Internet DRAFT - draft-pularikkal-opsawg-lawful-intercept-spwifi
draft-pularikkal-opsawg-lawful-intercept-spwifi
OPSAWG WG B. Pularikkal
Internet-Draft S. Gundavelli
Intended status: Informational M. Grayson
Expires: September 14, 2013 Cisco
R. Ghai
Benu Networks
March 13, 2013
Lawful-Intercept Support for SP Wi-Fi Deployments
draft-pularikkal-opsawg-lawful-intercept-spwifi-01.txt
Abstract
Lawful Intercept is the legally authorized capture and delivery of
subscriber communications data by a communications provider to a law
enforcement agency. This document describes generic Lawful Intercept
architecture models and implementation considerations for Service
Provider Wi-Fi deployments.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Pularikkal, et al. Expires September 14, 2013 [Page 1]
Internet-Draft Lawful Intercept Support March 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Generic SP Wi-Fi Deployment Model with Inter-Operator
Roaming (Model-1) . . . . . . . . . . . . . . . . . . . . . . 5
4. Generic SP Wi-Fi Deployment Model without Inter-Operator
Roaming (Model-2) . . . . . . . . . . . . . . . . . . . . . . 11
5. Lawful Intercept Deployment Considerations for SP Wi-Fi . . . 14
5.1. Proprietary versus Standards based Implementation . . . . 14
5.2. Subscriber Location Tracking Requirements . . . . . . . . 15
5.3. Handling SIPTO Traffic for Lawful Intercept . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
9. Informative References . . . . . . . . . . . . . . . . . . . . 16
Appendix A. Applicability of LI Architecture in a PMIPv6
based Service Provider Wi-Fi Implementation . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction
Lawful Intercept (LI) is the legally authorized capture and delivery
of subscriber communications data by a communications provider to a
law enforcement agency (LEA). The communications data that the LEA
intercepts as part of the surveillance of a target subscriber is
classified into two types: Communication Content (CC) and Intercept
Related Information (IRI). CC is the bearer data exchanged to and
from the subscriber. IRI provides the context for the CC. IRI is a
loosely defined term, and its scope varies between end-user
applications.
In most countries, Service Providers are legally obliged to
facilitate the intercept of any subscriber's communications when
requested by a law enforcement agency. The Communications Assistance
for Law Enforcement Act (CALEA), the United States wiretapping law
passed in 1994, is an example of such a mandate.
The objective of this document is to describe generic LI architecture
models and implementation considerations for Service Provider Wi-Fi
deployments. Two types of SP Wi-Fi deployment scenarios are covered
from the LI implementation perspective:
1. SP Wi-Fi Deployment Models with Inter-Operator Roaming (Model-1)
2. SP Wi-Fi Deployment Models without Inter-Operator Roaming
(Model-2)
2. Terminology
All the Lawful Intercept related terms used in this document are to
be interpreted as defined in [RFC3924]. Additionally, this document
uses the following terms:
Lawful Intercept (LI)
The legally authorized capture and delivery of a subscriber's
communications data by a communications provider to a law
enforcement agency.
Law Enforcement Agency (LEA)
Various government agencies at National, Regional and Local levels
which are responsible for the enforcement of laws.
Intercept Related Information (IRI)
Information related to the subscriber data traffic of interest.
IRI is a loosely defined term and the scope varies for different
end user applications.
Communications Content (CC)
CC refers to the subscriber data traffic of interest.
Intercept Access Point (IAP)
A device within the network that is used to intercept lawfully
authorized intercept information. There are two types of IAP: those
that provide communication content (CC IAP) and those that provide
intercept related information (IRI IAP).
Mediation Device (MD)
The entity that provisions and activates LI on the relevant network
elements. The Service Provider's LI Admin Function (AF) configures
the Mediation Device based on the intercept request received from
the LEA.
Delivery Function (DF)
The function responsible for collecting IRI and CC data from the
relevant IAPs, reformatting it to match the applicable LEA Handover
Interface standards and forwarding it to the LEA. In some deployment
models, the MD and DF are collocated on the same system.
Collection Function (CF)
The entity on the LEA side which receives the IRI and CC data over
standard Handover Interfaces.
Wireless Access Gateway (WAG)
A network element in a Service Provider Wi-Fi deployment which is
used to implement and enforce per subscriber policies. WAG
typically interacts with external policy provisioning and
authorization systems to implement per subscriber policies and
regulate the service access for the subscribers.
Proxy Mobile IPv6 (PMIPv6)
A network-based mobility management protocol standardized by the
IETF in RFC 5213.
Generic Routing Encapsulation (GRE)
A tunneling protocol that can encapsulate a wide variety of
Network Layer Protocols inside virtual point-to-point links over
an Internet Protocol Internetwork.
CAPWAP
CAPWAP stands for Control And Provisioning of Wireless Access
Points. The protocol specification is described in RFC 5415 and
an IEEE 802.11 binding is provided in RFC 5416.
GPRS Tunneling Protocol (GTP)
A group of IP-based communications protocols used to carry General
Packet Radio Service (GPRS) traffic within GSM, UMTS and LTE networks.
Home Gateway
In an inter-operator roaming scenario, Home Gateway is the network
layer topological anchor point for a roaming partner's subscriber.
Example of a Home Gateway is an LMA in a PMIPv6 based deployment.
3. Generic SP Wi-Fi Deployment Model with Inter-Operator Roaming
(Model-1)
Illustrated in Figure 1 below is a generic SP Wi-Fi deployment model
with Inter-Operator Roaming. In this model, the Wi-Fi operator has
roaming relationships with two partners, A and B. Roaming
architectures typically use standard protocols such as PMIPv6 or GTP
for signaling and data offload between the home operator and the
access provider.
| Roaming Partner A
+-----+ | * * *
| AP1 |----------+ | * *
+-----+ | | * *
+------+ | +---------+ * *
| WAC1 |-----+ _____|____| HOME |---* Partner-A *
+------+ | | | | GATEWAY | * NWK *
+-----+ | | | | +---------+ * *
| AP2 |----------+ | | | * *
+-----+ | | | * * * *
+--------+ |
| WAG | |
+--------+ |------------------------------
+-----+ | | | | * * *
| AP1 |----------+ | | | | * *
+-----+ | | | | | * *
+------+ | | | | +---------+ * *
| WAC2 |-----+ | +_____|____| HOME |---* Partner-B *
+------+ | | | GATEWAY | * NWK *
+-----+ | * * * | +---------+ * *
| AP2 |----------+ * * | * *
+-----+ * * | * * * *
* * |
* Internet * |
Wi-Fi Operator * * | Roaming Partner B
* * * * * |
|
Figure 1: Generic SP Wi-Fi Deployment with Inter-Operator Roaming
In SP Wi-Fi deployments with Inter-Operator roaming, LI will have to
account for intercepts of two types of subscribers:
o Native subscribers accessing the Wi-Fi Operator's network
o Subscribers from Roaming Partners accessing the Wi-Fi Operator's
network
For the first type of subscriber, a typical LI deployment is the
same as the one described in Section 4 for the scenario without
roaming.
For Inter-Operator roaming, there are three deployment scenarios for
handling subscriber traffic:
o All the traffic will be tunnelled towards the Home Gateway in the
Partner network
o Selective local breakout of subscriber traffic into the Wi-Fi
Operators network
o Full local break out of subscriber traffic into the Wi-Fi
Operators network
Depending on country-specific legal requirements, both the Roaming
Partner and the Wi-Fi Operator may be responsible for intercepting
the subscriber's traffic while the subscriber is connected to the
Wi-Fi Operator's network. Even where only the Roaming Partner is
responsible, the LI implementation will need to account for the
local breakout (LBO) that potentially happens in the Wi-Fi Operator's
network. As such, a standardized LI implementation is desirable for
most Inter-Operator roaming scenarios. One approach would be to
leverage existing protocols such as PMIPv6 and define the extensions
required to support a standards-based LI solution for inter-operator
roaming.
A generic LI deployment model with Inter-Operator roaming is
illustrated in Figure 2 below:
Wi-Fi Operator | Roaming Partner A | LEA
| |
| +-----------+ | (a) +-------+
| | LI Admin |<-|-----| LI |
+-----+ +-----+ | +-----------+ +-----------+ | | Admin |
| AP1 | | AP2 | | | AAA | | | +-------+
+-----+ +-----+ | | (IRI IAP) |<----+ |(b) |
| | | +-----------+ (c) | V |
| | | | +-----------+ |
| +------+ | | | (d) | | (g)| +------+
+-| WAC |-+ | +------>| MD / DF |-------|----->| |
+------+ | +------>| |<------|------| CF |
| | | +-----------+ (h)| +------+
| | (f)| ^ |
| | | |(e) |
+-----------+ | | V |
| |--|-----+ +-----------+ |
| WAG / LBO |<-|-----(i)---->| HOME | |
| (CC IAP) |--|-------------| GATEWAY | |
+-----------+ PMIPv6/GTP +-----------+ |
| | |
| | |
| | |
* * * | |
* * | |
* * | |
* * | |
* Internet * | |
* * | |
* * | |
* * * * | |
Figure 2: Generic LI deployment model with Inter-Operator Roaming
The LI-specific functional elements and interfaces defined in the
above architecture model are based on the reference model documented
in RFC 3924. However, additional components and protocol interfaces
are required to cover Inter-Operator roaming.
The LI-specific control plane interactions between the various
network elements are described in the following steps.
o Step-1: The Law Enforcement Agency informs the Roaming Partner
about the legally authorized intercept requirement for a target
subscriber. The Roaming Partner is the home operator for this
subscriber. Typically this is a manual process of delivering the
court order to the Roaming Partner's personnel in charge of the LI
admin function; some LI network element vendors also provide
interfaces to automate this delivery. The LEA is expected to
provide a unique target identifier along with other key variables
such as the duration of the intercept and whether both IRI and CC
need to be forwarded to the LEA. Interface (a) in Figure 2
represents the administrative handover interface between the LEA
and the Roaming Partner.
o Step-2: The Roaming Partner's LI Admin network element uses
interface (b) to provision the Roaming Partner's MD with the
details of the intercept target. Depending on the type of unique
target identifier provided by the LEA, the Roaming Partner's LI
Admin function may need to look up the corresponding subscriber
identifier and forward it to the MD. In this description it is
assumed that the subscriber session was not active at the time the
intercept was provisioned.
o Step-3: At this point the MD does not know on which Home Gateway
the subscriber session may become active, so the MD uses interface
(c) to provision the IRI network element. The IRI network element
in the partner network will typically be an Authentication,
Authorization and Accounting (AAA) system such as a RADIUS or
Diameter server.
o Step-4: The target subscriber of the Roaming Partner uses a client
device to associate to the Wi-Fi Operator's wireless network.
Depending on the implementation, the subscriber may log in
automatically using a pre-registered MAC address or an EAP
authentication method, or may have to go through a Web Portal based
authentication.
o Step-5: The WAG in the Wi-Fi Operator's network, upon detecting a
new subscriber session, sends an Authorization request to the
Roaming Partner's AAA server, which is the IRI IAP. In typical
deployments there is a proxy AAA server in the Wi-Fi Operator's
network acting as the intermediary between the WAG and the Roaming
Partner's AAA server, but this is omitted for simplicity. At this
stage it is assumed that the subscriber is already authenticated
and is authorized to access the network. The AAA server in the
Roaming Partner's network sends an Authorization Accept back to the
WAG so that the WAG can install the relevant policies to allow
network access for the subscriber. The policy includes the
identity of the Home Gateway to which the subscriber session will
be anchored in the Roaming Partner's network. Standards-based
protocol interfaces such as RADIUS or Diameter are typically used
for the interaction between the WAG and the AAA server.
o Step-6: The WAG establishes a packet data session with the
subscriber's Home Gateway. As part of this session establishment,
the Home Gateway assigns an IP address for the subscriber and
provides it to the WAG. The WAG in turn completes the necessary
control plane exchanges with the subscriber's User Equipment (UE)
to complete address assignment. After the packet data session is
established, the WAG typically sends an Accounting Start message to
the AAA server; this message includes the IP address of the
subscriber along with other relevant information. If the
subscriber policy does not allow any Local Breakout (LBO), the WAG
forwards all data traffic from the subscriber to the Home Gateway.
If LBO is allowed, traffic matching the LBO criteria is routed
locally by the WAG and all other traffic from the subscriber is
forwarded to the Home Gateway.
o Step-7: The authorization request from the WAG typically carries a
subscriber identifier such as a username or IMSI. Since the
subscriber identifier matched a target intercept provisioned on the
Roaming Partner's AAA server (IRI IAP), the IRI IAP sends a
"Target Active" notification to the MD over interface (d). This
notification includes the Home Gateway identity for the subscriber,
the IP address of the subscriber and any other relevant IRI.
o Step-8: The Mediation Device establishes a secured session over
interface (g) with the LEA Collection Function and forwards the IRI
corresponding to the target subscriber.
o Step-9: The Mediation Device uses interface (e) to activate the CC
intercept on the Home Gateway in the Roaming Partner's network.
The MD includes all the information required to duplicate and
forward the intercepted content, such as the destination address
and port to which the intercepted packets need to be forwarded, the
duration of the intercept, any applicable filters and encryption
keys.
o Step-10: In this model, the WAG residing in the Wi-Fi Operator's
network is the CC IAP. This ensures that all traffic to and from
the subscriber, including any LBO traffic, is duplicated and
forwarded to the MD. The Home Gateway uses interface (i) to
command the WAG to activate the intercept for the target
subscriber, forwarding all the relevant intercept information it
received from the MD.
o Step-11: The WAG starts duplicating the target subscriber's
communication content and forwards it to the Mediation Device over
interface (f).
o Step-12: The MD re-packages the communication content in the
format required by the LEA and forwards it over interface (h).
4. Generic SP Wi-Fi Deployment Model without Inter-Operator Roaming
(Model-2)
Figure 3 below illustrates a generic SP Wi-Fi deployment without
Inter-Operator Roaming support. In this architecture model, APs may
be deployed in autonomous mode or in split-MAC mode using centralized
wireless controllers. Depending on the implementation model in use,
different tunnel technologies may be used between the AP/WAC and the
Wireless Access Gateway, such as CAPWAP, PMIPv6 or Ethernet over
GRE. Typically all the traffic for a subscriber session is
aggregated on the Wireless Access Gateway.
+-----+
| AP1 |----------+
+-----+ |
|
+------+ +------+
| WAC1 |----------+ +-----| AAA |
+------+ | | +------+
| | |
+-----+ | | |
| AP2 |----------+ | |
+-----+ | | _----_
+-----+ _( )_
| WAG |-------------( IP )
+-----+ (_ _)
+-----+ | '----'
| AP1 |----------+ |
+-----+ | |
| |
+------+ |
| WAC1 |------------+
+------+
|
+-----+ |
| AP2 |----------+
+-----+
Figure 3: Generic SP Wi-Fi Deployment without Inter-Operator Roaming
In most deployments the WAG is the appropriate Communication Content
Intercept Access Point for Lawful Intercept.
Illustrated in Figure 4 below is the integration of the Lawful
Intercept components with the generic SP Wi-Fi deployment model.
These LI-related network and admin elements are described in the
reference document RFC 3924; refer to that RFC for a description of
the LI elements and interfaces used in the reference model here.
+--------+ (a) | +--------+
|LI Admin|<-----------------|----|LI Admin|
+--------+ | +--------+
| |
| (b) |
V |
+-----------+ (c) +--------+ (g) | +--------+
| AAA |<----------| |------------------|--->| |
| (IRI IAP) |---------->| MD/DF |------------------|--->| CF |
+-----------+ (d) +--------+ (h) | +--------+
| ^ |
| | |
+-----+ (e)| | (f) |
| AP1 |------+ | | |
+-----+ | | | |
| V | _---_ |
+-----+ +----------+ _( )_ |
| WAC |----- | WAG |---( IP ) |
+-----+ | (CC IAP) | (_ _) |
| +----------+ '----' |
| |
+-----+ | |
| AP1 |------+ |
+-----+ |
|
Wi-Fi Operator | LEA
Figure 4: LI support for generic SP WiFi Deployment model without
inter-operator roaming
The LI-specific control plane interactions between the functional
components illustrated in Figure 4 are described in the following
steps:
o Step-1: The Law Enforcement Agency informs the Wi-Fi Operator about
the legally authorized intercept requirement for a target
subscriber. Typically this is a manual process of delivering the
court order to the Wi-Fi Operator's personnel in charge of the LI
admin function; some LI network element vendors also provide
interfaces to automate this delivery. The LEA is expected to
provide a unique target identifier along with other key variables
such as the duration of the intercept and whether both IRI and CC
need to be forwarded to the LEA. Interface (a) in Figure 4
represents the administrative handover interface between the LEA
and the Wi-Fi Operator.
o Step-2: The Operator's LI Admin network element uses interface (b)
to provision the Mediation Device with the details of the intercept
target. Depending on the type of unique target identifier provided
by the LEA, the Provider's LI Admin function may need to look up
the corresponding subscriber identifier and forward it to the MD.
In this description it is assumed that the subscriber session was
not active at the time the intercept was provisioned.
o Step-3: At this point the MD does not know on which WAG the
subscriber session may become active, so the MD uses interface (c)
to provision the IRI network element. The IRI network element in
an SP Wi-Fi network will typically be an Authentication,
Authorization and Accounting system such as a RADIUS server.
o Step-4: The target subscriber uses a client device to associate to
the wireless network. Depending on the implementation, the
subscriber may log in automatically using a pre-registered MAC
address or an EAP authentication method, or may have to go through
a Web Portal based authentication.
o Step-5: The WAG, upon detecting a new subscriber session, sends an
Authorization request to the IRI network element. At this stage it
is assumed that the subscriber is already authenticated and is
authorized to access the network. The IRI network element sends an
Authorization Accept back to the WAG so that the WAG can install
the relevant policies to allow network access for the subscriber.
Standards-based protocol interfaces such as RADIUS or Diameter are
typically used for the interaction between the WAG and the IRI
element.
o Step-6: The authorization request from the WAG typically carries a
subscriber identifier such as a username or IMSI, and usually also
the source IP address of the subscriber. Since the subscriber
identifier matched a target intercept provisioned on the IRI IAP,
the IRI IAP sends a "Target Active" notification to the MD over
interface (d). This notification includes the IP address of the
subscriber and any other relevant IRI.
o Step-7: IRI Network element sends an authorization response back
to the WAG and WAG implements applicable subscriber policies and
enables service access for the subscriber session.
o Step-8: Mediation device establishes a secured session over
interface (g) with the LEA collection function and forwards the
IRI information corresponding to the target subscriber.
o Step-9: The Mediation Device uses interface (e) to activate the CC
intercept on the WAG. The MD includes all the information required
to duplicate and forward the intercepted content, such as the
destination address and port to which the packets need to be
forwarded, the duration of the intercept and any applicable
filters.
o Step-10: The WAG starts duplicating the target subscriber's
communication content and forwards it to the Mediation Device over
interface (f).
o Step-11: The MD re-packages the communication content in the
format required by the LEA and forwards it over interface (h).
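The twelve steps of Section 3 and the eleven steps of Section 4 describe one
provisioning and activation sequence in two variants. The following Python
simulation is an added example, not code from the draft or from any vendor's
implementation: it models each functional element as a class, labels every
exchange with the interface letter of Figures 2 and 4, and runs both models end
to end. The message fields, the RADIUS and PMIPv6 message names used as labels,
the addresses and the LBO prefix are assumptions for illustration. In Model-1
the simulation raises "Target Active" on the Accounting Start message of Step 6,
because that is the first message in which the IRI IAP sees the address that
the Home Gateway assigned.

```python
"""Walk-through of the LI control-plane steps of Sections 3 and 4 (added example,
not code from the draft). Interface letters (b)-(i) follow Figures 2 and 4; the
message fields, addresses and the LBO prefix are illustrative assumptions."""


class Net:                                # records every exchange as (interface, message)
    def __init__(self):
        self.log = []

    def send(self, iface, src, dst, msg):
        self.log.append((iface, msg))
        return dst.receive(iface, src, msg)


class CollectionFunction:                 # LEA side: (g) carries IRI, (h) carries CC
    def __init__(self):
        self.iri, self.cc = [], []

    def receive(self, iface, src, msg):
        (self.iri if iface == "g" else self.cc).append(msg)


class MediationDevice:                    # MD/DF
    def __init__(self, net, cf):
        self.net, self.cf, self.targets = net, cf, {}
        self.aaa = self.cc_control = None  # cc_control: Home Gateway (Model-1) or WAG (Model-2)

    def receive(self, iface, src, msg):
        if iface == "b":                  # LI Admin provisions the target (Step 2)
            self.targets[msg["target"]] = msg
            self.net.send("c", self, self.aaa, {"target": msg["target"]})   # Step 3
        elif iface == "d":                # "Target Active" from the IRI IAP
            self.net.send("g", self, self.cf, dict(msg))                    # IRI to the LEA
            if self.targets[msg["target"]]["cc"]:                           # activate CC
                self.net.send("e", self, self.cc_control, {"target": msg["target"],
                              "ip": msg["ip"], "deliver_to": "md.partner-a.example:4001"})
        elif iface == "f":                # CC from the WAG: reformat and hand over
            self.net.send("h", self, self.cf, {"target": msg["target"], "pkt": msg})


class AAA:                                # IRI IAP
    def __init__(self, net, md, home_gw_id=None):
        self.net, self.md, self.home_gw_id, self.targets = net, md, home_gw_id, set()

    def receive(self, iface, src, msg):
        if iface == "c":
            self.targets.add(msg["target"])
        elif msg["type"] == "Access-Request":             # Step 5
            if msg["user"] in self.targets and msg.get("ip"):
                self._target_active(msg)                  # Model-2: IP already in the request
            return {"type": "Access-Accept", "home_gw": self.home_gw_id}
        elif msg["type"] == "Accounting-Start" and msg["user"] in self.targets:
            self._target_active(msg)                      # Model-1: IP assigned by the Home Gateway

    def _target_active(self, msg):
        self.net.send("d", self, self.md, {"target": msg["user"], "ip": msg["ip"],
                                           "home_gw": self.home_gw_id})


class HomeGateway:                        # Model-1 only: session anchor and LI control point
    def __init__(self, net, wag):
        self.net, self.wag, self.last_host = net, wag, 7

    def receive(self, iface, src, msg):
        if iface == "e":                  # Step 10: relay the activation to the WAG over (i)
            return self.net.send("i", self, self.wag, msg)
        self.last_host += 1               # PBU (Step 6): assign the subscriber's address
        return {"type": "PBA", "ip": f"10.200.0.{self.last_host}"}


class WAG:                                # CC IAP
    def __init__(self, net, aaa, md, lbo_prefix):
        self.net, self.aaa, self.md, self.lbo_prefix = net, aaa, md, lbo_prefix
        self.home_gw, self.sessions, self.intercepts = None, {}, {}

    def receive(self, iface, src, msg):   # activation over (e) from the MD or (i) from the HG
        self.intercepts[msg["ip"]] = msg

    def attach(self, user, ip=None):      # Steps 4-6: authorize, anchor, report the address
        self.net.send("RADIUS", self, self.aaa, {"type": "Access-Request", "user": user, "ip": ip})
        if self.home_gw is not None:
            ip = self.net.send("PMIPv6", self, self.home_gw, {"type": "PBU", "user": user})["ip"]
            self.net.send("RADIUS", self, self.aaa, {"type": "Accounting-Start", "user": user, "ip": ip})
        self.sessions[ip] = user
        return ip

    def forward(self, src_ip, dst_ip, payload):
        """Route one subscriber packet; duplicate it to the MD if the sender is a target."""
        path = "local" if self.home_gw is None or dst_ip.startswith(self.lbo_prefix) else "tunnel"
        if src_ip in self.intercepts:     # LBO traffic is copied as well as tunnelled traffic
            self.net.send("f", self, self.md, {"target": self.sessions[src_ip], "src": src_ip,
                                               "dst": dst_ip, "path": path, "payload": payload})
        return path


def run_scenario(roaming):                # Model-1 (roaming=True) or Model-2 (roaming=False)
    net, cf = Net(), CollectionFunction()
    md = MediationDevice(net, cf)
    aaa = AAA(net, md, home_gw_id="hg.partner-a.example" if roaming else None)
    wag = WAG(net, aaa, md, lbo_prefix="192.0.2.")
    md.aaa, md.cc_control = aaa, wag
    if roaming:
        wag.home_gw = md.cc_control = HomeGateway(net, wag)
    net.send("b", "LIAdmin", md, {"target": "alice", "cc": True})
    t_ip = wag.attach("alice", ip=None if roaming else "10.100.0.5")
    o_ip = wag.attach("bob", ip=None if roaming else "10.100.0.6")
    paths = [wag.forward(t_ip, "192.0.2.10", b"lbo"),      # breaks out locally in Model-1
             wag.forward(t_ip, "198.51.100.1", b"home"),   # tunnelled to the Home Gateway
             wag.forward(o_ip, "198.51.100.1", b"other")]  # not a target: never copied
    return net.log, cf, paths
```

Running `run_scenario(True)` shows the activation travelling MD to Home Gateway
to WAG over (e) and (i), and the locally broken-out packet being copied to the
MD alongside the tunnelled one; `run_scenario(False)` shows the MD activating
the WAG directly over (e). In both runs the second subscriber's traffic never
reaches the Collection Function.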
5. Lawful Intercept Deployment Considerations for SP Wi-Fi
5.1. Proprietary versus Standards based Implementation
LI implementation is fairly straightforward for deployments that do
not support Inter-Operator roaming. Most LI equipment vendors
provide vendor-specific protocol interfaces for interworking with
IAP network elements from the various network equipment vendors;
standards-based interfaces are primarily confined to the
interconnect between the LEA Collection Function and the Mediation
Device.
However, for SP Wi-Fi deployment models that support inter-operator
roaming, there are significant advantages in standardizing some of
the protocol interfaces. Standards-based protocols such as PMIPv6
or GTP are typically used for the control plane and data plane
connectivity between the WAG in the Wi-Fi Operator's network and the
Home Gateway in the Roaming Partner's network. By defining protocol
extensions, the same control plane interface can be leveraged for
standards-based LI signaling as well.
5.2. Subscriber Location Tracking Requirements
Unlike fixed broadband deployments, where the location of the
subscriber can be derived easily from the source IP address assigned
to the end-user device, the nature of Wi-Fi networks makes it more
complex to track the location of the subscriber under surveillance.
A simple IP address lookup does not suffice because of the layer-2
and layer-3 roaming supported by most deployments. Additional
intelligence can be implemented to collect location-specific
information, which can be provided as IRI to the LEA if required by
law. In Inter-Operator roaming scenarios it is also possible to carry
the location data over standards-based protocols such as PMIPv6 or
GTP by using relevant protocol extensions.
5.3. Handling SIPTO Traffic for Lawful Intercept
For Inter-Operator roaming deployments, local breakout of the roaming
subscriber's traffic in the visited Wi-Fi network is a typical
implementation scenario. This Local Breakout is also known as
Selective IP Traffic Offload (SIPTO). When SIPTO is enabled in the
Inter-Operator roaming scenario, it typically happens at the WAG in
the Wi-Fi Operator's network. There are two scenarios for handling
SIPTO traffic: SIPTO without NAT and SIPTO with NAT. For the
scenario without NAT, dealing with SIPTO for LI is fairly
straightforward. In the LI architecture model covered for the
Inter-Operator Roaming scenario in this document, the WAG acting as
the CC IAP can forward both SIPTO and non-SIPTO traffic towards the
MD in the Roaming Partner's network. For a scenario where the CC
intercept happens at the Home Gateway instead of at the WAG, some
additional signaling can be done over the control plane between the
Home Gateway and the WAG to temporarily disable SIPTO for the target
subscriber while the target is under surveillance. Disabling SIPTO
changes the path, and potentially the public source address, of the
target's traffic; implementations should weigh this against the
requirement in Section 7 that an active intercept be undetectable by
the target.
SIPTO with NAT can make the implementation more complex. If the NAT
function for SIPTO traffic is performed at the WAG itself, the WAG
has access to the per-subscriber NAT binding information. If the
WAG is the CC IAP in the Inter-Operator roaming scenario for the
Roaming Partner's subscriber, the WAG can forward the NAT binding
information over the control plane to the Home Gateway in the
Roaming Partner's network. This can be included in the scope of the
protocol extensions required on the tunneling technologies for
LI-related signaling between the Home Gateway and the WAG. Since
the Home Gateway actively participates in the intercept for the
target in the Inter-Operator roaming scenario, it can forward this
information to the MD over the interface between the Home Gateway
and the Mediation Device. Without the binding information, SIPTO
traffic observed on the Internet side of the NAT cannot be
attributed to the target, because the public address and port range
are shared with other subscribers. If the NAT function for SIPTO
traffic runs on a separate box from the WAG, then alternative
options will need to be considered.
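The NAT binding information discussed above is only useful to the MD if it can
be matched against traffic observed beyond the NAT. The following Python
example is added here and is not code from the draft: a minimal port-based NAPT
standing in for the WAG's SIPTO NAT, which records a binding for each new flow
of an intercept target, and an MD-side correlation that attributes
Internet-side flow records back to the target's private address and port. In
the draft these records would travel from the WAG via the Home Gateway to the
MD over the control plane; here they are simply returned. Addresses, ports and
timestamps are constructed sample data, and the reuse of a public port by a
second subscriber after release is included to show why each binding record
needs both a start and an end time.

```python
"""NAT binding records for the SIPTO traffic of an intercept target (Section 5.3).

Added example, not code from the draft. Addresses, ports and timestamps are
constructed sample data."""


class SiptoNat:
    """Minimal port-based NAPT at the WAG that records bindings for targets."""

    def __init__(self, public_ip, target_ips, first_port=40000):
        self.public_ip, self.targets = public_ip, set(target_ips)
        self.table, self.open, self.bindings = {}, {}, []   # live bindings, open target records, all records
        self.free_ports = list(range(first_port, first_port + 1000))

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port, ts):
        """Translate one outbound packet; open a binding record if the source is a target."""
        key = (proto, src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.free_ports.pop(0)         # lowest free public port
            if src_ip in self.targets:                       # binding info is IRI for the target
                rec = {"target_ip": src_ip, "proto": proto, "private_port": src_port,
                       "public_ip": self.public_ip, "public_port": self.table[key],
                       "start": ts, "end": None}
                self.open[key] = rec
                self.bindings.append(rec)
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def release(self, proto, src_ip, src_port, ts):
        """Tear down a binding; the public port becomes reusable at once."""
        key = (proto, src_ip, src_port)
        self.free_ports.insert(0, self.table.pop(key))
        if key in self.open:
            self.open.pop(key)["end"] = ts


def attribute_public_flows(bindings, flows):
    """MD side: map Internet-side flow records back to the target's private endpoint.

    A flow is attributed only if its (proto, public ip, public port) equals a
    binding AND its timestamp lies inside the binding's lifetime. Without the
    time check, a port reused by another subscriber after release would be
    misattributed to the target."""
    matched = []
    for f in flows:
        for b in bindings:
            same_endpoint = (b["proto"], b["public_ip"], b["public_port"]) == \
                            (f["proto"], f["src_ip"], f["src_port"])
            alive = b["start"] <= f["ts"] and (b["end"] is None or f["ts"] < b["end"])
            if same_endpoint and alive:
                matched.append((f["ts"], b["target_ip"], b["private_port"], f["dst_ip"], f["dst_port"]))
    return matched


def demo():
    """Target 10.200.0.8 and bystander 10.200.0.9 share the public address 203.0.113.5."""
    nat = SiptoNat("203.0.113.5", target_ips={"10.200.0.8"})
    nat.translate("tcp", "10.200.0.8", 51000, "192.0.2.10", 443, ts=100)   # target gets port 40000
    nat.translate("tcp", "10.200.0.9", 52000, "192.0.2.20", 80, ts=101)    # bystander gets 40001
    nat.release("tcp", "10.200.0.8", 51000, ts=200)                        # target closes; 40000 freed
    nat.translate("tcp", "10.200.0.9", 52001, "192.0.2.30", 443, ts=201)   # bystander reuses 40000
    # Flow records as a collector beyond the NAT would see them (constructed).
    flows = [{"ts": 150, "proto": "tcp", "src_ip": "203.0.113.5", "src_port": 40000,
              "dst_ip": "192.0.2.10", "dst_port": 443},
             {"ts": 160, "proto": "tcp", "src_ip": "203.0.113.5", "src_port": 40001,
              "dst_ip": "192.0.2.20", "dst_port": 80},
             {"ts": 250, "proto": "tcp", "src_ip": "203.0.113.5", "src_port": 40000,
              "dst_ip": "192.0.2.30", "dst_port": 443}]
    return nat.bindings, attribute_public_flows(nat.bindings, flows)
```

Only the flow at ts=150 is attributed to the target: the flow at ts=160 uses a
port that was never bound to the target, and the flow at ts=250 reuses port
40000 after the target's binding ended, so the lifetime check rejects it.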
6. IANA Considerations
This document does not require any IANA actions.
7. Security Considerations
An LI implementation must ensure that only authorized personnel can
enable an intercept for a target subscriber, and that an active
intercept is undetectable by the intercept target and by any
individual within or outside the Wi-Fi Operator's and Roaming
Partner's networks. To that end, all LI-specific protocol signaling
must be carried over a secured, encrypted transport that also
provides integrity protection and authentication of both endpoints.
For example, if PMIPv6 is the tunnel technology used in an
Inter-Operator roaming scenario, any LI-specific signaling carried
over the PMIPv6 control plane must be encrypted. Proper
confidentiality mechanisms must also be implemented for the transport
of IRI and CC data from the corresponding IAPs to the Mediation
Device. This is particularly important when the CC IAP is in the
Wi-Fi Operator's network and the MD is in the Roaming Partner's
network, since the intercepted content then crosses an
inter-operator link.
8. Acknowledgements
The authors would like to thank Fred Baker for his review and
feedback on the document.
9. Informative References
[RFC3924] Baker, F., Foster, B., and C. Sharp, "Cisco Architecture
for Lawful Intercept in IP Networks", RFC 3924,
October 2004.
Appendix A. Applicability of LI Architecture in a PMIPv6 based Service
Provider Wi-Fi Implementation
In a PMIPv6 based implementation, the Local Mobility Anchor (LMA)
is the Home Gateway and the Mobile Access Gateway (MAG) is the WAG.
The PMIPv6 based architecture may be used for both Intra-Operator
Mobility and Inter-Operator Mobility scenarios. The PMIPv6 based LI
deployment model with Inter-Operator roaming is illustrated in
Figure 5 below:
Wi-Fi Operator | Roaming Partner A | LEA
| |
| +-----------+ | (a) +-------+
| | LI Admin |<-|-----| LI |
+-----+ +-----+ | +-----------+ +-----------+ | | Admin |
| AP1 | | AP2 | | | AAA | | | +-------+
+-----+ +-----+ | | (IRI IAP) |<----+ |(b) |
| | | +-----------+ (c) | V |
| | | | +-----------+ |
| +------+ | | | (d) | | (g)| +------+
+-| WAC |-+ | +------>| MD / DF |-------|----->| |
+------+ | +------>| |<------|------| CF |
| | | +-----------+ (h)| +------+
| | (f)| ^ |
| | | |(e) |
+-----------+ | | V |
| |--|-----+ +-----------+ |
| MAG |<-|-----(i)---->| LMA | |
| (CC IAP) |--|-------------| (Home GW) | |
+-----------+ PMIPv6/GTP +-----------+ |
| | |
| | |
| | |
* * * | |
* * | |
* * | |
* * | |
* Internet * | |
* * | |
* * | |
* * * * | |
Figure 5: PMIPv6 based LI deployment model with Inter-Operator
Roaming
In the PMIPv6 based LI architecture model covered here, the LMA is
designated as the control point for intercept provisioning and
activation, and the MAG acts as the CC IAP.
The LMA, which is the Home Gateway in the Roaming Partner's network,
uses the PMIPv6 control plane to carry the LI-specific provisioning
and activation information to the MAG residing in the Wi-Fi
Operator's network. This can be accomplished by leveraging the
existing control plane messages with additional protocol TLVs
defined for the support of Lawful Intercept. A secured control plane
is already part of the PMIPv6 standard (RFC 5213 specifies IPsec as
mandatory to implement for protecting the signaling) and may be
enabled optionally. When LI-specific information is carried over the
PMIPv6 control plane, confidentiality must be enabled for the control
plane messages by using ESP protection with encryption, not
integrity protection alone.
The MAG will receive all the necessary information to establish a
secured communication channel to the Mediation Device and transport
the intercepted packets. The privacy and confidentiality of the
intercept is maintained by enabling encryption on this channel. The
LMA can collect the encryption keys from the MD over interface (e)
and forward them over the PMIPv6 signaling plane along with the other
LI-specific parameters; the MAG uses these keys to encrypt the
intercepted packets it forwards to the Mediation Device. Because the
keys transit the PMIPv6 control plane, the ESP protection of that
control plane is a precondition for this key distribution.
If the intercept target roams from one MAG to another while the CC
intercept is active, the LMA provides the LI-specific parameters to
the new MAG along with the standard mobility related information via
the PMIPv6 control plane. The old MAG ceases the intercept operation
since the target is no longer attached to it, and the new MAG starts
forwarding the intercepted packets to the Mediation Device. In the
background, the LMA will have informed the MD about the inter-MAG
handover of the intercept target over interface (e).
The intercept of a target may be conditional on the location in
which the target is active. In the case of an inter-MAG handover, if
the new MAG on which the target has become active is outside the
location of interest, the MD informs the LMA to cease the intercept,
and the LMA in this case does not provide any LI-specific information
to the new MAG. As long as the LI provisioning of the target is valid
on the LMA, the LMA keeps informing the MD about the location changes
of the target every time an inter-MAG handover happens, and the MD
can instruct the LMA to re-activate the intercept if the target ends
up back on a MAG that is within the location of interest.
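The handover handling described above, together with the location-conditional
intercept that Section 5.2 motivates, is shown in the following Python example.
It is added here and is not code from the draft or from any PMIPv6
implementation. The LMA tracks the target's current MAG, reports every
inter-MAG handover to the MD over interface (e) and, depending on the MD's
answer, either pushes the LI parameters to the new MAG in PMIPv6 signaling
(modelled as a method call; the TLVs themselves are not defined here) or
withholds them. The MAG names, the set of MAGs that forms the location of
interest and the parameter names `deliver_to` and `key_id` are assumptions for
illustration; the initial attachment is treated as a handover from no MAG.

```python
"""Inter-MAG handover of an intercept target with a location-conditional
intercept (Appendix A and Section 5.2). Added example, not code from the draft;
MAG names, the location-of-interest policy and the LI parameter names are
illustrative assumptions."""


class MAG:                                   # CC IAP in the Wi-Fi Operator's network
    def __init__(self, name):
        self.name, self.active = name, {}    # target -> LI parameters currently in force

    def activate(self, target, params):      # parameters arrive in PMIPv6 signaling (assumed TLVs)
        self.active[target] = params

    def cease(self, target):
        self.active.pop(target, None)


class MediationDevice:
    """Holds the intercept and the set of MAGs that make up the location of interest."""

    def __init__(self, target, locations, delivery):
        self.target, self.locations, self.delivery = target, set(locations), delivery
        self.iri = []                        # handover notifications, forwarded to the LEA as IRI

    def on_handover(self, target, old_mag, new_mag):
        """Interface (e): the LMA reports a handover; reply with LI params or None to cease."""
        self.iri.append({"target": target, "from": old_mag, "to": new_mag})
        if target != self.target or new_mag not in self.locations:
            return None
        return dict(self.delivery)


class LMA:                                   # Home Gateway: LI control point
    def __init__(self, md, mags):
        self.md, self.mags, self.attached = md, {m.name: m for m in mags}, {}
        self.trace = []                      # (new MAG, intercept active there?)

    def handover(self, target, new_mag_name):
        """Re-evaluate the intercept each time the target attaches to another MAG."""
        old_name = self.attached.get(target)
        params = self.md.on_handover(target, old_name, new_mag_name)
        if old_name is not None:
            self.mags[old_name].cease(target)        # target has left the old MAG
        if params is not None:
            self.mags[new_mag_name].activate(target, params)   # pushed over PMIPv6
        self.attached[target] = new_mag_name
        self.trace.append((new_mag_name, params is not None))
        return params is not None


def demo():
    """Target alice moves mag1 (in scope) -> mag2 (out of scope) -> mag3 (in scope)."""
    mags = [MAG("mag1"), MAG("mag2"), MAG("mag3")]
    md = MediationDevice("alice", locations={"mag1", "mag3"},
                         delivery={"deliver_to": "md.partner-a.example:4001", "key_id": 17})
    lma = LMA(md, mags)
    for mag in ("mag1", "mag2", "mag3"):
        lma.handover("alice", mag)
    lma.handover("bob", "mag1")                      # not a target: reported, never activated
    active_on = [m.name for m in mags if "alice" in m.active]
    return lma.trace, active_on, md.iri
```

After the three moves the intercept is active only on mag3: mag1 ceased when
the target left it, mag2 never received the LI parameters because it lies
outside the location of interest, and every handover, including the one for
the non-target, was reported to the MD.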
Authors' Addresses
Byju Pularikkal
Cisco
7200-12 Kit Creek Road, PO Box 14987
Research Triangle Park, NC 27709-4987
USA
Email: byjupg@cisco.com
Sri Gundavelli
Cisco
170 West Tasman Drive
San Jose, CA 95134
USA
Email: sgundave@cisco.com
Mark Grayson
Cisco
11 New Square Park
Bedfont Lakes, FELTHAM TW14 8HA
ENGLAND
Email: mgrayson@cisco.com
Rajat Ghai
Benu Networks
300 Concord Rd, suite # 110
Billerica, MA 01812
USA
Email: rghai@benunets.com