Technical Documentation

Best-Effort Application Identification of DPI-Serviced Flows

This topic describes the following information:

Features that Support Application-Level Filtering

On MX Series routers equipped with Multiservices DPCs and M120 or M320 routers equipped with Multiservices 400 PICs, Intrusion Detection and Prevention (IDP) is accomplished by Deep Packet Inspection (DPI) of TCP, UDP, and ICMP flows. The application identification (APPID) feature defines applications as members of application groups in TCP/UDP/ICMP traffic. IDP depends on APPID for identification and detection of some Layer 7 applications.

The application-aware access list (AACL) service uses application names and groups as matching criteria for filtering traffic. The service defines the applications and application groups for which statistics are collected for a specific user or interface.

The local policy decision function (L-PDF) enables you to configure properties for statistics output. L-PDF supports a process that regulates collection of statistics related to applications and application groups and tracking of information about dynamic subscribers and static interfaces.

Best-Effort Application Determination

Typically, APPID conclusively determines the Layer 7 application associated with a given DPI-serviced flow. In these cases, the application identification is final. Occasionally, APPID is only able to make an initial, inconclusive determination of the Layer 7 application associated with a given flow. This is referred to as a "best-effort" application identification. In such cases, the APPID process continues processing packets on that flow and might subsequently make a conclusive determination of the application associated with that flow. In some cases of best-effort application identification, the flow ends before a final application determination can be made.

APPID, AACL, and L-PDF Processing in Preconvergence Scenarios

The following sections describe APPID, AACL, and L-PDF processing in various stages of application identification for a DPI-serviced flow of TCP/UDP/ICMP traffic.

Prior to a Final or Best-Effort Application Identification

During the time that APPID has not yet made either a final or best-effort determination of the application associated with a given flow, the flow does not contribute to any per-subscriber or per-application statistics collection.

The output of the following operational mode commands includes flows for which APPID has not yet made either a final or best-effort determination of the associated application:

  • show services local-policy-decision-function flows (interface interface-name | subscriber subscriber-name)
  • show services application-aware-access-list flows (interface interface-name | subscriber subscriber-name)

In the command output, the Action field displays "accept" and the Application or Application group field displays "unknown" for a flow for which APPID has not yet made either a final or best-effort determination of the associated application.

Upon Best-Effort Application Identification

When a best-effort application determination is made, AACL does not apply any AACL term actions configured for that flow. There are a number of reasons for this, one being that the action itself (such as "discard") could make a final application determination impossible. Instead, AACL or L-PDF tracks the flow and accepts all packets for that flow until a final determination is made, at which time the normal AACL or L-PDF actions are fully applied to the flow.

While Application Identification Is on a Best-Effort Basis

During the time that APPID identification of the application associated with a given flow is on a best-effort basis, the flow does not contribute to any per-subscriber or per-application statistics collection.

The output of the following operational mode commands includes flows for which APPID has only made a best-effort determination of the associated application:

  • show services local-policy-decision-function flows (interface interface-name | subscriber subscriber-name)
  • show services application-aware-access-list flows (interface interface-name | subscriber subscriber-name)

In the command output, the Action field displays "accept" and the Application or Application group field displays "unknown" for a flow for which APPID has only made a best-effort determination of the associated application.

If a Flow Ends Before an Application Identification Is Made

If a flow ends before APPID has made either a final or a best-effort application identification, AACL or L-PDF uses the "unknown" application ID as a final determination and performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for the "application-group-any" application, then the statistics for that flow will be collected and aggregated against the count bucket type, and reported as such.

If a Flow Ends While Application Identification Is on a Best-Effort Basis

If a flow ends while the application identification is on a best-effort basis, AACL or L-PDF uses that best-effort determination as a final determination. AACL or L-PDF performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for that Layer 7 application, then the statistics for the flow will be collected and aggregated against the AACL or L-PDF statistics.
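The following Python model is an added illustration, not Juniper code or router output. It replays a flow's events through the stages described above to show how many packets pass before a configured "discard" can take effect and which application the flow is accounted against when it ends. The application names, the policy table, and its fallback lookup to application-group-any are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "application-group-any"
# Constructed policy (sample application names): application -> AACL term actions.
# Falling back to the application-group-any entry is a simplification of term matching.
POLICY = {"p2p-sample": {"discard"}, "web-sample": {"accept", "count"}, ANY: {"accept", "count"}}

def actions_for(app):
    return POLICY.get(app, POLICY.get(ANY, {"accept"}))

@dataclass
class Flow:
    state: str = "none"            # "none" -> "best-effort" -> "final"
    app: str = "unknown"
    pre_final_accepted: int = 0    # packets passed before term actions could apply
    enforced_accept: int = 0
    enforced_discard: int = 0

    def identify(self, app, final):
        if self.state != "final":
            self.app, self.state = app, ("final" if final else "best-effort")

    def packet(self):
        if self.state != "final":
            self.pre_final_accepted += 1   # term actions are deferred: always accept
        elif "discard" in actions_for(self.app):
            self.enforced_discard += 1
        else:
            self.enforced_accept += 1

    def displayed(self):
        """(Action, Application) as the flows commands show it before a final result."""
        if self.state != "final":
            return ("accept", "unknown")
        # Assumption: after a final result the real application and action are shown.
        return ("discard" if "discard" in actions_for(self.app) else "accept", self.app)

    def end(self):
        """Flow closes: whatever identification exists becomes final for accounting."""
        acct_app = self.app                # "unknown" if APPID never produced a result
        return acct_app, "count" in actions_for(acct_app)

def replay(events):
    """events: ("pkt",) or ("id", app, is_final). Returns (flow, displayed history, end result)."""
    flow, shown = Flow(), []
    for ev in events:
        if ev[0] == "pkt":
            flow.packet()
        elif ev[0] == "id":
            flow.identify(ev[1], ev[2])
        shown.append(flow.displayed())
    return flow, shown, flow.end()
```

In the model, a flow that shows "accept"/"unknown" may already have a best-effort identification whose configured action is "discard"; the pre_final_accepted counter is the traffic that passed before that action applied.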


Published: 2010-07-19
