Cisco IOS Software Release 12.2(33)SB
Cisco 10000 Series Router Lawful Intercept Configuration Guide
OL-3426-03
Chapter 1 Lawful Intercept Overview
Information About Lawful Intercept
Note
The content IAP sends a single copy of intercepted traffic to the mediation device. If
multiple LEAs are performing intercepts on the same target, the mediation device must make
a copy of the intercepted traffic for each LEA.
Collection Function
The collection function is a program that stores and processes traffic intercepted by the service provider.
The program runs on equipment at the LEA.
Lawful Intercept Processing
After acquiring a court order or warrant to perform surveillance, the LEA delivers a surveillance request
to the target’s service provider. Service provider personnel use an admin function that runs on the
mediation device to configure a lawful intercept to monitor the target’s electronic traffic for a specific
period of time (as defined in the court order).
After the intercept is configured, user intervention is no longer required. The admin function communicates
with other network devices to set up and execute the lawful intercept. The following sequence of events
occurs during a lawful intercept:
1. The admin function contacts the ID IAP for intercept related information (IRI), such as the target’s user
name and the IP address of their system, to determine which content IAP (router) the target’s traffic
passes through.
2. After identifying the router that handles the target’s traffic, the admin function issues SNMPv3 get
and set requests to the router’s MIBs to set up and activate the lawful intercept. The router’s MIBs
include the CISCO-TAP2-MIB, CISCO-IP-TAP-MIB, and
CISCO-USER-CONNECTION-TAP-MIB.
3. During the lawful intercept, the router:
   a. Examines incoming and outgoing traffic and intercepts any traffic that matches the
      specifications of the lawful intercept request.
   b. Creates a copy of the intercepted traffic and forwards the original traffic to its destination so the
      target does not suspect anything.
   c. Encapsulates the intercepted traffic in UDP packets and forwards the packets to the mediation
      device without the target’s knowledge.
Note
The process of intercepting and duplicating the target’s traffic adds no detectable latency in
the traffic stream.
4. The mediation device converts the intercepted traffic into the required format and sends it to a
collection function running at the LEA. Here, the intercepted traffic is stored and processed.
Note
If the router intercepts traffic that is not allowed by the judicial order, the mediation device
filters out the excess traffic and sends the LEA only the traffic allowed by the judicial order.
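The two mediation-device behaviors noted above (one copy per LEA from the single stream the content IAP sends, and withholding traffic that falls outside a judicial order) can be modeled as follows. This is an added illustration, not Cisco code: the `Order` fields, the packet dictionary layout, and the sample orders and packets are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Order:
    """Scope of one judicial order (hypothetical model, not a Cisco structure)."""
    lea: str
    target_net: str          # address range the order covers
    ports: frozenset         # permitted ports; empty set means any port
    start: datetime          # intercept period defined in the order
    end: datetime

    def allows(self, pkt):
        net = ip_network(self.target_net)
        on_target = ip_address(pkt["src"]) in net or ip_address(pkt["dst"]) in net
        port_ok = not self.ports or bool({pkt["sport"], pkt["dport"]} & self.ports)
        return self.start <= pkt["ts"] < self.end and on_target and port_ok

def mediate(packets, orders):
    """Fan the single intercepted stream out per LEA; withhold out-of-scope traffic."""
    deliveries = {o.lea: [] for o in orders}
    withheld = []
    for pkt in packets:
        recipients = [o.lea for o in orders if o.allows(pkt)]
        for lea in recipients:
            deliveries[lea].append(dict(pkt))   # each LEA gets its own copy
        if not recipients:
            withheld.append(pkt)                # excess traffic stays on the mediation device
    return deliveries, withheld

def _pkt(ts, src, sport, dst, dport):
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample data (documentation address ranges, invented orders).
ORDERS = [
    Order("LEA-A", "192.0.2.10/32", frozenset(), datetime(2024, 1, 1), datetime(2024, 2, 1)),
    Order("LEA-B", "192.0.2.10/32", frozenset({25}), datetime(2024, 1, 10), datetime(2024, 1, 20)),
]
PACKETS = [
    _pkt("2024-01-05T09:00:00", "192.0.2.10", 40000, "198.51.100.5", 80),   # LEA-A only
    _pkt("2024-01-12T09:00:00", "192.0.2.10", 40001, "198.51.100.5", 25),   # LEA-A and LEA-B
    _pkt("2024-02-02T09:00:00", "192.0.2.10", 40002, "198.51.100.5", 25),   # after both orders end
    _pkt("2024-01-15T09:00:00", "192.0.2.99", 40003, "198.51.100.5", 25),   # not the target
]

if __name__ == "__main__":
    deliveries, withheld = mediate(PACKETS, ORDERS)
    for lea, pkts in deliveries.items():
        print(lea, len(pkts))
    print("withheld", len(withheld))
```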