Lawful Interception

Overview

ETSI describes the Lawful Interception function in the TS 103 221-1 and TS 103 221-2 standards. 6WIND Virtual Service Router implements the Network Equipment Lawful Interception function.

By default, once activated, all Virtual Service Router traffic may be intercepted according to Task Target Identifiers. Lawful Interception can be restricted to a specific VRF.

Note

If Task Target Identifiers do not identify a unique object, no interception will be performed.

Supported Target Identifiers

The following table lists the Target Identifier combinations that 6WIND Virtual Service Router supports.

Target Identifier    Supported
Radius               Yes

Configuration examples

By default, Lawful Interception is disabled. To activate it, configure X1, X2 and X3 using the control (for X1) and delivery (for X2 and X3) keywords.

The Lawful Interception configuration requires at least 3 certificates to be imported:

- The Virtual Service Router machine certificate.
- The ADMF certificate store.
- The MDF certificate store.

vsr running config# / vrf main lawful-interception control identifier admf
vsr running config#! / vrf main lawful-interception control local-certificate vsr_cert
vsr running config#! / vrf main lawful-interception control trust certificate-store admf_cert
vsr running config#! / vrf main lawful-interception delivery local-certificate vsr_cert
vsr running config#! / vrf main lawful-interception delivery trust certificate-store mdf_cert

See also

The Import certificate command reference for details.

The state of the lawful-interception service configuration can be checked with the following command:

vsr> show state / vrf main lawful-interception
lawful-interception
    enabled true
    control
        idle-probe-interval 3600
        idle-probe-timeout 60
        port 443
        identifier admf
        local-certificate vsr_cert
        trust
            certificate-store admf_cert
            ..
        ..
    delivery
        keepalive-interval 60
        keepalive-timeout 180
        local-certificate vsr_cert
        trust
            certificate-store mdf_cert
            ..
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute vrf main lawful-interception
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <lawful-interception xmlns="urn:6wind:vrouter/lawful-interception">
      <enabled>true</enabled>
      <control>
        <idle-probe-interval>3600</idle-probe-interval>
        <idle-probe-timeout>60</idle-probe-timeout>
        <port>443</port>
        <identifier>admf</identifier>
        <local-certificate>vsr_cert</local-certificate>
        <trust>
          <certificate-store>admf_cert</certificate-store>
        </trust>
      </control>
      <delivery>
        <keepalive-interval>60</keepalive-interval>
        <keepalive-timeout>180</keepalive-timeout>
        <local-certificate>vsr_cert</local-certificate>
        <trust>
          <certificate-store>mdf_cert</certificate-store>
        </trust>
      </delivery>
    </lawful-interception>
  </vrf>
</config>
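
The XML above can be audited offline to confirm that both the control (X1) and delivery (X2, X3) sections reference a local certificate and a trust certificate-store. The following is an added example, not 6WIND code; the function name `audit_li`, the finding strings and the sample input are assumptions made for illustration, while the namespaces and element names are taken from the XML on this page.

```python
import xml.etree.ElementTree as ET

# Namespaces copied from the XML shown on this page.
NS = {"vr": "urn:6wind:vrouter", "li": "urn:6wind:vrouter/lawful-interception"}

# Leaves each section must carry so that the three imported certificates
# (machine certificate, ADMF store, MDF store) are all referenced.
REQUIRED = {
    "control": ["li:local-certificate", "li:trust/li:certificate-store"],
    "delivery": ["li:local-certificate", "li:trust/li:certificate-store"],
}

def audit_li(xml_text):
    """Return {vrf_name: [findings]} for every VRF carrying lawful-interception."""
    root = ET.fromstring(xml_text)
    report = {}
    for vrf in root.findall("vr:vrf", NS):
        name = vrf.findtext("vr:name", default="?", namespaces=NS)
        li = vrf.find("li:lawful-interception", NS)
        if li is None:
            continue  # this VRF has no lawful-interception container
        findings = []
        if li.findtext("li:enabled", default="", namespaces=NS).strip() != "true":
            findings.append("lawful-interception not enabled")
        for section, leaves in REQUIRED.items():
            node = li.find("li:" + section, NS)
            for leaf in leaves:
                value = node.findtext(leaf, namespaces=NS) if node is not None else None
                if not (value or "").strip():
                    findings.append(f"{section}: missing {leaf.replace('li:', '')}")
        report[name] = findings
    return report

# Constructed sample: the page's configuration with the delivery trust store removed.
SAMPLE_BROKEN = """<config xmlns="urn:6wind:vrouter"><vrf><name>main</name>
<lawful-interception xmlns="urn:6wind:vrouter/lawful-interception">
<enabled>true</enabled>
<control><port>443</port><identifier>admf</identifier>
<local-certificate>vsr_cert</local-certificate>
<trust><certificate-store>admf_cert</certificate-store></trust></control>
<delivery><local-certificate>vsr_cert</local-certificate></delivery>
</lawful-interception></vrf></config>"""

if __name__ == "__main__":
    for vrf, findings in audit_li(SAMPLE_BROKEN).items():
        print(vrf, findings or "OK")
```

Feed it the output of `show config xml absolute vrf main lawful-interception` with the prompt line removed; an empty findings list means every certificate reference is present.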