Managing sessions, Overview, Session management principle – H3C Technologies H3C SecBlade LB Cards User Manual
Managing sessions
Overview
Session management is a common feature designed to implement session-based services such as NAT
and intrusion protection. Session management treats packet exchanges at the transport layer as sessions,
and updates the session status or ages sessions out according to information in the initiator or responder
packet.
Session management allows multiple features to process the same service packet. Session management
can be applied to the following purposes:
• Fast match between packets and sessions
• Management of transport layer protocol states
• Identification of application layer protocols
• Session aging based on protocol state or application layer protocol type
• Persistent sessions
• Checksum verification for transport layer protocol packets
• Special packet match for the application layer protocols requiring port negotiation
• Resolution of ICMP error control packets and session match based on resolution results
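An added Python example (not H3C code) of the last item above: it reads the IPv4 header and the first 8 transport-layer bytes quoted in an ICMP error packet, finds the session they belong to, and shortens that session's aging time. The session table layout, the function names, the handled ICMP types, and the FAST_AGING_SECONDS value are assumptions made for the illustration.

```python
import socket
import struct

# ICMPv4 error types handled here: destination unreachable, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 11, 12}
TCP, UDP = 6, 17
FAST_AGING_SECONDS = 10  # assumed value, not taken from the manual


def embedded_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) of the packet quoted in an ICMP error, or None."""
    if len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]  # quoted original IPv4 header plus first 8 payload bytes
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    proto = inner[9]
    if version != 4 or ihl < 20 or proto not in (TCP, UDP) or len(inner) < ihl + 4:
        return None  # malformed, truncated, or not a TCP/UDP flow
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)


def age_out_on_icmp_error(sessions: dict, icmp: bytes):
    """Find the original session for an ICMP error and shorten its aging time."""
    flow = embedded_flow(icmp)
    if flow is None:
        return None
    proto, src, sport, dst, dport = flow
    # The quoted packet may have been sent by the initiator or by the responder.
    for key in (flow, (proto, dst, dport, src, sport)):
        if key in sessions:
            sessions[key]["aging"] = min(sessions[key]["aging"], FAST_AGING_SECONDS)
            return key
    return None  # no session matches: the error is ignored


def build_icmp_error(icmp_type, code, proto, src, sport, dst, dport):
    """Construct a sample ICMP error (checksums left zero; this example does not verify them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)


if __name__ == "__main__":
    table = {(UDP, "192.0.2.10", 40000, "198.51.100.5", 53): {"aging": 60}}  # constructed sample
    err = build_icmp_error(3, 3, UDP, "192.0.2.10", 40000, "198.51.100.5", 53)
    print(age_out_on_icmp_error(table, err), table)
```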
Session management principle
Session management tracks the connection status by inspecting the transport layer protocol (TCP or UDP)
information, and performs unified status maintenance and management of all connections.
The session management function only implements connection status tracking. It does not block potential
attack packets.
Session management implementation
The session management feature provides the following functions:
• Supporting session creation, session status update, and session timeout setting based on protocol
state for IPv4 TCP, UDP, ICMP, and Raw IP sessions.
• Supporting port mapping for application layer protocols and allowing application layer protocols
to use customized ports and session timeout intervals.
• Supporting ICMP error packet mapping and allowing the system to search for original sessions
according to the payloads of these packets. Because ICMP error packets are generated due to
errors, this helps speed up the aging of the original sessions.
• Supporting persistent sessions. You can specify the TCP sessions that meet certain criteria as the
persistent sessions. Only TCP sessions in the ESTABLISHED state can be specified as persistent
sessions. The aging time of a persistent session does not change with the session state transitions,
and a persistent session is not removed even if no packets match it. A persistent session can be
configured with a longer aging time or configured to never age out. A never-age-out session can be