Lawful Interception Control Function

Description

The Lawful Interception Control Function (LICF) is a standardized 5G Core Network function defined within the 3GPP Security Assurance Specification (SCAS) framework. It serves as the master controller for all Lawful Interception activities within a 5G standalone (SA) network. The LICF resides in the operator's administrative domain and interfaces with the Law Enforcement Monitoring Facility (LEMF) via the standardized Handover Interface (HI). Its primary role is to authenticate and authorize interception requests, validate their legal scope (e.g., target identity, interception content, duration), and then provision the interception order to the relevant intercepting network functions.

Architecturally, the LICF interacts with other 5G Core functions through service-based interfaces. Upon receiving a valid warrant, the LICF identifies which Network Functions (NFs) are involved in the target subscriber's sessions—such as the Access and Mobility Management Function (AMF) for control-plane events, the Session Management Function (SMF) for session data, and the User Plane Function (UPF) for the actual content of communications. The LICF sends activation commands to these NFs, instructing them to begin collecting and duplicating the specified Interception Related Information (IRI) and Content of Communication (CC).

The function manages the entire lifecycle of an interception, including activation, modification, deactivation, and query of status. It ensures that interception is performed precisely as authorized, preventing over-collection. The LICF also handles the secure delivery of intercepted data to the Mediation Function (MF), which formats it according to the ETSI standards before transmission to the LEMF. This centralized control model simplifies security auditing, logging, and compliance reporting for network operators, as all interception commands flow through a single, secured function.

Purpose & Motivation

The LICF was introduced in 5G to address the architectural shift from the monolithic network elements of previous generations (2G/3G/4G) to a cloud-native, service-based architecture (SBA). In legacy systems, LI functionality was embedded within individual network nodes (like the MSC, SGSN, or MME), leading to complex, distributed provisioning and inconsistent security controls. The decentralized approach made it difficult to ensure uniform policy enforcement and maintain a secure audit trail across the entire network.

The creation of the LICF provides a centralized, standardized control plane for LI that is independent of the underlying network functions. This solves key problems: it offers a single, secure point of entry for law enforcement requests, simplifies the implementation of LI across a virtualized and sliced network, and enhances the overall security assurance of the interception system itself. By decoupling the control logic from the intercepting entities, the LICF enables more agile deployment in 5G core clouds and ensures that LI capabilities can evolve independently of other network services, all while meeting stringent legal and regulatory compliance requirements globally.

Key Features

• Centralized authorization and activation of interception warrants
• Service-based interface (e.g., Nlicf) for communication with 5G Core NFs
• Lifecycle management (activate, modify, deactivate, query) of interception orders
• Target identification and mapping to serving network functions
• Secure interface (HI2) to the Law Enforcement Monitoring Facility (LEMF)
• Integration with the 5G Mediation Function for standardized data delivery

Evolution Across Releases

Defining Specifications