
Technical Components of Lawful Intercept
Today’s CALEA solutions include several technical components that must be properly implemented and able to communicate with the network elements and sub-systems before accurate intelligence can be delivered to an authorized Law Enforcement Agency (LEA). Here Subsentio describes the elements that may make up an intercept deployment.
Supported network topologies – current deployments cover the network types listed below, each with a high-level technical overview:
- Circuit-Switched – These solutions usually involve legacy time-division multiplexing (TDM) switches in a Class 5 switching environment. The access function enables target provisioning and interception of call-data and call-content; in some cases the call-content is handled independently via a dial-out function. Targeted traffic is routed to the Subsentio Network Operations Center (NOC) through a secure VPN tunnel. Once in the NOC, the stream is converted into a standardized Lawful Intercept format and transported over an existing VPN tunnel to the Law Enforcement Agency for collection.
- Voice over IP (VoIP) – This solution usually involves session border controllers, soft-switches, SIP proxies and RTP relays. The deployment can be either active or passive. In an active deployment the access function allows target provisioning and then delivers a proprietary CII/CC data stream to the mediation server for mediation and delivery to the LEA. In a passive deployment the Subsentio Safe Harbor Probe monitors the signaling and audio traffic on a TAP or SPAN port; once target traffic is identified (the probe learns the media addresses and ports from the SDP carried in the target's SIP signaling), a filter captures it and the probe mediates the streams into a standardized data stream, which is delivered to the Subsentio NOC through a secure VPN tunnel. Once in the NOC, Subsentio routes the traffic to an existing VPN tunnel for collection by the Law Enforcement Agency.
- ISP Networks – This solution usually involves IP routers, DSLAMs, and other network elements. The deployment can be either active or passive. In an active deployment the access function allows target provisioning and then delivers the data streams to the mediation server for CmII and CmC delivery to the LEA. In a passive deployment Subsentio’s Safe Harbor Probe monitors the authentication and IP traffic on a TAP or SPAN port; once a target is identified (for example, by correlating its authentication session with the IP address it was assigned), a filter captures the traffic and the probe mediates the stream into a standardized Lawful Intercept data stream, which is delivered to the Subsentio NOC through a secure VPN tunnel. Once in the NOC, Subsentio routes the traffic to an existing LEA VPN tunnel for collection.
- Mobile Packet-data – This solution usually includes PDSN, SGSN, S/P-GW, and other network elements. The deployment can be either active or passive. In an active deployment the access function allows target provisioning and then delivers the data streams to the mediation server for CmII and CmC delivery to the LEA. In a passive deployment the Subsentio Safe Harbor Probe monitors the authentication and IP traffic on a TAP or SPAN port; once a target is identified, it filters and mediates the streams into a standardized LI data stream and delivers it to the Subsentio NOC through a secure VPN tunnel. Once in the NOC, Subsentio routes the traffic to an existing LEA VPN tunnel for collection.
LEA Monitoring Center Collection Servers – these include the servers and client applications used by law enforcement and intelligence agencies to decode, display, and record the standardized data delivered by mediation servers or probes. Such devices are used by the DEA, FBI, CIA, Secret Service, US Marshals, Department of Homeland Security, and many other agencies.
Provisioning Administration – The administration interface or terminal offers a unified mechanism to administer different network and target types. The provisioning process may use one of the following connectivity protocols or applications: Telnet, SSH, HTTP, HTTPS, X1, or a proprietary mechanism. Telnet and HTTP provide no confidentiality of their own, so they carry the target identities and credentials in clear text and are only acceptable inside the encrypted VPN tunnel described below.
Provisioning Database – This database stores the system configuration data, target criteria, user information and activity logs. In most cases this data is encrypted in flight and at rest. The database could be MySQL, Oracle, dBASE, or another industry-standard database.
Mediation/delivery Server and Probe Types – these servers can be implemented in one of the following configurations.
- Active Solutions – intercepts are based on a protocol between the mediation server and the network element. The mediation server communicates with the network element to set up the intercept, using the specific commands and syntax required by the LI software loaded on the network element. This includes the target interception criteria and the delivery addresses.
- Passive Interface – intercepts are based on creating a filter or capture criteria on the probe, which is connected to a network TAP or SPAN (mirror) port carrying the normal traffic of the network segment. A SPAN port may silently drop frames when the mirrored traffic exceeds the port's capacity, whereas an inline TAP passes every frame; this matters when the captured content must be complete.
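The target-identification step used by the passive ISP and mobile packet-data deployments above, and the filter or capture criteria described for the passive interface, as an added worked example. This is illustrative code written for this page, not Subsentio's Safe Harbor Probe software; it assumes the probe sees RADIUS accounting on the SPAN port, that the provisioned target criterion is a subscriber User-Name, and that the record layouts and the replayed events are constructed for the demonstration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union


@dataclass
class AcctEvent:
    """Constructed stand-in for a RADIUS Accounting-Request seen on the SPAN port."""
    status: str      # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    user: str        # User-Name (the provisioned target criterion)
    framed_ip: str   # Framed-IP-Address assigned to the session
    ts: float


@dataclass
class Pkt:
    """Constructed stand-in for the IP header of a packet seen on the SPAN port."""
    src: str
    dst: str
    proto: str
    length: int
    ts: float


@dataclass
class PassiveProbe:
    """Hypothetical probe logic: turn a provisioned subscriber identity into a
    live IP capture filter by watching the authentication/accounting traffic."""
    targets: Set[str]                                        # provisioned User-Names
    bindings: Dict[str, str] = field(default_factory=dict)   # Framed-IP -> User-Name
    cmii: List[dict] = field(default_factory=list)           # session events (CmII)
    cmc: List[dict] = field(default_factory=list)            # captured packets (CmC)

    def on_radius(self, ev: AcctEvent) -> None:
        if ev.user not in self.targets:
            return
        if ev.status == "Start":
            self.bindings[ev.framed_ip] = ev.user
            self.cmii.append({"event": "session-start", "user": ev.user,
                              "ip": ev.framed_ip, "ts": ev.ts})
        elif ev.status == "Stop":
            # Remove the binding only if it still belongs to this user; the address
            # may already have been recycled to another subscriber. Leaving a stale
            # binding in place would capture a non-target's traffic.
            if self.bindings.get(ev.framed_ip) == ev.user:
                del self.bindings[ev.framed_ip]
            self.cmii.append({"event": "session-stop", "user": ev.user,
                              "ip": ev.framed_ip, "ts": ev.ts})
        # Interim-Update changes no binding and is ignored here.

    def on_packet(self, p: Pkt) -> bool:
        """Capture the packet if either endpoint is a currently bound target address."""
        user = self.bindings.get(p.src) or self.bindings.get(p.dst)
        if user is None:
            return False
        self.cmc.append({"user": user, "src": p.src, "dst": p.dst,
                         "proto": p.proto, "len": p.length, "ts": p.ts})
        return True


def run_demo() -> dict:
    """Replay a constructed SPAN-port event sequence and return record counts."""
    probe = PassiveProbe(targets={"target@example.net"})
    events: List[Union[AcctEvent, Pkt]] = [
        AcctEvent("Start", "target@example.net", "10.0.0.5", 1.0),
        AcctEvent("Start", "bystander@example.net", "10.0.0.6", 1.5),
        Pkt("10.0.0.5", "192.0.2.10", "tcp", 1200, 2.0),   # target outbound: captured
        Pkt("192.0.2.10", "10.0.0.5", "tcp", 600, 2.1),    # target inbound: captured
        Pkt("10.0.0.6", "192.0.2.10", "tcp", 900, 2.2),    # bystander: not captured
        AcctEvent("Interim-Update", "target@example.net", "10.0.0.5", 2.5),
        AcctEvent("Stop", "target@example.net", "10.0.0.5", 3.0),
        AcctEvent("Start", "newsub@example.net", "10.0.0.5", 3.5),  # address recycled
        Pkt("10.0.0.5", "192.0.2.10", "udp", 400, 4.0),    # new subscriber: not captured
    ]
    for e in events:
        if isinstance(e, AcctEvent):
            probe.on_radius(e)
        else:
            probe.on_packet(e)
    return {"cmii": len(probe.cmii), "cmc": len(probe.cmc),
            "live_bindings": len(probe.bindings)}


if __name__ == "__main__":
    print(run_demo())
```

The binding table is what turns a static target criterion into a live packet filter; the check on Accounting-Stop guards against the failure mode in which an address is recycled to another subscriber and traffic that is not the target's would otherwise be captured. A production probe applies the same binding to a hardware or BPF filter rather than inspecting every packet in software, but the correlation logic is the same.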
Mediation/delivery Server and Probe Responsibilities – these systems intercept the data and content of targeted subjects and convert the intercepted traffic into the lawful delivery standard for transmission to a Law Enforcement Agency. The mediation server or probe typically has three main tasks:
- Target provisioning – programming network nodes or probes with the target interception criteria and the destination parameters of the law enforcement monitoring centers.
- Call/session collection – collecting intercept activity from the network elements under surveillance.
- Call/session delivery – delivering the intercepted communications to the appropriate law enforcement agency using a standard LI protocol and method.
Delivery to Law Enforcement Agency – The mediation server delivers the call-data and call-content of an intercepted call or session to the Law Enforcement Agency’s collection server in a method and format that complies with an industry standard protocol designed specifically for lawful interception: J-STD-025 A/B, T1.678, T1.IAS, 3GPP TS 33.108, or PacketCable PKT-SP-ESP3.0. Transporting these standardized protocols usually involves establishing a TCP/IP socket from the Subsentio NOC to the LEA collection point, although UDP/IP sessions are also used. Less common delivery methods include X.25, SCTP, GR-30 FSK, and TDM dial-out.
IPSec VPN Connectivity Between Network and Delivery Elements – Subsentio’s connections to service providers use a site-to-site IPsec VPN tunnel for target provisioning and for receipt of intercepted call-data and call-content. A site-to-site IPsec VPN tunnel is likewise used when delivering LI standardized messages to the Law Enforcement Agencies. Setting up and testing a tunnel involves exchanging the public (peer) and private (protected) addresses, confirming the phase 1 (ISAKMP/IKE SA) and phase 2 (IPsec SA) parameters, and matching the encryption domains, that is, the local and remote subnets each side agrees to protect; a mismatch in any of these is the usual reason a tunnel fails to establish or passes traffic in only one direction. All of Subsentio’s data connectivity sessions and transactions are encapsulated in ESP, which provides confidentiality, data-origin authentication and integrity between the two tunnel endpoints. Note that this protection is gateway to gateway, not end to end: traffic inside each site's own network is outside the tunnel, and ESP only authenticates packets when it is configured with an integrity algorithm or an AEAD cipher rather than encryption alone.
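A site-to-site tunnel definition showing the parameters the paragraph above says must be matched on both sides, as an added example in strongSwan swanctl.conf syntax. This is an illustrative fragment written for this page, not a Subsentio or LEA configuration; the addresses, subnets, connection names and pre-shared key are placeholders. It uses IKEv2, in which the phase 1 ISAKMP SA and phase 2 IPsec SA of the text correspond to the IKE SA proposal and the CHILD_SA proposal:

```conf
connections {
    noc-to-lea {
        # IKEv2; the peer must use the same version
        version = 2
        # Public (peer) addresses exchanged with the other side (placeholders)
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        # Phase 1 / IKE SA: encryption, integrity and DH group must match exactly
        proposals  = aes256-sha256-ecp256
        rekey_time = 8h
        # Dead peer detection so a silently failed tunnel is noticed and rebuilt
        dpd_delay  = 30s
        children {
            li-delivery {
                # Phase 2 / CHILD_SA: these traffic selectors are the encryption
                # domains; the peer must configure the mirror image (placeholders)
                local_ts  = 10.10.1.0/24
                remote_ts = 10.20.5.0/24
                # AEAD proposal gives confidentiality and integrity together, with a
                # DH group so phase 2 keys are not derived from phase 1 alone (PFS)
                esp_proposals = aes256gcm16-ecp256
                rekey_time    = 1h
                # Bring the tunnel up when the config loads rather than on first packet
                start_action  = start
                dpd_action    = restart
            }
        }
    }
}

secrets {
    ike-lea {
        id = 198.51.100.20
        # Placeholder; the real key is exchanged out of band during tunnel setup
        secret = "replace-with-the-exchanged-pre-shared-key"
    }
}
```

The peer side configures the mirror image: the same IKE and ESP proposals, with local_addrs and remote_addrs swapped and local_ts and remote_ts swapped. If the traffic selectors do not mirror each other exactly, IKEv2 will either narrow them or reject the CHILD_SA, which is how a matching-encryption-domain error shows up in practice. An AEAD cipher (or an explicit integrity algorithm) in the ESP proposal is what makes ESP authenticate every packet as well as encrypt it.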