Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Lawful Intercept on Junos Multi-Access User Plane

Lawful intercept is a process for obtaining communications network data related to a target individual or organization, as authorized by a judicial or administrative order.

Junos Multi-Access User Plane supports 4G and 5G compliance for lawful interception. You can lawfully intercept up to two percent of the maximum subscribers that the platform supports.

Lawful intercept on the Junos Multi-Access User Plane supports graceful Routing Engine switchover (GRES). It does not currently support unified ISSU.

Lawful Intercept on 4G Networks

The Junos Multi-Access User Plane supports 4G-compliant lawful intercept only over the System Architecture Evolution Gateway-User Plane (SAEGW-U).

Figure 1 shows the entities involved in lawful interception on 4G networks and the interfaces between them.

Figure 1: Lawful intercept on 4G networks Lawful intercept on 4G networks

The process for lawful interception on 4G networks is as follows:

  1. The Administrative Function (ADMF) performs the overall management of the lawful intercept system. It sends signals containing targeting information to the control plane over the X1 interface. The ADMF also informs the control plane which subscribers’ traffic to duplicate and to send to the law enforcement agency.

  2. The control plane (SAEGW-C) triggers the user plane over the Sx interface to start duplicating the subscriber traffic. It also sends the address of the Mediation and Delivery Function (MDF) to which the data is to be forwarded.

  3. The Junos Multi-Access User Plane (SAEGW-U) sends the duplicated traffic to the split X3 lawful intercept internetworking function (SX3LIF) over the X3u interface. The SX3LIF then forwards it to the MDF over the X3 interface.

  4. The MDF derives the intercept-related information from the LI_X3 headers sent along with the duplicated traffic. It then forwards the intercepted traffic to the law enforcement agency over the HI3 interface.

Lawful Intercept on 5G Networks

The Junos Multi-Access User Plane supports 5G-compliant lawful intercept only over the user plane function (UPF) or content of communication point of interception (CC-POI).

Figure 2 shows the entities involved in lawful interception on 5G networks and the interfaces between them.

Figure 2: Lawful intercept on 5G networks Lawful intercept on 5G networks

The process for lawful interception is as follows:

  1. The Administrative Function (ADMF) performs the overall management of the lawful intercept system. It sends signals containing targeting information to the control plane over the LI_X1 interface. It also informs the control plane which subscribers’ traffic to duplicate and to send to the law enforcement agency.

  2. The control plane (SMF) triggers the user plane over the LI_T3 interface to start duplicating the subscriber traffic. It also sends the address of the Mediation and Delivery Function (MDF) to which the data is to be forwarded.

  3. The Junos Multi-Access User Plane (UPF) sends the duplicated traffic to the MDF over the LI_X3 interface.

  4. The MDF derives the intercept-related information from the LI_X3 headers sent along with the duplicated traffic. It then forwards the intercepted traffic to the law enforcement agency over the HI3 interface.

Requirements for Lawful Intercept

To configure lawful intercept for 4G networks, you must:

  • Configure a loopback address on the Junos Multi-Access User Plane. This address is used as the source address for the lawfully intercepted traffic.

  • Configure the destination address of the IPsec peer on the Junos Multi-Access User Plane under the [edit services mobile-edge gateways saegw system destination] hierarchy.

To configure lawful intercept for 5G networks, you must:

  • Set the loopback address to 127.0.0.1/32 on the Junos Multi-Access User Plane. This address is used as the source address for the lawfully intercepted traffic.

  • Configure the destination address of the IPsec peer on the Junos Multi-Access User Plane under the [edit services mobile-edge gateways saegw system destination] hierarchy.

  • Configure the HTTPS server on the Junos Multi-Access User Plane using the REST-API under the [edit system services rest https-5g] hierarchy.

    For more information on the REST API, see Configuring the REST API.

    For information on certificate authority and public key infrastructure, see PKI in Junos OS.

  • (Optional) Configure the connection limit for the REST-API. We recommend this configuration to enhance the performance of lawful intercept.

Security Considerations for Lawful Intercept

Due to its nature, lawfully intercepted data must be transmitted in a secure manner. The 3GPP standards require that lawful intercept traffic on 5G networks must be sent to the Mediation and Delivery Function (MDF) using Transport Layer Security (TLS).

The Junos Multi-Access User Plane does not support TLS, but can send lawful intercept traffic to the MDF over IPsec tunnels. When using IPsec on the Junos Multi-Access User Plane, make sure that you:

  • Configure the virtual multiservices interfaces and the next-hop-style service set.

    Use the following commands to configure the virtual multiservices interfaces:

    Use the following commands to configure a next-hop-style service set:

    The inside-service-interface must be a service interface logical unit that is configured with service-domain inside The outside-service-interface must be a service interface logical unit that is configured with service-domain outside.

  • Configure the Internet Key Exchange (IKE).

    For more information on IKE, see Internet Key Exchange (IKE) for IPsec VPN.

  • Use the IPsec tunnel mode.

    Note:

    To use IPsec, you must have an MX-SPC3 services card installed on your device.

    For more information on configuring IPsec tunnels, see IPsec VPN Configuration Overview.

If IPsec cannot be used, we recommend using a content of communication point of aggregation (CC-PAG) device, which encrypts the data using TLS before sending it to the MDF.

Note:

You can still lawfully intercept traffic on 5G networks without configuring IPsec. However, we recommend that you use IPsec to comply with 3GPP standards.

The LI_T3 interface between the SMF and UPF supports TLS encryption. You can enable this by configuring a server certificate and mutual authentication on the local HTTPS server under the [edit system services rest https-5g] hierarchy.