SOI

Start Of Interception

Introduced in Rel-16

SOI is the standardized reference point in a 3GPP network that marks the beginning of a lawful interception data flow for authorized agencies.

Category: Security
Introduced: Rel-16
Where: Radio Access Network › NG-RAN (5G)
Specifications: 3 specs

Description

Start Of Interception (SOI) is a fundamental architectural concept defined within the 3GPP specifications for Lawful Interception (LI). It represents the precise logical point within a network node or function where the duplication of intercept-related information (IRI) and content of communication (CC) for a specific target begins. The SOI is not a physical interface but a standardized reference location that ensures consistent implementation across different vendors and network elements. Its definition is crucial for demarcating responsibilities and ensuring that the intercepted data is complete, accurate, and legally admissible.

Architecturally, the SOI sits within the Intercepting Control Element (ICE), which is the network node (e.g., MME, SMF, UPF, AMF) that performs the actual interception. When a lawful authorization is activated for a target, the ICE identifies the relevant communication sessions or events associated with that target. The SOI is the instantiation point where the ICE starts copying the designated IRI (metadata like call records, location) and CC (voice, data, messaging content) from its internal processing paths. This copied data is then formatted and delivered via the Handover Interface (HI) to the Law Enforcement Monitoring Facility (LEMF).

The role of SOI is to provide a clear and unambiguous technical definition for where interception commences. This is vital for network operators to prove compliance with legal frameworks, as it defines the scope of data collection. It ensures that interception is applied correctly only after authorization and that all required data from the point of interception onward is captured without omission. The specifications detailing SOI, such as TS 33.128, provide the framework for its implementation within various 5G network functions, including the User Plane Function (UPF) for content interception and the Access and Mobility Management Function (AMF) for intercept-related information.

Purpose & Motivation

SOI was created to address the need for a standardized, reliable, and legally defensible mechanism to initiate lawful interception within 3GPP-based mobile networks. As telecommunications became essential infrastructure, legal frameworks worldwide mandated that operators provide capabilities for lawful interception to support criminal investigations and national security. Without a standardized definition for where interception starts, implementations could vary, leading to incomplete data capture, challenges in verifying compliance, and potential legal disputes over the admissibility of evidence.

Historically, interception mechanisms were often proprietary and integrated in an ad-hoc manner. The 3GPP standardization of SOI, particularly emphasized from Release 16 onwards with the 5G system, provides a common reference that all network equipment vendors and operators must adhere to. This solves the problem of interoperability and ensures that law enforcement agencies receive a consistent format and complete data stream, regardless of the underlying network vendor. It addresses the technical and legal requirement to precisely define the moment and location of data duplication to maintain the integrity of the interception process from start to finish.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (15 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 7 changes

In Release 15, the SOI (Start of Interception) function was enhanced to address missing procedures for initiating interception on a target with an already established PDU session and for a registered UE via the MDF2. It also introduced specific support for in-bound roaming interception at anchor UPFs and clarified the handling of interception at branching UPFs, while adding the capability to report a SUCI at the start of interception.

  • Missing trigger for the start of interception with established PDU session (TS 33.128, CR0004)
  • Missing Stage 3 text - Start of Interception with registered UE from MDF2 (TS 33.128, CR0006)
  • Missing stage 3 text - Start of Interception with established PDU session from MDF2 (TS 33.128, CR0007)
  • In-bound roaming interception at anchor UPFs (TS 33.128, CR0010)
  • Anchor UPF interception clarification (TS 33.128, CR0014)
  • Branching UPF interception correction (TS 33.128, CR0015)

+ 1 more change

Rel-16 1 change

In Release 16, the SOI function was enhanced by introducing Packet Flow Description (PFD) management triggers for the start and end of a flow as a new interception criterion. This allowed the lawful interception architecture to use PDSR (Packet Flow Description Service Request) events to initiate and conclude interception for specific data flows. The specification ensured these triggers were integrated into the existing provisioning procedures between the ADMF, LIPF, and interception points.

  • PDSR triggers for start and end of flow (TS 33.128, CR0120)

Rel-17 3 changes

In Release 17, the Start Of Interception (SOI) function was enhanced to include the capture of the time of registration or session establishment within the related xIRIs. Furthermore, updates were specified for the start of interception when a registered UE record is present at the AMF, and interception capabilities were explicitly defined for the SMF+PGW-C node.

  • Update to start of interception with registered UE record at the AMF (TS 33.128, CR0253)
  • Interception at SMF+PGW-C (TS 33.128, CR0354)
  • Time of registration/session establishment in Start of Interception related xIRIs (TS 33.128, CR0334)

Rel-18 2 changes

In Release 18, the SOI (Start of Interception) function was enhanced with the addition of new reporting records. Specifically, the release introduced Start of Interception records for the Unified Data Management (UDM) function and for Rich Communication Services (RCS) reporting. These additions provide new, standardized event notifications for the activation of an interception at these specific points within the network architecture.

  • Addition of UDM Start of Intercept and De-Reg Records (TS 33.128, CR0428)
  • Addition of Start of Interception Records for RCS reporting (TS 33.128, CR0610)

Rel-19 2 changes

In Release 19, the Start of Interception (SOI) function was updated to include the alignment of the PTC (Packet Traffic Control) Start of Interception record and to introduce a new IMS Data Channel Start of Intercept procedure. These changes ensure the standardized generation and delivery of interception product for these specific service types, aligning with the internal and external handover interfaces defined for lawful interception. The updates provide precise targeting and data format specifications for these interception points within the 3GPP network architecture.

  • Alignment of PTC Start of Interception record (TS 33.128, CR0789)
  • IMS Data Channel Start of Intercept (TS 33.128, CR0703)

Defining Specifications

3GPP specifications that define or reference SOI, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 33.128 vj50 | 3GPP TS 33.128: Lawful Interception Protocols | Rel-19
TR 38.820 vg10 | NR; 7-24 GHz Frequency Range Study | Rel-16
TR 38.877 vi10 | Technical Report | Rel-18