Carrier Grade NAT (CGNAT) Workshop – Day 1
Professional Services Americas
Renato Florentino, MSC, JNCIE-SP 772
Agenda – Day One
• 1.1 - Protocol/Functionality Highlights
• 1.1.1 - CGNAT Strategies
• 1.2 - Hardware architecture and services modules
• 1.2.1 - Basic hardware (MS-DPC and MS-MPC NPU)
• 1.2.2 - Basic building blocks for flow processing (flow, conversation, flow roles [master/responder], flow creation and deletion, timers involved)
• 1.3 - NH style, interface style
• 1.4 - Service combination (NAT+SFW+IDS)
• 1.4.1 - Interaction with SFW
• 1.4.2 - Interaction with IDS protection
• 1.4.2.1 - IDS applicability to “master” flows only
• 1.5 - Scaling details
Copyright © 2014 Juniper Networks, Inc.
11/11/15
Agenda – Day One
• 2.1 - NAT pools and NAT prefixes. Relationship between NAT pool, service-set and SP interface
• 2.2 - Static source NAT
• 2.3 - Static destination NAT
• 2.4 - Port overloading, port assignment (range, sequencing)
• 2.5 - Dynamic source NAT with PAT
• 2.5.1 - Port allocation mechanisms: sequential (default) vs random
• 2.5.2 - Port ranges (default 1024-65535 vs custom)
• 2.5.3 - Behaviour when no free ports found
Agenda – Day One
• 3.1 - Statefulness and anomaly detection
• 3.1.1 - SYN cookies
• 3.1.2 - SYN attacks
• 3.1.3 - ICMP errors
• 3.1.4 - Protocol header errors
• 3.1.5 - TCP tickles
• 3.2 - Application Level Gateways (ALGs)
• 3.2.1 - Default Junos definitions
• 3.2.2 - Customization (reassignment of ports, timers)
Introduction
• Initial description of NAT services configuration, HW requirements and basic scaling details.
Introduction – 1.1 Protocol/Functionality Highlights
Protocol/Functionality Highlights
• In early 2011, the Internet Assigned Numbers Authority allocated the last of its inventory of large-block IPv4 addresses, and service providers, large enterprises and universities, cloud providers, e-tailers, and federal agencies will find it increasingly difficult to acquire new IPv4 addresses.
• Juniper Networks' Next-Generation Network Addressing portfolio provides a comprehensive set of technologies that mitigate IPv4 depletion issues while ensuring IPv4-IPv6 co-existence and a pragmatic, business-driven transition to IPv6.
Protocol/Functionality Highlights (contd.)
• Network Address Translation (NAT) is the process of modifying network address and port information inside the IP packet headers, while it transits across a routing device, for the purpose of remapping a given address space into another.
Protocol/Functionality Highlights (contd.)
• NAT is commonly used for:
– Concealing a set of host addresses on a private network behind a pool of public addresses.
– A security measure to protect the host addresses from direct targeting in network attacks.
– Allowing access from the Internet to private servers or applications.
– Merging or interconnecting networks with overlapping addressing.
– A migration technique from/to IPv6.
Protocol/Functionality Highlights (contd.)
• Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the JUNOS Software. In addition, network address port translation (NAPT) is supported for source addresses.
• The following types of NAT are supported on Juniper Networks devices:
– Static NAT
– Destination NAT
– Source NAT
Protocol/Functionality Highlights (contd.)
Summary
• Depending on the action taken when the packet is in transit on the router (fields to be replaced (src/dst), internal/external pool relationship), there are different kinds of translations.
• For each translation a flow is created in the Service PIC, which allows returning traffic to be processed.
• Below is a small summary of the most common types of NAT translations:

Translation Type         Traffic Initiated from   Mapping       IP field translated         TCP/UDP information
Static Source NAT        Inside                   1:1, n:n      Source Address              Preserved
Dynamic Source NAT       Inside                   m:n (m>n)     Source Port and Address     Source port translated
Static Destination NAT   Outside                  1:1, n:n      Destination Address         Preserved
• Juniper recommends technologies that extend customers' current IPv4 address pool and ensure IPv4 and IPv6 co-existence without imposing forklift upgrades or operational penalties. These include technologies such as NAT44(4), as well as DS-Lite which uses tunneling in combination with NAT.
Introduction – 1.1.1 CGNAT Strategies
CGNAT Strategies
Carrier Grade NAT services
• A comprehensive, feature-rich set of NAT services.
NAT Type – Options Available:
• Basic NAT44
– Source NAT pool with address-range/prefix
– translation type is source static
• Basic NAT66
– NAT pool with IPv6 address-range/prefix
– translation type is source static
• NAPT44
– Source NAT pool with address-range/prefix and port range
– translation type is source dynamic
• NAPT66
– Source NAT pool with IPv6 address-range/prefix and port range
– translation type is source dynamic
• Dynamic NAT44
– Source NAT pool with address-range/prefix
– translation type is source dynamic
• Basic NAT-PT
– Source NAT pool with IPv4 address-range/prefix
– Destination NAT pool with /96 prefix
– NAT match condition has IPv6 address/address-range
– translation type is source dynamic, destination static
• NAPT-PT
– Source NAT pool with IPv4 address-range/prefix and port-range
– Destination NAT pool with /96 prefix
– NAT match condition has IPv6 address/address-range
– translation type is source dynamic, destination static
• Twice NAT44
– Source NAT pool with address-range/prefix
– Destination NAT pool with address-range/prefix
– translation type is source dynamic, destination static
• Stateful NAT64
– Source NAT pool with address-range/prefix and port range
– translation type is source dynamic
– Translates between address families, v6 to v4
NAT444: Double IPv4 NAT
• Extends the life of IPv4
• Little/no customer control on CGN translations
• Customers are assigned private IPv4 addresses (RFC1918)
• Least impact to existing infrastructure
[Diagram: v4 hosts (RFC1918) – v4 CPE NAT (UE/HG) – v4 access router – v4 core network (RFC1918) – CGN – v4 Internet]

CGN (NAT444) Internals
Packet walk from host 192.168.1.3 to www.nanog.org (198.108.95.21):
Host to CPE (IPv4 packet):      src 192.168.1.3, src port 12345, dst 198.108.95.21, dst port 80
CPE to CGN (IPv4 packet):       src 10.6.7.8 (ISP RFC1918 internal), src port 23456, dst 198.108.95.21, dst port 80
CGN to Internet (IPv4 packet):  src 1.2.3.4 (from the pool of the ISP), src port 45678, dst 198.108.95.21, dst port 80
CPE NAT Binding:  IN: 192.168.1.3 + port 12345    OUT: 10.6.7.8 + port 23456
CGN NAT Binding:  IN: 10.6.7.8 + port 23456       OUT: 1.2.3.4 + port 45678
NAT64: IPv6 to IPv4 NAT
• IPv6 access network
• All customer devices and applications MUST support IPv6
• NAT64 and DNS64 share a Well-Known Prefix
[Diagram: v6 hosts – v6 CPE (UE/HG) – v6 access/distribution router – v6 core network – NAT64 with DNS64 – v4 Internet; v6 servers are reached directly over the v6 Internet]

NAT64 Internals
Packet walk from host 2001:db8::1 to www.nanog.org (198.108.95.21):
IPv6 side (host to NAT64):      src 2001:db8::1, dst 2009:db9:7 (AAAA generated by DNS64 to match www.nanog.org), src port 12345, dst port 80
IPv4 side (NAT64 to Internet):  src 1.2.3.4 (from the pool of the ISP), dst 198.108.95.21, src port 45678, dst port 80
NAT64 NAT Binding
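The NAT64/DNS64 walk-through above, as an added example (not Juniper code and not from the deck): DNS64 synthesizes an AAAA for a v4-only name by embedding its A record in the /96 prefix, and a stateful NAT64 keeps one binding per IPv6 source and port so that only replies to an existing binding are translated back. The prefix value 64:ff9b::/96 is the RFC 6052 Well-Known Prefix and is an assumption, since the slides only say a Well-Known Prefix is shared; the pool address, ports and www.nanog.org data are the slide's values, and the dual-stack name is constructed.

```python
import ipaddress
from itertools import count

# RFC 6052 Well-Known Prefix; the deck only says NAT64 and DNS64 share a
# Well-Known Prefix, so the literal value is an assumption taken from the RFC.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed DNS data: the deck's v4-only www.nanog.org plus a dual-stack
# name for which DNS64 must NOT synthesize an address.
A_RECORDS = {"www.nanog.org": "198.108.95.21", "dual.example": "203.0.113.9"}
AAAA_RECORDS = {"dual.example": "2001:db8:ffff::9"}


def embed_ipv4(v4, prefix=WELL_KNOWN_PREFIX):
    """RFC 6052 /96 embedding: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6, prefix=WELL_KNOWN_PREFIX):
    """Inverse of embed_ipv4; a destination outside the prefix is not NAT64 traffic."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_lookup(name):
    """DNS64: hand back a native AAAA if one exists, otherwise synthesize one
    from the A record inside the shared prefix, otherwise answer nothing."""
    if name in AAAA_RECORDS:
        return AAAA_RECORDS[name]
    if name in A_RECORDS:
        return str(embed_ipv4(A_RECORDS[name]))
    return None


class StatefulNat64:
    """Stateful NAT64 in the deck's terms: source dynamic translation into an
    IPv4 pool with a port range; the destination is taken from the embedded
    IPv4 address. One binding per (IPv6 source, source port, protocol)."""

    def __init__(self, pool_v4, port_lo=1024, port_hi=65535, prefix=WELL_KNOWN_PREFIX):
        self.pool_v4 = pool_v4
        self.prefix = prefix
        self.ports = count(port_lo)   # sequential allocation, the default the agenda names
        self.port_hi = port_hi
        self.out = {}                 # (v6 src, sport, proto) -> public port
        self.back = {}                # (public port, proto) -> (v6 src, sport)

    def v6_to_v4(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.out:
            port = next(self.ports)
            if port > self.port_hi:
                raise RuntimeError("NAT64 pool has no free ports")
            self.out[key] = port
            self.back[(port, pkt["proto"])] = key[:2]
        return {"src": self.pool_v4, "sport": self.out[key], "proto": pkt["proto"],
                "dst": str(extract_ipv4(pkt["dst"], self.prefix)), "dport": pkt["dport"]}

    def v4_to_v6(self, pkt):
        """Return direction: only a reply to an existing binding is translated;
        anything else aimed at the pool address is unsolicited and dropped."""
        key = (pkt["dport"], pkt["proto"])
        if pkt["dst"] != self.pool_v4 or key not in self.back:
            return None
        v6_src, sport = self.back[key]
        return {"src": str(embed_ipv4(pkt["src"], self.prefix)), "sport": pkt["sport"],
                "proto": pkt["proto"], "dst": v6_src, "dport": sport}


def nat64_walkthrough():
    """The slide's flow: 2001:db8::1 port 12345 -> www.nanog.org port 80."""
    nat = StatefulNat64(pool_v4="1.2.3.4", port_lo=45678)   # pool and first port from the slide
    dst6 = dns64_lookup("www.nanog.org")
    outbound = nat.v6_to_v4({"src": "2001:db8::1", "sport": 12345, "proto": "tcp",
                             "dst": dst6, "dport": 80})
    reply = nat.v4_to_v6({"src": outbound["dst"], "sport": 80, "proto": "tcp",
                          "dst": outbound["src"], "dport": outbound["sport"]})
    return dst6, outbound, reply


if __name__ == "__main__":
    for stage in nat64_walkthrough():
        print(stage)
```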
6rd: Native IPv4 + IPv6 Overlay Service
• Allows for rapid deployment of IPv6 without significant infrastructure changes
– CPE must be updated/replaced to add support for 6rd
– Devices that function as a 6rd relay must be installed
• No other changes to infrastructure are required
[Diagram: dual-stack hosts (RFC1918) – v4 CPE with 6rd support (UE/HG) – v4-only access router – v4 core network (IPv4/NAT) – 6rd relay – v6 Internet; IPv4 traffic goes natively to the v4 Internet]
6rd Internals
Packet walk from host 2001:db8::1 to ipv6.google.com (2001:4860:8010::63):
Host to CPE (IPv6 packet):          src 2001:db8::1, dst 2001:4860:8010::63, src port 12345, dst port 80
CPE to 6rd relay (IPv4 packet):     IPv4 src CPE IPv4 address, IPv4 dst 6rd relay; inner IPv6 packet: src 2001:db8::1, dst 2001:4860:8010::63, src port 12345, dst port 80
6rd relay to Internet (IPv6 packet): src 2001:db8::1, dst 2001:4860:8010::63, src port 12345, dst port 80
DS-Lite: Native IPv6 + IPv4 Overlay Service
• Requires an IPv6 access network
• CPE must be upgraded/replaced to support DS-Lite
• CPE only provisioned with IPv6
• Only one layer of NAT – performed on the AFTR
[Diagram: dual-stack hosts – v6 CPE/device with DS-Lite (B4) support (UE/HG) – v6 access/distribution router – v6 core network – AFTR – v4 Internet; IPv6 traffic goes natively to the v6 Internet]
DS-Lite Internals
Packet walk from host 192.168.1.3 to www.nanog.org (198.108.95.21); the CPE uses protocol IP-in-IP [encapsulation]:
Host to CPE (IPv4 packet):        src 192.168.1.3, dst 198.108.95.21, src port 12345, dst port 80
CPE (B4) to AFTR (IPv6 packet):   IPv6 src CPE IPv6 address, IPv6 dst AFTR IPv6 address; inner IPv4 packet: src 192.168.1.3, dst 198.108.95.21, src port 12345, dst port 80
AFTR to Internet (IPv4 packet):   src 1.2.3.4 (from the pool of the ISP), dst 198.108.95.21, src port 45678, dst port 80
AFTR NAT Binding:  IN: IPv6 WAN address of CPE + 192.168.1.3 + port 12345    OUT: 1.2.3.4 + port 45678
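The AFTR binding in the walk-through above, as an added example (not Juniper code and not from the deck): the B4 on the CPE wraps the IPv4 packet in IPv6 (next header 4, IP-in-IP) and the AFTR keys its NAT binding on the CPE's IPv6 WAN address plus the inner private address and port, so two subscribers that both use 192.168.1.3 get distinct public ports and replies are tunnelled back to the right CPE. The AFTR and CPE IPv6 addresses (2001:db8:a::1, 2001:db8:1::b4, 2001:db8:2::b4) are constructed; the pool address and ports are the slide's.

```python
from itertools import count

# Constructed addresses: the slide only says "AFTR IPv6 address" and
# "CPE IPv6 address", so these documentation-prefix values are assumptions.
AFTR_V6 = "2001:db8:a::1"
IPIP = 4   # IPv6 next-header value for IPv4-in-IPv6, the "IP in IP" the slide names


def b4_encapsulate(cpe_wan_v6, inner_v4):
    """B4 element on the CPE: no NAT, just IPv4-in-IPv6 towards the AFTR."""
    return {"v6_src": cpe_wan_v6, "v6_dst": AFTR_V6, "next_header": IPIP,
            "payload": dict(inner_v4)}


class Aftr:
    """The single NAT layer of DS-Lite. The binding key carries the tunnel
    source (the CPE's IPv6 WAN address), which is what keeps overlapping
    RFC1918 space behind different CPEs apart."""

    def __init__(self, public_ip, port_lo=1024, port_hi=65535):
        self.public_ip = public_ip
        self.ports = count(port_lo)   # sequential allocation, the default the agenda names
        self.port_hi = port_hi
        self.out = {}    # (cpe v6, inner src, inner sport, proto) -> public port
        self.back = {}   # (public port, proto) -> (cpe v6, inner src, inner sport)

    def from_b4(self, tunneled):
        """Decapsulate a softwire packet and source-NAT the inner IPv4 packet."""
        if tunneled["v6_dst"] != AFTR_V6 or tunneled["next_header"] != IPIP:
            raise ValueError("not a DS-Lite softwire packet for this AFTR")
        inner = tunneled["payload"]
        key = (tunneled["v6_src"], inner["src"], inner["sport"], inner["proto"])
        if key not in self.out:
            port = next(self.ports)
            if port > self.port_hi:
                raise RuntimeError("AFTR pool has no free ports")
            self.out[key] = port
            self.back[(port, inner["proto"])] = key[:3]
        return {**inner, "src": self.public_ip, "sport": self.out[key]}

    def to_b4(self, pkt):
        """Reverse-NAT a reply and re-encapsulate it towards the owning CPE;
        unsolicited packets to the pool address match nothing and are dropped."""
        key = (pkt["dport"], pkt["proto"])
        if pkt["dst"] != self.public_ip or key not in self.back:
            return None
        cpe_v6, inner_dst, inner_dport = self.back[key]
        inner = {**pkt, "dst": inner_dst, "dport": inner_dport}
        return {"v6_src": AFTR_V6, "v6_dst": cpe_v6, "next_header": IPIP, "payload": inner}


def dslite_walkthrough():
    """Two CPEs, each with a host at 192.168.1.3:12345 talking to www.nanog.org:80."""
    aftr = Aftr("1.2.3.4", port_lo=45678)          # pool address and first port from the slide
    inner = {"src": "192.168.1.3", "sport": 12345, "proto": "tcp",
             "dst": "198.108.95.21", "dport": 80}
    cpe_a, cpe_b = "2001:db8:1::b4", "2001:db8:2::b4"
    out_a = aftr.from_b4(b4_encapsulate(cpe_a, inner))
    out_b = aftr.from_b4(b4_encapsulate(cpe_b, inner))   # same private tuple, other tunnel
    reply_to_a = {"src": "198.108.95.21", "sport": 80, "proto": "tcp",
                  "dst": "1.2.3.4", "dport": out_a["sport"]}
    return out_a, out_b, aftr.to_b4(reply_to_a)


if __name__ == "__main__":
    for stage in dslite_walkthrough():
        print(stage)
```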
The evolution of high-speed NAT – Why inline NAT?
[Diagram: Inline (Trio) based NAT versus the Multi-Service Dense Port Concentrator (MS-DPC), shown across MX80, MX240, MX480 and MX960 chassis]
Summary of NAT/Transition Methods
CPE Network   Access Network   Destination     Solution
IPv4          IPv4             IPv4 Internet   NAT44(4)
IPv4/IPv6     IPv6             IPv4 Internet   DS-LITE with NAT44
IPv4/IPv6     IPv4             IPv6 Internet   6rd (6to4)
IPv6          IPv6             IPv4 Internet   NAT64
RFCs supported – growing list
• RFC 2663 – NAT44 and NAPT44
• RFC 4787 – UDP Behave
• RFC 5382 – TCP Behave
• RFC 5508 – ICMP Behave
• RFC 6146 – Stateful NAT64
• RFC 5969 – 6rd
• RFC 6333 – DS-Lite
• RFC 2766 – NAT-PT
• RFC 3056 – 6to4
• draft-kuarsingh-v6ops-6to4-provider-managed-tunnel – 6to4-PMT
• draft-ietf-behave-lsn-requirements – Common requirements for CGN devices
Introduction – 1.2 Hardware architecture and services modules
Hardware architecture
• In modern networking, additional services have been moved from dedicated devices into a single box (the router). For this purpose additional hardware is required to avoid any degradation in packet forwarding and throughput.
• Service is a broad term that can include tasks that are performed at Layer 2 (such as link bonding) or at Layer 3 (such as Network Address Translation [NAT]).
• Depending on the type of service required and the size of the service, different PICs can be used. The current offerings include:
– MultiServices DPC (MS-DPC)
– MultiServices MPC (MS-MPC)
Hardware architecture
Separation of Control and Forwarding
[Diagram: the Routing Engine (control plane) running the Junos OS holds the routing table (RT) and the forwarding table (FT); an internal link pushes the FT to the Packet Forwarding Engine (forwarding plane), which handles frames/packets in and out]
NAT in the Control plane (RE)
• On the RE side, NAT functionality resides in NSD and USPINFO.
• In NSD, the NAT module has the following major tasks:
– Sanity-checking the NAT configuration.
– Parsing the NAT configuration, generating configuration blobs and pushing them into the RE kernel (the RE kernel communicates with the PFEs).
– Handling asynchronous events (e.g. interface up/down) from the kernel.
• In USPINFO, the NAT module handles NAT-related operational commands. USPINFO retrieves info from the PFE and displays it in a predefined format.

NAT in the Data plane (PFE)
• In FLOWD, packets are processed and forwarded. The Ukernel serves as the control plane in FLOWD, and the forwarding threads do the real packet processing. The major tasks of NAT in the Ukernel are:
– Handling configuration blobs from the RE kernel.
– Handling operational commands from USPINFO on the RE.
– Handling VTY commands.
Introduction – 1.2.1 Basic hardware (MS-DPC and MS-MPC NPU)
Network Address Translation (NAT)
• NAT and SFW are stateful, directional services
• A notion of “inside” and “outside” needs to be applied.
• Conversations are initiated from one side
• NAT works in conjunction with the Stateful Firewall
– They share ALGs
– Allows the SFW to manage the traffic, and then everything can be NATed
– Or allow a SFW rule that passes all legitimate traffic bi-directionally and NAT accordingly
The MultiService MPC (MS-MPC)
• Extends MS-DPC capabilities to the MX-series
• CLI syntax will remain the same with minor changes
• Hardware based on:
– 4 Network Processor Units (NPU) per MPC
– One ms-* interface is created per NPU
– 4 XLP 832 8-core processors connected in 2 pairs via Inter-Chip Interconnect (ICI)
– An XM and an LU complex – with 40G (4 x XAUI) bi-directional traffic to each XLP
– 32GB of DDR3 memory per XLP processor
– 2 SGMII ports of each XLP are connected to the GE switches
• 8 MS-MPCs are supported per chassis with the AMS interface
• Supports L3
• SFW, NAT, JFLOW, IPSec, GRE Tunneling with keys and TCP-MSS Adjust, RPM, DAA, full IDP with signatures
• Possibility to ignore TCP or ALG errors or both
interfaces {
    "<ms-*/[0-3]/0>" {
        services-options {
            ignore-errors tcp alg;
        }
    }
}
• Limit ports per private IP
root@bug# set services nat pool p1 limit-ports-per-address ?
Possible completions:
  <limit-ports-per-address>  Limit number of ports allocated per host (IP address)

MS-MPC: CGNAT Roadmap (4Q 2014, 1H 2015, 2H 2015, 1H 2016, 2H 2016, 1H 2017)
• AMS Support for IPv6 – 14.2
• IKE ALG – ????
NAT on MS-DPC and MS-MPC
• MS-DPC and MS-MPC support the following NAT standards:
– IPv4 to IPv4 Traditional NAT (RFC 3022, Traditional IP Network Address Translator). In addition, network address port translation (NAPT) is supported for source addresses.
– Twice NAT (RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations) – (MS-MPC in JUNOS 15.1 and above)
– IPv6 to IPv6 NAT (NAT66), defined in Internet Draft “draft-mrw-behave-nat66-01” – (only MS-DPC)
– NAT-PT (RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)) with DNS ALG
– DS-Lite – (only MS-DPC)

Packet vs Flow Processing
• Packet-based, or stateless, packet processing treats packets discretely. Each packet is assessed individually for treatment.
• Flow-based packet processing treats related packets, or a stream of packets, in the same way. Packet treatment depends on characteristics that were established for the first packet of the packet stream, which is referred to as a flow.
Flow
• A flow is a stream of related packets that meet the same matching criteria and share the same characteristics.
• JUNOS Software treats packets belonging to the same flow in the same manner.
• Configuration settings that determine the fate of a packet—such as the security policy that applies to it, whether it requires an Application Layer Gateway (ALG), and whether Network Address Translation (NAT) is applied to translate the packet’s source and/or destination IP address—are assessed for the first packet of a flow.

Flow
• To determine if a flow exists for a packet, the NPU attempts to match the packet’s information to that of an existing session based on the following match criteria:
– Source address
– Destination address
– Source port
– Destination port
– Protocol (L4 options need to be manually enabled)
Flows (contd.)
• UDP and ICMP flows
– Since UDP is uni-directional, it causes one flow.
– ICMP is bi-directional, so it causes two flows.
• TCP flows
– Establishing a TCP connection begins with a three-way handshake and creates two flows. The two TCP flows end with a four-way handshake or a time-out.

Flows (contd.)
• Other protocols
– Packets from other protocols can be grouped into flows as well. There are other transport protocols, and some protocols use layer 4 as a transport. E.g. HTTP traffic is carried by TCP/IP and creates a flow as the connection is built and torn down.
• Flow roles:
– “Master” is the flow initializing the session
– “Responder” is the responding flow
• Source: http://en.wikipedia.org/wiki/Flow_(computer_networking)
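The flow table and flow roles described here, together with the NAT444 walk-through from the CGN internals slide, as one added example (not Juniper code and not from the deck): each NAPT hop keeps a flow table keyed on the 5-tuple with a “master” flow for the initiating direction and a “responder” flow for the return direction, plus one port binding per inside address and port; the CPE NAT and the CGN are chained and the reply from www.nanog.org is walked back through both. Addresses and ports are the slide's; the chaining, the reuse of a binding across destinations and the drop of unsolicited packets are assumptions about behaviour, not Junos internals.

```python
from itertools import count


def reverse(t):
    """Swap the endpoints of a (src, sport, dst, dport, proto) 5-tuple."""
    src, sport, dst, dport, proto = t
    return (dst, dport, src, sport, proto)


class NaptHop:
    """One NAPT hop built from the deck's building blocks: a flow table keyed on
    the 5-tuple, a 'master' flow for the initiating direction, a 'responder'
    flow for the return direction, and one port binding per (inside address,
    inside port). Ports are handed out sequentially (the default the agenda names)."""

    def __init__(self, name, public_ip, port_lo=1024, port_hi=65535):
        self.name = name
        self.public_ip = public_ip
        self.ports = count(port_lo)
        self.port_hi = port_hi
        self.bindings = {}   # (inside ip, inside port) -> public port
        self.flows = {}      # 5-tuple -> {"role": "master"|"responder", "rewrite": 5-tuple}

    def role_of(self, pkt):
        """Role of the flow matched by this 5-tuple, or None if no flow exists."""
        flow = self.flows.get(pkt)
        return None if flow is None else flow["role"]

    def process(self, pkt):
        """Translate one packet. The first packet of a conversation from the
        inside creates the binding and both flows; later packets in either
        direction hit the flow table. A packet for the public address with no
        flow is unsolicited and is dropped (None). An existing binding is reused
        for a new destination (endpoint-independent mapping, EIM)."""
        flow = self.flows.get(pkt)
        if flow is not None:
            return flow["rewrite"]
        src, sport, dst, dport, proto = pkt
        if dst == self.public_ip:
            return None
        key = (src, sport)
        if key not in self.bindings:
            port = next(self.ports)
            if port > self.port_hi:
                raise RuntimeError(f"{self.name}: no free ports left in the pool")
            self.bindings[key] = port
        translated = (self.public_ip, self.bindings[key], dst, dport, proto)
        self.flows[pkt] = {"role": "master", "rewrite": translated}
        self.flows[reverse(translated)] = {"role": "responder", "rewrite": reverse(pkt)}
        return translated


def nat444_walkthrough():
    """The slide's NAT444 path: CPE NAT, then CGN, then the reply back through both."""
    cpe = NaptHop("CPE", "10.6.7.8", port_lo=23456)   # ISP-side RFC1918 address of the CPE
    cgn = NaptHop("CGN", "1.2.3.4", port_lo=45678)    # public pool address of the ISP
    host_pkt = ("192.168.1.3", 12345, "198.108.95.21", 80, "tcp")
    after_cpe = cpe.process(host_pkt)
    after_cgn = cgn.process(after_cpe)
    reply = reverse(after_cgn)                 # www.nanog.org answers the CGN's public tuple
    back_at_cgn = cgn.process(reply)           # responder flow at the CGN
    back_at_cpe = cpe.process(back_at_cgn)     # responder flow at the CPE
    return {"host": host_pkt, "after_cpe": after_cpe, "after_cgn": after_cgn,
            "reply": reply, "back_at_cgn": back_at_cgn, "back_at_cpe": back_at_cpe,
            "cgn_roles": (cgn.role_of(after_cpe), cgn.role_of(reply)),
            # constructed unsolicited packet to the pool with no matching flow
            "unsolicited": cgn.process(("203.0.113.9", 4444, "1.2.3.4", 45679, "tcp"))}


if __name__ == "__main__":
    for stage, value in nat444_walkthrough().items():
        print(f"{stage:>12}: {value}")
```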
Introduction – 1.3 NH style, interface style
Service-set
• Service sets are the main building block when configuring JUNOS software services. A service set is a list of service interfaces, service types, and service rules applied to either an interface or a routing next hop. A service set can contain one type of Layer 3 service or a grouping of services such as NAT, IDS, and stateful firewall.
NH style vs. interface style
• When creating a service set, you'll need to decide whether it should be applied as an interface or a next hop.
• A next-hop-style service set makes use of two logical service interfaces, called the inside and outside interfaces. Traffic is mapped to these interfaces as a result of a routing next-hop lookup. The traffic can enter or exit either the inside or the outside interface depending on the configuration, which depends primarily on the routing configuration and stateful-firewall rules.
• An interface-style service set is applied directly to the interface, affecting traffic as it leaves and enters the interface.

Service Sets
• Interface-Style
– The service-sets are generally quicker to configure and deploy than next-hop style.
– Directly applied to the media interfaces and appear as a “bump-in-the-wire” between the media interface and the PFE.
– All traffic entering the interface and exiting the interface will traverse the MS-DPC/MPC by a service filter applied to the interface.
• Next-Hop Style
– Use the routing table or instance to steer traffic to services.
– Only traffic that is destined for a specific next-hop is serviced by the service-set by use of firewall filters.
– Provide more flexibility than interface-style but care must be taken to ensure traffic symmetry for services that require it.
Interface style
• When creating the service rules, one item you must configure is a direction of either input or output. The direction that is recorded for a packet must match for the service rule to match. This direction is straightforward for an interface-style service set, as input is for incoming traffic to the physical interface, and output is for traffic leaving the physical interface.
• An interface-style service-set is tied to a single sp-*/rsp* interface unit and traffic is directed into this service-set by means of a service-filter.
Life of a Packet – Interface Style
[Diagram: ingress PFE on ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) input service filter, (5) services PIC sp-1/0/0.0, (6) post-service filter, (7) route table lookup; egress PFE on ge-2/0/0.0: (8) output filter, (9) output policer, (10) output service filter, (11) output scheduler, (12) rewrite ToS, with (13) the services PIC and (14) a further route lookup when an output service set is applied to the egress interface. Annotated paths: input traffic before the service PIC, input traffic after the service PIC, input traffic when the output service set is applied to the egress interface, and traffic after a service is applied from an output service filter]
Next-hop style
• When you look at a next-hop-style service set, the direction is more complex because the next hop could point to two possible logical interfaces. If the next hop points to the inside interface, the direction is input, and if the next hop points to the outside interface, the direction is output.
• A next-hop-style service-set is tied to a pair of sp-*/rsp* interface units and traffic is directed into this service-set by means of static or dynamic routing.
Life of a Packet – Next-Hop Style
[Diagram, input traffic: ingress PFE on ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) route lookup in VRF1, (5) services PIC entered via the inside interface (unit 10), (6) route lookup in inet.0 after leaving via the outside interface (unit 20); egress PFE on ge-2/0/0.0: (7) output filter, (8) output policer, (9) output scheduler, (10) rewrite ToS]
[Diagram, return traffic: the reverse path, entering the services PIC via the outside interface (unit 20) after a route lookup in inet.0 and leaving via the inside interface (unit 10) into VRF1]
Interface-style limitation
• An interface-style service set has the following limitations:
– It cannot support multicast traffic matched through the service set (including IPSec tunnels).
– It cannot have overlapping address spaces (such as RFC 1918) that need to be NATed.
– It cannot run routing protocols over the service sets, such as IPSec tunnels.
– Locally generated traffic will not match the rules.
• So, to solve any of those four general limitations, you must use a next-hop service set.
Traffic Direction – Interface-Style
[Diagram: on the router, the media interface ge-1/0/0.0 sits in front of the PFE; input traffic passes through the service set's service interface sp-2/0/0.0 on the way in, and output traffic passes through it on the way out]

Traffic Direction – Next-Hop Style
[Diagram: two service domains, VRF1 and VRF2, joined by the service interface sp-2/0/0 in the service set; input traffic enters the service set through the inside interface (unit 10) and output traffic leaves through the outside interface (unit 20), from either domain]

Life of a Packet – Interface Style, Inline NAT
[Diagram: ingress PFE on ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) input service filter; egress PFE on ge-2/0/0.0: (7) output filter, (8) output policer, (9) output service filter, (10) output scheduler, (11) rewrite ToS; no services PIC stage appears in the inline NAT path]
Summary of service-style feature support
Introduction – 1.4 Service combination (NAT+SFW+IDS)
Service combination (NAT+SFW+IDS)
• When combining multiple services, the general path must be remembered in the forward and reverse directions (see Figure below). This is especially true when NAT is deployed, to determine whether the pre- or post-NAT address should be used to match a rule. In the forward path from a LAN interface to a WAN interface, IDS and stateful firewall are performed first, then NAT, and finally IPSec. This means that the stateful firewall must match on a pre-NAT address whereas the IPSec tunnel would match on the post-NAT address.
Introduction – 1.4.1 Interaction with SFW
NAT and the stateful firewall
• A stateful firewall filter inspects traffic flowing between a trusted network and an untrusted network. In contrast to a stateless firewall filter that inspects packets in isolation, a stateful firewall filter provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions.
• On the Services Router you can configure Network Address Translation (NAT) either independently or with a stateful firewall filter.
NAT and the stateful firewall
admin@MX-CGNAT-RE0# set services stateful-firewall rule CGNAT term 1 from ?
Possible completions:
application-sets Match one or more application sets
+ applications Match one or more applications
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-address-range Match IP destination address range
> destination-prefix-list One or more named lists of destination prefixes to match
> source-address Match IP source address
> source-address-range Match IP source address range
source-prefix-list One or more named lists of source prefixes to match
[edit]
admin@MX-CGNAT-RE0#
Introduction – 1.4.2 Interaction with IDS protection
NAT and the IDS
• JUNOS services support a limited set of IDSs to help detect attacks such as port scanning and anomalies in traffic patterns. It also supports some attack prevention by limiting the number of flows, sessions, and rates. In addition, it protects against SYN attacks by implementing a SYN cookie mechanism.
NAT and the IDS (contd.)
• IDS is a service that monitors the various traffic flows permitted by SFW and tries to recognize patterns. Once a specific pattern is matched as a worthy event, the device can send a notification about this.
• The SFW/IDS code piece does NOT do “traditional” IDS functionality, though the naming convention would tell customers otherwise.
• Note: There is a signature-based IDP functionality on the MS-DPC
• IDS can be called a “traffic anomaly subsystem” since it's more of a SFW log anomaly analyzer system. It does NOT examine the packets directly.
NAT and the IDS (contd.)
• As traffic hits the NPU, the SFW sub-system creates various internal events which may or may not be syslogged. The IDS subsystem aggregates these events for trend analysis. Upon a common trend that exceeds the configured IDS threshold, the subsystem will identify the anomaly.
NAT and the IDS (contd.)
• IDS can be used to limit flows per subscriber to prevent a “resource exhaustion” attack targeting the MS-DPC NPU itself
– An IDS rule with “match-direction input” and “session-limit maximum” is needed
• IDS can be used in conjunction with EIM+EIF to rate-limit unsolicited traffic destined to the NAT address pool _and_ matching “pinhole(s)” created by EIM.
– A separate IDS rule with “match-direction output” and “session-limit rate” is needed
• If unsolicited traffic does _not_ match any NAT mappings/“pinhole(s)” then it is dropped by SFW anyway, even before reaching IDS processing.
NAT and the IDS (contd.)
admin@MX-CGNAT-RE0# set services ids rule CGNAT term 1 from ?
Possible completions:
application-sets Match one or more application sets
+ applications Match one or more applications
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-address-range Match IP destination address range
> destination-prefix-list One or more named lists of destination prefixes to match
> source-address Match IP source address
> source-address-range Match IP source address range
> source-prefix-list One or more named lists of source prefixes to match
[edit]
admin@MX-CGNAT-RE0#
Introduction – 1.4.2 Interaction with IDS protection / 1.4.2.1 IDS applicability to “master” flows only
IDS applicability to "master" flows only
• Not all flows can be rate-limited by IDS, as per design:
– IDS _can_ rate-limit only "master" flows
• Useful when a "master" flow was initiated by an unsolicited internet source towards "pinholes" opened for EIM in the NAT address pool.
– IDS can _NOT_ rate-limit the "responder" flows.
• This means that if a "master" flow was legitimately established from a subscriber host to an internet host, then downloads via HTTP/HTTPS initiated by subscriber hosts cannot be rate-limited by IDS
• There is a caveat: when EIM is configured, the NAT mappings are not cleared when "clear services stateful-firewall flows" is executed. Therefore, if bidirectional traffic (between a private host and a legitimate internet host, initiated by the private host) is present when flow clearing is executed, the flow pair from/to the legitimate internet host can be re-established as an EIM flow pair through the existing NAT mapping. If this happens, the flows non-deterministically swap roles.
Platform Support

Hardware   MX5  MX10  MX40  MX80  MX240  MX480  MX960  MX2020
MS-MIC     Y    Y     Y     Y     Y      Y      Y      Y (Jflow only)
MS-MPC     N    N     N     N     Y      Y      Y      N
MS-DPC     N    N     N     N     Y      Y      Y      Y

Hardware Facts
• MS-MIC CPU clock cycle: 800 MHz
• MS-DPC per-NPU CPU clock cycle: 1.1 GHz
• MS-MPC per-NPU CPU clock cycle: 1.2 GHz
• MS-DPC has 2 NPUs per DPC
• MS-MPC has 4 NPUs per MPC
Services Supported during FRS (JUNOS 13.2R1)

Service                                   Notes
CGN - NAT, NAPT, NAT64                    Other CGN flavors like DS-Lite, PCP, 6RD are on the roadmap
CGN - AMS with NAT44                      NAT64 not yet supported. AMS support for other services like Jflow, IPSEC is on the roadmap
CGN - ALGs                                SIP, RTSP, DNS etc.
SFW - v4 only                             SFW v6 support is on the roadmap
IPSEC (v4, IKEv1, IKEv2)                  IPSEC v6 support might be in 13.2R2. KMD on PIC will come in a 14.x release
Jflow V9 (IPv4, IPv6, MPLS, MPLS-v4,      Versions V5 and V8 will not be supported. IPFIX support is on the roadmap
  multi collector and multi templates)
Scaling and Performance Numbers for CGNAT

Description              MS-DPC (2 NPUs), per NPU (1.1 GHz)   Sparks MIC, 16G (800 MHz)   Sparks MPC (4 NPUs), per NPU (1.2 GHz)
NAT44 / NAT64
  Max flows* (Millions)  8                                    14                          30
Scaling and Performance Numbers for CGNAT - Detailed

CGNAT PERFORMANCE

Test                 Service Card           Build     Packet Size (bytes)  Feature              PPS (Kpps)  Throughput (Mbps)  Num Of Flows  Avg Latency (µ-sec)
NAPT44 w/o syslog    16G MIC (800MHz)       13.3R1.6  1518                 napt44               1602        19424              14000000      100
NAPT44 w/o syslog    MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 napt44               1994        24182              30000000      65
NAPT44 w/o syslog    MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 napt44               858         10404              8400000       62
NAT64                16G MIC (800MHz)       13.3R1.6  1518                 nat64                1577        19121              14000000      99
NAT64                MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 nat64                1794        21755              30000000      70
NAT64                MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 nat64                858         10404              8000000       66
SFW                  16G MIC (800MHz)       13.3R1.6  1518                 sfw                  1605        19461              14000000      99
SFW                  MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 sfw                  1722        20883              30000000      61
SFW                  MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 sfw                  858         10404              8400000       61
NAPT+SFW w syslog    16G MIC (800MHz)       13.3R1.6  1518                 napt44_sfw_slog      1602        19424              14000000      100
NAPT+SFW w syslog    MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 napt44_sfw_slog      2263        27441              30000000      88
NAPT+SFW w syslog    MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 napt44_sfw_slog      858         10404              8400000       62
NAPT+SFW w/o syslog  16G MIC (800MHz)       13.3R1.6  1518                 napt44_sfw           1602        19425              14000000      100
NAPT+SFW w/o syslog  MPC (Per NPU 1.2Ghz)   13.2R3.7  1518                 napt44_sfw           2200        26682              30000000      81
NAPT+SFW w/o syslog  MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 napt44_sfw           858         10404              8400000       62
NAPT+SFW+APP         16G MIC (800MHz)       13.3R1.6  1518                 napt44_sfw_app       1602        19425              14000000      100
NAPT+SFW+APP         MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 napt44_sfw_app       2235        27100              30000000      85
NAPT+SFW+APP         MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 napt44_sfw_app       858         10404              7000000       62
NAPT+SFW+APP+EIM     16G MIC (800MHz)       13.3R1.6  1518                 napt44_sfw_app_eim   1601        19406              14000000      99
NAPT+SFW+APP+EIM     MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 napt44_sfw_app_eim   1997        24218              30000000      66
NAPT+SFW+APP+EIM     MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 napt44_sfw_app_eim   858         10404              5800000       61
NAT64+SFW            16G MIC (800MHz)       13.3R1.6  1518                 nat64_sfw            1571        19045              14000000      100
NAT64+SFW            MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 nat64_sfw            2047        24825              30000000      74
NAT64+SFW            MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 nat64_sfw            858         10404              8000000       66
SFW+V6 Flows         16G MIC (800MHz)       13.3R1.6  1518                 sfw_v6               1579        19140              14000000      100
SFW+V6 Flows         MPC (Per NPU 1.2Ghz)   13.3R1.6  1518                 sfw_v6               1850        22437              30000000      65
SFW+V6 Flows         MSDPC (Per NPU 1Ghz)   13.2R3.7  1518                 sfw_v6               858         10404              7600000       63
IANA CGNAT Address Space
• RFC5735 - IANA-Reserved IPv4 Prefix for Shared Address Space - 100.64.0.0/10
• RFC6598 - IANA-Reserved IPv4 Prefix for Shared Address Space - 100.64.0.0/10
• 11111111 11000000 00000000 00000000 = /10
• 4.194.302 hosts per address space (/10)
NAT pools
• An address pool is an IP address pool used for IP address/port translation. The pool is uniquely identified by its pool name. One can configure a routing instance attached to this pool to perform route lookup for the addresses in the pool.
• There are two kinds of pools supported in NAT:
• source pool
• destination pool
Source Pools
• There are five types of source pool defined:
• Source Pool without PAT: PAT is enabled by default unless the source pool is defined with the 'no-port-translation' option.
• Source Pool with PAT: With PAT enabled, up to about 64,500 hosts can share a single IP address. Hence, a source NAT pool with PAT is hardly ever exhausted.
Source Pools
• Overflow pool: an overflow pool is actually a source pool with PAT. If all the IP addresses in the source pool without PAT are exhausted, the specified overflow pool will be employed, where PAT is always enabled.
• Interface pool: an interface pool is a special source pool with PAT. In this case the configured interface IP address is used for source IP translation.
• Allowing-incoming Table Source Pool: the allow-incoming table can also be allocated from a source pool.
Destination pools
• The destination NAT hierarchy configures the destination NAT pool. It should also be noted that destination NAT with port mapping does NOT involve dynamic port allocation/translation. Instead, it is mapped to a pre-defined port number.
Relationship between NAT pool, service-set and SP interface
• Once the NAT rules (along with other rules, if needed) are configured, a service set with all relevant rules must be configured. In the case of an interface-style service set, the service set must be applied on the media interface. In the case of next-hop style, the service set must be applied on two logical service interfaces, called the inside and outside interfaces.
Static Source NAT
• Some characteristics of Static Source NAT are:
• Translates sessions initiated from the internal network
• One-to-one address mapping for hosts between an internal network and a public IP pool for the lifetime of NAT operation.
• Supports source/destination prefixes (e.g. translate from /24 to /24)
• TCP/UDP port information is preserved during translation.
• The pool size must be the same size as the internal network that requires access to external networks.

Internal Network (192.168.0.0/24)              External Network
  S: 192.168.0.2:3333      -->  NAT  -->        S: 213.13.10.2:3333
  D: 200.44.32.12:80                            D: 200.44.32.12:80
  IP Pool: 213.13.10.0/24
Static Destination NAT
• Some characteristics of Static Destination NAT are:
• Translates sessions initiated from the external network
• 1:1 address mapping for hosts between an internal network and a public IP pool for the lifetime of NAT operation.
• TCP/UDP port information is preserved during translation.
• Used to allow access from external networks to internal applications/servers, etc.

Internal Network (192.168.0.0/24)              External Network
  S: 200.44.32.12:3333     <--  NAT  <--        S: 200.44.32.12:3333
  D: 192.168.0.2:80                             D: 213.14.3.1:80
  Internal Server Public IP address: 213.14.3.1
Port Assignments
• The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
• By default, the JUNOS software allocates NAT ports sequentially. To configure random port allocation, include the random-allocation statement.
Port Assignments (CONTD.)
• Here is an example of why port random-allocation was introduced and became the recommendation:
• A DNS server can be tricked into accepting and caching incorrect translations of network names.
• A malicious user can use this vulnerability to "hijack" the target, redirecting all accesses to a substitute network host or service.
• DNS servers that cache the incorrect results will continue to redirect all clients to the substitute host or service indefinitely.
Port Assignments (CONTD.)
• A number of NAT/PAT devices effectively defeat the DNS source port randomization feature that was implemented to address DNS Cache Poisoning (CERT/CC VU#800113, CVE-2008-1447).
• Network Address Translation (NAT) counteracted the random selection of source ports:
• Mapping the source port to a statically-defined port, sequentially-assigned port, or some other easily-predicted NAT port
Dynamic Source NAT
• Some characteristics of Dynamic Source NAT are:
• Translates sessions initiated from the internal network
• m:n address mapping for hosts between an internal network and a public IP pool for the lifetime of NAT operation (m>n).
• TCP/UDP port information is not preserved during translation (NAPT). NAT ALGs allow specific applications to work in this scenario
• The pool size can be smaller than the internal network that requires access to external networks.

Internal Network (192.168.0.0/24)              External Network
  S: 192.168.0.2:3333      -->  NAT  -->        S: 213.13.10.2:1500
  D: 200.44.32.12:80                            D: 200.44.32.12:80
  IP Pool: 213.13.10.2/32
Port allocation mechanisms
• With static source NAT and dynamic source NAT it's possible to specify multiple IPv4 or IPv6 addresses (or prefixes) and IPv4 and IPv6 address ranges.
• Up to 10 prefixes or address ranges (or a combination) can be supported within a single pool.
• With static destination NAT, it's also possible to specify multiple address prefixes and address ranges in a single term.
• Multiple destination NAT terms can share a destination NAT pool.
Port allocation mechanisms
• However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used.
• For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.
Port allocation mechanisms (contd.)
• With source static NAT, the prefixes and address ranges cannot overlap between separate pools. However, source dynamic NAT (without NAPT) and destination static NAT allow more than one rule or service set to refer to the same pool, and allow multiple pools to have subnets that can overlap. A prefix pool can be used by multiple rules or terms.
• Note: When you configure address pools for NAT and user access, these address pools can overlap with one another. To configure overlapping address pools, include the address or address-range statement at the [edit access address-pool pool-name] and [edit services nat pool pool-name] hierarchy levels.
Port allocation mechanisms (contd.)
• In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.
• When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 32 addresses, for a total of approximately 2,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.
Port Ranges
• The port statement specifies port assignment for the translated addresses.
• To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
• By default, the JUNOS software allocates NAT ports sequentially. To configure random port allocation, include the random-allocation statement.
NO FREE Ports Behaviour
• If a free port cannot be allocated for an initial packet establishing a new flow, the packet is dropped
• Such behaviour is actually beneficial, since it does not leak packets with a private source IP to the outside (NetScreen does allow such leaking)
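The port-allocation behaviour of the preceding slides (sequential default vs random-allocation, a configurable port range, per-application inactivity-timeout aging, and the "no free port, drop the packet" rule) as one added model in Python. This is an illustration written for this page, not Junos code; the pool, flows, addresses and timeout values are constructed.

```python
import random
from dataclasses import dataclass


@dataclass
class Mapping:
    """One NAPT binding: private flow -> public port, aged by inactivity."""
    flow: tuple            # (src_ip, src_port, dst_ip, dst_port, proto)
    public_port: int
    last_seen: float
    timeout: float         # per-application inactivity-timeout, seconds


class PatPool:
    """Source NAT pool with PAT on a single public address (constructed model)."""

    def __init__(self, public_ip, low=1024, high=65535, random_allocation=False, seed=None):
        if not 0 < low <= high <= 65535:
            raise ValueError("port range must satisfy 0 < low <= high <= 65535")
        self.public_ip = public_ip
        self.low, self.high = low, high
        self.random_allocation = random_allocation
        self._rng = random.Random(seed)
        self._next = low            # cursor used only in sequential mode
        self.by_flow = {}           # flow tuple -> Mapping
        self.by_port = {}           # public port -> Mapping
        self.dropped = 0            # packets dropped for lack of a free port

    def _free_port(self):
        """Pick an unused public port, or None when the range is exhausted."""
        free = [p for p in range(self.low, self.high + 1) if p not in self.by_port]
        if not free:
            return None
        if self.random_allocation:
            return self._rng.choice(free)
        # sequential (the Junos default): next unused port after the cursor, wrapping
        for _ in range(self.high - self.low + 1):
            p = self._next
            self._next = self.low if p >= self.high else p + 1
            if p not in self.by_port:
                return p
        return None

    def expire(self, now):
        """Drop mappings whose inactivity-timeout elapsed; returns how many."""
        stale = [m for m in self.by_port.values() if now - m.last_seen >= m.timeout]
        for m in stale:
            del self.by_port[m.public_port]
            del self.by_flow[m.flow]
        return len(stale)

    def translate(self, flow, now, timeout=30.0):
        """Return (public_ip, public_port) for this flow, or None if the packet is dropped."""
        self.expire(now)
        m = self.by_flow.get(flow)
        if m is None:
            port = self._free_port()
            if port is None:
                self.dropped += 1   # no free port: drop rather than leak the private source
                return None
            m = Mapping(flow, port, now, timeout)
            self.by_flow[flow] = m
            self.by_port[port] = m
        m.last_seen = now
        return self.public_ip, m.public_port


def public_ports_for(pool, n, now=0.0, timeout=5.0):
    """Translate n constructed DNS flows whose private source ports are randomized
    (as a resolver doing source-port randomization would) and return the public
    ports the pool hands out, so the allocation pattern can be inspected."""
    rng = random.Random(1)
    out = []
    for i in range(n):
        flow = ("10.0.0.%d" % (i + 1), rng.randint(1024, 65535), "198.51.100.53", 53, "udp")
        result = pool.translate(flow, now, timeout)
        out.append(None if result is None else result[1])
    return out
```

With sequential allocation the public ports come out as 2000, 2001, 2002, ... regardless of the randomized private ports, which is the loss of entropy the DNS cache-poisoning slides refer to; with random_allocation the same flows get unpredictable ports from the range.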
NAT statefulness, anomaly detection and ALGs
• Deep dive into Junos OS NAT implementation details, covering statefulness mechanisms, ALG definition and application, error generation, etc.
NAT statefulness, anomaly detection and ALGs
• 3.1 - Statefulness and anomaly detection
• 3.1.1 - SYN cookies
• 3.1.2 - SYN attacks
• 3.1.3 - ICMP errors
• 3.1.4 - Protocol header errors
• 3.1.5 - TCP tickles
• 3.2 - Application Level Gateways (ALGs)
• 3.2.1 - Default Junos definitions
• 3.2.2 - Customization (reassignment of ports, timers)
Statefulness and anomaly detection
• The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:
• IP anomalies
• IP address anomalies
• IP fragmentation anomalies
• TCP anomalies
• UDP anomalies
• Anomalies found through stateful TCP or UDP checks
• Packets dropped according to stateful firewall rules
Statefulness and anomaly detection
• If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:
• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink
SYN cookies
SYN Cookie is a stateless SYN proxy mechanism you can use in conjunction with the defenses against a SYN flood attack.

As with traditional SYN proxying, SYN Cookie is activated when the SYN flood attack threshold is exceeded. However, because SYN Cookie is stateless, it does not set up a session or perform policy and route lookups upon receipt of a SYN segment, and it maintains no connection request queues. This dramatically reduces CPU and memory usage and is the primary advantage of using SYN Cookie over the traditional SYN proxying mechanism.

When SYN Cookie is enabled on JUNOS software and becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, JUNOS software drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.

If the initiating host responds with a TCP packet containing the cookie +1 in the TCP ACK field, JUNOS software extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, JUNOS software starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When JUNOS software receives a SYN/ACK from the server, it sends ACKs to the server and to the initiating host. At this point the connection is established and the host and server are able to communicate directly.
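The exchange described above as an added Python illustration (not Junos code): the cookie is derived from the 4-tuple and the client's ISN and becomes the SYN/ACK's ISN, nothing is stored for the SYN, and the returning ACK is validated statelessly by subtracting 1 and recomputing. The per-device secret mixed into the hash is an assumption of this example, not something the slide states.

```python
import hashlib
import ipaddress
import struct

# Assumption of this example: a per-device secret mixed into the hash so that a
# third party knowing only the 4-tuple cannot forge a valid third-packet ACK.
SECRET = b"constructed-example-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, secret=SECRET):
    """32-bit cookie: truncated MD5 over (src addr/port, dst addr/port, client ISN, secret)."""
    material = (ipaddress.ip_address(src_ip).packed
                + ipaddress.ip_address(dst_ip).packed
                + struct.pack("!HHI", src_port, dst_port, client_isn & MASK32)
                + secret)
    return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def syn_ack_for(syn):
    """Proxy's reply to a SYN: the cookie becomes the ISN; nothing is stored."""
    cookie = syn_cookie(syn["src_ip"], syn["src_port"], syn["dst_ip"], syn["dst_port"], syn["seq"])
    return {"src_ip": syn["dst_ip"], "src_port": syn["dst_port"],
            "dst_ip": syn["src_ip"], "dst_port": syn["src_port"],
            "seq": cookie, "ack": (syn["seq"] + 1) & MASK32, "flags": "SA"}


def client_final_ack(syn, syn_ack):
    """What a real client sends after the SYN/ACK: seq = ISN+1, ack = cookie+1."""
    return {"src_ip": syn["src_ip"], "src_port": syn["src_port"],
            "dst_ip": syn["dst_ip"], "dst_port": syn["dst_port"],
            "seq": (syn["seq"] + 1) & MASK32,
            "ack": (syn_ack["seq"] + 1) & MASK32, "flags": "A"}


def validate_ack(ack):
    """Stateless check: subtract 1 from the ACK field, recompute the cookie from
    the packet's own 4-tuple and (seq - 1) = the original client ISN, compare."""
    client_isn = (ack["seq"] - 1) & MASK32
    expected = syn_cookie(ack["src_ip"], ack["src_port"], ack["dst_ip"], ack["dst_port"], client_isn)
    return ((ack["ack"] - 1) & MASK32) == expected


def handshake_demo():
    """Constructed exchange: one legitimate client, one ACK with a wrong cookie,
    and one ACK arriving from an address the SYN/ACK was never sent to."""
    syn = {"src_ip": "198.51.100.7", "src_port": 40123, "dst_ip": "203.0.113.80",
           "dst_port": 443, "seq": 0x1A2B3C4D, "flags": "S"}
    syn_ack = syn_ack_for(syn)
    good = client_final_ack(syn, syn_ack)
    wrong_cookie = dict(good, ack=(good["ack"] + 12345) & MASK32)
    spoofed = dict(good, src_ip="198.51.100.9")   # SYN/ACK went to .7, not .9
    return validate_ack(good), validate_ack(wrong_cookie), validate_ack(spoofed)
```

A flood of SYNs with spoofed sources costs the proxy only one hash and one SYN/ACK each; the spoofed hosts never answer, so no state is ever created for them.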
SYN cookies (contd.)
SYN attacks
• A SYN flood attack sends TCP connection requests faster than a machine can process them. The flow of a SYN flood attack is as follows:
• An attacker creates a random source address for each packet.
• The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address.
• The victim responds to the spoofed IP address and waits for confirmation that never arrives.
• The connection table begins to fill up while the victim waits for replies.
• After the table fills up, all new connections, including legitimate user requests, are ignored.
• In IDP, the SYN-Protector rulebase provides the ability to minimize and prevent these types of attacks.
SYN attacks (contd.)
• You can set the following parameters for proxying uncompleted TCP connection requests:
• Attack Threshold: This option allows you to set the number of SYN segments (that is, TCP segments with the SYN flag set) to the same destination address and port number per second required to activate the SYN proxying mechanism.
• Alarm Threshold: This option allows you to set the number of proxied, half-complete TCP connection requests per second after which JUNOS software enters an alarm in the event log.
• Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before JUNOS software begins dropping connection requests from that source.
SYN attacks (contd.)
• Destination Threshold: This option allows you to specify the number of SYN segments received per second for a single destination IP address before JUNOS software begins dropping connection requests to that destination.
• Timeout: This option allows you to set the maximum length of time before a half-completed connection is dropped from the queue. The default is 20 seconds.
ICMP errors
• ICMP protocol errors:
• IP data length less than minimum ICMP header length (8 bytes): the ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.
• ICMP error length inconsistencies: the minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.
• Ping duplicate sequence number: the received ping packet has a duplicate sequence number.
• Ping mismatched sequence number: the received ping packet has a mismatched sequence number.
Protocol Header Errors
• TCP protocol errors:
• TCP header length inconsistencies: the minimum TCP header length is 20 bytes, and the IP packet received does not contain at least 20 bytes.
• Source or destination port number is zero: the TCP source or destination port is zero.
• Illegal sequence number, flags combination: dropped because of TCP errors, such as an illegal sequence number, which causes an illogical combination of flags to be set.
• SYN attack (multiple SYN messages seen for the same flow): multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.
Protocol Header Errors (contd.)
• First packet not SYN: the first packets for a connection are not SYN packets. These packets might originate from previous connections or from someone performing an ACK/FIN scan.
• TCP port scan (Handshake, RST seen from server for SYN): in the case of a SYN defender, if an RST (reset) packet is received instead of a SYN/ACK message, someone is probably trying to scan the server. This behavior can result in false alarms if the RST packet is not combined with an intrusion detection service (IDS).
• Bad SYN cookie response: SYN cookie generates a SYN/ACK message for all incoming SYN packets. If the ACK received for the SYN/ACK message does not match, this counter is incremented.
Protocol Header Errors (contd.)
• UDP protocol errors:
• IP data length less than minimum UDP header length (8 bytes): the minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.
• Source or destination port is zero: the UDP source or destination port is 0.
• UDP port scan (ICMP error seen for UDP flow): an ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.
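The stateless header checks from the ICMP, TCP and UDP error lists above (short ICMP/TCP/UDP headers, the 48..576 byte bound on ICMP errors, zero ports, illegal TCP flag combinations), implemented over raw IPv4 packets as an added Python example. This is written for this page, not Junos code; the counter names and the sample packets are constructed, and the stateful checks (first packet not SYN, repeated SYNs, RST for SYN) are out of scope here because they need flow state.

```python
import ipaddress
import struct

# ICMP types that are "errors" (they carry an embedded IP header), per RFC 792.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def ipv4_packet(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed IPv4 packet (no options, checksum zero) used as test input."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def tcp_segment(sport, dport, flags, seq=1, ack=0):
    """Constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 65535, 0, 0)


def header_anomalies(pkt):
    """Return the names of the per-protocol error counters this packet trips."""
    found = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["ip-truncated-or-not-v4"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    data = pkt[ihl:total_len]
    if proto == 1:                                   # ICMP
        if len(data) < 8:
            found.append("icmp-header-length-below-8")
        elif data[0] in ICMP_ERROR_TYPES and not 48 <= total_len <= 576:
            found.append("icmp-error-length-inconsistent")
    elif proto == 6:                                 # TCP
        if len(data) < 20:
            found.append("tcp-header-length-below-20")
        else:
            sport, dport = struct.unpack("!HH", data[:4])
            flags = data[13] & 0x3F
            syn, fin, rst = flags & 0x02, flags & 0x01, flags & 0x04
            if sport == 0 or dport == 0:
                found.append("tcp-port-zero")
            if flags == 0 or (syn and fin) or (syn and rst):
                found.append("tcp-illegal-flags-combination")
    elif proto == 17:                                # UDP
        if len(data) < 8:
            found.append("udp-header-length-below-8")
        else:
            sport, dport = struct.unpack("!HH", data[:4])
            if sport == 0 or dport == 0:
                found.append("udp-port-zero")
    return found


# Constructed sample traffic, one packet per case.
SAMPLE_PACKETS = {
    "tcp_syn_ok":        ipv4_packet(6, tcp_segment(40000, 80, 0x02)),
    "tcp_syn_fin":       ipv4_packet(6, tcp_segment(40000, 80, 0x03)),
    "tcp_null_flags":    ipv4_packet(6, tcp_segment(40000, 80, 0x00)),
    "tcp_port_zero":     ipv4_packet(6, tcp_segment(0, 80, 0x02)),
    "tcp_short":         ipv4_packet(6, b"\x9c\x40\x00\x50" + b"\x00" * 6),
    "udp_ok":            ipv4_packet(17, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "udp_port_zero":     ipv4_packet(17, struct.pack("!HHHH", 0, 53, 8, 0)),
    "udp_short":         ipv4_packet(17, b"\x9c\x40\x00\x35"),
    "icmp_echo_ok":      ipv4_packet(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    "icmp_short":        ipv4_packet(1, b"\x08\x00\x00\x00"),
    "icmp_unreach_ok":   ipv4_packet(1, struct.pack("!BBHI", 3, 1, 0, 0) + b"\x00" * 28),
    "icmp_unreach_tiny": ipv4_packet(1, struct.pack("!BBHI", 3, 1, 0, 0)),
}


def scan(packets):
    """Run the checks over a dict of packets; returns name -> anomaly list."""
    return {name: header_anomalies(pkt) for name, pkt in packets.items()}
```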
TCP Tickles
• A TCP tickle is sent if the TCP flow appears to be idle (no traffic). In this case, the router implements a TCP tickle by sending an ACK message with the last seen sequence number, minus one, to the end host. This verifies whether the ports are open. If no response is received, the flow is marked for deletion in approximately five seconds.
• See next slide for more details
TCP Tickles (contd.)
• TCP tickles as a liveness detection mechanism
• Upon reaching inactivity-timeout values without TCP traffic, the Services PIC will forge the last ACK packet seen with the last sequence number MINUS ONE.
• If the session is still alive, the remote speaker will reply to the ACK with the next available sequence number.
• This packet will be received by the other remote TCP/IP stack but will be dropped as a duplicate ACK packet.
• Traffic created by this interaction will keep the flow in the Services PIC's table.
• If the Services PIC sees a FIN-flagged packet, the conversation is to be deleted
• Session expired from the flow cache after 4 non-replied TCP tickles
TCP Tickles (contd.)

Reaching inactivity-timeout

Client                    Translator                    Server
   <-- 1st TCP tickle --             -- 1st TCP tickle -->
   <-- 2nd TCP tickle --             -- 2nd TCP tickle -->
   ...
   <-- 4th TCP tickle --             -- 4th TCP tickle -->

Flow expiration if TCP tickles not replied
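The tickle sequence on the previous two slides as an added Python model (not Junos code): a flow-table entry that, once the inactivity-timeout passes, emits an ACK carrying the last seen sequence number minus one, resets when the peer answers, deletes on FIN, and expires after 4 unanswered tickles. The 30-second timeout is the default stated later on this page; the 5-second spacing between tickles and the sequence numbers are assumptions.

```python
from dataclasses import dataclass

MAX_TICKLES = 4                  # from the slide: expire after 4 unanswered tickles
MASK32 = 0xFFFFFFFF


@dataclass
class Tickle:
    """The forged keep-alive: an ACK carrying the last seen sequence number minus one."""
    seq: int
    ack: int
    flags: str = "A"


@dataclass
class TcpFlowEntry:
    """One direction of a translated TCP conversation in the flow table."""
    last_seq: int                      # last sequence number seen from this end host
    last_ack: int
    last_seen: float                   # time of the last real packet
    inactivity_timeout: float = 30.0   # TCP default per this page; assumed here
    tickle_interval: float = 5.0       # assumed spacing between tickles
    tickles_sent: int = 0
    state: str = "ESTABLISHED"

    def observe(self, now, seq, ack, flags=""):
        """Real traffic refreshes the entry; a FIN marks the conversation for deletion."""
        self.last_seq, self.last_ack, self.last_seen = seq, ack, now
        self.tickles_sent = 0
        if "F" in flags:
            self.state = "DELETE"
        return self.state

    def tick(self, now):
        """Timer callback: returns a Tickle to send, or None. Expires the flow
        once MAX_TICKLES tickles have gone unanswered."""
        if self.state != "ESTABLISHED":
            return None
        due = self.last_seen + self.inactivity_timeout + self.tickles_sent * self.tickle_interval
        if now < due:
            return None
        if self.tickles_sent >= MAX_TICKLES:
            self.state = "EXPIRED"
            return None
        self.tickles_sent += 1
        return Tickle(seq=(self.last_seq - 1) & MASK32, ack=self.last_ack)


def simulate(entry, peer_alive, until=55.0, step=5.0, peer_snd_nxt=5000, peer_rcv_nxt=9000):
    """Drive the timer from t=0 and return the event log. A live peer answers a
    tickle at once with its current sequence numbers (the other stack then drops
    that reply as a duplicate ACK, but the translator has seen traffic)."""
    events = []
    t = 0.0
    while t <= until:
        tickle = entry.tick(t)
        if tickle is not None:
            events.append(("tickle", t, tickle.seq))
            if peer_alive:
                entry.observe(t, seq=peer_snd_nxt, ack=peer_rcv_nxt)
                events.append(("reply", t))
        if entry.state == "EXPIRED":
            events.append(("expired", t))
            break
        t += step
    return events
```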
Application Layer Gateway
• Some applications, such as FTP, H.323, RTSP used by RealAudio, and SIP, are more difficult to predict because the application may initiate separate connections for data and control flows or may generate new protocol flows based on an open connection.
Example of why an ALG is needed
• An active outgoing FTP uses both a control and a data channel. First, the TCP three-way handshake is established between the client (84.10.113.0) and the server (84.10.113.1) using a destination port of 20:
02:21:00.500569  In IP 84.10.113.0.4290 > 84.10.113.1.20: Syn
02:21:00.500627 Out IP 84.10.113.1.20 > 84.10.113.0.4290: Syn Ack
02:21:00.510683  In IP 84.10.113.0.4290 > 84.10.113.1.20: . Ack
• Then the server initiates a new connection for the data transfer using a new source port of 21 and a destination port that the client gives to the server in the initial connection using a PORT command (56958, in this case):
02:26:28.024058 Out IP 84.10.113.1.21 > 84.10.113.0.56958: Syn
02:26:28.032298  In IP 84.10.113.0.56958 > 84.10.113.1.21: Syn Ack
02:26:28.032362 Out IP 84.10.113.1.21 > 84.10.113.0.56958: . Ack
Example of why an ALG is needed
• So, the problem with the active mode FTP application and standard firewall rules is that the connections are initiated by both the server and the client, and the connection initiated by the server to the client uses an unpredictable port number.
Example of why an ALG is needed (contd.)
• The ALG solves this problem by looking deep into the packets during the initial connection phase for the PORT command, which indicates which port number the client will be expecting from the server during the data phase, allowing the firewall to create a predictable pinhole for the server-to-client connection.
• Note: If passive FTP is used, all connections are initiated from the client to the server, but the ALG must still monitor the PORT command from the server to open the data connection.
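What the ALG described above has to do when the FTP client sits behind source NAT, as an added Python example (not Junos code): parse the PORT command on the control channel, rewrite it to the pool's public address and an allocated public port, record the pinhole, and later decide whether an inbound server SYN matches one. It reuses the addressing from this section's slides (client 192.168.0.2 behind 213.13.10.2, server 84.10.113.1, client data port 56958); the class and method names, the port list and the PORT-for-a-third-host handling are assumptions of the example.

```python
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(payload):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), or None if malformed."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    port = n[4] * 256 + n[5]
    if port == 0:
        return None
    return ".".join(str(v) for v in n[:4]), port


def format_port(ip, port):
    """Encode (ip, port) back into the PORT command's comma-separated form."""
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ("PORT " + ",".join(fields) + "\r\n").encode("ascii")


class FtpAlg:
    """Minimal active-mode FTP ALG for a source-NAT'd client (constructed model)."""

    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self._ports = iter(port_pool)   # assumption: public ports handed out by the NAT pool
        self.pinholes = []              # entries the stateful firewall will honour

    def on_control_data(self, payload, client_ip, server_ip):
        """Inspect client->server control-channel data. Returns the payload to
        forward (PORT rewritten to the public address/port), or None to drop."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload                  # not a well-formed PORT: forward unchanged
        priv_ip, priv_port = parsed
        if priv_ip != client_ip:
            # PORT naming a host other than the client: forward it but open no
            # pinhole, so the server's data SYN is dropped by the stateful firewall
            return payload
        pub_port = next(self._ports, None)
        if pub_port is None:
            return None                     # no free port in the pool: drop the packet
        self.pinholes.append({"proto": "tcp", "server": server_ip,
                              "public": (self.public_ip, pub_port),
                              "private": (priv_ip, priv_port)})
        return format_port(self.public_ip, pub_port)

    def match_inbound(self, src_ip, dst_ip, dst_port):
        """For a server->client SYN, return the private (ip, port) to translate to,
        or None when no pinhole matches (the SYN is then dropped)."""
        for h in self.pinholes:
            if h["server"] == src_ip and h["public"] == (dst_ip, dst_port):
                return h["private"]
        return None


def demo():
    """Constructed exchange using the slides' addressing: private client
    192.168.0.2 behind public 213.13.10.2, FTP server 84.10.113.1."""
    alg = FtpAlg("213.13.10.2", port_pool=[1500])
    rewritten = alg.on_control_data(b"PORT 192,168,0,2,222,126\r\n", "192.168.0.2", "84.10.113.1")
    target = alg.match_inbound("84.10.113.1", "213.13.10.2", 1500)
    stranger = alg.match_inbound("203.0.113.9", "213.13.10.2", 1500)
    return rewritten, target, stranger
```

The server sees "PORT 213,13,10,2,5,220" and connects to 213.13.10.2:1500, which the pinhole maps back to 192.168.0.2:56958; a SYN to the same public port from any other source finds no pinhole and is dropped.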
Default Junos Definitions
• The JUNOS Software provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your router. The junos-defaults group contains preconfigured statements that contain predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet.  Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.
• To view the full set of available preset statements from the JUNOS default group, issue the show groups junos-defaults configuration mode command.
Default Junos Definitions
• Note: You can override the JUNOS default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added.
• You cannot use the apply-groups statement with the JUNOS defaults group.
Customization of Application
• Applications allow you to fine-tune how the applications will work
• Through applications, one chooses the type of NAT that will be in place in the configuration
• JUNOS has its own default applications, and those can be used as a default basis or changed
• Since JUNOS 13.1 the default applications cannot be changed; if any different value is required, a new application must be created
Why is it so important to optimize the timers?
• Imagine a mobile Internet service provider
• You are the client and are using the Internet on your smartphone to surf the Internet, synchronize mail, access social networks, etc.
• All accesses use a DNS server to get the corresponding IP address of the desired services
• DNS creates a lot of requests, per second or per minute
• Junos has default application time-outs that age the port mapping after a given period of time
• To avoid a port/mapping staying open and consuming a port allocation, some applications must age faster than others to provide this behavior
Why is it so important to optimize the timers?
• For instance, it is recommended that the DNS service be aged in 5 seconds, avoiding a port staying in use/mapped with no service
Customization of ALG
• A Junos application object is a construct to define a network application using information from layer 3 and above.
• Arbitrary ALGs can be defined and applied for NAT or SFW by specifying the application-protocol parameter

application <application-name> {
    application-protocol <application-protocol-name>;
    protocol <number>;
    destination-port [ <port> ];
    source-port [ <port> ];
    snmp-command [ <command> ];
    icmp-type [ <value> ];
    icmp-code [ <value> ];
    ttl-threshold <value>;
    rpc-program-number <number>;
    uuid <hex-values>;
    inactivity-timeout <timeout value>;
}

Slide callouts:
• application-protocol: ALG name
• protocol: IP protocol number
• snmp-command: GET, GETNEXT, TRAP
• ttl-threshold: traceroute ttl-threshold value, used to control the acceptable level of network penetration for traceroute
• rpc-program-number: range 100000-400000 for DCE or RPC
• uuid: for DCE RPC objects
• inactivity-timeout: specific inactivity timeout per application. Allows an application to override global timeout values from the SP; the default for UDP, ICMP, IP and TCP (until tickles) is 30 seconds
• NOTE: Global inactivity-timeout set to 1500 at the APN Multiservicio setup
Customization of ALG (contd.)
• The following example shows a custom configuration for DNS:
admin@MX-CGNAT-RE0> show configuration applications
application DNS {
application-protocol dns;
protocol udp;
destination-port 53;
inactivity-timeout 200;
}
Applications
• List of minimum applications recommended for a CGNAT implementation:

application-set ALG-SET-noEIM-noEIF {
    application appl-junos-sip;
    application appl-junos-syslog;
    application appl-alt-http-tomcat;
    application appl-android-google-play;
    application appl-apple-xmpp;
    application appl-ms-rdp;
    application appl-junos-ssmtp;
    application appl-junos-ssmtp-ssl;
    application appl-squid-proxy;
    application appl-vnc-tcp;
    application appl-junos-citrix-winframe-udp;
    application appl-junos-citrix-winframe-tcp;
    application appl-junos-dns-udp;
    application appl-junos-ftp;
    application appl-junos-tftp;
    application appl-junos-http;
    application appl-junos-https;
    application appl-junos-imap;
    application appl-junos-imaps;
    application appl-junos-ldap;
    application appl-junos-nntp;
    application appl-junos-pop3;
    application appl-junos-spop3;
    application appl-junos-pptp;
    application appl-junos-printer;
    application appl-junos-smtp;
    application appl-junos-ssh;
    application appl-junos-talk-tcp;
    application appl-junos-telnet;
    application appl-junos-icmp-all;
    application appl-junos-ike;
    application appl-junos-ipsec-esp;
    application appl-junos-talk-udp;
    application appl-junos-ntalk;
    application appl-junos-ntp;
    application appl-junos-snmp-get-next;
    application appl-junos-snmp-get;
    application appl-junos-snmp-response;
    application appl-junos-snmp-trap;
    application appl-junos-traceroute;
}
NAT Order of Operation

[Configure Service Interfaces] -> [Configure NAT Pool Information] -> [Configure NAT Rules] -> [Configure Service-Set]

• The above is an example of how the different components of a service set can be configured to create a service on the router.
• They can be configured in any order, except that the service-set itself can't be configured completely until the previous 3 components have been created.
Thank You