Traffic that enters and exits a Services Router running JUNOS software is processed according to features you configure, such as security policies, packet filters, and screens. For example the software can determine:
Packets that enter and exit a Services Router running JUNOS software undergo both packet-based and flow-based processing.
The software implements flow-based security and services, with packet-based application of filters, policers, traffic shapers, and other classification features.
A packet undergoes flow-based processing after any packet-based filters and policers have been applied to it.
Figure 1 shows an architectural overview of traffic flow in a Services Router running JUNOS software. See Figure 3 to follow the path of the traffic as it traverses through the Flow services module.
Figure 1: Traffic Flow for Flow-Based Processing
A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS software treats packets belonging to the same flow in the same manner.
Configuration settings that determine the fate of a packet—such as the security policy that applies to it, whether the packet is sent through an IPsec tunnel, if it requires an Application Layer Gateway (ALG), if Network Address Translation (NAT) is applied to translate the packet's address—are assessed for the first packet of a flow. The settings are then applied to the rest of the packets in the flow.
To determine if a packet belongs to an existing flow, the router attempts to match the packet's information to that of an existing flow based on the following six match criteria:
If the packet matches an existing flow, processing for the packet is assessed in the context of its flow state, which is maintained by the flow's session. If it does not match the session for an existing flow, the packet is used to create a flow state and a session is allocated for it.
The security policy to be used for the first packet of a flow is cached in a flow table for use with the same flow and closely related flows. Security policies are associated with zones. A zone is a collection of interfaces that define a security boundary. A packet's incoming zone, as determined by the interface through which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which policy is used for packets of the flow.
Flow-based packet processing, which is stateful, requires the creation of sessions. A session is created, based on the characteristics assessed for the first packet of a flow, for the following purposes:
For example, logging and counting information for a flow is cached in its session. (Some stateful firewall screens rely on threshold values that pertain to individual sessions or across all sessions.)
Most packet processing occurs in the context of a flow. The flow engine and session bring together the following features and events that affect a packet as it undergoes flow-based processing:
A packet undergoes packet-based processing when it is dequeued from its input (ingress) interface and before it is enqueued on its output (egress) interface.
Packet-based processing applies stateless firewall filters and class-of-service (CoS) features to discrete packets. You can apply a firewall filter to an ingress or egress interface, or to both.
Figure 2 shows architectural overview of traffic flow in a standard JUNOS router.
Figure 2: Traffic Flow for Packet-Based Processing
Filters and CoS features are typically associated with one or more interfaces to influence which packets are allowed to transit the system and to apply special actions to packets as necessary.
 |
Note: Packet-based processing occurs only if you configure filters, CoS, IPv6, and MPLS features for an interface that handles the packet. |
Here are the kinds of packet-based features that you can configure and apply to transit traffic. For details on specific stateless firewall filters and CoS features, see the JUNOS Software Interfaces and Routing Configuration Guide and the JUNOS Software CLI Reference.
You can apply a stateless firewall filter to an input or output interface, or to both. A filter contains one or more terms, and each terms consists of two components—match conditions and actions. By default, a packet that does not match a firewall filter is discarded.
You can plan and design stateless firewall filters to be used for various purposes—for example, to limit traffic to certain protocols, IP source or destination addresses, or data rates.
Sessions are created, based on routing and other classification information, to store information and allocate resources for a flow. Sessions have characteristics, some of which you can change, such as when they terminated. For example, you might want to ensure that a session table is never entirely full to protect against an attacker's attempt to flood the table and thereby prevent legitimate users from starting sessions.
Depending on the protocol and service, a session is programmed with a timeout value. For example, the default timeout for TCP is 30 minutes. The default timeout for UDP is 1 minute. When a flow is terminated, it is marked as invalid, and its timeout is reduced to 10 seconds.
If no traffic uses the session before the service timeout, the session is aged out and freed to a common resource pool for reuse. You can affect the life of a session in the following ways:
The following sections show you how to modify a session's characteristics. For details, see the JUNOS Software CLI Reference.
JUNOS software terminates sessions normally in certain situations—for example, after receiving a TCP FINish Close or receiving a RST (reset) message, when encountering Internet Control Message Protocol (ICMP) errors for UDP, and when no matching traffic is received before the service timeout. When sessions are terminated, their resources are freed up for use for other sessions.
To control when sessions are terminated, you configure the router to age out sessions after a certain period of time, when the number of sessions in the session table reaches a specified percentage, or both.
- set security flow aging early-ageout 2
- set security flow aging high-watermark 90 low-watermark
50
- set security flow tcp-session tcp-initial-timeout 280
- set security flow tcp-session rst-invalidate-session
The JUNOS software provides a mechanism to disable security checks on TCP packets to ensure interoperability with hosts and routers with faulty TCP implementations. The following set security flow command disable TCP SYN checks and TCP sequence checks on all TCP sessions.
- set security flow tcp-session no-syn-check
- set security flow tcp-session no-sequence-check
End-to-end TCP communication in a customer network might not work for large packets approaching 1500 bytes because of GRE or IPsec tunneling encapsulation. You can use the set security flow command to change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels.
- set security flow tcp-mss ipsec-vpn mss 1400
- set security flow tcp-mss gre-in mss 1364
- set security flow tcp-mss gre-out mss 1364
The following command configures the TCP MSS to 1400 bytes for all TCP sessions.
- set security flow tcp-mss all-tcp 1400
- set security flow allow-dns-reply
- set security flow route-change-timeout
- set security flow syn-flood-protection-mode
You can use other set security flow commands to accommodate other systems. For syntax information, see the JUNOS Software CLI Reference.
 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |