TCP Robustness Compliance with RFC 5961

Feature Summary and Revision History

Summary Data

Applicable Products or Functional Area: P-GW

Applicable Platforms:

  • ASR 5500

  • VPC-SI

Feature Default: Disabled - Configuration Required

Related Changes in This Release: Not applicable

Related Documentation:

  • Command Line Interface Reference

  • ECS Administration Guide

  • Statistics and Counters Reference

Revision History

Revision Details                Release
First introduced.               21.27

Feature Description

P-GW supports TCP Reset (RST) in compliance with RFC 5961. This feature is enabled only when P-GW is in non-proxy mode, and when the connection is in an established state. On receiving the in-sequence TCP RST packets, the P-GW changes the connection to the closed state. This feature supports handling of Out-Of-Sequence (OOS) RST packets in compliance with RFC 5961. Use the tcp rst-robustness CLI in the ACS configuration mode to enable the TCP robustness RFC 5961. The feature is disabled by default.

How it Works

When a TCP RST packet arrives while the connection is in the established state, the P-GW performs the following actions:

  1. If the RST bit is set and the sequence number is outside the current receive window, TCP ignores the segment.

  2. If the RST bit is set and the sequence number matches the next expected sequence number (RCV.NXT), TCP must reset the connection.

  3. If the RST bit is set and the sequence number does not match the next expected sequence number but is within the current receive window, the RST is not processed and a challenge-ack timer starts. The challenge-ack timer is the same as the configured 2MSL timer. If the receiver of the OOS RST responds with a challenge-ack packet, the timer stops and the connection remains in the established state. If the TCP endpoint is not RFC 5961 compliant and does not send a challenge-ack, the P-GW closes the connection when the challenge-ack timer expires.

When an attacker injects an OOS RST packet into the TCP connection, the challenge-ack timer starts immediately. The peer sends a challenge-ack, the challenge-ack timer stops, and the connection remains in the established state. If there is no response to the challenge-ack, the traffic continues to flow.

In both scenarios, the P-GW does not block the challenge-ack (ACK + RST) and passes it to the remote end.
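As an added example (not Cisco's or StarOS code), the following Python models the three RST cases above and the challenge-ack timer as a middlebox would track them, keeping per-flow counters that correspond to the fields of the show active-charging analyzer statistics name tcp output; the timer length, sequence values and single-direction handling are assumptions.

```python
# Added example: RFC 5961 RST classification and challenge-ack timer model.
# RCV.NXT / RCV.WND are the receiving endpoint's values as tracked by the
# middlebox; msl2 is the configured 2MSL timer in seconds (assumed input).
from dataclasses import dataclass, field
from typing import Dict, Optional

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return rcv_wnd > 0 and (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Return 'in-seq' (SEQ == RCV.NXT), 'oos' (in window, not RCV.NXT) or 'oow'."""
    if seq % SEQ_MOD == rcv_nxt % SEQ_MOD:
        return "in-seq"
    return "oos" if in_window(seq, rcv_nxt, rcv_wnd) else "oow"


@dataclass
class Flow:
    rcv_nxt: int
    rcv_wnd: int
    msl2: float
    state: str = "ESTABLISHED"
    deadline: Optional[float] = None  # challenge-ack timer expiry, if running
    stats: Dict[str, int] = field(default_factory=lambda: {
        "in_seq_rst": 0, "oos_rst": 0, "oow_rst": 0,
        "challenge_ack": 0, "challenge_ack_timeout": 0})

    def on_rst(self, seq: int, now: float) -> str:
        kind = classify_rst(seq, self.rcv_nxt, self.rcv_wnd)
        if kind == "in-seq":
            self.stats["in_seq_rst"] += 1
            self.state = "CLOSED"          # step 2: reset the connection
        elif kind == "oos":
            self.stats["oos_rst"] += 1
            if self.deadline is None:      # step 3: start the challenge-ack timer
                self.deadline = now + self.msl2
        else:
            self.stats["oow_rst"] += 1     # step 1: ignore the segment
        return kind

    def on_challenge_ack(self) -> None:
        """Peer answered the OOS RST with a challenge-ack: stop the timer, stay open."""
        self.stats["challenge_ack"] += 1
        self.deadline = None

    def tick(self, now: float) -> None:
        """Timer expired with no challenge-ack: endpoint is noncompliant, close."""
        if self.deadline is not None and now >= self.deadline:
            self.stats["challenge_ack_timeout"] += 1
            self.deadline = None
            self.state = "CLOSED"
```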

Configuring TCP RST Robustness

Use the following configuration to configure the TCP RST robustness:

configure
   active-charging service acs_service_name
      rulebase rulebase_name
         tcp rst-robustness
         end

NOTES:

  • rulebase rulebase_name: Specifies the name of an ACS rulebase to be configured.

  • tcp rst-robustness: Enables or disables TCP RST robustness as per RFC 5961. By default, TCP RST robustness is disabled.

Monitoring and Troubleshooting

This section provides information to monitor and troubleshoot this feature using show commands.

Show Commands and Outputs

This section provides information about the show commands and outputs.

show active-charging analyzer statistics name tcp

Table 1. show active-charging analyzer statistics name tcp Command Output Descriptions

Field                                     Description
Uplink In Sequence RST Pkts               The total number of uplink in-sequence RST packets received.
Downlink In Sequence RST Pkts             The total number of downlink in-sequence RST packets received.
Uplink Out of Order RST Pkts              The total number of uplink OOS RST packets received.
Downlink Out of Order RST Pkts            The total number of downlink OOS RST packets received.
Uplink Out of Window RST Pkts             The total number of uplink Out of Window (OOW) RST packets received.
Downlink Out of Window RST Pkts           The total number of downlink OOW RST packets received.
Uplink Challenge-Ack RST Pkts             The total number of uplink challenge-ack packets received.
Downlink challenge-ack RST Pkts           The total number of downlink challenge-ack packets received.
Uplink challenge-ack RST Pkts Timeout     The total number of uplink challenge-ack packets not received within the 2MSL time.
Downlink challenge-ack RST Pkts Timeout   The total number of downlink challenge-ack packets not received within the 2MSL time.