[dpdk-users] Security Block TLS

[Shyam Shrivastav]

As I understand

Step 1:  Generic implementation : TCP segments need to be filtered, if
destination port numbers are fixed/known ACL can include that else just
based on IP protocol field

http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
http://dpdk.org/doc/guides/prog_guide/packet_framework.html
http://dpdk.org/doc/guides/sample_app_ug/ip_pipeline.html
http://dpdk.org/doc/guides/sample_app_ug/l3_forward_access_ctrl.html

However if your requirement is very specific as described, packets in burst
can be read from port (see following link for example) and packets with ip
protocol as TCP  filtered for further processing

http://dpdk.org/doc/guides/sample_app_ug/skeleton.html

 Step 2:  Generic pattern matching : Intel Hyperscan can be integrated with
dpdk and used, it works.   https://www.hyperscan.io/

Else you can just compare and filter by hardcoded string if use case is
very specific, that is just catching client hello message and then
filtering out based on certain field value.


On Wed, May 2, 2018 at 10:00 PM, Konstantinos Schoinas <ece8537 at upnet.gr>
wrote:

> Hello,
>
> I wanna create a dpdk application that do something like this: Implement a
> simple blacklist with FQDN patterns. The dpdk app must extract the SNI from
> the Client Hello message of the TLS exchange. It will then check the SNI
> against the blacklist. If it matches, VNF shall block (drop packets) the
> TLS session, effectively disallowing the user from visiting the particular
> secure site.
>
> Can anyone give me any good information on what tools, libraries or sample
> applications I can use in order to create something like that?
>
> Thanks for your time,
>
> Konstantinos
>