Components of Flow-Tap
This section describes the major components used in lawful intercept applications, including flow-tap.
Analyzer Device
An analyzer device is used for reporting and analyzing the captured data. The analyzer can be a hardware device separate from the mediation device, or it can be a single hardware device that integrates mediation and analyzer software. Analyzer devices are provided by outside vendors.
For testing and simulation, you can use the open source Wireshark multiplatform protocol analyzer, or similar software, in place of a vendor analyzer.
Content Destination
The content destination is the recipient of the matched packets from the monitoring device. Typically the matched packets are sent using an IP Security (IPSec) tunnel from the monitoring device to another router connected to the content destination. The content destination and the mediation device can be physically located on the same host.
Dynamic Filters
When flow-tap is configured and the LEA filters have been provisioned, the Packet Forwarding Engine automatically generates a firewall filter that is applied to all IPv4 routing instances. Each term in the filter includes a flow-tap action; when at least one of the filter terms matches an incoming packet, the router copies the packet and forwards it to the services PIC that is configured for flow-tap. The services PIC runs the packet through the client filters and sends a copy to each matching content destination.
Dynamic Flow Capture
The DFC process parses DFC configurations and performs related tasks. The DFC process (dfcd) on Juniper Networks devices can be used either for DFC or for flow-tap, but not for both at the same time.
Flow
For DFC, a flow is a unidirectional stream of IP packets that share the same Layer 3 and Layer 4 header fields (source and destination address, IP protocol, and source and destination port). Any of the Layer 3 and Layer 4 fields can be wildcarded. MPLS packets are not considered to be a flow and cannot be captured by DFC.
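The two-stage behaviour described under Dynamic Filters and the flow definition above, as an added Python model that is not Juniper code and does not reflect the actual PFE filter syntax or the services PIC implementation. A client filter is a 5-tuple in which any field may be the wildcard ANY; stage 1 copies a packet to the services PIC when at least one filter term hits, stage 2 runs the copy through every client filter and delivers one copy per distinct matching content destination (that de-duplication is an assumption of the model), and MPLS-labelled packets are never captured. The filter names, content destination names and sample packets are constructed for this example.

```python
"""Model of flow-tap dynamic filtering (added example, not Juniper code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # wildcard for any Layer 3 or Layer 4 field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    sport: Optional[int] = None  # None when the protocol has no ports
    dport: Optional[int] = None
    mpls: bool = False           # True for MPLS-labelled packets


@dataclass(frozen=True)
class ClientFilter:
    """One LEA-provisioned flow and the content destination for its copies.
    Field semantics are this model's assumption, not the DTCP/parameter file
    format."""
    content_dest: str
    src: Optional[str] = ANY     # IPv4 prefix such as "10.1.1.0/24", or ANY
    dst: Optional[str] = ANY
    proto: Optional[int] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        if pkt.mpls:                       # MPLS packets are never a DFC flow
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not ANY and ip_address(have) not in ip_network(want, strict=False):
                return False
        for want, have in ((self.proto, pkt.proto), (self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not ANY and want != have:
                return False
        return True


class FlowTap:
    def __init__(self, filters: List[ClientFilter]):
        self.filters = list(filters)
        self.copied_to_pic = 0   # packets the PFE stage copied to the services PIC

    def pfe_match(self, pkt: Packet) -> bool:
        """Stage 1: the generated PFE filter has one term per client filter;
        a hit on any term copies the packet to the services PIC."""
        return any(f.matches(pkt) for f in self.filters)

    def process(self, pkt: Packet) -> List[str]:
        """Run one packet through both stages and return the content
        destinations that receive a copy (one per distinct destination,
        an assumption of this model)."""
        if not self.pfe_match(pkt):
            return []
        self.copied_to_pic += 1
        return sorted({f.content_dest for f in self.filters if f.matches(pkt)})


# Constructed sample provisioning: two client filters, two content destinations.
TAP = FlowTap([
    ClientFilter("cd-alpha", src="10.1.1.0/24", proto=6, dport=443),
    ClientFilter("cd-bravo", dst="192.0.2.10/32"),  # all Layer 4 fields wildcarded
])

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("10.1.1.5", "192.0.2.10", 6, 40000, 443),              # hits both filters
    Packet("10.1.1.5", "198.51.100.7", 6, 40001, 80),             # hits neither
    Packet("172.16.0.9", "192.0.2.10", 17, 5060, 5060),           # hits cd-bravo only
    Packet("10.1.1.5", "192.0.2.10", 6, 40002, 443, mpls=True),   # MPLS: never captured
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", TAP.process(pkt))
    print("packets copied to services PIC:", TAP.copied_to_pic)
```

Note that the fourth sample packet is identical to the first apart from the MPLS label and is dropped by both stages, which is the behaviour a practitioner must keep in mind when a target's traffic rides an MPLS LSP through the monitoring platform.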
Mediation Device
A mediation device is a client that monitors electronic data or voice transfer over the network. It is supplied by a third-party vendor to handle the majority of the processing for LI, including providing the interface for the LI, generating requests to network devices for flow-tap applications, receiving packets that match filter criteria from a router, converting intercepted traffic into the format required by the requesting LEAs, and forwarding copies of intercepted traffic to requesting LEAs. All of this activity is unknown to the target.
Authorized personnel of an ISP communicate with a Juniper Networks routing device from a mediation device using DTCP over a secure channel (SSH). They authenticate with a user ID on the router that has the flow-tap permission bit explicitly configured, either in the CLI or through RADIUS; without that permission bit the DTCP session is refused.
Multiple mediation devices can communicate with a single Juniper device over multiple SSH sessions. The client software running at the mediation device is not provided by Juniper Networks.
Monitoring Platform
The monitoring platform processes the requests from the mediation devices, applies the dynamic filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations. The Juniper Networks monitoring platform for LI is an M Series or T Series router (except M160 routers and TX Matrix routers) with one or more Adaptive Services (AS) or MultiServices PICs configured to support the flow-tap application.
Parameter File
When the filters for flow-tap are provisioned by a Linux device, a parameter file must be supplied containing details about the flow, the traffic analyzer device location, and the new Layer 4 header details of the resultant packet. This information is interpreted by the DFC process and passed to the services PIC. For more information about the parameter file, see Table 1.
Relay Agent
A DTCP relay agent (RA) is spawned by the SSH process whenever a mediation device opens an SSH connection on the flow-tap port. The RA is responsible for authenticating the user using a RADIUS or CLI-configured list of flow-tap users. Upon successful authentication, the RA establishes a UNIX domain socket connection with the DFC process and hands over its UNIX socket side to the SSH process. At this point, the RA process ends.