Month: January 2012

Calculating System Thermal Output

The Internet abounds with information on the topic of thermal output.

I’ve collected the following formulas and placed them here for my quick reference.






















For example,

  • PacketLight PL-1000TN Optical Transport Unit PSU rated at 70 watts is
    238.7 BTU-Hr = 3.41 * 70 watts
  • HP ProLiant DL120 Generation 7 (G7) PSU rated at 570 watts is
    1943.7 BTU-Hr = 3.41 * 570 watts
  • Dell PowerEdge R410 Rack Server with Non-Redundant PSU rated at 480 watts is
    1636.8 BTU-Hr = 3.41 * 480 watts

Volts will change the wattage; consider the following calculation.

Power (watts) = Voltage (volts) * Current (amperes)

If you are looking for information on sizing the thermal footprint of a datacenter there are other factors to take into consideration in addition to server and network equipment.

For example,

  • People (see note 1)
  • Lighting
  • Powered devices (non-IT gear)
  • Windows (sun light)
  • Heat conduction via exterior (outside) facing walls
  • Raised/non-raised floor
  • Humidity

When I set out to research the formula for determining a system’s thermal output I found myself caught up in the additional information I came across.  To me that’s like finding $5 bill in my pocket.

Note 1
There is general agreement that the human body will produce ~100 watts.  The following link has a brief discussion on the topic – interesting I thought.

How I Implemented a CALEA Solution (With Juniper JUNOS)

The following information was first published on 11/15/2007 at
CALEA is an acronym for, “Communications Assistance for Law Enforcement Act“. Enough time has passed that an update to this document is needed. The following should be considered historical.


  • Draft Version: 0.1.2
  • Service: Flow-Tap, IPSec and Dynamic Tasking Control Protocol (DTCP)
  • Operating System: Juniper JUNOS 8.2R2.4
  • Draft Date: 11/15/2007
  • Last Updated: 1/3/2012

As of right now (1/14/2008)… flow-tap does not work if the ip-sec tunnel to the mediation device is configured on the same router. From what I understand, this is supposed to be fixed down the road, but as of now this issue renders this solution useless unless the VPN tunnel is relocated to another router/device. I relocated the VPN tunnel on my network and it worked well for my needs. This issue was discovered during testing. Only after working with JTAC was it learned that the issue existed.


These are my notes from how I implemented CALEA capabilities on a Juniper Networks router.

During the last several months I did not have a readily available resource (of any type, human or document) which explained how to take the existing IP network I manage and re-engineer it to provide CALEA intercept capabilities.

I would like to stress that there is a difference between a basic packet capture with a protocol analyzer and a purpose built intercept mechanism; whether that mechanism be an appliance or daughter-card installed into a router chassis. Intercept depth and duration can very per intercept warrant.

Let me say now that I am very open to constructive criticism. I do not know everything, and do not imply nor suggest such. Please send your correction, suggestion or comment.

There are several facets to CALEA and this document only covers the IP aspect from a narrow point of view, mine. Please see the reference section for links to Internet destinations concerning CALEA.

The content in this document is NOT intended to explain all the aspects of CALEA, which I know I can not possibly do anyway, nor is it trying to present a complete definition of all CALEA components.

The most current version of this document may be found at

Creative Commons License
The blog post content for “How I Implemented a CALEA Solution (With Juniper JUNOS)” is licensed under a Creative Commons Attribution 3.0 License off site link.
Please provide the following attribution if you copy or distribute the contents of this particular blog post in whole or part:
“Original content by Jeff Neuffer Jr ( located at


The following example has been applied to multiple autonomous system edge routers, however the example in this document will show a single router.

The following definitions are used…

  • AS: Autonomous System
  • Hair-pin IP flows: Traffic that originates and terminates on the same router. Traffic does not traverse the network outside of this physical chassis.
  • DTCP: Dynamic Tasking Control Protocol, Intercept Commands issued via DTCP
  • NE: Network Element, in this case my router
  • Entities
    • TTP: Trusted Third Party
    • NETOP: Network Operator (my employer/me)
  • IKE Security Association End Point (AKA IPSec Gateway):
    • TTP IKE security-association:
    • NETOP IKE security-association:
  • IPSec Security Association (what qualifies to be sent over the IPSec tunnel):
    • TTP IPSec Encryption Domain:
    • NETOP IPSec Encryption Domain:
  • SSH End Point
    • TTP Mediation Device:
    • NETOP NE:

The NETOP has contracted with a TTP.
The TTP demands the type of VPN be that of a Lan-2-Lan/Site-2-Site only.
All physical interfaces on the NE are public.
NE is used soley for IP transit to and from the Internet.
The NE has full BGP routes from it’s eBGP and iBGP peers.
The NE has an AS-II PIC installed.
DTCP is tunneled via an SSH connection.
IPSec tunnels are used to transport the SSH protocol.
IPSec tunnels are used to transport the intercepted data back to the TTP’s mediation device.
IPSec tunnels are terminated directly to the NE.
SSH connections are terminated directly to the NE.
DTCP and SSH are considered control plain operations in this document.
IPSec is considered the data plain in this document.

Router Diagram

Logical representation of packet encapsulation, command/control communication, and subscriber packet flow over network device

Flow-Tap Configuration

These are the additional commands I added to my existing configuration.

system { login { class ft-class { permissions [ flow-tap flow-tap-control flow-tap-operation ]; } user ft-ttp { uid 2200; class ft-class; authentication { encrypted-password "password_for_ft-ttp"; } } services { flow-tap-dtcp { ssh { connection-limit 5; rate-limit 5; } } } } chassis { fpc 0 { pic 3 { adaptive-services { service-package layer-3; } } } } interfaces { sp-0/3/0 { unit 0 { description "For Flow-Tap"; family inet; } } } services { flow-tap { interface sp-0/3/0.0; } }

IPSec Configuration

Firewall filters need to permit the following protocol/port values: TCP/32001 (SSH) UDP/1814 (DTCP) ESP (IPSec)

I’ve been asked in the past what defines the DTCP port value above (1814).  It is defined in draft-cavuto-dtcp-03.txt in section 6.5 “No specific port”.  The draft leaves it up to the implementers (vendors) to choose which port the DTCP server binds to.

interfaces { sp-0/3/0 { unit 1 { description "For IPSec TTP"; family inet; service-domain inside; } unit 2 { description "For IPSec TTP"; family inet; service-domain outside; } } lo0 { unit 0 { family inet { /* this address was already present and is primary */ address { primary; } /* this address was added just for the VPN */ address; } } } } routing-options { static { /* is a TTP-CALEA related prefix */ route next-hop sp-0/3/0.1; } } services { service-set IPSEC-TTP-Company-1 { next-hop-service { inside-service-interface sp-0/3/0.1; outside-service-interface sp-0/3/0.2; } ipsec-vpn-options { local-gateway; } ipsec-vpn-rules To-TTP-Company; } ipsec-vpn { rule To-TTP-Company { term 1 { from { source-address {; } destination-address {; } } then { remote-gateway; dynamic { ike-policy 123_123_123_123; ipsec-policy dynamic-policy-1; } } } match-direction input; } ipsec { proposal dynamic-1 { description "Mimick TTP Company Phase 2"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; } policy dynamic-policy-1 { proposals dynamic-1; } } ike { proposal proposal-1 { description "Mimick TTP Company Phase 1"; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 86400; } policy 123_123_123_123 { mode main; proposals proposal-1; pre-shared-key ascii-text "a_password_here"; } } } }

Verify IPSec

Verify the IPSec tunnels by manually generating some traffic.

operator@router> ping source operator@router> show services ipsec-vpn ike security-associations Remote Address State Initiator cookie Responder cookie Exchange type Matured 2d79657b04657b2f 9a5223ce9a529048 Main operator@router> show services ipsec-vpn ipsec security-associations Service set: IPSEC-TTP-Company-1, IKE Routing-instance: default Rule: To-TTP-Company, Term: 1, Tunnel index: 1 Local gateway:, Remote gateway: IPSec inside interface: sp-0/3/0.1, Tunnel MTU: 1500 Direction SPI AUX-SPI Mode Type Protocol inbound 4075957595 0 tunnel dynamic ESP outbound 3306433064 0 tunnel dynamic ESP

Miscellaneous Notes

Coverage of the IP Network

I work for a small ISP; at the time this document was drafted, the IP coverage of this solution is roughly 80% to 90% converage. The setup used in this document is applied at the AS edge which should explain why 100% IP converage is not realized. “Hair-pin” IP flows are not accounted for and neither are inter-AS IP flows.

Appendix – References and Credits


  1. Trademarks Related: JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
  2. JUNOS 8.2 – Flow-Tap Configuration Guidelines
  3. JUNOS 8.2 – IPSec Services Configuration Guidelines
  7. – Impact of CALEA on Network Operators
  9. RFC2804 – IETF Policy on Wiretapping
  10. DTCP, see draft-cavuto-dtcp-03.txt at

Contributed Credits:

  • None

Appendix – To do

Maybe expand on “hair-pinning” solutions once a solution is understood or concieved. Presently exploring MPLS-TE approach, however a preliminary concern with MPLS is not knowing if Flow-tap filters will extract an IPv4 datagram from an LSP.

Appendix – Change log

1/13/2008 – Added the following warning to the top of the howto. “As of right now… flow-tap does not work if the ip-sec tunnel to the mediation device is configured on the same router. From what I understand, this is supposed to be fixed down the road, but as of now this issue renders this solution useless.

1/3/2012 – Several spelling corrections.  Moved content over to a blog.
1/5/2012 – Several formatting and typo corrections
2/11/2013 – fixed formatting issues