Configuring Flow-Tap Services for Lawful Intercept
This section includes the following topics:
- Requirements For Establishing a Flow-Tap Session
- Flow-Tap Topology
- Configuring Flow-Tap Services
- Flow-Tap Configuration on Juniper Networks Router
Requirements For Establishing a Flow-Tap Session
The following steps are required to establish a flow-tap session for lawful intercept:
- The law enforcement agency (LEA) obtains a court warrant to capture packets to and from the intended target and provides it to the authorized user at the Internet service provider (ISP).
- Using a mediation device administered by LEA, an authorized user issues a DTCP request over SSH to the routing device to add a flow-tap filter for the targeted flow. The selected flow is known only to the LEA administrator of the mediation device.
- At the router, the DTCP request is handed over to the DFC process on the Routing Engine. The DFC process takes appropriate actions, which typically include:
- Issuing a request to the firewall process on the Routing Engine to add the filter to the Packet Forwarding Engine.
- Issuing a request to the services PIC to run a flow-tap service and add the filter to its software state.
- The services PIC appends an IP/UDP header onto matched packets and sends the appended packets to any mediation devices that have matching filters for that traffic.
Flow-Tap Topology
An example of flow-tap topology is shown in Figure 1. The architecture in the example consists of two mediation devices, each from a different agency, that send requests to a Juniper Networks router to monitor incoming data and forward any packets matching specific filter criteria to one or more content destinations.
A services PIC runs the flow-tap service and conveys flow-tap filters from the mediation devices to the router over an SSH channel. The filters are automatically installed in the services PIC and in the Packet Forwarding Engine, and are applied on all IPv4 traffic. The services PIC receives packets matching the filters from the Packet Forwarding Engine, appends an IP/UDP header, and sends the filtered packets to the content destination specified for each LEA.
The original packets are forwarded to their intended destination, with no perceptible delay from the flow-tap interception, and with no knowledge of the interception by the intended target or by any other clients that may also be applying flow-tap filters to this or any other targeted flow.
Figure 1: Flow-Tap Topology

Configuring Flow-Tap Services
In the Junos OS, the flow-tap application creates firewall filters and pushes them to all the active Packet Forwarding Engines. This method captures the matching flows occurring in any interface and any Packet Forwarding Engine and sends the flow to the services PIC. The services PIC constructs a new IP header, using the details in the parameter file.
Use the following steps to perform basic configuration of flow-tap:
- Configure flow-tap services by including the flow-tap statement at the [edit services] hierarchy level:

Note: Other statements are configured at the [edit interfaces] and [edit system] hierarchy levels.

flow-tap {
    interface interface-name;
}
- Configure a services PIC interface by including the interface statement at the [edit services flow-tap] hierarchy level. You can assign any AS or MultiServices PIC in the active monitoring router for flow-tap service, and use any logical unit on the PIC:
interface sp-fpc/pic/port.unit-number;
- You must also configure the logical interface at the [edit interfaces] hierarchy level:
sp-fpc/pic/port {
    unit logical-unit-number {
        family inet;
    }
}
- Configure flow-tap DTCP by including the flow-tap-dtcp statement at the [edit system services] hierarchy level. This enables DTCP sessions on top of the SSH layer, providing authentication and privacy for LI flow-tap users. The flow-tap-dtcp service can only be used by those who have the flow-tap-operation permission bit set in their login class and in the RADIUS server.

Note: You cannot configure dynamic flow capture (DFC) and flow-tap features on the same router simultaneously.
In the following DTCP configuration, connection-limit is the maximum number of allowed connections (default = 75) and rate-limit is the maximum number of connections per minute (default = 150).
system {
    services {
        flow-tap-dtcp {
            ssh {
                connection-limit 5;
                rate-limit 5;
            }
        }
    }
}
- Configure client permissions for viewing and modifying flow-tap configurations and for receiving targeted traffic by including the permissions statement at the [edit system login class class-name] hierarchy level:
permissions [permissions];
The permissions options available to use flow-tap features are:
flow-tap---Can view flow-tap configuration
flow-tap-control---Can modify flow-tap configuration
flow-tap-operation---Can tap flows
- Specify RADIUS server user permissions for flow-tap by using the defined attribute Juniper-User-Permissions. This attribute lets the RADIUS server match flow-tap permission bits to those specified in RADIUS or in a local user's login class. The permission bits are read by the Junos OS on the router.
When using the RADIUS method of specifying permission bits, the bit granting permission to LI does not need to be on the Juniper device, so anyone looking at the configuration on the Juniper device can neither see nor guess who the LI users are.
For example, a RADIUS user entry that grants the tap permission looks like this:
Bob Auth-Type := Local, User-Password == "abc123"
    Juniper-User-Permissions = "flow-tap-operation"
Then, if the RADIUS server returns:
Juniper-User-Permissions = "flow-tap-operation configure"
and the user's login class in the configuration specifies permission for:
[admin system]
then the user effectively has this permission:
[flow-tap-operation configure admin system]
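As an added illustration (not code from the page or from Junos OS) of how the RADIUS attribute and the local login class combine, the following Python models the union shown above, gates a DTCP session on the flow-tap-operation bit, and audits a login stanza for classes that would reveal LI users locally. The RADIUS reply, the login stanza and class names such as lea-user are constructed for the example.

```python
import re

# Constructed sample inputs (not from the page): one RADIUS reply attribute and a
# Junos [edit system login] stanza. Class names such as lea-user are hypothetical.
RADIUS_REPLY = 'Juniper-User-Permissions = "flow-tap-operation configure"'
SAMPLE_LOGIN = """
login {
    class lea-user { permissions [ admin system ]; }
    class li-local { permissions [ flow-tap-operation ]; }
    class viewer { permissions flow-tap; }
}
"""
FLOW_TAP_BITS = {"flow-tap", "flow-tap-control", "flow-tap-operation"}

def parse_radius_permissions(reply):
    """Return the space-separated bits carried in a Juniper-User-Permissions attribute."""
    m = re.search(r'Juniper-User-Permissions\s*=\s*"([^"]*)"', reply)
    return set(m.group(1).split()) if m else set()

def parse_login_classes(stanza):
    """Map each login class name to the bits in its 'permissions' statement."""
    classes = {}
    for name, body in re.findall(r'class\s+(\S+)\s*\{([^}]*)\}', stanza):
        # Accept both 'permissions [ a b ];' and the single-bit form 'permissions a;'
        m = re.search(r'permissions\s*(?:\[([^\]]*)\]|(\S+?))\s*;', body)
        classes[name] = set((m.group(1) or m.group(2)).split()) if m else set()
    return classes

def effective_permissions(reply, stanza, class_name):
    """Junos OS unions the RADIUS-supplied bits with the user's local login class."""
    local = parse_login_classes(stanza).get(class_name, set())
    return parse_radius_permissions(reply) | local

def may_open_dtcp_session(perms):
    """flow-tap-dtcp over SSH is usable only by users holding flow-tap-operation."""
    return "flow-tap-operation" in perms

def classes_exposing_li(stanza):
    """Audit: local classes whose config reveals LI roles that RADIUS could hold instead."""
    return sorted(n for n, bits in parse_login_classes(stanza).items() if bits & FLOW_TAP_BITS)
```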
Flow-Tap Configuration on Juniper Networks Router
The following shows an example flow-tap configuration on a Juniper Networks router: