1、 ETSI TS 102 234 V1.6.1 (2006-07)Technical Specification Lawful Interception (LI);Service-specific details for internet access servicesETSI ETSI TS 102 234 V1.6.1 (2006-07) 2 Reference RTS/LI-00036 Keywords access, internet, IP, Lawful Interception, security, service ETSI 650 Route des Lucioles F-06
2、921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.ets
3、i.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on
4、 ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.
5、etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the fore
6、going restriction extend to reproduction in all media. European Telecommunications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered b
7、y ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 234 V1.6.1 (2006-07) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 References 6 3 Definitions and
8、 abbreviations.7 3.1 Definitions7 3.2 Abbreviations .7 4 General .8 4.1 Internet Access Service (IAS) 8 4.2 Target identity and IP address 8 4.3 Lawful Interception requirements 9 4.3.1 Target identity.9 4.3.2 Result of interception9 4.3.3 Intercept related information messages.10 4.3.4 Time constra
9、ints10 4.3.5 Preventing over and under collection of intercept data.11 5 System model .11 5.1 Reference network topologies 11 5.1.1 Dial-up access.11 5.1.2 xDSL access12 5.1.3 Cable modem access.13 5.1.4 IEEE 802.11 13 Access (with Wireless LAN profile)14 5.2 Reference scenarios14 5.2.1 Logon14 5.2.
10、2 Multi logon .15 5.2.3 Multilink logon .15 5.2.4 IP transport15 5.2.5 Logoff .15 5.2.6 Connection loss.15 6 Intercept Related Information (IRI) .16 6.1 IRI events .16 6.2 HI2 attributes17 7 Content of Communication (CC) .17 7.1 CC events .17 7.2 HI3 attributes18 8 ASN.1 for IRI and CC18 Annex A (in
11、formative): Stage 1 - RADIUS characteristics.22 A.1 Network topology.22 A.1.1 RADIUS server 22 A.1.2 RADIUS proxy.23 A.2 RADIUS service.24 A.2.1 Authentication service24 A.2.2 Accounting service.24 A.3 RADIUS protocol.25 A.3.1 Authentication protocol25 A.3.2 Accounting protocol.26 ETSI ETSI TS 102 2
12、34 V1.6.1 (2006-07) 4 A.4 RADIUS main attributes 26 A.5 RADIUS interception.27 A.5.1 Collecting RADIUS packets.27 A.5.2 Processing RADIUS packets27 A.5.2.1 Mapping events to RADIUS packets27 A.5.2.2 Functional model 28 A.5.2.3 RADIUS spoofing 31 A.5.3 Mapping RADIUS on the IRI structure31 Annex B (i
13、nformative): Stage 1 - DHCP characteristics.33 B.1 Network topology.33 B.2 DHCP service.33 B.3 BOOTP protocol 34 B.4 DHCP protocol.34 B.4.1 Address assignment36 B.4.2 Message transmission and relay agents 36 B.4.3 Security and authentication 36 B.5 DHCP main attributes 36 B.6 DHCP interception .37 B
14、.6.1 Introduction 37 B.6.2 DHCP packets 38 B.6.3 State machine .38 B.6.3.1 Mapping DHCP packets to events 39 B.6.3.2 Timers and administrative events .39 B.6.3.3 State information 39 B.6.3.4 State machine diagram40 B.6.4 Mapping DHCP on the IRI structure40 Annex C (informative): IP IRI interception.
15、42 C.1 Introduction 42 C.2 Requirements42 C.3 Proposed implementation.42 Annex D (informative): TCP and UDP IRI interception 43 D.1 Introduction 43 D.2 Requirements43 D.3 HI2 requirements43 D.4 HI3 requirements44 D.5 General requirements .44 Annex E (informative): Bibliography.45 Annex F (informativ
16、e): Change Request history.46 History 47 ETSI ETSI TS 102 234 V1.6.1 (2006-07) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI mem
17、bers and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.e
18、tsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, e
19、ssential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Lawful Interception (LI). Introduction The intention of the present document has been to follow the advice given at ETSI meetings in all cases. The present document focuses on i
20、ntercepting IP data in relation to the use of Internet Access Services (IAS) and is to be used in conjunction with TS 102 232 2. In the latter document the handing over of the intercepted data is described. ETSI ETSI TS 102 234 V1.6.1 (2006-07) 6 1 Scope The present document contains a stage 1 descr
21、iption of the interception information in relation to the process of binding a “target identity“ to an IP address when providing Internet access and a stage 2 description of when Intercept Related Information (IRI) and Content of Communication (CC) shall be sent, and what information it shall contai
22、n. The study shall include but not be restricted to IRI based on application of Dynamic Host Configuration Protocol (DHCP) and Remote Authentication Dial-in User Service (RADIUS) technology for binding a “target identity“ to an IP address and CC for the intercepted IP packets. The definition of the
23、Handover Interface 2 (HI2) and Handover Interface 3 (HI3) is outside the scope of the present document. For the handover interface is referred to TS 102 232 2. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document
24、. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. Referenced documents which are not found to be publicly
25、 available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 ETSI TS 101 671: “Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic“. 2 ETSI TS 102 232: “Lawful Interception (LI); Handover specification for IP delivery“. 3
26、 IETF RFC 1122: “Requirements for Internet Hosts - Communication Layers“. 4 IETF RFC 1570: “PPP LCP Extensions“. 5 IETF RFC 1990: “The PPP Multilink Protocol (MP)“. 6 IETF RFC 2131: “Dynamic Host Configuration Protocol“. 7 IETF RFC 2486: “The Network Access Identifier“. 8 IETF RFC 2865: “Remote Auth
27、entication Dial In User Service (RADIUS)“. 9 IETF RFC 2866: “RADIUS Accounting“. 10 IETF RFC 3046: “DHCP Relay Agent Information Option“. 11 IETF RFC 3118: “Authentication for DHCP Messages“. 12 IETF RFC 3396: “Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4)“. 13 IEEE 802.1
28、1: “(ISO/IEC 8802-11) IEEE Standards for Information Technology -Telecommunications and Information Exchange between Systems - Local and Metropolitan AreaNetwork - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications“. 14 ITU-T Recommendat
29、ion X.680: “Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation“. ETSI ETSI TS 102 234 V1.6.1 (2006-07) 7 15 IETF RFC 2132: “DHCP Options and BOOTP Vendor Extensions“. 16 ETSI TR 102 205: “Methods for Testing and Specification (MTS); UML 2.0 action syntax f
30、easibility study“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 102 232 2 and the following apply: access provider: Communications Service Provider (CSP), providing access to a network NOTE: In the context of the pres
31、ent document, the network access is defined as IP based network access to the Internet. access service: set of access methods provided to a user to access a service and/or a supplementary service NOTE: In the context of the present document, the service to be accessed is defined as the Internet. acc
32、ounting: act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation authentication: property by which the correct identity of an entity or party is established with a required assurance authorization: property by which the access rights t
33、o resources are established and enforced 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AAA Authentication, Authorization and Accounting ANP Access Network Provider AP Access Provider ASN.1 Abstract Syntax Notation One ATM Asynchronous Transfer Mode BO
34、OTP BOOTstrap Protocol CC Content of Communication CHAP Challenge Handshake Authentication Protocol CIN Communication Identity Number CMTS Cable Modem Termination System CPE Customer Premises Equipment CSP Communications Service Provider (covers all AP/NWO/SvP) DHCP Dynamic Host Configuration Protoc
35、ol DNS Domain Name System DoS Denial of Service DSL Digital Subscriber Line DSLAM Digital Subscriber Line Access Multiplexer FQDN Fully Qualified Domain Name GWR GateWay Router HI1 Handover Interface 1 (for Administrative Information) HI2 Handover Interface 2 (for Intercept Related Information) HI3
36、Handover Interface 3 (for Content of Communication) IAP Internet Access Provider IAS Internet Access Service IP Internet Protocol IRI Intercept Related Information ISDN Integrated Services Digital Network ISP Internet Service Provider LAN Local Area Network ETSI ETSI TS 102 234 V1.6.1 (2006-07) 8 LC
37、P Link Control Protocol LEA Law Enforcement AgencyLEMF Law Enforcement Monitoring Facility LI Lawful Interception MAC Media Access Control NAS Network Access Server NWO NetWork Operator OID Object IDentifier PAP Password Authentication Protocol PDA Personal Digital Assistant PPP Point-to-Point Proto
38、col PPPoA Point-to-Point Protocol over ATM PPPoE Point-to-Point Protocol over Ethernet PSTN Public Switched Telephone Network QoS Quality of Service RADIUS Remote Authentication Dial-In User Service SLIP Serial Line Interface Protocol SvP Service Provider TCP Transmission Control Protocol TLV Type-L
39、ength-ValueUDP User Datagram Protocol 4 General 4.1 Internet Access Service (IAS) An Internet Access Service (IAS) provides access to the Internet to end users via a modem connected to a telephone, cable or wireless access network owned by a NetWork Operator (NWO). The IAS is typically provided by a
40、n Internet Access Provider (IAP) or Internet Service Providers (ISP), where an ISP also provides supplementary services such as E-Mail, Chat, News, etc. For the remainder of the document, the provider of the Internet Access Service (IAS) will be referred to as IAP and although NWO and IAP may be the
41、 same party, in all figures in the present document, they are depicted as separate entities. IAP/ISP Customer NWO Customer Premises Equipment (CPE) IAP Network Access Network Internet Figure 1: Internet access The customer typically connects to the IAP via a Telco or cable company owned access netwo
42、rk, such as the PSTN/ISDN telephony network for dial-up and xDSL access, the cable-TV network for cable modem access or alternatively a IEEE 802.11 13 Wireless LAN. The service provided by the IAP is no more and no less than to provide a user with a valid IP address for transporting and receiving da
43、ta over an IP based network and to provide transit access to the Internet for this data. 4.2 Target identity and IP address Before the IAP can provide a user with a valid IP address, there is a need for Authentication, Authorization and during or at the end of the communication session there is a ne
44、ed for Accounting. ETSI ETSI TS 102 234 V1.6.1 (2006-07) 9 In order to perform these functions, the IAP may deploy equipment in its network that implements an Authentication, Authorization and Accounting (AAA) protocol such as RADIUS. The other protocol mentioned in the scope declaration, DHCP, is n
45、ot really an AAA protocol, since it does very limited authentication and no authorization or accounting. DHCP can assign IP addresses and provide network configuration information to the user and is therefore often used in combination with RADIUS or other (proprietary) equipment. When a user is auth
46、enticated and authorized, the IAP will assign an IP address to the user. The assignment of the IP address can be performed by using RADIUS, DHCP or a combination of the two. In the latter case, often the RADIUS server will act as a client to the DHCP server, where the DHCP server assigns the IP addr
47、ess and the RADIUS server forwards the information towards the user. The user will use the assigned IP address to communicate over the Internet and therefore, for the duration of the session, traffic from and to this user can be identified by means of this IP address. In some cases (e.g. dial-up acc
48、ess), the Network Access Server (NAS) may assign the IP address to the user; either from a local IP address pool or by using DHCP and does not use RADIUS authentication for IP address assignment. From an LI perspective, the moments of assignment and deassignment of the IP address and the protocol us
49、ed for it are of interest. It is at the moment of assignment, and only at that particular moment, that the target identity can be tied to a dynamically assigned IP address, which can then further be used to intercept IP traffic from the particular user. At the moment of deassignment, interception of IP data based on that particular IP address must stop immediately, since the IP address may be handed out to another user shortly after. 4.3 Lawful Interception requirements This clause lists the requirements for Lawful Interception. T
