Like standard and extended access
lists, reflexive access lists contain condition statements (that is,
entries) that define criteria for permitting IP packets (see the
Figure). The router evaluates these entries in order, and when a
match occurs, no more entries are evaluated. However, reflexive
access lists have significant differences from other types of access
lists. Reflexive access lists contain only temporary entries. These
entries are automatically created when a new IP session begins (for
example, with an outbound packet), and the entries are removed when
the session ends.
Reflexive access lists are not applied directly to an interface,
but they are "nested" within an extended named IP access
list that is applied to the interface. Because reflexive lists are
nested in extended lists, they do not have the implicit
deny ip any any statement at the end of the list.
Compared to using the established argument, reflexive access lists
provide a truer form of session filtering. This method is much harder to
spoof because more filter criteria must be matched before a packet
is permitted through: source and destination addresses and port
numbers are checked, not just the ACK and RST bits. Also, session
filtering uses temporary filters that are removed when a session is
over, which limits the attacker's window of opportunity.
A reflexive access list is triggered when a new IP upper-layer
session (such as TCP or UDP) is initiated from inside the network,
with a packet traveling to the external network. When triggered, the
reflexive access list generates a new, temporary entry. This entry
will permit traffic to enter your network if the traffic is part of
the session, but it will not permit traffic to enter your network if
the traffic is not part of the session. For example, if the first
packet of a TCP session is forwarded out, a new, temporary reflexive
access list entry will be created. This entry is added to the
reflexive access list, which applies to inbound traffic. The
temporary entry has the following characteristics:
- The entry is a permit entry.
- The entry specifies the same protocol (such as TCP) as the original
  outbound packet.
- The entry specifies the same source and destination addresses as the
  original outbound packet, except that the addresses are swapped.
- The entry specifies the same source and destination port numbers (for
  TCP and UDP only) as the original outbound packet, except that the
  port numbers are swapped.
- For protocols that do not have port numbers, such as ICMP and
  Internet Group Management Protocol (IGMP), other criteria are used;
  for ICMP, for example, the ICMP type number is used instead.
- Inbound traffic is evaluated against the reflexive entry until the
  entry expires. If an inbound packet matches the entry, it is
  forwarded into your network.
- The entry expires (is removed) after the last packet of the session
  passes through the interface.
- If no packets belonging to the session are detected for a
  configurable length of time (the timeout period), the entry expires.
Temporary reflexive access list entries are removed at the end of
the session. For TCP sessions, the entry is removed 5 seconds after
two packets with the FIN bit set are detected, or immediately after
matching a TCP packet with the RST bit set. Two FIN bits in a session
(one from each side) indicate that the session is about to end; the
5-second window allows the session to close gracefully. A set RST bit
indicates an abrupt session close. Alternately, the temporary entry is
removed after no packets of the session have been detected for a
configurable length of time (the timeout period).
Unlike TCP, UDP and other connectionless protocols do not include
session tracking information in either the Layer 3 or Layer 4
headers, so the exact end of a session cannot be known. Therefore,
the end of a session is considered to be when no packets of the
session have been detected for a configurable length of time (the
timeout period).
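As an added illustration of the entry lifecycle described above (the swapped address/port tuple that an inbound packet must match, the 5-second grace period after two FINs, immediate removal on RST, and the idle timeout that is the only session end for UDP), here is a small Python model. It is not Cisco IOS code and does not reproduce the IOS implementation; the class and method names, the 120-second timeout and the hosts and ports in demo() are constructed for the example, and ICMP/IGMP keying is not modelled.

```python
# Added example (not Cisco IOS code): a minimal model of how a reflexive
# access list creates, matches and expires its temporary entries (TCP/UDP only).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIN_GRACE = 5.0  # seconds an entry lingers after both FIN bits are seen


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"}, {"FIN"}, {"RST"}


@dataclass
class Entry:
    last_seen: float                  # drives the idle timeout
    fin_seen: int = 0                 # FIN bits seen, either direction
    close_at: Optional[float] = None  # set once the session is closing


# Key = (proto, inbound src, inbound dst, inbound sport, inbound dport):
# the addresses and ports of the original outbound packet, swapped.
Key = Tuple[str, str, str, int, int]


class ReflexiveList:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout        # analogue of the reflexive-list timeout
        self.entries: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        dead = [k for k, e in self.entries.items()
                if now - e.last_seen > self.timeout
                or (e.close_at is not None and now >= e.close_at)]
        for k in dead:
            del self.entries[k]

    def _track(self, e: Entry, pkt: Packet, now: float) -> None:
        """Refresh the idle timer and apply the TCP FIN/RST close rules."""
        e.last_seen = now
        if pkt.proto != "tcp":
            return                    # UDP: only the idle timeout ends a session
        if "RST" in pkt.flags:
            e.close_at = now          # abrupt close: gone on the next evaluation
        elif "FIN" in pkt.flags:
            e.fin_seen += 1
            if e.fin_seen >= 2 and e.close_at is None:
                e.close_at = now + FIN_GRACE   # both FINs seen: graceful close

    def outbound(self, pkt: Packet, now: float) -> None:
        """An outbound packet matched a 'reflect' statement: create/refresh entry."""
        self._expire(now)
        key: Key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        e = self.entries.setdefault(key, Entry(last_seen=now))
        self._track(e, pkt, now)

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Evaluate an inbound packet; True only if a live entry permits it."""
        self._expire(now)
        e = self.entries.get((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if e is None:
            return False              # not part of any session the list knows
        self._track(e, pkt, now)
        return True


def demo() -> Dict[str, object]:
    """Walk a TCP session, a spoofed packet and a UDP exchange through the list."""
    acl = ReflexiveList(timeout=120.0)
    inside, server, dns = "10.1.1.5", "203.0.113.9", "198.51.100.7"  # constructed
    out: Dict[str, object] = {}
    acl.outbound(Packet("tcp", inside, server, 40000, 80, frozenset({"SYN"})), 0.0)
    reply = Packet("tcp", server, inside, 80, 40000, frozenset({"SYN", "ACK"}))
    out["reply_permitted"] = acl.inbound(reply, 0.1)             # swapped tuple matches
    spoof = Packet("tcp", server, inside, 81, 40000, frozenset({"ACK"}))
    out["spoof_permitted"] = acl.inbound(spoof, 0.2)             # wrong port: no session
    acl.outbound(Packet("tcp", inside, server, 40000, 80, frozenset({"FIN", "ACK"})), 10.0)
    acl.inbound(Packet("tcp", server, inside, 80, 40000, frozenset({"FIN", "ACK"})), 10.1)
    out["entries_after_fins"] = len(acl.entries)                 # still present for 5 s
    out["late_ack_permitted"] = acl.inbound(
        Packet("tcp", server, inside, 80, 40000, frozenset({"ACK"})), 12.0)
    out["reply_after_grace"] = acl.inbound(reply, 20.0)          # entry removed at 15.1
    acl.outbound(Packet("udp", inside, dns, 53000, 53), 100.0)
    udp_reply = Packet("udp", dns, inside, 53, 53000)
    out["udp_reply_permitted"] = acl.inbound(udp_reply, 101.0)
    out["udp_reply_after_timeout"] = acl.inbound(udp_reply, 300.0)  # idle > 120 s
    return out
```

Running demo() shows the two points the text makes: a packet from the same server but a different port is dropped because no entry describes that session, and the UDP entry disappears purely through the idle timeout, since nothing in a UDP header signals the end of the exchange.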