Lawful Interception

Being such a specific field surrounded with mystery and controversy, Lawful Interception proved to be a very difficult project. Unlike all other software solutions, documentation and community surrounding this particular field is very scarce, and information is almost impossible to obtain without proper connections or significant financial support.

Apart from this, there is only a handful of LI solution providers out there, making huge profits and having the monopoly on this specific market. The main tool of this apparent monopoly is a big effort to withhold the freedom of information and portray Lawful Interception as an extremely complicated solution. On top of that, operators are obliged by law to have their networks provide LI functionality for Law Enforcement Agencies. We have decided to put a stop to all this. Being in this world for some time now, a decision has been made to release the first alternative ETSI compliant Lawful Interception solution in the market.

What is Lawful Interception?

Lawful interception’s main task is to silently obtain network communications, giving access to intercepted traffic to lawful authorities for the purpose of data analysis and/or evidence. Such data generally consist of signaling, network management information, or in fewer instances, the content of network communications. If data cannot be obtained in real-time, the activity is referred to as access to retained data (data retention).

LI Overview

In normal circumstances, network operator is required to provide 3 different Handover Interfaces (HI) to Law Enforcement Monitoring Facilities (LEMF). This is a standard requirement needed for successful data retrieval and analysis.
Interface list:

  • HI1
  • HI2
  • HI3
  • HIA (not shown on the picture)
  • HIB (not shown on the picture)

The main purpose of this interface is to transfer the LEMF issued warrants to Lawful Interception Mediation device. Apart from this, it is also used to provide various system information like uptime, target states, performance level, availability status, etc. It typically consists of:

  • target information (i.e. WHO to monitor)
  • targeting period
  • delivery location (used for HI2 and HI3 delivery)

This interface is used for delivery of Interception Related Information (IRI) to LEMF facilities. The actual content of intercepted traffic is not relevant in this case, and therefore not recorded. Interception Related Information consists of event like messages describing specific actions taken by person under surveillance. A simple example for this scenario would be a regular email message being sent from person A to person B. The actual text of the message would not be intercepted, but sender and recipient information along with other header related fields would silently become a part of IRI. The actual definition of IRI messages is defined by ETSI using ASN.1 notation. Basic Encoding Rules (BER) are used to encode and transfer ASN.1 data over the wire.


The last handover interface from the list, HI3, is used for Content of Communication or CC in short. We have mentioned the actual intercepted content in the previous section, describing it as an irrelevant part of IRI. Unlike before, Content of Communication (CC) becomes the center point of HI3 interface. There are couple of predefined data formats used when sending the actual data to LEMF back-end. ETSI does not enforce these data formats but leaves room to accommodate for different types of back-ends. To the best of our knowledge, these are the formats currently used is various LEMF back end systems:

  • BER encoded ASN.1 – single packet per file
  • BER encoded ASN.1 – multiple packets per file
  • PCAP
  • E1 delivery of voice with q931 sub-channel correlation data

Last two of the interfaces are used when dealing with retained data. The first retained data interface, HIA, serves the purpose of receiving data query requests which among other search fields, typically consist of at least two fields; time period and protocol dependent target.


The last data retention interface, HIB, is used to generate a reply consisting of IRI information that matches a search query received over previously mentioned HIA interface.

What is openLI?

openLI is a Release14 initiative for saying NO to MAINSTREAM Lawful Interception solutions. We recognize Lawful Interception being a huge financial burden borne solely by the operators. Such high profile systems usually come with high price tags, maintenance costs and not so rare complicated implementation procedures. Release14 offers a competely new LI approach with emphasis on flexibility and low cost. It is another NO to never ending vendor lock-down/licensing story.

There are three openLI modes of operation:
  • Active traffic mapping method
    • JUNOSe LI
    • Release14 openCLASS5 LI
  • Passive traffic mapping method
    • Port Span (port mirror)
    • Port TAP (physical)
  • Any combination of above
Active Flow monitoring example

Passive Flow monitoring example

Passive monitoring – How it works?

Active monitoring – How it works?

Typical implementation

Standards compliance

OK, so what does this actually mean?
If you’ve never heard of ETSI TS 102-232, there is chance that Lawful Interception is not required by law in your country. If that is not the case and your country uses different standards and conventions to describe the same LI requirement proscribed by ETSI, openLI is the right solution for you. It will provide your network with LI features and keep your local law enforcement agencies happy, providing their LEMF systems with all the data they need. These are the services usually required to provide interception capabilities:

  • EMAIL Services
    • POP3
    • IMAP
    • SMTP
  • WEBMAIL Services
  • Layer 3 interception
    • RADIUS Username targeting
    • IP Targeting
  • Layer 2 interception
    • DHCP targeting (MAC Address or Option 82)
    • MAC Address Targeting
  • HTTP
  • MSN
  • IRC
  • SIP
Data retention
  • Option to store all HI2 information to database, virtually having the entire network as target (not just a single users)
  • Time period dependant on country’s legislation (typically 1 year)
  • Option to also store HI3 (CC) information (high storage capacity needed!)
We would like to say Thank You to Juniper Networks for using some of their old pictures in our attempt to portray the logic behind Lawful Interception as simple as possible.