Lawful intercept filter attachment times may be slower than expected

Dynamic lawful intercept filters are created and attached slowly on a scaled system.

Slow lawful intercept filter attachment times were observed on a scaled system with over 100,000 subscribers. The system has over 63,000 Dynamic Host Configuration Protocol (DHCP) subscribers, terminating over dynamic virtual LAN (VLAN) demux interfaces:

Initially, there are no active taps on the system:

A tap is then added for a subscriber that is currently logged in:

The router reports to a DTCP query that the tap is present:

However, the tap is not actually programmed. A check of the filters that are active on the Packet Forwarding Engine (PFE) shows that no dynamic lawful intercept filters are programmed:

It ends up taking almost 6 minutes for the PFE to have the filters programmed and active:

That delay means there is a long window during which the tapped subscriber's traffic is not sent to the mediation device, even though the tap is technically applied.

The MX is functioning as designed with respect to the delay in filter definition and attachment. The lawful intercept code handles adds and deletes in a time-sliced manner. The system scans 2,000 subscribers every 10 seconds to process the tap change. With over 100,000 subscribers, that translates into a maximum time of over 500 seconds (8 minutes) to walk the entire list and find a match based on the credentials used to apply (or remove) the tap.
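The following model of that time-sliced walk is an added example, not Juniper code or output from the system described. It uses the 2,000-subscriber batch and 10-second interval stated above; the subscriber count of 100,001, the list position 69,000, and the assumptions that the walk starts at index 0 when the tap is added and that a match is programmed at the end of its slice are constructed for illustration.

```python
import math

BATCH_SIZE = 2_000     # subscribers scanned per slice (figure from the article)
SLICE_SECONDS = 10     # seconds between slices (figure from the article)

def worst_case_seconds(total_subscribers, batch=BATCH_SIZE, interval=SLICE_SECONDS):
    """Time to walk the entire subscriber list once."""
    return math.ceil(total_subscribers / batch) * interval

def simulate_tap(total_subscribers, target_index, batch=BATCH_SIZE, interval=SLICE_SECONDS):
    """Walk the list slice by slice and return the per-slice timeline.

    Modelling assumptions (not from the article): the walk starts at index 0
    when the tap is added, and a match is programmed at the end of its slice.
    Each entry is (elapsed_s, reported_present, programmed_on_pfe).
    """
    if not 0 <= target_index < total_subscribers:
        raise ValueError("target_index outside subscriber list")
    timeline = [(0, True, False)]   # a DTCP query reports the tap immediately
    scanned, elapsed = 0, 0
    while scanned < total_subscribers:
        scanned = min(scanned + batch, total_subscribers)
        elapsed += interval
        programmed = target_index < scanned
        timeline.append((elapsed, True, programmed))
        if programmed:
            break
    return timeline

def unintercepted_window(timeline):
    """Seconds during which the tap is reported present but not programmed."""
    return next(t for t, _, programmed in timeline if programmed)

def classify_delay(observed_seconds, total_subscribers):
    """Separate the designed delay from one that needs investigation."""
    bound = worst_case_seconds(total_subscribers)
    return "within designed bound" if observed_seconds <= bound else "exceeds designed bound"

if __name__ == "__main__":
    subs = 100_001                                  # constructed: "over 100,000"
    tl = simulate_tap(subs, target_index=69_000)    # constructed list position
    print("worst case:", worst_case_seconds(subs), "s")
    print("gap for this subscriber:", unintercepted_window(tl), "s")
    print("6-minute observation:", classify_delay(360, subs))
```

The timeline makes the operational point explicit: the reported state is true from second 0, so tap verification has to check the PFE state and allow for the worst-case bound before treating a missing filter as a fault.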

About the author

James Palmer