LICF

Lawful Interception Control Function

Security →
Introduced in Rel-16

LICF is the core 5G network function that manages, authorizes, and activates lawful interception orders from law enforcement, orchestrating interception across the network.

Category
Security
Introduced
Rel-16
Where
Core Network › 5G Core
Specifications
2 specs
LICF Description Purpose Related Classification Detected Changes Specifications

Description

The Lawful Interception Control Function (LICF) is a standardized 5G Core Network function defined within the 3GPP Security Assurance Specification (SCAS) framework. It serves as the master controller for all Lawful Interception activities within a 5G standalone (SA) network. The LICF resides in the operator's administrative domain and interfaces with the Law Enforcement Monitoring Facility (LEMF) via the standardized Handover Interface (HI). Its primary role is to authenticate and authorize interception requests, validate their legal scope (e.g., target identity, interception content, duration), and then provision the interception order to the relevant intercepting network functions.

Architecturally, the LICF interacts with other 5G Core functions through service-based interfaces. Upon receiving a valid warrant, the LICF identifies which Network Functions (NFs) are involved in the target subscriber's sessions—such as the Access and Mobility Management Function (AMF) for control-plane events, the Session Management Function (SMF) for session data, and the User Plane Function (UPF) for the actual content of communications. The LICF sends activation commands to these NFs, instructing them to begin collecting and duplicating the specified Interception Related Information (IRI) and Content of Communication (CC).

The function manages the entire lifecycle of an interception, including activation, modification, deactivation, and query of status. It ensures that interception is performed precisely as authorized, preventing over-collection. The LICF also handles the secure delivery of intercepted data to the Mediation Function (MF), which formats it according to the ETSI standards before transmission to the LEMF. This centralized control model simplifies security auditing, logging, and compliance reporting for network operators, as all interception commands flow through a single, secured function.

Purpose & Motivation

The LICF was introduced in 5G to address the architectural shift from the monolithic network elements of previous generations (2G/3G/4G) to a cloud-native, service-based architecture (SBA). In legacy systems, LI functionality was embedded within individual network nodes (like the MSC, SGSN, or MME), leading to complex, distributed provisioning and inconsistent security controls. The decentralized approach made it difficult to ensure uniform policy enforcement and maintain a secure audit trail across the entire network.

The creation of the LICF provides a centralized, standardized control plane for LI that is independent of the underlying network functions. This solves key problems: it offers a single, secure point of entry for law enforcement requests, simplifies the implementation of LI across a virtualized and sliced network, and enhances the overall security assurance of the interception system itself. By decoupling the control logic from the intercepting entities, the LICF enables more agile deployment in 5G core clouds and ensures that LI capabilities can evolve independently of other network services, all while meeting stringent legal and regulatory compliance requirements globally.

Classification

Part ofIRI
Related approachesAMF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (18 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 7 changes

In Release 15, the Lawful Interception Control Function (LICF) saw enhancements to address missing triggers and procedures, specifically for starting interception with an established PDU session and for a registered UE. It also introduced clarifications for interception in scenarios involving in-bound roaming, anchor UPFs, and branching UPFs, and added support for reporting the SUCI (Subscription Concealed Identifier) at the start of interception.

  • Missing trigger for the start of interception with established PDU session TS 33.128CR0004
  • Missing Stage 3 text - Start of Interception with registered UE from MDF2 TS 33.128CR0006
  • Missing stage 3 text - Start of Interception with established PDU session from MDF2 TS 33.128CR0007
  • In-bound roaming interception at anchor UPFs TS 33.128CR0010
  • Anchor UPF interception clarification TS 33.128CR0014
  • Branching UPF interception correction TS 33.128CR0015

+ 1 more changes

Rel-17 4 changes

In Release 17, the LICF updates included enhancements for starting interception upon UE registration at the AMF and enabling interception at the SMF+PGW-C node. It also introduced provisions for capturing the time of registration and session establishment within the relevant xIRI events. Furthermore, the release addressed specific IMS interception scenarios involving the application of special media.

  • IMS: Addressing the interception due to the application of special media TS 33.127CR0119
  • Update to start of interception with registered UE record at the AMF TS 33.128CR0253
  • Interception at SMF+PGW-C TS 33.128CR0354
  • Time of registration/session establishment in Start of Interception related xIRIs TS 33.128CR0334
Rel-18 3 changes

In Release 18, the Lawful Interception Control Function (LICF) was enhanced to support the interception of 5G Media Streaming (5GMS) services on the control plane. Additionally, the release introduced new Start of Interception Records for reporting related to Rich Communication Services (RCS). These updates expanded the scope of interceptable services and the detail of Intercept Related Information (IRI) events provided to law enforcement.

  • LI of 5G Media Streaming (5GMS) (Control plane) TS 33.127CR0186
  • LI of 5G Media Streaming (5GMS) (Control plane) TS 33.128CR0435
  • Addition of Start of Interception Records for RCS reporting TS 33.128CR0610
Rel-19 4 changes

In Release 19, the Lawful Interception Control Function (LICF) was enhanced to support proxying information via the LIPF and to ensure alignment for the PTC Start of Interception record. Furthermore, new interception capabilities were introduced, specifically a solution for email to MMS translation interception and support for IMS Data Channel Start of Interception procedures.

  • Proxying Information from LICF via LIPF TS 33.127CR0260
  • Alignment of PTC Start of Interception record TS 33.128CR0789
  • Solution for email to MMS translation interception TS 33.127CR0270
  • IMS Data Channel Start of Interception TS 33.127CR0271

Explore further

Broader topics and technologies where LICF plays a role.

Topics
Authentication (5G-AKA, EAP)Service Based ArchitectureLawful InterceptManagement & OperationsServices & ApplicationsRadio Access Network
Technologies
LTE5G

Defining Specifications

3GPP specifications that define or reference LICF, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 33.127 vj50 Lawful Interception Architecture and Functions Rel-19
TS 33.128 vj50 3GPP TS 33.128: Lawful Interception Protocols Rel-19