OPSAWG WG                                                  B. Pularikkal
Internet-Draft                                             S. Gundavelli
Intended status: Informational                                M. Grayson
Expires: September 14, 2013                                        Cisco
                                                                 R. Ghai
                                                           Benu Networks
                                                          March 13, 2013

           Lawful-Intercept Support for SP Wi-Fi Deployments
           draft-pularikkal-opsawg-lawful-intercept-spwifi-01.txt

Abstract

   Lawful Intercept stands for legally authorized capture and delivery
   of subscriber communications data by a communications provider to a
   law enforcement agency.  This document describes generic Lawful
   Intercept architecture models and implementation considerations for
   Service Provider Wi-Fi deployments.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 14, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Pularikkal, et al.        Expires September 14, 2013            [Page 1]
Internet-Draft           Lawful Intercept Support             March 2013

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Generic SP Wi-Fi Deployment Model with Inter-Operator Roaming
       (Model-1)
   4.  Generic SP Wi-Fi Deployment Model without Inter-Operator Roaming
       (Model-2)
   5.  Lawful Intercept Deployment Considerations for SP Wi-Fi
       5.1.  Proprietary versus Standards based Implementation
       5.2.  Subscriber Location Tracking Requirements
       5.3.  Handling SIPTO Traffic for Lawful Intercept
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  Informative References
   Appendix A.  Applicability of LI Architecture Model in a PMIPv6 based
                Service Provider Wi-Fi Implementation
   Authors' Addresses

1.  Introduction

   Lawful Intercept stands for legally authorized capture and delivery
   of subscriber communications data by a communications provider to a
   law enforcement agency (LEA).  The communications data, which the LEA
   will intercept as part of the target subscriber surveillance, is
   classified into two types: Communication Content (CC) and Intercept
   Related Information (IRI).  CC is the bearer data exchanged to and
   from the subscriber.  IRI provides the relevant context information
   for the CC.
   IRI is a loosely defined term and its scope varies for different end
   user applications.

   In most countries, there are legal obligations for Service Providers
   to facilitate the intercept of any subscriber's communication, if
   requested by law enforcement agencies.  The Communications Assistance
   for Law Enforcement Act (CALEA), the United States wiretapping law
   passed in 1994, is an example of such a legal mandate.

   The objective of this document is to describe generic LI architecture
   models and implementation considerations for Service Provider Wi-Fi
   deployments.  In this document two types of SP Wi-Fi deployment
   scenarios are covered from the LI implementation perspective:

   1.  SP Wi-Fi Deployment Models with Inter-Operator Roaming (Model-1)

   2.  SP Wi-Fi Deployment Models without Inter-Operator Roaming
       (Model-2)

2.  Terminology

   All the Lawful Intercept related terms used in this document are to
   be interpreted as defined in [RFC3924].  Additionally, this document
   uses the following terms:

   Lawful Intercept (LI)

      Lawful Intercept stands for legally authorized capture and
      delivery of a subscriber's communications data by a
      communications provider to a law enforcement agency.

   Law Enforcement Agency (LEA)

      Various government agencies at National, Regional and Local levels
      which are responsible for the enforcement of laws.

   Intercept Related Information (IRI)

      Information related to the subscriber data traffic of interest.
      IRI is a loosely defined term and its scope varies for different
      end user applications.

   Communications Content (CC)

      CC refers to the subscriber data traffic of interest.

   Intercept Access Point (IAP)

      An IAP is a device within the network that is used for
      intercepting lawfully authorized intercept information.  There
      are two types of IAPs: IAPs that provide communication content
      (CC IAP) and IAPs that provide intercept related information (IRI
      IAP).
   Mediation Device (MD)

      The Mediation Device is the entity which provisions and activates
      LI on the relevant network elements.  The Service Provider LI
      Admin Function (AF) is used to configure the Mediation Device
      based upon the intercept request received from the LEA.

   Delivery Function (DF)

      The Delivery Function is responsible for the collection of IRI and
      CC data from the relevant IAPs, reformatting them to match the
      appropriate LEA Handover Interface standards and forwarding them
      to the LEA.  In some deployment models, MD and DF may be
      collocated on the same system.

   Collection Function (CF)

      The entity on the LEA side which receives the IRI and CC data over
      standard Handover Interfaces.

   Wireless Access Gateway (WAG)

      A network element in a Service Provider Wi-Fi deployment which is
      used to implement and enforce per-subscriber policies.  The WAG
      typically interacts with external policy provisioning and
      authorization systems to implement per-subscriber policies and
      regulate service access for the subscribers.

   Proxy Mobile IPv6 (PMIPv6)

      A network based mobility management protocol standardized by the
      IETF and specified in RFC 5213.

   Generic Routing Encapsulation (GRE)

      A tunneling protocol that can encapsulate a wide variety of
      Network Layer protocols inside virtual point-to-point links over
      an Internet Protocol internetwork.

   CAPWAP

      CAPWAP stands for Control And Provisioning of Wireless Access
      Points.  The protocol specification is described in RFC 5415 and
      an IEEE 802.11 binding is provided in RFC 5416.

   GPRS Tunneling Protocol (GTP)

      A group of IP based communications protocols used to carry
      General Packet Radio Service (GPRS) within GSM, UMTS and LTE
      networks.

   Home Gateway

      In an inter-operator roaming scenario, the Home Gateway is the
      network layer topological anchor point for a roaming partner's
      subscriber.  An example of a Home Gateway is an LMA in a PMIPv6
      based deployment.

3.  Generic SP Wi-Fi Deployment Model with Inter-Operator Roaming
    (Model-1)

   Illustrated in Figure 1 below is a generic SP Wi-Fi deployment model
   with Inter-Operator Roaming.  In this model, the Wi-Fi operator has a
   roaming relationship with two partners, A and B.  Roaming
   architectures typically use standard protocols such as PMIPv6 or GTP
   for signaling and data offload between the home operator and the
   access provider.

   [Figure 1 (ASCII diagram not recoverable from the extracted text):
   in the Wi-Fi Operator's network, the APs (AP1, AP2) connect through
   wireless controllers (WAC1, WAC2) to the WAG; the WAG connects to the
   Internet and to a Home Gateway in each of the Roaming Partner A and
   Roaming Partner B networks.]

        Figure 1: Generic SP Wi-Fi Deployment with Inter-Operator
                                 Roaming

   In SP Wi-Fi deployments with Inter-Operator roaming, LI will have to
   account for intercept corresponding to two types of subscribers:

   o  Native subscribers accessing the Wi-Fi Operator's network

   o  Subscribers from Roaming Partners accessing the Wi-Fi Operator's
      network

   For the first type of subscribers, a typical LI deployment would be
   similar to the one described for the scenario without roaming
   (Section 4).  For Inter-Operator roaming, there are three deployment
   scenarios for handling subscriber traffic:
   o  All the traffic will be tunnelled towards the Home Gateway in the
      Partner network

   o  Selective local breakout of subscriber traffic into the Wi-Fi
      Operator's network

   o  Full local breakout of subscriber traffic into the Wi-Fi
      Operator's network

   Depending upon country-specific legal requirements, it is possible
   for both the Roaming Partner as well as the Wi-Fi Operator to be
   responsible for intercepting the subscriber's traffic flow while the
   subscriber is connected to the Wi-Fi Operator's network.  Even in
   cases where only the Roaming Partner is responsible, the LI
   implementation will need to account for the Local Breakout (LBO)
   which potentially happens in the Wi-Fi Operator's network.  As such,
   a standardized LI implementation will be desirable for most of the
   Inter-Operator Roaming scenarios.  One approach would be to leverage
   existing protocols such as PMIPv6 and define the required extensions
   to support a standards based LI solution for inter-operator roaming
   scenarios.

   A generic LI deployment model with Inter-Operator roaming is
   illustrated in Figure 2 below:
   [Figure 2 (ASCII diagram not recoverable from the extracted text):
   the Wi-Fi Operator's network contains AP1, AP2, a WAC and the
   WAG/LBO acting as CC IAP; the Roaming Partner A network contains the
   LI Admin, the AAA server acting as IRI IAP, the MD/DF and the Home
   Gateway; the LEA contains its LI Admin and the CF.  Interfaces:
   (a) LEA LI Admin to Roaming Partner LI Admin, (b) LI Admin to MD,
   (c) MD to AAA, (d) AAA to MD, (e) MD to Home Gateway, (f) WAG to MD,
   (g) and (h) MD to CF, and (i) Home Gateway to WAG over PMIPv6/GTP.]

     Figure 2: Generic LI deployment model with Inter-Operator Roaming

   The LI specific functional elements and the interfaces defined in the
   above architecture model are also based upon the reference model
   documented in RFC 3924.  However, there are additional components and
   protocol interfaces required to cover Inter-Operator roaming.  The LI
   specific control plane interactions between the various network
   elements are described in the following steps.

   o  Step-1: The Law Enforcement Agency informs the Roaming Partner
      about the legally authorized intercept requirement for a target
      subscriber.  The Roaming Partner is the home operator for this
      subscriber.  Typically it will be a manual process of delivering
      the court order to the Roaming Partner's personnel in charge of
      the LI admin function.  Some LI network element vendors may also
      provide interfaces to automate this delivery.
      The LEA is expected to provide a unique target identifier along
      with other key variables such as the duration of the intercept,
      whether both IRI and CC need to be forwarded to the LEA, etc.
      Interface (a) in Figure 4 represents the administrative handover
      interface between the LEA and the Wi-Fi Operator.

   o  Step-2: The Roaming Partner side LI Admin network element uses
      interface (b) to provision the Roaming Partner's MD with the
      details of the intercept target.  Depending upon the type of the
      unique target identifier provided by the LEA, the Roaming
      Partner's LI Admin function may be required to look up a
      corresponding subscriber identifier and forward it to the MD.  In
      this case it is assumed that the subscriber session was not active
      at the time of the intercept request.

   o  Step-3: At this point the MD is not aware on which Home Gateway the
      subscriber session may become active.  So the MD uses interface
      (c) to provision the IRI network element.  The IRI network element
      in the partner network will typically be an Authentication,
      Authorization and/or Accounting (AAA) system such as a RADIUS or
      Diameter server.

   o  Step-4: The target subscriber of the Roaming Partner uses a client
      device to associate to the Wi-Fi Operator's wireless network.
      Depending upon the implementation, the subscriber may be able to
      log in automatically using a pre-registered MAC address or an EAP
      authentication method, or may have to go through a web portal
      based authentication.

   o  Step-5: The WAG in the Wi-Fi Operator's network, upon detecting a
      new subscriber session, will send an Authorization request to the
      Roaming Partner's AAA server, which is the IRI IAP.  In typical
      deployments there will be a proxy AAA server in the Wi-Fi
      Operator's network which acts as the intermediary between the WAG
      and the Roaming Partner's AAA server, but this is omitted for the
      sake of simplicity.
      At this stage it is assumed that the subscriber is already
      authenticated and is authorized to access the network.  The AAA
      server in the Roaming Partner's network sends an Authorization
      Accept back to the WAG so that the WAG can install the relevant
      policies to allow network access for the subscriber.  The policy
      will include the identity of the Home Gateway to which the
      subscriber session will be anchored in the Roaming Partner's
      network.  Typically standards based protocol interfaces such as
      RADIUS or Diameter will be used for the interaction between the
      WAG and the AAA server.

   o  Step-6: The WAG will establish a packet data session with the
      subscriber's Home Gateway.  As part of this session establishment
      process, the Home Gateway will assign an IP address for the
      subscriber and provide it to the WAG.  The WAG in turn will
      complete the necessary control plane exchanges with the
      subscriber's User Equipment (UE) to complete address assignment.
      After the packet data session establishment is complete, the WAG
      will typically send an Accounting Start message to the AAA server,
      and this message will include the IP address of the subscriber
      along with other relevant information.  If the subscriber policy
      does not allow any Local Breakout (LBO), then the WAG will forward
      all data traffic from the subscriber to the Home Gateway.  If LBO
      is allowed, the traffic matching the LBO criteria will be locally
      routed by the WAG and all other traffic from the subscriber will
      be forwarded to the Home Gateway.

   o  Step-7: The authorization request from the WAG typically carries a
      subscriber identifier such as a username or IMSI.  Since the
      subscriber identifier matched a target intercept provisioned on
      the Roaming Partner's AAA server (IRI IAP), the IRI IAP will send
      a "Target Active" notification to the MD.  This notification will
      include the Home Gateway identity for the subscriber, the IP
      address of the subscriber and any other relevant IRI information.
   o  Step-8: The Mediation Device establishes a secured session over
      interface (g) with the LEA Collection Function and forwards the
      IRI information corresponding to the target subscriber.

   o  Step-9: The Mediation Device uses interface (e) to activate the CC
      intercept on the Home Gateway in the Roaming Partner's network.
      The MD will include all the information required to duplicate and
      forward the intercepted content, such as the destination address
      and port to which the intercepted packets need to be forwarded,
      the duration of the intercept, any applicable filters, encryption
      keys, etc.

   o  Step-10: In this model, the WAG residing in the Wi-Fi Operator's
      network is the CC IAP.  This will make sure that all the traffic
      to and from the subscriber, including any LBO traffic, will be
      duplicated and forwarded to the MD.  The Home Gateway uses
      interface (i) to command the WAG to activate the intercept for the
      target subscriber.  The Home Gateway will forward all the relevant
      information it received from the MD related to the intercept.

   o  Step-11: The WAG starts duplicating the target subscriber's
      communication content and forwards it to the Mediation Device
      over interface (f).

   o  Step-12: The MD re-packages the communication content in the
      required format for the LEA and forwards it over interface (h).

4.  Generic SP Wi-Fi Deployment Model without Inter-Operator Roaming
    (Model-2)

   Figure 3 below illustrates a generic SP Wi-Fi deployment without
   Inter-Operator Roaming support.  In this architecture model, APs may
   be deployed in autonomous mode or in split-MAC mode using centralized
   wireless controllers.  Depending upon the implementation model in
   use, different tunnel technologies may be in use between the AP/WAC
   and the Wireless Access Gateway.  Some of these tunnel technologies
   are CAPWAP, PMIPv6, Ethernet over GRE, etc.
   Typically all the traffic for the subscriber session gets aggregated
   on the Wireless Access Gateway.

   [Figure 3 (ASCII diagram not recoverable from the extracted text):
   two groups of APs (AP1, AP2), each behind a wireless controller
   (WAC1), connect to the WAG; the WAG connects to an AAA server and to
   the IP network.]

       Figure 3: Generic SP Wi-Fi Deployment without Inter-Operator
                                  Roaming

   In most of the deployments the WAG will be the appropriate
   Communication Content Intercept Access Point for the Lawful
   Intercept.  Illustrated in Figure 4 below is the integration of the
   Lawful Intercept components with the generic SP Wi-Fi deployment
   model.  These Lawful Intercept related network and admin elements
   are described in the reference document RFC 3924.  Refer to the
   aforementioned RFC for a description of the LI elements and the
   interfaces defined in the reference model used here.

   [Figure 4 (ASCII diagram not recoverable from the extracted text):
   in the Wi-Fi Operator's network, AP1 and the WAC connect to the WAG
   acting as CC IAP, which connects to the IP network; the operator's
   LI Admin, the AAA server acting as IRI IAP and the MD/DF complete
   the LI elements; the LEA side holds its LI Admin and the CF.
   Interfaces: (a) LEA LI Admin to operator LI Admin, (b) LI Admin to
   MD, (c) MD to AAA, (d) AAA to MD, (e) MD to WAG, (f) WAG to MD, and
   (g) and (h) MD to CF.]

    Figure 4: LI support for generic SP Wi-Fi Deployment model without
                          inter-operator roaming

   The LI specific control plane interactions between the various
   functional components illustrated in Figure 4 are described in the
   following steps:
   o  Step-1: The Law Enforcement Agency informs the Wi-Fi Operator
      about the legally authorized intercept requirement for a target
      subscriber.  Typically it will be a manual process of delivering
      the court order to the Wi-Fi Operator's personnel in charge of the
      LI admin function.  Some LI network element vendors may also
      provide interfaces to automate this delivery.  The LEA is expected
      to provide a unique target identifier along with other key
      variables such as the duration of the intercept, whether both IRI
      and CC need to be forwarded to the LEA, etc.  Interface (a) in
      Figure 2 represents the administrative handover interface between
      the LEA and the Wi-Fi Operator.

   o  Step-2: The Operator side LI Admin network element uses interface
      (b) to provision the Mediation Device with the details of the
      intercept target.  Depending upon the type of the unique target
      identifier provided by the LEA, the Provider LI Admin function may
      be required to look up a corresponding subscriber identifier and
      forward it to the MD.  In this case it is assumed that the
      subscriber session was not active at the time of the intercept
      request.

   o  Step-3: At this point the MD is not aware on which WAG the
      subscriber session may become active.  So the MD uses interface
      (c) to provision the IRI network element.  The IRI network element
      in an SP Wi-Fi network will typically be an Authentication,
      Authorization and/or Accounting system such as a RADIUS server.

   o  Step-4: The target subscriber uses a client device to associate to
      the wireless network.  Depending upon the implementation, the
      subscriber may be able to log in automatically using a
      pre-registered MAC address or an EAP authentication method, or may
      have to go through a web portal based authentication.

   o  Step-5: The WAG, upon detecting a new subscriber session, will send
      an Authorization request to the IRI network element.
      At this stage it is assumed that the subscriber is already
      authenticated and is authorized to access the network.  The IRI
      network element sends an Authorization Accept back to the WAG so
      that the WAG can install the relevant policies to allow network
      access for the subscriber.  Typically standards based protocol
      interfaces such as RADIUS or Diameter will be used for the
      interaction between the WAG and the IRI element.

   o  Step-6: The authorization request from the WAG typically carries a
      subscriber identifier such as a username or IMSI.  A typical
      authorization request will also carry the source IP address of the
      subscriber.  Since the subscriber identifier matched a target
      intercept provisioned on the IRI element, the IRI element will
      send a "Target Active" notification to the MD over interface (d).
      This notification will include the IP address of the subscriber
      and any relevant IRI information.

   o  Step-7: The IRI network element sends an authorization response
      back to the WAG, and the WAG implements the applicable subscriber
      policies and enables service access for the subscriber session.

   o  Step-8: The Mediation Device establishes a secured session over
      interface (g) with the LEA Collection Function and forwards the
      IRI information corresponding to the target subscriber.

   o  Step-9: The Mediation Device uses interface (e) to activate the CC
      intercept on the WAG.  The MD will include all the information
      required to duplicate and forward the intercepted content, such
      as the destination address and port to which the packets need to
      be forwarded, the duration of the intercept, any applicable
      filters, etc.

   o  Step-10: The WAG starts duplicating the target subscriber's
      communication content and forwards it to the Mediation Device
      over interface (f).

   o  Step-11: The MD re-packages the communication content in the
      required format for the LEA and forwards it over interface (h).

5.  Lawful Intercept Deployment Considerations for SP Wi-Fi

5.1.  Proprietary versus Standards based Implementation

   LI implementation is fairly straightforward for deployments which do
   not support Inter-Operator roaming.  Most of the LI equipment
   vendors accommodate vendor specific protocol interfaces for
   interworking with IAP network elements from various network equipment
   vendors.  Standards based interfaces are primarily confined to the
   interconnect between the LEA Collection Function elements and the
   Mediation Device.

   However, for the SP Wi-Fi deployment models which support inter-
   operator roaming, there will be significant advantages in
   standardizing some of the protocol interfaces.  Typically standards
   based protocols such as PMIPv6 or GTP will be used for the control
   plane and data plane connectivity between the WAG in the Wi-Fi
   Operator's network and the Home Gateway in the Roaming Partner's
   network.  By defining some protocol extensions, the same control
   plane interface can be leveraged for implementing standards based LI
   related signaling as well.

5.2.  Subscriber Location Tracking Requirements

   Unlike fixed broadband deployments, where the location of the
   subscriber can be tracked easily from the source IP address assigned
   to the end user device, the basic nature of Wi-Fi networks makes it
   more complex to track the location of the subscriber under
   surveillance.  A simple IP lookup will not suffice due to the
   layer-2 and layer-3 roaming supported by most of the deployments.
   Additional intelligence can be implemented to collect the location
   specific information, and it can be provided as IRI data to the LEA
   if required by law.  In Inter-Operator roaming scenarios, it is
   possible to carry the location data as well over the standards based
   protocols such as PMIPv6 or GTP by using relevant protocol
   extensions.

5.3.  Handling SIPTO Traffic for Lawful Intercept

   For Inter-Operator roaming deployments, local breakout of the roaming
   subscriber's traffic in the visited Wi-Fi network is a typical
   implementation scenario.  This Local Breakout is also known as
   Selective IP Traffic Offload (SIPTO).  When SIPTO is enabled in the
   Inter-Operator roaming scenario, it typically happens at the WAG in
   the Wi-Fi Operator's network.  There are two scenarios for handling
   SIPTO traffic: SIPTO without NAT and SIPTO with NAT.

   For the scenario without NAT, dealing with SIPTO for LI is fairly
   straightforward.  In the LI architecture model covered for the
   Inter-Operator Roaming scenario in this document, the WAG acting as
   the CC IAP can forward both SIPTO and non-SIPTO traffic towards the
   MD in the Roaming Partner's network.  For a scenario where the
   intercept happens at the Home Gateway instead of at the WAG, some
   additional signaling can be done over the control plane between the
   Home Gateway and the WAG to temporarily disable SIPTO for the target
   subscriber while the target is under surveillance.

   SIPTO with NAT can make the implementation more complex.  If the NAT
   function for SIPTO traffic is performed at the WAG itself, the WAG
   has access to the NAT binding information per subscriber.  If the
   WAG is the CC IAP in the Inter-Operator roaming scenario for the
   roaming partner's subscriber, the WAG can forward the NAT binding
   information over the control plane to the Home Gateway in the
   Roaming Partner's network.  This can be included in the scope of the
   protocol extensions required on the tunneling technologies for LI
   related signaling between the Home Gateway and the WAG.  Since the
   Home Gateway actively participates in the intercept for the target
   in the Inter-Operator Roaming scenario, the Home Gateway can forward
   this information to the MD over the interface between the Home
   Gateway and the Mediation Device.  If the NAT function for SIPTO
   traffic runs on a separate box from the WAG, then alternative
   options will need to be considered.
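   The following Python simulation is added here to make the Model-1
   control-plane sequence of Section 3 (Steps 1 through 12) and the
   SIPTO-with-NAT handling of Section 5.3 concrete; it is an added
   illustration, not code from the draft or from any vendor.  All class
   names, message shapes and addresses are constructed assumptions, and
   TRACE tags each message with the interface letter from Figure 2 (plus
   "aaa" for the RADIUS/Diameter exchange).

```python
# Simulation of the Model-1 LI control-plane flow (Section 3, Steps 1-12) with SIPTO
# behind NAT at the WAG (Section 5.3).  Added illustration, not part of the draft.
from ipaddress import ip_address, ip_network

SIPTO_PREFIX = ip_network("203.0.113.0/24")  # constructed: destinations broken out locally
NAT_PUBLIC_IP = "198.51.100.7"               # constructed: WAG NAT public address
TRACE = []                                   # (interface, sender, receiver, summary)

def msg(iface, src, dst, summary):
    TRACE.append((iface, src, dst, summary))

class MediationDevice:                       # MD/DF in the roaming partner's network
    def __init__(self, aaa, home_gw):
        self.aaa, self.home_gw = aaa, home_gw
        self.cf_iri, self.cf_cc = [], []     # what the LEA Collection Function receives

    def provision(self, target_id):                      # Step-2 over (b), Step-3 over (c)
        msg("b", "LIAdmin", "MD", f"provision {target_id}")
        msg("c", "MD", "AAA", f"watch {target_id}")
        self.aaa.watched[target_id] = self               # IRI IAP now matches this identifier

    def target_active(self, target_id, home_gw_id, ip):  # Step-7 (d), Step-8 (g), Step-9 (e)
        msg("d", "AAA", "MD", f"Target Active {target_id} ip={ip} hg={home_gw_id}")
        self.iri_update(target_id, {"ip": ip, "home_gw": home_gw_id})
        msg("e", "MD", "HomeGW", f"activate CC {target_id}")
        self.home_gw.activate_cc(target_id, ("192.0.2.10", 5000), self)  # constructed CC sink

    def iri_update(self, target_id, info):               # interface (g)
        msg("g", "MD", "CF", f"IRI {target_id} {sorted(info)}")
        self.cf_iri.append({"target": target_id, **info})

    def deliver_cc(self, target_id, pkt):                # Step-12 over (h): re-packaged CC
        msg("h", "MD", "CF", f"CC {target_id} {pkt['src']}->{pkt['dst']}")
        self.cf_cc.append({"target": target_id, **pkt})

class AAAServer:                             # roaming partner's IRI IAP (RADIUS/Diameter)
    def __init__(self, subscribers):
        self.subscribers, self.watched = subscribers, {}

    def authorize(self, username):                       # Step-5: Access-Request -> policy
        msg("aaa", "WAG", "AAA", f"Access-Request {username}")
        return dict(self.subscribers[username])

    def accounting_start(self, username, home_gw_id, ip):   # Step-6: carries the assigned IP
        msg("aaa", "WAG", "AAA", f"Accounting-Start {username} ip={ip}")
        if username in self.watched:                     # identifier matched a target
            self.watched[username].target_active(username, home_gw_id, ip)

class HomeGateway:                           # e.g. the LMA in a PMIPv6 deployment
    def __init__(self, gw_id):
        self.gw_id, self.wag, self.md, self.hosts = gw_id, None, {}, 0

    def create_session(self, wag, username):             # Step-6: PMIPv6/GTP session, IP assignment
        self.wag, self.hosts = wag, self.hosts + 1
        return f"10.0.0.{self.hosts}"                    # constructed address pool

    def activate_cc(self, target_id, delivery, md):      # Step-10: relay the activation over (i)
        self.md[target_id] = md
        msg("i", "HomeGW", "WAG", f"activate intercept {target_id}")
        self.wag.intercepts[target_id] = delivery

    def report_iri(self, target_id, info):               # Section 5.3: NAT binding up to the MD
        msg("i", "WAG", "HomeGW", f"NAT binding {target_id}")
        self.md[target_id].iri_update(target_id, info)

class WAG:                                   # Wi-Fi operator's CC IAP and SIPTO/NAT point
    def __init__(self, aaa, home_gw):
        self.aaa, self.home_gw, self.sessions, self.intercepts = aaa, home_gw, {}, {}

    def attach(self, username):                          # Steps 4-6 from the WAG's side
        policy = self.aaa.authorize(username)
        ip = self.home_gw.create_session(self, username)
        self.sessions[ip] = {"user": username, "lbo": policy["lbo"]}
        self.aaa.accounting_start(username, self.home_gw.gw_id, ip)
        return ip

    def forward(self, src, dst, sport):                  # one uplink packet from the UE
        user, pkt = self.sessions[src]["user"], {"src": src, "dst": dst, "sport": sport}
        if user in self.intercepts:                      # Step-11 over (f): copy CC before any NAT
            msg("f", "WAG", "MD", f"CC copy {src}->{dst}")
            self.home_gw.md[user].deliver_cc(user, pkt)
        if not (self.sessions[src]["lbo"] and ip_address(dst) in SIPTO_PREFIX):
            return "tunnelled"                           # non-SIPTO traffic goes to the Home GW
        nat_src = (NAT_PUBLIC_IP, 40000 + sport)         # SIPTO: constructed NAT mapping
        if user in self.intercepts:                      # the LEA needs the post-NAT identity
            self.home_gw.report_iri(user, {"nat": {"inside": (src, sport), "outside": nat_src}})
        return "sipto"

def run_model1_flow():                       # target 'alice@partner-a' plus a non-target
    TRACE.clear()
    hg = HomeGateway("HG-A")
    aaa = AAAServer({"alice@partner-a": {"lbo": True}, "bob@partner-a": {"lbo": True}})
    md, wag = MediationDevice(aaa, hg), WAG(aaa, hg)
    msg("a", "LEA", "LIAdmin", "court order: target alice@partner-a")   # Step-1
    md.provision("alice@partner-a")
    alice_ip, bob_ip = wag.attach("alice@partner-a"), wag.attach("bob@partner-a")
    paths = [wag.forward(alice_ip, "203.0.113.9", 1234),  # SIPTO with NAT, intercepted
             wag.forward(alice_ip, "192.0.2.50", 1235),   # tunnelled, intercepted
             wag.forward(bob_ip, "203.0.113.9", 1236)]    # non-target: never copied
    return {"md": md, "paths": paths, "trace": list(TRACE), "alice_ip": alice_ip}
```

   Running run_model1_flow() shows both of the target's packets
   reaching the CF regardless of breakout path, the NAT binding arriving
   as IRI via the Home Gateway, and nothing copied for the non-target.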
6.  IANA Considerations

   This document does not require any IANA actions.

7.  Security Considerations

   In order to make sure that only authorized personnel can enable the
   intercept for a target subscriber, and that an active intercept is
   undetectable by the intercept target and by any individuals within or
   outside the Wi-Fi Operator's and Roaming Partner's networks, the LI
   implementation will need to make sure that all LI specific protocol
   signaling is carried out over a secured, encrypted transport.  For
   example, if PMIPv6 is the tunnel technology used for an Inter-
   Operator roaming scenario, any LI specific signaling carried over
   the PMIPv6 control plane must be encrypted.  Also, proper privacy
   mechanisms should be implemented for the transport of IRI and CC data
   from the corresponding IAPs to the Mediation Device.  This is
   particularly important when the IAP for CC is in the Wi-Fi
   Operator's network and the MD is in the Roaming Partner's network.

8.  Acknowledgements

   The authors would like to thank Fred Baker for his review and
   feedback on the document.

9.  Informative References

   [RFC3924]  Baker, F., Foster, B., and C. Sharp, "Cisco Architecture
              for Lawful Intercept in IP Networks", RFC 3924,
              October 2004.

Appendix A.  Applicability of LI Architecture Model in a PMIPv6 based
             Service Provider Wi-Fi Implementation

   In a PMIPv6 based implementation, the Local Mobility Anchor (LMA)
   would be the Home Gateway and the Mobile Access Gateway (MAG) would
   be the WAG.  The PMIPv6 based architecture may be used for both
   Intra-Operator Mobility and Inter-Operator Mobility scenarios.  The
   PMIPv6 based LI deployment model with Inter-Operator roaming is
   illustrated in Figure 5 below:
   [Figure 5 (ASCII diagram not recoverable from the extracted text):
   same layout as Figure 2, with the MAG in the Wi-Fi Operator's
   network taking the WAG's role as CC IAP and the LMA (Home GW) in the
   Roaming Partner A network taking the Home Gateway's role; interfaces
   (a) through (i) are as in Figure 2, with (i) between the LMA and the
   MAG over PMIPv6/GTP.]

     Figure 5: PMIPv6 based LI deployment model with Inter-Operator
                                 Roaming

   In the PMIPv6 based LI architecture model covered here, the LMA is
   designated as the control point for intercept provisioning and
   activation, and the MAG acts as the CC IAP.  The LMA, which is the
   Home Gateway in the Roaming Partner's network, uses the PMIPv6
   control plane to carry the LI specific provisioning and activation
   information to the MAG residing in the Wi-Fi Operator's network.
   This can be accomplished by leveraging the existing control plane
   messages with some additional protocol TLVs defined for the support
   of Lawful Intercept.  A secured control plane is already part of the
   PMIPv6 standard and may be enabled optionally.  But when LI specific
   information is carried over the PMIPv6 control plane, data privacy
   must be enabled for the control plane messages by using ESP
   protection.  The MAG will receive all the necessary information to
   establish a secured communication channel to the Mediation Device
   and transport the intercepted packets.
   Privacy and confidentiality of the intercept will be maintained by
   enabling data privacy for this communication channel.  The LMA can
   collect the encryption keys from the MD over interface (e) and
   forward them over the PMIPv6 signaling plane along with the other LI
   specific parameters.  The MAG can use these keys to encrypt the
   intercepted packets it forwards to the Mediation Device.

   If the intercept target roams from one MAG to another while the CC
   intercept is active, the LMA will provide the LI specific parameters
   to the new MAG along with the standard mobility related information
   via the PMIPv6 control plane.  The old MAG will cease the intercept
   operation since the target is no longer attached to it, and the new
   MAG will start forwarding the intercepted packets to the Mediation
   Device.  The LMA in the background will have informed the MD about
   the inter-MAG handover of the intercept target over interface (e).

   It is possible that the intercept of a target is conditional on the
   location in which the target is active.  In the case of an inter-MAG
   handover, if the new MAG on which the target has become active is
   outside the location of "interest", the MD will inform the LMA to
   cease the intercept, and the LMA in this case will not provide any
   LI specific information to the new MAG.  As long as the LI
   provisioning of the target is valid on the LMA, the LMA will keep
   informing the MD about the location changes of the target every time
   an inter-MAG handover happens, and the MD can instruct the LMA to
   re-activate the intercept if the target ends up back on a MAG which
   is within the "location" of interest.

Authors' Addresses

   Byju Pularikkal
   Cisco
   7200-12 Kit Creek Road, PO Box 14987
   Research Triangle Park, NC 27709-4987
   USA

   Email: byjupg@cisco.com


   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   Email: sgundave@cisco.com


   Mark Grayson
   Cisco
   11 New Square Park
   Bedfont Lakes, FELTHAM TW14 8HA
   ENGLAND

   Email: mgrayson@cisco.com


   Rajat Ghai
   Benu Networks
   300 Concord Rd, suite # 110
   Billerica, MA 01812
   USA

   Email: rghai@benunets.com
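   The following Python simulation is added as an illustration of the
   inter-MAG handover behaviour described in Appendix A (it is not code
   from the draft): the LMA keeps the LI provisioning, reports every
   handover to the MD over interface (e), and passes LI parameters to
   the new MAG only when the MD says that MAG is in scope.  It assumes,
   as a constructed simplification, that a MAG identifier stands for a
   location and that the MD's "location of interest" is a set of such
   identifiers.

```python
# Inter-MAG handover handling for an active CC intercept as described in Appendix A:
# the LMA anchors the LI provisioning, each MAG is the CC IAP, and the MD may limit
# the intercept to a "location of interest".  Added illustration, not part of the
# draft; names, the location model and message shapes are constructed.
TRACE = []                                   # (interface, sender, receiver, summary)


class MediationDevice:
    def __init__(self, locations_of_interest, li_params):
        self.scope, self.li_params = set(locations_of_interest), li_params
        self.cc = []                         # (mag_id, packet) copies received over (f)

    def location_update(self, target, mag_id):       # LMA -> MD over (e) on every handover
        in_scope = mag_id in self.scope              # constructed: MAG id stands for a location
        verb = "activate" if in_scope else "cease"
        TRACE.append(("e", "MD", "LMA", f"{verb} {target} on {mag_id}"))
        return self.li_params if in_scope else None  # None: LMA sends no LI TLVs to the MAG

    def receive_cc(self, mag_id, pkt):
        self.cc.append((mag_id, pkt))


class MAG:                                   # CC IAP; an entry in `active` exists only while active
    def __init__(self, mag_id, md):
        self.mag_id, self.md, self.active = mag_id, md, {}

    def uplink(self, target, pkt):           # returns True when the packet was mirrored to the MD
        if target not in self.active:
            return False
        TRACE.append(("f", self.mag_id, "MD", f"CC {target}"))
        self.md.receive_cc(self.mag_id, pkt)
        return True


class LMA:                                   # Home Gateway: LI provisioning control point
    def __init__(self, md, mags):
        self.md, self.mags, self.attached, self.provisioned = md, mags, {}, set()

    def provision_target(self, target):      # intercept provisioned by the MD over (e)
        self.provisioned.add(target)
        if target in self.attached:
            self._sync(target, self.attached[target])

    def handover(self, target, new_mag_id):  # PMIPv6 binding moves to a new MAG
        old = self.attached.get(target)
        if old is not None:
            self.mags[old].active.pop(target, None)   # old MAG ceases: target detached
        self.attached[target] = new_mag_id
        TRACE.append(("pmip", "LMA", new_mag_id, f"binding {target}"))
        if target in self.provisioned:
            self._sync(target, new_mag_id)

    def _sync(self, target, mag_id):         # ask the MD whether this location is in scope
        params = self.md.location_update(target, mag_id)
        if params is not None:                # LI TLVs ride on the PMIPv6 control plane
            TRACE.append(("pmip", "LMA", mag_id, f"LI params {target}"))
            self.mags[mag_id].active[target] = params


def run_handover_scenario():
    TRACE.clear()
    md = MediationDevice({"MAG-1", "MAG-3"},            # constructed location of interest
                         {"delivery": ("192.0.2.10", 5000), "key": "constructed-key"})
    mags = {m: MAG(m, md) for m in ("MAG-1", "MAG-2", "MAG-3")}
    lma, target = LMA(md, mags), "alice@partner-a"
    lma.handover(target, "MAG-1")            # target attaches before the intercept exists
    lma.provision_target(target)             # MD activates: MAG-1 is in scope
    mirrored = [mags["MAG-1"].uplink(target, b"p1")]
    lma.handover(target, "MAG-2")            # out of scope: MD tells the LMA to cease
    mirrored += [mags["MAG-2"].uplink(target, b"p2"), mags["MAG-1"].uplink(target, b"late")]
    lma.handover(target, "MAG-3")            # back in scope: MD re-activates
    mirrored.append(mags["MAG-3"].uplink(target, b"p3"))
    decisions = [t[3] for t in TRACE if t[0] == "e"]
    return {"mirrored": mirrored, "cc_mags": [m for m, _ in md.cc], "decisions": decisions}
```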