Lawful Intercept - Cisco ASR 5000 series Product Overview

PDG/TTG Overview
To support subscribers while they attempt to access multiple services, the PDG/TTG enables multiple subscriber
authorizations via multiple wireless APNs. Each time a UE attempts to access a service, the PDG/TTG receives a new
APN from the UE in the IDr payload of its first IKE_AUTH_REQ message, and the PDG/TTG initiates a new
authorization as a distinct session.

Lawful Intercept

The PDG/TTG supports lawful interception of subscriber session information to provide telecommunication service
providers (TSPs) with a mechanism to assist law enforcement agencies (LEAs) in the monitoring of suspicious
individuals (referred to as targets) for potential criminal activity.
LEAs provide one or more TSPs with court orders or warrants requesting the monitoring of a particular target. The
targets are identified by information such as their Network Access Identifier (NAI), Mobile Station Integrated Services
Digital Network (MSISDN) number, or International Mobile Subscriber Identification (IMSI) number.
Once the target has been identified, the PDG/TTG serves as an access function (AF) and performs monitoring for either
new PDP contexts or PDP contexts that are already in progress. While monitoring, the system intercepts and duplicates
Content of Communication (CC) and/or Intercept Related Information (IRI) and forwards it to a Delivery Function (DF)
over an extensible, proprietary interface.
Note that when a target establishes multiple, simultaneous PDP contexts, the system intercepts CC and IRI for each of
them. The DF, in turn, delivers the intercepted content to one or more Collection Functions (CFs).
For more information about the lawful intercept feature, see the Lawful Intercept Configuration Guide.

IMS Emergency Call Handling

The PDG/TTG supports IMS emergency call handling per 3GPP TS 33.234. This feature is enabled by configuring a
special WLAN access point name (W-APN), which includes a W-APN network identifier for emergency calls (sos, for
example), and can be configured with no authentication.
The DNSs in the network are configured to resolve the special W-APN to the IP address of the PDG/TTG. When a
WLAN UE initiates an IMS emergency call, the UE sends a W-APN that includes the same W-APN network identifier
(sos) as the one that is configured on the PDG/TTG. This W-APN network identifier is prefixed to the W-APN operator
identifier per 3GPP TS 23.003. The W-APN operator identifier sent by the UE must match the PLMN ID (MCC and
MNC) that is configured on the PDG/TTG (visited network). When the PDG/TTG receives the W-APN from the UE in
the IDr, the PDG/TTG marks the call as an emergency call and proceeds with call establishment, even in the event of an
authentication or EAP failure from the AAA/EAP server.
If the PDG/TTG detects that an old IKE SA for the special W-APN already exists, it deletes the IKE SA and sends an
INFORMATIONAL message with a Delete payload to the WLAN UE to delete the old IKE SA on the UE.
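
The emergency W-APN decision described above, modelled as an added example (not Cisco code or configuration). Because a matching W-APN lets call establishment continue after an EAP failure, the match has to be exact: the network identifier and the PLMN ID must both agree. The name layout <NI>.w-apn.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org, the sa_table structure, the action names, the EAP-decided non-emergency path and the sample values are assumptions made for illustration.

```python
import re

# Assumed name layout: <NI>.w-apn.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
# (MNC zero-padded to three digits). Adjust to the format used in your network.
_OI = re.compile(r"w-apn\.mnc(\d{3})\.mcc(\d{3})\.pub\.3gppnetwork\.org")

def is_emergency_wapn(wapn, plmn, emergency_ni="sos"):
    """True only if the NI is the emergency NI AND the OI carries the local PLMN ID."""
    name = wapn.strip().rstrip(".").lower()   # domain names compare case-insensitively
    ni, sep, oi = name.partition(".")
    m = _OI.fullmatch(oi) if sep else None    # fullmatch: no extra labels before or after
    if m is None or ni != emergency_ni:
        return False
    mcc, mnc = plmn
    return (m.group(2), m.group(1)) == (mcc, mnc.zfill(3))

def handle_ike_auth(sa_table, ue_id, idr_wapn, plmn, eap_ok, new_sa):
    """Return the actions taken for one IKE_AUTH_REQ.

    sa_table (hypothetical) maps ue_id -> handle of that UE's emergency IKE SA.
    """
    actions = []
    if is_emergency_wapn(idr_wapn, plmn):
        old = sa_table.get(ue_id)
        if old is not None:                   # stale IKE SA for the special W-APN
            actions += [("delete_ike_sa", old), ("send_informational_delete", old)]
        sa_table[ue_id] = new_sa
        actions.append(("establish_emergency", new_sa))  # eap_ok is not consulted
    elif eap_ok:
        actions.append(("establish_normal", new_sa))
    else:
        actions.append(("reject", new_sa))    # look-alike W-APN: no bypass
    return actions

# Constructed sample values, not taken from any real network.
PLMN = ("345", "12")
GOOD = "sos.w-apn.mnc012.mcc345.pub.3gppnetwork.org"

if __name__ == "__main__":
    table = {}
    samples = (GOOD, GOOD, "sos.w-apn.mnc099.mcc345.pub.3gppnetwork.org")
    for i, wapn in enumerate(samples):
        print(wapn, handle_ike_auth(table, "ue-1", wapn, PLMN, False, f"sa-{i}"))
```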

IPSec Session Recovery Support

The IPSec session recovery feature is a licensed feature on the PDG/TTG. It provides seamless failover and nearly
instantaneous reconstruction of subscriber session information in the event of a hardware or software fault within the

OL-22938-02
Features and Functionality
Cisco ASR 5000 Series Product Overview