Packet Flow and Session Management in SRX 210 Services Gateways

This section describes the process that the SRX 210 services gateway undertakes in establishing a session for packets belonging to a flow that transits the device. The flow services of the SRX 210 are single-threaded and non-distributed. Although it differs from the other SRX services gateways in this respect, the same flow model is followed and the same command line interface (CLI) is implemented.

To illustrate session establishment and the packet “walk” including the points at which services are applied to the packets of a flow, this example uses the simple case of a unicast session.

Flow Processing and Session Management

This section explains how a session is set up to process the packets composing a flow. In the following sections, the SPU refers to the dataplane thread of the SRX 210 services gateway.

At the outset, the dataplane thread fetches the packet and performs basic sanity checks on it. Then it processes the packet for stateless filters and CoS classifiers and applies some screens.

First-Packet Processing

To determine if a packet belongs to an existing flow, the services gateway attempts to match the packet’s information to that of an existing session based on the following six match criteria:

• Source address
• Destination address
• Source port
• Destination port
• Protocol
• Unique token from a given zone and virtual router

The SPU checks its session table for an existing session for the packet. If no existent session is found, the SPU sets up a session for the flow. If a session match is found, the session has already been created, so the SPU performs fast-path processing on the packet.

Session Creation

In setting up the session, the SPU executes the following services for the packet:

• Screens
• Route lookup
• Policy lookup
• Service lookup
• NAT, if required

After a session is set up, it is used for all packets belonging to the flow. Packets of a flow are processed according to the parameters of its session. For the remainder of the steps entailed in packet processing, proceed to Step 1 in “Fast-Path Processing”. All packets undergo fast-path processing.

Fast-Path Processing

If a packet matches a session, JUNOS software for the SRX-series services gateways performs fast-path processing as described in the following steps. After a session has been set up for the first packet in a flow, also undergoes fast-path processing. All packets undergo fast-path processing.

1. The SPU applies flow-based security features to the packet.
   • Configured screens are applied.
   • TCP checks are performed.
   • Flow services, such as NAT, ALG, and IPsec are applied, if required.
2. The SPU prepares the packet for forwarding and transmits it.
   • Routing packet filters are applied.
   • Traffic shaping is applied.
   • Traffic prioritizing is applied.
   • Traffic scheduling is applied.
   • The packet is transmitted.