[an error occurred while processing this directive][an error occurred while processing this directive]

Example: IPv6 Support for FlowTapLite

This example describes how to configure IPv6 support for FlowTapLite on an M120 router with Enhanced III FPCs. The configuration of FlowTapLite is similar on an M320 router and an MX Series router with Enhanced III FPCs. However, because the MX Series routers do not support Tunnel Services PICs, you configure a DPC and the corresponding Packet Forwarding Engine to use tunneling services at the [edit chassis] hierarchy level.

With JUNOS Release 10.1, the FlowTapLite service supports lawful interception of IPv6 packets; previously only interception of IPv4 packets was supported. The intercepted packets are sent to a content destination, while the flow of original packets to the actual destination is unaffected.

A mediation device installs dynamic filters on the router (or server) by sending DTCP requests. These filters include the quintuple information (source address, destination address, source port, destination port, and protocol) about the intercepted flows and the details (IP addresses and port information) of the content destination.

Below is an example of such a filter:

ADD DTCP/0.8
Csource-ID: ftap
Cdest-ID: cd1
Source-Address: 7234:5678:ABCD:EF12:3456:78AB:ABC8:1235/112
Dest-Address: affe::1:1
Source-Port: 1234
Dest-Port: 2345
Protocol: *
Priority: 2
X-JTap-Input-Interface: ge-2/0/1
X-JTap-Cdest-Dest-Address: 6.3.4.5
X-JTap-Cdest-Dest-Port: 2300
X-JTap-Cdest-Source-Address: 208.223.208.9
X-JTap-Cdest-Source-Port: 65535
X-JTap-Cdest-TTL: 255
X-JTap-IP-Version: ipv6
Flags: STATIC

Following are descriptions of the parameters in the dynamic filter:

  • Csource-ID—The username configured in the router at the [edit system login user] hierarchy level.
  • Cdest-ID—The content destination identifier.
  • Source-Address, Dest-Address Source-Port, Dest-Port, Protocol—Parameters that determine which packet flows need to be intercepted.
  • X-JTap-Input-Interface—The interface through which the actual flows are coming into the router. Depending on the type of filters installed, the value in this field can include the following: X-JTap-Output-Interface to install output interface filters; X-JTap-VRF-NAME to install VRF filters; and to install global filters, no parameters are specified.
  • X-JTap-Cdest-Dest—All parameters that start with this string specify different parameters associated with the content destination.
  • X-JTap-IP-Version–Differentiates between IPv6 and IPv4 filters.

From the Packet Forwarding Engine console, you can verify that the filters are installed and working correctly.

This example describes how to configure IPv6 support for FlowTapLite on an M120 router:

Requirements

This example uses the following hardware and software components:

  • JUNOS Release 10.1 or later
  • M120 router with a tunnel (vt) interface

Before you configure IPv6 FlowTapLite on your router, be sure you have:

  • A tunnel PIC that is up
  • A connection from the router to the mediation device and the content destination
  • Traffic flow to and from the router

Overview and Topology

Figure 1 shows the FlowTapLite configuration for one M120 router to lawfully intercept packets.

Figure 1: FlowTapLite Topology

Image g003149.gif

In this example, the IPv6 packets enter the Packet Forwarding Engine and, depending on the filters installed, a new flow is created for the intercepted packets while the original packets are forwarded normally. The new flow is rerouted through the tunnel PIC back to the Packet Forwarding Engine for a route lookup, and then on to the content destination.

Configuration

To configure IPv6 FlowTapLite on an M120 router, perform these tasks:

CLI Quick Configuration

To quickly configure IPv6 FlowTapLite, copy the following commands and paste them into the CLI:

set system login class flowtap permissions flow-tap-operation
set system login user ftap uid 2000
set system login user ftap class flowtap
set system login user ftap authentication encrypted-password "xxxxxx"
set system services flow-tap-dtcp ssh
set interfaces vt-4/0/0 unit 0 family inet
set interfaces vt-4/0/0 unit 0 family inet6
set services flow-tap tunnel-interface vt-4/0/0.0

Configuring User Credentials

Step-by-Step Procedure

The username and password configured here are used by the mediation device when connecting and sending out DTCP requests.

  1. Define a login class called flowtap:

    [edit system]
    user@router# set login class flowtap permissions flow-tap-operation
  2. For the meditation device, configure a user called ftap with a unique identifier (UID):

    [edit system]
    user@router# set login user ftap uid 2000
  3. Apply the flowtap class to the ftap user:

    [edit system]
    user@router# set login user ftap class flowtap
  4. Configure the password used by the mediation device:

    [edit system]
    user@router# set login user ftap authentication encrypted-password xxxxxx
  5. Commit the configuration:

    [edit system]
    user@router# commit

Configuring the Tunnel Interface for FlowTapLite

Step-by-Step Procedure

You can add an extra level of security to DTCP transactions between the mediation device and the router by enabling DTCP sessions on top of the SSH layer.

  1. Configure SSH from the [edit system] hierarchy level:

    [edit system]
    user@router# set services flow-tap-dtcp ssh
  2. Commit the configuration:

    [edit system]
    user@router# commit

Configuring the Logical Tunnel Interface

Step-by-Step Procedure

  1. Configure the logical interface and assign it to the dynamic flow control process (dfcd) at the [edit interfaces] hierarchy level:

    [edit interfaces]
    user@router# set vt-4/0/0 unit 0 family inet
  2. Include the mandatory inet6 statement:

    [edit interfaces]
    user@router# set vt-4/0/0 unit 0 family inet6
  3. Commit the configuration:

    [edit interfaces]
    user@router# commit

Configuring FlowTapLite

Step-by-Step Procedure

  1. Include the flow-tap statement and the tunnel interface at the [edit services] hierarchy level:

    [edit services]
    user@router# set flow-tap tunnel-interface vt-4/0/0.0
  2. Commit the configuration:

    [edit services]
    user@router# commit

Results

Check the results of the configuration:

[edit]
user@router-re0# show
system {
    [...Output Truncated...]
    login {
        class flowtap {
            permissions flow-tap-operation;
        }
        user ftap {
            uid 2000;
            class flowtap;
            authentication {
                encrypted-password "xxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        telnet;
        flow-tap-dtcp {
            ssh;
        }
    }
}
interfaces {
    vt-4/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
[...Output Truncated...]
services {
    flow-tap {
        tunnel-interface vt-4/0/0.0;
    }
}

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verifying That the Router Received the Filter Request

Purpose

After the mediation device sends the filters to the router, the mediation device must receive a message from the router confirming that the router has received the filter request.

Action

Check that the mediation device has received a message similar to the one below:

DTCP/0.8 200 OK
SEQ: 1
CRITERIA-ID: 1
TIMESTAMP: 2009-09-29 06:12:05.725
AUTHENTICATION-INFO: 55f9dc3debd3c7356951410f165f2a9cc5606063

Meaning

The message above is an example of a successfully received filter request.

Checking That Filters Are Installed and Working on the Router

Purpose

Action

Use the show filter and the show filter index commands to check that filters are installed:

ADPC2(diving vty)# show filter
Program Filters:
---------------
   Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------
       1     104       0      20      20  __default_bpdu_filter__
   17000      52       0       4       4  __default_arp_policer__
  	57007     104     144      16      16  __flowtap_inet__
   65280      52       0       4       4  __auto_policer_template__
   65281     104       0      16      16  __auto_policer_template_1__
   65282     156       0      32      32  __auto_policer_template_2__
   65283     208       0      48      48  __auto_policer_template_3__
   65284     260       0      64      64  __auto_policer_template_4__
   65285     312       0      80      80  __auto_policer_template_5__
   65286     364       0      96      96  __auto_policer_template_6__
   65287     416       0     112     112  __auto_policer_template_7__
   65288     468       0     128     128  __auto_policer_template_8__
37748736     156     144      80      80  __ftaplite_filter__ifl__70__out__ipv6_
37748737     156     144      80      80  __ftaplite_filter__vrf__4__in__ipv6_
37748738     156     144      80      80  __ftaplite_filter__ifl__71__in__ipv6_
37748739     156     144      80      80  __ftaplite_filter__vrf__0__in__ipv6_

ADPC2(diving vty)# show filter index 37748738 counters    
Filter Counters/Policers:
   Index               Packets                 Bytes  Name
--------  --------------------  --------------------  --------
37748738               8851815             601923420  __ftaplite_term_ftap_3___counter

Meaning

The last four filters in the output for the show filter command above are the filters installed on the Packet Forwarding Engine. The show filter index command shows a non-zero packet count, indicating that the packets are hitting the filter.

Sending a List Request

Purpose

To verify that the correct filters are installed in the Packet Forwarding Engine.

Action

Use client software to send a list request to the Packet Forwarding Engine. In your list request, you can include the following three parameters individually or together: CSource-Id, CDest-ID, and Criteria-ID. With all requests, you must include the CSource-Id. Below is an example of a list request using the CSource-Id:

LIST DTCP/0.8
Csource-ID: ftap1
Flags: Both

Below is an example of a response:

DTCP/0.8 200 OK
SEQ: 51
TIMESTAMP: 2009-10-04 07:56:43.003
CRITERIA-ID: 1
CSOURCE-ID: ftap1
CDEST-ID: cd1
CSOURCE-ADDRESS: 10.209.152.15
FLAGS: Static
AVERAGE-BANDWIDTH: 0
MATCHING-PACKETS: 0
MATCHING-BYTES: 0
NUM-REFRESH: 0
LAST-REFRESH: 2009-10-04 07:54:30.870
X-JTAP-INPUT-INTERFACE: ge-2/1/1.0,ge-2/1/1.1,ge-2/1/1.2
SOURCE-ADDRESS: 40.0.0.1
DEST-ADDRESS: 50.0.0.1/32
SOURCE-PORT: 1000
DEST-PORT: 2000
PROTOCOL: 17
X-JTAP-CDEST-DEST-ADDRESS: 212.25.99.81
X-JTAP-CDEST-DEST-PORT: 8001
X-JTAP-CDEST-SOURCE-ADDRESS: 208.223.208.9
X-JTAP-CDEST-SOURCE-PORT: 34675
X-JTAP-CDEST-TTL: 64
CRITERIA-NUM: 1
CRITERIA-COUNT: 1
AUTHENTICATION-INFO: 0f49ff600a3d8d7d312c5031f74cc17540bc9200

You can also delete the request. Below is an example of a delete request:

DELETE DTCP/0.8
Csource-ID: ftap
CDest-ID: cd1
Flags: STATIC

Published: 2010-04-15

[an error occurred while processing this directive]