specifications mandate support for the ETSI TS 103 221 based X1/X2/X3 interfaces.

EVE is actively contributing to this specification to ensure it allows a smooth implementation in the networks.

Want to learn more about 5G and Lawful Interception? Let us contact you.