|
TECHNICAL SPECIFICATION
Lawful Interception (LI);
Part 1: Internal Network Interface X1 for Lawful Interception
---------------------- Page: 1 ----------------------
2 ETSI TS 103 221-1 V1.3.1 (2018-09)
Reference
RTS/LI-00161-1
Keywords
interface, lawful interception
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
If you find errors in the present document, please send your comment to one of the following services:
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2018.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
---------------------- Page: 2 ----------------------
3 ETSI TS 103 221-1 V1.3.1 (2018-09)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 8
4 Overview . 9
4.1 Reference model . 9
4.2 Reference model for X1: requesting and responding . 9
4.3 Overview of security . 10
4.4 Relationship to other standards . 10
4.5 Release management . 10
5 Basic concepts . 11
5.1 The lifecycle of a Task . 11
5.1.1 Start and end of a Task . 11
5.1.2 Identification of a Task . 11
5.1.3 Destinations . 11
5.2 The lifecycle of an X1 request/response . 11
5.2.1 Identification of X1 request/response . 11
5.2.2 Responding to the request . 11
5.2.3 Behaviour if a response is not received . 12
5.3 Warnings and Faults . 12
6 Message Structure and Data Definitions . 12
6.1 X1 Message details . 12
6.2 Message definitions: starting, modifying and stopping tasks . 13
6.2.1 ActivateTask . 13
6.2.1.1 Summary . 13
6.2.1.2 TaskDetails. 14
6.2.2 ModifyTask. 16
6.2.3 DeactivateTask . 16
6.2.4 DeactivateAllTasks . 16
6.3 Message definitions: creating, modifying and removing Destinations . 17
6.3.1 CreateDestination . 17
6.3.1.1 Summary . 17
6.3.1.2 DestinationDetails . 17
6.3.2 ModifyDestination . 18
6.3.3 RemoveDestination . 18
6.3.4 RemoveAllDestinations . 19
6.4 Message details: Getting information from NE . 19
6.4.1 Introduction. 19
6.4.2 GetTaskDetails . 19
6.4.2.1 Summary . 19
6.4.2.2 TaskStatus . 20
6.4.3 GetDestinationDetails . 20
6.4.3.1 Summary . 20
6.4.3.2 DestinationStatus . 21
6.4.4 GetNEStatus . 21
6.4.4.1 Summary . 21
6.4.5 GetAllDetails . 22
ETSI
---------------------- Page: 3 ----------------------
4 ETSI TS 103 221-1 V1.3.1 (2018-09)
6.4.5.1 Summary . 22
6.4.6 ListAllDetails . 22
6.4.6.1 Summary . 22
6.5 Message details: Reporting issues from the NE . 23
6.5.1 Introduction. 23
6.5.2 ReportTaskIssue on given XID . 23
6.5.2.1 Summary . 23
6.5.2.2 Task report types . 23
6.5.3 ReportDestinationIssue on given DID . 24
6.5.3.1 Summary . 24
6.5.4 ReportNEIssue . 24
6.6 Message details: Pings and Keepalives . 25
6.6.1 Ping . 25
6.6.2 Keepalive . 25
6.7 Protocol error details . 26
7 Transport and Encoding . 27
7.1 Introduction . 27
7.2 Profile A . 28
7.2.1 Encoding . 28
7.2.2 Transport layer . 28
7.2.2.1 HTTPS and HTTP . 28
7.2.2.2 How HTTP is used . 28
7.2.2.3 Profile . 28
8 Security. 29
8.1 Introduction . 29
8.2 Transport Security . 29
8.2.1 Summary . 29
8.2.2 Profile . 29
8.2.3 Key generation, deployment and storage . 29
8.2.4 Authentication . 29
8.3 Additional security measures (beyond transport layer) . 30
Annex A (normative): Requirements . 31
A.1 Basic requirements . 31
A.1.1 Existing standards. 31
A.2 Protocol & Architecture requirements. 31
A.3 Security requirements . 32
A.4 Other requirements . 33
A.4.1 Performance statistics (For Further Study) . 33
A.4.2 Capability detection . 34
A.4.3 Remote triggering . 34
A.4.4 Requirements to be handled by the transport layer . 34
Annex B (normative): Use of extensions . 35
B.1 Introduction . 35
B.2 Extension definitions . 35
Annex C (informative): Change request history . 36
History . 37
ETSI
---------------------- Page: 4 ----------------------
5 ETSI TS 103 221-1 V1.3.1 (2018-09)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Lawful Interception (LI).
The present document is part 1 of a multi-part deliverable covering the internal network interfaces for Lawful
Interception as identified below:
Part 1: "Internal Network interface X1 for Lawful Interception";
Part 2: "Internal Network interface X2 for Lawful Interception";
Part 3: "Internal Network interface X3 for Lawful Interception".
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
---------------------- Page: 5 ----------------------
6 ETSI TS 103 221-1 V1.3.1 (2018-09)
1 Scope
The present document defines an electronic interface for the exchange of information relating to the establishment and
management of Lawful Interception. Typically, this interface would be used between a central LI administration
function and the network internal interception points.
Typical reference models for LI define an interface between law enforcement agencies (LEAs) and communication
service providers (CSPs), called the handover interface. They also define an internal network interface within the CSP
domain between administration and mediation functions for lawful interception and network internal functions, which
facilitates the interception of communication. This internal network interface typically consists of three sub-interfaces;
administration (called X1), transmission of intercept related information (X2) and transmission of content of
communication (X3). The present document specifies the administration interface X1.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 133 107: "Universal Mobile Telecommunications System (UMTS); LTE; Digital cellular
telecommunications system (Phase 2+) (GSM); 3G security; Lawful interception architecture and
functions (3GPP TS 33.107)".
[2] IETF RFC 4122: "A Universally Unique Identifier (UUID) URN Namespace".
[3] W3C Recommendation 28 October 2004: "XML Schema Part 2: Datatypes Second Edition".
[4] ETSI TS 103 280: "Lawful Interception (LI); Dictionary for common parameters".
[5] Recommendation ITU-T E.212: "The international identification plan for public networks and
subscriptions".
[6] ETSI TS 123 003: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); Numbering, addressing and identification (3GPP
TS 23.003)".
[7] IETF RFC 3261: "SIP: Session Initiation Protocol".
[8] IETF RFC 3966: "The tel URI for Telephone Numbers".
[9] IETF RFC 3508: "H.323 Uniform Resource Locator (URL) Scheme Registration".
[10] IETF RFC 7542: "The Network Access Identifier".
[11] IETF RFC 2865: "Remote Authentication Dial In User Service (RADIUS)".
[12] IETF RFC 2818: "HTTP over TLS".
[13] IETF RFC 7230: "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing".
[14] IETF RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".
ETSI
---------------------- Page: 6 ----------------------
7 ETSI TS 103 221-1 V1.3.1 (2018-09)
[15] IETF RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0".
[16] IETF RFC 7525: "Recommendations for Secure Use of Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS)".
[17] IETF RFC 6125: "Representation and Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of
Transport Layer Security (TLS)".
[18] IETF RFC 4519: "Lightweight Directory Access Protocol (LDAP): Schema for User
Applications".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] OWASP TLS Cheat Sheet.
NOTE: Available at https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet.
[i.2] ETSI TR 103 308: "CYBER; Security baseline regarding LI and RD for NFV and related
platforms".
[i.3] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use
cases and technical approaches for multi-layer host administration".
[i.4] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System
architecture specification for execution of sensitive NFV components".
[i.5] OWASP XML Security Cheat Sheet.
NOTE: Available at https://www.owasp.org/index.php/XML_Security_Cheat_Sheet.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
destination: point to which IRI and/or CC is delivered by the NE
Destination IDentifier (DID): identifier to uniquely identify a Destination internally to the X1 interface
protocol error: error at the X1 protocol level (rather than any fault with ADMF or NE)
NOTE: In the present document, the term "error" in general refers to a protocol error, whereas issues with
systems not behaving correctly are called "faults".
task: continuous instance of interception at a single NE carried out against a set of target identifiers, identified by an X1
Identifier, starting from an activate command and ending with a deactivate command or terminating fault
terminating fault: fault signalled from NE to ADMF which terminates the specific Task
X1: LI interfaces internal to the CSP for management tasking
ETSI
---------------------- Page: 7 ----------------------
8 ETSI TS 103 221-1 V1.3.1 (2018-09)
X2: LI interfaces internal to the CSP for IRI delivery
X3: LI interfaces internal to the CSP for CC delivery
X1 Identifier (XID): identifier to uniquely identify a Task internally to the X1 interface
X1 Transaction ID: identifier used to identify a specific request/response pair
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ADMF ADMinistration Function
AVP Attribute-Value Pair
CC Content of Communication
CIDR Classless Inter Domain Routing
CSP Communication Service Provider
DID Destination IDentifier
FQDN Full Qualified Domain Name
FTP File Transfer Protocol
GTP-C GPRS Tunnel Protocol (Control plane)
GTP-U GPRS Tunnel Protocol (User plane)
HI Handover Interface
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
HTTPS HTTP over TLS
IMEI International Mobile Equipment Identity
IMPI IP Multimedia Private Identity
IMPU IP Multimedia PUblic identity
IMSI International Mobile Station Identity
IP Internet Protocol
IRI Intercept Related Information
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
MAC Media Access Control
NAI Network Access Identifier
NAT Network Address Translation
NE Network Element
NOTE: The element or function performing the interception.
NFV Network Functions Virtualisation
OWASP Open Web Application Security Project
RADIUS Remote Authentication Dial In User Service
SGSN Serving GPRS Support Node
SIP Session Initiation Protocol
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
TPM Trusted Platform Module
UDP User Datagram Protocol
UID Unique IDentifier
URI Uniform Resource Identifier
UTF UCS Transformation Formats
UUID Universally Unique IDentifier
XID X1 IDentifier
XML eXtended Markup Language
XSD XML Schema Definition
ETSI
---------------------- Page: 8 ----------------------
9 ETSI TS 103 221-1 V1.3.1 (2018-09)
4 Overview
4.1 Reference model
The X1 interface is based on communication between two entities; the CSP Administration Function (ADMF), and the
Network Element (NE) performing interception. The X1 reference model is shown in figure 1.
NENE
NENE X1
X1
ADMF Law Enforcement
NENE X1
Tasking interface
X1
e.g. HI-1
NENE
(out of scope)
Figure 1: X1 reference model
Only one ADMF shall make changes by X1 to a given NE. This is called the ADMF which is "responsible" for that NE.
Onward delivery of information from the NE is called X2 (for IRI) and X3 (for CC). The choice of protocols for X2 and
X3 are out of scope of the present document.
Some deployments may involve multiple ADMFs for redundancy or other purposes; where multiple ADMFs are
required, the NE shall be implemented such that it presents itself as a separate NE to each ADMF.
ADMF and NE shall implement time synchronization where possible; in situations where it is not possible, the ADMF
shall maintain knowledge
...