NETWORK BASED APPLICATION RECOGNITION
Tim McSweeney
Product Manager, QoS
Internet Technologies Division
NBAR, 12/03
© 2003 Cisco Systems, Inc. All rights reserved.

Agenda
• What is Network Based Application Recognition (NBAR)?
• Benefits and hardware support
• NBAR functionality
NBAR
"My application is too slow!"
• Intelligent classification engine used with Quality of Service (QoS) class-based features
• Protocol Discovery analyzes application traffic patterns in real time and identifies which traffic is running on the network
[Figure: Link Utilization chart of Citrix, Netshow, Fasttrack, FTP and HTTP traffic, with slices labelled 25%, 15%, 10%, 30% and 20%]
Mark Citrix as interactive traffic and police FTP. Guarantee bandwidth for Citrix!
Cisco IOS QoS Update, 11/03
NBAR – Intelligent Classification
• Capable of classifying applications that have:
  – Statically assigned TCP and UDP port numbers
  – Non-TCP and non-UDP IP protocols
  – TCP and UDP port numbers assigned dynamically during connection establishment
  – Classification based on deep packet inspection: NBAR can look deeper into the packet to identify applications
  – HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ]); Citrix ICA traffic; RTP payload type classification
• Currently supports 88 protocols/applications
NBAR Benefit Footprint and Hardware Support
Benefits (across the Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge and Service Provider Core):
• Application classification
• Precise QoS treatment
• Application statistics for bandwidth provisioning; top-n views
• Threshold settings
• Mapping applications to an SP's service offering
Hardware support by placement:
• Enterprise Backbone: Cisco Catalyst 6500 and 7600 Series (MSFC; planned ASIC)
• Enterprise Premise Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7100, 7200 and 7500 Series; Cisco 83x, 1700, 2600-2600XM, 3600 and 3700 Series
• Service Provider Aggregation Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7100, 7200 and 7500 Series
• Service Provider Core: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7500 Series
NBAR – Stateful & Dynamic Inspection
[Figure: NBAR inspects the IP packet (ToS, Protocol, Source IP Addr, Dest IP Addr), the TCP/UDP packet (Src Port, Dst Port) and the data packet (sub-port/deep inspection)]
Supported protocols as of Cisco IOS Software Release 12.2(8)T:
egp, gre, icmp, ipinip, ipsec, eigrp, bgp, cuseeme, dhcp, dns, exchange, finger, ftp, secure-ftp, gopher, http, secure-http, imap, irc, secure-irc, kerberos, l2tp, ldap, secure-ldap, netshow, pptp, sqlserver, netbios, nfs, nntp, citrix, secure-nntp, notes, novadigm, ntp, pcanywhere, pop3, secure-pop3, printer, realaudio, rcmd, napster, smtp, snmp, socks, sqlnet, ssh, streamwork, syslog, telnet, secure-telnet, tftp, vdolive, xwindows
www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm#1031614
Packet Description Language Modules
• Packet Description Language Modules (PDLMs) define the applications recognizable by NBAR
  – New applications are supported by adding new PDLMs
  – No Cisco IOS Software upgrade or reboot is required to add new PDLMs
  – New Cisco IOS Software is required only when an enhanced NBAR infrastructure is needed for new PDLM functionality
• New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
  – Only new/updated PDLMs are loaded
• Must be produced by Cisco engineers
• Issues:
  – Software quality: testing and support
  – Software security: risk of Trojan horses and worms
  – SDK infrastructure: development environment
Protocol Discovery: Traffic Classification & Real-Time Statistics
• Automatically uses all PDLMs
  – Run Protocol Discovery instead of specifying individual protocols
• Includes statistics for traffic identified with user-defined custom application classification
• Statistics per interface, per protocol:
  – bit rate (bps)
  – packet counts
  – byte counts
NBAR User-Defined Custom Application Classification
Release 12.3(4)T, Nov 2003
[Figure: the match criteria are applied to the IP packet (ToS, Protocol, Source IP Addr, Dest IP Addr), the TCP/UDP packet (Src Port, Dst Port) and the data packet]
• Name – name the match criteria, up to 24 characters (example: lunar_light)
• Offset – the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte (example: 8, skipping the first 8 bytes)
• Format – the format of the match criteria: ASCII, hex or decimal (example: ascii)
• Value – the value to match in the packet; if ASCII, up to 16 characters (example: Moonbeam)
• [Source or destination port] – optionally restrict the direction of packet inspection; defaults to both directions if not specified (syntax: [source | destination])
• TCP or UDP – the protocol encapsulated in the IP packet (example: tcp)
• Range or selected port number(s) – "range" with start and end port numbers, up to 1000 ports, or 1 to 16 individual port numbers (example: range 2000 2999)
Data packet: FFFF0000MoonbeamFFFF
Example:
  ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
  class-map solar_system
   match protocol lunar_light
  policy-map astronomy
   class solar_system
    set ip dscp AF21
  interface <>
   service-policy output astronomy
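As an added illustration (not Cisco code and not on the original slide), the following Python models the custom match described above and applies it to the slide's own data packet FFFF0000MoonbeamFFFF; the byte encoding of hex and decimal values, the class name and the classify helper are my assumptions.

```python
# Added example (not Cisco code): models the NBAR custom-application match described
# above: name, offset, ascii/hex/decimal value, optional direction, tcp/udp and a
# port range or port list. The byte encoding of hex/decimal values is an assumption.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

@dataclass
class CustomApp:
    name: str                          # match-criteria name, up to 24 characters
    offset: int                        # first payload byte to compare, counting from 0
    fmt: str                           # "ascii", "hex" or "decimal"
    value: Union[str, int]             # ascii text (<= 16 chars), hex digits or an integer
    proto: str                         # "tcp" or "udp"
    port_range: Optional[Tuple[int, int]] = None  # "range start end", up to 1000 ports
    ports: Sequence[int] = ()          # or 1 to 16 individual port numbers
    direction: Optional[str] = None    # "source", "destination" or None = both

    def __post_init__(self) -> None:   # limits stated on the slide
        too_big = [len(self.name) > 24, len(self.ports) > 16,
                   self.fmt == "ascii" and len(str(self.value)) > 16,
                   bool(self.port_range) and self.port_range[1] - self.port_range[0] >= 1000]
        if any(too_big):
            raise ValueError("24-char name, 16-char ASCII value, 1000-port range or 16 ports exceeded")

    def pattern(self) -> bytes:        # bytes expected in the payload at `offset`
        if self.fmt == "ascii":
            return str(self.value).encode("ascii")
        if self.fmt == "hex":
            return bytes.fromhex(str(self.value))
        n = int(self.value)            # decimal: big-endian, minimal width (assumption)
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

    def _port_ok(self, sport: int, dport: int) -> bool:
        lo, hi = self.port_range or (1, 0)          # empty range when only a list is given
        def hit(p: int) -> bool:
            return p in self.ports or lo <= p <= hi
        want = {"source": [sport], "destination": [dport]}.get(self.direction, [sport, dport])
        return any(hit(p) for p in want)            # unspecified direction: either port

    def matches(self, proto: str, sport: int, dport: int, payload: bytes) -> bool:
        pat = self.pattern()
        return (proto == self.proto and self._port_ok(sport, dport)
                and payload[self.offset:self.offset + len(pat)] == pat)

# The slide's own example: ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
LUNAR_LIGHT = CustomApp("lunar_light", 8, "ascii", "Moonbeam", "tcp", port_range=(2000, 2999))

def classify(proto: str, sport: int, dport: int, payload: bytes, apps=(LUNAR_LIGHT,)) -> str:
    # Like "class-map ... match protocol <name>": first matching custom app, else unclassified
    return next((a.name for a in apps if a.matches(proto, sport, dport, payload)), "unclassified")
```

Note that the match is purely positional: the same string eight bytes earlier or later, or on a port outside 2000-2999, is not classified, which is why the offset and port set must be chosen from the application's actual wire format.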
NBAR HTTP Classification
Release 12.3(4)T, Nov 2003
Extended Inspection: NBAR looks for an HTTP-specific signature on ports beyond the well-known TCP port 80.
[Figure: HTTP clients send an HTTP GET request through Router X and Router Y to the HTTP server; the HTTP GET request contains the Host/URL string, and the responses to the HTTP GET flow back through the routers]
Optionally, HTTP responses may be further classified by MIME type.
  router(config-cmap)#match protocol http ?
    host  host-name-string   -- Match Host Name
    url   url-string         -- Match URL String
    mime  MIME-type          -- Match MIME Type
match protocol http:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112789
NBAR: Additional Development
• New and updated PDLMs
  – Citrix ICA: enhanced support for Citrix-based applications
  – Real-Time Protocol (RTP)
  – Real-Time Streaming Protocol (RTSP)
  – eDonkey: peer-to-peer file sharing application
  – KaZaA: revalidated for KaZaA v2.5
• Support for IP Services
  – NBAR-NAT-RTSP integration: Release 12.3(3rd)T [Q1CY'04]
  – Upcoming: NBAR-Firewall integration
KaZaA versions 2 and 2.5
PDLM Rev 6, April 2003
• KaZaA v2 PDLM available: www.cisco.com/cgi-bin/tablebuild.pl/pdlm
• Classifies KaZaA v2 and v2.5 data traffic
  – QoS policy can limit users to browsing, but not sharing, files
• Covers file transfers
  – Downloads and uploads
NBAR RTP Payload Classification
PDLM Rev 2, May 2003
Stateful identification of real-time audio and video traffic
Differentiation on the basis of audio and video codecs
Packet layout: IP Hdr | UDP | RTP Header | Audio/Video/Data
RTP fixed header (RFC 1889):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
RTP: transport protocol for Real-Time Applications – RFC 1889
RTP profile for audio and video conferences with minimal control – RFC 1890
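As an added example (not Cisco code and not the RTP PDLM itself), this Python parses the fixed header shown above and applies a stateful check before a UDP flow is called RTP: the packet run must keep one SSRC, one payload type and consecutive sequence numbers, which is what stops a single random UDP datagram that happens to carry V=2 from being classified. The payload-type table is a subset of the RFC 1890 static assignments; the three-packet threshold and the build_rtp helper are my assumptions.

```python
# Added example (not Cisco code): parses the RTP fixed header shown above (RFC 1889)
# and classifies a UDP flow statefully by payload type (PT), as the RTP PDLM does.
import struct
from collections import namedtuple
from typing import Tuple

# Subset of the RFC 1890 static payload types; 96-127 are dynamic (resolved via SDP, not here)
STATIC_PT = {0: ("PCMU", "audio"), 3: ("GSM", "audio"), 8: ("PCMA", "audio"), 9: ("G722", "audio"),
             14: ("MPA", "audio"), 26: ("JPEG", "video"), 31: ("H261", "video"), 32: ("MPV", "video")}

RtpHeader = namedtuple("RtpHeader", "padding extension cc marker payload_type seq timestamp ssrc csrc")

def parse_rtp(pkt: bytes):
    """Parsed fixed header plus CSRC list, or None when the bytes are not well-formed RTP."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:            # 12-byte header present and V == 2
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    cc = b0 & 0x0F
    if len(pkt) < 12 + 4 * cc:                        # the CSRC list must fit in the packet
        return None
    csrc = struct.unpack("!%dI" % cc, pkt[12:12 + 4 * cc])
    return RtpHeader(bool(b0 & 0x20), bool(b0 & 0x10), cc, bool(b1 & 0x80),
                     b1 & 0x7F, seq, ts, ssrc, csrc)

class RtpFlowTracker:
    """A flow is called RTP only after `need` packets with V=2, one SSRC, one PT and consecutive seq."""
    def __init__(self, need: int = 3) -> None:
        self.need = need
        self.state = {}                               # flow key -> [ssrc, pt, last_seq, run]

    def feed(self, flow: Tuple, pkt: bytes) -> str:
        h = parse_rtp(pkt)
        if h is None:                                 # a single random UDP packet can look like RTP
            self.state.pop(flow, None)
            return "unknown"
        s = self.state.get(flow)
        if s and s[0] == h.ssrc and s[1] == h.payload_type and ((s[2] + 1) & 0xFFFF) == h.seq:
            s[2], s[3] = h.seq, s[3] + 1
        else:
            s = self.state[flow] = [h.ssrc, h.payload_type, h.seq, 1]
        if s[3] < self.need:
            return "unknown"
        name, kind = STATIC_PT.get(h.payload_type, ("PT%d" % h.payload_type, "other"))
        return "rtp-%s-%s" % (kind, name)             # e.g. rtp-audio-PCMU

def build_rtp(pt: int, seq: int, ts: int, ssrc: int, csrc=(), payload=b"") -> bytes:
    # Constructed test packet (not captured traffic)
    b0, b1 = (2 << 6) | len(csrc), pt & 0x7F
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + struct.pack("!%dI" % len(csrc), *csrc) + payload
```

A dynamic payload type (96-127) only tells you the flow is RTP; which codec it carries has to come from the signalling (SDP), which this header-only check cannot see.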
NBAR Protocol Discovery MIB
Release 12.3
• Provides statistics per application, per interface via SNMP
  – Enable or disable protocol discovery per interface
  – Display protocol discovery statistics
  – Configure and view multiple top-n tables listing protocols by bandwidth usage
  – Configure thresholds: report breaches and send notifications when these thresholds are crossed
• Supported by Cisco QoS partners
  – Concord Communications
  – InfoVista: traffic monitoring; DoS attack mitigation
• NBAR Protocol Discovery MIB: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpdmib.htm
• CISCO-NBAR-PROTOCOL-DISCOVERY-MIB: www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
NBAR Classification for Multiple IP Services
Previously: each IP service processes packets sequentially; QoS uses the NBAR parsing results for traffic classification.
[Figure: PACKET → NBAR Parse (PDLM) → PACKET + Parse → QoS Classification; then PACKET → IDS Parse (own data) → PACKET → NAT Parse (own data) → PACKET → Firewall Parse (own data), each service parsing the packet again]
Now: NBAR provides a shared infrastructure for IP traffic identification; NBAR's parsing is utilized by multiple services.
[Figure: PACKET → NBAR Parse (PDLMs) → PACKET + Parse shared by QoS Classification, IDS, NAT and Firewall, each keeping its own data]
New NBAR PDLMs can be added to identify new applications without a software upgrade.
References
• QoS Classification Overview: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfclass.htm#1003102
• Configuring Network-Based Application Recognition: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm
• Match Protocol Commands: Citrix, HTTP, RTP: www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112612
Custom-xx NBAR Functionality
• Used for static TCP/UDP port-based applications that NBAR does not support
• Add up to 10 custom applications
• Map 16 TCP and UDP ports each per application
• Statistics appear in Protocol Discovery
  Router(config)#ip nbar port-map custom-01 ?
    tcp  TCP ports
    udp  UDP ports