Limitations and Dependencies; IP Readdressing - Cisco ASR 5000 Series Administration Manual

▀ Enhanced Features and Functionality

Limitations and Dependencies

This section identifies limitations and dependencies for the DNS Snooping feature.

• On a SessMgr kill or card switchover, the dynamic IP rules created from domain name resolution will be lost. Until a new DNS query is made, the dynamic IP-based rules will not be applied. These rules are recreated on new DNS traffic. So, SessMgr recovery is not supported for these dynamic IP rules.

• The ip server-domain-name ruledef can be used as a predefined dynamic rule, a static rule, or as part of a group of ruledefs. However, it cannot be used as a dynamic-only rule, as dynamic-only rules apply up to L4 and this is an L7 rule.

• Operators must define valid domain-name servers; only DNS responses from these servers will be considered correct, snooped, and included in the list of dynamically learnt IP addresses. If the list of valid domain-name servers is not provided, then DNS responses from all DNS servers will be considered valid and included in the list of learnt IP addresses. In that case, if subscribers send DNS queries to DNS servers they have created themselves and tamper with the response being sent, invalid IP addresses can be included in the list: the IP addresses will be learnt and the traffic may be free-rated or blocked incorrectly, depending on the action set. Therefore, defining the list of valid domain-name servers is recommended to avoid attacks on DNS traffic.

• There is a limit on the total number of learnt IP addresses per server-domain-name ruledef, for memory and performance reasons. IP addresses beyond this limit will not be learnt, and hence the charging action will not be applied to them. Similarly, there is a limit on the total number of server-domain-name ruledefs that can be configured.

• If the same IP address is returned in DNS responses for different DNS q-names (the same IP hosting multiple URLs), then during rule matching the higher-priority rule containing this learnt IP address will be matched. This can cause undesired rule matching, as explained next.
For example, suppose DNS queries for both www.facebook.com and www.cnn.com return the IP address 162.168.10.2, there is an allow action for the domain www.facebook.com, and a block or no action for www.cnn.com at a lower priority than the allow rule. If an actual request for www.cnn.com then arrives, because the server IP is the same it will match the higher-priority allow rule for the domain www.facebook.com (assuming there are no other rule lines, or all lines match) and will thus be free-rated incorrectly. However, this happens only when the same IP address is returned for different q-names, which is rare and cannot be handled.

• In the 12.2 release, the lookup for learnt IPv6 addresses is not optimized. Hash-based lookup (optimization) is done for IPv4 address lookup. In a later release, Longest Prefix Match (LPM) based optimization will be considered for matching both IPv4 and IPv6 learnt IP addresses.
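Added illustration, not code from the guide or the ASR 5000 software: a small Python model of the DNS snooping behaviour described in the list above (valid-server filtering, the per-ruledef learnt-IP limit, and priority-based matching of one learnt IP shared by two q-names). The ruledef names, priority convention, DNS server addresses and the limit value are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class DomainRuledef:
    """One 'ip server-domain-name' ruledef plus the IPs learnt for it."""
    name: str
    domain: str
    priority: int        # lower value = higher priority (assumed convention)
    action: str          # "allow" (free-rate) or "block"
    max_learnt: int = 4  # per-ruledef learnt-IP limit (value assumed)
    learnt: set = field(default_factory=set)

class DnsSnooper:
    def __init__(self, ruledefs, valid_dns_servers=None):
        self.ruledefs = sorted(ruledefs, key=lambda r: r.priority)
        # No configured list means responses from every DNS server are trusted.
        self.valid_dns_servers = set(valid_dns_servers or [])

    def snoop(self, dns_server, qname, answers):
        """Learn answer IPs for ruledefs matching qname; returns how many were new."""
        if self.valid_dns_servers and dns_server not in self.valid_dns_servers:
            return 0  # response from an unlisted server is not snooped
        learnt = 0
        for r in self.ruledefs:
            if r.domain != qname:
                continue
            for ip in set(map(ip_address, answers)) - r.learnt:
                if len(r.learnt) >= r.max_learnt:
                    break  # over the limit: not learnt, so no action applies
                r.learnt.add(ip)
                learnt += 1
        return learnt

    def match(self, dst_ip):
        """Highest-priority ruledef whose learnt set holds dst_ip."""
        ip = ip_address(dst_ip)
        for r in self.ruledefs:
            if ip in r.learnt:
                return r.name, r.action
        return None, "no-match"

def demo():
    # Both q-names resolve to 162.168.10.2; the cnn block rule sits at lower priority.
    s = DnsSnooper([DomainRuledef("fb", "www.facebook.com", 10, "allow"),
                    DomainRuledef("cnn", "www.cnn.com", 20, "block")],
                   valid_dns_servers=["10.0.0.53"])
    s.snoop("10.0.0.53", "www.facebook.com", ["162.168.10.2"])
    s.snoop("10.0.0.53", "www.cnn.com", ["162.168.10.2"])
    s.snoop("192.0.2.99", "www.cnn.com", ["203.0.113.7"])  # subscriber-run DNS
    return s.match("162.168.10.2"), s.match("203.0.113.7")
```

demo() returns the allow match for 162.168.10.2 (cnn traffic free-rated by the facebook rule) and no match for the address offered by the unlisted server, which was never learnt.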

IP Readdressing

The IP Readdressing feature enables redirecting unknown gateway traffic, based on the destination IP address of the packets, to known/trusted gateways.

IP Readdressing is configured in the flow action defined in a charging action. IP readdressing works for traffic that matches a particular ruledef, and hence the charging action. IP readdressing is applicable to both uplink and downlink traffic. In the Enhanced Charging Subsystem, uplink packets are modified after packet inspection, rule matching, and so on, once the destination IP/port is determined: the destination IP/port is replaced with the readdress IP/port just before the packets are sent out. Downlink packets (carrying the readdressed IP/port) are modified as soon as they are received, before packet inspection: the source IP/port is replaced with the original server IP/port number.

For one flow from an MS, if one packet is re-addressed, then all the packets in that flow will be re-addressed to the same server. Features like DPI and rule matching remain unaffected. Each IP address + port combination is defined as a ruledef.
▄ Cisco ASR 5x00 Enhanced Charging Services Administration Guide