10.4 Session Filtering
10.4.3 How reflexive access lists work
Like standard and extended access lists, reflexive access lists contain condition statements (that is, entries) that define criteria for permitting IP packets (see the Figure). The router evaluates these entries in order, and when a match occurs, no more entries are evaluated. However, reflexive access lists have significant differences from other types of access lists. Reflexive access lists contain only temporary entries. These entries are automatically created when a new IP session begins (for example, with an outbound packet), and the entries are removed when the session ends.

Reflexive access lists are not applied directly to an interface, but they are "nested" within an extended named IP access list that is applied to the interface. Because reflexive lists are nested in extended lists, they do not have the implicit deny ip any any statement at the end of the list.

Compared to using the established argument, reflexive access lists provide a truer form of session filtering. This method is much harder to spoof because more filter criteria must be matched before a packet is permitted through. (For example, source and destination addresses and port numbers are checked, not just ACK and RST bits.) Also, session filtering uses temporary filters that are removed when a session is over. This limits the hacker's attack opportunity to a smaller time window.

A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside the network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry. This entry permits traffic to enter your network only if that traffic is part of the session; anything that is not part of the session is not permitted by the entry. For example, if the first packet of a TCP session is forwarded out, a new, temporary reflexive access list entry will be created. This entry is added to the reflexive access list, which applies to inbound traffic. The temporary entry has the following characteristics:

  • The entry is always a permit entry.
  • The entry specifies the same protocol (such as TCP) as the original outbound packet.
  • The entry specifies the same source and destination port numbers (for TCP and UDP only) as the original outbound packet, except that the port numbers are swapped.
  • For protocols that do not have port numbers, such as ICMP and Internet Group Management Protocol (IGMP), other criteria are specified. For example, for ICMP, type numbers are used instead.
  • Inbound traffic will be evaluated against the reflexive entry, until the entry expires. If an inbound packet matches the entry, the inbound packet will be forwarded into your network.
  • The entry will expire (be removed) after the last packet of the session passes through the interface.
  • If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.

Temporary reflexive access list entries are removed at the end of the session. For TCP sessions, the entry is removed 5 seconds after two set FIN bits are detected, or immediately after matching a TCP packet with the RST bit set. Two set FIN bits in a session indicate that the session is about to end; the 5-second window allows the session to close gracefully. A set RST bit indicates an abrupt session close. Alternatively, the temporary entry is removed after no packets of the session have been detected for a configurable length of time (the timeout period).

Unlike TCP, UDP and other connectionless protocols do not include session tracking information in either the Layer 3 or Layer 4 headers, so the exact end of a session cannot be known. Therefore, the end of a session is considered to be when no packets of the session have been detected for a configurable length of time (the timeout period).
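To make the entry lifecycle described above concrete, the following is an added Python model of a reflexive list (it is not IOS code and not part of the original text): the outbound packet's protocol and addresses are mirrored with the ports swapped into a temporary permit entry, and the entry is removed immediately on RST, 5 seconds after the second FIN, or after the idle timeout. Addresses, ports and timestamps are constructed sample values.

```python
from dataclasses import dataclass

FIN, RST = 0x01, 0x04  # TCP flag bits used by this model

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    time: float     # seconds; drives the expiry checks
    flags: int = 0  # TCP flags; ignored for UDP

class ReflexiveList:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout  # idle timeout in seconds (configurable)
        self.entries = {}       # inbound 5-tuple -> per-session state

    def outbound(self, pkt: Packet) -> None:
        # Temporary permit entry: same protocol, addresses and ports swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        e = self.entries.setdefault(key, {"fins": 0, "close_at": None})
        e["last_seen"] = pkt.time
        self._track_tcp(key, pkt)

    def inbound(self, pkt: Packet) -> bool:
        self.expire(pkt.time)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        e = self.entries.get(key)
        if e is None:
            return False  # not part of any tracked session: entry does not permit it
        e["last_seen"] = pkt.time
        self._track_tcp(key, pkt)
        return True  # matched a live reflexive entry

    def _track_tcp(self, key, pkt: Packet) -> None:
        e = self.entries[key]
        if pkt.proto == "tcp" and pkt.flags & RST:
            del self.entries[key]  # abrupt close: remove immediately
        elif pkt.proto == "tcp" and pkt.flags & FIN:
            e["fins"] += 1
            if e["fins"] == 2:
                e["close_at"] = pkt.time + 5.0  # two FINs: 5-second grace window

    def expire(self, now: float) -> None:
        for key, e in list(self.entries.items()):
            if now - e["last_seen"] >= self.timeout or (
                    e["close_at"] is not None and now >= e["close_at"]):
                del self.entries[key]  # idle timeout, or FIN grace window elapsed
```

UDP entries never see FIN or RST, so in this model they end only through the idle timeout, exactly as the text describes for connectionless protocols.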