In-Reply-To: <1e68674367022360d7f6973e295dd004@upnet.gr>
References:
<1e68674367022360d7f6973e295dd004@upnet.gr>
From: Shyam Shrivastav
Date: Thu, 3 May 2018 11:53:14 +0530
To: Konstantinos Schoinas
Cc: users
Subject: Re: [dpdk-users] Security Block TLS
List-Id: DPDK usage discussions

As I understand:

Step 1: Generic implementation: TCP segments need to be filtered. If the destination port numbers are fixed/known, the ACL can include that; else filter just based on the IP protocol field.
http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
http://dpdk.org/doc/guides/prog_guide/packet_framework.html
http://dpdk.org/doc/guides/sample_app_ug/ip_pipeline.html
http://dpdk.org/doc/guides/sample_app_ug/l3_forward_access_ctrl.html

However, if your requirement is very specific as described, packets in a burst can be read from the port (see the following link for an example) and packets with IP protocol TCP filtered for further processing:
http://dpdk.org/doc/guides/sample_app_ug/skeleton.html

Step 2: Generic pattern matching: Intel Hyperscan can be integrated with DPDK and used; it works.
https://www.hyperscan.io/

Else you can just compare and filter by a hardcoded string if the use case is very specific, that is, just catching the Client Hello message and then filtering out based on a certain field value.

On Wed, May 2, 2018 at 10:00 PM, Konstantinos Schoinas wrote:
> Hello,
>
> I want to create a DPDK application that does something like this: implement a
> simple blacklist with FQDN patterns. The DPDK app must extract the SNI from
> the Client Hello message of the TLS exchange. It will then check the SNI
> against the blacklist. If it matches, the VNF shall block (drop packets) the
> TLS session, effectively disallowing the user from visiting the particular
> secure site.
>
> Can anyone give me any good information on what tools, libraries or sample
> applications I can use in order to create something like that?
>
> Thanks for your time,
>
> Konstantinos
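Added example, not code from either message in this thread: the "certain field value" Shyam refers to is the host_name inside the ClientHello's server_name extension, and the safest way to reach it is to walk the TLS length fields rather than search the payload for a string (a bare substring match can also fire on the random or session_id bytes, and "example.com" as a substring would match "notexample.com"). The block below is a bounds-checked ClientHello parser plus a label-aligned, case-insensitive FQDN blacklist check, written in plain C so it compiles without DPDK; `buf`/`len` stand in for the TCP payload, which a DPDK worker would take from the mbuf (for instance via rte_pktmbuf_mtod_offset() past the Ethernet, IP and TCP headers). The function names (`sni_extract`, `sni_blacklisted`, `should_drop`), the `BLACKLIST` entries and the packet bytes are all constructed for the example. One caveat it handles explicitly: a ClientHello can arrive split across TCP segments (or across TLS records), in which case the parser reports `SNI_TRUNCATED` and the caller needs reassembly before it can judge the flow.

```c
/* Added example (not from the dpdk-users thread): extract the SNI host_name from a
 * TLS ClientHello with every length checked, then match it against an FQDN blacklist.
 * buf/len = TCP payload; in DPDK that comes from the mbuf. Packet bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_REC_HANDSHAKE   0x16
#define TLS_HS_CLIENT_HELLO 0x01
#define TLS_EXT_SERVER_NAME 0x0000
#define SNI_TYPE_HOST_NAME  0x00

enum sni_status {
    SNI_FOUND,            /* host_name copied to out */
    SNI_ABSENT,           /* well-formed ClientHello without a server_name extension */
    SNI_NOT_CLIENT_HELLO, /* not a handshake record carrying a ClientHello */
    SNI_TRUNCATED,        /* record/handshake longer than the bytes given: split across segments */
    SNI_MALFORMED         /* inconsistent length fields */
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
static size_t be24(const uint8_t *p) { return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2]; }

/* Walk one TLS record; every length is validated against the bytes actually present. */
enum sni_status sni_extract(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    if (len < 5 || buf[0] != TLS_REC_HANDSHAKE) return SNI_NOT_CLIENT_HELLO;
    size_t rec_len = be16(buf + 3);                    /* record: type(1) version(2) len(2) */
    if (5 + rec_len > len) return SNI_TRUNCATED;
    len = 5 + rec_len;                                 /* parse only this record */
    size_t off = 5;
    if (off + 4 > len) return SNI_MALFORMED;           /* handshake: msg_type(1) len(3) */
    if (buf[off] != TLS_HS_CLIENT_HELLO) return SNI_NOT_CLIENT_HELLO;
    size_t hs_len = be24(buf + off + 1);
    off += 4;
    if (off + hs_len > len) return SNI_TRUNCATED;      /* ClientHello continues in next record */
    len = off + hs_len;
    if (off + 34 > len) return SNI_MALFORMED;          /* client_version(2) + random(32) */
    off += 34;
    if (off + 1 > len) return SNI_MALFORMED;           /* session_id<0..32> */
    size_t sid_len = buf[off++];
    if (sid_len > 32 || off + sid_len > len) return SNI_MALFORMED;
    off += sid_len;
    if (off + 2 > len) return SNI_MALFORMED;           /* cipher_suites<2..2^16-2>, even length */
    size_t cs_len = be16(buf + off); off += 2;
    if (cs_len < 2 || (cs_len & 1) || off + cs_len > len) return SNI_MALFORMED;
    off += cs_len;
    if (off + 1 > len) return SNI_MALFORMED;           /* compression_methods<1..2^8-1> */
    size_t cm_len = buf[off++];
    if (cm_len < 1 || off + cm_len > len) return SNI_MALFORMED;
    off += cm_len;
    if (off == len) return SNI_ABSENT;                 /* extensions block is optional */
    if (off + 2 > len) return SNI_MALFORMED;
    size_t ext_total = be16(buf + off); off += 2;
    if (off + ext_total != len) return SNI_MALFORMED;
    while (off + 4 <= len) {                           /* extension: type(2) len(2) data */
        size_t ext_type = be16(buf + off), ext_len = be16(buf + off + 2);
        off += 4;
        if (off + ext_len > len) return SNI_MALFORMED;
        if (ext_type == TLS_EXT_SERVER_NAME) {
            const uint8_t *p = buf + off;
            size_t rem = ext_len;
            if (rem < 2 || be16(p) != rem - 2) return SNI_MALFORMED;  /* server_name_list len */
            p += 2; rem -= 2;
            while (rem >= 3) {                         /* ServerName: name_type(1) len(2) name */
                uint8_t name_type = p[0];
                size_t name_len = be16(p + 1);
                p += 3; rem -= 3;
                if (name_len > rem) return SNI_MALFORMED;
                if (name_type == SNI_TYPE_HOST_NAME) {
                    /* Reject empty names, embedded NULs and names longer than the caller's
                     * buffer; never truncate, a cut name could slip past the blacklist. */
                    if (name_len == 0 || memchr(p, '\0', name_len) || name_len >= out_len)
                        return SNI_MALFORMED;
                    memcpy(out, p, name_len); out[name_len] = '\0';
                    return SNI_FOUND;
                }
                p += name_len; rem -= name_len;
            }
            return SNI_MALFORMED;                      /* server_name list without a host_name */
        }
        off += ext_len;
    }
    return off == len ? SNI_ABSENT : SNI_MALFORMED;
}

static int ascii_ieq(const char *a, const char *b, size_t n)   /* ASCII case-insensitive compare */
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 32;
        if (y >= 'A' && y <= 'Z') y += 32;
        if (x != y) return 0;
    }
    return 1;
}

/* 1 if host equals an entry or is a subdomain of it: label-aligned suffix match,
 * case-insensitive, trailing dot ignored. A substring test would also hit "notexample.com". */
int sni_blacklisted(const char *host, const char *const *bl, size_t n)
{
    size_t hlen = strlen(host);
    if (hlen && host[hlen - 1] == '.') hlen--;
    for (size_t i = 0; i < n; i++) {
        size_t blen = strlen(bl[i]);
        if (blen == 0 || blen > hlen) continue;
        const char *tail = host + (hlen - blen);
        if (ascii_ieq(tail, bl[i], blen) && (blen == hlen || tail[-1] == '.')) return 1;
    }
    return 0;
}

static const char *const BLACKLIST[] = { "example.com", "blocked.test" };   /* constructed */
#define BLACKLIST_N (sizeof BLACKLIST / sizeof BLACKLIST[0])

/* Fast-path verdict for one TCP payload: drop only on a positive match. No SNI, non-TLS or
 * truncated data is passed; a truncated ClientHello needs reassembly before it can be judged. */
int should_drop(const uint8_t *payload, size_t len)
{
    char host[256];
    if (sni_extract(payload, len, host, sizeof host) != SNI_FOUND) return 0;
    return sni_blacklisted(host, BLACKLIST, BLACKLIST_N);
}

/* Constructed TLS 1.2 ClientHello, 85 bytes: supported_versions ext, then server_name=www.example.com */
static const uint8_t CLIENT_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x50,                     /* record: handshake, legacy version, len 80 */
    0x01, 0x00, 0x00, 0x4c,                           /* ClientHello, len 76 */
    0x03, 0x03,                                       /* client_version TLS 1.2 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,  /* random */
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17, 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
    0x00,                                             /* session_id: empty */
    0x00, 0x04, 0x13, 0x01, 0x13, 0x02,               /* 2 cipher suites */
    0x01, 0x00,                                       /* compression: null */
    0x00, 0x1f,                                       /* extensions len 31 */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,         /* supported_versions (skipped by parser) */
    0x00, 0x00, 0x00, 0x14,                           /* server_name ext, len 20 */
    0x00, 0x12,                                       /* server_name_list len 18 */
    0x00, 0x00, 0x0f,                                 /* host_name, len 15 */
    'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};
static const uint8_t HTTP_GET[] = "GET / HTTP/1.1\r\n";          /* constructed non-TLS payload */

enum sni_status sni_status_of(const uint8_t *buf, size_t len)    /* status only, for quick checks */
{
    char scratch[256];
    return sni_extract(buf, len, scratch, sizeof scratch);
}

int main(void)
{
    char host[256];
    enum sni_status st = sni_extract(CLIENT_HELLO, sizeof CLIENT_HELLO, host, sizeof host);
    printf("status=%d sni=%s drop=%d\n", st, st == SNI_FOUND ? host : "-",
           should_drop(CLIENT_HELLO, sizeof CLIENT_HELLO));
    printf("first 40 bytes only: status=%d (SNI_TRUNCATED=%d)\n", sni_status_of(CLIENT_HELLO, 40), SNI_TRUNCATED);
    return 0;
}
```

In a DPDK pipeline this sits after the ACL/protocol filter from Step 1: for each TCP payload in the burst, `should_drop()` returning 1 means free the mbuf instead of forwarding it, and since only the first data segment of a flow carries the ClientHello, a real deployment would also remember the verdict per 5-tuple so the remaining segments of a blocked session are dropped as well.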