Page History
...
- Rejected - packet swallowed
- Inspected - packet contents passed onto the next stage of inspection
- Ignored - packet forwarded without any further inspection
| OSI Layer | Rejected | Inspected | Ignored |
|---|---|---|---|
| DataLink [2] | QinQ | Ethernet, VLAN | everything else |
| Network [3] | IPv6, IPv4JUMBO | IPv4 | everything else |
| Transport [4] | - | TCP | everything else |
| Application [7] | everything else | FIX | BGP |
| Warning | ||
|---|---|---|
| ||
|
TCP Whitelists & Network Address Translation
...
The message parsers must consume complete messages one at a time, and in order. However, the TCP protocol delivers only a stream of bytes, possibly segmented differently from the messages. This mismatch in segmentation means that sometimes, Reflector is required to store packets containing partial messages while manufacturing/manipulating TCP ACKs. TCP frames manufactured by
Reflector can be identified by their unusual IPv4ID and TTL values.
Session Termination
Reflector's parser can return error for a variety of reasons: logon fail, wrong protocol, sanity checks, etc. Some exogenous factors can also call for immediate termination: session timeout, disabled credential, UNPLUG mode, etc. The session store executes this directive by generating a pair of TCP RST frames for each affected session.
| Session Drop Reason | Source | Executor | RST Generated | Description |
|---|---|---|---|---|
| TCP_FIN_ACK | wire | SessionStore | N | Normal bilateral TCP termination |
| TCP_RESET | wire | SessionStore | N | Unilateral (client) TCP reset |
| LOGIN_FAIL | wire | Risk Instance | Y | Logon credential check failed |
| PARSE_ERROR | wire | FIX Message Parser | Y | Message syntax error |
| EXPIRED | metronome | SessionStore | Y | Session heartbeat expired |
| SEND_FAIL_LIMIT | wire | SessionStore | N | send() failed too many times |
| TRADER_IP_REMOVED | web server | SessionStore | Y | Associated trader IP removed |
| VENUE_IP_REMOVED | web server | SessionStore | Y | Associated venue IP removed |
| CREDENTIAL_DISABLED | web server | Risk Instance | Y | Associated credential disabled |
| GROUP_DISABLED | web server | Risk Instance | Y | Associated risk pool disabled |
| DEAD_MAN_SWITCH | metronome | Risk Instance | Y | Risk pool DMS heartbeat expired |
| SHUTDOWN | web server | Risk Instance | Y | Shutdown command received |
Broken Session
If Reflector receives a TCP packet that fits the following requirements, it swallows the packet and generates a TCP RST packet in the reverse direction
- TCP packet is not part of a BGP session
- TCP packet cannot be matched to an existing session
- TCP packet is not an outbound SYN packet
Ethernet Loop Detection
Reflector periodically emits a packet with a custom EtherType and other unique identications. If Reflector captures a packet it has emitted in the opposite direction, it will schedule an orderly shutdown.
Overview
Content Tools