1、 ETSI GS NFV-SEC 004 V1.1.1 (2015-09) Network Functions Virtualisation (NFV); NFV Security; Privacy and Regulation; Report on Lawful Interception Implications Disclaimer This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG)
2、 and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 004 V1.1.1 (2015-09)2 Reference DGS/NFV-SEC004 Keywords interception, NFV, privacy, regulation, security ETSI 6
3、50 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/ww
4、w.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived diffe
5、rence in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or cha
6、nge of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx
7、Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI.
8、 The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks
9、of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 004 V1.1.1 (2015-09)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g31
10、Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Requirements for Lawful Interception . 7g34.1 General CSP obligations 7g34.2 Root of trust in LI . 7g34.3 Core requirements 8g34.4 PoI
11、 location attestation . 9g34.5 LI undetectability . 9g35 Analysis and recommendations 9g35.1 Overview 9g35.2 The LI service shall always be provided 10g35.3 The LI service shall be activated upon receipt of a valid interception authorization from an LEA . 10g35.4 The LI service shall be deactivated
12、when the interception authorization expires or as defined by the LEA 10g35.5 Interrogation shall be possible only from an authorized user . 10g35.6 What the PoI delivers . 10g3Annex A (informative): Architectures and structures for LI in networks composed from VNFs 11g3Annex B (informative): Authors
13、 Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carri
14、ed out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Spec
15、ification Group (ISG) Network Functions Virtualisation (NFV). NOTE: Where the word “shall“ appears in clauses 4 and 5 it has been taken from text originated in reference documents and offers a requirement against the operator of networks and services and in general does not place any additional tech
16、nical constraints or conformance obligations on the NFV beyond those specified in the reference documents. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in cla
17、use 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI GS NFV-SEC 004 V1.1.1 (2015-09)5 1 Scope The present document provides a problem statement on implementing LI
18、in NFV and identifies the necessary capabilities to be provided in NFV to meet the requirements outlined for telecommunications capabilities in general in ETSI TS 101 331 i.2. The present document identifies the challenges of providing LI in an NFV. The present document is intended to give guidance
19、to the NFV community and to the wider LI community on the provision of LI in an NFV. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version appli
20、es. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this
21、 clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication an
22、d/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of
23、 publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 101 671: “Lawful Interception (LI); Handover interface for the
24、 lawful interception of telecommunications traffic“. i.2 ETSI TS 101 331: “Lawful Interception (LI); Requirements of Law Enforcement Agencies“. i.3 ETSI TR 102 528: “Lawful Interception (LI) Interception domain Architecture for IP networks“. i.4 ETSI TS 103 120: “Lawful Interception; Interface for w
25、arrant information; Q b) remove any service coding or encryption which has been applied to the content of communication and the intercept related information at the instigation of the network operator/service provider; NOTE 3: If coding/encryption cannot be removed through means which are available
26、to the CSP for the given communication the content is provided as received. NOTE 4: The semantic meaning has to always be transferred even if the exact syntax (encoding) is modified. c) provide the LEA with any other decryption keys whose uses include encryption of the content of communication, wher
27、e such keys are available; d) intercept related information shall be provided: 1) when communication is attempted; 2) when communication is established; 3) when no successful communication is established; 4) on change of status (e.g. in the access network); 5) on change of service or service paramet
28、er; 6) on change of location (this can be related or unrelated to the communication or at all times when the apparatus is switched on); and ETSI ETSI GS NFV-SEC 004 V1.1.1 (2015-09)9 7) when a successful communication is terminated. NOTE 5: In the present document, service should be taken to include
29、 supplementary services. NOTE 6: For those protocols of type Representational State Transfer (REST) (e.g. SIP, HTTP) each transaction is considered as unique unless the signalling itself contains a means to link signals (e.g. session identity). e) intercept related information shall contain: 1) the
30、identities that have attempted telecommunications with the target identity, successful or not; 2) the identities which the target has attempted telecommunications with, successful or not; 3) identities used by or associated with the target identity; 4) details of services used and their associated p
31、arameters; 5) information relating to status; 6) time stamps; 7) location of the target. NOTE 7: The identity to be supplied should be that visible to the CSP and may take one or many forms including but not restricted to IMSI, IMEI, MSISDN, email address, SIP-identity. f) the conditions mentioned a
32、bove also apply to multi-party or multi-way telecommunication if and as long as the target is known to participate. NOTE 8: Where the user has initiated and applied end-to-end encryption, the content is provided as received. 4.4 PoI location attestation The lawful authorization that invokes the lawf
33、ul interception facilities has to identify the jurisdiction in which the authorization is valid, and the CSP has to ensure that the LI facilities operate within the same jurisdiction. The underlying hardware of any NFV is physically located in specific jurisdictions and whilst the VMs are intended t
34、o run on any viable hardware and not to have knowledge of which instance of the hardware they run on this knowledge has to be within the system and should be able to be reported to the LEA. Furthermore when LI is activated against a target, the system management (e.g. MANO) cannot instantiate any VM
35、 required to support LI for the user service outside the jurisdiction if the target is in the jurisdiction of the lawful authorization. 4.5 LI undetectability Much of the data for the provision of LI is sensitive and should be protected from illicit exposure including transfer across jurisdictional
36、borders. In particular the knowledge of targets of interception (often referred to as the target list) shall not be visible to any unauthorized party. 5 Analysis and recommendations 5.1 Overview It should be noted that LI has often looked at the interception of communication between 2 parties, or at
37、 the communications initiating or terminating at a single party (the target). In this respect much of the terminology may be considered to be based on conventional circuit switching but that is an over-simplification. The aim in general is to ensure that whenever a target is involved in a communicat
38、ion that the knowledge of that communication, and the content of that communication, is also delivered to the facilities of the Law Enforcement Agency (typically referred to as Law Enforcement Monitoring Facility (LEMF). ETSI ETSI GS NFV-SEC 004 V1.1.1 (2015-09)10 5.2 The LI service shall always be
39、provided This is straightforward. A functioning NFV deployment serving as a platform for the provision of services (through a CSP) has to have an LI service. What is much more difficult to answer is - where does the LI service sit in the NFV architecture and function suite? The main issue here is th
40、e identification of points of interception in the NFV. In theory any NFV node that is used to offer service to a customer and where any object is instantiated for a customer that is also a target then that object has to be considered as a point of interception. There is also a geographic or jurisdic
41、tion concern for LI as in a fully virtualised environment with the potential to allocate resources anywhere globally there may be a requirement to restrict where services can be provided. This class of requirement is not specific to LI but also covers personal information and financial information.
42、The main impact is that objects that are able to act as PoIs shall be able to report their location (either directly or through a management entity) in addition to the geographic location of the target. This knowledge of where the PoI and any supporting functions are located with respect to the juri
43、sdiction may be critical and thus has to be treated as highly trusted data. 5.3 The LI service shall be activated upon receipt of a valid interception authorization from an LEA This requirement underpins the access control for the LI service. Quite simply the always provided service cannot actually
44、run unless there is a valid LEA request. The LEA request has not been fully defined in ETSIs TC LI as yet but there is work in progress to look at the use of digital signature based schemes for dissemination of warrants (or LI authorization certificates). If such warrants exist the signed authority
45、may be used as part of the access control mechanism. LI activation for IRI records may take the form of a publish/subscribe model. In this case when activated IRI data is forwarded to the subscriber where the only valid subscribers are of type “LEMF“ and the authorization shall be from the LEA. 5.4
46、The LI service shall be deactivated when the interception authorization expires or as defined by the LEA If solved as above the original authorization shall include an expiry time and as with any PKC based system the authorization certificate can be revoked (with revocation it is necessary to check
47、that authorization remains valid whatever the model indicates that transmission of an IRI is required). 5.5 Interrogation shall be possible only from an authorized user In this the term “interrogation“ is used to mean identifying the state of the LI function. It is very unlikely that the administrat
48、or of a conventional hypervisor or orchestrator will be authorized as an interrogator who should be allowed to know that the LI function is activated, and against whom, as information that has to be strictly controlled. This is consistent with the requirement from clause 4 “An authorized user for th
49、e purposes of interrogation is one who is allowed and authorized by both LEA and the CSP to administer the LI interface“. The use of some form of Role Based Access Control that can explicitly deny access to a super-user form is probably a pre-requisite. This goes even further as it also means many forms of analytic software that gather data on which functions are active will have to maintain the same level of access control. 5.6 What the PoI delivers The requirements on what the Point of Interception delivers to the LEA/LEMF are quite clear from clause 4.3 and do
