Overview of Lawful Intercept Using Flow-Tap
This document explains flow-tap configuration, testing, and basic troubleshooting on Juniper Networks M Series Multiservice Edge Routers and Juniper Networks T Series Core Routers using Juniper Networks Junos® Platform configuration commands and third-party scripts. Flow-tap is the Junos OS application used for performing lawful intercept of targeted packet flows.
Lawful intercept (LI) is a process for obtaining communications network data related to an individual (a target), as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to explicitly support authorized electronic surveillance on their networks to facilitate the interception of telecommunications by law enforcement agencies (LEAs), regulatory or administrative agencies, and intelligence services, in accordance with local law.
The Junos operating system uses the flow-tap application to dynamically capture network flows as required for lawful intercept. Dynamic Tasking Control Protocol (DTCP) is the basis of the dynamic flow capture (DFC) feature in the Junos OS. DFC uses DTCP requests to capture packet flows based on dynamic filtering criteria.
The flow-tap application extends the use of DTCP and DFC to intercept IPv4 packets in an active monitoring router, and sends a copy of packets that match filter criteria to one or more content destinations, including mediation devices and traffic analyzers.
Flow-tap is supported on Juniper Networks M Series and T Series routers, with the exception of the M160 routers and the TX Matrix routers.
Note: More information regarding DTCP can be found in the Internet draft draft-cavuto-dtcp-00.txt, DTCP: Dynamic Tasking Control Protocol, at http://www.ietf.org/internet-drafts.
Primary Requirements for Lawful Intercept
The primary requirements for a Juniper Networks (or any vendor’s) device to participate in lawful intercept include:
- It must provide an interface and mechanism by which a mediation device can connect to the routing device and request a copy of packets sent to and from an intended target, based on the Layer 3 and Layer 4 parameters of the packet flow.
- It must maintain separation of different LEAs on the device. If multiple agencies are requesting LI action on the same device or for the same target, the agencies must not be aware of each other’s presence, and they must not be able to see each other's LI configuration and status.
- The configuration for deciding which packet flow to capture (the identity of the target) and the intercept function on the router must be visible only to authorized personnel.
- The intended target of the LI interception must not be aware of the interception.
- A mediation device is required to simulate and test the interception application (flow-tap). The mediation device can be a Linux server with SSH capabilities.
Flow-Tap Features
These are the major features of Junos OS flow-tap:
- Flow-tap uses DTCP protocol for communication between a mediation device and a network device (router).
- LEA filters installed by one flow-tap user are not visible to another flow-tap user. This maintains separation between LEA users.
- The flow-tap function is applied on all IPv4 routing instances; therefore, all traffic passing through those instances is subject to monitoring. The intercept function does not create any perceptible delay in forwarding the packets.
- The flow-tap configuration on the device does not reveal the identity of the monitored target. However, the services Physical Interface Card (PIC) running the flow-tap service is visible to all users on the routing device.
- Flow-tap and the DFC feature cannot both be configured on the router at the same time; if attempted, the configuration will fail to commit.
- Only one instance of the flow-tap service is supported per chassis; therefore, only one services PIC in the chassis can be used for flow-tap.
- For flow-tap, a services PIC supports a total limit of 20 Kpps ingress and 20 Kpps egress traffic, assuming 256 bytes per packet. Carefully select the match conditions in the LEA filter so that these limits are not exceeded when traffic comes from a high-speed interface. Ensure that only necessary traffic will be sent by the Packet Forwarding Engine firewall filter to the services PIC.
- Flow-tap supports up to 20 filters per chassis. Because monitoring a user's bidirectional traffic requires one filter per direction, each chassis can monitor the bidirectional traffic of at most 10 users.
- Junos OS does not support flow-tap for VPLS and MPLS protocol packets, and support for IPv6 protocol packets is only available in Junos OS version 10.1R1 and later.
- Graceful Routing Engine switchover can be configured, but upon switchover, the services PIC and the DFC process restart and all LEA filters are lost. If this occurs, the mediation device is expected to replay the LEA filters to the router.
- Target packets are those that match the LEA filters. Each target packet is encapsulated with an IP/UDP header and then sent from the services PIC to a content destination. If target packets need high queuing priority while being forwarded, an input filter should be configured in the CLI on the logical interface of the services PIC on which flow-tap is configured; unlike the LEA filters, this input filter is visible to all users.
- Client tools running on the mediation device are not provided by Juniper Networks.