IIF

Internal Interception Function

Security
Introduced in Rel-8
A standardized network function responsible for the lawful interception of communications within a 3GPP network. It interfaces with law enforcement agencies, providing intercepted content and intercept-related information in a secure, regulated manner as mandated by national laws.

Description

The Internal Interception Function (IIF) is a critical security and surveillance component within the 3GPP network architecture, defined specifically for Lawful Interception (LI). It acts as the network-internal entity that performs the actual interception of communication content (CC) and the collection of intercept-related information (IRI) for a specific target (e.g., a subscriber or IP address). The IIF is the point where the network's normal user traffic and signaling are duplicated and diverted for lawful purposes. It is implemented within various network elements that handle user data, such as the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Packet Data Network Gateway (PGW), Serving Gateway (SGW), Mobility Management Entity (MME), and IP Multimedia Subsystem (IMS) nodes like the Proxy-Call Session Control Function (P-CSCF).

Operationally, the IIF is activated upon receiving a lawful interception warrant from a legally authorized entity. This activation is mediated through the Administration Function (ADMF), another component of the LI architecture. The ADMF sends the interception request, including the target identifier, to the relevant IIF residing in the network element that serves that target. Once activated, the IIF performs two primary tasks: it generates Intercept Related Information (IRI), which includes signaling data about the communication (e.g., call setup time, parties involved, location), and it provides the Content of Communication (CC), which is the actual voice, data, or messaging payload. The IIF must perform this interception covertly, ensuring the target is unaware of the surveillance.

The IIF does not communicate directly with external law enforcement agencies. Instead, it delivers the intercepted data to intermediary functions within the network operator's domain. The IRI is sent to a Delivery Function for IRI (DF2), and the CC is sent to a Delivery Function for CC (DF3). These Delivery Functions then forward the data securely over standardized interfaces (HI2 and HI3 respectively) to the Law Enforcement Monitoring Facility (LEMF). The architecture ensures a clear separation between the network's internal interception mechanisms (IIF, ADMF, DF) and the external law enforcement domain. The specifications, particularly 3GPP TS 33.108, meticulously define the handover interfaces (HI1, HI2, HI3), the data formats (e.g., using ETSI standards like XSD), and the protocols for this communication to ensure interoperability and compliance with legal frameworks.

From a technical implementation perspective, the IIF involves deep integration into the call and session control logic of network nodes. For circuit-switched voice, it may tap into the call control signaling. For packet data, it involves duplicating IP packets associated with the target and mirroring them to the DF3. The IIF must handle various services: voice calls (CS and VoLTE/VoNR), SMS, MMS, and general IP data sessions. Its design must also account for subscriber mobility, ensuring interception continues seamlessly as the target moves between cells or network areas. The function is a cornerstone of the network operator's obligation to provide legally mandated interception capabilities, forming a complex subsystem that balances technical efficiency, security, privacy for non-targeted users, and strict regulatory compliance.

Purpose & Motivation

The Internal Interception Function exists to fulfill legal obligations imposed on telecommunications service providers by national governments and regulatory bodies. These laws require operators to have the technical capability to assist law enforcement agencies (LEAs) in the lawful interception of communications for purposes of criminal investigation, national security, and intelligence gathering. Prior to standardized functions like the IIF, interception methods were often proprietary, non-scalable, and could not easily keep pace with evolving network technologies like GPRS, 3G, and IMS. This created a problem for both operators, who faced complex integration challenges, and for LEAs, who needed a consistent, reliable method to receive intercepted data regardless of the underlying network technology or vendor equipment.

The creation and standardization of the IIF within 3GPP (starting in Rel-8 as part of a consolidated LI architecture) solved these problems by providing a unified, vendor-agnostic framework. It defined exactly *where* and *how* interception should occur within the network architecture. This addressed the limitations of ad-hoc solutions by ensuring that every compliant network element (SGSN, GGSN, MME, etc.) would have a consistent internal function for generating IRI and CC. Standardization was motivated by the need for cost-effectiveness for operators (who could deploy multi-vendor networks) and for operational efficiency for LEAs, who could use standardized equipment to receive data from any operator's network.

Furthermore, the IIF framework incorporates crucial principles of privacy and security. By strictly defining the internal interfaces between the IIF, ADMF, and Delivery Functions, it creates an auditable and controlled interception environment within the operator's domain. This design helps prevent unauthorized access or abuse of interception capabilities. It also future-proofs the capability, as the core concept of the IIF can be extended to new network functions in 5G (like the Session Management Function - SMF, User Plane Function - UPF) and new services, ensuring that lawful interception remains possible even as network architectures evolve from EPC to 5GC. Thus, the IIF serves the dual purpose of enabling legal state authority while enforcing a disciplined, standardized, and secure technical implementation.

Key Features

  • Performs actual interception of content (CC) and collection of signaling data (IRI) within network nodes
  • Activated covertly via the Administration Function (ADMF) based on a lawful warrant
  • Implemented in core network elements (e.g., MME, SGW, PGW, CSCF)
  • Delivers intercepted data to internal Delivery Functions (DF2, DF3)
  • Supports interception across multiple services (voice, SMS, packet data)
  • Designed to handle subscriber mobility and session continuity

Evolution Across Releases

Rel-8 Initial

Introduced as a core component of the redefined 3GPP Lawful Interception architecture, consolidating interception capabilities for 3G and evolving EPS networks. Specified its role in generating IRI and CC, and its interfaces to the Administration Function and Delivery Functions, establishing a standardized model for all subsequent releases.

TS 33.108

Defining Specifications

SpecificationTitle
TS 33.108 3GPP TR 33.108