The X1 X2 X3 5G interface architecture represents a fundamental evolution in lawful interception design. The arrival of 5G has brought fundamental changes to how telecommunications networks are designed, deployed, and operated. For lawful interception, these changes are equally profound. The 3GPP LI architecture for 5G introduces a new set of interfaces — X1, X2, and X3 — that replace the traditional trigger and delivery mechanisms used in previous network generations. For operators deploying 5G networks, understanding the X1/X2/X3 architecture is essential to building LI capabilities that meet regulatory requirements and function effectively in the new network environment.
This article provides a detailed explanation of the 3GPP LI architecture for 5G, focusing on the X1, X2, and X3 interfaces, their relationship to the ETSI HI interfaces, and the practical implications for operators and LI solution providers.
The X1 X2 X3 5G Architecture
The 5G core network, as defined by 3GPP, uses a service-based architecture (SBA) that is fundamentally different from the node-based architectures of 3G and 4G. Instead of dedicated network elements performing specific functions, the 5G core consists of a set of network functions (NFs) that communicate with each other through service-based interfaces. Key network functions include the Access and Mobility Management Function (AMF), the Session Management Function (SMF), the User Plane Function (UPF), and many others.
This architectural shift has significant implications for LI. In previous generations, interception was typically implemented at specific network nodes — the MSC for voice in 3G, the P-GW for data in 4G — which were well-defined points where the target’s signalling and user-plane traffic converged. In 5G, the distributed and virtualised nature of network functions means that interception must be approached differently. The 3GPP LI architecture addresses this by defining standardised interfaces between the LI system and the network functions, rather than relying on node-specific interception mechanisms.
The LI Architecture in 3GPP TS 33.127 and TS 33.128
The 3GPP LI architecture for 5G is defined primarily in two specifications: TS 33.127 (Lawful Interception architecture and functions) and TS 33.128 (Lawful Interception requirements). These specifications define the functional components of the LI system within the 5G network, the interfaces between them, and the interfaces to the law enforcement domain.
The key functional components defined in the 3GPP architecture include the LI Administration Function (LIAF), which manages interception orders and configures the LI system; the LI Internal Interception Function (LIIF), which interfaces with the network functions to trigger and capture interceptions; the LI Mediation and Delivery Functions (LI MDF), which process intercepted data and deliver it to law enforcement; and the Point of Interception (POI), which is the specific location within a network function where interception is performed.
The interfaces between these components are designated X1, X2, and X3. These interfaces are internal to the operator’s domain — they connect the LI management and delivery functions to the network functions — and are distinct from the ETSI HI interfaces, which connect the operator to the LEMF. In practice, however, there is a clear mapping between the X and HI interfaces: X1 corresponds functionally to HI1, X2 to HI2, and X3 to HI3.
X1: The Administration Interface
X1 is the administration interface between the LI Administration Function and the Points of Interception within the network functions. Through X1, the LIAF sends instructions to the POIs to activate, modify, or deactivate interceptions. The X1 interface carries the target identification parameters, the scope of the interception, and any technology-specific configuration information needed by the POI.
In the 5G architecture, X1 is implemented using a RESTful API over HTTP/2, consistent with the service-based interface model used by the 5G core. The X1 messages are encoded in JSON or XML format, and the interface uses mutual TLS authentication for security. This is a significant departure from the X1 implementations in previous network generations, which typically used proprietary or less standardised interfaces.
The X1 interface supports various target identification methods, including SUPI (Subscription Permanent Identifier), GPSI (Generic Public Subscription Identifier), PEI (Permanent Equipment Identifier), and IP addresses. The LIAF must be able to translate law enforcement target identifiers into the internal network identifiers used by the POIs, which may require interaction with subscriber management systems and identity resolution functions.
X2: The IRI Delivery Interface
X2 is the interface for delivering intercept-related information from the Points of Interception to the LI Mediation and Delivery Function. When a target’s communications trigger events at the POI — such as registration, session establishment, mobility events, or session termination — the POI generates IRI records and sends them to the LI MDF over the X2 interface.
The X2 IRI records in the 5G architecture are significantly richer than those in previous generations, reflecting the more complex signalling and session management in 5G networks. X2 records may include information about PDU (Protocol Data Unit) session establishment, QoS (Quality of Service) flow creation and modification, handover events, network slice selection, and service-specific parameters. The data structures for X2 records are defined in TS 33.128 and use both ASN.1 and JSON encoding.
The X2 interface operates in a push model — the POI generates and sends IRI records to the LI MDF as events occur, without waiting for a request. The delivery must be timely and reliable, as the IRI forms a critical part of the intercepted material delivered to law enforcement. The LI MDF receives X2 records from potentially multiple POIs across the network, correlates them, and formats them for delivery to the LEMF over the HI2 interface.
X3: The CC Delivery Interface
X3 is the interface for delivering the content of communications from the User Plane Function (UPF) to the LI Mediation and Delivery Function. When an interception is activated, the UPF duplicates the target’s user-plane traffic — IP packets carrying voice, data, messaging, and other services — and sends the duplicated traffic to the LI MDF over the X3 interface.
The X3 interface handles potentially large volumes of data, particularly for data-heavy targets. The interface must be dimensioned to handle the throughput requirements without packet loss, and the delivery mechanism must maintain the integrity and ordering of the intercepted packets. The LI MDF receives the X3 traffic, processes it as needed, and delivers it to the LEMF over the HI3 interface.
In the 5G architecture, the UPF is the primary POI for user-plane interception. However, the UPF may be deployed in different locations within the network — at the edge, in regional data centres, or in central facilities — depending on the network architecture and the services being provided. The LI system must be capable of interacting with UPFs wherever they are deployed, which may require distributed X3 collection points and centralised processing at the LI MDF.
Network slicing adds an additional dimension to X3 interception. A single target may have traffic flowing through multiple network slices, each with its own UPF instance. The LI system must identify and intercept the target’s traffic across all relevant slices, ensuring complete coverage of the target’s communications.
Relationship Between X1/X2/X3 and HI1/HI2/HI3
The X interfaces and the HI interfaces serve different but complementary roles in the overall LI architecture. The X interfaces operate within the operator’s domain, connecting the LI management and delivery functions to the network infrastructure. The HI interfaces operate at the boundary between the operator and law enforcement, defining how intercepted material is delivered to the LEMF.
The LI Mediation and Delivery Function serves as the bridge between these two interface sets. It receives X2 IRI records from the POIs, processes and formats them, and delivers the resulting ETSI-compliant IRI over the HI2 interface to the LEMF. Similarly, it receives X3 content from the UPFs, processes it, and delivers it over the HI3 interface. On the administration side, it translates HI1 interception orders from law enforcement into X1 activation messages for the POIs.
This layered architecture provides a clean separation between the internal network interception mechanisms and the external handover to law enforcement. It allows the network functions to implement interception using standardised X interfaces without needing to understand the specific requirements of the national HI interface implementation, and it allows the LI MDF to adapt between different internal and external interface versions as standards evolve.
Practical Implications for Operators
For operators deploying 5G networks, the X1/X2/X3 architecture has several practical implications. First, LI must be considered from the earliest stages of 5G network design. The POI interfaces within the network functions must be planned and provisioned, the LI MDF must be dimensioned for the expected interception volumes, and the connectivity between the POIs and the LI MDF must be established.
Second, operators must ensure that their 5G network function vendors support the X1, X2, and X3 interfaces as defined in TS 33.127 and TS 33.128. Vendor support for the LI interfaces has historically been uneven, and operators should include LI interface compliance as a requirement in their procurement specifications.
Third, the virtualised and cloud-native nature of 5G networks introduces new challenges for LI deployment. The LI MDF and POIs may need to operate in containerised environments, scale dynamically, and maintain performance and reliability across distributed deployments. Operators must ensure that their LI solutions are designed for cloud-native operation and can keep pace with the dynamic nature of the 5G network.
Conclusion
The X1/X2/X3 interfaces represent a significant evolution in the 3GPP LI architecture, reflecting the fundamental changes that 5G brings to network design and operation. X1 provides the administration channel for managing interceptions, X2 delivers the rich metadata that law enforcement needs for investigation, and X3 delivers the content of intercepted communications. Together with the ETSI HI interfaces, they form a comprehensive, layered architecture that enables lawful interception in the most advanced telecommunications networks. For operators, understanding and implementing these interfaces is essential to meeting their legal obligations and ensuring that their 5G networks support effective, compliant lawful interception capabilities.
As 5G standalone deployments accelerate, the X1 X2 X3 5G interfaces become increasingly critical. Operators must ensure their X1 X2 X3 5G implementations align with the latest 3GPP specifications.
Related Articles
For further reading on related topics, explore these articles:
- HI1 vs HI2 vs HI3: Understanding the Three Lawful Interception Interfaces
- SIPREC vs ETSI LI: What’s the Difference and When Does Each Apply?
- Network Slicing in 5G SA: How It Complicates (and Can Simplify) LI Targeting
External Resources
The following external resources provide additional context and official documentation:
