Title: How I Implemented a CALEA Solution (With Juniper JUNOS)

Draft Version: 0.1.1

Service: Flow-Tap, IPSec and Dynamic Tasking Control Protocol (DTCP)

Operating System: Juniper JUNOS 8.2R2.4

Draft Date: 11/15/2007     Jeff Neuffer Jr.     jneufferjr@gmail.com

Last Updated: $Id: calea_junos_implementation.html 81 2012-12-22 04:01:26Z jneuffer $

As of right now... flow-tap does not work if the ip-sec tunnel to the mediation device is configured on the same router. From what I understand, this is supposed to be fixed down the road, but as of now this issue renders this solution useless.

This issue was discovered during testing. Only after working with JTAC was it learned that the issue existed.

arrow up contents arrow up top of page

Preamble

These are my notes from how I implemented CALEA capabilies on a Juniper Networks router.

During the last several months I did not have a readily available resource (of any type, human or document) which explained how to take the existing IP network I manage and re-engineer it to provide CALEA intercept capabilities.

I would like to stress that there is a difference between a basic packet capture with a protocol analyzer and a purpose built intercept mechanism; whether that mechanism be an appliance or daughter-card installed into a router chassis. Intercept depth and duration can very per intercept warrant.

Let me say now that I am very open to construtive critism. I do not know everything, and do not imply nor suggest such. Please send your correction, suggestion or comment.

There are several facets to CALEA and this document only covers the IP aspect from a narrow point of view, mine. Please see the referecne section for links to Internet destinations concerning CALEA.

The content in this document is NOT indended to explain all the aspects of CALEA, which I know I can not possibly do anyway, nor is it trying to present a complete definition of all CALEA components.

The most current version of this document may be found at http://www.unixadmin.cc/calea/

Creative Commons License
Except where otherwise noted, unixadmin.cc/calea/ site content is licensed under a Creative Commons Attribution 3.0 License off site link.
Please provide the following attribution if you copy or distribute the contents of this document in whole or part:
"Originial content by Jeff Neuffer Jr (jneufferjr@gmail.com) located at http://www.unixadmin.cc/calea/"

arrow up contents arrow up top of page

Abstract

The following example has been applied to multiple autonomous system edge routers, however the example in this document will show a single router.

The following definitions are used...

  • AS: Autonomous System
  • Hair-pin IP flows: Traffic that originates and terminates on the same router. Traffic does not traverse the network outside of this physical chassis.
  • DTCP: Dynamic Tasking Control Protocol, Intercept Commands issued via DTCP
  • NE: Network Element, in this case my router
  • Entities
    • TTP: Trusted Third Party
    • NETOP: Network Operator (my employer/me)
  • IKE Security Association End Point (AKA IPSec Gateway):
    • TTP IKE security-association: 123.123.123.123/32
    • NETOP IKE security-association: 100.100.100.100/32
  • IPSec Security Association (what qualifies to be sent over the IPSec tunnel):
    • TTP IPSec Encryption Domain: 2.2.2.0/27
    • NETOP IPSec Encryption Domain: 100.100.100.101/32
  • SSH End Point
    • TTP Mediation Device: 2.2.2.2.2
    • NETOP NE: 100.100.100.101/32

The NETOP has contracted with a TTP.

The TTP demands the type of VPN be that of a Lan-2-Lan/Site-2-Site only.

All physical interfaces on the NE are public.

NE is used soley for IP transit to and from the Internet.

The NE has full BGP routes from it's eBGP and iBGP peers.

The NE has an AS-II PIC installed.

DTCP is tunneled via an SSH connection.

IPSec tunnels are used to transport the SSH protocol.

IPSec tunnels are used to transport the intercepted data back to the TTP's mediation device.

IPSec tunnels are terminated directly to the NE.

SSH connections are terminated directly to the NE.

DTCP and SSH are considered control plain operations in this document.

IPSec is considered the data plain in this document.

arrow up contents arrow up top of page

Router Diagram

Click to enlarge

router diagram

arrow up contents arrow up top of page

Flow-Tap Configuration

These are the additional commands I added to my existing configuration.


system {
    login {
        class ft-class {
            permissions [ flow-tap flow-tap-control flow-tap-operation ];
        }
        user ft-ttp {
            uid 2200;
            class ft-class;
            authentication {
                encrypted-password "password_for_ft-ttp";
            }
        }
    services {
        flow-tap-dtcp {
            ssh {
                connection-limit 5;
                rate-limit 5;
            }
        }
    }
}
chassis {
    fpc 0 {
        pic 3 {
            adaptive-services {
                service-package layer-3;
            }
        }
    }
}
interfaces {
    sp-0/3/0 {
        unit 0 {
            description "For Flow-Tap";
            family inet;
        }
    }
}
services {
    flow-tap {
        interface sp-0/3/0.0;
    }
}
    

arrow up contents arrow up top of page

IPSec Configuration

Setup IPSec

Firewall filters need to permit the following protocol/port values:
TCP/32001 (SSH)
UDP/1814 (DTCP)
ESP (IPSec)


interfaces {
    sp-0/3/0 {
        unit 1 {
            description "For IPSec TTP";
            family inet;
            service-domain inside;
        }
        unit 2 {
            description "For IPSec TTP";
            family inet;
            service-domain outside;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* this address was already present and is primary */
                address 100.100.100.101/32 {
                    primary;
                }
                /* this address was added just for the VPN */
                address 100.100.100.100/32;
            }
        }
    }
}


routing-options {
    static {
        /* 2.2.2.0/27 is a TTP-CALEA related prefix */
        route 2.2.2.0/27 next-hop sp-0/3/0.1;
    }
}


services {
    service-set IPSEC-TTP-Company-1 {
        next-hop-service {
            inside-service-interface sp-0/3/0.1;
            outside-service-interface sp-0/3/0.2;
        }
        ipsec-vpn-options {
            local-gateway 100.100.100.100;
        }
        ipsec-vpn-rules To-TTP-Company;
    }
    ipsec-vpn {
        rule To-TTP-Company {
            term 1 {
                from {
                    source-address {
                        100.100.100.101/32;
                    }
                    destination-address {
                        2.2.2.0/27;
                    }
                }
                then {
                    remote-gateway 123.123.123.123;
                    dynamic {
                        ike-policy 123_123_123_123;
                        ipsec-policy dynamic-policy-1;
                    }
                }
            }
            match-direction input;
        }
        ipsec {
            proposal dynamic-1 {
                description "Mimick TTP Company Phase 2";
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy dynamic-policy-1 {
                proposals dynamic-1;
            }
        }
        ike {
            proposal proposal-1 {
                description "Mimick TTP Company Phase 1";
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy 123_123_123_123 {
                mode main;
                proposals proposal-1;
                pre-shared-key ascii-text "a_password_here";
            }
        }
    }
}
    

Verify IPSec

Verify the IPSec tunnels by manually generating some traffic.


operator@router> ping source 100.100.100.101 2.2.2.2


operator@router> show services ipsec-vpn ike security-associations
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
123.123.123.123 Matured       2d79657b04657b2f  9a5223ce9a529048  Main


operator@router> show services ipsec-vpn ipsec security-associations
Service set: IPSEC-TTP-Company-1, IKE Routing-instance: default

  Rule: To-TTP-Company, Term: 1, Tunnel index: 1
  Local gateway: 100.100.100.100, Remote gateway: 123.123.123.123
  IPSec inside interface: sp-0/3/0.1, Tunnel MTU: 1500
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   4075957595  0           tunnel     dynamic  ESP
    outbound  3306433064  0           tunnel     dynamic  ESP
    

arrow up contents arrow up top of page

Miscellaneous Notes

Coverage of the IP Network

I work for a small ISP; at the time this document was drafted, the IP coverage of this solution is roughly 80% to 90% converage. The setup used in this document is applied at the AS edge which should explain why 100% IP converage is not realized. "Hair-pin" IP flows are not accounted for and neither are inter-AS IP flows.

arrow up contents arrow up top of page

Appendix - References and Credits
References:
  1. Trademarks Related: JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
  2. JUNOS 8.2 - Flow-Tap Configuration Guidelines
  3. JUNOS 8.2 - IPSec Services Configuration Guidelines
  4. http://www.fcc.gov/calea/
  5. http://www.askcalea.net/
  6. http://www.opencalea.org/
  7. http://www.nanog.org/mtg-0006/calea.html - Impact of CALEA on Network Operators
  8. http://www.tiaonline.org/standards/technology/calea/
  9. RFC2804 - IETF Policy on Wiretapping
  10. DTCP, see draft-cavuto-dtcp-01.txt (local copy) or at http://www.ietf.org/ID.html

Contributed Credits:
  • None

arrow up contents arrow up top of page

Appendix - To do
  1. Maybe expand on "hair-pinning" solutions once a solution is understood or concieved. Presently exploring MPLS-TE approach, however a preliminary concern with MPLS is not knowing if Flow-tap filters will extract an IPv4 datagram from an LSP.

arrow up contents arrow up top of page

Appendix - Change log

1/13/2008 - Added the following warning to the top of the howto.
            "As of right now... flow-tap does not work if the ip-sec tunnel to 
            the mediation device is configured on the same router. From what I 
            understand, this is supposed to be fixed down the road, but as of 
            now this issue renders this solution useless."