http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/packet-flow-based-fwd-section.html
Understanding Packet-Based and Flow-Based Forwarding
Packets that enter and exit a J Series or SRX Series device running JUNOS Software can undergo packet-based or flow-based processing. Packet-based (stateless) forwarding treats each packet discretely, and flow-based (stateful) packet processing treats related packets, or a stream of packets, in the same way.
Packet-Based Forwarding
Packet-based (stateless) forwarding is performed on a packet-by-packet basis without regard to flow or state information. Each packet is assessed individually for treatment.
Figure 12 shows the traffic flow for packet-based forwarding.
Figure 12: Traffic Flow for Packet-Based Forwarding
As packets enter the device, classifiers, filters, and policers are applied to each packet. Next, the egress interface for the packet is determined by a route lookup. Once the egress interface is found, output filters are applied and the packet is sent to the egress interface, where it is queued and scheduled for transmission.
Packet-based forwarding does not require any information about either previous or subsequent packets that belong to a given connection, and any decision to allow or deny traffic is packet specific. This architecture has the benefit of massive scaling because it forwards packets without keeping track of individual flows or state.
Flow-Based Forwarding
Flow-based (stateful) packet processing requires the creation of sessions. A session is created to store the security measures to be applied to the packets of the flow, to cache information about the state of the flow (for example, logging and counting information), to allocate the resources the flow needs for features such as Network Address Translation (NAT), and to provide a framework for features such as Application Layer Gateways (ALGs) and firewall features. Figure 13 shows traffic flow for flow-based processing.
Figure 13: Traffic Flow for Flow-Based Forwarding
The packet treatment in flow-based forwarding depends on characteristics that were established for the first packet of the packet stream, which is referred to as a flow. To determine if a flow exists for a packet, the system attempts to match the packet’s information to that of an existing session based on the following match criteria—source address, destination address, source port, destination port, protocol, and unique session token number for a given zone and virtual router.
Most packet processing occurs in the context of a flow, including management of policies, NAT, zones, most screens, and ALGs.
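The following is an added example, not Juniper's code and not a description of the SRX internals. It is a simplified model of the two forwarding modes described above: a stateless path that evaluates every packet against the policy on its own, and a flow table that runs the policy once for the first packet of a flow and then matches later packets on the session key the text lists (source address, destination address, source port, destination port, protocol, and a session token standing in for the zone and virtual router). The prefix-style rules, the token value, and all packets are constructed for the example; a reverse-direction key is installed in the model so the server's reply matches the session the client's packet created.

```python
"""Simplified model of packet-based vs. flow-based forwarding (example only).

Not Junos code. Session keys follow the match criteria in the text; the
'token' field is a hypothetical stand-in for the zone / virtual-router
session token. All packets and rules below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp" or "udp"
    token: int   # hypothetical zone / virtual-router session token


SessionKey = Tuple[str, str, int, int, str, int]
# Rule: (src_prefix, dst_prefix, proto, dport or None, action). Constructed,
# deliberately one-directional: it names only the client -> server direction.
Rule = Tuple[str, str, str, Optional[int], str]


def key_for(p: Packet) -> SessionKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.token)


def reverse_key(p: Packet) -> SessionKey:
    """Key a reply to this packet would carry (addresses and ports swapped)."""
    return (p.dst, p.src, p.dport, p.sport, p.proto, p.token)


@dataclass
class Session:
    key: SessionKey
    action: str
    packets: int = 0
    bytes: int = 0


def match_rule(p: Packet, rules: List[Rule]) -> str:
    """First-match policy lookup; shared by both forwarding models."""
    for src_pfx, dst_pfx, proto, dport, action in rules:
        if (p.src.startswith(src_pfx) and p.dst.startswith(dst_pfx)
                and p.proto == proto and (dport is None or p.dport == dport)):
            return action
    return "deny"  # implicit default deny


def packet_based(packets: List[Packet], rules: List[Rule]) -> List[str]:
    """Stateless path: every packet is judged on its own, no memory of others."""
    return [match_rule(p, rules) for p in packets]


class FlowTable:
    """Stateful path: the first packet creates a session, later ones match it."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Dict[SessionKey, Session] = {}

    def process(self, p: Packet, size: int = 100) -> str:
        sess = self.sessions.get(key_for(p))
        if sess is None:
            # First packet of the flow: run the policy once and cache the result.
            action = match_rule(p, self.rules)
            if action != "permit":
                return action          # denied traffic gets no session
            sess = Session(key=key_for(p), action=action)
            self.sessions[key_for(p)] = sess
            self.sessions[reverse_key(p)] = sess   # reply direction matches too
        sess.packets += 1              # per-flow counting lives on the session
        sess.bytes += size
        return sess.action


RULES: List[Rule] = [("10.0.0.", "192.0.2.", "tcp", 443, "permit")]


def demo() -> Tuple[List[str], List[str], int, int]:
    """Client SYN then server reply through both models (constructed packets)."""
    client_syn = Packet("10.0.0.5", "192.0.2.10", 40000, 443, "tcp", 1)
    server_reply = Packet("192.0.2.10", "10.0.0.5", 443, 40000, "tcp", 1)
    stateless = packet_based([client_syn, server_reply], RULES)
    ft = FlowTable(RULES)
    stateful = [ft.process(client_syn), ft.process(server_reply)]
    distinct_sessions = len({id(s) for s in ft.sessions.values()})
    return stateless, stateful, distinct_sessions, ft.sessions[key_for(client_syn)].packets


if __name__ == "__main__":
    print(demo())  # stateless denies the reply; the flow table permits it
```

The point the model makes is the one the text implies: with only a client-to-server rule, the stateless path has no way to recognise the server's reply and denies it, while the flow table matches the reply to the session created by the first packet and keeps per-flow counters there. Changing only the token on an otherwise identical 5-tuple yields a separate session, which is why the session key carries the zone and virtual-router context and not just the addresses and ports.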
For an overview of stateless and stateful data processing, see the JUNOS Software Security Configuration Guide.