Wednesday, April 30, 2008

Firewall session inactivity configuration - TR-069 Support

Firewalls maintain a session entry for each 5-tuple connection. Session entries are created upon the first packet of the connection. TCP sessions are removed whenever a TCP RST packet is observed or ACKs for the TCP FINs are observed in both directions. Sessions are also removed when there is no traffic for some period of time; this period is called the inactivity timeout period. Non-TCP sessions such as UDP and ICMP sessions are removed only due to inactivity, as they don't have any connection boundaries.

There are multiple application protocols (services) running on TCP and UDP transports, such as FTP, Telnet, SSH, HTTP, LDAP, RADIUS, SMTP, POP3, IMAP etc. Some application protocols are interactive and many are non-interactive. Telnet, SSH and FTP are interactive applications. HTTP, HTTPS and many others are non-interactive. In non-interactive applications, once the connection is made to the server, there is no user input in between until the connection is terminated; the entire user input is taken before making the connection. In interactive applications, user input is taken after the connection is established. The inactivity timeout period for non-interactive protocols can be in terms of tens of seconds. Since interactive applications wait for user input, a short inactivity timeout value may remove the session if the user does not feed any input for a longer duration. So, interactive application protocols require a longer inactivity timeout. If a longer inactivity timeout is configured for non-interactive application protocols, there is a danger of keeping stale sessions for a longer time, and that may result in a session entry exhaustion problem. So, there is a need to provide different inactivity timeout values for different protocols.

Please refer to the document on maximizing firewall availability. One of the techniques suggested there is 'INIT Flow Timer optimization'. This approach suggests having a separate inactivity timeout period during the connection establishment phase (the TCP 3-way handshake). This inactivity timeout value can be far less than the inactivity timeout needed after the connection is established.

Keeping both of the above points in mind, the session inactivity configuration includes the following:
  • TCP Pre Connection inactivity timeout: Inactivity timeout during the connection establishment phase.
  • UDP Pre Connection inactivity timeout: UDP does not have any connection establishment phase. For this discussion, the UDP connection establishment phase is considered complete when at least one packet has been seen in both directions of the connection (client to server and server to client).
  • TCP Inactivity timeout: Inactivity timeout value after the TCP connection is established.
  • UDP Inactivity timeout: Inactivity timeout value after the UDP session is established.
  • Generic IP inactivity timeout: Inactivity timeout value for non-TCP and non-UDP sessions.
  • TCP FIN timeout: Inactivity timeout after TCP FINs are observed in both directions.
  • Application protocol specific timeout records. Each record contains:
    • Application protocol information: Protocol and Port
    • Inactivity timeout value: This inactivity timeout value is used after the connection is established. If there is no matching application protocol specific inactivity timeout record, then the TCP, UDP or generic IP inactivity timeout value is used.

TR-069 based configuration:
  • internetGatewayDevice.security.VirtualInstance.{i}.firewall.serviceInactivityTimeout P
    • tcpPreConnTimeOut: RW, Unsigned Int, Default: 10 seconds - Value in seconds.
    • udpPreConnTimeOut: RW, Unsigned Int, Default: 10 seconds - Value in seconds.
    • tcpTimeOut: RW, Unsigned Int, Default: 60 seconds - Value in seconds.
    • tcpFinTimeOut: RW, Unsigned Int, Default: 10 seconds - Value in seconds.
    • udpTimeOut: RW, Unsigned Int, Default: 60 seconds - Value in seconds.
    • IPTimeOut: RW, Unsigned Int, Default: 60 seconds - Value in seconds.
    • internetGatewayDevice.security.VirtualInstance.{i}.firewall.serviceInactivityTimeout.applicationTimeout.{i} PC
      • name: String(32), RW, Name of the record. Once the record is created, this can't be changed.
      • Description: String(128), RW, Optional - Description of the record.
      • protocol: String(8), RW, Mandatory - Takes values "tcp", "udp"
      • port: String(8), RW, Mandatory - Takes the port value
      • inactivityTimeout: Unsigned Int, RW, Mandatory - Inactivity timeout in seconds.
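The following is an added example (not code from the original post or from any TR-069 stack) that puts the timeout list and the TR-069 parameters above into one session table: each session sits in a pre-connection, established or FIN-wait state, and the timeout that applies is chosen from that state, the transport, and any matching applicationTimeout record. The defaults mirror the serviceInactivityTimeout values listed above; the packet-to-state rules (a TCP entry opens only on a bare SYN, UDP/other counts as established once traffic has flowed both ways, a non-TCP/UDP session has no pre-connection phase) are this example's own assumptions, as are the IP addresses and ports used to drive it.

```python
"""Session table with state-dependent inactivity timeouts. Added example: not code from
the original post; defaults mirror the serviceInactivityTimeout parameters above."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Key = Tuple[str, int, str, int, str]  # src_ip, src_port, dst_ip, dst_port, protocol


@dataclass
class TimeoutConfig:
    tcp_pre_conn: int = 10   # tcpPreConnTimeOut
    udp_pre_conn: int = 10   # udpPreConnTimeOut
    tcp: int = 60            # tcpTimeOut
    tcp_fin: int = 10        # tcpFinTimeOut
    udp: int = 60            # udpTimeOut
    ip: int = 60             # IPTimeOut (non-TCP, non-UDP)
    # applicationTimeout.{i} records: (protocol, port) -> inactivityTimeout
    app_records: Dict[Tuple[str, int], int] = field(default_factory=dict)


@dataclass
class Session:
    key: Key                 # stored in the client->server direction
    last_seen: float
    state: str = "pre"       # "pre", "established" or "fin"
    seen: Set[str] = field(default_factory=set)       # directions with traffic: "fwd"/"rev"
    fins: Set[str] = field(default_factory=set)       # directions in which a FIN was seen
    fin_acked: Set[str] = field(default_factory=set)  # directions whose FIN has been ACKed


class SessionTable:
    def __init__(self, cfg: TimeoutConfig):
        self.cfg = cfg
        self.sessions: Dict[Key, Session] = {}

    def timeout_for(self, s: Session) -> int:
        """Inactivity timeout that applies to the session in its current state."""
        proto, dport = s.key[4], s.key[3]
        if s.state == "pre":
            if proto == "tcp":
                return self.cfg.tcp_pre_conn
            if proto == "udp":
                return self.cfg.udp_pre_conn
            return self.cfg.ip   # assumption: other IP protocols have no pre-connection phase
        if s.state == "fin":
            return self.cfg.tcp_fin
        app = self.cfg.app_records.get((proto, dport))   # application record wins if present
        if app is not None:
            return app
        return {"tcp": self.cfg.tcp, "udp": self.cfg.udp}.get(proto, self.cfg.ip)

    def packet(self, src: str, sport: int, dst: str, dport: int, proto: str,
               now: float, flags: FrozenSet[str] = frozenset()) -> Optional[Session]:
        """Feed one packet; return its session, or None if it was removed or ignored."""
        fwd_key: Key = (src, sport, dst, dport, proto)
        rev_key: Key = (dst, dport, src, sport, proto)
        if fwd_key in self.sessions:
            s, forward = self.sessions[fwd_key], True
        elif rev_key in self.sessions:
            s, forward = self.sessions[rev_key], False
        else:
            # First packet creates the entry; a TCP entry is only opened by a bare SYN
            if proto == "tcp" and ("SYN" not in flags or "ACK" in flags):
                return None
            s = Session(key=fwd_key, last_seen=now, seen={"fwd"})
            self.sessions[fwd_key] = s
            return s
        s.last_seen = now
        d, peer = ("fwd", "rev") if forward else ("rev", "fwd")
        s.seen.add(d)
        if proto != "tcp":
            if len(s.seen) == 2:                  # UDP/other: traffic seen both ways
                s.state = "established"
            return s
        if "RST" in flags:
            del self.sessions[s.key]
            return None
        if s.state == "pre" and forward and "ACK" in flags and "rev" in s.seen:
            s.state = "established"               # third leg of the 3-way handshake
        if "ACK" in flags and peer in s.fins:     # ACK after the peer's FIN acknowledges it
            s.fin_acked.add(peer)
        if "FIN" in flags:
            s.fins.add(d)
            if len(s.fins) == 2:
                s.state = "fin"                   # tcpFinTimeOut now applies
        if len(s.fin_acked) == 2:
            del self.sessions[s.key]              # both FINs acknowledged: normal close
            return None
        return s

    def expire(self, now: float) -> List[Key]:
        """Remove every session idle for at least its timeout; return the removed keys."""
        dead = [k for k, s in self.sessions.items() if now - s.last_seen >= self.timeout_for(s)]
        for k in dead:
            del self.sessions[k]
        return dead
```

To drive it, construct a `TimeoutConfig` (for instance with an `app_records` entry of `("tcp", 22): 600` so SSH keeps the long interactive timeout), feed packets through `packet()` with the TCP flags as a frozenset of strings, and call `expire(now)` periodically. With the defaults, a half-open SYN is dropped after 10 seconds while an established HTTP session survives for 60, which is exactly the INIT-flow-timer separation the post argues for; an established session on a port with an applicationTimeout record uses that record instead of the transport default.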
