This guide provides an overview of Cisco IOS Flexible Packet Matching and describes the process of writing FPM filters along with examples. The following topics are covered in this document:
• What is Cisco IOS Flexible Packet Matching?
• Why do we need Cisco IOS Flexible Packet Matching?
• What platforms and images does it work on?
• How to write a Cisco IOS Flexible Packet Matching policy?
• Example policy
Pre-Requisites:
Before getting started with Flexible Packet Matching, ensure that you have the following:
• A Cisco router from one of the supported families (87x, 18xx, 28xx, 38xx or 72xx; see the platform table below)
• Console, SSH or Telnet access to the router
• IOS Release 12.4(4)T or later
• An Advanced Security, Advanced IP Services or Advanced Enterprise Services image loaded on the router
What is Cisco IOS Flexible Packet Matching (FPM)?
Networks are experiencing increasingly sophisticated attacks that require mitigation tools that are as flexible as possible. Cisco IOS Flexible Packet Matching (FPM) is a set of class maps and policy maps that provides pattern matching for granular, customized packet filters: it can match bits or bytes at any offset within the packet, across the headers from Layer 2 up to Layer 7 and into the payload.
Put simply, it is a powerful, rapidly deployable mechanism that lets users specify criteria to match against any part of a packet (header and payload) and define the action to take. FPM classifies a packet on its characteristics and acts on that classification.
Why do we Need Cisco IOS Flexible Packet Matching (FPM)?
There are three main reasons for Cisco IOS Flexible Packet Matching (FPM):
• Sophisticated attacks: the characteristics of common attacks have evolved beyond what existing filtering tools such as ACLs can express (ACLs match only on static criteria such as protocol, port and IP address).
• Rapid mitigation: customers must stop attacks immediately, without waiting for a vendor to develop an IPS signature or new IOS code.
• Finer granularity: FPM goes beyond static attributes and lets you specify arbitrary bits or bytes at any offset within the entire packet (header or payload), minimizing inadvertent blocking of legitimate business traffic.
How does Cisco IOS Flexible Packet Matching Work?
Cisco IOS Flexible Packet Matching (FPM) has the following characteristics:
• It is stateless and inspects one packet at a time.
• It matches on all static packet characteristics such as protocol, port and IP address.
• It uses Protocol Header Description Files (PHDFs) that let the user define class match criteria on any field in a protocol header.
• It supports the offset, size and string keywords, and regular expressions (regex), so the user can match on strings or bytes in the packet payload.
• It uses class-map and policy-map configuration syntax to specify the protocol stack, the match criteria and the action to take.
What Platforms and Images does it Work On?
The following table lists the platforms and images on which Cisco IOS Flexible Packet Matching (FPM) is supported. A platform needs one of the three image families (Advanced Security, Advanced IP Services or Advanced Enterprise Services); the platform-specific image names are listed under each family.
Advanced Security Images
• 1701 c1700-advsecurityk9-mz.
• 1711 c1700-advsecurityk9-mz.
• 1712 c1700-advsecurityk9-mz.
• 1721 c1700-advsecurityk9-mz.
• 1751 c1700-advsecurityk9-mz.
• 1751-V c1700-advsecurityk9-mz.
• 17xx c1700-k9o3sy7-mz
• 17xx c1700-bk9no3r2sy7-mz
• 1760 c1700-advsecurityk9-mz.
• 1811 c181x-advsecurityk9-mz.
• 1812 c181x-advsecurityk9-mz.
• 1841 c1841-advsecurityk9-mz.
• 2610XM-2611XM c2600-advsecurityk9-mz.
• 2620XM-2621XM c2600-advsecurityk9-mz.
• 2650XM-2651XM c2600-advsecurityk9-mz.
• 2691 c2691-advsecurityk9-mz.
• 2801 c2801-advsecurityk9-mz.
• 2811 c2800nm-advsecurityk9-mz.
• 2821 c2800nm-advsecurityk9-mz.
• 2851 c2800nm-advsecurityk9-mz.
• 3725 c3725-advsecurityk9-mz.
• 3745 c3745-advsecurityk9-mz.
• 3825 c3825-advsecurityk9-mz.
• 3845 c3845-advsecurityk9-mz.
• 7200 c7200-advsecurityk9-mz.
• 7301 c7301-advsecurityk9-mz.
Advanced IP Services Images
• 87x c870-advipservicesk9-mz.
• 1701 c1700-advipservicesk9-mz.
• 1711 c1700-advipservicesk9-mz.
• 1712 c1700-advipservicesk9-mz.
• 1721 c1700-advipservicesk9-mz.
• 1751 c1700-advipservicesk9-mz.
• 1751-V c1700-advipservicesk9-mz.
• 1760 c1700-advipservicesk9-mz.
• 1811 c181x-advipservicesk9-mz.
• 1812 c181x-advipservicesk9-mz.
• 1841 c1841-advipservicesk9-mz.
• 2610XM-2611XM c2600-advipservicesk9-mz.
• 2620XM-2621XM c2600-advipservicesk9-mz.
• 2650XM-2651XM c2600-advipservicesk9-mz.
• 2691 c2691-advipservicesk9-mz.
• 2801 c2801-advipservicesk9-mz.
• 2811 c2800nm-advipservicesk9-mz.
• 2821 c2800nm-advipservicesk9-mz.
• 2851 c2800nm-advipservicesk9-mz.
• 3725 c3725-advipservicesk9-mz.
• 3745 c3745-advipservicesk9-mz.
• 3825 c3825-advipservicesk9-mz.
• 3845 c3845-advipservicesk9-mz.
• 7200 c7200-advipservicesk9-mz.
• 7301 c7301-advipservicesk9-mz.
• 7xxx c7xxx-ik9o3s
• 7xxx c7xxx-jk9o3s
Advanced Enterprise Services Images
• 1701 c1700-adventerprisek9-mz.
• 1711 c1700-adventerprisek9-mz.
• 1712 c1700-adventerprisek9-mz.
• 1721 c1700-adventerprisek9-mz.
• 1751 c1700-adventerprisek9-mz.
• 1751-V c1700-adventerprisek9-mz.
• 1760 c1700-adventerprisek9-mz.
• 1811 c181x-adventerprisek9-mz.
• 1812 c181x-adventerprisek9-mz.
• 1841 c1841-adventerprisek9-mz.
• 2610XM-2611XM c2600-adventerprisek9-mz.
• 2620XM-2621XM c2600-adventerprisek9-mz.
• 2650XM-2651XM c2600-adventerprisek9-mz.
• 2691 c2691-adventerprisek9-mz.
• 2801 c2801-adventerprisek9-mz.
• 2811 c2800nm-adventerprisek9-mz.
• 2821 c2800nm-adventerprisek9-mz.
• 2851 c2800nm-adventerprisek9-mz.
• 3725 c3725-adventerprisek9-mz.
• 3745 c3745-adventerprisek9-mz.
• 3825 c3825-adventerprisek9-mz.
• 3845 c3845-adventerprisek9-mz.
• 7200 c7200-adventerprisek9-mz.
• 7301 c7301-adventerprisek9-mz.
Restrictions:
The following restrictions apply when using Cisco IOS Flexible Packet Matching (FPM):
• Because FPM is stateless, it cannot track port numbers that protocols negotiate dynamically (FTP data channels, for example). When using FPM, port numbers must be specified explicitly.
• FPM does not track connection state, so no connection attributes are retained and a class cannot depend on what earlier packets of the same flow contained.
• FPM cannot reassemble IP fragments or TCP streams. A pattern that is split across fragments or across TCP segments is not matched.
• PHDFs describe protocols whose header fields sit at fixed offsets with fixed lengths.
• Prior to 12.4(15)T, FPM supports searching for patterns up to 32 bytes long within the first 256 bytes of the packet. From 12.4(15)T onward, FPM supports searching for patterns up to 256 bytes long anywhere within the entire packet.
Steps to Configure Cisco IOS Flexible Packet Matching (FPM)
This section describes the steps required to create an FPM policy using the IOS command-line interface (CLI):
Step 1. Load the protocol header description file(s) (PHDF)
Step 2. Define the protocol stack (IP-UDP, IP-TCP, etc.) with a class-map type stack
Step 3. Define the FPM match criteria filter with a class-map type access-control
Step 4. Define the action to take on the classes with a policy-map type access-control
Step 5. Apply the service policy to an interface
Each step and its commands are described below. Where the guide shows them, example commands follow the description, and an "Additional Commands and References" note under a step gives the related show commands.
A complete Cisco IOS Flexible Packet Matching (FPM) configuration example is also discussed.
1. Load the Protocol Header Description File
The first step is to load the protocol header description file (PHDF) into router memory. A PHDF is an XML file that allows the user to take advantage of the flexibility of XML to describe almost any protocol header.
PHDFs are analogous to stencils. A PHDF outlines the structure of packets in an XML format thus allowing IOS to understand the protocol and the packet structure. The field names that are defined within the PHDFs are used for defining the packet filters.
Figure 1 represents the format of an IP packet header:
Figure 1. IP Header
The IP PHDF defines the header field names (Version, IHL, TOS, and so on), the length of each field and its location within the packet. PHDFs simplify FPM configurations by letting users reference the field names described in the PHDF instead of defining the actual byte offsets within the packet in the router's configuration.
Note: If using an image prior to 12.4(11)T, you must download the PHDF files to the router's flash and load them from there. Images from 12.4(11)T onward have the PHDFs built into IOS under system:/fpm/phdf/.
To load a PHDF, enter load protocol location:filename in global configuration mode, once for each protocol you intend to reference in a class map. The example at the end of this guide loads the built-in IP and TCP definitions with load protocol system:/fpm/phdf/ip.phdf and load protocol system:/fpm/phdf/tcp.phdf.
2. Define the Protocol Stack
The second step is to define the protocol stack using class maps. There are two types of FPM class maps, "stack" and "access-control". A stack class logically defines the protocol relationships (for example, IP carrying UDP), and the class-map type stack is what is defined in this step.
To define the protocol stack, create a class-map type stack and, inside it, match the field of the lower protocol that identifies the next protocol, naming that protocol with the next keyword. The example at the end of this guide does this for IP over TCP with class-map type stack match-all ip_tcp followed by match field IP protocol eq 6 next TCP; for UDP the IP protocol number is 17.
3. Define FPM Match Criteria Filter
The third step is to define the Cisco IOS Flexible Packet Matching (FPM) match criteria filter using an access-control class map. The access-control class describes the granular details of a particular packet: standard matching operators (eq, neq, gt, lt, range, regex) paired with the protocol header fields defined in the loaded PHDFs, or with raw byte offsets measured from l3-start or payload-start. In this step, the class-map type access-control is defined together with its match criteria; with match-all every criterion must match, with match-any one is enough.
To define the FPM match criteria filter, create the class-map type access-control and add one match line per criterion. A field match uses a PHDF field name (match field UDP dest-port eq <port>, for example); an offset match names a base, a byte offset, a size and a value, as in this line from the slammer class:
Router(config-cmap)# match start l3-start offset 224 size 4 eq 0x4011010
The following regular expression metacharacters are supported (metacharacter, its function, and an example):
• ASCII character: represents the character itself. Example: abcd matches the string "abcd" anywhere in the search area.
• . (period): represents any single character. Example: t..t matches strings such as test, text and tart.
• [ ]: a set of characters, or a range of characters given with a hyphen (-). Example: [02468a-z] matches 0, 4 and w, but not 1, 9 or K.
• *: zero or more occurrences of the preceding character. Example: 5* matches any number of consecutive 5s, including none.
• ?: zero or one occurrence of the preceding character. Example: ba?b matches bb and bab.
• \: escape character; the character that follows is taken literally instead of as a metacharacter. Example: 18\..* matches the characters 18. followed by any characters.
Additional Commands and References:
To view all class-maps configured on the router, enter the following command at the router prompt.
show class-map [type {stack | access-control}] [class-map-name]
Router# show class-map type access-control slammer
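To make the offset arithmetic behind steps 1 to 3 concrete, here is an added Python model (it is not Cisco code and not from this guide) of how FPM resolves PHDF field names and l3-start/payload-start offsets and then evaluates a match-all class one packet at a time. The XML is a simplified PHDF-like stencil written for this example, not Cisco's ip.phdf/udp.phdf schema; the packets are constructed; and the slammer class adds two assumed match field criteria (UDP dest-port and IP length) next to the offset match shown above, purely to show match-all evaluation.

```python
"""Offline model of FPM classification: a PHDF-like field table plus
'match field' and 'match start' evaluation over constructed IPv4/UDP packets."""
import re
import struct
import xml.etree.ElementTree as ET

# Simplified PHDF-like definitions constructed for this example (NOT Cisco's
# ip.phdf/udp.phdf schema). As in a real PHDF, offsets and lengths are in bits,
# relative to the start of that protocol's own header.
PHDF_XML = """
<phdf>
  <protocol name="IP">
    <field name="ihl"      offset="4"  length="4"/>
    <field name="length"   offset="16" length="16"/>
    <field name="protocol" offset="72" length="8"/>
    <headerlength field="ihl" mult="4"/>
  </protocol>
  <protocol name="UDP">
    <field name="dest-port" offset="16" length="16"/>
    <headerlength fixed="8"/>
  </protocol>
</phdf>
"""
OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}

def load_phdf(xml_text):
    """Return {proto: {"fields": {name: (bit_offset, bit_length)}, "hdrlen": attrs}}."""
    protos = {}
    for proto in ET.fromstring(xml_text).findall("protocol"):
        fields = {f.get("name"): (int(f.get("offset")), int(f.get("length")))
                  for f in proto.findall("field")}
        protos[proto.get("name")] = {"fields": fields,
                                     "hdrlen": proto.find("headerlength").attrib}
    return protos

def field_value(phdf, proto, hdr, name):
    """Extract a bit-aligned field (IHL is a nibble) from bytes starting at the header."""
    bit_off, bit_len = phdf[proto]["fields"][name]
    if len(hdr) * 8 < bit_off + bit_len:
        raise IndexError("packet too short for %s %s" % (proto, name))
    shift = len(hdr) * 8 - bit_off - bit_len
    return (int.from_bytes(hdr, "big") >> shift) & ((1 << bit_len) - 1)

def header_length(phdf, proto, hdr):
    """Header length in bytes: fixed (UDP) or derived from a field (IP: IHL * 4)."""
    hl = phdf[proto]["hdrlen"]
    if "fixed" in hl:
        return int(hl["fixed"])
    return field_value(phdf, proto, hdr, hl["field"]) * int(hl["mult"])

def layout(phdf, pkt, stack):
    """Start offset of each header in the stack, plus l3-start and payload-start."""
    offsets, pos = {"l3-start": 0}, 0
    for proto in stack:
        offsets[proto] = pos
        pos += header_length(phdf, proto, pkt[pos:])
    offsets["payload-start"] = pos
    return offsets

def match_field(phdf, pkt, offsets, proto, name, op, value):
    """'match field <PROTO> <field> <op> <value>'."""
    return OPS[op](field_value(phdf, proto, pkt[offsets[proto]:], name), value)

def match_start(pkt, offsets, base, offset, size, op="eq", value=None, regex=None):
    """'match start <l3-start|payload-start> offset N size M eq 0x..' or '... regex "p"'.
    Python's re is a superset of the FPM regex metacharacters listed above."""
    begin = offsets[base] + offset
    chunk = pkt[begin:begin + size]
    if regex is not None:
        return re.search(regex.encode(), chunk) is not None
    return len(chunk) == size and OPS[op](int.from_bytes(chunk, "big"), value)

def ipv4_udp(dst_port, payload):
    """Constructed IPv4/UDP packet (IHL=5, checksums zeroed) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!HHHH", 4000, dst_port, 8 + len(payload), 0) + payload

def classify_slammer(phdf, pkt):
    """Stack class ip_udp (IP protocol eq 17 next UDP) feeding the match-all class
    'slammer'. Only the offset match is on the page; the dest-port and IP-length
    criteria are assumed here to show match-all semantics. Short packets never match."""
    try:
        off = layout(phdf, pkt, ["IP", "UDP"])
        return (match_field(phdf, pkt, off, "IP", "protocol", "eq", 17)
                and match_field(phdf, pkt, off, "UDP", "dest-port", "eq", 1434)
                and match_field(phdf, pkt, off, "IP", "length", "gt", 400)
                and match_start(pkt, off, "l3-start", 224, 4, "eq", 0x4011010))
    except IndexError:
        return False

PHDF = load_phdf(PHDF_XML)
# Constructed 376-byte payload; l3-start offset 224 is payload offset 224 - 28 = 196.
_payload = bytearray(b"\x90" * 376)
_payload[196:200] = bytes.fromhex("04011010")
SLAMMER_LIKE = ipv4_udp(1434, bytes(_payload))
DNS_LIKE = ipv4_udp(53, bytes.fromhex("abcd01000001000000000000")
                    + b"\x07example\x03com\x00\x00\x01\x00\x01")
```

Running classify_slammer(PHDF, SLAMMER_LIKE) returns True and classify_slammer(PHDF, DNS_LIKE) returns False. The point to take from the layout step is that l3-start offsets are absolute from the IP header, while payload-start is recomputed per packet from IHL and the transport header length: a packet carrying IP options shifts its payload bytes, so a signature written against l3-start misses it while the same bytes written against payload-start are still found.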
4. Define Action to Take on Classes
The fourth step is to create the hierarchical Cisco IOS Flexible Packet Matching (FPM) policy that defines the action to take on each class. After a class map has been defined, a policy map is needed to bind the match to an action: a policy map is an ordered set of classes and their associated actions, such as drop, log, or send an ICMP unreachable (send-response). The child policy references the access-control class; the parent policy references the stack class and attaches the child policy to it with a nested service-policy.
To define a policy-map, issue the following commands in order:
policy-map [type access-control] policy-map-name
Router(config)# policy-map type access-control fpm-udp-policy
description character-string
Router(config-pmap)# description "policy for UDP based attacks"
class class-name [insert-before class-name]
Router(config-pmap)# class slammer
[drop | log | send-response | service-policy]
Router(config-pmap-c)# drop
Then chain the first policy and its class to the stack class (ip_udp is the class-map type stack configured in Step 2):
Router(config)# policy-map type access-control fpm-policy
Router(config-pmap)# class ip_udp
service-policy policy-map-name
Router(config-pmap-c)# service-policy fpm-udp-policy
Additional Commands and References:
To view all policy-maps configured on the router, enter the following command at the router prompt.
show policy-map [type access-control] [policy-map-name]
Router# show policy-map type access-control fpm-policy
5. Apply Service Policy to an Interface
The fifth step is to apply the service policy to an interface on the router. FPM policies are attached per interface and per direction, so packets are inspected only on the interfaces, and in the direction, where the policy is applied.
To apply the policy on an interface, enter interface configuration mode and issue service-policy type access-control {input | output} policy-map-name, referencing the parent (stack) policy map. The example at the end of this guide applies it inbound with service-policy type access-control input parent.
Example: Cisco IOS Flexible Packet Matching (FPM) Configuration for Peer-to-Peer VoIP Client Applications
This section contains the configuration example to block peer-to-peer VoIP applications (for example Skype version 2.5).
Why Block Skype?
To keep the corporate network under policy control. Skype is built to work on any network, regardless of the type of NAT, proxy, firewall or intrusion prevention system in place.
How does It Work?
Skype is an aggressive, adaptive networking application designed to reach the Internet at all costs. Skype sessions use an asymmetric key exchange to distribute the 256-bit symmetric key used by the AES cipher for session encryption. Skype's initial outbound connection can use any dynamic combination of TCP and UDP ports, including outbound ports 80 and 443, which are generally open for HTTP and HTTPS access; this renders traditional port-blocking filters ineffective. In addition, Skype uses proprietary NAT traversal methods similar to STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT) to reach the Internet and to determine the client's eligibility to become a supernode.
How to Block Skype?
In order to block Skype, perform the following steps. A flow of the process is shown below:
The following figure shows a screenshot of the packet capture for the initial conversation (i.e. login) for Skype. This information is used to derive the appropriate pattern and offset for creating the match criteria for the Cisco IOS Flexible Packet Matching (FPM) filter.
Cisco IOS Flexible Packet Matching (FPM) Configuration to Block Skype
The following configuration shows how to define Cisco IOS Flexible Packet Matching (FPM) traffic classes to block Skype packets at login. If Skype is already connected when this FPM policy is applied, the current connection is not dropped, but new connections are prevented. Note what the match criterion actually encodes: 0x17030100 at TCP payload offset 0 is the start of a TLS 1.0 application-data record (content type 0x17, version 0x0301) whose length is below 256 bytes, and the class carries no port or address restriction, so legitimate TLS 1.0 sessions that send small records are dropped as well. Test the policy against a capture of normal traffic and watch the class counters in show policy-map type access-control interface before deploying it broadly.
!---Load Protocol Header Description File
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
!
!---Defines Protocol Stack and Match Criteria (FPM filter to block Skype traffic)
class-map type stack match-all ip_tcp
match field IP protocol eq 6 next TCP
class-map type access-control match-all skype
match start TCP payload-start offset 0 size 4 eq 0x17030100
!
!---Define the child policy (action on the skype class) and the parent policy that attaches it to the stack class with a nested service-policy
policy-map type access-control child
class skype
log
drop
policy-map type access-control parent
class ip_tcp
service-policy child
!
!---Apply the service policy in the input direction on the outside (NAT outside) interface on the path between the PC running Skype and the Internet; the service-policy line names the parent policy-map
interface FastEthernet1
ip address 128.107.163.73 255.255.254.0
ip nat outside
ip virtual-reassembly
service-policy type access-control input parent
Figure 4 shows a login attempt that has failed after applying the Cisco IOS Flexible Packet Matching (FPM) configuration:
Figure 4.
Router# show policy-map type access-control interface
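The packet-capture figure above is where the guide derived its pattern and offset from. As an added example (it is not part of the guide or Cisco's code), the following Python derives a payload-start signature from a set of captured login packets by taking the longest common prefix of their TCP payloads (an assumed, deliberately simple derivation method), then runs the resulting FPM offset match against constructed benign traffic to measure collateral drops. All packets are hand-built for this example; the Skype-like samples are stand-ins that reproduce only the 17 03 01 00 prefix the configuration above matches on.

```python
"""Deriving a payload-start signature from captured packets and checking it for
collateral matches. Constructed example: the 'captures' below are hand-built."""
import struct

def ipv4_tcp(src_port, dst_port, payload):
    """Minimal IPv4/TCP packet (IHL=5, data offset=5, checksums zeroed) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def tcp_payload_start(pkt):
    """FPM 'TCP payload-start': IHL*4 bytes of IP header plus data-offset*4 of TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl + (pkt[ihl + 12] >> 4) * 4

def derive_signature(pkts, max_len=32):
    """Longest common prefix of the TCP payloads, returned as (offset, size, value)
    for a 'match start TCP payload-start offset 0 size N eq value' line."""
    payloads = [p[tcp_payload_start(p):] for p in pkts]
    n = 0
    while (n < max_len and all(len(pl) > n for pl in payloads)
           and len({pl[n] for pl in payloads}) == 1):
        n += 1
    return 0, n, int.from_bytes(payloads[0][:n], "big")

def fpm_match(pkt, offset, size, value):
    """Evaluate the offset match the way FPM would on a single packet."""
    begin = tcp_payload_start(pkt) + offset
    chunk = pkt[begin:begin + size]
    return len(chunk) == size and int.from_bytes(chunk, "big") == value

def collateral(corpus, sig):
    """Names of the benign packets the signature would also drop."""
    return [name for name, pkt in corpus if fpm_match(pkt, *sig)]

# Constructed stand-ins for the captured Skype login packets: TLS-looking records
# whose first bytes are 17 03 01 00 (application data, version 3.1, length < 256).
SKYPE_LIKE = [
    ipv4_tcp(443, 51000, bytes.fromhex("1703010028") + bytes(range(40))),
    ipv4_tcp(443, 51001, bytes.fromhex("1703010031") + bytes(range(49, 0, -1))),
]
# Constructed benign traffic to measure collateral damage against.
BENIGN = [
    ("https-tls1.0-small-record", ipv4_tcp(443, 52000, bytes.fromhex("170301002a") + b"A" * 42)),
    ("https-tls1.0-large-record", ipv4_tcp(443, 52001, bytes.fromhex("1703010400") + b"B" * 1024)),
    ("https-tls1.2", ipv4_tcp(443, 52002, bytes.fromhex("1703030040") + b"C" * 64)),
    ("http-get", ipv4_tcp(80, 52003, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
]

if __name__ == "__main__":
    sig = derive_signature(SKYPE_LIKE)
    print("match start TCP payload-start offset %d size %d eq 0x%x" % sig)
    print("collateral:", collateral(BENIGN, sig))
```

The derived line is exactly the 0x17030100 criterion in the configuration above, and the collateral list names the benign HTTPS packet it also hits: a TLS 1.0 application-data record shorter than 256 bytes, which is all that value encodes. Before applying the policy, run this kind of check against a capture of normal traffic from the interface, and afterwards confirm with show policy-map type access-control interface that the class counters grow only when Skype logins are attempted.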