IPPR

Internet Protocol Packet Reporting

Security
Introduced in Rel-18
IPPR is a Lawful Interception (LI) mechanism that enables the reporting of specific IP packet flows to authorized Law Enforcement Agencies (LEAs). It provides detailed, real-time metadata and content from targeted communications for security and investigative purposes, as mandated by legal frameworks.

Description

Internet Protocol Packet Reporting (IPPR) is a standardized function within the 3GPP Lawful Interception (LI) architecture, defined to facilitate the interception and reporting of Internet Protocol (IP) packet-based communications. It operates as a specific type of Intercept Related Information (IRI) and Content of Communication (CC) reporting, focusing on the granular details of IP data flows associated with a target of interception. The IPPR function is implemented within network nodes that handle user plane traffic, such as the Packet Data Network Gateway (PGW), User Plane Function (UPF), or dedicated mediation devices. When activated by a lawful authorization, these nodes are configured to identify the IP traffic belonging to the specified target—using identifiers like IP address, subscription identifier, or other packet filters—and to duplicate and forward this traffic along with rich metadata to the Law Enforcement Monitoring Facility (LEMF).

The technical operation of IPPR involves several key components and interfaces. First, the Administration Function (ADMF) receives the lawful authorization and target identity from the LEA and distributes the interception commands securely to the relevant Intercepting Control Elements (ICEs) in the network, such as the gateway handling the target's session. The ICE, upon activation, performs deep packet inspection and filtering on the user plane to isolate the target's IP packets. For each intercepted flow, IPPR generates structured reports that include both the CC (the actual payload of the IP packets) and associated IRI, which contains metadata like source and destination IP addresses, port numbers, protocol type (TCP/UDP), timestamps, and packet sizes. This data is formatted according to 3GPP-specified encoding standards (e.g., using IPDR or ETSI HI standards) and is transported over secure, dedicated interfaces (the HI2 and HI3 interfaces) to the Mediation Function (MF), which adapts and delivers it to the LEMF.

IPPR's role is critical in modern networks where virtually all communication is IP-based. It provides law enforcement with the technical capability to monitor targeted internet activities, including web browsing, email, messaging over IP, and Voice over IP (VoIP) calls, in a standardized and reliable manner. The specification ensures that the interception is performed without degrading the quality of service for the target or other users and maintains strict access controls and logging to prevent abuse. The detailed packet-level reporting allows investigators to reconstruct communication sessions, analyze data exchange patterns, and gather digital evidence, making it a powerful tool for lawful surveillance in the digital age.

Purpose & Motivation

IPPR was developed to address the evolving requirements for lawful interception in all-IP telecommunications networks. As mobile networks transitioned from circuit-switched voice to packet-switched data services (culminating in 4G LTE and 5G which are fully IP-based), traditional interception methods designed for voice calls became inadequate. Law Enforcement Agencies (LEAs) worldwide have legal mandates requiring telecommunications operators to provide access to targeted communications for criminal investigations and national security. The purpose of IPPR is to fulfill these legal obligations by providing a standardized, scalable, and technically robust mechanism to intercept and report IP packet flows.

Its creation was motivated by the need for a consistent, vendor-interoperable standard that could handle the complexity and volume of IP traffic. Prior to such standardization, interception capabilities were often proprietary, making it difficult for operators to deploy multi-vendor networks and for LEAs to interface with different operators. IPPR, as part of the broader 3GPP LI framework (TS 33.107 series), defines the precise procedures, interfaces, and data formats for IP packet reporting, ensuring that evidence collected is admissible and that operator implementations comply with regional regulations. It solves the critical problem of how to efficiently filter, capture, and report specific data streams from the high-speed, multiplexed IP traffic in modern core networks without compromising network performance or user privacy for non-targeted individuals.

Key Features

  • Standardized interception and reporting of IP packet flows for Lawful Interception
  • Provides both Content of Communication (CC) and Intercept Related Information (IRI)
  • Utilizes deep packet inspection and filtering based on target identifiers (IP address, etc.)
  • Operates over defined 3GPP interfaces (HI2, HI3) via a Mediation Function
  • Supports real-time, session-based reporting with detailed packet metadata
  • Ensures secure, authenticated, and logged access to prevent unauthorized use

Evolution Across Releases

Rel-18 Initial

Introduced as a new Lawful Interception capability to enhance packet-level reporting granularity and standardization. Defined the architecture, procedures, and data models for IP Packet Reporting within the 5G system and evolved EPC, addressing the requirements for intercepting complex IP-based services and applications.

TS 33.108TS 33.127TS 33.128

Defining Specifications

SpecificationTitle
TS 33.108 3GPP TR 33.108
TS 33.127 3GPP TR 33.127
TS 33.128 3GPP TR 33.128