Re: [dpdk-users] Security Block TLS

DPDK usage discussions
 help / color / mirror / Atom feed

From: Shyam Shrivastav <shrivastav.shyam@gmail.com>
To: Konstantinos Schoinas <ece8537@upnet.gr>
Cc: users <users@dpdk.org>
Subject: Re: [dpdk-users] Security Block TLS
Date: Thu, 3 May 2018 11:53:14 +0530	[thread overview]
Message-ID: <CAGSp03=6sOV_tzoqGjJCBsQnRy1pv+VnutJLmeh1jgrcdcJkWA@mail.gmail.com> (raw)
In-Reply-To: <1e68674367022360d7f6973e295dd004@upnet.gr>

As I understand

Step 1:  Generic implementation : TCP segments need to be filtered, if
destination port numbers are fixed/known ACL can include that else just
based on IP protocol field

http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
http://dpdk.org/doc/guides/prog_guide/packet_framework.html
http://dpdk.org/doc/guides/sample_app_ug/ip_pipeline.html
http://dpdk.org/doc/guides/sample_app_ug/l3_forward_access_ctrl.html

However if your requirement is very specific as described, packets in burst
can be read from port (see following link for example) and packets with ip
protocol as TCP  filtered for further processing

http://dpdk.org/doc/guides/sample_app_ug/skeleton.html

 Step 2:  Generic pattern matching : Intel Hyperscan can be integrated with
dpdk and used, it works.   https://www.hyperscan.io/

Else you can just compare and filter by hardcoded string if use case is
very specific, that is just catching client hello message and then
filtering out based on certain field value.


On Wed, May 2, 2018 at 10:00 PM, Konstantinos Schoinas <ece8537@upnet.gr>
wrote:

> Hello,
>
> I wanna create a dpdk application that do something like this: Implement a
> simple blacklist with FQDN patterns. The dpdk app must extract the SNI from
> the Client Hello message of the TLS exchange. It will then check the SNI
> against the blacklist. If it matches, VNF shall block (drop packets) the
> TLS session, effectively disallowing the user from visiting the particular
> secure site.
>
> Can anyone give me any good information on what tools, libraries or sample
> applications I can use in order to create something like that?
>
> Thanks for your time,
>
> Konstantinos
>

     prev parent reply	other threads:[~2018-05-03  6:23 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-02 16:30 Konstantinos Schoinas
2018-05-03  6:23 ` Shyam Shrivastav [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGSp03=6sOV_tzoqGjJCBsQnRy1pv+VnutJLmeh1jgrcdcJkWA@mail.gmail.com' \
    --to=shrivastav.shyam@gmail.com \
    --cc=ece8537@upnet.gr \
    --cc=users@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).