SX3LIF

Split X3 LI Interworking Function

Security
Introduced in Rel-14
A functional entity that enables lawful interception (LI) in networks with a split architecture, specifically between the Control Plane (CP) and User Plane (UP). It acts as an intermediary, collecting and correlating interception-related information from both planes and delivering it to law enforcement agencies as mandated by regulations.

Description

The Split X3 LI Interworking Function (SX3LIF) is a standardized network function introduced to support Lawful Interception (LI) in modern 3GPP architectures where the control and user planes are separated, such as in 5G Core (5GC) with its Service-Based Architecture (SBA). Its primary role is to act as a mediation and delivery function that interfaces with both the Control Plane (CP) and User Plane (UP) network functions to gather interception-related information (IRI) and content of communication (CC). The SX3LIF is defined in specifications such as 29.244 (for the protocol) and 33.107 (for the overall LI architecture and requirements). It essentially implements the X3 interface in a split architecture context.

Architecturally, the SX3LIF sits within the network operator's domain, interfacing on one side with the CP functions (like the SMF or AMF) and UP functions (like the UPF), and on the other side with the Law Enforcement Monitoring Facility (LEMF). It receives interception triggers and data via internal interfaces (e.g., from the SMF over a service-based interface or from the UPF over the N4 interface). The SX3LIF is responsible for correlating the IRI (metadata about the communication, such as identities, time, and location) received from the CP with the corresponding CC (the actual voice, data, or signaling content) received from the UP. This correlation is crucial for providing a complete intercept record to the LEMF.

Operationally, upon activation of a lawful interception warrant for a target identity, the relevant CP function is configured to report IRI to the SX3LIF. Concurrently, the SX3LIF instructs the relevant UP function to duplicate and forward the target's user plane traffic (CC). The SX3LIF then formats, packages, and encrypts this combined information according to standardized formats (like ETSI standards) and delivers it securely over the standardized X3 interface to one or more LEMFs. It handles administrative functions such as managing multiple simultaneous intercepts, maintaining secure associations, and ensuring the reliable and sequence-preserving delivery of intercepted data, all while maintaining the secrecy of the interception act.

Purpose & Motivation

The SX3LIF was created to address the specific challenges of implementing lawful interception in next-generation networks that employ control and user plane separation (CUPS). Traditional monolithic network architectures had integrated LI capabilities, but the decoupling of CP and UP in architectures like 5GC and evolved EPC introduced a technical gap. In a split architecture, the IRI and CC are generated and available in different logical nodes (CPF and UPF), requiring a dedicated function to collect, correlate, and deliver this disjointed information.

Its introduction in Release 14 was driven by regulatory compliance requirements that mandate network operators to provide LI capabilities, regardless of the underlying network architecture. The SX3LIF solves the problem of how to efficiently and standardly mediate between the new, disaggregated network functions and the existing, standardized LI handover interfaces (like X3). It ensures that law enforcement agencies continue to receive a consistent, correlated stream of interception data without needing to understand the internal split of the operator's network, thereby future-proofing LI capabilities for cloud-native and software-defined networks.

Key Features

  • Correlates Interception Related Information (IRI) from Control Plane with Content of Communication (CC) from User Plane
  • Implements the standardized X3 interface towards Law Enforcement Agencies
  • Supports activation and management of intercepts in a CUPS (Control and User Plane Separation) architecture
  • Handles secure, reliable, and sequence-preserving delivery of intercepted data
  • Interworks with both service-based (e.g., SMF) and packet-forwarding (e.g., UPF) network functions
  • Manages multiple concurrent intercepts and associated administrative functions

Evolution Across Releases

Rel-14 Initial

Introduced the SX3LIF to support Lawful Interception in networks with Control and User Plane Separation (CUPS). Defined its fundamental role as an interworking function that collects IRI from CP functions and CC from UP functions, correlates them, and delivers the combined data over the X3 interface to the LEMF.

TS 29.244TS 33.107

Defining Specifications

SpecificationTitle
TS 29.244 3GPP TS 29.244
TS 33.107 3GPP TR 33.107