Cisco IOS Software Release 12.4(22)XR
Cisco Packet Data Serving Node Release 5.5 for Cisco IOS Release 12.4(22)XR9
OL-19026-02
– Converts the intercepted traffic into the format required by the LEA (which can vary from
country to country) and sends a copy of the intercepted traffic to the LEA without the target’s
knowledge.
Note: If multiple LEAs are performing intercepts on the same target, the mediation device
must make a copy of the intercepted traffic for each LEA. The mediation device is also
responsible for restarting any lawful intercepts that are disrupted due to a failure.
• Intercept Access Point—An intercept access point (IAP) is a device that provides information for
the lawful intercept.
• Collection Function—The collection function is a program that stores and processes traffic
intercepted by the service provider. The program runs on equipment at the LEA.
Lawful Intercept Processing
After acquiring a court order or warrant to perform surveillance, the LEA delivers a surveillance request
to the target’s service provider. Service provider personnel use an admin function that runs on the
mediation device to configure a lawful intercept to monitor the target’s electronic traffic for a specific
period of time (as defined in the court order).
After the intercept is configured, user intervention is no longer required. The admin function communicates
with other network devices to set up and execute the lawful intercept. The following sequence of events
occurs during a lawful intercept:
1. The admin function contacts the ID IAP for intercept-related information (IRI), such as the target’s
username and the IP address of the system, to determine which content IAP (router) the target’s traffic
passes through.
2. After identifying the router that handles the target’s traffic, the admin function sends SNMPv3 get
and set requests to the router’s MIBs to set up and activate the lawful intercept. The PDSN lawful
intercept MIBs include the CISCO-TAP2-MIB and the CISCO-MOBILITY-TAP-MIB.
3. During the lawful intercept, the router:
   a. Examines incoming and outgoing traffic and intercepts any traffic that matches the
   specifications of the lawful intercept request.
   b. Creates a copy of the intercepted traffic and forwards the original traffic to its destination so the
   target does not suspect anything.
   c. Encapsulates the intercepted traffic in UDP packets and forwards the packets to the mediation
   device without the target’s knowledge.
Note: The process of intercepting and duplicating the target’s traffic adds no detectable latency in
the traffic stream.
4. The mediation device converts the intercepted traffic into the required format and sends it to a
collection function running at the LEA. Here, the intercepted traffic is stored and processed.
Note: If the router intercepts traffic that is not allowed by the judicial order, the mediation device
filters out the excess traffic and sends the LEA only the traffic allowed by the judicial order.
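Step 2 says the intercept is set up through SNMPv3 requests to the tap MIBs, so any other SNMP path to those MIBs is worth auditing. The script below is an added example, not part of the Cisco documentation: it scans a router configuration for SNMP groups or communities that reach the lawful intercept MIBs without authenticated SNMPv3. The view names ciscoTap2MIB and ciscoMobilityTapMIB, the sample configuration, and the choice to treat v3 noauth as a finding are assumptions of the example.

```python
import re

# Assumption: view OID-tree names for CISCO-TAP2-MIB and CISCO-MOBILITY-TAP-MIB.
LI_MIBS = {"ciscotap2mib", "ciscomobilitytapmib"}
VIEW = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)", re.I)
GROUP = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?(.*)$", re.I)
COMMUNITY = re.compile(r"^snmp-server community \S+ view (\S+)", re.I)

# Constructed sample configuration (not taken from any real device).
SAMPLE = """\
snmp-server view liView ciscoTap2MIB included
snmp-server view liView ciscoMobilityTapMIB included
snmp-server view opsView system included
snmp-server group liGroup v3 priv read liView write liView notify liView
snmp-server group legacyGroup v2c read liView
snmp-server group weakGroup v3 noauth read liView write liView
snmp-server group opsGroup v2c read opsView
snmp-server community EXAMPLE-STRING view liView ro
"""


def audit_li_snmp(config):
    """List SNMP access paths to the LI MIBs that are not authenticated SNMPv3."""
    lines = [line.strip() for line in config.splitlines()]
    # Pass 1: collect the views that expose a lawful-intercept MIB.
    li_views = set()
    for line in lines:
        m = VIEW.match(line)
        if m and m.group(2).lower() in LI_MIBS and m.group(3).lower() == "included":
            li_views.add(m.group(1))
    # Pass 2: flag groups and communities that reach those views insecurely.
    findings = []
    for line in lines:
        g = GROUP.match(line)
        if g:
            name, version, level, rest = g.groups()
            used = set(re.findall(r"\b(?:read|write|notify) (\S+)", rest))
            weak = version.lower() != "v3" or (level or "").lower() == "noauth"
            if weak and used & li_views:
                findings.append(f"group {name}: {version} {level or ''}".strip())
        c = COMMUNITY.match(line)
        if c and c.group(1) in li_views:
            # The community string itself is deliberately not echoed.
            findings.append(f"community bound to LI view {c.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_li_snmp(SAMPLE):
        print(finding)
```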