NBAR, 12/03 © 2003 Cisco Systems, Inc. All rights reserved.

NETWORK BASED APPLICATION RECOGNITION

Tim McSweeney
Product Manager, QoS
Internet Technologies Division

Agenda

• What is Network Based Application Recognition (NBAR)?
• Benefits and hardware support
• NBAR Functionality

NBAR

"My Application is too slow!"

[Figure: Link Utilization pie chart: Citrix 25%, Netshow 15%, Fasttrack 10%, FTP 30%, HTTP 20%]

Mark Citrix as Interactive traffic and police FTP. Guarantee bandwidth for Citrix!

• Intelligent classification engine used with Quality of Service (QoS) class-based features
• Protocol Discovery analyzes application traffic patterns in real time and identifies which traffic is running on the network

NBAR – Intelligent Classification

• Capable of classifying applications that have:
  – Statically assigned TCP and UDP port numbers
  – Non-TCP and non-UDP IP protocols
  – Dynamically assigned TCP and UDP port numbers during connection establishment
• Classification based on deep packet inspection: NBAR can look deeper into the packet to identify applications
  – HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ]), Citrix ICA traffic, RTP Payload type classification
• Currently supports 88 protocols/applications

NBAR Benefit Footprint and Hardware Support

Benefits:
• Application classification
• Precise QoS treatment
• Application statistics for bandwidth provisioning
• Top-n views
• Threshold settings
• Mapping applications to an SP’s service offering

Hardware support by network segment:

Enterprise Backbone
• Cisco Catalyst 6500 and 7600 Series: MSFC; planned ASIC

Enterprise Premise Edge
• Cisco Catalyst 6500 and 7600 Series: FlexWAN, MWAM; planned ASIC
• Cisco 7100, 7200, and 7500 Series
• Cisco 83x, 1700, 2600-2600XM, 3600, and 3700 Series

Service Provider Aggregation Edge
• Cisco Catalyst 6500 and 7600 Series: FlexWAN, MWAM; planned ASIC
• Cisco 7100, 7200, and 7500 Series

Service Provider Core
• Cisco Catalyst 6500 and 7600 Series: FlexWAN, MWAM; planned ASIC
• Cisco 7500 Series

[Figure: NBAR inspects the IP Packet (ToS, Source IP Addr, Dest IP Addr), the TCP/UDP Packet (SrcPort, DstPort) and the Data Packet (Sub-Port/Deep Inspection, Stateful & Dynamic Inspection)]

Supported protocols as of Cisco IOS Software Release 12.2(8)T: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm - 1031614

bgp, citrix, cuseeme, dhcp, dns, egp, eigrp, exchange, finger, ftp, gopher, gre, http, icmp, imap, ipinip, ipsec, irc, kerberos, l2tp, ldap, napster, netbios, netshow, nfs, nntp, notes, novadigm, ntp, pcanywhere, pop3, pptp, printer, rcmd, realaudio, secure-ftp, secure-http, secure-irc, secure-ldap, secure-nntp, secure-pop3, secure-telnet, smtp, snmp, socks, sqlnet, sqlserver, ssh, streamwork, syslog, telnet, tftp, vdolive, xwindows

Packet Description Language Modules

• Packet Description Language Modules (PDLMs) define applications recognizable by NBAR
  – New applications supported by adding new PDLMs
  – No Cisco IOS Software upgrade or reboot required to add new PDLMs
  – New Cisco IOS Software required only when enhanced NBAR infrastructure is required for new PDLM functionality
• New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
  – Only new/updated PDLMs are loaded
• Must be produced by Cisco engineers
• Issues:
  – Software quality: testing and support
  – Software security: risk of Trojan horses and worms
  – SDK infrastructure: development environment

Protocol Discovery: Traffic Classification & Real-Time Statistics

• Automatically uses all PDLMs
  – Run Protocol Discovery instead of specifying individual protocols
• Includes statistics for traffic identified with user-defined custom application classification
• Statistics per-interface, per-protocol
  – bit rate (bps)
  – packet counts and byte counts

NBAR User-Defined Custom Application Classification (Release 12.3(4)T, Nov 2003)

[Figure: IP Packet (ToS, Source IP Addr, Dest IP Addr), TCP/UDP Packet (SrcPort, DstPort), Data Packet carrying the ASCII string "Moonbeam" after an 8-byte prefix (FFFF0000 ... Moonbeam ... FFFF)]

Example

  ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
  class-map solar_system
   match protocol lunar_light
  policy-map astronomy
   class solar_system
    set ip dscp AF21
  interface <>
   service-policy output astronomy

• Name – name the match criteria, up to 24 characters (example: lunar_light)
• Offset – specify the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte (example: 8, i.e. skip the first 8 bytes)
• Format – define the format of the match criteria: ASCII, hex or decimal (example: ascii)
• Value – the value to match in the packet; if ASCII, up to 16 characters (example: Moonbeam)
• [Source or destination port] – optionally restrict the direction of packet inspection; defaults to both directions if not specified (example: [source | destination], omitted here)
• TCP or UDP – indicate the protocol encapsulated in the IP packet (example: tcp)
• Range or selected port number(s) – “range” with start and end port numbers, up to 1000 ports, or 1 to 16 individual port numbers (example: range 2000 2999)
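As an added illustration (not Cisco's code or NBAR's implementation), the following Python models the match semantics the slide describes for "ip nbar custom": the command line is parsed into name, offset, format, value, optional direction, transport and ports, and a packet matches only when the transport and port(s) fit and the value appears exactly at the configured payload offset. The 8-byte header, port numbers and packet contents are constructed, and the decimal format is left out.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Packet = Tuple[str, int, int, bytes]   # (l4 protocol, src port, dst port, payload)

@dataclass(frozen=True)
class CustomProtocol:
    name: str                        # match-criteria name, up to 24 characters
    offset: int                      # first payload byte compared, counting from zero
    fmt: str                         # "ascii" or "hex" (the slide's "decimal" is not modelled)
    value: str                       # for ascii, up to 16 characters
    l4: str                          # "tcp" or "udp"
    ports: Sequence[int]             # expanded "range a b" (<= 1000 ports) or 1-16 listed ports
    direction: Optional[str] = None  # "source", "destination" or None for both

    def pattern(self) -> bytes:
        return self.value.encode("ascii") if self.fmt == "ascii" else bytes.fromhex(self.value)

def parse_custom_command(line: str) -> CustomProtocol:
    # ip nbar custom <name> <offset> <format> <value> [source|destination] <tcp|udp> (range <a> <b> | <port> ...)
    tok = line.split()
    name, offset, fmt, value, rest = tok[3], int(tok[4]), tok[5], tok[6], tok[7:]
    if len(name) > 24 or (fmt == "ascii" and len(value) > 16):
        raise ValueError("name limited to 24 and ascii value to 16 characters")
    direction = rest.pop(0) if rest[0] in ("source", "destination") else None
    l4 = rest.pop(0)
    ports = range(int(rest[1]), int(rest[2]) + 1) if rest[0] == "range" else [int(p) for p in rest]
    if not 1 <= len(ports) <= (1000 if rest[0] == "range" else 16):
        raise ValueError("a range covers at most 1000 ports; otherwise list 1 to 16 ports")
    return CustomProtocol(name, offset, fmt, value, l4, ports, direction)

def matches(rule: CustomProtocol, pkt: Packet) -> bool:
    l4, sport, dport, payload = pkt
    if l4 != rule.l4:
        return False
    # Port check honours the optional direction; the default is either side.
    by_dir = {"source": sport in rule.ports, "destination": dport in rule.ports}
    if not (by_dir[rule.direction] if rule.direction else any(by_dir.values())):
        return False
    pat = rule.pattern()  # compared only at the configured offset, not anywhere in the payload
    return payload[rule.offset:rule.offset + len(pat)] == pat

# Constructed sample flows against the slide's rule; HDR stands in for the 8 skipped bytes.
LUNAR = parse_custom_command("ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999")
HDR = b"\xff\xff\x00\x00\xff\xff\x00\x00"
SAMPLES = [("tcp", 51000, 2048, HDR + b"Moonbeam v1"),   # client -> server: match
           ("tcp", 2048, 51000, HDR + b"Moonbeam ok"),   # server -> client: match (both directions)
           ("tcp", 51000, 3000, HDR + b"Moonbeam v1"),   # port outside 2000-2999: no match
           ("tcp", 51000, 2048, b"Moonbeam v1")]         # string present but not at offset 8: no match
RESULTS = [matches(LUNAR, p) for p in SAMPLES]
```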

NBAR HTTP Classification (Release 12.3(4)T, Nov 2003)

Extended Inspection: NBAR looks for an HTTP-specific signature in ports beyond well-known TCP port 80

• router(config-cmap)#match protocol http ?
    host  host-name-string  -- Match Host Name
    url   url-string        -- Match URL String
    mime  MIME-type         -- Match MIME Type

[Figure: HTTP Clients, Router X, Router Y, HTTP Server; the HTTP GET Request flows toward the server and the Responses to HTTP GET flow back]

• HTTP GET request contains Host/URL string
• Optionally, HTTP responses may be further classified by MIME-type

match protocol http: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112789 (10/03)
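An added example, not from Cisco, modelling the slide's host/url/mime matching in Python: a request is classified by its Host header or URL, a response by its Content-Type (MIME) header, and HTTP is recognised by its request/status-line signature rather than by port. The class-map names, the mirror host and the packet bytes are constructed; NBAR's *, ? and [ ] wildcards are approximated with Python's fnmatch, which uses the same operators.

```python
import fnmatch
import re
from typing import List, Optional, Tuple

REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

def is_http(payload: bytes) -> bool:
    """Extended inspection: recognise HTTP by its signature, whatever the TCP port."""
    return bool(REQUEST_LINE.match(payload) or STATUS_LINE.match(payload))

def header(payload: bytes, name: str) -> Optional[str]:
    m = re.search(rb"\r\n" + re.escape(name.encode()) + rb":[ \t]*([^\r\n]*)", payload, re.IGNORECASE)
    return m.group(1).decode("latin-1").strip() if m else None

def glob_match(pattern: str, text: Optional[str]) -> bool:
    """NBAR-style wildcard string (*, ?, [ ]) against a header value; fnmatch has the same operators."""
    return text is not None and re.match(fnmatch.translate(pattern), text, re.IGNORECASE) is not None

Rule = Tuple[str, str, str]   # (class-map name, "host" | "url" | "mime", wildcard string)

def classify_http(rules: List[Rule], payload: bytes) -> Optional[str]:
    """First class-map whose host/url (request) or mime (response) criterion matches; 'http' if none."""
    if not is_http(payload):
        return None
    req = REQUEST_LINE.match(payload)
    for cls, crit, pat in rules:
        if req and crit == "host" and glob_match(pat, header(payload, "Host")):
            return cls           # Host and URL are client-supplied strings, not verified identity
        if req and crit == "url" and glob_match(pat, req.group(2).decode("latin-1")):
            return cls
        if not req and crit == "mime" and glob_match(pat, header(payload, "Content-Type")):
            return cls
    return "http"

# Constructed class-maps and packets (www.cisco.com is the host from the slide's reference URL).
RULES: List[Rule] = [("cisco_web", "host", "*.cisco.com"),
                     ("bulk_web", "url", "*.iso"),
                     ("video_web", "mime", "video/*")]
CISCO_GET = b"GET /univercd/cc/td/doc/index.htm HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n"
ISO_GET = b"GET /images/ios.iso HTTP/1.0\r\nHost: mirror.example.net\r\n\r\n"
VIDEO_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: video/mpeg\r\nContent-Length: 4\r\n\r\nMPEG"
HTML_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"
TLS_HELLO = b"\x16\x03\x01\x00\x5a\x01\x00\x00V"   # not HTTP, even when seen on port 80
RESULTS = [classify_http(RULES, p) for p in (CISCO_GET, ISO_GET, VIDEO_RSP, HTML_RSP, TLS_HELLO)]
```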

NBAR: Additional Development

• New and updated PDLMs
  – Citrix ICA: enhanced support for Citrix-based applications
  – Real-Time Protocol (RTP)
  – Real-Time Streaming Protocol (RTSP)
  – eDonkey: peer-to-peer file sharing application
  – KaZaA: revalidated for KaZaA v 2.5
• Support for IP Services
  – NBAR-NAT-RTSP integration: Release 12.3(3rd)T [Q1CY’04]
  – Upcoming: NBAR-Firewall integration

KaZaA versions 2 and 2.5 (PDLM Rev 6, April 2003)

• KaZaA v2 PDLM available
  www.cisco.com/cgi-bin/tablebuild.pl/pdlm
• Classifies KaZaA v2 and v2.5 data traffic
  – QoS policy can limit users to browse, but not share, files
• Covers file transfers
  – Downloads and uploads

NBAR RTP Payload Classification (PDLM Rev 2, May 2003)

[Figure: IP Hdr | UDP | RTP Header | Audio/Video/Data]

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |V=2|P|X|  CC   |M|     PT      |       sequence number         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           timestamp                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           synchronization source (SSRC) identifier            |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |            contributing source (CSRC) identifiers             |
   |                             ....                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• Stateful identification of real time audio and video traffic
• Differentiation on the basis of audio and video codecs

RTP: transport protocol for Real-Time Applications – RFC 1889
RTP profile for audio and video conferences with minimal control – RFC 1890
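An added example (not the PDLM's code) that decodes the fixed header shown in the diagram above and separates audio from video by payload type, using a subset of the static types assigned in RFC 1890. The packets are constructed with the build_rtp helper, and the "rtp-audio", "rtp-video" and "rtp-dynamic" labels are this example's own.

```python
import struct
from typing import Dict, NamedTuple, Optional, Tuple

# A subset of the static payload types in RFC 1890's audio/video profile; 96-127 are dynamic.
RFC1890_PT: Dict[int, Tuple[str, str]] = {
    0: ("PCMU", "audio"), 3: ("GSM", "audio"), 8: ("PCMA", "audio"), 9: ("G722", "audio"),
    14: ("MPA", "audio"), 26: ("JPEG", "video"), 31: ("H261", "video"), 32: ("MPV", "video"),
}

class RtpHeader(NamedTuple):
    version: int; padding: bool; extension: bool; cc: int; marker: bool
    payload_type: int; sequence: int; timestamp: int; ssrc: int; csrcs: Tuple[int, ...]

def parse_rtp(data: bytes) -> Optional[RtpHeader]:
    """Decode the fixed header from the diagram; None when the datagram is not RTP version 2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    if version != 2 or len(data) < 12 + 4 * cc:
        return None
    csrcs = struct.unpack("!%dI" % cc, data[12:12 + 4 * cc])   # () when cc == 0
    return RtpHeader(version, bool(b0 & 0x20), bool(b0 & 0x10), cc, bool(b1 & 0x80),
                     b1 & 0x7F, seq, ts, ssrc, csrcs)

def classify_rtp(data: bytes) -> Optional[str]:
    """Differentiate audio from video by codec (payload type) for the static types above."""
    hdr = parse_rtp(data)
    if hdr is None:
        return None
    if hdr.payload_type in RFC1890_PT:
        return "rtp-" + RFC1890_PT[hdr.payload_type][1]
    return "rtp-dynamic" if hdr.payload_type >= 96 else "rtp-unknown"   # dynamic PTs need signalling

def build_rtp(pt: int, seq: int, ts: int, ssrc: int, marker: bool = False, payload: bytes = b"") -> bytes:
    """Constructed packets for the samples below: version 2, no padding, extension or CSRC."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload

# Constructed samples, not captures.
PCMU_PKT = build_rtp(0, 1000, 160000, 0x1234ABCD, payload=bytes(160))   # G.711 u-law, 20 ms frame
H261_PKT = build_rtp(31, 7, 90000, 0x0BADF00D, marker=True, payload=bytes(8))
DYN_PKT = build_rtp(100, 1, 0, 0xDEADBEEF)
NOT_RTP = b"\x45\x00\x00\x3c" + bytes(8)   # first two bits are 01: not RTP version 2
```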

NBAR Protocol Discovery MIB (Release 12.3)

• Provides statistics per application, per interface via SNMP
  – Enable or disable protocol discovery per interface
  – Display protocol discovery statistics
  – Configure and view multiple top-n tables listing protocols by bandwidth usage
  – Configure thresholds: report breaches and send notifications when these thresholds are crossed
• Supported by Cisco QoS partners
  – Concord Communications
  – InfoVista: traffic monitoring; DoS attack mitigation
• NBAR Protocol Discovery MIB
  www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpdmib.htm
• CISCO-NBAR-PROTOCOL-DISCOVERY-MIB
  www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

NBAR Classification for Multiple IP Services

[Figure: Previously, each IP service (Firewall, NAT, IDS, QoS Classification) processed packets sequentially, each parsing the packet itself against its own data and PDLMs; only QoS used NBAR parsing results for traffic classification]

[Figure: Now, NBAR provides a shared infrastructure for IP traffic identification: NBAR parses the packet once and its parsing is utilized by Firewall, NAT, IDS and QoS Classification; new NBAR PDLMs can be added to identify new applications without a software upgrade]

References

• QoS Classification Overview
  www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfclass.htm#1003102
• Configuring Network-Based Application Recognition
  www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm
• Match Protocol Commands: Citrix, HTTP, RTP
  www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112612

Custom-xx NBAR Functionality

• Used for static TCP/UDP port based applications that NBAR does not support
• Add up to 10 custom applications
• Map 16 TCP and UDP ports each per application
• Statistics appear in the Protocol Discovery
• Router(config)#ip nbar port-map custom-01 ?
    tcp  TCP ports
    udp  UDP ports