November, 2005 Aqsacom Document No. 040450
Copyright 2003-2005 Aqsacom Inc. and Aqsacom SA. No portion of this document may be reproduced without the expressed permission of Aqsacom. The data and figures of this document have been presented for illustrative purposes only. Aqsacom assumes no liability for errors or omissions.
Table of Contents
1. Introduction
2. Definition of 3G Technology and Deployments
3. Uses of 3G Technology and Implications for Lawful Interception
4. The Architecture of Lawful Interception
5. Overview of network structure for CDMA and UMTS
6. Lawful Interception in 3G Networks
7. Aqsacom’s ALIS Mediation Function Platform
8. Summary
9. References
Aqsacom SA Les Conquerants, Bât B Everest 1 avenue de l’Atlantique Les Ulis Courtabeouf Cedex F-91976 France Tel. 33 1 69 29 36 00 Fax 33 1 69 29 84 01 firstname.lastname@example.org www.aqsacom.com
Aqsacom Inc. Washington, DC tel. 202 315 3943
Lawful Interception and 3G Networks
Aqsacom SA and Aqsacom Inc.

1. Introduction

This White Paper aims to introduce the reader to the formal definition of “3G” mobile services and describe the implications that 3G networks have on lawful interception. We also discuss standardized approaches to lawful interception for 3G networks. Given that these networks are at an early stage of deployment, the implementation of standards-based interception systems is also at a rather early stage. Finally, we show how Aqsacom addresses lawful interception requirements as applied to 3G networks.

2. Definition of 3G Technology and Deployments

Term “3G” is somewhat controversial and rather loosely used. 3G mobile’s broad definition calls for the support of enhanced multimedia services (voice, data, video) and applications (E-mail, paging, cell phone, Web browsing). Strict ITU IMT-2000 requirements call for uplink/downlink data transmission speeds 2 Mbs, 384 kbs, and 144 kbs for indoor pico cell, outdoor micro cell, and outdoor macro cell settings, respectively (see Table 2-1). Nevertheless, many transmission standards do not fit the speed requirements even though their proponents continue to classify such standards as 3G, some of which may be better described as “2.5G” (e.g., GPRS) or “2.75G” (CDMA2000 1X RTT). True UMTS, otherwise informally known as WCDMA because of the UMTS’ use of wideband CDMA modulation in the air space, conforms to the IMT-2000 “3G” requirements.

Table 2-1: Summary of IMT 2000 Requirements for “3G”
Coverage | Min. data rate
Indoor (Pico Cell) | 2 Mbps
Local Pedestrian (Micro Cell) | 384 kbs
Regional or Vehicular Traffic (Macro Cell) | 144 kbs

The following summarize the capabilities of the transmission standards.

CDMA2000 1X RTT: This standard follows from CDMAOne (CDMA IS95) in that it also occupies 1.25 MHz channels, as its earlier generation system (hence the term 1X). RTT stands for Radio Transmission Technology. Although this standard supports theoretical data transmission rates of 307 kbs, operators such as Verizon Wireless support typical rates of 40 to 80 kbs
peak. This is the dominant technology of the Verizon Wireless and Sprint PCS networks in their offer of voice and limited data services.

CDMA2000 1X EV-DO: This represents the next evolutionary step up from the above standard (hence the term “EV”). The standard makes use of Qualcomm’s High Data Rate (HDR) system which supports packet data rates of up to 2.4 Mbs, and can support true mobile 3G services according to the IMT-2000 3G definition. Not surprisingly, Qualcomm holds core patents to this technology, as it does in the other technologies behind the CDMA and WCDMA standards. CDMA2000 1X EV-DO is now being deployed in major markets by Verizon Wireless and Sprint Nextel.

CDMA Deployments

CDMA (One and 2000) has its largest base in North America (over 102 million subscribers as of 3Q 2005 according to the CDMA Development Group ), mainly thanks to the widespread deployments of the system by Sprint Nextel and Verizon Wireless. Both operators offer US nationwide coverage of CDMA2000, and are also deploying CDMA 2000 EV-DO in major markets. Bell Mobility and Telus operate CDMA2000 in most major cities throughout Canada. The Caribbean and Latin America represent a strong CDMA region, with over 53 million (3Q05) subscribers. Deployments of CDMA2000 are scattered throughout these regions. CDMA in the Asia-Pacific region is even stronger at 125 million subscribers (CDMA Development Group Figures, 3Q05). Carriers now operating and enlarging their CDMA2000 networks include China Unicom (China), KDDI (Japan), Telstra (Australia), and those in South Korea (SK Telecom, LG, KT Freetel). Europe represents a weak zone for CDMA in general with most CDMA activity confined to Russia, the Ukraine, Romania, and other Eastern European countries. Operators worldwide are deploying CDMA2000 EV-DO, which unlike CDMA2000 1X, strictly meets the IMT 2000 definition of “3G” (see  for extensive data on CDMA deployments region-by-region).

GPRS (General Packet Radio Service): This service complements GSM voice and rides within the 200 kHz band reserved for GSM channelization. It is a packet-based service with a theoretical transmission speed of up to 172 kbs, although current operator implementations and handsets typically operate at 10 to 50 kbs. The packet mode enables the service to be “always connected.” This is the dominant wireless data transmission technology wherever GSM is deployed, such as throughout Europe. In North America, Cingular/AT&T, and T-Mobile have been offering calling plans with this technology.

EDGE (Enhanced Data Rates for GSM and TDMA Evolution): EDGE updates GPRS technology by using higher-order modulation schemes. The upgrade is not necessarily trivial to perform on a large scale. Despite its theoretical
transmission speed of over 300 kbs, users will be more likely to find rates of from about 20 to 100 kbs. The technology operates within channels allocated for GSM and GPRS. In North America, Cingular/AT&T, and T-Mobile have adapted this technology as their current “3G” solution, although its data rates clearly do not conform to the IMT-2000 3G definition. In Europe, many operators have deployed EDGE despite their ongoing efforts to also deploy full UMTS.

UMTS (WCDMA): UMTS (Universal Mobile Telephone System) has been developed under the 3GPP (3rd Generation Partnership Project) Working Group and proposed as a true 3G standard. It is commonly called “WCDMA” (Wideband CDMA) because of its use of CDMA in the air space modulation. The standard makes use of 5 MHz for transmission and 5 MHz for reception, thereby consuming relatively more bandwidth than its distant cousin GSM (200 kHz). UMTS can offer 2 Mbs provided sufficient cell sites are in place. WCDMA continues to be rolled out throughout Europe, Asia, and the US (mainly by Cingular / AT&T) by GSM carriers, although uptake has been slower than anticipated (current worldwide user base at about 35 million according to the GSM Suppliers Association , 3Q05). Adaptation is expected to pick up with anticipated services involving music downloading and video delivery to wireless devices. Higher download speeds are anticipated with the deployment of services and handsets based on HSDPA (high-speed downlink packet access), which will augment WCDMA services data rates into the 2 Mbs range. However, HSDPA deployments will not begin in earnest until later in 2006. Note that in Japan, NTT DoCoMo’s FOMA (Freedom Of Mobile Access) is based on an early variant of UMTS that employs a 64 kbs dedicated channel for video and other higher speed delivery to a given handset. Such dedicated channels are not present in current UMTS and CDMA2000 specifications used in North America and Europe.

TD-SCDMA (Time Domain Synchronous Code Division Multiple Access): This standard was developed by the Chinese Academy of Telecommunications Technology, Datong, and Siemens . The standard addresses the Chinese government’s concern that China was too dependent on mobile technology, especially that of 3G, from Western companies. TD-SCDMA is built upon GSM, and proponents of the standard claim that it can achieve 3G functionality at a substantially lower cost than UMTS. TD-SCDMA supports data links of up to 2 Mbit/sec, thereby qualifying it (in theory) as a true 3G standard. Technically, the standard is now registered as part of UMTS Release 4. It is anticipated that TD-SCDMA will not only serve as a platform for 3G data services, but also facilitate the deployment of conventional voice services competing against wireline voice or where wireline is not available. China constitutes the world’s largest cellular telephone market with 300 million subscribers, which is about 3X the size of China’s fixed-line market. The timeframe for decisions by the Chinese government on the allocation of 3G licenses and use of technology remain unclear, except that 3G deployment and use should be well underway in time for the 2008 Olympics in Beijing. Details on lawful interception for TD-SCDMA networks are
difficult to obtain. However, its use of UMTS network elements likely would imply that LI network implementations for TD-SCDMA are similar to those for UMTS.

By definition, only UMTS, CDMA2000 1X EV-DO, and perhaps TD-SCDMA conform to the true definition of the term “3G.” Nevertheless, the term “3G” is often loosely used for services reliant on lower speed technologies, such as EDGE, CDMA2000 1X RTT, or even unrelated technologies such as Wi-Fi.

Wi-Fi¹: Although not classified as a 3G service, Wi-Fi is often given the title mainly for marketing reasons. Wi-Fi represents the standardized implementation of wireless LANs based on the IEEE 802.11 family of standards (in particular, 802.11b for 2.5 GHz operation, 802.11a for 5 GHz operation, 802.11g for higher speeds at 2.5 GHz, and 802.11i for secure networks). Even though transmission speeds on the order of 10 Mbs are stated in the standard, this data rate is rarely achieved in the outdoor micro cell or indoor pico cell environments to which public and private Wi-Fi networks are deployed. Nevertheless, public Wi-Fi services do typically deliver rates on the order of 1 to 2 Mbs, making the service close in performance to that called for in the IMT-2000 3G requirements. From a strategic point of view, Wi-Fi may become a formidable competitor to emerging 3G services, especially for users that frequent common public spaces (e.g., airport waiting areas, coffee shops) and require high speed Internet connectivity.

WiMAX (Worldwide Interoperability for Microwave Access): Given the success of Wi-Fi in spreading the use of low cost 802.11 systems and their compatibility, another industry group, the WiMAX Forum, is now attempting to do the same for the IEEE 802.16 wireless standard. The WiMAX Forum aims to recommend product implementations of the 802.16 standard as well as elements of the similar ETSI HiperMAN standard. Vendor products conforming to these implementations will be given WiMAX certification. Originally intended for fixed-position broadband point-to-multipoint metropolitan area networking, the standard is being extended to support mobility. Fixed range is up to 50 km (30 miles) for line of sight spans; mobile range is 5 to 15 km (3 to 10 miles). WiMAX poses a potential source of competition to 3G UMTS and CDMA networks, especially in the delivery of broadband wireless data services over areas of several km in diameter; however, issues related to signal obstruction, attenuation, in-building coverage, etc., would have to be considered as they could mitigate the effectiveness of WiMAX in many locations. In the near term, WiMAX will provide long range, alternative broadband access to network nodes. These network nodes, in turn, could support wired or wireless Wi-Fi local networks. However, low cost PC-based radio transceivers are now under development that can enable a workstation or even hand-held wireless device to connect directly to a WiMAX-enabled network.

¹ The term Wi-Fi is a trademark of the Wi-Fi Alliance, a group of industry players advancing the deployment of 802.11 implementations and assuring cross-vendor interoperation.
3. Uses of 3G Technology and Implications for Lawful Interception

Voice. Although 3G networks are often associated with “killer” applications such as music downloading, video email, high speed Internet connectivity, etc., from the operator’s point of view voice will likely remain the dominant application to operate over 3G networks for a long time to come. As users migrate from wireline to wireless services, voice traffic over wireless systems, and the number of users making voice calls, will continue to grow. The increased amount of voice traffic over wireless networks has already had implications for lawful interception, where an increasing proportion of lawful interception requests from Law Enforcement Agencies (LEAs) have targeted mobile telephones and their users. For example, the US Dept. of Justice reported that about 90% of lawful interception requests during the year 2003 were for cellular phone taps . Similar trends occur in other countries and will likely continue, especially as younger generations of users grow in proportion to the overall user demographics.

Short Message Services (SMS) will also continue to grow, especially as messaging migrates to richer multimedia applications (e.g., exchange of photos). Although not a 3G service in itself, 3G networks will nevertheless have to support the proliferation of this service and its growing usage (now amounting to hundreds of millions of users worldwide). As in the case of voice, lawful interception will have to meet the growing use of the service among interception targets, who also take advantage of mobility in their communications.

General Connectivity to the Internet for email, chat, Web browsing, and related applications. Many operators are now offering such services, even over 2.5G networks. Likewise, criminals will likely find mobile Internet connections a “safer” and more convenient means to communicate, thus the proportion of Internet communications over mobile networks subject to lawful interception will likely grow in proportion to that of fixed networks. Another factor that will drive the growth of Internet over mobile networks are the variety of devices with which to communicate, including notebook computers (equipped with 2.5/3G modem cards), PDAs, and phones with alphanumeric entry/display. Here law enforcement officials are faced with the same set of challenges as in the interception of information on IP networks, namely the assignment of information flow to the targeted accounts to which IP packets originate and terminate. Of course, in the case of 3G mobile networks there is the added complication of the mobility of the target.

High Speed Photo, Video Clip, and Music upload/download. Music downloading to 3G devices will likely be a big application for 3G networks, and with that will likely come copyright violations as has been the case over wired IP networks. Law enforcement will therefore be called to assist in the surveillance of such cases. As phones with built-in cameras proliferate and improve in image quality, privacy concerns become a growing issue. Gross abuse of such services for the purpose of outright privacy invasion can have legal implications; therefore, LEAs need to be prepared to intercept video and still imagery in the preparation of a case against such abusers.
Multimedia Games. As handsets become more sophisticated in their support of downloadable and networked games, issues of lawful interception as applied to games can arise. Clearly, lawful interception has a role in the tracking of users and sources of games with illicit thematic material, such as child pornography, hate-targeting, gambling, or copyright infringement.

Voice over IP (VOIP). As robust 3G networks are deployed, VOIP will likely become a growing application among mobile users. VOIP-capable handsets are now on the market and will grow in popularity, especially for operation over Wi-Fi networks. Clearly, the lawful interception of VOIP traffic raises a number of technical and legal issues that cannot be ignored by the LEAs and network operators.

4. The Architecture of Lawful Interception

Figure 4-1 depicts a highly general view of lawful interception architecture, as proposed by the European Telecommunications Standards Institute (ETSI). Of primary interest is the use of a Mediation Platform to convey intercepted data from the network to the LEA. Of note is the separation of LEA functions from the interception functions performed by the network operator. This architecture attempts to define a systematic and extensible means by which network operators and LEAs can interact, especially as networks grow in sophistication and scope of services.

[Figure 4-1. Simplified view of ETSI architecture. Elements shown: Communications Network (Voice Switch, Probe, Router, IN Server); Mediation Platform; Law Enforcement Agency (LEA); flows labeled “LI request” and “formatted interception information.”]

A more detailed, yet still generalized view of the ETSI architecture is provided in Figure 4-2 . The architecture is now applied worldwide (in some cases with
slight variations in terminology), including the US in the context of CALEA². Communications between the network operator and LEA are via the Handover Interfaces (designated HI). Of particular note is the separation of lawful interception management functions (mainly session set-up and tear down, as demanded from the LEA), conveyance of call data (e.g., source of a call, destination of call, time of the call, duration, etc.) from the network operator to the LEA, and conveyance of call content, also from the network operator to the LEA. Also of importance is “interception entity,” which gathers the intercepted data from various switches and probes in the network, formats the data into standardized data representations, and delivers the interception data to one or more LEAs. Aqsacom addresses the functions of the interception entity through its ALIS mediation platform (discussed in Section 7). Keep in mind that the ETSI lawful interception architecture is not only applicable to voice calls, but to IP data interception as well.

[Figure 4-1. ETSI-developed architecture for lawful interception. Note the separation of lawful interception management functions (HI1), call-related data (HI2), and call content (HI3) in the interaction between the LEA and communication service provider (based on ). Elements shown: Communication Service Provider domain with Net Operator Administration Function (Provisioning), Network Internal Functions, Network Entities, Voice / IP Network, IRI Mediation Function and CC Mediation Function (Interception Mediation); LEA domain with Law Enforcement Collection & Administration; interfaces HI1, HI2 (CDC) carrying intercept related information (IRI, also called Call Data), and HI3 (CCC) carrying Content of Communication (CC).]

² Communications Assistance for Law Enforcement Agencies. CALEA was an act of US Congress, passed in 1994, in response to the proliferation of wireless networks and growing sophistication of wireline networks. It has attempted to define specific measures that carriers must take to convey lawful intercept information to LEAs. All telephone service operators, wireline and wireless, were to have complied with this law by the middle 2003.
5. Overview of network structure for CDMA and UMTS.

Before discussing the specifics of how lawful interception is applied to 3G networks, it is instructive to review the overall network topologies of UMTS and CDMA2000 mobile networks. These technologies represent the bulk of the 3G networks that are now being deployed worldwide. Figures 5-1 and 5-2 provide generalized descriptions of UMTS and CDMA2000 networks. Note slight variations can occur depending on the choice of vendors and desired features, and many of the network elements can be combined into a single network device.

In a general sense, networks based on UMTS and CDMA are quite similar. Both interconnect a group of BTS units into a single BSC (see terminology definitions following each figure). From the BSC, circuit switched and packet data are sent, respectively, to some form of a Mobile Switching Center and packet manipulation system (PDSN for CDMA2000 or SGSN for UMTS). There is also some level of overlap in the signaling and database functions.

[Figure 5-1. Generalized view of a mobile 3G network based on UMTS. Configuration is nominal and varies by vendors who furnish equipment. Some functions may be combined into a single network entity. Note each network device shown does not have to represent a separate physical device. This diagram corresponds to Release 5 and later of the UMTS specification. Elements shown: BTS, BSC / RNC, SGSN, GGSN, IMS-MGW, MGCF, CSCF, TSGW, HSS, VLR, EIR, AUC, AS, MRF, SMSC; connections to PSTN and other networks, to IPv6 networks, and to the Internet; legend: switched voice/data, packet data, signaling and control.]
UMTS Network Terms [6,7]

BSC (Base Station Controller). Controls and coordinates the function and data flow to/from a group of BTSs that are connected to it.

BTS (Base Transceiver Station). Contains RF and other network elements serving as the air interface between the network and mobile handsets.

GGSN (Gateway GPRS Support Node). Enables packet flow between the SGSN and the outside world, the latter typically the public Internet. This is a relic of GPRS that is also implemented in UMTS. In some vendor implementations, the SGSN and GGSN can reside on the same equipment chassis.

IMS-MGW (IP Multimedia Subsystem - Media Gateway). Routes switched data from the BSC/RNC, via IP, ATM, or other NGN type networks, to the PSTN and other public or private networks. Used in later revisions to UMTS (e.g., Releases 5 and later).

MGCF (Media Gateway Control Function). Controls the Media Gateway, in part, by interacting with network signaling (e.g., SS7). Used in later revisions to UMTS (e.g., Release 5).

RNC (Radio Network Controller). Controls a group of base stations covering a given territory. Same as BSC.

SGSN (Serving GPRS Support Node). Core element of GPRS networks and also used in UMTS. Responsible for routing of packets between the BSC/RNC and the GGSN. More specifically, the SGSN handles: a) encryption, decryption, and authentication of packets, b) session management and communication set-up with the mobile subscriber, c) logical link management to the mobile subscriber, d) packet flow and signaling to/from other nodes (HLR, BSC/RNC, GGSN, etc.), and e) tracks charges to subscriber based on services consumed.

TSGW (Transport Signaling Gateway). Serves as signaling interface (e.g., SSL) between MGW and PSTN.

Signaling Devices, Registers, Controllers

AS (Application Server). Operates in conjunction with the MRF for executing enhanced calling and data services.

AUC (Authentication Center). Stores user information for authentication purposes to prevent unauthorized use of a subscriber’s account.

EIR (Equipment Identity Register). Lists all devices that the network considers valid. If a mobile device is stolen, the EIR would prevent access of this device to the network.

HSS (Home Subscriber Server). Includes the functions of the Home Location Register (HLR) as well as other functions for managing user mobility and multimedia applications over IP networks.

MRF (Media Resource Function). Manages enhanced services and other applications over 3G networks, including voice mail, conferencing, pre-paid calling, messaging, etc.

VLR (Visitor Location Register). When the user moves outside of the home territory of the HLR, the VLR records the presence of the user in a new territory and relays this information back to the user’s home HLR. If the user roams into the network of a different carrier, the new network’s VLR will record this action.
CSCF (Call Session Control Function). Handles call set up and termination, state and event management, billing information, location-based services and other functions according to vendor implementation.

SMSC (SMS Center). System for managing Short Message Service through network signaling.

[Figure 5-2. General overview of a typical 3G mobile network based on CDMA2000 technology. Elements shown: BTS, BSC, MSC, IWF, PDSN, AAA, HLR, VLR, EIR, AUC, AS, MRF, SMSC; connections to PSTN and other networks, and to the Internet; legend: switched voice/data, packet data, signaling and control.]

CDMA2000 Network Terms

AAA (Authentication, Authorization, and Accounting server). Handles user access to the Internet in typical 3G configurations.

BSC (Base Station Controller). Controls and coordinates the function and data flow to/from a group of BTSs that are connected to it.

BTS (Base Transceiver Station). Contains RF and other network elements serving as the air interface between the network and mobile handsets.

IWF (Inter-working Function). Generally serves as a gateway between circuit-switched CDMA networking and outside public switched networks. Different manufacturers provide different levels of
functionality in their IWF systems (e.g., remote access, interface to Internet effectively making the IWF operate as a PDSN).

MSC (Mobile Switching Center). A switch that provides a connection between the local BSC and the MSC of a remote network. The MSC establishes circuit-switched call between two networks, while accounting for signaling (e.g., from SS7 networks).

PDSN (Packet Data Serving Node). Extracts packets from BSC that are destined for transmission over the Internet, and likewise routes packets from the Internet to the BSC.

Signaling Devices, Registers, Controllers

AS (Application Server). Operates in conjunction with the MRF for executing enhanced calling and data services.

AUC (Authentication Center). Stores user information for authentication purposes to prevent unauthorized use of a subscriber’s account.

EIR (Equipment Identity Register). Lists all devices that the network considers valid. If a mobile device is stolen, the EIR would prevent access of this device to the network.

HLR (Home Location Register). Contains user profile and handles updates to billing based on usage of the subscribed to services.

MRF (Media Resource Function). Manages enhanced services and other applications over 3G networks, including voice mail, conferencing, pre-paid calling, messaging, etc.

SMSC (SMS Center). System for managing Short Message Service through network signaling.

VLR (Visiting Location Register). When the user moves outside of the home territory of the HLR, the VLR records the presence of the user in a new territory and relays this information back to the user’s home HLR. If the user roams into the network of a different carrier, the new network’s VLR will record this action.

6. Lawful Interception in 3G Networks

Given both the network topology of each type of network (CDMA2000 and UMTS), plus the ETSI framework for LI, we can visualize where to capture call data (i.e., Interception Related Information or IRI), call content, and where LI management functions flow (Figures 6-1 and 6-2). Note that the notion of “Content of Communications” (otherwise known as call content) and “call data” (which is also designated as Intercept Related Information or IRI) may seem somewhat inappropriate for characterizing packet data. Nevertheless, the terms do have well defined meanings in the context of packet (including IP) data: “call content” represents the bulk data that is intercepted from the target, while “call data” represents information used to set up and tear down a data transmit / receive session between the mobile device and network [8,9,10]. Interception for CDMA networks is formalized in the updated J-STD-025B standard .
CDMA and UMTS are generally very similar in their lawful interception implementations, albeit slight differences do occur. For example, UMTS target identifiers apply the Subscriber Identity Module (or SIM card) ID of the target’s mobile device, whereas CDMA phones do not use these cards. Likewise, interception session set-up can also differ given the at times subtle differences in equipment functions between the two networks.

We emphasize that the diagrams are mainly conceptual and that many of the network elements can be combined into single pieces of equipment. Likewise, the LI information flow does not consider the underlying network transport technology, which can be based on IP, ATM, or other means. The interception functions (designated by the magnifying glasses) may be internal to the equipment (circuit-switched equipment, in particular), through database interrogations, or via equipment installed for the purpose of interception information collection (routers, probes).

[Figure 6-1. Overview of interception points for a UMTS network (Release 5 and later). The designated network elements and network points denote possible points for intercepting data. Usually only one to three of these points need to be intercepted, depending on equipment design, access, and other factors. Legend: interception point X, where X=C denotes Content of Communication and X=D denotes Call Data (IRI); switched voice/data, packet data, signaling and control.]
[Figure 6-2. Overview of interception points for a CDMA2000 network. As in the previous figure, the interception points shown are among a pool of suggested points, but only one to three would typically have to be implemented (based in part on ). Legend: interception point X, where X=C denotes Content of Communication and X=D denotes Call Data (IRI); switched voice/data, packet data, signaling and control.]

Figure 6-3 provides a closer view of the interception topology expected to be found in 3G networks, in this case for circuit-switched network operation. This depiction (based on that published by 3GPP) is sufficiently general to include CDMA2000. In summary, it shows that
• LI management commands are conveyed between the Administrative Function (ADMF) and other network elements via the X1 interface,
• Intercepted call data (IRI) are conveyed via the X2 interface, and
• Intercepted call content are gathered via the X3 interface, which are ultimately conveyed to the LEA via Handover HI3.

Note that X3 can convey both bulk content (bearer) and signaling information. The shaded boxes represent functions performed by Aqsacom’s core product, the ALIS Mediation Platform (discussed further in Section 7). A similar diagram pertaining to packet data services is provided in Figure 6-4.

It is important to understand from Figures 6-3 and 6-4 not the definition of another interface, but rather the separation of the LEA and data gathering functions within the network operator via a mediation function. This separation is the core contribution of the ETSI standard (Figure 4-1). It is this separation that enables
LEAs and network operators to configure interception systems in a generalized manner that covers a wide range of services and technologies, including wireline voice, wireless voice, wired and wireless data, and emerging services such as VOIP.

[Figure 6-3 diagram. Elements and interfaces shown: ADMF with Mediation Function (HI1; X1_1, X1_2, X1_3); MSC Server, GMSC Server; MGW, IWF; Delivery Function 2 with Mediation Function (X2, HI2); Delivery Function 3 with Mediation Function (X3, HI3); LEA Monitoring Center.]

Figure 6-3. Interception interfaces for circuit-switched services within a 3G mobile network (generalized for CDMA2000 and UMTS) (based on ). Functions in shaded boxes are implemented in ALIS (Section 7).

[Figure 6-4 diagram. Elements and interfaces shown: ADMF with Mediation Function (HI1; X1_1, X1_2, X1_3); GSN, PDSN; Delivery Function 2 with Mediation Function (X2, HI2); Delivery Function 3 with Mediation Function (X3, HI3); LEA Monitoring Center.]

Figure 6-4. Interception interfaces for packet data services (including IP) within a 3G mobile network (generalized for CDMA2000 and UMTS) (based on ). Functions in the shaded boxes are implemented in ALIS (Section 7).
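The separation that Figures 6-3 and 6-4 describe (network elements reached only over X1, X2 and X3; the LEA reached only over HI1, HI2 and HI3; the mediation function in between) is modelled in the following Python example. It is an added illustration, not Aqsacom or 3GPP code: the class and method names, the sample identifiers, and the handling of several LEAs with orders on one target are assumptions made for the example.

```python
from collections import defaultdict

class NetworkElement:
    """Intercept point such as an MSC server or GSN: holds target identities, never LEA data."""
    def __init__(self, mediation):
        self.targets = set()
        self.mediation = mediation
        mediation.elements.append(self)

    def x1_command(self, target, active):     # X1: LI management command from the ADMF
        (self.targets.add if active else self.targets.discard)(target)

    def handle(self, subscriber, signalling, bearer=None):
        if subscriber not in self.targets:
            return                            # traffic of non-targets is never copied
        self.mediation.receive("X2", subscriber, signalling)   # call data (IRI)
        if bearer is not None:
            self.mediation.receive("X3", subscriber, bearer)   # content of communication

class Mediation:
    """ADMF plus delivery functions 2 and 3: the only place that knows which LEA asked."""
    HANDOVER = {"X2": "HI2", "X3": "HI3"}

    def __init__(self):
        self.orders = defaultdict(set)        # target -> LEAs with an active order
        self.outbox = defaultdict(list)       # LEA -> [(handover interface, payload)]
        self.elements = []

    def hi1_order(self, lea, target):         # HI1: interception order reaches the ADMF
        if not self.orders[target]:
            for ne in self.elements:
                ne.x1_command(target, True)   # first order for this target: activate once
        self.orders[target].add(lea)

    def hi1_cancel(self, lea, target):
        self.orders[target].discard(lea)
        if not self.orders[target]:
            for ne in self.elements:
                ne.x1_command(target, False)  # last order withdrawn: stop copying traffic

    def receive(self, x_interface, target, payload):
        for lea in sorted(self.orders[target]):
            self.outbox[lea].append((self.HANDOVER[x_interface], payload))

def demo():
    # Constructed scenario: two LEAs hold orders on the same made-up identity.
    med = Mediation()
    ne = NetworkElement(med)
    med.hi1_order("LEA-1", "imsi-001")
    med.hi1_order("LEA-2", "imsi-001")
    ne.handle("imsi-001", "call setup", bearer=b"voice frame")
    ne.handle("imsi-999", "call setup", bearer=b"other call")   # not a target
    med.hi1_cancel("LEA-1", "imsi-001")
    ne.handle("imsi-001", "call release")
    return med, ne
```

Calling demo() leaves LEA-1 with only the records delivered while its order was active, while LEA-2 also receives the later release event; the network element's state never contains an LEA name.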
Additional Information on 3G Interception

Location-Dependent Interception

The issue of location of the interception target may come into play for two reasons: 1) to simply track the location of the target and 2) to restrict lawful interception, as authorized by a given LEA, to only the geographical territory representing the jurisdiction of the LEA.

Execution of the first remains rather vague in that no formal standards have been introduced to formally track the movement of a target for lawful interception purposes, as useful as this information may appear. One reason is that the target may cross boundaries controlled by different LEAs, not all of whom have authorized the interception. Another reason is that the required accuracy, typically to within the range of the nearest base station, may not be adequate to pinpoint the location of the target. Technical means are generally available to enhance the accuracy of position determination, such as through Global Positioning Satellite (GPS), triangulation methods which apply multiple towers, statistical methods that track the motion of the target, or any combination of these. Nevertheless, formal LI procedures incorporating these methods have yet to be introduced.

In the second case, when a moving target’s communications must be intercepted, a check must be made to ensure that the corresponding LEA initiating the interception can in fact receive intercepted information from the IA where the target is located at a given point in time. As mentioned above, a given BSC may traverse many different Interception Areas (IAs), with each area defined by a set of BTS cells within the BSC. Therefore, these IAs may correspond to different jurisdictions. Checks for valid IAs, when such checks are called for, are performed by the delivery functions and other network elements such as the MSC, GMSC, CSCF, and IWF.

There is also the notion of geographic vs. identity-driven interception. The first is when all subjects at a given location become targets of an LI procedure. This can be useful when tracking the presence of targets in sparsely populated (subscriber-wise) zones. Identity-driven LI is the more common form of LI where targets are identified by specific identity information (e.g., the SIM card’s International Mobile Subscriber Identity or IMSI, the handset’s International Mobile Equipment Identity or IMEI). In both cases, novel target detection methods must be employed to include the notion of location in the surveillance.

Wi-Fi and WiMAX interception

Although not technically 3G services, we mention Wi-Fi and WiMAX for the sake of completeness since these services could constitute reasonable replacements for the 3G services. LI could take place at two levels: at the RF level where wireless “sniffers” are used to detect the presence of the Wi-Fi or WiMAX signals and their traffic. These sniffers are essentially constructed with wireless base stations operating in a “promiscuous mode” where all OSI Layer 2/3 addresses are sensed and sent to a protocol analyzer. Alternatively, traffic over these networks could be monitored along wired
trunks feeding the base stations. Of course, access to the trunk lines or base stations would be required. See our companion White Paper Lawful Interception for IP Networks (Aqsacom Document 040451) for more details on the interception of IP networks, which would equally apply to wireless IP networks.

7. Aqsacom’s ALIS Mediation Function Platform

The Aqsacom real time Lawful Interception System, known as ALIS, reflects AQSACOM’s ongoing philosophy of meeting the challenges of lawful interception in a highly systematic, low cost manner over networks supporting a diversity of services. The platform makes the deployment of lawful interception systems easier for the communications operator, while simplifying the processes of data collection and analysis by the law enforcement agency (LEA). It also addresses the growing lawful interception needs and requirements of newly emerging services, including those based on wireless 3G, broadband IP, voice-over-IP, and other technologies.

The overall architecture of the ALIS system is shown in Figure 7-1. The system’s client/server layered architecture comprises two functional entities: ALIS-M for target provisioning and ALIS-D for the mediation and delivery of interception content. Both ALIS-M and ALIS-D may reside on the same computing and data collection platform, or they may reside on separate platforms. If necessary, ALIS-D platforms may be distributed throughout networks depending on the services, geography, and anticipated surveillance load to be supported. Central Management facilities are also available.

Figure 7-1. Architecture of the Aqsacom ALIS platform.
Features and functions of ALIS include:

Provisioning
ALIS-M is responsible for provisioning a lawful interception session. Specific tasks of provisioning include start, stop, query and modification of lawful interception operations. These tasks are generally invoked by the LEA, and securely communicated to ALIS, which typically resides within the network operator’s premises. Provisioning falls under the ADMF (Administrative Management Function), discussed in Figures 6-3 and 6-4 above. ALIS’ user-friendly graphical interface allows for the easy automation of many operational interception tasks, such as the automatic triggering or stopping of an interception operation at predefined dates and times.

Mediation and Delivery Management
Mediation is carried out by the ALIS-D platform, which gathers data from diverse intercept points within the network, formats the data, and delivers the information to the LEA over a secure network (typically a VPN, secure FTP, and ISDN). As discussed in Section 4, intercept data takes the form of Call Data (otherwise known as Intercept Related Information) and Content of Communication (Call Content). Both types of data are delivered via separate channels. The data are also formatted by ALIS-D to conform to national standards such as CALEA, etc. This format typically conforms to ASN.1 notation. To ensure reliable real time delivery of interception information to the LEA, ALIS implements adequate buffering to account for nominal transmission outages or other unforeseen interruptions between the network operator and LEA.

Multi-administration
More than one LEA can independently manage surveillance sessions over one ALIS platform. All data flows are secured to ensure that no interception data are leaked between LEAs, even when tracking the same target.

Secure Access
Clearly the ALIS, as any lawful interception system, must have highly controlled and secure access allowing for operation only by cleared personnel. Aqsacom takes this point very seriously, and has incorporated a number of safeguard technologies to assure secure access. These technologies include smart tokens and biometrics.

Alarms, Statistics, Logging
ALIS provides a wide array of alarms (e.g., notification when a session is interrupted), statistics (number of active interceptions in a given interval in time, utilization of LI system resources), consistency checking, audit, and logs for tracking of past LI events.

Billing
ALIS can be adapted to a variety of billing plans where the network operator invoices the LEA. These plans include billing on a per-LI session basis, per LI change basis, flat rate, per special service, and other plans. Likewise, billing can be configured to facilitate the operation of a LI service bureau, where several network operators share a common LI infrastructure. In this case, billing can be addressed to the subscribing network operator, or one of many LEAs ordering the interception request. This configuration is attractive to those operators that are too small to invest in LI equipment and who claim that the frequency of LI requests from LEAs is not sufficient to justify the investment.
Hardware / Operating System
ALIS makes use of off-the-shelf industrial strength PC hardware. This allows for easy parts replacement and reduced cost. All software runs under the Windows 2000 and LINUX operating systems.

ALIS and 3G Networks

Figure 7-2 depicts the implementation of ALIS as a mediation platform in a UMTS network. The network configuration follows the generalized views introduced in Sections 5 and 6. Of note are the call data, call content, and LI management paths leading between ALIS-D and ALIS-M and the appropriate network elements and functions. Figure 7-3 provides a similar diagram for CDMA2000, where the LI network configuration is quite similar. In both diagrams, we depict a number of different possibilities as to where ALIS-D can receive interception data – not all the connections to ALIS specified in these figures need to be implemented.

[Figure 7-2 diagram. Network elements shown: BTS, BSC / RNC, SGSN, GGSN, IMS-MGW, CSCF, MGCF, MRF, HSS, VLR, EIR, AUC, AS, SMSC, TSGW, together with ALIS-m, ALIS-d and LEA 1 ... LEA n (reached via VPN, ISDN, FTP). External connections: to IPv6 networks; to PSTN, other networks; to Internet. Legend: switched voice/data; packet data; signaling and control; LI management; Content of Communication; Call Data (IRI).]

Figure 7-2. Role of ALIS in the interception of UMTS 3G mobile networks (Release 5 and later).
[Figure 7-3 diagram. Network elements shown: BTS, BSC, MSC, IWF, HLR, VLR, EIR, AUC, MRF, SMSC, PDSN, AS, AAA, together with ALIS-m, ALIS-d and LEA 1 ... LEA n (reached via VPN, ISDN, FTP). External connections: to PSTN, other networks; to Internet. Legend: switched voice/data; packet data; signaling and control; LI management; Content of Communication; Call Data (IRI).]

Figure 7-3. Role of ALIS in the interception of CDMA 3G mobile networks.

8. Summary

This White Paper has presented an overview of 3G mobile services and methods supporting the lawful interception of targets subscribing to these services. The LI processes are delineated by architectures, such as those specified by ETSI, 3GPP, ANSI, and other standards bodies, that facilitate systematic implementations and provisioning of lawful interception systems. However, challenges to lawful interception remain, including the need to support a diversity of: services, vendor technologies, wireless networking technologies, voice, and a multiplicity of high speed data services.

Aqsacom’s ALIS mediation platform offers a comprehensive solution to the above challenges, while conforming to emerging mainstream architectures and regulations worldwide in lawful interception:

No Network Modifications
Designed for seamless integration and interoperation with existing mobile networks, ALIS interoperates with switching and networking equipment from most major vendors.
This equipment vendor independence ensures that no network modifications are needed to support lawful interception, and that networks comprising a mix of vendors can be equally well supported. The result is rapid lawful interception installation, at reduced costs.

Most Technologies and Services Supported
ALIS operates over UMTS and CDMA2000 networks, as well as IP, wireline, and legacy 2G (e.g., GSM) networks. Thus, subscribers to a network operator’s mixed service offer of wireline and mobile 3G services can be targeted, regardless of what services they are using. Perhaps more important, operation of the ALIS platform is essentially identical, regardless of the type of service implemented. This allows the operators of the system to quickly adapt to new services; hence, operator training costs diminish.

No Detection by the Mobile Subscriber
Subscribers are completely unaware of whether or not they are being tracked, thanks to Aqsacom’s patented use of signalling information that is inherently processed within mobile networks.

No Detection by the Mobile Subscriber
Standards-compliance also means interoperability of the network with the LEA. Thus a LEA’s investment in analysis tools remains intact as new networks and services come on line.

ALIS’ complete set of functionalities
The comprehensive set of features and capabilities of the ALIS platform ensures easy, reliable, and secure operation of the system from both the network operator’s and LEA’s point of view.