* [dpdk-users] Security Block TLS
@ 2018-05-02 16:30 Konstantinos Schoinas
2018-05-03 6:23 ` Shyam Shrivastav
0 siblings, 1 reply; 2+ messages in thread
From: Konstantinos Schoinas @ 2018-05-02 16:30 UTC (permalink / raw)
To: users
Hello,
I wanna create a dpdk application that do something like this: Implement
a simple blacklist with FQDN patterns. The dpdk app must extract the SNI
from the Client Hello message of the TLS exchange. It will then check
the SNI against the blacklist. If it matches, VNF shall block (drop
packets) the TLS session, effectively disallowing the user from visiting
the particular secure site.
Can anyone give me any good information on what tools, libraries or
sample applications I can use in order to create something like that?
Thanks for your time,
Konstantinos
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [dpdk-users] Security Block TLS
2018-05-02 16:30 [dpdk-users] Security Block TLS Konstantinos Schoinas
@ 2018-05-03 6:23 ` Shyam Shrivastav
0 siblings, 0 replies; 2+ messages in thread
From: Shyam Shrivastav @ 2018-05-03 6:23 UTC (permalink / raw)
To: Konstantinos Schoinas; +Cc: users
As I understand
Step 1: Generic implementation : TCP segments need to be filtered, if
destination port numbers are fixed/known ACL can include that else just
based on IP protocol field
http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
http://dpdk.org/doc/guides/prog_guide/packet_framework.html
http://dpdk.org/doc/guides/sample_app_ug/ip_pipeline.html
http://dpdk.org/doc/guides/sample_app_ug/l3_forward_access_ctrl.html
However if your requirement is very specific as described, packets in burst
can be read from port (see following link for example) and packets with ip
protocol as TCP filtered for further processing
http://dpdk.org/doc/guides/sample_app_ug/skeleton.html
Step 2: Generic pattern matching : Intel Hyperscan can be integrated with
dpdk and used, it works. https://www.hyperscan.io/
Else you can just compare and filter by hardcoded string if use case is
very specific, that is just catching client hello message and then
filtering out based on certain field value.
On Wed, May 2, 2018 at 10:00 PM, Konstantinos Schoinas <ece8537@upnet.gr>
wrote:
> Hello,
>
> I wanna create a dpdk application that do something like this: Implement a
> simple blacklist with FQDN patterns. The dpdk app must extract the SNI from
> the Client Hello message of the TLS exchange. It will then check the SNI
> against the blacklist. If it matches, VNF shall block (drop packets) the
> TLS session, effectively disallowing the user from visiting the particular
> secure site.
>
> Can anyone give me any good information on what tools, libraries or sample
> applications I can use in order to create something like that?
>
> Thanks for your time,
>
> Konstantinos
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-05-03 6:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-02 16:30 [dpdk-users] Security Block TLS Konstantinos Schoinas
2018-05-03 6:23 ` Shyam Shrivastav
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).