Dynamic lawful intercept filters are created and attached slowly on a scaled system.
In a scaled system with over 100,000 subscribers, slow lawful intercept filter attachment times were noticed. The system has over 63,000 Dynamic Host Configuration Protocol (DHCP) subscribers, terminating over dynamic virtual LAN (VLAN) demux interfaces:
    mx960_RE0> show subscribers summary
    Subscribers by State
       Active: 105648
       Total: 105648
    Subscribers by Client Type
       DHCP: 63294
       VLAN: 41654
       Static: 700
       Total: 105648
Initially, there are no active taps on the system:
    ===== SENDING DTCP COMMAND:
    LIST DTCP/0.7
    Csource-ID: dtcp1
    Cdest-ID: cd1
    Flags: BOTH
    Seq: 1
    Authentication-Info: 1b8da94cf34ee2c54a37fc674833eaa23cfd9a84

    ===== RECEIVED DTCP RESPONSE:
    DTCP/0.7 430 Unknown Content Destination
    SEQ: 1
    AUTHENTICATION-INFO: b248aca45d70dd3e7b76647f18a152668fdaf4ab
A tap is then added for a subscriber that is currently logged in:
    ===== SENDING DTCP COMMAND:
    ADD DTCP/0.7
    Csource-ID: dtcp1
    Cdest-ID: cd1
    Priority: 2
    Flags: STATIC
    X-JTap-Cdest-Dest-Address: 55.66.1.2
    X-JTap-Cdest-Dest-Port: 65535
    X-JTap-Cdest-Source-Address: 10.16.0.20
    X-JTap-Cdest-Source-Port: 50000
    X-MD-Intercept-Id: 55667788
    X-UserName: ae1:[email protected]
    Seq: 1
    Authentication-Info: 62d111c3c35fdf32403306e0f7e90ae81b02c670

    ===== RECEIVED DTCP RESPONSE:
    DTCP/0.7 200 OK
    SEQ: 1
    CRITERIA-ID: 35
    TIMESTAMP: 2015-10-21 16:47:38.058
    AUTHENTICATION-INFO: 6b0e6dfd215bba226aa4298f300ce0d6a3a3b2f1
The router's response to a DTCP LIST query reports that the tap is present:
    ===== SENDING DTCP COMMAND:
    LIST DTCP/0.7
    Csource-ID: dtcp1
    Cdest-ID: cd1
    Flags: BOTH
    Seq: 1
    Authentication-Info: 1b8da94cf34ee2c54a37fc674833eaa23cfd9a84

    ===== RECEIVED DTCP RESPONSE:
    DTCP/0.7 200 OK
    SEQ: 1
    TIMESTAMP: 2015-10-21 16:48:27.107
    CRITERIA-ID: 35
    CSOURCE-ID: dtcp1
    CDEST-ID: cd1
    CSOURCE-ADDRESS: 10.8.52.98
    FLAGS: Static
    AVERAGE-BANDWIDTH: 0
    MATCHING-PACKETS: 0
    MATCHING-BYTES: 0
    NUM-REFRESH: 0
    LAST-REFRESH: 2015-10-21 16:47:38.058
    X-JTAP-CDEST-DEST-ADDRESS: 55.66.1.2
    X-JTAP-CDEST-DEST-PORT: 65535
    X-JTAP-CDEST-SOURCE-ADDRESS: 10.16.0.20
    X-JTAP-CDEST-SOURCE-PORT: 50000
    X-MD-INTERCEPT-ID: 55667788
    X-USERNAME: ae1:[email protected]
    CRITERIA-NUM: 1
    CRITERIA-COUNT: 1
    AUTHENTICATION-INFO: 289e269d68603b8d5f82c9c4358e0b8428c1a095
However, the tap is not actually programmed yet. Checking the filters active on the Packet Forwarding Engine (PFE) shows that no dynamic lawful intercept filters are present:
    % cprod -A fpc2 -c "show filter " | grep dfcd
    %
In this case it takes almost 6 minutes before the PFE has the filters programmed and active:
    % cprod -A fpc2 -c "show filter " | grep dfcd
    33554432 Classic - __dfcd_li_43559_inet__
    33554433 Classic - __dfcd_li_43559_inet6__
During that delay, traffic from the tapped subscriber is not sent to the mediation device, even though DTCP reports the tap as applied.
The MX is functioning as designed with respect to the delay in filter definition and attachment. The lawful intercept code handles adds and deletes in a time-sliced manner: the system scans 2,000 subscribers every 10 seconds to process the tap change. With over 100,000 subscribers, that translates into a worst-case time of over 500 seconds (8 minutes) to walk the entire subscriber list and find a match for the credentials used to apply (or remove) the tap.
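The following added example (not part of this article or any Juniper tool) shows how an operator can reconcile what DTCP claims with what the PFE has programmed, and bound how long to keep polling using the scan parameters above. It assumes that the two `__dfcd_li_<id>_inet__` / `__dfcd_li_<id>_inet6__` filters for one tap share a numeric id (as in the capture above); the sample inputs are constructed from the captures, not taken from a live device.

```python
import re
from math import ceil

# Constructed sample inputs, modelled on the captures above (not real device output).
DTCP_LIST_RESPONSE = """DTCP/0.7 200 OK
SEQ: 1
TIMESTAMP: 2015-10-21 16:48:27.107
CRITERIA-ID: 35
CSOURCE-ID: dtcp1
CDEST-ID: cd1
FLAGS: Static
X-MD-INTERCEPT-ID: 55667788
CRITERIA-NUM: 1
CRITERIA-COUNT: 1
AUTHENTICATION-INFO: 289e269d68603b8d5f82c9c4358e0b8428c1a095
"""
PFE_FILTERS_BEFORE = ""  # 'cprod ... | grep dfcd' printed nothing
PFE_FILTERS_AFTER = """33554432 Classic - __dfcd_li_43559_inet__
33554433 Classic - __dfcd_li_43559_inet6__
"""

# Filter names seen on the PFE; the numeric id is NOT the DTCP CRITERIA-ID
# (43559 vs 35 above), so we only count distinct ids rather than match them.
FILTER_RE = re.compile(r"__dfcd_li_(\d+)_(inet6?)__")

def dtcp_tap_count(response):
    """Taps the DTCP LIST response claims; a 430 reply has no CRITERIA-COUNT -> 0."""
    m = re.search(r"^CRITERIA-COUNT:\s*(\d+)", response, re.M)
    return int(m.group(1)) if m else 0

def pfe_tap_count(filter_listing):
    """Taps actually programmed: one tap yields an inet and an inet6 filter
    with one shared id (assumption), so count distinct ids."""
    return len({m.group(1) for m in FILTER_RE.finditer(filter_listing)})

def worst_case_attach_seconds(subscribers, per_slice=2000, slice_interval=10):
    """Upper bound on attach delay for the time-sliced walk described above."""
    return ceil(subscribers / per_slice) * slice_interval

def tap_status(response, filter_listing, subscribers):
    """'programmed' when the PFE has every claimed tap, else how long to keep polling."""
    claimed, programmed = dtcp_tap_count(response), pfe_tap_count(filter_listing)
    if programmed >= claimed:
        return "programmed"
    missing = claimed - programmed
    return f"pending: {missing} tap(s) not on PFE yet, allow up to {worst_case_attach_seconds(subscribers)} s"
```

Polling `cprod -A <fpc> -c "show filter" | grep dfcd` until `tap_status` returns `programmed`, with the computed bound as the timeout, confirms the tap is live rather than trusting the DTCP 200 OK alone.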