Thanks Andrew. Good perspectives. I agree with everything you said. Middleboxes have lesser control due to end2end security protocols.
You might be surprised, but there are few legacy end devices that still require some protocol ALGs 😊 in the middleboxes. In any case, I got the answer, that is, VPP firewall is simpler stateful inspection firewall with no ALG support. BTW, on some other subject I had similar type of discussion with end2end security: 5G UPF as defined by 3GPP has traffic redirection feature for HTTP and SIP. Intention of this feature to provide URL redirection. It requires deep inspection of the payload to get hold of URL and then apply the traffic redirection rule. We were wondering whether this feature is valid as majority of HTTP transactions between UEs and Cloud services (or even among Micro-services) are HTTPS based. I was told that in some segments, clear traffic is not so uncommon. Thanks Srini -----Original Message----- From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Andrew Yourtchenko Sent: Tuesday, July 14, 2020 1:13 PM To: Addepalli, Srinivasa R <srinivasa.r.addepa...@intel.com> Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Firewall/NAT support for complex applications such as SIP, FTP etc.. Hi Srini, There is no "firewall" support in VPP, but rather a simple "stateful ACL", "stateless ACL", and "classifier" (the latter can operate on arbitrary bit-masked slice of the packet at fixed offsets). ACL plugin deliberately provides only a very simple concept of "stateful" ACL with very loose tracking of UDP (simple idle timeout) and TCP (two-state idle timeout), with the state tracking being confined to a per-interface - inbound ACL creaated state affects the outbound ACL filtering and vice versa. The reason for this is that with today's threat landscape there is really no "chewy inside" vs "crunchy outside", and this is why you see the leaders in the industry moving to various "zero trust" models. In this light, implementing any ALG is a significant cost with much smaller benefits, even not talking about it being a DoS vector itself. In the same vein - if an application-level protocol exposes the payload in cleartext in such a fashion that it allows to inspect its contents, it should not be used in any production network in 2020+. For file transfers, SFTP/rsync/HTTPS provide perfectly usable options (depending on the scenario). For SIP, STUN/ICE are the industry standard mechanisms. --a p.s. I spent nearly a decade in 2000s resolving complex issues involving ALGs on commercial firewalls, including those caused by interactions of different stacks and vendors. That experience contributed to my design decisions. On 7/14/20, Srini <srinivasa.r.addepa...@intel.com<mailto:srinivasa.r.addepa...@intel.com>> wrote: > Hi VPP team, > > I understand that VPP has firewall and NAT support. > Some protocols are complex sessions, where they have control and data > connections. > Few examples are SIP and FTP. > > In these protocols, control connection service port is well known, > but not the ports related to data connections. > It is expectation to have SIP ALG and FTP ALG which interpret the > control connection data, figure out the port on which data connections > would be made and open temporary firewall holes to allow data > connections. Linux IPTables support few ALGs, but it is in the Kernel. > > In that context, does VPP firewall/NAT feature support ALGs? Sorry, > if it is the question asked already. I tried to search, could not find > the answer. > > Thanks in advance. > > Thanks > Srini > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#16965): https://lists.fd.io/g/vpp-dev/message/16965 Mute This Topic: https://lists.fd.io/mt/75504468/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
