WO2023113661A1 - Communication network devices and methods for lawful interception traffic monitoring - Google Patents

Info

Publication number
WO2023113661A1
Authority
WO
WIPO (PCT)
Prior art keywords
liph
traffic
policy
vnf
network device
Application number
PCT/SE2021/051256
Other languages
English (en)
Inventor
Biagio Maione
Dario DE VITO
Antonio Vitiello
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
                • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/08 Configuration management of networks or network elements
                • H04L 41/0894 Policy-based network configuration management
        • H04L 43/00 Arrangements for monitoring or testing data switching networks
            • H04L 43/02 Capturing of monitoring data
                • H04L 43/028 Capturing of monitoring data by filtering
            • H04L 43/06 Generation of reports
                • H04L 43/065 Generation of reports related to network devices
            • H04L 43/20 Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV

Definitions

  • the invention relates to a communication network device hosting a virtualised network function, VNF, which includes a lawful interception, LI, application level controller.
  • the invention further relates to a communication network device hosting a VNF which includes an LI policy handler function, LIPH.
  • the invention further relates to an LI system for a communication network.
  • the invention further relates to a method of providing an LI policy for LI traffic monitoring in a communication network.
  • the invention further relates to a method of performing LI traffic monitoring in a communication network.
  • Figure 1 shows an exemplary Lawful Interception, LI, network and system according to document ETSI GR NFV-SEC 011 V1.1.1.
  • Figure 1 shows a simplified high level trusted virtualised LI architecture with an embedded virtualized point of interception, vPOI. Entities are logically represented, therefore it does not necessarily reflect separate physical entities. Entities will be described herein for a non-virtualized environment and then for a virtualized environment.
  • the exemplary LI system comprises a Law Enforcement Agency, LEA, network and a Communications Service Provider, CSP, network.
  • LEA is an organization authorized by a lawful authorization based on the applicable jurisdiction to request and receive the results of telecommunications interceptions of an interception target.
  • the target is a person of interest and/or user equipment possessed or used by the person of interest being surveyed by the LEA.
  • Said LEA communicates with the CSP network through a network interface, called Handover Interface, HI.
  • LEA comprises a Warrant Issuing Authority/Warrant Issuing Authority device and a Law Enforcement Monitoring Facility, LEMF.
  • the Warrant Issuing Authority 102 issues an intercept request, e.g. lawful authorization or warrant, to the CSP through a first Handover Interface, HI1.
  • the LEMF collects the intercepted information of the interception target.
  • the LEMF communicates with an LI site through a second Handover Interface, HI2, for receiving Intercept Related Information, IRI, and through a third Handover Interface, HI3, for receiving Content of Communication, CC.
  • Interfaces HI1, HI2, and HI3 are specified in more detail in the ETSI TS 102 232-1 V3.21.1 standard, “Lawful Interception (LI); Part 1: Internal Network Interface X1 for Lawful Interception”.
  • Entities within the CSP network communicate through internal network interfaces.
  • the LI site comprises an LI Administration Function, ADMF, and a Mediation and Delivery Function, MF/DF.
  • the LI ADMF communicates with the MF/DF through an X1_2 interface and an X1_3 interface.
  • the LI ADMF generates, based on said received intercept request, a warrant comprising one or more interception target identities, and sends the warrant to a Point Of Interception, POI, 107, within an NE via an interface denoted by X1_1; the NE is an entity that performs the interception.
  • Said POI detects the interception target communication, derives the IRI or CC from the target communications, and delivers the POI Output to the MF/DF.
  • IRI-POI delivers Intercept Related Information to the MF through an X2 interface.
  • CC-POI delivers CC to the MF through an X3 interface.
  • IRI is a collection of information or data associated with telecommunications services involving the interception target identity, specifically call associated information or data (e.g. unsuccessful call attempts), service associated information or data (e.g. service profile management by subscriber) and location information.
  • the CC is information exchanged between two or more users of a telecommunications service, excluding IRI.
  • the MF receives IRI and CC and transforms them from internal interface format to Handover Interface format.
  • the DF will then handle dispatching of said data to the one or more designated LEAs 101.
  • in an NFV, Network Functions Virtualization, environment, MF/DF and POI may be embedded within a virtualized Network Function, VNF, hosted by a network device.
  • an X1_DC interface is used by a virtualized POI, vPOI, and virtualized MF/DF, vMF/vDF, to inform each other of changes (e.g. scaling or mobility) in the virtualized environment.
  • An NFV Management and Orchestration function, MANO, and/or a Security Orchestrator, SO, handle the management and orchestration of all resources in a virtualized data center including computing, networking, storage, and virtual machine, VM, resources.
  • An LI controller is responsible for creating, modifying, deleting, and auditing vPOI and vMF/vDF configuration during their lifecycle.
  • the LI controller is composed of two sub-functions: LI controller at network service application level, called LI App Controller, and LI controller at NFV level, called LI NFV controller.
  • LI App Controller and LI ADMF communicate through an LI-OS-0 interface; LI App controller and vPOI communicate through an X0_1 interface; LI App controller and vMF/vDF communicate through an X0_2 interface.
  • the LI NFV controller is managed by the LI App controller via an LI-OS-1 interface.
  • X1_DC, X0_1, X0_2, LI-OS-0 and LI-OS-1 interfaces are specified in more detail in ETSI GR NFV-SEC 011 V1.1.1.
  • a Lawful Interception Routing Proxy Gateway can be used to provide a Handover Interface proxy function to isolate the LEMF 103 and prevent the LEMF from being visible to MANO. This function is optional.
  • vPOIs may be embedded within a “target” VNF, i.e. a VNF at which a traffic event is received, or may be implemented as a separate LI VNF (a “non-embedded” vPOI) deployed in a secured location to perform LI for a target VNF.
  • Non-embedded vPOIs have several major limitations. Firstly, being external to the target VNF, they can only operate using communications content and metadata that is available external to the target VNF. VNFs may implement span ports or similar monitoring ports for external POIs, but these tend to be unreliable if the VNF is under high service load (legacy span ports tend to be low CPU priority). Moreover, non-embedded vPOIs are limited to utilizing the communications links around a VNF and are therefore limited by any encryption being applied to those links and cannot recreate the internal state machines of the application layer VNF functions.
  • a first aspect provides a communication network device hosting a virtualised network function, VNF, which includes a lawful interception, LI, application level controller.
  • the communication network device comprises interface circuitry, at least one processor and memory comprising instructions which when performed by the at least one processor cause the communication network device to perform operations as follows.
  • the message includes at least one lawful interception policy to be applied by the LIPH to perform traffic monitoring of traffic events.
  • the LI application level controller may enable different LI policies to be provided to an LIPH to vary how traffic monitoring is performed at embedded and non-embedded vPOIs in a communication network.
  • the communication network device may enable improved flexibility in the network design for LI functionalities and may enable LI policies to be changed without requiring vPOIs to be reinitialised, so an LI policy may be applied even at run time.
  • Providing LI policies to an LIPH may enable LI policy applied at a vPOI, for example, in terms of applicable traffic type and target type, to be quickly changed.
  • Providing LI policies to an LIPH may enable LI traffic monitoring to be performed based on a target type, without updating a target list, and may enable monitoring of a specific traffic type to be turned on or off without using normal operations and management, O&M, signalling.
  • the at least one lawful interception policy specifies at least one traffic type to be monitored and specifies traffic event data to be sent to a virtual point of interception, vPOI. This may enable LI traffic monitoring to be performed at a vPOI without requiring all received traffic to be provided to the vPOI, such as would occur in the case of a span port.
  • the operations further include determining the at least one traffic type to be monitored based on information indicative of a network slice to which the LIPH is instantiated. This may enable the application of different LI policies depending on the network slice.
  • a second aspect provides a communication network device hosting a virtualised network function, VNF, which includes a lawful interception policy handler function, LIPH.
  • the communication network device comprises interface circuitry, at least one processor and memory comprising instructions which when performed by the at least one processor cause the communication network device to perform operations as follows.
  • the message includes at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events received by a target VNF.
  • An operation of applying the at least one lawful interception policy to traffic events received by the target VNF to obtain traffic event data from the traffic events.
  • the LIPH may enable different LI policies to be provided to embedded and non-embedded vPOIs to vary how LI traffic monitoring is performed.
  • the LIPH may enable improved flexibility in the network design for LI functionalities and may enable LI policies to be changed without requiring vPOIs to be reinitialised, so an LI policy may be applied even at run time.
  • the LIPH may enable LI policy to be applied by a vPOI, for example, in terms of applicable traffic type and target type, to be quickly changed.
  • Receiving LI policy in this way may enable the LIPH to apply traffic monitoring based on a target type, without updating a target list, which may enable monitoring of a specific traffic type to be turned on or off without using normal O&M signalling.
  • the operation of applying the at least one lawful interception policy comprises filtering traffic events received by the target VNF according to the at least one LI policy to obtain traffic event data from the traffic events. This may reduce the amount of data that is sent to a vPOI for LI traffic monitoring, thus reducing the amount of data transmitted over the communication network, which may reduce network load and may improve security.
  • the at least one LI policy specifies at least one traffic type to be monitored and specifies traffic event data to be sent to the vPOI. This may reduce the amount of data that is sent to a vPOI for LI traffic monitoring, thus reducing the amount of data transmitted over the communication network, which may reduce network load and limit the carbon footprint of LI functionalities, and may improve security.
  • traffic event data comprises intercept related information and content of communication. This may reduce the amount of data sent to a vPOI to just the information and content required for LI traffic monitoring and generation of xIRI and xCC messages at the vPOI.
  • the VNF including the LIPH is the target VNF and the vPOI is provided as a further VNF separate to the target VNF.
  • the LIPH is advantageously able to be deployed for non-embedded vPOIs, which may enable LI policies applied at non-embedded vPOIs to be updated without requiring reinitialization of vPOIs.
  • the obtained traffic event data is sent to the vPOI on at least one LI interface between the LIPH and the vPOI.
  • Using an LI interface may avoid the need to mirror the entire traffic towards the vPOI, so that only data required for LI traffic monitoring at the vPOI is sent to the vPOI.
  • the at least one LI interface between the LIPH and the vPOI is an LI interface based on the LI_X2 or LI_X3 interface defined in ETSI TS 103 221-2. Basing the LI interface on existing LI interfaces may enable what has been implemented for the LI X2 and X3 interfaces to be re-used.
  • the vPOI is provided as a further VNF separate to the target VNF and the VNF including the LIPH is the vPOI.
  • the LIPH is advantageously able to be deployed for non-embedded vPOIs, which may enable LI policies applied at non-embedded vPOIs to be updated without requiring reinitialization of vPOIs.
  • the VNF including the LIPH is the target VNF and additionally includes the vPOI, and wherein the LIPH is included within the vPOI.
  • the LIPH is advantageously able to be deployed for embedded vPOIs, which may enable LI policies applied at embedded vPOIs to be updated without requiring reinitialization of vPOIs.
  • a third aspect provides a lawful interception, LI, system for a communication network.
  • the LI system comprises a communication network device hosting a virtualised network function, VNF, which includes a lawful interception, LI, application level controller.
  • the communication network device comprises interface circuitry, at least one processor and memory comprising instructions which when performed by the at least one processor cause the communication network device to perform operations as follows.
  • the message includes at least one lawful interception policy to be applied by the LIPH to perform traffic monitoring of traffic events.
  • the LI system further comprises a communication network device hosting a virtualised network function, VNF, which includes a lawful interception policy handler function, LIPH.
  • the communication network device comprises interface circuitry, at least one processor and memory comprising instructions which when performed by the at least one processor cause the communication network device to perform operations as follows.
  • the message includes at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events received by a target VNF.
  • An operation of applying the at least one lawful interception policy to traffic events received by the target VNF to obtain traffic event data from the traffic events.
  • the LI system further comprises an LI interface between the LI application level controller and the LIPH.
  • a fourth aspect provides a method of providing a lawful interception, LI, policy for LI traffic monitoring in a communication network.
  • the method comprises the following steps at an LI application level controller.
  • a message to be sent to a lawful interception policy handler function, LIPH, is generated.
  • the message includes at least one LI policy to be applied by the LIPH to perform LI traffic monitoring of traffic events.
  • the message is sent to the LIPH on an LI interface between the LI application level controller and the LIPH.
  • a fifth aspect provides a method of performing lawful interception, LI, traffic monitoring in a communication network.
  • the method comprises the following steps at an LI policy handler.
  • a message is received from a lawful interception, LI, application level controller, on an LI interface between the LI application level controller and the LIPH.
  • the message includes at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events received by a target VNF.
  • the at least one LI policy is applied to traffic events received by the target VNF to obtain traffic event data from the traffic events. Obtained traffic event data is sent to a virtual point of interception, vPOI.
  • a sixth aspect provides a computer program comprising instructions which when performed by at least one processor cause the at least one processor to perform any of the above steps of the method of providing a lawful interception, LI, policy for LI traffic monitoring in a communication network.
  • a seventh aspect provides a computer program comprising instructions which when performed by at least one processor cause the at least one processor to perform any of the above steps of the method of performing lawful interception, LI, traffic monitoring in a communication network.
  • Figure 1 is a block diagram of an exemplary LI network and system according to the prior art.
  • Figures 2 to 9 are block diagrams illustrating embodiments of communication network devices.
  • Figures 10 and 11 are block diagrams illustrating embodiments of lawful interception systems.
  • Figures 12 to 16 are block diagrams illustrating embodiments of lawful interception systems.
  • Figures 17 and 18 are flowcharts illustrating embodiments of method steps.
  • an embodiment provides a communication network device 100 hosting a virtualised network function, VNF, 120 which includes a lawful interception, LI, application level controller 122.
  • the communication network device comprises interface circuitry 102, a processor 104 and memory 106 comprising instructions 110 which when performed by the processor cause the communications network device to perform operations of: generating a message to be sent to a lawful interception policy handler function, LIPH, 222 the message including at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events; and sending the message to the LIPH on an LI interface 112 between the LI application level controller and the LIPH.
  • the LI Controller is composed of two management functions, one at application level and one at network functions virtualization, NFV, level, with a different logical interface at each level.
  • the LI Controller creates, modifies, deletes and audits the vPOI and the virtual mediation and distribution function, vMF/vDF, configuration during their lifecycle. It does not handle LI target administration.
  • the LI Controller has two sub-functions: LI controller at network service application level (referred to herein as the “LI Application level controller”); and LI controller at NFV level.
  • the LI application level controller performs the following functions:
  • Activate, configure and audit the configuration of vPOI and/or vMF/vDF, e.g. configure certificates for SSL, modify triggering options and apply national parameters.
  • the at least one LI policy specifies at least one traffic type to be monitored and specifies traffic event data to be sent to a virtual point of interception, vPOI.
  • the operations further include determining the at least one traffic type to be monitored based on information indicative of a network slice to which the LIPH is instantiated.
  • Network slicing enables the creation of parallel, virtualized and mutually isolated networking solutions that share a common, distributed cloud infrastructure.
  • a Network Slice is a separate logical mobile network that provides specific network capabilities and network characteristics.
  • Each Network Slice Instance (NSI) has its own required resources (e.g. compute, storage and networking resources) which form a deployed Network Slice.
  • the creation of a slice can be triggered not only by a telco operator or 3rd parties (tenants), but in some cases also by the end-users.
  • the network slicing technology is seen as one of the key foundations of the 5G network.
  • each of, for example three, network slices may have a respective LIPH instance 222 in respective vPOIs 424, 524 provided in respective VNFs 420, 520.
  • the LI application level controller 122 operations include determining the traffic type to be specified in LI policies sent to the LIPHs in the three network slices according to the respective network slice in which each LIPH is instantiated.
  • the LI application level controller enables different LI policies to be applied at vPOIs (regardless of whether they are embedded or not), depending on the network slice traffic type and LI requirements. This advantageously reduces the amount of traffic data sent over slice-internal and slice-external interfaces.
  • an embodiment provides a communication network device 200 hosting a virtualised network function, VNF, 220 which includes a lawful interception policy handler function, LIPH, 222.
  • the communication network device comprises interface circuitry 202, a processor 204 and memory 206 comprising instructions 210 which when performed by the processor cause the communication network device to perform operations of: receiving a message from an LI application level controller 122, on an LI interface 112 between the LI application level controller and the LIPH, the message including at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events received by a target VNF; applying the at least one lawful interception policy to traffic events received by the target VNF to obtain traffic event data from the traffic events; and sending obtained traffic event data 226 to a virtual point of interception, vPOI.
  • a Point-of-Interception, POI, is a VNF internal interception function that detects a target communication, derives intercept related information and/or communication content from the target communication and delivers the POI output to the mediation function.
  • POIs may be divided into two categories: directly provisioned POIs; and triggered POIs.
  • Directly provisioned POIs detect an LI target’s communications that need to be intercepted, and then obtain intercept related information, IRI, and/or communication content, CC, from the target communications.
  • Triggered POIs detect target communications based on a trigger received from an associated Triggering Control Function, TCF, and then obtain IRI and/or CC of target communications.
  • a TCF is an LI specific VNF which: fully meets LI security requirements for holding and processing sensitive LI information (e.g., target lists); is provisioned with the full target list by the LI ADMF (or at least that portion of the target list applicable to the vPOI(s) that the TCF is managing); is responsible for processing signalling session information for all communications visible to the VNF instance in which the vPOI is embedded; is responsible for identifying which traffic events match the target list provided by the LI ADMF; and is responsible for informing the vPOI to start and stop intercepting specific communications.
  • a virtual POI, vPOI, is a dedicated LI function which may be either a dedicated VNF component instance within a VNF instance or a separate VNF instance.
  • ETSI GR NFV-SEC 011 on NFV LI Architecture specifies different types of vPOI: embedded vPOI; embedded vPOI with external TCF; and non-embedded vPOI.
  • An embedded vPOI is embedded in the VNF and is a directly provisioned POI, as described above.
  • the requirements for a generic VNF must be mixed with LI requirements, to allow the NE to handle target list, triggering functionalities, warrant provisioning interface and command handling, mediation and delivery functionalities to interact with LI-MF/DF and so on.
  • An embedded vPOl with external TCF is triggered by an external TCF.
  • the requirements for a generic VNF must still be mixed with LI ones, to allow the VNF mediation and delivery functionalities to interact with LI-MF/DF.
  • target list handling, triggering functionalities, warrant provisioning interface and command handling are performed by the TCF.
  • the TCF holds the full target list and drives the VNF to start LI traffic monitoring.
  • the TCF and LI-MF/DF must be located in a secure location fully meeting LI security requirements.
  • a non-embedded vPOI is implemented as a separate VNF deployed in a secured location to perform LI for the target VNF.
  • the operation of applying the at least one LI policy comprises filtering traffic events 230 received by the target VNF according to the at least one LI policy to obtain traffic event data 226 from the traffic events.
  • the at least one LI policy specifies at least one traffic type to be monitored and specifies traffic event data 226 to be sent to the vPOI.
  • the traffic event data 226 comprises intercept related information, IRI, and content of communication, CC.
  • the content of communication, CC is a copy of the content of a traffic event that the LI policy specifies is to be sent to the vPOI.
  • the VNF 220 including the LIPH 222 is the target VNF.
  • the vPOI 224 is provided as a further VNF separate to the target VNF, i.e. the vPOI is a non-embedded vPOI.
  • the LIPH 222 receives a message from an LI application level controller 122, on an LI interface 112 between the LI application level controller and the LIPH.
  • the message includes an LI policy to be applied by the LIPH.
  • the LIPH applies the LI policy to traffic events 230 received by the target VNF 220 to obtain traffic event data from the traffic events.
  • the LIPH sends the traffic event data 226 obtained from the traffic events to the vPOI 224 on an LI interface 240 between the LIPH and the vPOI.
  • the LIPH checks if LI is applicable, based on the LI policy. If LI applies, relevant traffic event data is sent to the non-embedded vPOI. If LI does not apply, no data is sent to the non-embedded vPOI.
  • the LIPH 222 thus implements a Traffic Filtering Service as end-point for the LI interface between the target VNF 220 and the non-embedded vPOI 224.
  • the LI policy applied by the LIPH results in the LIPH sending information for all users, but only for the traffic type specified by the LI policy, needed for the non-embedded vPOI 224 to identify traffic to be monitored based on the content of an LI target list held by the vPOI. There is therefore no ‘span port-like’ traffic, only communications data (intercept related information) and a copy of content of communication of the traffic event needed for the vPOI to perform LI is sent to the vPOI.
  • the LI interface 240 between the LIPH 222 and the vPOI 224 is an LI X2/X3 type interface.
  • X1 is the interface that allows the Lawful Interception system to provision tasks on a Network Function (NF).
  • the X1 interface is specified in ETSI TS 103 221-1, e.g. V1.7.1.
  • X2 is the LI interface that is used to transmit intercepted signalling (intercept related information), and X3 is the interface that is used for transmission of intercepted content (content of communication).
  • the X2 and X3 interfaces are specified in ETSI TS 103 221-2, e.g. V1.4.1.
  • the vPOI 324 is provided as a further VNF separate to the target VNF 320.
  • the VNF including the LIPH 222 in this embodiment is the vPOI 324.
  • a copy of traffic events 230 received by the target VNF 320 is sent to the LIPH 222 in the vPOI 324 via a span port 322.
  • the LIPH applies the LI policy to the copied traffic events 230 received over the span port to obtain traffic event data from the traffic events.
  • the LIPH sends the traffic event data 226 obtained from the traffic events to the vPOI 324.
  • the LIPH 222 thus implements a Traffic Filtering Service as end-point for the LI interface 322 between the target VNF 220 and the non-embedded vPOI 224.
  • the LI policy applied by the LIPH results in the LIPH sending information for all users, but only for the traffic type specified by the LI policy, needed for the non-embedded vPOI 324 to identify traffic to be monitored based on the content of an LI target list held by the vPOI. While span port traffic is sent from the target VNF 320 to the LIPH 222, only communications data (intercept related information) and a copy of content of communication of the traffic event needed for the vPOI to perform LI according to the LI policy is sent from the LIPH to the vPOI.
  • the VNF 420 including the LIPH 222 is the target VNF.
  • the vPOI 424 is provided within the target VNF 420, i.e. the vPOI is an embedded vPOI.
  • the LIPH 222 is included within the embedded vPOI 424.
  • Traffic events 230 received by the VNF 420 are received by the LIPH 222. Receipt of traffic events causes the LIPH to apply the LI policy to the traffic events to obtain traffic event data from the traffic events.
  • the LIPH sends the traffic event data 226 obtained from the traffic events to the vPOI 424.
  • the LI policy applied by the LIPH results in the LIPH sending information for all users, but only for the traffic type specified by the LI policy, needed for the embedded vPOI 524 to identify traffic to be monitored based on the content of an LI target list held by the vPOI.
  • the VNF 520 including the LIPH 222 is the target VNF.
  • the vPOI 524 is provided within the target VNF 520, i.e. the vPOI is an embedded vPOI.
  • the LIPH 222 is included within the embedded vPOI 524.
  • a triggering control function, TCF, 530 is also provided.
  • Traffic events 230 received by the VNF 520 are received by the LIPH 222. Receipt of traffic events causes the LIPH to apply the LI policy to the traffic events to obtain traffic event data from the traffic events.
  • the LIPH sends the traffic event data 226 obtained from the traffic events to the vPOI 524.
  • the LI policy applied by the LIPH results in the LIPH sending information for all users, but only for the traffic type specified by the LI policy, needed for the embedded vPOI 524 to identify traffic to be monitored.
  • the LI target list is held by the TCF 530; it is not provided to the vPOI in this embodiment.
  • the vPOI intercepts trigger signalling information for the traffic event data received from the LIPH and passes it to the TCF for processing via an XT interface 532. LI traffic monitoring at the vPOI is triggered by the TCF via the XT interface, based on the target list held by the TCF.
  • an embodiment provides an LI system 600 comprising a communication network device 100 hosting a VNF 120 which includes an LI application level controller 122, as described above with reference to Figures 2 and 3, a communication network device 200 hosting a VNF 220 which includes an LIPH 222, as described above with reference to Figures 4 and 5, and an LI interface 112 between the LI application level controller and the LIPH.
  • an embodiment provides an LI system 700 in which the VNF 720, which includes an LI application level controller 122, is an Admin Functions VNF.
  • the LI application level controller is as described above with reference to Figures 2 and 3.
  • the target VNF 220 including the LIPH 222 is as described above with reference to Figure 6.
  • the remainder of the LI system 700 is as described above with reference to Figure 1.
  • an embodiment provides an LI system 800 in which the LIPH 222 is provided within a non-embedded vPOI 324, separate to the target VNF 320, as described above with reference to Figure 7.
  • the LI system comprises a further LIPH in the target VNF 320, as described above with reference to Figures 6 and 12.
  • the two LIPHs co-exist in this scenario, each receiving messages from the LI application level controller 122, on respective LI interfaces 112, the messages containing at least one LI policy.
  • An LIPH is thus provided in both the target VNF 320 and within the non-embedded vPOI 324, each LIPH containing specific policies.
  • an embodiment provides an LI system 900 in which the LIPH 222 is provided within an embedded vPOI 424 within the target VNF 420, as described above with reference to Figure 8.
  • an embodiment provides an LI system 1000 in which the LIPH 222 is provided within an embedded vPOI 424 within the target VNF 520 and the LI system further comprises a TCF 530, as described above with reference to Figure 9.
  • an embodiment provides an LI system 1100 comprising a communication network device hosting an ADMF VNF 120 which includes an LI application level controller 122, as described above with reference to Figures 2 and 3, and at least one communication network device hosting three VNF instances, VNFI, 420, 520, each of which includes an LIPH 222, as described above with reference to Figures 8 and 9, and LI interfaces 112 between the LI application level controller and each LIPH.
  • Each VNFI is instantiated to a respective one of three network slices, Slice 1, Slice 2, Slice 3.
  • the LI application level controller 122 provides a respective LI policy to the LIPH 222 in each network slice.
  • Each LI policy specifies at least one traffic type to be monitored based on information relating to the respective network slice, so that different LI policies may be applied depending on slice traffic type and LI requirements.
  • an embodiment provides a method 1200 of providing a lawful LI policy for LI traffic monitoring in a communication network.
  • the method comprises an LI application level controller generating 1202 a message to be sent to an LIPH.
  • the message includes at least one LI policy to be applied by the LIPH to perform LI traffic monitoring of traffic events.
  • the message is then sent 1204 by the LI application level controller to the LIPH on an LI interface between the LI application level controller and the LIPH.
  • an embodiment provides a method 1300 of LI traffic monitoring in a communication network.
  • the method comprises the steps of an LIPH receiving 1302 a message from an LI application level controller, on an LI interface between the LI application level controller and the LIPH.
  • the message includes at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events received by a target VNF.
  • the at least one LI policy is applied 1304 by the LIPH to traffic events received by the target VNF to obtain traffic event data from the traffic events.
  • the obtained traffic event data is sent 1306 by the LIPH to a virtual point of interception, vPOI.
  • an embodiment provides a computer program 108 comprising instructions 110 which when performed by at least one processor 104 cause the at least one processor to perform steps of the method 1200 of providing a lawful LI policy for LI traffic monitoring in a communication network.
  • an embodiment provides a computer program 208 comprising instructions 210 which when performed by at least one processor 204 cause the at least one processor to perform steps of the method 1300 of LI traffic monitoring in a communication network.
  • the described embodiments enable LI policies to be applied to differentiate how LI is performed, for example: to limit (even at run time) the amount of data transmitted over the network; to allow the application of different monitoring levels depending on the type of traffic managed (e.g. slice based); and to enable traffic filtering functions for non-embedded vPOIs, reducing network load and limiting the footprint of LI functionalities.
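As an added illustration (not the patent's own code), the following Python sketch models the policy flow the bullets above describe: the controller's policy reaches the LIPH on the LI interface, the LIPH forwards traffic event data for all users but only for the traffic types the policy names for that slice, and only the vPOI matches against its target list, so the LIPH never needs to hold target identities. Class names, field names and the sample events are assumptions.

```python
# Added example, not from the patent: a model of the LI policy flow in the bullets above.
# Names, fields and sample data are assumptions; an event is a dict with user, slice_id,
# traffic_type, iri (intercept related information) and cc (content of communication).
from dataclasses import dataclass

@dataclass(frozen=True)
class LIPolicy:                # payload of one message on the LI interface 112
    slice_id: str
    traffic_types: frozenset   # traffic types the vPOI needs, e.g. {"sip"}
    with_content: bool         # True: IRI plus a copy of CC; False: IRI only

class LIPH:
    """LI policy handler: holds policies only, never the LI target list."""
    def __init__(self):
        self.policies = {}
    def receive_policy(self, policy):
        self.policies[policy.slice_id] = policy   # one policy per network slice
    def apply(self, events):
        """Forward data for ALL users, but only for the policy's traffic types."""
        out = []
        for ev in events:
            pol = self.policies.get(ev["slice_id"])
            if pol is None or ev["traffic_type"] not in pol.traffic_types:
                continue                           # not needed by the vPOI: dropped here
            out.append({"user": ev["user"], "type": ev["traffic_type"], "iri": ev["iri"],
                        "cc": ev["cc"] if pol.with_content else None})
        return out

class VPOI:
    """Point of interception: the only component that holds the target list."""
    def __init__(self, targets):
        self.targets = frozenset(targets)
    def intercept(self, event_data):
        return [d for d in event_data if d["user"] in self.targets]

def event(user, slice_id, traffic_type, iri, cc):
    return {"user": user, "slice_id": slice_id, "traffic_type": traffic_type, "iri": iri, "cc": cc}
SAMPLE_EVENTS = [  # constructed sample: a voice slice and a data slice, three users
    event("alice", "slice1", "sip", "INVITE sip:bob", b"rtp"),
    event("bob", "slice1", "http", "GET /index", b"html"),
    event("alice", "slice2", "http", "GET /mail", b"html"),
    event("carol", "slice2", "sip", "INVITE sip:alice", b"rtp"),
    event("bob", "slice2", "http", "POST /form", b"form"),
]
def demo(targets=("alice",)):
    liph = LIPH()
    liph.receive_policy(LIPolicy("slice1", frozenset({"sip"}), True))    # voice: IRI + CC
    liph.receive_policy(LIPolicy("slice2", frozenset({"http"}), False))  # data: IRI only
    forwarded = liph.apply(SAMPLE_EVENTS)
    return forwarded, VPOI(targets).intercept(forwarded)
```

With the sample data, three of the five events leave the LIPH (bob's slice1 HTTP and carol's slice2 SIP are dropped before reaching the vPOI), and the vPOI then keeps only the two belonging to its target.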


Abstract

A lawful interception, LI, system (600) comprising communication network devices (100, 200) hosting virtualised network functions, VNF, (120, 220) which respectively include an LI application level controller (122) and an LI policy handler function, LIPH, (222), and an LI interface (112) between the LI application level controller and the LIPH. The LI application level controller generates a message to be sent to an LIPH, the message including at least one LI policy to be applied by the LIPH to perform traffic monitoring of traffic events, and sends the message to the LIPH on the LI interface. The LIPH receives said message from the LI application level controller, applies said LI policy to traffic events received by a target VNF to obtain traffic event data from the traffic events, and sends the obtained traffic event data (226) to a virtual point of interception, vPOI.
PCT/SE2021/051256 2021-12-14 2021-12-14 Communication network devices and methods for lawful interception traffic monitoring WO2023113661A1 (fr)


Publications (1)

Publication Number Publication Date
WO2023113661A1 true WO2023113661A1 (fr) 2023-06-22

Family

ID=86773276


Country Status (1)

Country Link
WO (1) WO2023113661A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020263141A1 (fr) * 2019-06-27 2020-12-30 Telefonaktiebolaget Lm Ericsson (Publ) Method, node and computer program of lawful interception systems and networks


Non-Patent Citations (2)

Title
3GPP TS 33.127 V16.3.0, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security; Lawful Interception (LI) architecture and functions (Release 16)", 3GPP, Sophia-Antipolis, 26 March 2020 (2020-03-26), pages 1-88, XP051861191 *
ETSI GR NFV-SEC 011 V1.1.1, "Network Functions Virtualisation (NFV); Security; Report on NFV LI Architecture", ETSI, Sophia-Antipolis, 6 April 2018 (2018-04-06), pages 1-49, XP014328979 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 21968309; Country of ref document: EP; Kind code of ref document: A1