NETWORK BASED APPLICATION RECOGNITION
Tim McSweeney, Product Manager, QoS, Internet Technologies Division
Agenda
- What is Network Based Application Recognition (NBAR)?
- Benefits and hardware support
- NBAR functionality
NBAR: "My Application is too slow!"
Chart (link utilization by application): FTP 30%, Citrix 25%, HTTP 20%, Netshow 15%, Fasttrack 10%
- Intelligent classification engine used with Quality of Service (QoS) class-based features
- Protocol Discovery analyzes application traffic patterns in real time and identifies which traffic is running on the network
- Mark Citrix as interactive traffic and police FTP. Guarantee bandwidth for Citrix!
Cisco IOS QoS Update, 11/03 © 2003 Cisco Systems, Inc. All rights reserved.
NBAR – Intelligent Classification
Capable of classifying applications that have:
- Statically assigned TCP and UDP port numbers
- Non-TCP and non-UDP IP protocols
- Dynamically assigned TCP and UDP port numbers during connection establishment
Classification based on deep packet inspection: NBAR can look deeper into the packet to identify applications, for example HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ]), Citrix ICA traffic, and RTP payload-type classification.
Currently supports 88 protocols/applications.
Notes: NBAR identifies applications/protocols from layer 4 to layer 7. The applications that NBAR can classify include applications that use the following:
- Statically assigned TCP and UDP port numbers
- Non-UDP and non-TCP IP protocols
- Dynamically assigned TCP and UDP port numbers during connection establishment. Classification of such applications/protocols requires stateful inspection, that is, the ability to discover the data connections to be classified by parsing the control connections over which the data connection port assignments are made.
- Sub-port classification, or classification based on deep inspection, that is, classification by looking deeper into the packet. For example, classification based on HTTP URLs, MIME types or host names, and RTP payload-type classification, where NBAR looks for the payload-type field within the RTP header, amongst other criteria, to identify voice and video bearer traffic.
NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform sub-port classification of Citrix traffic based on Citrix published applications. NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA master browser. After the client requests the published application, the Citrix ICA master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.
NBAR ensures that network bandwidth is used efficiently by working with QoS features to provide:
- Guaranteed bandwidth
- Bandwidth limits
- Traffic shaping
- Packet coloring
NBAR introduces several new classification features:
- Classification of applications which dynamically assign TCP/UDP port numbers
- Classification of HTTP traffic by URL, host, or MIME type
- Classification of Citrix ICA traffic by application name
- Classification of application traffic using sub-port information
NBAR can also classify static-port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs. NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet; this is sub-port classification.
NBAR Benefit Footprint and Hardware Support
Deployment points: Enterprise Backbone; Enterprise Premise Edge; Service Provider Aggregation Edge; Service Provider Core
Benefits: application classification; precise QoS treatment; application statistics for bandwidth provisioning; top-n views; threshold settings; mapping applications to an SP's service offering
Platforms: Cisco Catalyst 6500 and 7600 Series MSFC (planned: ASIC, FlexWAN, MWAM); Cisco 7100, 7200 and 7500 Series; Cisco 83x, 1700, 2600-2600XM, 3600 and 3700 Series
Notes: Complete Differentiated Services solution:
- Uniform provisioning of IP QoS on any media and all certified platforms (Modular QoS Command Line Interface)
- Advanced QoS: flexible guaranteed-bandwidth solution (QoS-based routing)
- QoS intelligence and automation: intelligent, automatic QoS (AutoQoS/NBAR) for rapid, low-cost deployment
- High-end QoS: highly scalable per-user and per-application QoS with uniform provisioning and feedback on network state
NBAR Stateful & Dynamic Inspection
Diagram: the IP header fields (ToS, Protocol, Source IP Addr, Dest IP Addr) and the TCP/UDP header fields (Src Port, Dst Port) feed stateful and dynamic inspection; the data payload feeds sub-port/deep inspection.
Supported protocols as of Cisco IOS Software Release 12.2(8)T:
bgp, citrix, cuseeme, dhcp, dns, egp, eigrp, exchange, finger, ftp, gopher, gre, http, icmp, imap, ipinip, ipsec, irc, kerberos, l2tp, ldap, napster, netbios, netshow, nfs, nntp, notes, novadigm, ntp, pcanywhere, pop3, pptp, printer, rcmd, realaudio, secure-ftp, secure-http, secure-irc, secure-ldap, secure-nntp, secure-pop3, secure-telnet, smtp, snmp, socks, sqlnet, sqlserver, ssh, streamwork, syslog, telnet, tftp, vdolive, xwindows
www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm#1031614
Packet Description Language Modules
- Packet Description Language Modules (PDLMs) define the applications recognizable by NBAR
- New applications are supported by adding new PDLMs
- No Cisco IOS Software upgrade or reboot is required to add new PDLMs
- New Cisco IOS Software is required only when an enhanced NBAR infrastructure is needed for new PDLM functionality
- New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
- Only new/updated PDLMs are loaded
- Must be produced by Cisco engineers; opening PDLM authoring to others raises issues of software quality (testing and support), software security (risk of Trojan horses and worms) and SDK infrastructure (development environment)
Notes: An external PDLM can be loaded at run time to extend the NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition capability. PDLMs allow NBAR to recognize new protocols without requiring a new Cisco IOS image or a router reload. New PDLMs are released only by Cisco and are available from local Cisco representatives. They can be loaded from flash memory. Registered users can find them at: http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm
To extend or enhance the list of protocols recognized by NBAR through a Cisco-provided PDLM, use the ip nbar pdlm configuration command. Use the no form of this command to unload a PDLM if it was previously loaded. Use the show ip nbar port-map command to display the current protocol-to-port mappings in use by NBAR. Because a PDLM executes inside the running IOS image, a tampered or third-party module is a compromise of the router itself; load only modules obtained from Cisco.
What is the process of adding new applications to NBAR? Contact cpk@cisco.com (Chetan Khetani, NBAR PM). The customer/field provides the following: an understanding of the application behaviour (does it use static or dynamic ports? is it based on multicast? today NBAR has no multicast support; does it require sub-port classification?) and a sniffer capture of the traffic, basically anything that describes how the application communicates on the network, including a traffic capture. Once this is done, the NBAR team will evaluate the request.
Customers send in their requests through the account team, and the account team fills out the PERS request. At any time you can directly contact the NBAR PM: cpk@cisco.com
Protocol Discovery: Traffic Classification & Real-Time Statistics
- Automatically uses all PDLMs: run Protocol Discovery instead of specifying individual protocols
- Includes statistics for traffic identified with user-defined custom application classification
- Statistics per interface, per protocol: bit rate (bps), packet counts and byte counts
NBAR User-Defined Custom Application Classification (Nov 2003)
Diagram: IP header (ToS, Protocol, Source IP Addr, Dest IP Addr), TCP/UDP header (Src Port, Dst Port), then the data packet, shown as FFFF0000MoonbeamFFFF: the string Moonbeam begins 8 bytes into the payload.
Parameters of the ip nbar custom command, with the example value in parentheses:
- Name: names the match criteria, up to 24 characters (lunar_light)
- Offset: the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte (8, i.e. skip the first 8 bytes)
- Format: the format of the match criteria, ASCII, hex or decimal (ascii)
- Value: the value to match in the packet; if ASCII, up to 16 characters (Moonbeam)
- [source | destination]: optionally restricts the direction of packet inspection; defaults to both directions if not specified
- TCP or UDP: the protocol encapsulated in the IP packet (tcp)
- Range or selected port number(s): "range" with start and end port numbers, spanning up to 1000 ports, or 1 to 16 individual port numbers (range 2000 2999)
Example configuration:
  ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
  class-map solar_system
   match protocol lunar_light
  policy-map astronomy
   class solar_system
    set ip dscp AF21
  interface <>
   service-policy output astronomy
Description: With the ip nbar custom command, users can specify their own match criteria to identify TCP- or UDP-based applications across a range of ports, as well as on specific ports, in addition to the protocols and applications identified natively by NBAR or via downloaded PDLMs imported into NBAR. The user can specify a string or value to match at a specified byte offset within the packet payload. More than 30 custom PDLMs can be created and given user-defined names with the ip nbar custom command.
Benefits: NBAR User-Defined Application Classification enables NBAR users to specify their own criteria to match a string or numeric value inside the data packet to identify application traffic.
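The following is an added example, not code from Cisco or from this deck: a Python model of how an ip nbar custom rule is applied to packets. It parses the command grammar listed above (name, offset, format, value, optional direction, tcp/udp, port range or port list with the slide's limits) and checks constructed packets against it. The rule lunar_light is the slide's; the second rule moon_udp, the filler bytes, the packet layout and the 4-byte width assumed for the decimal format are assumptions made for illustration.

```python
"""
Added example, not Cisco code: a model of 'ip nbar custom' matching.
The rule grammar follows the slide; the packet layout, the filler bytes
and the decimal-format width are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CustomRule:
    name: str                        # up to 24 characters
    offset: int                      # first payload byte to compare, counting from 0
    fmt: str                         # "ascii", "hex" or "decimal"
    value: str                       # value as typed on the CLI
    proto: str                       # "tcp" or "udp"
    ports: frozenset                 # ports the rule applies to
    direction: Optional[str] = None  # "source", "destination" or None (both)

    def pattern(self) -> bytes:
        """Bytes that must appear at self.offset in the payload."""
        if self.fmt == "ascii":
            if len(self.value) > 16:
                raise ValueError("ascii value is limited to 16 characters")
            return self.value.encode("ascii")
        if self.fmt == "hex":
            v = self.value.lower()
            return bytes.fromhex(v[2:] if v.startswith("0x") else v)
        if self.fmt == "decimal":
            # Assumption: a decimal value is compared as a 4-byte big-endian integer
            return int(self.value).to_bytes(4, "big")
        raise ValueError(f"unknown format {self.fmt!r}")


def parse_custom(cmd: str) -> CustomRule:
    """Parse 'ip nbar custom <name> <offset> <fmt> <value> [source|destination]
    <tcp|udp> (range <lo> <hi> | <port> ... up to 16 ports)'."""
    t = cmd.split()
    if t[:3] != ["ip", "nbar", "custom"]:
        raise ValueError("not an ip nbar custom command")
    name, offset, fmt, value = t[3], int(t[4]), t[5], t[6]
    if len(name) > 24:
        raise ValueError("name is limited to 24 characters")
    i, direction = 7, None
    if t[i] in ("source", "destination"):
        direction, i = t[i], i + 1
    proto, i = t[i], i + 1
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        if not (0 < lo <= hi <= 65535) or hi - lo + 1 > 1000:
            raise ValueError("range may span at most 1000 ports")
        ports = frozenset(range(lo, hi + 1))
    else:
        plist = [int(p) for p in t[i:]]
        if not 1 <= len(plist) <= 16:
            raise ValueError("1 to 16 individual ports")
        ports = frozenset(plist)
    return CustomRule(name, offset, fmt, value, proto, ports, direction)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes  # transport payload only; headers are not modelled


def rule_matches(rule: CustomRule, pkt: Packet) -> bool:
    """True when protocol, port(s) and the payload bytes at the offset satisfy the rule."""
    if pkt.proto != rule.proto:
        return False
    if rule.direction == "source":
        port_ok = pkt.sport in rule.ports
    elif rule.direction == "destination":
        port_ok = pkt.dport in rule.ports
    else:
        port_ok = pkt.sport in rule.ports or pkt.dport in rule.ports
    if not port_ok:
        return False
    pat = rule.pattern()
    window = pkt.payload[rule.offset:rule.offset + len(pat)]
    return len(window) == len(pat) and window == pat


def classify(rules, pkt: Packet) -> Optional[str]:
    """Name of the first matching custom rule, or None (left unclassified)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


# Constructed sample traffic: 8 filler bytes, then the application banner.
FILLER = bytes.fromhex("ffff0000ffff0000")
MOONBEAM = Packet("tcp", 40001, 2500, FILLER + b"Moonbeam" + b"\xff\xff")
WRONG_PORT = Packet("tcp", 40001, 3500, MOONBEAM.payload)
WRONG_OFFSET = Packet("tcp", 40001, 2500, FILLER[:6] + b"Moonbeam" + b"\xff\xff")
UDP_COPY = Packet("udp", 40001, 2500, MOONBEAM.payload)

RULES = [
    parse_custom("ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999"),
    # Assumed second application: hex form of "Moon" at offset 0, UDP dst ports 5000/5001
    parse_custom("ip nbar custom moon_udp 0 hex 0x4d6f6f6e destination udp 5000 5001"),
]

if __name__ == "__main__":
    for p in (MOONBEAM, WRONG_PORT, WRONG_OFFSET, UDP_COPY):
        print(p.proto, p.dport, "->", classify(RULES, p))
```

The three negative packets show what the rule does not do: a banner on a port outside the range, at the wrong offset, or on the other transport protocol is left unclassified, and a payload shorter than offset plus value length never matches. Since the match is on attacker-controllable payload bytes, a custom rule is a QoS classifier, not an authentication of the application.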
NBAR HTTP Classification (Nov 2003)
- Extended inspection: NBAR looks for an HTTP-specific signature on ports beyond the well-known TCP port 80
- The HTTP GET request contains the Host/URL string
- Optionally, HTTP responses may be further classified by MIME type
Diagram: HTTP clients send HTTP GET requests through Router X to the HTTP server; responses to the GET return through Router Y.
Notes: When specifying a URL for classification, include only the portion of the URL following www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html. Host specification works the same way: NBAR performs a regular-expression match on the Host field contents inside an HTTP GET packet and classifies all packets from that host. For the same URL, include only www.cisco.com. For MIME type matching, the MIME type can contain any user-specified text string. A list of the Internet Assigned Numbers Authority (IANA)-registered MIME types can be found at: ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types. In MIME type matching, NBAR classifies the packet containing the MIME type and all subsequent packets, which are sent to the source of the HTTP GET request.
  router(config-cmap)#match protocol http ?
    host  host-name-string  Match Host Name
    url   url-string        Match URL String
    mime  MIME-type         Match MIME Type
match protocol http: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112789
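The following is an added example, not Cisco code: a Python model of the HTTP sub-port classification described above. It recognises an HTTP request on any port (the extended-inspection point), matches Host and URL with the *, ?, [ ] wildcards from the slide (Python's fnmatch has exactly those three), matches a response on its Content-Type, and, as the notes describe, classifies the rest of the flow from that one packet without inspecting it again. The flows, patterns and class names (whatsnew, cisco-web, images) are assumptions for illustration.

```python
"""
Added example, not Cisco code: a model of NBAR HTTP sub-port classification.
First request of a flow -> Host / URL match; response -> MIME match; once a
flow is classified, later packets inherit the class without inspection.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


def _header_lines(payload: bytes):
    try:
        return payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None


def parse_request(payload: bytes):
    """Return (host, url) for an HTTP request, or None if this is not one."""
    lines = _header_lines(payload)
    if lines is None:
        return None
    m = re.match(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    host = ""
    for line in lines[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "host":
            host = val.strip()
    return host, m.group(2)        # URL portion after the host name, as NBAR expects


def parse_response_mime(payload: bytes) -> Optional[str]:
    """Return the Content-Type of an HTTP response ('' if absent), or None if not a response."""
    lines = _header_lines(payload)
    if lines is None or not re.match(r"^HTTP/1\.[01] \d{3}", lines[0]):
        return None
    for line in lines[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "content-type":
            return val.strip()
    return ""


class HttpClassifier:
    def __init__(self, rules):
        # rules: (kind, pattern, class_name) with kind in {"host", "url", "mime"};
        # first matching rule wins, like the first class in a policy-map.
        self.rules = [(k, re.compile(fnmatch.translate(p), re.IGNORECASE), c)
                      for k, p, c in rules]
        self.flows = {}                        # Flow -> class name

    def classify(self, flow: Flow, payload: bytes) -> Optional[str]:
        if flow in self.flows:                 # already classified: no re-inspection
            return self.flows[flow]
        req = parse_request(payload)
        if req is not None:
            host, url = req
            for kind, rx, cls in self.rules:
                if (kind == "host" and rx.match(host)) or (kind == "url" and rx.match(url)):
                    self.flows[flow] = cls
                    return cls
            return "http"                      # plain HTTP, no sub-port rule hit
        mime = parse_response_mime(payload)
        if mime is not None:
            for kind, rx, cls in self.rules:
                if kind == "mime" and rx.match(mime):
                    self.flows[flow] = cls     # response packets toward the GET source
                    return cls
            return "http"
        return None                            # not recognisable as HTTP


# Constructed traffic on a non-standard port (extended inspection, not just port 80).
CLIENT = Flow("10.1.1.5", 51234, "192.0.2.10", 8080)
GET = b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff"

RULES = [
    ("url", "/latest/*", "whatsnew"),
    ("host", "www.cisco.com", "cisco-web"),
    ("mime", "*jpeg*", "images"),
]


def run_sample():
    """Classify the constructed exchange; returns the per-packet results in order."""
    nbar = HttpClassifier(RULES)
    return [
        nbar.classify(CLIENT, GET),                      # url rule hit
        nbar.classify(CLIENT, b"\x00\x01\x02 not http"),  # inherited from the flow
        nbar.classify(CLIENT.reverse(), RESP),           # MIME rule on the response
        nbar.classify(Flow("10.1.1.6", 4000, "192.0.2.10", 8080), b"\x16\x03\x01"),
    ]


if __name__ == "__main__":
    print(run_sample())
```

Two caveats follow from the model: the Host and URL strings are whatever the client chose to send, so a client can name any host to obtain a preferred class, and once the first request has classified a flow, nothing in later packets changes the decision. Treat NBAR HTTP matching as a QoS aid, not as access control.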
NBAR: Additional Development
New and updated PDLMs:
- Citrix ICA: enhanced support for Citrix-based applications
- Real-Time Protocol (RTP)
- Real-Time Streaming Protocol (RTSP)
- eDonkey: peer-to-peer file sharing application
- KaZaA: revalidated for KaZaA v2.5
Support for IP services:
- NBAR-NAT-RTSP integration: Release 12.3(3rd)T [Q1CY'04]
- Upcoming: NBAR-Firewall integration
KaZaA versions 2 and 2.5 (PDLM Rev 6, April 2003)
- KaZaA v2 PDLM available: www.cisco.com/cgi-bin/tablebuild.pl/pdlm
- Classifies KaZaA v2 and v2.5 data traffic
- Covers file transfers: downloads and uploads
- QoS policy can limit users to browsing, but not sharing, files
NBAR RTP Payload Classification (PDLM Rev 2, May 2003)
- Stateful identification of real-time audio and video traffic
- Differentiation on the basis of audio and video codecs
Diagram: IP Hdr | UDP | RTP Header | Audio/Video/Data
RTP, a transport protocol for real-time applications: RFC 1889. RTP profile for audio and video conferences with minimal control: RFC 1890.
NBAR RTP Payload Classification Configuration
  match protocol rtp [audio | video | payload-type payload-string]
- audio: matches payload-type values 0-23
- video: matches payload-type values 24-33
- payload-type: matches explicit payload-type values, for more granular matching than audio or video provide
Example: NBAR matching RTP traffic with the payload types 0, 1, 4 through 18 and 64 (values may be written in decimal, hex or binary, singly or as ranges):
  match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64"
Here 0x10 is 16, 10001b is 17 and 10010b is 18. The audio and video keywords cover only the static payload types of RFC 1890; codecs negotiated on dynamic payload types (96-127) must be matched with an explicit payload-type list.
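The following is an added example, not Cisco code: a Python model that parses the payload-type string from the command above (decimal, 0x-prefixed hex and b-suffixed binary, single values and ranges), reads the 7-bit payload-type field from an RTP header as RFC 1889 lays it out, and applies the audio/video ranges from the slide. It classifies one packet at a time; NBAR's stateful identification of an RTP stream is not modelled. The constructed packets, fixed timestamp and SSRC are assumptions.

```python
"""
Added example, not Cisco code: parse 'match protocol rtp payload-type'
strings and classify constructed RTP packets by payload type.
Per-packet only; NBAR's stateful RTP identification is not modelled.
"""
from typing import Optional


def _num(tok: str) -> int:
    """One payload-type token: 64, 0x10 or 10001b."""
    tok = tok.strip().lower()
    if tok.startswith("0x"):            # check hex first: 0x1b also ends in 'b'
        n = int(tok[2:], 16)
    elif tok.endswith("b"):
        n = int(tok[:-1], 2)
    else:
        n = int(tok, 10)
    if not 0 <= n <= 127:
        raise ValueError(f"payload type {n} outside 0-127")
    return n


def parse_payload_types(spec: str) -> frozenset:
    """'"0, 1, 4 - 0x10, 10001b - 10010b, 64"' -> {0, 1, 4..18, 64}."""
    pts = set()
    for item in spec.strip().strip('"').split(","):
        lo, dash, hi = item.partition("-")
        a = _num(lo)
        b = _num(hi) if dash else a
        if b < a:
            raise ValueError(f"bad range {item.strip()!r}")
        pts.update(range(a, b + 1))
    return frozenset(pts)


def rtp_payload_type(pkt: bytes) -> Optional[int]:
    """Payload type from an RTP header (RFC 1889): low 7 bits of the second byte.
    Returns None if the packet is shorter than the fixed header or not RTP version 2."""
    if len(pkt) < 12 or (pkt[0] >> 6) != 2:
        return None
    return pkt[1] & 0x7F                # drop the marker bit


AUDIO = frozenset(range(0, 24))         # 'match protocol rtp audio'
VIDEO = frozenset(range(24, 34))        # 'match protocol rtp video'


def classify_rtp(pkt: bytes, payload_types=None) -> Optional[str]:
    """'payload-type' (explicit list hit), 'audio', 'video' or None."""
    pt = rtp_payload_type(pkt)
    if pt is None:
        return None
    if payload_types is not None and pt in payload_types:
        return "payload-type"
    if pt in AUDIO:
        return "audio"
    if pt in VIDEO:
        return "video"
    return None                          # e.g. an unlisted dynamic type 96-127


def make_rtp(pt: int, marker: bool = False, seq: int = 1,
             payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed RTP packet: V=2, no padding/extension/CSRC, fixed timestamp and SSRC."""
    first = 0x80                                     # version 2
    second = (0x80 if marker else 0) | (pt & 0x7F)   # marker bit + payload type
    header = (bytes([first, second]) + seq.to_bytes(2, "big")
              + (160).to_bytes(4, "big") + bytes.fromhex("deadbeef"))
    return header + payload


SPEC = '"0, 1, 4 - 0x10, 10001b - 10010b, 64"'

if __name__ == "__main__":
    pts = parse_payload_types(SPEC)
    print(sorted(pts))
    for pt in (8, 31, 64, 96):
        print(pt, classify_rtp(make_rtp(pt), pts))
```

The version check matters in practice: any UDP payload whose second byte happens to fall in 0-33 would otherwise be accepted as audio or video, so a classifier that keys on the payload type alone is easy to satisfy with crafted traffic; NBAR's stateful inspection of the stream is what narrows that.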
NBAR Protocol Discovery MIB (Release 12.3)
- Provides statistics per application, per interface via SNMP
- Enable or disable Protocol Discovery per interface
- Display Protocol Discovery statistics
- Configure and view multiple top-n tables listing protocols by bandwidth usage
- Configure thresholds: report breaches and send notifications when these thresholds are crossed
- Supported by Cisco QoS partners: Concord Communications; InfoVista (traffic monitoring, DoS attack mitigation)
NBAR Protocol Discovery MIB: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpdmib.htm
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB: www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
NBAR Classification for Multiple IP Services
Previously: each IP service (QoS classification, IDS, NAT, firewall) parsed each packet itself, and only QoS used NBAR's parsing results (PDLM data) for traffic classification.
Now: NBAR provides a shared infrastructure for IP traffic identification; NBAR's parsing is utilized by multiple services (QoS classification, IDS, NAT, firewall). New NBAR PDLMs can be added to identify new applications without a software upgrade.
References
- QoS Classification Overview: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfclass.htm#1003102
- Configuring Network-Based Application Recognition: www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm
- Match Protocol Commands (Citrix, HTTP, RTP): www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#1112612
Custom-xx NBAR Functionality
- Used for static TCP/UDP port-based applications that NBAR does not support
- Add up to 10 custom applications (custom-01 through custom-10)
- Map up to 16 TCP and UDP ports each per application
- Statistics appear in Protocol Discovery
  Router(config)#ip nbar port-map custom-01 ?
    tcp  TCP ports
    udp  UDP ports