As CSPs are preparing to deploy 5G cores to their network,
it's time to ensure lawful interception compliance.
EVE has been part of the 5G LI standardization
process from the start. Let us explain.
The 3GPP SA3-LI working group decided to start with a
fresh set of specifications for the implementation of LI for
5G. This resulted in the publication of
3GPP TS 33.126 (requirements),
3GPP TS 33.127 (architecture)
and 3GPP TS 33.128 (implementation).
A fresh set was necessary as the introduction of 5G
requires LI environments to support additional use cases.
Predominantly in the area of virtualization and the surrounding
Where the previous 2G/3G/4G LI specifications contained
technical interfaces for HI2/HI3, for 5G reuse of
ETSI TS 102 232-7
for HI2/HI3 transport was implemented.
This means that SA3-LI can focus on supporting LI in the
network functions without having to deal with handover aspects
(buffering, interfacing, encoding).
Note that 3GPP TS 33.128 does implement new IRI and CC PDU
structures, requiring both LI and LEMF systems to upgrade.
With every new generation, 3GPP introduces (or renames) network
functions (NFs). The following NFs are in scope of LI:
The AMF provides information on registrations to the networ
and location update events.
The SMF provides information on PDU sessions as initiated by
the user. And is responsible for triggering the relevant
UPF(s) to perform interception of the user plane.
The UPF provides a copy of user plane packets as exchanged
between the user and the connected networks.
The UDM provides information when a user roams into another
The SMSF provides information on SMS messages that are
transmitted across the Non-Access Stratum (NAS). IMS
subscribers typically send SMS messages through IMS though.
To ensure user privacy, temporary identifiers are now used
in the radio and core network signalling. This ensures that
malicious actors are not capable of identifying users by
passively intercepting signalling.
This however also affects lawful interception implementations
as intercepts are typically based on permanent identifiers.
The SMF is typically provisioned with a permanent identifier.
As the user establishes a PDU session, the SMF will have to
instruct a UPF to intercept that specific session.
This concept is called triggering and ensures that provisioning
is possible on a permanent identifier, while the SMF maintains
state to properly trigger the UPF.
The interface in 3GPP TS 33.128 to accomplish this is called
LI_T3. It reuses the X1 interface as specified in
ETSI TS 103 221.
As CSPs are looking to lower their operational costs, using
virtualization and containerization is a major aspect of 5G
The result is more dynamic deployment. In order to perform
LI on freshly running network functions, the LI system
needs to become aware of dynamic network topology.
3GPP SA3-LI and the NFV ISG are currently working on
interfaces to exchange the dynamic topology information.
With dynamic instantiation also comes configuration of LI
capabilities in the NF. This includes generating certificates
and ensuring connectivity to the LI environment.
5G NFs are typically virtualized and are even moving to
containerized deployment. This requires stricter
security measures on the LI functions.
Protection of the provisioned information becomes harder as
restricting access to the underlying hypervisors is not always
By enforcing the use of TLS on the X1/X2/X3 interfaces and
requiring mututal authentication between MF and NF, a big
step forward is made.
But to ensure security on the application level, it is also
recommended to run LI functions on separate hypervisors to
ensure access to sensitive information is protected as much as
A study within TC-LI is currently exploring this subject in
Last but not least, the 5G LI specifications mandate support
ETSI TS 103 221 based X1/X2/X3 interfaces.
EVE is actively contributing to this specification to ensure
it allows a smooth implementation in the networks.