From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Subject: Dynamically Re-arranged Access Lists?
> I just got back from ComNet '95 in D.C., and heard some rather
> disturbing "info" from a firewall vendor who shall remain nameless.
> He claimed that some manufacturer's routers (wouldn't specify) will
> re-arrange the order in which ACL entries are processed for efficiency
> reasons, possibly leading to unintended results such as packets getting
> through that should have been blocked.
Said firewall vendor is blowing smoke up your butt. Flame him.
I know of at least one vendor that does what you're describing, but
the conclusion you were fed is BS.
I'm going to assume you're talking about cisco, since I've heard of people
complaining about this feature in cisco routers, but if you look more
closely at it, it's not a bug at all...
(A) THIS APPLIES ONLY TO SIMPLE ACCESS LISTS
(B) THIS APPLIES ONLY TO SIMPLE ACCESS LISTS FOR INDIVIDUAL HOSTS
Now...
For SIMPLE ACCESS LISTS ONLY (e.g. in the range 1-99), we will rearrange the
order of HOST access lists:
e.g. if you enter:
access-list 1 permit 1.2.3.4
access-list 1 permit 4.5.6.7
access-list 1 permit 3.4.5.6
access-list 1 permit 160.131.0.0 0.0.255.255
access-list 1 deny 160.131.2.0 0.0.0.255
access-list 1 deny 160.131.5.1
we would likely arrange it along the lines of:
access-list 1 permit 1.2.3.4
access-list 1 permit 3.4.5.6
access-list 1 permit 4.5.6.7
access-list 1 deny 160.131.5.1
access-list 1 permit 160.131.0.0 0.0.255.255
access-list 1 deny 160.131.2.0 0.0.0.255
The idea here is that you can ALWAYS get away with rearranging host-specific
stuff (**NOT** host/mask stuff) in any order you want (we throw them into
hash chains for quick processing), because there's no interesting relationship
between the permit/deny sequence. If you put a permit 160.131.5.1 in your
simple acl, you meant it. There's nothing more specific that's going to
change that further down the line. Therefore, for performance reasons, you
can put the single-host simple permit/denys in any order.
The trick here is that you don't want to muck up the order of the permit/denys
that have any mask specifications, so we NEVER touch that order, nor do we
ever touch the ordering of extended ACLs because that would make a difference
in evaluation.
So the long and the short is that we do reorder things, and it doesn't make
any difference unless the author of the list was being deliberately dense
beyond a reasonable expectation of denseness.
Sorry some firewall vendor was giving you BS. If you feel like telling me
who it was in private, I'll gladly send him a polite note explaining what's
up. :-)
Paul
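The following is an added example, not code from either poster or from any router vendor. It simulates the two evaluation strategies Paul describes for a standard (1-99) access list: plain top-to-bottom first match, and the reordered form in which single-host entries go into a hash table consulted first while mask entries keep their original relative order. Run against the list from the post it shows where the two agree and where they diverge: the only entries whose effect changes are host entries that an earlier mask entry already covers, which is the "dense" case Paul refers to. The wildcard-mask matching, the implicit deny at the end, and the rule that the first host entry for a given address wins are assumptions made for the simulation; the exact display order of a real router is not claimed.

```python
import ipaddress

# Constructed example: the standard ACL from the post, in the order it was entered.
# Each entry is (action, address, wildcard); a wildcard of 0.0.0.0 is a single host.
ENTERED = [
    ("permit", "1.2.3.4", "0.0.0.0"),
    ("permit", "4.5.6.7", "0.0.0.0"),
    ("permit", "3.4.5.6", "0.0.0.0"),
    ("permit", "160.131.0.0", "0.0.255.255"),
    ("deny", "160.131.2.0", "0.0.0.255"),
    ("deny", "160.131.5.1", "0.0.0.0"),
]

HOST_WILDCARD = "0.0.0.0"


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def matches(entry, addr):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    _, net, wild = entry
    care = ~ip_int(wild) & 0xFFFFFFFF
    return (ip_int(net) & care) == (addr & care)


def first_match(entries, addr):
    """Plain top-to-bottom evaluation with the implicit deny at the end (assumption)."""
    for entry in entries:
        if matches(entry, addr):
            return entry[0]
    return "deny"


def reorder(entries):
    """Model of the reordering the post describes: host entries go into a hash
    table, mask entries keep their original relative order."""
    hosts = {}
    masked = []
    for entry in entries:
        action, net, wild = entry
        if wild == HOST_WILDCARD:
            hosts.setdefault(ip_int(net), action)  # first host entry for an address wins (assumption)
        else:
            masked.append(entry)
    return hosts, masked


def hashed_match(hosts, masked, addr):
    """Evaluate the reordered list: host hash first, then masked entries in order."""
    if addr in hosts:
        return hosts[addr]
    return first_match(masked, addr)


def as_reordered_list(entries, number=1):
    """Render the list the way the reordered form reads: hosts first, then masks.
    Hosts are sorted numerically here only for readability (assumption)."""
    hosts, masked = reorder(entries)
    lines = [f"access-list {number} {hosts[h]} {ipaddress.IPv4Address(h)}" for h in sorted(hosts)]
    lines += [f"access-list {number} {a} {n} {w}" for a, n, w in masked]
    return lines


def compare(entries, addrs):
    """Map each address to (first_match result, reordered result)."""
    hosts, masked = reorder(entries)
    return {a: (first_match(entries, ip_int(a)), hashed_match(hosts, masked, ip_int(a)))
            for a in addrs}


def shadowed_hosts(entries):
    """Host entries that an earlier mask entry already covers. Under first-match
    evaluation these are dead; once hosts are hashed ahead of the masks they take
    effect, so they are the only entries where the two evaluations can differ."""
    out = []
    masked_so_far = []
    for entry in entries:
        _, net, wild = entry
        if wild == HOST_WILDCARD:
            if any(matches(m, ip_int(net)) for m in masked_so_far):
                out.append(entry)
        else:
            masked_so_far.append(entry)
    return out


if __name__ == "__main__":
    print("\n".join(as_reordered_list(ENTERED)))
    for addr, (plain, hashed) in compare(ENTERED, ["1.2.3.4", "160.131.2.9", "160.131.5.1", "9.9.9.9"]).items():
        print(f"{addr:>14}: first-match={plain:6} reordered={hashed}")
    print("shadowed host entries:", shadowed_hosts(ENTERED))
```

The `shadowed_hosts` check is the practical takeaway: before trusting a standard ACL on a platform that hashes host entries, confirm that no single-host line sits below a mask line that already covers it, since that line is dead in one evaluation order and live in the other.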