1NBAR, 12/03 © 2003 Cisco Systems, Inc. All rights reserved. NETWORK BASED APPLICATION RECOGNITION...
1NBAR, 12/03 © 2003 Cisco Systems, Inc. All rights reserved.
NETWORK BASED APPLICATION RECOGNITION
Tim McSweeney
Product Manager, QoS
Internet Technologies Division
Agenda
• What is Network Based Application Recognition (NBAR)?
• Benefits and hardware support
• NBAR Functionality
NBAR
[Figure: "My application is too slow!" Pie chart of link utilization by application: Citrix 25%, Netshow 15%, Fasttrack 10%, FTP 30%, HTTP 20%. Resulting actions: mark Citrix as interactive traffic and police FTP; guarantee bandwidth for Citrix.]
• Intelligent classification engine used with Quality of Service (QoS) class-based features
• Protocol Discovery analyzes application traffic patterns in real time and identifies which traffic is running on the network
NBAR – Intelligent Classification
• Capable of classifying applications that have:
  – Statically assigned TCP and UDP port numbers
  – Non-TCP and non-UDP IP protocols
  – Dynamically assigned TCP and UDP port numbers during connection establishment
• Classification based on deep packet inspection: NBAR can look deeper into the packet to identify applications
  – HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ])
  – Citrix ICA traffic
  – RTP payload type classification
• Currently supports 88 protocols/applications
NBAR Benefit Footprint and Hardware Support
Benefits:
• Application classification
• Precise QoS treatment
• Application statistics for bandwidth provisioning
• Top-n views
• Threshold settings
• Mapping applications to an SP’s service offering
Hardware support by network position (in the order shown on the slide):
• Enterprise Backbone: Cisco Catalyst 6500 and 7600 Series (MSFC; planned ASIC)
• Enterprise Premise Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7100, 7200, and 7500 Series; Cisco 83x, 1700, 2600-2600XM, 3600, and 3700 Series
• Service Provider Aggregation Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7100, 7200, and 7500 Series
• Service Provider Core: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM; planned ASIC); Cisco 7500 Series
[Figure: IP packet (ToS, source IP address, destination IP address), TCP/UDP packet (source port, destination port) and data packet. NBAR classifies on the data packet through sub-port/deep inspection with stateful and dynamic inspection.]
Supported protocols as of Cisco IOS Software Release 12.2(8)T: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm - 1031614
egp, exchange, kerberos, secure-nntp, smtp, gre, finger, l2tp, notes, snmp, icmp, ftp, ldap, novadigm, socks, ipinip, secure-ftp, secure-ldap, ntp, sqlnet, ipsec, gopher, netshow, pcanywhere, ssh, eigrp, http, pptp, pop3, streamwork, bgp, secure-http, sqlserver, secure-pop3, syslog, cuseeme, imap, netbios, printer, telnet, dhcp, irc, nfs, realaudio, secure-telnet, dns, secure-irc, nntp, rcmd, tftp, vdolive, xwindows, napster, citrix
Packet Description Language Modules
• Packet Description Language Modules (PDLMs) define applications recognizable by NBAR
  – New applications supported by adding new PDLMs
  – No Cisco IOS Software upgrade or reboot required to add new PDLMs
  – New Cisco IOS Software required only when enhanced NBAR infrastructure is required for new PDLM functionality
• New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
  – Only new/updated PDLMs are loaded
• Must be produced by Cisco engineers
• Issues:
  – Software quality: testing and support
  – Software security: risk of Trojan horses and worms
  – SDK infrastructure: development environment
Protocol Discovery: Traffic Classification & Real-Time Statistics
• Automatically uses all PDLMs
  – Run Protocol Discovery instead of specifying individual protocols
• Includes statistics for traffic identified with user-defined custom application classification
• Statistics per interface, per protocol:
  – bit rate (bps)
  – packet counts
  – byte counts
NBAR User-Defined Custom Application Classification
Cisco IOS Software Release 12.3(4)T, Nov 2003
[Figure: IP packet (ToS, source IP address, destination IP address), TCP/UDP packet (source port, destination port) and data packet; the data packet is shown as FFFF0000 Moonbeam FFFF, with the matched string "Moonbeam" following the skipped leading bytes.]
Example:
```
ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
class-map solar_system
 match protocol lunar_light
policy-map astronomy
 class solar_system
  set ip dscp AF21
interface <>
 service-policy output astronomy
```
Parameters of the ip nbar custom command, with the value used in the example:
• Name – Name the match criteria – up to 24 characters (example: lunar_light)
• Offset – Specify the beginning byte of string or value to be matched in the data packet, counting from zero for the first byte (example: 8, skip the first 8 bytes)
• Format – Define the format of the match criteria – ASCII, hex or decimal (example: ascii)
• Value – The value to match in the packet – if ASCII, up to 16 characters (example: Moonbeam)
• [Source or destination port] – Optionally restrict the direction of packet inspection; defaults to both directions if not specified (syntax: [source | destination]; not used in the example)
• TCP or UDP – Indicate the protocol encapsulated in the IP packet (example: tcp)
• Range or selected port number(s) – “range” with start and end port numbers, up to 1000 – 1 to 16 individual port numbers (example: range 2000 2999)
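As an added example (not from the slides and not Cisco code), the following Python models how one ip nbar custom entry such as lunar_light above is applied to a data packet: the offset counted from zero, an ASCII or hex value, the optional source/destination restriction, and the 24-character name, 16-character value and 1000-port range limits. The CustomApp class, the helper names and the sample packet bytes are assumptions constructed for the example; a list of 1 to 16 individual ports would simply be another set passed as ports.

```python
# Added example, not Cisco code: a model of how one "ip nbar custom" entry is
# applied to a data packet. Class/helper names and sample bytes are assumptions.
from dataclasses import dataclass

@dataclass
class CustomApp:
    name: str          # match-criteria name, up to 24 characters
    offset: int        # first data-packet byte to compare, counting from zero
    fmt: str           # "ascii" or "hex" (the decimal encoding is not modelled)
    value: str         # ASCII: up to 16 characters
    transport: str     # "tcp" or "udp"
    ports: set         # from port_range(); a set of 1 to 16 individual ports also fits
    direction: str = ""  # "source", "destination" or "" (both directions)

    def __post_init__(self):
        if len(self.name) > 24:
            raise ValueError("name longer than 24 characters")
        if self.fmt == "ascii" and len(self.value) > 16:
            raise ValueError("ascii value longer than 16 characters")

    def pattern(self) -> bytes:
        if self.fmt == "ascii":
            return self.value.encode("ascii")
        if self.fmt == "hex":
            return bytes.fromhex(self.value)
        raise ValueError("unsupported format: " + self.fmt)

    def matches(self, transport, sport, dport, payload: bytes) -> bool:
        if transport != self.transport:
            return False
        if self.direction == "source":
            port_ok = sport in self.ports
        elif self.direction == "destination":
            port_ok = dport in self.ports
        else:                               # default: inspect both directions
            port_ok = sport in self.ports or dport in self.ports
        pat = self.pattern()
        return port_ok and payload[self.offset:self.offset + len(pat)] == pat

def port_range(start, end):
    """'range start end': at most 1000 ports."""
    if start > end or end - start + 1 > 1000:
        raise ValueError("range must cover 1 to 1000 ports")
    return set(range(start, end + 1))

# ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
LUNAR_LIGHT = CustomApp("lunar_light", 8, "ascii", "Moonbeam", "tcp", port_range(2000, 2999))
# Constructed data packet: 8 leading bytes to skip, then the string, then filler.
SAMPLE_PAYLOAD = bytes.fromhex("ffff0000ffff0000") + b"Moonbeam" + b"\xff\xff"
```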
NBAR HTTP Classification
Cisco IOS Software Release 12.3(4)T, Nov 2003
• Extended Inspection: NBAR looks for an HTTP-specific signature in ports beyond well-known TCP port 80
• Match criteria:
```
router(config-cmap)#match protocol http ?
  host  host-name-string  -- Match Host Name
  url   url-string        -- Match URL String
  mime  MIME-type         -- Match MIME Type
```
[Figure: HTTP clients behind Router X send an HTTP GET request through Router Y to an HTTP server; the responses to the HTTP GET flow back the same way.]
• HTTP GET request contains Host/URL string
• Optionally, HTTP responses may be further classified by MIME-type
match protocol http: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112789 (10/03)
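The following Python is an added example (not from the slides and not Cisco code) of the classification described above: it recognises an HTTP request line on any TCP port, pulls the Host and URL from the request and the MIME type from the response, and matches them against class-map style rules using the *, ? and [ ] wildcard forms the deck lists. The rule tuples, function names and sample messages are assumptions; the request-line check is an assumed stand-in for the slide's "HTTP-specific signature".

```python
# Added example, not Cisco code: an HTTP classifier modelled on
# "match protocol http host|url|mime", with the *, ? and [ ] wildcards the
# deck lists. Rule/function names and the sample messages are assumptions.
import fnmatch   # implements exactly the *, ? and [ ] wildcard forms

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")  # assumed HTTP signature: a request line

def looks_like_http(payload: bytes) -> bool:
    """Extended inspection: recognise HTTP on any port, not only TCP 80."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(METHODS) and b" HTTP/1." in first_line

def parse_request(payload: bytes):
    """Return (method, url, host) from an HTTP request head."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        key, _, val = line.partition(":")
        if key.lower() == "host":
            host = val.strip()
    return method, url, host

def response_mime(payload: bytes) -> str:
    """Return the MIME type from a response's Content-Type header, or ''."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        key, _, val = line.partition(":")
        if key.lower() == "content-type":
            return val.strip().split(";")[0]
    return ""

def classify(rules, request: bytes, response: bytes = b""):
    """rules: [(class_name, 'host'|'url'|'mime', wildcard_pattern)].
    Returns the first class whose criterion fits, else None."""
    if not looks_like_http(request):
        return None
    _, url, host = parse_request(request)
    subject = {"host": host, "url": url, "mime": response_mime(response) if response else ""}
    for name, kind, pattern in rules:
        if subject[kind] and fnmatch.fnmatchcase(subject[kind], pattern):
            return name
    return None

# Constructed sample traffic: a GET on a non-standard port and its response.
REQUEST = b"GET /cgi-bin/order.cgi?id=7 HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg; q=1\r\n\r\n\xff\xd8..."
RULES = [("intranet", "host", "*.example.com"), ("cgi", "url", "/cgi-bin/*"), ("images", "mime", "image/*")]
```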
NBAR: Additional Development
• New and updated PDLMs
  – Citrix ICA: enhanced support for Citrix-based applications
  – Real-Time Protocol (RTP)
  – Real-Time Streaming Protocol (RTSP)
  – eDonkey: peer-to-peer file sharing application
  – KaZaA: revalidated for KaZaA v 2.5
• Support for IP Services
  – NBAR-NAT-RTSP integration: Release 12.3(3rd)T [Q1CY’04]
  – Upcoming: NBAR-Firewall integration
KaZaA versions 2 and 2.5
PDLM Rev 6, April 2003
• KaZaA v2 PDLM available: www.cisco.com/cgi-bin/tablebuild.pl/pdlm
• Classifies KaZaA v2 and v2.5 data traffic
  – QoS policy can limit users to browse, but not share, files
• Covers file transfers
  – Downloads and uploads
NBAR RTP Payload Classification
PDLM Rev 2, May 2003
Packet layout: IP Hdr | UDP | RTP Header | Audio/Video/Data
RTP fixed header (RFC 1889):
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
• Stateful identification of real time audio and video traffic
• Differentiation on the basis of audio and video codecs
• RTP: transport protocol for Real-Time Applications – RFC 1889
• RTP profile for audio and video conferences with minimal control – RFC 1890
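As an added example (not Cisco's RTP PDLM), the Python below parses the RTP fixed header shown above, rejecting packets whose version field is not 2 or whose CSRC list does not fit, and maps the payload type (PT) to the RFC 1890 static codec assignments, which is the audio/video codec differentiation the slide describes. Function names, the subset of the PT table and the sample packets are assumptions constructed for the example.

```python
# Added example, not Cisco's PDLM: parse the RTP fixed header and classify the
# payload type (PT) by the RFC 1890 static codec table. Names are assumptions.
import struct

# RFC 1890 static payload types (subset); 96-127 are dynamically assigned.
RFC1890_PT = {0: ("PCMU", "audio"), 3: ("GSM", "audio"), 4: ("G723", "audio"),
              8: ("PCMA", "audio"), 9: ("G722", "audio"), 14: ("MPA", "audio"),
              18: ("G729", "audio"), 26: ("JPEG", "video"), 31: ("H261", "video"),
              32: ("MPV", "video"), 34: ("H263", "video")}

def parse_rtp(packet: bytes):
    """Return the header fields as a dict, or None if not a plausible RTP v2 packet."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:                         # V field must be 2
        return None
    cc = b0 & 0x0F                           # CSRC count, 4 bits
    if len(packet) < 12 + 4 * cc:            # CSRC list must fit in the packet
        return None
    csrcs = struct.unpack("!%dI" % cc, packet[12:12 + 4 * cc])
    return {"padding": bool(b0 & 0x20), "extension": bool(b0 & 0x10), "cc": cc,
            "marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "csrc": csrcs}

def classify_rtp(packet: bytes) -> str:
    """'rtp audio PCMU', 'rtp video H263', 'rtp dynamic', 'rtp unassigned' or 'not-rtp'."""
    hdr = parse_rtp(packet)
    if hdr is None:
        return "not-rtp"
    pt = hdr["pt"]
    if pt in RFC1890_PT:
        codec, kind = RFC1890_PT[pt]
        return "rtp %s %s" % (kind, codec)
    return "rtp dynamic" if 96 <= pt <= 127 else "rtp unassigned"

def build_rtp(pt, seq, ts, ssrc, marker=False, csrc=(), payload=b""):
    """Constructed packet builder for samples (V=2, P=0, X=0)."""
    b0 = 0x80 | len(csrc)
    b1 = (0x80 if marker else 0) | pt
    hdr = struct.pack("!BBHII", b0, b1, seq, ts, ssrc)
    return hdr + b"".join(struct.pack("!I", c) for c in csrc) + payload

# Constructed samples: a G.711 u-law audio packet and an H.263 video packet.
AUDIO_SAMPLE = build_rtp(0, 1000, 160, 0xDEADBEEF, payload=bytes(160))
VIDEO_SAMPLE = build_rtp(34, 7, 90000, 0x0BADCAFE, marker=True, csrc=(1, 2))
```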
NBAR Protocol Discovery MIB
Cisco IOS Software Release 12.3
• Provides statistics per application, per interface via SNMP
  – Enable or disable protocol discovery per interface
  – Display protocol discovery statistics
  – Configure and view multiple top-n tables listing protocols by bandwidth usage
  – Configure thresholds: report breaches and send notifications when these thresholds are crossed
• Supported by Cisco QoS partners
  – Concord Communications
  – InfoVista: traffic monitoring; DoS attack mitigation
• NBAR Protocol Discovery MIB: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpdmib.htm
• CISCO-NBAR-PROTOCOL-DISCOVERY-MIB: www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
NBAR Classification for Multiple IP Services
[Figure: Previously, each IP service (Firewall, NAT, IDS, QoS classification) parsed the packet sequentially on its own, and only QoS used NBAR parsing results for traffic classification. Now NBAR provides a shared infrastructure for IP traffic identification: the packet is parsed once and NBAR’s parsing is utilized by multiple services (Firewall, NAT, IDS, QoS classification), and new NBAR PDLMs can be added to identify new applications without a software upgrade.]
References
• QoS Classification Overview
www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfclass.htm#1003102
• Configuring Network-Based Application Recognition
www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm
• Match Protocol Commands: Citrix, HTTP, RTP
www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112612
Custom-xx NBAR Functionality
• Used for static TCP/UDP port based applications that NBAR does not support
• Add up to 10 custom applications
• Map 16 TCP and UDP ports each per application
• Statistics appear in the Protocol Discovery
• Port-map syntax:
```
Router(config)#ip nbar port-map custom-01 ?
  tcp  TCP ports
  udp  UDP ports
```