Dubai, 20 November 29 November 2012


II.5 Example policy rules for mixed (“stateful”) Application-dependent, Flow-independent/Flow-dependent DPI



Download 1.36 Mb.
Page18/31
Date23.04.2018
Size1.36 Mb.
#46650
1   ...   14   15   16   17   18   19   20   21   ...   31

II.5 Example policy rules for mixed (“stateful”) Application-dependent, Flow-independent/Flow-dependent DPI

II.5.1 Example “Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”


Example for a bidirectional, stateful DPI policy rule. Note: the rule itself illustrates just the principal proceeding, but is not necessarily sufficient for a real deployment.

Table II.5.1 – Example



DPI Policy Rule ("Detect TelephonyServiceX session establishment")

Rx: “…”, Id = …, precedence = …

Condition(s)

Action(s)

State S1:

If:


C1,1: "L4 protocol = UDP"

AND


C1,2: "L4 payload size = 18"

AND


C1,3: "3rd payload byte = 0x02"

Then:

A1,1: “save source IP transport address”

A1,2: “save destination IP transport address”

A1,3: “save first two bytes of L4 payload”

Comment: the flow descriptor are based here on the 5-tuple for the UDPoIP transport connection and locally stored.


State S2:

If:


C2,1: "Flow Descriptor in reverse direction = … (see A1,1 / A1,2)"

AND


C2,2: "L4 payload size = 11"

AND


C2,3: "first two bytes of L4 payload = … (see A1,3)"

AND


C2,4: "3rd payload byte: lower nibble = 7"

Then:

none


State S3:

If:


C3,1: " Flow Descriptor in initial direction = … (see A1,1 / A1,2)"

AND


C3,2: "L4 payload size = 23"

AND


C3,3: "first two bytes of L4 payload = … (see A1,3)"

AND


C3,4: "3rd payload byte: lower nibble = 3"

Then:

none


State S4:

If:


C4,1: " Flow Descriptor in reverse direction = … (see A1,1 / A1,2)"

AND


C4,2: "L4 payload size = 18"

AND


C4,3: "3rd payload byte = 0x02"

Then:

A4,1: “report “successfully TelephonyServiceX detected”


II.6 Examples of multiple, different DPI policy rules for the same DPI application

II.6.1 Example “Detection of Remote Telnet


The DPI policy rule may request to inspect for the (IP) application Remote Telnet. There are then two options:

1) the application identification may be solely based on a rule with just the flow level conditions if a well-known port is used (see Table II.6.1); or

2) another rule: an additional application level conditions would be required if application may not be derived from flow level condition (see Table II.6.2).

Table II.6.1 – Example



DPI Policy Rule ("Detection of Remote Telnet based on well-known port value")

Rx: “…”, Id = …, precedence = …

Condition(s)

Action(s)

If:

C1: "L4 Port = 107"
Then:

A1: “report Application Tag with value “Remote Telnet””



Table II.6.2 – Example

DPI Policy Rule ("Detection of Remote Telnet based on inspection of IP application protocol itself")

Rx: “…”, Id = …, precedence = …

Condition(s)

Action(s)

If:

C1: "L4+ PDU contains Remote Telnet specific control commands …"
Then:

A1: “report Application Tag with value “Remote Telnet””



This example illustrates application identification with and without “application payload” inspection”.

II.7 Further examples

II.7.1 Example for application detection without independent of flow descriptor usage or not


The purpose could be the detection of application “image objects encoded in JPEG File Interchange Format (JFIF)” (NOTE 1). This DPI application could be detected by monitoring traffic with or without a particular rule for flow identification because just an application-level condition would be sufficient..

NOTE 1 – Such a data object is typically carried within the payload of an application layer protocol. The DPI policy rule could contain the condition for searching the so-called JFIF-Tag equal to “FF E0 00 10 4A 46 49 46 00 01”.

Appendix III

Policy Enforcement Process

(This appendix does not form an integral part of this Recommendation)


III.1 Introduction


This appendix provides complementary information concerning the used concepts, terminology and example functional models in this Recommendation. This appendix is orthogonal to the requirements, as specified in the main body of this Recommendation.

III.2 (DPI) Policy rule

III.2.1 Concept


It may be noted that the used concept of a policy rule (see clause 3) is generic and thus applicable for DPI-specific policy rules, but also non-DPI related policing like for medium depth packet inspection (MPI) or shallow-depth packet inspection (SPI). Figure III.1 summarizes the used policy rule concept by this Recommendation. There are one or multiple (DPI) policy rules RDPI in place, called DPI policy rule set RDPI. The rules are stored in the DPI-PIB, which determines consequently the behaviour of the DPI-FE.

Any individual rule RDPI,i may contain one or multiple policy conditions Ck and one or multiple policy actions Am. It may be noted that every DPI policy requirement (as specified by this Recommendation) may be satisfied by this policy rule concept.


III.2.2 (DPI) Policy condition


The policy condition represents a logical function (which may lead typically to a compare operation or search operation on elements of the evaluated packet). Such a logical function may contain itself one or multiple literals (also known as simple versus compound policy conditions). Compound policy conditions are typically specified as Boolean normal form (like disjunctive normal form (DNF) or conjunctive normal form (CNF)), which may imply a correspondent conversion between the high level policy management and decision process towards the execution in the packet path by the DPI-FE (e.g., a compound policy condition in format “(C1C2)  C3 ) “ must be converted).

NOTE 1 –The applied structure (simple vs. compound) of policy conditions, and whether a policy rule provides only a single condition or multiple conditions per rule, is not relevant for this Recommendation. Because each specification structure for policy conditions (and rules) may be converted to each other. They are adequate from functional perspective.



Figure III.1 – Policy Enforcement Process – Example Structure of a (DPI) Policy Rule

It may be reminded again that the specification of explicit bindings between actions and conditions, and also the specification of entire DPI policy rules as such is out of scope of this Recommendation (see clause 1.1).

III.2.3 Hierarchical (DPI) policy conditions or/and (DPI) policy rules


The packet path processing by the DPI-FE may be either just straightforward in terms of a “flat” link between action(s) and condition(s), or hierarchical by embedded, nested, recursive, etc. rule structures. For instance, a top-level policy rule may contain a pointer (in the rule action) to a subsequent set of policy rules etc. See also clause III.3.

The example model with two functional stages of “packet scanning” and subsequent “packet analysing” represent a hierarchical concept in terms of distributed processing of policy conditions.




Download 1.36 Mb.

Share with your friends:
1   ...   14   15   16   17   18   19   20   21   ...   31



The database is protected by copyright ©ininet.org 2024
send message
    Main page
Guide
Instructions
Report
Request
Review