ANSI ATIS 1000013-2015 Lawfully Authorized Electronic Surveillance (LAES) For Internet Access and Services Version 2 (Version 2).pdf

1、 AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS ATIS-1000013.v2.2015 Lawfully Authorized Electronic Surveillance (LAES) for Internet Access and Services, Version 2 As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (ATIS) brings

2、together the top global ICT companies to advance the industrys most pressing business priorities. ATIS nearly 200 member companies are currently working to address the All-IP transition, network functions virtualization, big data analytics, cloud services, device solutions, emergency services, M2M,

3、cyber security, network evolution, quality of service, billing support, operations, and much more. These priorities follow a fast-track development lifecycle from design and innovation through standards, specifications, requirements, business use cases, software toolkits, open source solutions, and

4、interoperability testing. ATIS is accredited by the American National Standards Institute (ANSI). The organization is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of the oneM2M global initiative, a member of and major U.S. contributo

5、r to the International Telecommunication Union (ITU), as well as a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit www.atis.org. AMERICAN NATIONAL STANDARD Approval of an American National Standard requires review by ANSI that the requirements for due p

6、rocess, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much mo

7、re than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude any

8、one, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any A

9、merican National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on

10、the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American Natio

11、nal Standards may receive current information on all standards by calling or writing the American National Standards Institute. Notice of Disclaimer or 2) Content Associated Communications Identifying Information. Communications Identifying Information is “reasonably available” to an Internet Access

12、 and Services Provider if it is present at an intercept access point and can be made available without the provider being unduly burdened 6This document is available from the Alliance for Telecommunications Industry Solutions (ATIS), 1200 G Street N.W., Suite 500, Washington, DC 20005. 7This documen

13、t is available from the Alliance for Telecommunications Industry Solutions (ATIS), 1200 G Street N.W., Suite 500, Washington, DC 20005. ATIS-1000013.v2.2015 4 with network modifications. CmII is delivered by the set of messages defined in this Standard and the set of mandatory and conditional parame

14、ters contained therein. 3.1.6 Communication: Any wire or electronic communication, as defined in Ref 4. 3.1.7 Content Associated Communications Identifying Information (CACmII): Communication Identifying Information associated with the delivery and routing of the subjects packets in the network (i.e

15、., the headers of the IP packets). 3.1.8 Dynamic IP Address: An IP address that is temporarily assigned to a subscribers equipment for a limited or specified duration. 3.1.9 Electronic Surveillance: The statutory-based legal authorization, process, and associated technical capabilities and activitie

16、s of LEAs related to the interception of wire, oral, or electronic communications while in transmission. As used herein, also includes the acquisition of communication identifying information. As used herein, surveillance refers to a single communication intercept, pen register, or trap and trace. I

17、ts usage herein does not include administrative subpoenas for obtaining a subscribers billing records and information about a subscribers service that an LEA may employ before the start of a communication intercept, pen register, or trap and trace. 3.1.10 IASP Domain: See 4.1. 3.1.11 Intercept: Defi

18、ned in Ref 4 section 2510(4) to be “the aural or other acquisition of the content of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 3.1.12 Intercept Access Point (IAP): A point within an Internet and Access Services Provider domain where

19、some of the communications or communications identifying information of an intercept subjects equipment, facilities, and services are accessed. 3.1.13 Intercept Subject: A subscriber whose communications, communications identifying information, or both, have been authorized by a court to be intercep

20、ted and delivered to a Law Enforcement Agency. The identification of the intercept subject is limited to identifiers used to access the particular equipment, facility, or communication service (e.g., network address, terminal identity, subscription identity). 3.1.14 Intermediate Network: See 4.1. 3.

21、1.15 Internet Service Provider (ISP) Network: See 4.1. 3.1.16 Law Enforcement Agency (LEA): A government entity with the legal authority to conduct electronic surveillance (e.g., the Federal Bureau of Investigation or a state or local police department). 3.1.17 Packet: An IP packet Ref 9, 10. 3.1.18

22、 Packet Data Session: The time interval during which the user is granted resources to send or receive packets to or from the Internet. 3.1.19 Session: A set of multimedia senders and receivers and the data streams flowing from senders to receivers. 3.1.20 Static IP Address: An IP address that is per

23、manently assigned to a subscribers equipment. 3.1.21 Subject: See intercept subject. 3.1.22 Subject Domain: See 4.1. 3.1.23 Surveillance: See electronic surveillance. 3.2 Acronyms AAA Authorization, Authentication, and Accounting AACmII Access Associated CmII AH Authentication Header ANSI American N

24、ational Standards Institute A-PDU or APDU Application Protocol Data Unit ATIS-1000013.v2.2015 5 ASCII American Standard Code for Information Interchange ASN.1 Abstract Syntax Notation One Ref 5 ATIS Alliance for Telecommunication Industry Solutions ATM Asynchronous Transfer Mode CACmII Content Assoc

25、iated CmII CALEA Communications Assistance for Law Enforcement Act. CF Collection Function CHAP Challenge Handshake Authentication Protocol CmC Communication Content CmC-APDU Communication Content Application Protocol Data Unit CmII Communication-Identifying Information. CmII-MF CmII Mediation Funct

26、ion CMTS Cable Modem Termination System CPE Customer Premise Equipment DCCP Datagram Congestion Control Protocol DF Delivery Function DHCP Dynamic Host Configuration Protocol FCC Federal Communications Commission GMT Greenwich Mean Time GWR Gateway Router IAP Intercept Access Point IC-APDU Intercept

27、 Content Application Protocol Data Unit IETF Internet Engineering Task Force IAS Internet Access and Services IASP Internet Access or Services Provider IP Internet Protocol IPCP IP Control Protocol IPsec Internet Protocol Security ITU-T International Telecommunication Union Telecommunication Standar

28、dization Sector LAES Lawfully Authorized Electronic Surveillance LEA Law Enforcement Agency LI Lawful Intercept MAC Media Access Control MF Mediation Function MOC Mandatory Optional Conditional NAS Network Access Server OSI Open Systems Interconnect PADT PPPoE Active Discovery Terminate PC Personal

29、Computer PDU Protocol Data Unit PPP Point-to-Point Protocol PPPoA PPP over ATM PPPoE PPP over Ethernet QoS Quality of Service RADIUS Remote Authentication Dial In User Service ATIS-1000013.v2.2015 6 SA Security Association SCTP Stream Control Transmission Protocol TCP Transmission Control Protocol R

30、ef 7 UDP User Datagram Protocol UTC Coordinated Universal Time VPN Virtual Private Network 3.3 Definitions for “Mandatory,” “Optional,” and 2. IAS Communication Content IAPs (CmC-IAPs). CmII-IAPs and CmC-IAPs are associated with CmII and CmC intercept functions respectively that perform the actual i

31、nterception of CmII and CmC. These CmII and CmC intercept functions are incorporated into one or more network elements. CmII and CmC intercept functions may be collocated within the same network element, or may be distributed among many network elements. See 4.4 for examples of distributions of the

32、IAPs in various network providers within the IASP domain. 4.2.2.1 CmII-IAPs A CmII-IAP captures the information necessary to generate CmII. CmII may be categorized as Access Associated CmII (AACmII) or Content Associated CmII (CACmII). a. Access Associated CmII: CmII associated with communication be

33、tween the subject and the IASP domain for the purposes of login, logout, access authorization, access authentication, or resource allocation caused by the use of, or attempted use of, the IAS network by the subject. All AACmII signaled to and from the network shall be reported to law enforcement. AT

34、IS-1000013.v2.2015 10 b. Content Associated CmII: CmII associated with the delivery and routing of the subjects content in the network, derived from specific fields in the Layer 3 IP headers and Layer 4 headers of the IP packets, as defined 5.2.11 and 5.2.12. Two options exist for delivering CACmII:

35、 Delivering the records for the specified header fields of each intercepted packets to law enforcement; or Delivering summary records. 4.2.2.2 CmC-IAPs A CmC-IAP intercepts the full packets to and from an intercept subject. The CmC-IAP intercepts the required content and presents it to the DF or to

36、the Mediation Function (MF). The CmC-IAP can reside in a number of places. The CmC-IAP used in a particular network is an IASP design decision. 4.2.3 Functional Electronic Surveillance Architecture Figure 4.3 shows a general functional Lawful Intercept (LI) architecture for IAS where both CmC and Cm

37、II are intercepted and delivered to LEAs. This functional architecture assumes that one IASP is providing IAS. Three domains are identified: 1. Subject Domain: Consists of the subjects equipment, network access equipment-facilities, and associated functions. 2. IASP Domain: Consists of the IASPs net

38、work equipment-facilities and associated functions. This could be one or more of the networks in the IASP domain discussed in 4.1. 3. LEA Domain: Consists of LEAs LI collection equipment-facilities and associated functions. The IASP Domain includes the following functions: CmII Access Functions: One

39、 or more functions responsible for isolating and presenting CmII to the CmII MF or DF. CmC Access Functions: One or more functions responsible for isolating and presenting CmC to the CmC MF or DF. CmII Delivery Function: A function responsible for delivering the CmII, which is specified in a lawful

40、authorization, to the LEAs. The CmII DF contains a CmII Application Protocol Data Unit (APDU) Demarcation Point. The CmII APDU Demarcation Point is the point in the DF where a CmII APDU is presented to the delivery method for delivering CmII over the e interface to the LEAs CF. CmC Delivery Function

41、: A function responsible for delivering the CmC, which is specified in a lawful authorization, to the LEAs. The CmC DF contains a CmC APDU Demarcation Point. The CmC APDU Demarcation Point is the point in the DF where CmC is presented to the Delivery Method for delivering CmC over the e interface to

42、 the LEAs Collection Function. CmII Mediation Function: A function responsible for the presentation8of the CmII. This function maps or encapsulates IAS subject access and network signaling messages onto e interface messages. CmC Mediation Function: A function responsible for the presentation9of the

43、CmC. 8Presentation, as used here, means the form and style of the CmII information and includes the conversion or mapping of information from one form or style to another. 9Presentation, as used here, means the form and style of the CmC and includes the conversion of CmC from one form or style to an

44、other. ATIS-1000013.v2.2015 11 As discussed in 4.1, the IASP domain consists of the access network, the intermediate network, and the ISP network. The above functions may be performed by one or more networks in the IASP domain. The following physical demarcation point(s) appear at the boundary betwe

45、en the IASP Domain and the LEA Domain: CmII Physical Demarcation Point: Point where CmII is presented to the LEAs procured functions and facilities for delivering CmII over the e interface to the LEAs Collection Function. CmC Physical Demarcation Point: Point where CmC is presented to the LEAs procu

46、red functions and facilities for delivering CmC over the e interface to the LEAs Collection Function. CmII and CmC physical demarcation points may be one and the same, allowing CmII and CmC to be delivered over the same physical interface. Figure 4.3 Functional LI Architecture for IAS Note that the

47、LI architecture presented in Figure 3 is functional in nature and the functions may be distributed and grouped into various network elements and nodes. In Figure 4.3, the prime () and double prime () symbols indicate that the format of the CmII and CmC may be different. ATIS-1000013.v2.2015 12 The M

48、F and DF are logical functions, not physical entities. They may be implemented in separate physical entities or in a single physical entity. 4.2.4 Demarcation Figure 4.4 shows the A-PDU Demarcation Point to be that point in the DF where the LI-formatted CmII and CmC (i.e., the CmII or CmC A-PDUs) ar

49、e presented to the Delivery Method at Open Systems Interconnect (OSI) Application Layer 710. The Delivery Method then delivers the A-PDUs to the LEAs Collection Function. The DF Application function formats the CmC and CmII into A-PDUs according to the e interface requirements and presents the formatted A-PDUs to the Delivery Method. The Delivery Method, via the selected protocols (e.g., TCP/IP), sends the encapsulated A-PDUs to the CF. 7654321OSIProtocol StackDeliveryMethodDF ApplicationDeliveryFunctione