WO2023284942A1 - A request for information that identifies an access and mobility management function - Google Patents
- Publication number: WO2023284942A1 (application PCT/EP2021/069360)
- Authority: WO (WIPO (PCT))
- Prior art keywords: target, communicating entity, identifies, admf, amf
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/80—Arrangements enabling lawful interception [LI]
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
          - H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
Definitions
- Embodiments herein relate to a method performed by a computer system in a telecommunication network, said computer system hosting at least a lawful interception (LI) administrative function (ADMF), a unified data management function (UDM), and at least one access and mobility management function (AMF), corresponding computer systems as well as computer programs and carriers of such computer programs.
- LI lawful interception
- ADMF administrative function
- UDM unified data management function
- AMF access and mobility management function
- BACKGROUND Lawful interception of traffic between communicating entities in a telecommunication network involves interaction between several functions in a core network that is part of the telecommunication network.
- An ADMF, an AMF and a UDM are entities that are part of a fifth generation (5G) core network (5GC) as described in the 3rd Generation Partnership Project (3GPP) release 17 of the technical specification (TS) of LI architecture and functions, TS 33.127 V17.1.0.
- the ADMF comprises a Lawful Interception Control Function (LICF) and a Lawful Interception Provisioning Function (LIPF).
- the LICF receives so-called LI warrants from a law enforcement agency (LEA) and derives, from the warrants, necessary intercept information that is provided, via the LIPF, to points of interception (POI) in other 5GC entities such as the AMF.
- LEA law enforcement agency
- POI points of interception
- Communication between the entities in the 5GC is subject to technical specifications set by the European Telecommunications Standards Institute (ETSI).
- ETSI TS 103221-1, current version V1.8.1
- the ADMF, the AMF and the UDM exchange messages between each other on an X1 interface.
- 3GPP TS 33.127 V17.1.0 the most sensitive information in an LI context is the target list, i.e. information that specifies identities of communicating entities that are to be subject of LI.
- The security measures used by a communication service provider (CSP) of the telecommunication network to prevent unauthorized access to this list are not subject to standardization, but the architectural choices made in the design of the LI entities in the 5GC do directly impact the security of the target list.
- CSP communication service provider
- 3GPP TS 33.127 V17.1.0 provides the following architectural alternatives: a full target list available at every POI or a full target list available only in the LICF.
- a CSP may choose to deploy the full target list at all POIs, such that when a communicating entity, identified by a communicating entity identifier, arrives in the telecommunication network and commences registration, the POI is fully armed and in position to recognize if the target identifier is in the target list.
- 3GPP TS 33.127 V17.1.0 specifies provisioning for registered users.
- a CSP may choose to selectively distribute specific target identifiers to specific POIs, rather than distributing the full target list to all POIs.
- the POI shall query the ADMF/LICF to find out if the communicating entity identifier is part of the target list.
- the POI in the network function (NF) or network element (NE)
- NF network function
- NE network element
- the CSP may choose to delay completion of the registration for all communicating entities for the time it takes the ADMF/LICF to answer, thus inducing a registration delay in all registrations, whether the communicating entity is a target or not, or
- the CSP may choose to cache the reportable registration events while the POI- (ADMF/LICF)-POI query/reply communication is running, and either report them if the answer is positive, or delete them if the answer is negative.
- 3GPP TS 33.127 requires that the ADMF can poll every serving UDM POI for all target communicating entities and arm the associated POI, which implies that the UDM has an active POI and the communicating entity is a target in the UDM POI.
- an object of the present disclosure is to overcome drawbacks related to provision of LI target identifiers to entities in a core network in a telecommunication network.
- This object is achieved in a first aspect by a method performed by a computer system in a telecommunication network.
- the computer system is hosting at least an ADMF, a UDM and at least one AMF.
- the method of the first aspect comprises receiving, by the ADMF from a LEA via a first handover interface (HI1), a warrant for lawful interception associated with a target communicating entity identified by a target identifier.
- the ADMF transmits, to the UDM, a request for information that identifies an AMF that is currently serving the target communicating entity and receives, from the UDM, a response comprising the information that identifies the AMF that is currently serving the target communicating entity 101.
- the ADMF then transmits, to a POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity.
- such a method enables a CSP to selectively distribute target identifiers to POIs in AMFs where the target for LI is registered, rather than distributing the target identifiers to all instantiated AMFs in the core network. It has been recognized that there are scenarios where a communicating entity is subject to very low or even no mobility in the access network. In such cases, the serving AMF does not change over the time in which the communicating entity is registered, and it is inefficient to provision the POIs in all AMFs in the core network to ensure that LI is performed for the communication activities of the communicating entity.
- An advantage of such a method is that the target identifiers are provisioned only to the POI in the AMF where the communicating entities are registered, avoiding having a full target list at every POI, which in turn minimizes the risk of unauthorized access to sensitive information, i.e. information about targets, in an LI context.
- the transmitting by the ADMF to the UDM of a request for information that identifies the AMF that is currently serving the target communicating entity comprises transmitting over an X1 interface as specified in TS103221-1 by ETSI, a request message that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity.
- the receiving, by the ADMF from the UDM, of a response comprising the information that identifies the AMF that is currently serving the target communicating entity comprises receiving over the X1 interface as specified in technical specification 103221-1 by ETSI a response message that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity and a data field that identifies the AMF that is currently serving the target communicating entity.
- the response message comprises a data field that identifies a type of an access network in which the target communicating entity is communicating.
- the transmitting, by the ADMF to the POI in the AMF that is currently serving the target communicating entity, of the target identifier of the target communicating entity is conditionally performed depending on the type of access network in which the target communicating entity is communicating.
- the data field that identifies a type of an access network in which the target communicating entity is communicating may comprise information that the target communicating entity is communicating in a 3GPP radio access network (RAN), and as a consequence performing the transmitting, by the ADMF to the POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity 101.
- RAN 3GPP radio access network
- the data field that identifies a type of an access network in which the target communicating entity is communicating may comprise information that the target communicating entity is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting, by the ADMF to a POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity.
- a conditional transmission of the target identifier to the AMF provides advantages in that transmission to an AMF that serves communicating entities in non-3GPP access networks can be prevented, noting the fact that non-3GPP access networks may be subject to different legal regulations than 3GPP access networks in terms of LI. For example, if a local regulation does not require, or even forbids, interception of communications over non-3GPP access networks, it is not necessary to provide a POI in an AMF with target identifiers.
- a computer system comprising a processor and a memory, said memory containing instructions executable by said processor whereby said computer system is operative to/configured to perform a method as summarized above.
- a computer program comprising instructions which, when executed on at least one processor in a computer system, cause the computer system to carry out a method as summarized above.
- a carrier comprising the computer program as summarized above, wherein the carrier is one of an electronic signal, an optical signal, a radio signal and a computer readable storage medium.
- Figures 1a-b are schematically illustrated block diagrams of LI systems
- figure 2 is a flowchart of a method
- figure 3 is a signaling diagram illustrating signals transmitted in the method illustrated in figure 2
- figure 4 schematically illustrates a computer system
- figure 5 schematically illustrates a computer system.
- FIG 1a schematically illustrates a first functional representation of a telecommunication network 100 comprising a core network 105 and an access network 103 in which two communicating entities, a first communicating entity 101 and a second communicating entity 102 are connected.
- the access network may, e.g., be in the form of a 3GPP radio access network (RAN) or any other type of non-3GPP communication network that may connect to the core network 105
- the core network 105 may be, e.g., an Evolved Packet Core (EPC), a 5G core network (5GC) or any future core network in which the skilled person would understand that the methods and arrangements described herein can be implemented in.
- the core network 105 may be the core network of a serving network (SN), which may be a Home Public Land Mobile Network (HPLMN).
- SN serving network
- HPLMN Home Public Land Mobile Network
- the core network 105 may comprise network elements (NE) (used interchangeably with NF throughout this disclosure) in the form of an AMF 107 and an UDM 117.
- NE network elements
- the AMF 107 handles access and mobility functions as well as provides or facilitates delivery, to other network elements, of location information associated with the communicating entities 101, 102, and the UDM 117 provides the unified data management for the communicating entities 101, 102.
- the UDM 117 also comprises a user information function (UIF) 118, the functionality of which will be described in some more detail below.
- UIF user information function
- 5G core network NEs include, e.g., a policy control function (PCF), a session management function (SMF), an SMS-Function (SMSF) etc.
- PCF policy control function
- SMF session management function
- SMSF SMS-Function
- network elements may include a mobility management entity (MME), a serving gateway (S-GW), a packet data network gateway (P-GW) etc.
- MME mobility management entity
- S-GW serving gateway
- P-GW packet data network gateway
- a common characteristic of such functional units, as represented by the AMF 107 and the UDM 117, in the core network 105 is that they may comprise LI functionality in the form of a POI.
- a POI is in figure 1a thus depicted as respective POIs 135, 136 being a part of the AMF 107 and the UDM 117, or embedded therein, but a POI may also be separate from network elements with which it is associated.
- the core network 105 also comprises an administrative function (ADMF) 108 (also called LI ADMF) and a mediation and delivery function (MDF) 132 that connects to a law enforcement agency (LEA) 131.
- the ADMF 108 comprises functional units including a lawful interception control function (LICF) 114 and a lawful interception provisioning function (LIPF) 113.
- the LICF 114 receives warrants from the LEA 131, derives the intercept information from the warrant and provides it to the LIPF 113, which provides the intercept information to POIs in network elements in the core network 105.
- the LICF 114 controls the management of the end-to-end life cycle of a warrant.
- the LICF 114 contains a master record of all sensitive information and LI configuration data.
- the LICF 114 is ultimately responsible for all decisions within the overall LI system.
- the LICF 114 via the LIPF 113 acting as its proxy is responsible for auditing other LI components (POIs, MDFs etc.).
- the LICF 114 is responsible for communication with the LEA 131.
- the LICF 114 provides the intercept information derived from the warrant for provisioning at a POI. With the exception of the communication with the LEA 131, all other communication between the LICF 114 and any other entities is proxied by the LIPF 113.
- the ADMF 108 also comprises a user query function (UQF) 115, the functionality of which will be described in some more detail below.
- UQF user query function
- Within the MDF 132 a mediation function (MF) 133 and a delivery function (DF) 134 are configured to handle an intercept product in the form of intercept related information (IRI) and content of communication (CC) received from the POIs 135, 136 and provide the IRI and CC to the LEA 131.
- the LEA 131 manages a LEA communication device in the form of a law enforcement monitoring facility (LEMF) 136, which receives IRI and CC from the DF 134.
- LEMF law enforcement monitoring facility
- the ADMF 108 communicates with at least the MF 133, DF 134, the POIs 135, 136 via the X1 interface.
- the ADMF 108 also communicates with the LEA 131 via an HI1 interface, and the DF 134 communicates with the LEMF 136 in the LEA 131 via HI2 and HI3 interfaces.
- FIG. 1b schematically illustrates the telecommunication network 100 as it is realized using hardware wherein virtual network functions (VNF) are executed on virtual nodes 110 that utilize a hardware server platform 170.
- VNF virtual network functions
- the MF 133, the DF 134, the ADMF 108 with its LIPF 113, LICF 114 and UQF 115, the AMF 107, the UDM 117 and the POIs 135, 136 are realized in a functional layer 130 of VNFs that execute in the virtual nodes 110 via a virtualization layer 120.
- a virtual node 111 is a collection of software instructions as well as associated data 112 as the skilled person will realize.
- the LEA 131 with its LEMF 136 is connected to the hardware platform 170 via an intermediate network 109, the details of which are outside the scope of the present disclosure.
- communication between entities via the X1, X2, X3, HI1, HI2 and HI3 interfaces takes place as described above in connection with figure 1a.
- With reference to the flowchart illustrated in figure 2 and the signalling diagram illustrated in figure 3, and with continued reference to figures 1a-b, embodiments of methods in the telecommunication network 100 will be described in some more detail. The embodiments will exemplify how the various functional units described above may be enhanced in order to provide the effect and advantages associated with provision of LI target identifiers to entities in a core network.
- Figure 2 and figure 3 illustrate a method that comprises actions performed by a computer system in a telecommunication network 100, said computer system hosting at least the ADMF 108, the UDM 117, and at least one AMF 107, 119, introduced and described above in connection with figures 1a-b:
- the ADMF 108 receives, from the LEA 131, via a first handover interface, HI1, a warrant 301 for lawful interception associated with a target communicating entity 101 identified by a target identifier.
- the ADMF 108 transmits, to the UDM 117, a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101.
- the ADMF 108 receives, from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101.
- the ADMF 108 transmits, to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
- the transmitting in action 203, by the ADMF 108 to the UDM 117, a request for information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises transmitting over an X1 interface, as specified in TS 103221-1, e.g. V1.8.1 and V1.7.1, by ETSI, a request message 305 that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity 101.
- the receiving 205, by the ADMF 108 from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises receiving over the X1 interface as specified in technical specification 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI a response message 307 that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity 101 and a data field that identifies the AMF 107 that is currently serving the target communicating entity 101.
- the transmission in action 207 by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, of the target identifier of the target communicating entity 101 may take place using, e.g., an X1 ActivateTask message as specified in TS 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI.
- the response message 307 received by the ADMF 108 in action 205 comprises a data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating.
- the transmitting in action 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101 the target identifier of the target communicating entity 101 is conditionally performed 208 depending on the type of access network in which the target communicating entity 101 is communicating.
- In the case of the conditionally performed transmission in action 207, if the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in a 3GPP RAN, the consequence is performing the transmitting in action 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, of the target identifier of the target communicating entity 101.
- If the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in an access network that is not a 3GPP RAN, the consequence is not performing the transmitting 207, by the ADMF 108 to a POI 135 in the AMF 107 that is currently serving the target communicating entity 101, of the target identifier of the target communicating entity 101.
- Conditionally performed transmission of the target identifier to the POI 135 in the AMF 107 enables prevention of transmission to an AMF that serves communicating entities in non-3GPP access networks, noting the fact that non-3GPP access networks may be subject to different legal regulations than 3GPP access networks in terms of LI. For example, if a local regulation does not require, or even forbids, interception of communications over non-3GPP access networks, it is not necessary to provide a POI in an AMF with target identifiers.
- the conditionally performed transmission of the target identifier to the POI 135 in the AMF 107 may hence involve checking whether or not such a regulatory requirement exists and, as a consequence of such a check, performing or not performing the transmission of the target identifier to the POI 135 in the AMF 107.
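The provisioning decision of actions 203 to 208, as an added example that is not part of the patent or of any 3GPP/ETSI specification: a Python model in which the UIF registration cache, the dict-shaped request and response messages and their field names, the AMF identifiers and the "non-3GPP LI required" regulatory flag are all constructed assumptions. It makes the advantage of selective distribution measurable: after the warrants are processed, each target identifier exists in at most one POI, whereas a full-target-list deployment would place it in every POI.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class AccessType(Enum):
    """Value of the (assumed) access-type field in the GetUserDetailsResponse."""
    THREE_GPP_RAN = "3GPP_RAN"   # e.g. NR or LTE access
    NON_3GPP = "NON_3GPP"        # e.g. WLAN access reaching the 5GC


@dataclass
class Poi:
    """Point of interception embedded in an AMF; it only ever holds what the ADMF sent it."""
    amf_id: str
    armed_targets: Set[str] = field(default_factory=set)

    def activate_task(self, target_identifier: str) -> None:
        # Stands in for the X1 ActivateTask message of action 207.
        self.armed_targets.add(target_identifier)


@dataclass
class Uif:
    """User information function in the UDM: a registration cache kept until deregistration.
    Constructed sample cache; a real UIF would be fed by the UDM's own registration events."""
    registrations: Dict[str, Tuple[str, AccessType]]   # target id -> (serving AMF, access type)

    def get_user_details(self, request: dict) -> dict:
        """Answer a GetUserDetailsRequest (field names are assumptions, not the patent's tables)."""
        response = {"request_id": request["request_id"], "user_identifier": request["user_identifier"]}
        entry = self.registrations.get(request["user_identifier"])
        response["serving_amf"] = entry[0] if entry else None
        response["access_type"] = entry[1] if entry else None
        return response


class Admf:
    """ADMF side of actions 201-208."""

    def __init__(self, uif: Uif, pois: Dict[str, Poi], non_3gpp_li_required: bool) -> None:
        self.uif = uif
        self.pois = pois                                  # amf_id -> its embedded POI
        self.non_3gpp_li_required = non_3gpp_li_required  # assumed regulatory policy flag
        self.audit_log: List[Tuple[str, Optional[str], str]] = []
        self._next_request_id = 1

    def handle_warrant(self, target_identifier: str) -> Optional[str]:
        """Action 201 is the call itself; returns the AMF whose POI was armed, or None."""
        request = {"request_id": self._next_request_id, "user_identifier": target_identifier}
        self._next_request_id += 1
        response = self.uif.get_user_details(request)      # actions 203 and 205
        amf_id = response["serving_amf"]
        if amf_id is None:
            self.audit_log.append((target_identifier, None, "not registered"))
            return None
        # Action 208: the conditional step. Non-3GPP access is provisioned only if regulation requires it.
        if response["access_type"] is AccessType.NON_3GPP and not self.non_3gpp_li_required:
            self.audit_log.append((target_identifier, amf_id, "non-3GPP access, not provisioned"))
            return None
        self.pois[amf_id].activate_task(target_identifier)   # action 207
        self.audit_log.append((target_identifier, amf_id, "provisioned"))
        return amf_id


def run_demo() -> dict:
    """Constructed scenario: three AMFs, one 3GPP target, one non-3GPP target, one unknown identifier."""
    target_3gpp = "imsi-001010123456789"      # constructed identifiers, not real subscribers
    target_non3gpp = "imsi-001010999999999"
    pois = {amf: Poi(amf) for amf in ("amf-1", "amf-2", "amf-3")}
    uif = Uif({
        target_3gpp: ("amf-2", AccessType.THREE_GPP_RAN),
        target_non3gpp: ("amf-3", AccessType.NON_3GPP),
    })
    admf = Admf(uif, pois, non_3gpp_li_required=False)
    results = {
        "armed_for_3gpp": admf.handle_warrant(target_3gpp),
        "armed_for_non3gpp": admf.handle_warrant(target_non3gpp),
        "armed_for_unknown": admf.handle_warrant("imsi-001010000000000"),
    }
    # Exposure measure: in how many POIs does each identifier now exist?
    # A full-target-list deployment would give len(pois) for every target.
    results["copies"] = {t: sum(t in p.armed_targets for p in pois.values())
                         for t in (target_3gpp, target_non3gpp)}
    results["full_list_copies"] = len(pois)
    results["audit_entries"] = len(admf.audit_log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The audit log is the record an LI auditor would ask for: every warrant yields exactly one entry saying which POI received the identifier, or why none did. Flipping `non_3gpp_li_required` to `True` is the only change needed to model a jurisdiction where non-3GPP access is also subject to interception.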
- the reception in action 201 by the ADMF 108 of the warrant 301 takes place in the LICF 114.
- the LICF 114 then creates an ADMF-internal query to the UQF 115, the UQF 115 being a function responsible for receiving and responding to LICF real-time queries for getting user registration information.
- the UQF 115 is a sub-function of the ADMF 108.
- the communication between the LICF 114 and the UQF 115 may take place using an ADMF-internal interface, e.g. denoted LI_XUQF.
- the LI_XUQF interface may be used by the LICF 114 to send a registration information query 303 to the UQF 115 and from the UQF 115 to return the registration information to the LICF 114 in a response 309, the registration information being information that identifies an AMF 107 that is currently serving the target communicating entity 101.
- information that may be passed over LI_XUQF from the UQF 115 to the LICF 114 include:
- Having received the response 309, the LICF 114 then transmits an ADMF-internal request 311 via the ADMF-internal interface LI_ADMF to the LIPF 113, the request 311 comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101.
- the LIPF 113 then transmits an ActivateTaskRequest message as specified in TS 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101.
- the UQF 115 transmits a registration information query to the UIF 118 in the UDM 117 and receives from the UIF 118 the registration information in response.
- the UIF 118 is a function responsible for caching the registration information detected in the UDM 117 and responding to queries from the UQF 115.
- the UIF 118 stores the registration information detected in the UDM 117 and holds it indefinitely until deregistration.
- the UIF 118 may be co-located with UDM 117.
- the UIF 118 is a function of the UDM 117 that is protected from unauthorized access to the same extent as a POI is protected from unauthorized access, whereas other functionality of the UDM 117 may be less protected from unauthorized access.
- Such communication between the UQF 115 and the UIF may take place using an interface, e.g. denoted LI_XUQR.
- the LI_XUQR interface may pass information from the UQF 115 to the UIF 118:
- information that may be passed over the LI_XUQR interface from the UIF 118 to the UQF 115 include:
- the LI_XUQR interface between the UQF 115 in the ADMF 108 and the UIF 118 in the UDM 117 may be implemented by means of an addition to the X1 interface, as indicated herein.
- the transmission by the ADMF 108 to the UDM 117, in action 203, of a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101 may be realized by a message, e.g. denoted GetUserDetailsRequest, having data fields according to table 1 (Table 1: GetUserDetailsRequest).
- user identifier is to be understood as identifier of a target that is to be subject to LI, as requested by the LEA 131.
- the field M/C/O specifies whether the data in the field is mandatory, conditional or optional, as the skilled person will realize.
- the acronyms SUPIIMSI, SUPINAI, PEIIMEI, PEIIMEISV, GPSINAI and GPSIMSISDN have the following meanings:
- SUPIIMSI Subscription Permanent Identifier in IMSI format as defined in ETSI TS 103280, where IMSI is short for International Mobile Subscriber Identity.
- SUPINAI Subscription Permanent Identifier in NAI format as defined in ETSI TS 103280, where NAI is short for Network Access Identifier.
- PEIIMEI Permanent Equipment Identifier in IMEI format as defined in ETSI TS 103280, where IMEI is short for International Mobile station Equipment Identity.
- PEIIMEISV Permanent Equipment Identifier in IMEISV format as defined in ETSI TS 103280, where IMEISV is short for International Mobile station Equipment Identity and Software Version Number.
- GPSINAI Generic Public Subscription Identifier in NAI format as defined in ETSI TS 103 280.
- GPSIMSISDN Generic Public Subscription Identifier in MSISDN format as defined in ETSI TS 103280, where MSISDN is short for Mobile Station International PSTN/ISDN number, where PSTN is short for Public Switched Telephone Network and ISDN is short for Integrated Services Digital Network.
- the reception by the ADMF 108 from the UDM 117, in action 205, of a response comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101 may be realized by a message, e.g. denoted GetUserDetailsResponse, having data fields according to table 2:
- user identifier is to be understood as identifier of a target that is to be subject to LI, as requested by the LEA 131.
- the field M/C/O specifies whether the data in the field is mandatory, conditional or optional, as the skilled person will realize.
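The identifier types listed above and the M/C/O field rules of tables 1 and 2, as an added example that is not part of the patent: a Python check that an ADMF could apply before a GetUserDetailsRequest leaves for the UDM and when the GetUserDetailsResponse comes back. The field names (requestId, userIdentifier, servingAmf, accessType) are assumptions, since the page does not reproduce the tables, and the syntax rules are the conventional simplified ones (IMSI up to 15 digits, IMEI 14 or 15, IMEISV 16, MSISDN up to 15, NAI as user@realm), not a full implementation of the ETSI TS 103280 definitions. A malformed identifier is rejected locally rather than sent to the UDM, where it would silently match nothing and leave the target unprovisioned.

```python
import re
from typing import Dict

# Simplified syntax per identifier type (assumption: conventional digit-count rules,
# not a parser of the ETSI TS 103280 definitions the patent refers to).
_RULES: Dict[str, re.Pattern] = {
    "SUPIIMSI":   re.compile(r"\d{6,15}"),          # MCC + MNC + MSIN
    "SUPINAI":    re.compile(r"[^@\s]+@[^@\s]+"),   # user@realm
    "PEIIMEI":    re.compile(r"\d{14,15}"),         # 14 digits, optionally with check digit
    "PEIIMEISV":  re.compile(r"\d{16}"),            # IMEI (14) + 2-digit software version
    "GPSINAI":    re.compile(r"[^@\s]+@[^@\s]+"),
    "GPSIMSISDN": re.compile(r"\+?\d{1,15}"),       # E.164 number, optional leading '+'
}


def is_well_formed(id_type: str, value: str) -> bool:
    """True if value has the expected shape for the given X1 identifier type."""
    rule = _RULES.get(id_type)
    return rule is not None and rule.fullmatch(value) is not None


def build_get_user_details_request(request_id: str, id_type: str, value: str) -> dict:
    """ADMF -> UDM request: one field identifying the request, one identifying the target.
    Field names requestId and userIdentifier are assumptions (table 1 is not on the page)."""
    if not is_well_formed(id_type, value):
        raise ValueError(f"refusing to query the UDM with a malformed {id_type}: {value!r}")
    return {"requestId": request_id, "userIdentifier": {"type": id_type, "value": value}}


def parse_get_user_details_response(request: dict, response: dict) -> dict:
    """Check a UDM -> ADMF response against the request it answers.
    Treated as mandatory (M): requestId, userIdentifier, servingAmf.
    Treated as conditional (C): accessType, present only when the UDM knows it.
    Field names are assumptions (table 2 is not on the page)."""
    if response.get("requestId") != request["requestId"]:
        raise ValueError("response does not echo the request identifier")
    if response.get("userIdentifier") != request["userIdentifier"]:
        raise ValueError("response refers to a different user identifier")
    if "servingAmf" not in response:
        raise ValueError("mandatory field servingAmf is missing")
    return {"servingAmf": response["servingAmf"], "accessType": response.get("accessType")}


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    req = build_get_user_details_request("r-1", "SUPIIMSI", "001010123456789")
    resp = {"requestId": "r-1", "userIdentifier": req["userIdentifier"],
            "servingAmf": "amf-2", "accessType": "3GPP_RAN"}
    print(parse_get_user_details_response(req, resp))
```

Matching the echoed request identifier and user identifier is what lets the ADMF pair a late or reordered response with the warrant it belongs to; provisioning the AMF named in a response that answers a different identifier would arm the wrong POI.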
- the computer system 400 which may correspond to at least part of the telecommunication network 100, comprises at least a processor 402 and a memory 404.
- the memory 404 contains instructions executable by the processor 402 whereby the computer system 400 is hosting at least a lawful interception administrative function 108, ADMF, a unified data management function 117, UDM, and at least one access and mobility management function 107, 119, AMF, and where the computer system 400 is operative to/configured to:
- the computer system 400 comprises one or more compute hosts 411, said one or more compute hosts 411 comprising at least a processor 402 and a memory 404.
- the instructions that are executable by the processor 402 may be software in the form of a computer program 443.
- the computer program 443 may be contained in or by a carrier 442, which may provide the computer program 443 to the memory 404 and processor 402.
- the carrier 442 may be in any suitable form including an electronic signal, an optical signal, a radio signal or a computer readable storage medium.
- the computer system 400 is operative/configured such that:
- a request for information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises transmitting over an X1 interface as specified in technical specification
- a request message 305 that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity 101, and
- a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises receiving over the X1 interface as specified in technical specification 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI a response message 307 that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity 101 and a data field that identifies the AMF 107 that is currently serving the target communicating entity 101.
- X1 interface as specified in TS 103221-1 is intended to cover all X1 interfaces that fulfil the technical specification of e.g. V1.7.1 and V1.8.1 even if not explicitly mentioned as being configured according to exactly one of those versions.
- the reference to TS 103221-1 is intended to also include future standard specifications of TS 103221-1 as long as they include the features of the published specifications at the time of filing this application.
- the computer system 400 is operative/configured such that:
- the response message 307 comprises a data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating, and
- the target identifier of the target communicating entity 101 is conditionally performed 208 depending on the type of access network in which the target communicating entity 101 is communicating.
- the computer system 400 is operative/configured such that the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in a 3rd generation partnership project,
- the computer system 400 is operative/configured such that the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
- FIG. 5 a computer system 500 will be described in some detail.
- the computer system 500 comprises:
- a receiving module 501 configured to receive, by an ADMF 108 from a LEA 131 via a first handover interface, HI1, a warrant 301 for lawful interception associated with a target communicating entity 101 identified by a target identifier,
- a transmitting module 503 configured to transmit, by the ADMF 108 to an UDM 117, a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101,
- a receiving module 505 configured to receive, by the ADMF 108 from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101, and
- the computer system 500 may comprise further modules that are configured to perform in a similar manner as, e.g., a computer system 400 described above in connection with figure 4.
Abstract
A computer system in a telecommunication network (100) hosts a lawful interception administrative function, ADMF (108), a unified data management function, UDM (117), and an access and mobility management function, AMF (107). The ADMF (108) receives from a law enforcement agency a warrant for lawful interception associated with a target communicating entity identified by a target identifier. The ADMF (108) transmits, to the UDM (117), a request for information that identifies an AMF (107) that is currently serving the target communicating entity and receives, from the UDM (117), a response comprising the information that identifies the AMF (107) that is currently serving the target communicating entity (101). The ADMF (108) transmits, to a point of interception in the AMF (107) that is currently serving the target communicating entity, the target identifier of the target communicating entity. Communication system providers are thus enabled to selectively distribute target identifiers to POIs in AMFs where the target for lawful interception is registered, rather than distributing the target identifiers to all instantiated AMFs in a core network.
Description
A REQUEST FOR INFORMATION THAT IDENTIFIES AN ACCESS AND MOBILITY MANAGEMENT FUNCTION
TECHNICAL FIELD
Embodiments herein relate to a method performed by a computer system in a telecommunication network, said computer system hosting at least a lawful interception (LI) administrative function (ADMF), a unified data management function (UDM), and at least one access and mobility management function (AMF), corresponding computer systems as well as computer programs and carriers of such computer programs.
BACKGROUND
Lawful interception of traffic between communicating entities in a telecommunication network involves interaction between several functions in a core network that is part of the telecommunication network. For the purpose of the present disclosure, it is enough to mention an ADMF, an AMF and a UDM; these entities are part of a fifth generation (5G) core network (5GC) as described in the 3rd Generation Partnership Project (3GPP) release 17 of the technical specification (TS) of LI architecture and functions, TS 33.127 V17.1.0. The ADMF comprises a Lawful Interception Control Function (LICF) and a Lawful Interception Provisioning Function (LIPF). The LICF receives so-called LI warrants from a law enforcement agency (LEA) and derives, from the warrants, the necessary intercept information that is provided, via the LIPF, to points of interception (POI) in other 5GC entities such as the AMF. Communication between the entities in the 5GC is subject to technical specifications set by the European Telecommunications Standards Institute (ETSI). According to ETSI TS 103221-1 (current version V1.8.1), the ADMF, the AMF and the UDM exchange messages with each other over an X1 interface.
As indicated in 3GPP TS 33.127 V17.1.0, clause 8.2, the most sensitive information in an LI context is the target list, i.e. the information that specifies the identities of communicating entities that are to be subject to LI. The security measures used by a communication service provider (CSP) of the telecommunication network to prevent unauthorized access to this list are not subject to standardization, but the architectural choices made in the design of the LI entities in the 5GC do directly impact the security of the target list.
More specifically, 3GPP TS 33.127 V17.1.0 provides the following architectural alternatives: a full target list available at every POI, or a full target list available only in the LICF. With regard to the alternative of having a full target list at every POI, a CSP may choose to deploy the full target list at all POIs, such that when a communicating entity, identified by a communicating entity identifier, arrives in the telecommunication network and commences registration, the POI is fully armed and in a position to recognize whether that identifier is in the target list. Moreover, 3GPP TS 33.127 V17.1.0 specifies provisioning for registered users.
With regard to the alternative of having a full target list only in the LICF, a CSP may choose to selectively distribute specific target identifiers to specific POIs, rather than distributing the full target list to all POIs. When the communicating entity arrives in the telecommunication network and commences registration, the POI shall query the ADMF/LICF to find out if the communicating entity identifier is part of the target list. As the registration sequence progresses, the POI in the network function (NF) (or network element (NE)) with which the communicating entity is registering is waiting for a response from the ADMF/LICF. When the reply arrives, the POI can act if the reply is positive. If the reply is negative, the POI's involvement ends.
A choice to provide the full target list to every POI is the simplest, and also the riskiest, since the compromise of any NF leaks the complete target list. This risk is mitigated by the architectural choice to handle the full target list only in the LICF. However, such a solution introduces a race condition: depending on the duration of the POI-(ADMF/LICF)-POI round trip for the query/reply communication, some reportable events, i.e. events relating to communication by the communicating entity that is to be subject to LI, may occur before the reply arrives and be missed. To mitigate this there are two further alternatives:
1) the CSP may choose to delay completion of the registration for all communicating entities for the time it takes the ADMF/LICF to answer, thus inducing a registration delay in all registrations, whether the communicating entity is a target or not, or
2) the CSP may choose to cache the reportable registration events while the POI-(ADMF/LICF)-POI query/reply communication is running, and either report them if the answer is positive, or delete them if the answer is negative.
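The race between the progressing registration and the POI's query to the ADMF/LICF, and the cache-and-decide mitigation of alternative 2, can be made concrete with a small simulation. This is an added example and not text or code from the patent: the target list, the event names and the scripted timeline are constructed sample data, and the ADMF/LICF lookup is a local function standing in for the query/reply round trip.

```python
# Added example: simulation of the POI-(ADMF/LICF)-POI race and of the
# cache-and-decide mitigation (alternative 2).  Target list, event names and
# the timeline are constructed sample data; this is not code from the patent.

# The full target list exists only in the LICF (second architectural alternative).
LICF_TARGET_LIST = {"262011234567890"}


def licf_is_target(identity):
    """ADMF/LICF side of the POI query: the one place holding the full list."""
    return identity in LICF_TARGET_LIST


class Poi:
    """POI in an NF (e.g. an AMF) that holds no target list of its own."""

    def __init__(self, cache_while_pending):
        self.cache_while_pending = cache_while_pending
        self.pending = {}         # identity -> events buffered while the query is outstanding
        self.armed = set()        # identities confirmed as targets by the LICF
        self.delivered = []       # (identity, event) pairs handed to the MDF over X2
        self.discarded_count = 0  # buffered events deleted after a negative reply

    def on_registration_start(self, identity):
        """Registration begins: the query to the ADMF/LICF leaves here and the
        reply arrives later through on_admf_reply()."""
        self.pending[identity] = []

    def on_event(self, identity, event):
        """A reportable event for the identity occurs."""
        if identity in self.armed:
            self.delivered.append((identity, event))
        elif identity in self.pending and self.cache_while_pending:
            self.pending[identity].append(event)
        # Otherwise the reply is still outstanding and nothing is cached:
        # this is the race, and the event is lost.

    def on_admf_reply(self, identity, is_target):
        """Reply to the query: release the buffer to the MDF, or delete it."""
        buffered = self.pending.pop(identity, [])
        if is_target:
            self.armed.add(identity)
            self.delivered.extend((identity, event) for event in buffered)
        else:
            self.discarded_count += len(buffered)


# Constructed timeline: two registrations, events that occur before the
# ADMF/LICF reply arrives, then events after the reply.
TIMELINE = [
    ("reg_start", "262011234567890"),
    ("event", "262011234567890", "RegistrationRequest"),
    ("event", "262011234567890", "LocationUpdate"),
    ("reg_start", "262019876543210"),
    ("event", "262019876543210", "RegistrationRequest"),
    ("admf_reply", "262011234567890"),
    ("admf_reply", "262019876543210"),
    ("event", "262011234567890", "PduSessionEstablishment"),
    ("event", "262019876543210", "PduSessionEstablishment"),
]


def run(cache_while_pending):
    """Replays the timeline against one POI and returns it for inspection."""
    poi = Poi(cache_while_pending)
    for step in TIMELINE:
        kind, identity = step[0], step[1]
        if kind == "reg_start":
            poi.on_registration_start(identity)
        elif kind == "event":
            poi.on_event(identity, step[2])
        else:  # admf_reply: the LICF answers from its list
            poi.on_admf_reply(identity, licf_is_target(identity))
    return poi


if __name__ == "__main__":
    for caching in (False, True):
        poi = run(caching)
        print("cache while pending:", caching,
              "| delivered:", [event for _, event in poi.delivered],
              "| discarded:", poi.discarded_count)
```

Without the cache, the two events raised before the LICF's positive reply are never reported; with it, they are released once the reply arrives, and the non-target's buffered event is deleted rather than retained in the POI.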
With regard to provisioning of registered users, 3GPP TS 33.127 requires that the ADMF can poll every serving UDM POI for all target communicating entities and arm the associated POI, which implies that the UDM has an active POI and that the communicating entity is a target in the UDM POI.
SUMMARY
In view of the above, an object of the present disclosure is to overcome drawbacks related to provision of LI target identifiers to entities in a core network in a telecommunication network. This object is achieved in a first aspect by a method performed by a computer system in a telecommunication network. The computer system is hosting at least an ADMF, a UDM and at least one AMF.
The method of the first aspect comprises receiving, by the ADMF from a LEA via a first handover interface (HI1), a warrant for lawful interception associated with a target communicating entity identified by a target identifier. The ADMF transmits, to the UDM, a request for information that identifies an AMF that is currently serving the target communicating entity and receives, from the UDM, a response comprising the information that identifies the AMF that is currently serving the target communicating entity. The ADMF then transmits, to a POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity.
In other words, such a method enables a CSP to selectively distribute target identifiers to POIs in AMFs where the target for LI is registered, rather than distributing the target identifiers to all instantiated AMFs in the core network. It has been recognized that there are scenarios where a communicating entity is subject to very low or even no mobility in the access network. In such cases, the serving AMF does not change during the time in which the communicating entity is registered, and it is inefficient to provision the POIs in all AMFs in the core network to ensure that LI is performed for the communication activities of the communicating entity. An advantage of such a method is that the target identifiers are provisioned only to the POI in the AMF where the communicating entities are registered, avoiding a full target list at every POI, which in turn minimizes the risk of unauthorized access to sensitive information, i.e. information about targets, in an LI context.
In some embodiments, the transmitting by the ADMF to the UDM of a request for information that identifies the AMF that is currently serving the target communicating entity comprises transmitting over an X1 interface as specified in TS 103221-1 by ETSI, a request message that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity. In such embodiments, the receiving, by the ADMF from the UDM, of a response comprising the information that identifies the AMF that is currently serving the target communicating entity comprises receiving over the X1 interface as specified in technical specification 103221-1 by ETSI a response message that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity and a data field that identifies the AMF that is currently serving the target communicating entity.
That is, by implementing the method using the X1 interface, an already existing infrastructure of signalling methods may be utilized by the introduction of new request and response messages as defined herein.
In some embodiments, the response message comprises a data field that identifies a type of an access network in which the target communicating entity is communicating. In such embodiments, the transmitting, by the ADMF to the POI in the AMF that is currently serving the target communicating entity, of the target identifier of the target communicating entity is conditionally performed depending on the type of access network in which the target communicating entity is communicating.
The data field that identifies a type of an access network in which the target communicating entity is communicating may comprise information that the target communicating entity is communicating in a 3GPP radio access network (RAN), and as a consequence performing the transmitting, by the ADMF to the POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity 101.
Alternatively, the data field that identifies a type of an access network in which the target communicating entity is communicating may comprise information that the target communicating entity is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting, by the ADMF to a POI in the AMF that is currently serving the target communicating entity, the target identifier of the target communicating entity.
In other words, a conditional transmission of the target identifier to the AMF provides advantages in that transmission to an AMF that serves communicating entities in non-3GPP access networks can be prevented, noting that non-3GPP access networks may be subject to different legal regulations than 3GPP access networks in terms of LI.
For example, if a local regulation does not require, or even forbids, interception of communications over non-3GPP access networks, it is not necessary to provide a POI in such an AMF with target identifiers.
In a further aspect, there is provided a computer system comprising a processor and a memory, said memory containing instructions executable by said processor whereby said computer system is operative to/configured to perform a method as summarized above.
In yet a further aspect, there is provided a computer program comprising instructions which, when executed on at least one processor in a computer system, cause the computer system to carry out a method as summarized above.
In yet a further aspect, there is provided a carrier, comprising the computer program as summarized above, wherein the carrier is one of an electronic signal, an optical signal, a radio signal and a computer readable storage medium.
These further aspects and embodiments of these further aspects provide the same effects and advantages as summarized above in connection with the method of the first aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
Figures 1a-b are schematically illustrated block diagrams of LI systems, figure 2 is a flowchart of a method, figure 3 is a signaling diagram illustrating signals transmitted in the method illustrated in figure 2, figure 4 schematically illustrates a computer system, and figure 5 schematically illustrates a computer system.
DETAILED DESCRIPTION
Figure 1a schematically illustrates a first functional representation of a telecommunication network 100 comprising a core network 105 and an access network 103 in which two communicating entities, a first communicating entity 101 and a second communicating entity 102, are connected. The access network may, e.g., be in the form of a 3GPP radio access network (RAN) or any other type of non-3GPP communication network that may connect to the core network 105. The core network 105 may be, e.g., an Evolved Packet Core (EPC), a 5G core network (5GC) or any future core network in which, as the skilled person would understand, the methods and arrangements described herein can be implemented. The core network 105 may be the core network of a serving network (SN), which may be a Home Public Land Mobile Network (HPLMN).
As the skilled person will realize, communication performed by the first and second communicating entities 101, 102 is enabled by several functional units in both the access network 103 and the core network 105. In a 5G context, the core network 105 may comprise network elements (NE) (used interchangeably with NF throughout this disclosure) in the form of an AMF 107 and an UDM 117. As the skilled person will realize, the AMF 107 handles access and mobility functions as well as provides or facilitates delivery, to other network elements, of location information associated with the communicating entities 101, 102, and the UDM 117 provides the unified data management for the communicating entities 101, 102. As illustrated in figure 1a, the UDM 117 also comprises a user information function (UIF) 118, the functionality of which will be described in some more detail below. It is to be noted that the concept of "user" herein is to be understood as an identifier of a communicating entity. Specifically, a target user is to be understood as a target communicating entity identified by a target identifier.
Other 5G core network NEs include, e.g., a policy control function (PCF), a session management function (SMF), an SMS-Function (SMSF) etc. For the sake of clarity of description, such network elements are not illustrated in figure 1a. In a 4G context, network elements may include a mobility management entity (MME), a serving gateway (S-GW), a packet data network gateway (P-GW) etc.
A common characteristic of such functional units, as represented by the AMF 107 and the UDM 117, in the core network 105 is that they may comprise LI functionality in the form of a POI. A POI is in figure 1a thus depicted as respective POIs 135, 136 being a part of the AMF 107 and the UDM 117, or embedded therein, but a POI may also be separate from network elements with which it is associated.
The core network 105 also comprises an administrative function (ADMF) 108 (also called LI ADMF) and a mediation and delivery function (MDF) 132 that connects to a law enforcement agency (LEA) 131. The ADMF 108 comprises functional units including a lawful interception control function (LICF) 114 and a lawful interception provisioning function (LIPF) 113. The LICF 114 receives warrants from the LEA 131, derives the intercept information from the warrant and provides it to the LIPF 113, which provides the intercept information to POIs in network elements in the core network 105. The LICF 114 controls the management of the end-to-end life cycle of a warrant. The LICF 114 contains a master record of all sensitive information and LI configuration data. The LICF 114 is ultimately responsible for all decisions within the overall LI system. The LICF 114, via the LIPF 113 acting as its proxy, is responsible for auditing other LI components (POIs, MDFs etc.). The LICF 114 is responsible for communication with the LEA 131. The LICF 114 provides the intercept information derived from the warrant for provisioning at a POI. With the exception of the communication with the LEA 131, all other communication between the LICF 114 and any other entities is proxied by the LIPF 113.
As illustrated in figure 1a, the ADMF 108 also comprises a user query function (UQF) 115, the functionality of which will be described in some more detail below.
Within the MDF 132 a mediation function (MF) 133 and a delivery function (DF) 134 are configured to handle an intercept product in the form of intercept related information (IRI) and content of communication (CC) received from the POIs 135, 136 and provide the IRI and CC to the LEA 131. The LEA 131 manages a LEA communication device in the form of a law enforcement monitoring facility (LEMF) 136, which receives IRI and CC from the DF 134.
Communication between the entities in the telecommunication system 100 takes place via X1, X2, X3, HI1, HI2 and HI3 interfaces. That is, the ADMF 108 communicates with at least the MF 133, the DF 134 and the POIs 135, 136 via the X1 interface. The POIs 135, 136 in the AMF 107 and the UDM 117, respectively, communicate with the MF 133 via the X2 interface. The ADMF 108 also communicates with the LEA 131 via the HI1 interface, and the DF 134 communicates with the LEMF 136 in the LEA 131 via the HI2 and HI3 interfaces.
Figure 1b schematically illustrates the telecommunication network 100 as it is realized using hardware wherein virtual network functions (VNF) are executed on virtual nodes 110 that utilize a hardware server platform 170. The MF 133, the DF 134, the ADMF 108 with its LIPF 113, LICF 114 and UQF 115, the AMF 107, the UDM 117 and the POIs 135, 136 are realized in a functional layer 130 of VNFs that execute in the virtual nodes 110 via a virtualization layer 120. For example, a virtual node 111 is a collection of software instructions as well as associated data 112, as the skilled person will realize. The LEA 131 with its LEMF 136 is connected to the hardware platform 170 via an intermediate network 109, the details of which are outside the scope of the present disclosure. Although not explicitly illustrated in figure 1b, communication between entities via the X1, X2, X3, HI1, HI2 and HI3 interfaces takes place as described above in connection with figure 1a.
Turning now to the flowchart illustrated in figure 2 and the signalling diagram illustrated in figure 3, and with continued reference to figures 1a-b, embodiments of methods in the telecommunication network 100 will be described in some more detail. The embodiments will exemplify how the various functional units described above may be enhanced in order to provide the effect and advantages associated with provision of LI target identifiers to entities in a core network.
Figure 2 and figure 3 illustrate a method that comprises actions performed by a computer system in a telecommunication network 100, said computer system hosting at least the ADMF 108, the UDM 117, and at least one AMF 107, 119, introduced and described above in connection with figures 1a-b:
Action 201
The ADMF 108 receives, from the LEA 131, via a first handover interface, HI1, a warrant 301 for lawful interception associated with a target communicating entity 101 identified by a target identifier.
Action 203
The ADMF 108 transmits, to the UDM 117, a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101.
Action 205
The ADMF 108 receives, from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101.
Action 207
The ADMF 108 transmits, to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
In some embodiments, the transmitting in action 203, by the ADMF 108 to the UDM 117, of a request for information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises transmitting over an X1 interface, as specified in TS 103221-1, e.g. V1.8.1 and V1.7.1, by ETSI, a request message 305 that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity 101. In such embodiments, the receiving 205, by the ADMF 108 from the UDM 117, of a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises receiving over the X1 interface as specified in technical specification 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI a response message 307 that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity 101 and a data field that identifies the AMF 107 that is currently serving the target communicating entity 101.
As illustrated in figure 3, the transmission in action 207 by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, of the target identifier of the target communicating entity 101 may take place using, e.g., an X1 ActivateTask message as specified in TS 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI.
In some embodiments, the response message 307 received by the ADMF 108 in action 205 comprises a data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating. In such embodiments, the transmitting in action 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, of the target identifier of the target communicating entity 101 is conditionally performed 208 depending on the type of access network in which the target communicating entity 101 is communicating.
With regard to the conditionally performed transmission in action 207 in such embodiments, in case the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in a 3GPP RAN, a consequence is performing the transmitting in action 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
Alternatively, in case the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in an access network that is not a 3GPP RAN, a consequence is not performing the transmitting 207, by the ADMF 108 to a POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
Conditionally performed transmission of the target identifier to the POI 135 in the AMF 107 enables prevention of transmission to an AMF that serves communicating entities in non-3GPP access networks, noting that non-3GPP access networks may be subject to different legal regulations than 3GPP access networks in terms of LI. For example, if a local regulation does not require, or even forbids, interception of communications over non-3GPP access networks, it is not necessary to provide a POI in such an AMF with target identifiers. The conditionally performed transmission of the target identifier to the POI 135 in the AMF 107 may hence involve checking whether or not such a regulatory requirement exists and, as a consequence of that check, performing or not performing the transmission of the target identifier to the POI 135 in the AMF 107.
The embodiments involving conditionally performed transmission in action 207 are illustrated in figure 2 by an optional decision action 208.
As illustrated in figure 3, the reception in action 201 by the ADMF 108 of the warrant 301 takes place in the LICF 114. The LICF 114 then creates an ADMF-internal query to the UQF 115, the UQF 115 being a function responsible for receiving and responding to LICF real-time queries for getting user registration information. The UQF 115 is a sub-function of the ADMF 108. The communication between the LICF 114 and the UQF 115 may take place using an ADMF-internal interface, e.g. denoted LI_XUQF. As such, the LI_XUQF interface may be used by the LICF 114 to send a registration information query 303 to the UQF 115 and from the UQF 115 to return the registration information to the LICF 114 in a response 309, the registration information being information that identifies an AMF 107 that is currently serving the target communicating entity 101. The following are examples of some of the information that may be passed over such a LI_XUQF interface from the LICF 114 to the UQF 115:
- Information relating to the type of query.
- Warrant/authorization identifier.
- Other information associated with the target identifier required for retrieval of user registration information.
Similarly, information that may be passed over LI_XUQF from the UQF 115 to the LICF 114 include:
- Information relating to the type of query being responded to.
- User registered or not.
- Type of access registration (3GPP, non-3GPP access or both).
- List of Serving AMFs information/identity.
Having received the response 309, the LICF 114 then transmits an ADMF-internal request 311 via the ADMF-internal interface LI_ADMF to the LIPF 113, the request 311 comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101. The LIPF 113 then transmits an ActivateTaskRequest message as specified in TS 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101.
Continuing with reference to figure 3, having received a query 303 from the LICF 114, the UQF 115 transmits a registration information query to the UIF 118 in the UDM 117 and receives from the UIF 118 the registration information in response. The UIF 118 is a function responsible for caching the registration information detected in the UDM 117 and responding to queries from the UQF 115. The UIF 118 stores the registration information detected in the UDM 117 and holds it indefinitely until deregistration. The UIF 118 may be co-located with UDM 117. It is to be noted that the UIF 118 is a function of the UDM 117 that is protected from unauthorized access to the same extent as a POI is protected from unauthorized access, whereas other functionality of the UDM 117 may be less protected from unauthorized access. Such communication between the UQF 115 and the UIF may take place using an interface, e.g. denoted LI_XUQR. As such, the LI_XUQR interface may pass information from the UQF 115 to the UIF 118:
- Information relating to the type of query.
- Target identifier provided by the LEA 131.
- Other information associated with the target identifier required for retrieval of user registration information.
Similarly, information that may be passed over the LI_XUQR interface from the UIF 118 to the UQF 115 include:
- Information relating to the type of query being responded to.
- User registered or not.
- Type of access registration (3GPP, non-3GPP access or both).
- List of Serving AMFs information/identity.
The LI_XUQR interface between the UQF 115 in the ADMF 108 and the UIF 118 in the UDM 117 may be implemented by means of an addition to the X1 interface, as indicated herein. For example, the transmission by the ADMF 108 to the UDM 117, in action 203, of a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101 may be realized by a message, e.g. denoted GetUserDetailsRequest, having data fields according to table 1:
Table 1: GetUserDetailsRequest
In table 1, user identifier is to be understood as the identifier of a target that is to be subject to LI, as requested by the LEA 131. The field M/C/O specifies whether the data in the field is mandatory, conditional or optional, as the skilled person will realize. Similarly, as the skilled person will realize, the acronyms SUPIIMSI, SUPINAI, PEIIMEI, PEIIMEISV, GPSINAI and GPSIMSISDN have the following meanings:
SUPIIMSI: Subscription Permanent Identifier in IMSI format as defined in ETSI TS 103280, where IMSI is short for International Mobile Subscriber Identity.
SUPINAI: Subscription Permanent Identifier in NAI format as defined in ETSI TS 103280, where NAI is short for Network Access Identifier.
PEIIMEI: Permanent Equipment Identifier in IMEI format as defined in ETSI TS 103280, where IMEI is short for International Mobile station Equipment Identity.
PEIIMEISV: Permanent Equipment Identifier in IMEISV format as defined in ETSI TS 103280, where IMEISV is short for International Mobile station Equipment Identity and Software Version Number.
GPSINAI: Generic Public Subscription Identifier in NAI format as defined in ETSI TS 103 280.
GPSIMSISDN: Generic Public Subscription Identifier in MSISDN format as defined in ETSI TS 103280, where MSISDN is short for Mobile Station International PSTN/ISDN number, where PSTN is short for Public Switched Telephone Network and ISDN is short for Integrated Services Digital Network.
The reception by the ADMF 108 from the UDM 117, in action 205, of a response comprising the information that identifies an AMF 107 that is currently serving the target communicating entity 101 may be realized by a message, e.g. denoted GetUserDetailsResponse, having data fields according to table 2:
In table 2, as for table 1, user identifier is to be understood as the identifier of a target that is to be subject to LI, as requested by the LEA 131. The field M/C/O specifies whether the data in the field is mandatory, conditional or optional, as the skilled person will realize.
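As an added illustration that is not part of the patent text and not the applicant's implementation, the following Python sketch runs the exchange of actions 203, 205, 208 and 207 end to end: the ADMF builds the GetUserDetailsRequest, a UIF-like registration cache in the UDM answers it, the ADMF decides on the access type, and an ActivateTask-style message is built for each serving AMF's POI. It serves both the action list of figures 2 and 3 and the LI_XUQR message description above. The element names of the GetUserDetails messages (TargetIdentifier, Registered, AccessType, ServingAmf) and of the envelope are assumptions, since tables 1 and 2 are not reproduced on this page; the envelope only loosely follows the X1 wrapper and is not a schema-valid ETSI TS 103221-1 message; and the registration cache holds constructed sample data.

```python
# Added example: the ADMF -> UDM registration query and the conditional
# ActivateTask, actions 203, 205, 208 and 207.  Element names of the
# GetUserDetails messages and the envelope are assumptions (tables 1 and 2
# are not reproduced here); the registration cache is constructed sample data.
import copy
import uuid
import xml.etree.ElementTree as ET

# Stands in for the UIF in the UDM.  Keys are (TargetIdentifierFormat, value)
# pairs using the identifier type names listed above; the values are invented.
UIF_CACHE = {
    ("SUPIIMSI", "262011234567890"): {"registered": True, "access": "3GPP",
                                      "amfs": ["amf-107.5gc.example"]},
    ("SUPIIMSI", "262019876543210"): {"registered": True, "access": "NON3GPP",
                                      "amfs": ["amf-119.5gc.example"]},
    ("SUPIIMSI", "262010000000001"): {"registered": False, "access": None,
                                      "amfs": []},
}
NOT_REGISTERED = {"registered": False, "access": None, "amfs": []}


def _envelope(tag, admf_id, ne_id, transaction_id):
    """Minimal X1-style wrapper.  A real TS 103221-1 message also carries a
    namespace, Version and MessageTimestamp; this is a sketch, not a schema."""
    root = ET.Element(tag)
    ET.SubElement(root, "AdmfIdentifier").text = admf_id
    ET.SubElement(root, "NeIdentifier").text = ne_id
    ET.SubElement(root, "X1TransactionId").text = transaction_id
    return root


def _target_identifier(parent, id_format, id_value):
    tid = ET.SubElement(parent, "TargetIdentifier")
    ET.SubElement(tid, "TargetIdentifierFormat").text = id_format
    ET.SubElement(tid, "TargetIdentifierValue").text = id_value  # escaped by ET
    return tid


def build_get_user_details_request(admf_id, udm_id, id_format, id_value):
    """Action 203: the ADMF asks the UDM which AMF currently serves the target."""
    root = _envelope("X1Request", admf_id, udm_id, str(uuid.uuid4()))
    msg = ET.SubElement(root, "X1RequestMessage", {"type": "GetUserDetailsRequest"})
    _target_identifier(msg, id_format, id_value)
    return ET.tostring(root, encoding="unicode")


def uif_handle_request(request_xml):
    """UDM/UIF side (action 205): answer from the cache, echoing the transaction
    id and the target identifier so the ADMF can correlate the reply."""
    req = ET.fromstring(request_xml)
    tid = req.find("X1RequestMessage/TargetIdentifier")
    key = (tid.findtext("TargetIdentifierFormat"), tid.findtext("TargetIdentifierValue"))
    entry = UIF_CACHE.get(key, NOT_REGISTERED)
    root = _envelope("X1Response", req.findtext("AdmfIdentifier"),
                     req.findtext("NeIdentifier"), req.findtext("X1TransactionId"))
    msg = ET.SubElement(root, "X1ResponseMessage", {"type": "GetUserDetailsResponse"})
    msg.append(copy.deepcopy(tid))
    ET.SubElement(msg, "Registered").text = "true" if entry["registered"] else "false"
    if entry["registered"]:
        ET.SubElement(msg, "AccessType").text = entry["access"]  # 3GPP, NON3GPP or BOTH
        for amf in entry["amfs"]:
            ET.SubElement(msg, "ServingAmf").text = amf
    return ET.tostring(root, encoding="unicode")


def amfs_to_provision(response_xml, non3gpp_li_required):
    """Decision 208 in the ADMF: which AMF POIs receive the target identifier.
    Not registered -> nothing to arm now; non-3GPP only -> only if local
    regulation requires LI there; 3GPP or BOTH -> the listed serving AMFs."""
    msg = ET.fromstring(response_xml).find("X1ResponseMessage")
    if msg.findtext("Registered") != "true":
        return []
    if msg.findtext("AccessType") == "NON3GPP" and not non3gpp_li_required:
        return []
    return [amf.text for amf in msg.findall("ServingAmf")]


def build_activate_task(admf_id, amf_id, xid, id_format, id_value):
    """Action 207: ActivateTaskRequest toward the POI in the serving AMF
    (TaskDetails/XId/TargetIdentifiers abbreviated from the X1 shape)."""
    root = _envelope("X1Request", admf_id, amf_id, str(uuid.uuid4()))
    msg = ET.SubElement(root, "X1RequestMessage", {"type": "ActivateTaskRequest"})
    task = ET.SubElement(msg, "TaskDetails")
    ET.SubElement(task, "XId").text = xid
    _target_identifier(ET.SubElement(task, "TargetIdentifiers"), id_format, id_value)
    return ET.tostring(root, encoding="unicode")


def provision_target(id_format, id_value, non3gpp_li_required=False,
                     admf_id="admf-108", udm_id="udm-117"):
    """Runs 203 -> 205 -> 208 -> 207 and returns (amf_id, activate_task_xml)
    pairs, one per AMF POI that gets the identifier and none otherwise."""
    request = build_get_user_details_request(admf_id, udm_id, id_format, id_value)
    response = uif_handle_request(request)  # stands in for the X1 round trip
    xid = str(uuid.uuid4())                 # one task id per warrant
    return [(amf, build_activate_task(admf_id, amf, xid, id_format, id_value))
            for amf in amfs_to_provision(response, non3gpp_li_required)]


if __name__ == "__main__":
    for id_format, id_value in UIF_CACHE:
        sent = provision_target(id_format, id_value)
        print(id_value, "->", [amf for amf, _ in sent] or "not provisioned")
```

The identifier from the warrant never reaches any AMF other than the one the UDM names, and a target registered only over non-3GPP access is not provisioned unless the local-regulation flag is set. Because the target value is written through ElementTree it is escaped rather than spliced into the markup, so an identifier that looks like XML cannot inject a ServingAmf element and is simply treated as an unknown, unregistered user.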
Turning now to figure 4, and with continued reference to figures 1-3, a computer system 400 will be described in some detail. The computer system 400, which may correspond to at least part of the telecommunication network 100, comprises at least a processor 402 and a memory 404. The memory 404 contains instructions executable by the processor 402 whereby the computer system 400 is hosting at least a lawful interception administrative function 108, ADMF, a unified data management function 117, UDM, and at least one access and mobility management function 107, 119, AMF, and where the computer system 400 is operative to/configured to:
- receive, by the ADMF 108 from a law enforcement agency 131, LEA, via a first handover interface, HI1, a warrant 301 for lawful interception associated with a target communicating entity 101 identified by a target identifier,
- transmit, by the ADMF 108 to the UDM 117, a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101,
- receive, by the ADMF 108 from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101, and
- transmit, by the ADMF 108 to a point of interception 135, POI, in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
In some embodiments, the computer system 400 comprises one or more compute hosts 411, said one or more compute hosts 411 comprising at least a processor 402 and a memory 404.
The instructions that are executable by the processor 402 may be software in the form of a computer program 443. The computer program 443 may be contained in or by a carrier 442, which may provide the computer program 443 to the memory 404 and processor 402. The carrier 442 may be in any suitable form including an electronic signal, an optical signal, a radio signal or a computer readable storage medium.
In some embodiments, the computer system 400 is operative/configured such that:
- the transmitting, by the ADMF 108 to the UDM 117, a request for information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises transmitting over an X1 interface as specified in technical specification 103221-1, e.g. V1.7.1 and V1.8.1, by the European Telecommunications Standards Institute, ETSI, a request message 305 that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity 101, and
- the receiving, by the ADMF 108 from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101 comprises receiving over the X1 interface as specified in technical specification 103221-1, e.g. V1.7.1 and V1.8.1, by ETSI a response message 307 that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity 101 and a data field that identifies the AMF 107 that is currently serving the target communicating entity 101.
It should be understood that the reference to the X1 interface as specified in TS 103221-1 is intended to cover all X1 interfaces that fulfil the technical specification of e.g. V1.7.1 and V1.8.1 even if not explicitly mentioned as being configured according to exactly one of those versions. Instead, the reference to TS 103221-1 is intended to also include future versions of TS 103221-1 as long as they include the features of the specifications published at the time of filing this application.
In some embodiments, the computer system 400 is operative/configured such that:
- the response message 307 comprises a data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating, and
- the transmitting, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101 is conditionally performed 208 depending on the type of access network in which the target communicating entity 101 is communicating.
In some embodiments, the computer system 400 is operative/configured such that the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in a 3rd generation partnership project, 3GPP, radio access network, RAN, and as a consequence performing the transmitting 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
In some embodiments, the computer system 400 is operative/configured such that the data field that identifies a type of an access network 103 in which the target communicating entity 101 is communicating comprises information that the target communicating entity 101 is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting 207, by the ADMF 108 to the POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101.
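The following Python is an added worked example of the ADMF-side procedure described above (actions 201, 203, 205 and 207/208): a warrant arrives over HI1, the ADMF asks the UDM over X1 which AMF currently serves the target, correlates the response with its request, and sends the target identifier to the POI in that AMF only when the access-type field reports a 3GPP RAN. It is illustration written for this page, not code from the patent or from any LI product. The X1 transport (HTTP over mutually authenticated TLS in ETSI TS 103 221-1) is replaced by in-process calls, the UDM and its registrations are constructed stand-ins, and every class, field and value name beyond those the text uses (GetUserDetails/GetUserDetailsResponse, request identifier, target identifier, AMF identifier, access-network type) is an assumption.

```python
"""Added example of the ADMF procedure (warrant -> X1 GetUserDetails -> conditional
provisioning of the AMF POI). Not code from the patent; names beyond those in the
text and the MSISDN pattern are assumptions, and X1 transport is not modelled."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple
import re
import uuid


class AccessType(Enum):
    """Values of the assumed access-network-type field in the X1 response."""
    RAN_3GPP = "3GPP_RAN"
    NON_3GPP = "NON_3GPP"


@dataclass
class Warrant:
    """Warrant 301 as received over HI1 (action 201); field names assumed."""
    lea_reference: str
    target_identifier: str


@dataclass
class GetUserDetails:
    """X1 request message 305: a request identifier and the target identifier."""
    request_id: str
    target_identifier: str


@dataclass
class GetUserDetailsResponse:
    """X1 response message 307: request id, target id, serving AMF, access type."""
    request_id: str
    target_identifier: str
    serving_amf: Optional[str]
    access_type: Optional[AccessType]


# GPSIMSISDN: international E.164 digits without a leading '+'. Pattern assumed.
_MSISDN = re.compile(r"[1-9][0-9]{5,14}")


def validate_target_identifier(ident: str) -> bool:
    """Reject identifiers that are not in MSISDN format before sending them on X1."""
    return _MSISDN.fullmatch(ident) is not None


class UDM:
    """Constructed stand-in for the UDM: holds the current AMF registration per target."""

    def __init__(self, registrations: Dict[str, Tuple[str, AccessType]]) -> None:
        self._registrations = registrations

    def get_user_details(self, req: GetUserDetails) -> GetUserDetailsResponse:
        amf, access = self._registrations.get(req.target_identifier, (None, None))
        return GetUserDetailsResponse(req.request_id, req.target_identifier, amf, access)


class ADMF:
    """ADMF 108: correlates the X1 response with its request, then provisions
    the POI in the serving AMF only for targets on a 3GPP RAN."""

    def __init__(self, udm: UDM) -> None:
        self._udm = udm
        self.provisioned: Dict[str, List[str]] = {}  # AMF id -> target ids sent to its POI
        self.audit: List[str] = []

    def handle_warrant(self, warrant: Warrant) -> Optional[str]:
        """Returns the AMF whose POI was provisioned, or None if nothing was sent."""
        if not validate_target_identifier(warrant.target_identifier):
            raise ValueError(f"{warrant.lea_reference}: target identifier is not an MSISDN")
        req = GetUserDetails(str(uuid.uuid4()), warrant.target_identifier)      # action 203
        resp = self._udm.get_user_details(req)                                   # action 205
        # Act only on a response that answers this request for this target.
        if (resp.request_id, resp.target_identifier) != (req.request_id, req.target_identifier):
            raise RuntimeError(f"{warrant.lea_reference}: X1 response does not match the request")
        if resp.serving_amf is None:
            self.audit.append(f"{warrant.lea_reference}: target not registered, nothing provisioned")
            return None
        # Conditional transmit 208: an absent or non-3GPP access type fails closed.
        if resp.access_type is not AccessType.RAN_3GPP:
            self.audit.append(f"{warrant.lea_reference}: non-3GPP access via {resp.serving_amf}, "
                              "target not sent to AMF POI")
            return None
        self.provisioned.setdefault(resp.serving_amf, []).append(warrant.target_identifier)  # 207
        self.audit.append(f"{warrant.lea_reference}: target sent to POI in {resp.serving_amf}")
        return resp.serving_amf


if __name__ == "__main__":
    # Constructed registrations: one target on a 3GPP RAN, one on non-3GPP access.
    udm = UDM({"46700000001": ("AMF-107", AccessType.RAN_3GPP),
               "46700000002": ("AMF-119", AccessType.NON_3GPP)})
    admf = ADMF(udm)
    for ref, target in [("W-1", "46700000001"), ("W-2", "46700000002"), ("W-3", "46700000003")]:
        admf.handle_warrant(Warrant(ref, target))
    print("\n".join(admf.audit))
```

Two details carry the security weight here. The response is checked against the outstanding request (request identifier and target identifier) before any provisioning happens, so a stray or misrouted X1 response cannot cause a target to be pushed to a POI. And the access-type test is written so that a missing field, which the page's M/C/O columns would mark as conditional, behaves like non-3GPP access and provisions nothing, rather than silently defaulting to interception.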
Turning now to figure 5, and with continued reference to figures 1 to 4, a computer system 500 will be described in some detail. The computer system 500 comprises:
- a receiving module 501 configured to receive, by an ADMF 108 from a LEA 131 via a first handover interface, H11, a warrant 301 for lawful interception associated with a target communicating entity 101 identified by a target identifier,
- a transmitting module 503 configured to transmit, by the ADMF 108 to a UDM 117, a request for information that identifies an AMF 107 that is currently serving the target communicating entity 101,
- a receiving module 505 configured to receive, by the ADMF 108 from the UDM 117, a response comprising the information that identifies the AMF 107 that is currently serving the target communicating entity 101, and
- a transmitting module 507 configured to transmit, by the ADMF 108 to a POI 135 in the AMF 107 that is currently serving the target communicating entity 101, the target identifier of the target communicating entity 101. The computer system 500 may comprise further modules that are configured to perform in a similar manner as, e.g., a computer system 400 described above in connection with figure 4.
Claims
1. A method performed by a computer system (400) in a telecommunication network (100), said computer system (400) hosting at least a lawful interception administrative function (108), ADMF, a unified data management function (117), UDM, and at least one access and mobility management function (107, 119), AMF, the method comprising:
- receiving (201), by the ADMF (108) from a law enforcement agency (131), LEA, via a first handover interface, H11, a warrant (301) for lawful interception associated with a target communicating entity (101) identified by a target identifier,
- transmitting (203), by the ADMF (108) to the UDM (117), a request for information that identifies an AMF (107) that is currently serving the target communicating entity (101),
- receiving (205), by the ADMF (108) from the UDM (117), a response comprising the information that identifies the AMF (107) that is currently serving the target communicating entity (101), and
- transmitting (207), by the ADMF (108) to a point of interception (135), POI, in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
2. The method of claim 1, wherein:
- the transmitting (203), by the ADMF (108) to the UDM (117), a request for information that identifies the AMF (107) that is currently serving the target communicating entity (101) comprises transmitting over an X1 interface as specified in technical specification 103221-1 by the European Telecommunications Standards Institute, ETSI, a request message (305) that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity (101), and
- the receiving (205), by the ADMF (108) from the UDM (117), a response comprising the information that identifies the AMF (107) that is currently serving the target communicating entity (101) comprises receiving over the X1 interface as specified in technical specification 103221-1 by ETSI a response message (307) that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity (101) and a data field that identifies the AMF (107) that is currently serving the target communicating entity (101).
3. The method of claim 2, wherein:
- the response message (307) comprises a data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating, and
- the transmitting (207), by the ADMF (108) to the POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101) is conditionally performed (208) depending on the type of access network in which the target communicating entity (101) is communicating.
4. The method of claim 3, wherein the data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating comprises information that the target communicating entity (101) is communicating in a 3rd generation partnership project, 3GPP, radio access network, RAN, and as a consequence performing the transmitting (207), by the ADMF (108) to the POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
5. The method of claim 3, wherein the data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating comprises information that the target communicating entity (101) is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting (207), by the ADMF (108) to a POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
6. A computer system (400) comprising at least a processor (402) and a memory (404), said memory (404) containing instructions executable by said processor (402) whereby said computer system (400) hosts at least a lawful interception administrative function (108), ADMF, a unified data management function (117), UDM, and at least one access and mobility management function (107, 119), AMF, said computer system (400) being operative to:
- receive, by the ADMF (108) from a law enforcement agency (131), LEA, via a first handover interface, H11, a warrant (301) for lawful interception associated with a target communicating entity (101) identified by a target identifier,
- transmit, by the ADMF (108) to the UDM (117), a request for information that identifies an AMF (107) that is currently serving the target communicating entity (101),
- receive, by the ADMF (108) from the UDM (117), a response comprising the information that identifies the AMF (107) that is currently serving the target communicating entity (101), and
- transmit, by the ADMF (108) to a point of interception (135), POI, in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
7. The computer system (400) of claim 6, operative such that:
- the transmitting, by the ADMF (108) to the UDM (117), a request for information that identifies the AMF (107) that is currently serving the target communicating entity (101) comprises transmitting over an X1 interface as specified in technical specification 103221-1 by the European Telecommunications Standards Institute, ETSI, a request message (305) that comprises a data field that identifies the request for information and a data field that identifies the target communicating entity (101), and
- the receiving, by the ADMF (108) from the UDM (117), a response comprising the information that identifies the AMF (107) that is currently serving the target communicating entity (101) comprises receiving over the X1 interface as specified in technical specification 103221-1 by ETSI a response message (307) that comprises a data field that identifies the request for information, a data field that identifies the target communicating entity (101) and a data field that identifies the AMF (107) that is currently serving the target communicating entity (101).
8. The computer system (400) of claim 7, operative such that:
- the response message (307) comprises a data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating, and
- the transmitting, by the ADMF (108) to the POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101) is conditionally performed (208) depending on the type of access network in which the target communicating entity (101) is communicating.
9. The computer system (400) of claim 8, operative such that the data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating comprises information that the target communicating entity (101) is communicating in a 3rd generation partnership project, 3GPP, radio access network, RAN, and as a consequence performing the transmitting (207), by the ADMF (108) to the POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
10. The computer system (400) of claim 8, operative such that the data field that identifies a type of an access network (103) in which the target communicating entity (101) is communicating comprises information that the target communicating entity (101) is communicating in an access network that is not a 3GPP RAN, and as a consequence not performing the transmitting (207), by the ADMF (108) to the POI (135) in the AMF (107) that is currently serving the target communicating entity (101), the target identifier of the target communicating entity (101).
11. The computer system (400) of any one of claims 6 to 10, comprising one or more compute hosts (411), said one or more compute hosts (411) comprising at least a processor (402) and a memory (404).
12. A computer program (443) comprising instructions which, when executed on at least one processor (402) in a computer system (400), cause the computer system (400) to carry out the method according to any one of claims 1 to 6.
13. A carrier (442), comprising the computer program (443) of claim 12, wherein the carrier is one of an electronic signal, an optical signal, a radio signal and a computer readable storage medium.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2021/069360 WO2023284942A1 (en) | 2021-07-12 | 2021-07-12 | A request for information that identifies an access and mobility management function |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2021/069360 WO2023284942A1 (en) | 2021-07-12 | 2021-07-12 | A request for information that identifies an access and mobility management function |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023284942A1 true WO2023284942A1 (en) | 2023-01-19 |
Family
ID=77021325
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2021/069360 Ceased WO2023284942A1 (en) | 2021-07-12 | 2021-07-12 | A request for information that identifies an access and mobility management function |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2023284942A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2025112761A1 (en) * | 2023-11-27 | 2025-06-05 | 中国电信股份有限公司技术创新中心 | Session management method, apparatus and system for multipath transmission, and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021126020A1 (en) * | 2019-12-16 | 2021-06-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Managing lawful interception information |
Non-Patent Citations (1)
| Title |
|---|
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security; Lawful Interception (LI) architecture and functions (Release 17)", vol. SA WG3, no. V17.1.0, 24 June 2021 (2021-06-24), pages 1 - 130, XP052029658, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.127/33127-h10.zip 33127-h10.docx> [retrieved on 20210624] * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12328343B2 (en) | Managing lawful interception information | |
| CA2491816C (en) | Informing a lawful interception system of the serving system serving an intercepted target | |
| US7283521B1 (en) | System and method for reporting communication related information in a packet mode communication | |
| US9042388B2 (en) | Lawful interception for 2G/3G equipment interworking with evolved packet system | |
| US20140293836A1 (en) | Lawful interception for targets in a proxy mobile internet protocol network | |
| WO2011155884A1 (en) | User data automatic lookup in lawful interception | |
| US8666405B2 (en) | LI/DR service continuity in case of number portability | |
| US11363136B2 (en) | Lawful interception manifesto | |
| WO2023284942A1 (en) | A request for information that identifies an access and mobility management function | |
| US12432259B2 (en) | Obtaining information pertaining to a network function in lawful interception | |
| US9166885B2 (en) | Lawful identification of unknown terminals | |
| US12341825B2 (en) | Transmitting or receiving version information of transmission protocol | |
| KR20240004619A (en) | Lawful wiretapping methods, devices and systems by subscription to notification | |
| US20110026686A1 (en) | Use of unique references to facilitate correlation of data retention or lawful interception records | |
| EP4430802B1 (en) | Lawful interception method, communication devices and system | |
| Abdelrazek et al. | SigPloit: A new signaling exploitation framework | |
| EP2862341B1 (en) | Methods, computer program products and apparatuses enabling to conceal lawful interception from network operators |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21745281; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 21745281; Country of ref document: EP; Kind code of ref document: A1 |