Hi Srini,

There is no "firewall" support in VPP, but rather a simple "stateful
ACL", "stateless ACL", and "classifier" (the latter can operate on
arbitrary bit-masked slice of the packet at fixed offsets).

ACL plugin deliberately provides only a very simple concept of
"stateful" ACL with very loose tracking of UDP (simple idle timeout)
and TCP (two-state idle timeout), with the state tracking being
confined to a per-interface - inbound ACL created state affects the
outbound ACL filtering and vice versa.

The reason for this is that with today's threat landscape there is
really no "chewy inside" vs "crunchy outside", and this is why you see
the leaders in the industry moving to various "zero trust" models.

In this light, implementing any ALG is a significant cost with much
smaller benefits, even not talking about it being a DoS vector itself.

In the same vein - if an application-level protocol exposes the
payload in cleartext in such a fashion that it allows one to inspect its
contents, it should not be used in any production network in 2020+.

For file transfers, SFTP/rsync/HTTPS provide perfectly usable options
(depending on the scenario).

For SIP, STUN/ICE are the industry standard mechanisms.

--a

p.s. I spent nearly a decade in 2000s resolving complex issues
involving ALGs on commercial firewalls, including those caused by
interactions of different stacks and vendors.
That experience contributed to my design decisions.
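As an added illustration (constructed here; not VPP's ACL plugin code and not from the author of this reply), a Python model of the reflexive, per-interface state tracking described above: a UDP session has a single idle timeout, a TCP session moves from a short transient timeout to a longer one once an ACK is seen, and state created by either direction's ACL is consulted by the other. The timeout values, the `permit_new` flag and the packet-dict format are assumptions of this model.

```python
from dataclasses import dataclass

# Placeholder timeouts for the model (assumed, not VPP's values).
UDP_IDLE_TIMEOUT = 30          # single idle timeout for UDP
TCP_TRANSIENT_TIMEOUT = 20     # TCP before an ACK is observed (state 1)
TCP_ESTABLISHED_TIMEOUT = 300  # TCP after an ACK is observed (state 2)

@dataclass
class Session:
    proto: str
    created_dir: str           # "in" or "out": which ACL created it
    last_seen: float
    established: bool = False  # the TCP two-state flag

    def timeout(self):
        if self.proto == "udp":
            return UDP_IDLE_TIMEOUT
        return TCP_ESTABLISHED_TIMEOUT if self.established else TCP_TRANSIENT_TIMEOUT

def key(pkt):
    # Normalise the 5-tuple so both directions of a flow share one entry.
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

class ReflexiveAcl:
    """One per-interface table shared by the inbound and outbound ACLs."""
    def __init__(self):
        self.sessions = {}

    def expire(self, now):
        # Loose tracking: entries simply age out on idle time, nothing more.
        self.sessions = {k: s for k, s in self.sessions.items()
                         if now - s.last_seen <= s.timeout()}

    def process(self, pkt, direction, now, permit_new):
        """True if the packet passes the ACL applied in `direction`."""
        self.expire(now)
        s = self.sessions.get(key(pkt))
        if s is not None:
            # Existing state permits the packet regardless of which
            # direction's ACL created it (inbound state affects outbound
            # filtering and vice versa).
            s.last_seen = now
            if pkt["proto"] == "tcp" and pkt.get("flags") == "ACK":
                s.established = True
            return True
        if not permit_new:        # this direction's rules reject new flows
            return False
        self.sessions[key(pkt)] = Session(pkt["proto"], direction, now)
        return True
```

Note that nothing here parses payloads: an FTP or SIP data connection on a port not covered by a static rule is a new flow with no state and is dropped when `permit_new` is false, which is the gap an ALG would otherwise fill.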

On 7/14/20, Srini <srinivasa.r.addepa...@intel.com> wrote:
> Hi VPP team,
>
> I understand that VPP has firewall and NAT support.
> Some protocols are complex sessions, where they have control and data
> connections.
> A few examples are SIP and FTP.
>
> In these protocols, the control connection service port is well known, but not
> the ports related to data connections.
> It is expected to have SIP ALG and FTP ALG which interpret the control
> connection data, figure out the port on which data connections would be made
> and open temporary firewall holes to allow data connections. Linux IPTables
> supports a few ALGs, but it is in the kernel.
>
> In that context, does VPP firewall/NAT feature support ALGs?  Sorry, if it
> is the question asked already. I tried to search, could not find the
> answer.
>
> Thanks in advance.
>
> Thanks
> Srini
>
>
>
View/Reply Online (#16964): https://lists.fd.io/g/vpp-dev/message/16964