What is LISSF? Lawful Interception State Storage Function

Description

The Lawful Interception State Storage Function (LISSF) is a core component within the 3GPP Lawful Interception (LI) architecture, specifically defined from Release 16 onwards. It operates as a centralized state repository, decoupling the storage of LI-related state information from the individual network functions that perform the interception, such as the Lawful Interception Function (LIF) or various Application Functions (AFs). This architectural separation is a key principle of modern, cloud-native network design. The LISSF stores critical data including the identities of targets under interception (e.g., IMSI, SUPI, MSISDN), the details of the authorized interception warrants, the current activation status of intercepts, and associated metadata required for session correlation and data delivery to the Law Enforcement Monitoring Facility (LEMF).

From a functional perspective, the LISSF provides a standardized state management service to other LI entities. When a new lawful interception authorization is received, the relevant administrative function (e.g., the Administration Function, ADMF) writes the target and warrant information into the LISSF. Subsequently, network functions like the Access Network, Core Network, or service delivery platforms query the LISSF to determine if a particular user session or service data unit is subject to interception. This query-response mechanism allows intercepting functions to apply the correct interception rules without needing to maintain complex, distributed state themselves. The LISSF ensures consistency and persistence of this state, which is crucial for intercept continuity during user mobility, handovers, or network function failures.

Its role is integral to achieving reliable and compliant LI in 5G System (5GS) and evolved networks. By providing a single source of truth for interception state, it simplifies the implementation of LI capabilities across a disaggregated and virtualized network environment. It supports interfaces defined in 3GPP TS 33.127 and TS 33.128, ensuring interoperability between different vendor implementations. The LISSF is a foundational element for enabling lawful access in a manner that aligns with network function statelessness principles, where the compute (intercepting function) and state (LISSF) are separated for improved scalability, resilience, and operational flexibility.

Purpose & Motivation

The LISSF was introduced to address the challenges of implementing Lawful Interception in modern, cloud-native 5G networks based on service-based architectures (SBA). Previous 3GPP releases relied on integrated LI state management within individual network elements, which became complex and inefficient in a disaggregated environment with stateless network functions. The move towards microservices and containerized functions, where instances can be dynamically created and destroyed, necessitated a centralized, external state storage mechanism to ensure intercept sessions were not lost during scaling events or failures.

Its creation was motivated by the need for a standardized, resilient, and scalable approach to LI state management. Without the LISSF, each network function would need to implement its own persistent storage and synchronization mechanisms for LI data, leading to duplication, potential inconsistencies, and increased development overhead. The LISSF solves this by providing a common service, simplifying the LI logic within intercepting functions and ensuring that the state of an active interception is maintained independently of the lifecycle of any specific network function instance. This is critical for meeting regulatory obligations that require reliable and uninterrupted interception capabilities, even as the underlying network infrastructure becomes more software-defined and elastic.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (20 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 7 changes

In Release 15, the LISSF was introduced to manage the interception state, ensuring the correct interception state is maintained at triggered functions. This function is responsible for retrieving information about the current interception state from the triggered function and reporting it to the LIPF, and it may take corrective action when a discrepancy is discovered.

Missing trigger for the start of interception with established PDU session TS 33.128CR0004
Missing Stage 3 text - Start of Interception with registered UE from MDF2 TS 33.128CR0006
Missing stage 3 text - Start of Interception with established PDU session from MDF2 TS 33.128CR0007
In-bound roaming interception at anchor UPFs TS 33.128CR0010
Anchor UPF interception clarification TS 33.128CR0014
Branching UPF interception correction TS 33.128CR0015

+ 1 more changes

Rel-17 7 changes

In Release 17, the LISSF (Lawful Interception State Storage Function) enhancements focused on improving state management and reporting accuracy. Specifically, updates were made to ensure reliable LI state transfers within SMF sets and to include the time of registration or session establishment in the Start of Interception related xIRIs. These changes provided more precise triggering and reporting for interceptions initiated at the start of a UE's registration or session establishment at network functions like the AMF and SMF.

IMS: Addressing the interception due to the application of special media TS 33.127CR0119
LI state transfers in SMF sets TS 33.128CR0215
GPSI for AIC - State 2 TS 33.127CR0156
Update to start of interception with registered UE record at the AMF TS 33.128CR0253
Interception at SMF+PGW-C TS 33.128CR0354
LI state transfers in SMF sets TS 33.127CR0134

+ 1 more changes

Rel-18 2 changes

In Release 18, the LISSF (Lawful Interception State Storage Function) was enhanced to support a delegated state model for the LI_X1 interface and the capability to generate start of interception records for RCS reporting. These additions specifically empower the Lawful Interception Provisioning Function (LIPF) to manage dynamic interceptions while delegating persistent state storage, ensuring the LIPF itself does not store static or historic LI data. The new start of interception records provide a formal mechanism to initiate reporting for Rich Communication Services (RCS) upon warrant activation.

Delegated State for LI_X1 TS 33.128CR0495
Addition of Start of Interception Records for RCS reporting TS 33.128CR0610

Rel-19 4 changes

In Release 19, the LISSF (Lawful Interception State Storage Function) was enhanced with new capabilities for managing interception state, including the addition of an IP address to delegated task state. The release also introduced specific procedures for the start of interception for IMS Data Channels and for email to MMS translation scenarios, ensuring these services are properly handled within the lawful interception architecture.

Addition of IP address to delegated Task state TS 33.128CR0720
Alignment of PTC Start of Interception record TS 33.128CR0789
Solution for email to MMS translation interception TS 33.127CR0270
IMS Data Channel Start of Interception TS 33.127CR0271

Explore further

Broader topics and technologies where LISSF plays a role.

Topics

Authentication (5G-AKA, EAP)Service Based Architecture IMS & Voice (VoLTE, VoNR)MEC (Edge Computing)Lawful Intercept SMS & Messaging

Technologies

Defining Specifications

3GPP specifications that define or reference LISSF, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification	Title	Release
TS 33.127 vj50	Lawful Interception Architecture and Functions	Rel-19
TS 33.128 vj50	3GPP TS 33.128: Lawful Interception Protocols	Rel-19