Embedded Objects in Cubro Service Gateway
CSG (Country Scaled DPI) operates with two concepts: "profile" and "service".
A Profile defines the scope of policy application. Policies, in turn, are described by various services. It is important to distinguish between a Profile, which describes the area in which a policy applies, and a Service Profile, which is the configuration profile of a policy, i.e. the settings of a specific service.
Country Scaled DPI views the traffic passing through the system as a set of virtual channels (vChannels) and subscribers.
The entity "channel" (vChannel) and the entity "subscriber" describe the scope of policies but have different sets of services that can be applied to them. Some policies are applied only to channel-type profiles, some only to subscriber-type profiles, and some are applied to both channel and subscriber profiles.
Hereinafter, the terms "channel profile" and "channel," as well as "subscriber profile" and "subscriber," are equivalent and interchangeable.
A channel (vChannel) is a broad area of policy application that can be described by any set of IPv4 and IPv6 CIDR prefixes. Generally, a channel corresponds to a lower-level operator or to a set of networks united by a common geolocation, for example a city or region. Channels can be defined either dynamically, based on BGP signaling (as-path, bgp community), or statically, based on manually entered CIDR prefixes. The number and width of the prefixes do not matter.
A subscriber refers to a narrow area of policy application where it is necessary to override existing policies applied to the channel. Thus, the subscriber mechanism allows for the definition of specialized policies for individual IP addresses or CIDR and to exempt them from the rules applied to the channel.
The default channel is the area of the network that does not belong to any of the channels or subscribers. Policies can also be applied to the default channel if there is no need to separate the traffic passing through the DPI into areas of policy application. Rules applied to the default channel will apply to all traffic that does not belong to other channels or subscribers.
Consider the following example (subscribers are listed under the channel they belong to):
-- Common Channel
   +++ Service <per_session_policing> { service_profile: applist_rules_common }
   +++ Service <blacklist_global> { service_profile: government }
-- Channel_100: [Mobile Provider A]
   +++ Service <blacklist> { service_profile: mobile_a, use_global=true }
   +++ Service <per_session_policing> { service_profile: applist_rules }
   -- Subscriber: [very_important_bank]
      +++ Service <ddos_protection> { service_profile: max_cps=100, syn_flood=1, … }
      +++ Service <per_session_policing> { service_profile: applist_veryimpbank }
   -- Subscriber: [SOME_USER_1]
      +++ Service <mirror_traffic> { service_profile: destination=vlan4000 }
      +++ Service <dns_replacement> { service_profile: "rule_set_for_replacement" }
-- Channel_101: [Mobile Provider B]
   +++ Service <per_session_policing> { service_profile: applist_rules_mobileB }
   +++ Service <disable_ipv6> { service_profile: disable_ipv6=true }
   -- Subscriber: [SOME_USER_2]
      +++ Service <blacklist> { service_profile: some_user2, use_global=false }
      +++ Service <per_session_policing> { service_profile: applist_rules_common }
Traffic that does not belong to Channel_100 or Channel_101 enters the common channel (Common Channel); there, the services <blacklist_global> (Service type 4) and <per_session_policing> (Service type 18) are applied.
Service type 4: Web and IP filtering by protocols HTTP, HTTPS, QUIC, IP, and IP+port.
Service type 18: Traffic marking by protocols and bandwidth limitation at the application session level.
For traffic passing through Channel_100, services of Service type 4 and 18 are also applied, but with different service profiles: {service_profile: mobile_a, use_global=true} for type 4 and applist_rules for type 18. Traffic filtering in Channel_100 is therefore performed by the rule "apply the global blacklist && the blacklist including resources from the mobile_a list".
Service type 4 is enabled by default for all channels, including the default channel, with the built-in profile blacklist_global. This built-in service cannot be disabled; if the list is empty, no filtering is applied.
If the blacklist_global list is not empty, to disable filtering on a selected channel or subscriber, it is necessary to enable the service with Service type 4 and a service profile containing an empty list and the flag use_global=false. Thus, the system allows for the combination of a global blacklist and additional lists applied to selected channels and subscribers.
Service 18 allows for bandwidth limitation for selected applications at the session level. Additionally, Service 18 allows for overriding the DSCP traffic marking for the selected channel or subscriber.
For example, a user can set a limit for the protocol whatsapp_voice at the level of 1 Mbps for the common channel and 128 Kbps for channel Channel_100. The range of values is from 8 bits (blocking) to <unlimited>.
For the subscriber very_important_bank, which belongs to Channel_100, the services <ddos_protection> (Service type 10) and <per_session_policing> (Service type 18) are enabled. Because Service type 4 is not defined separately for this subscriber, the Web and IP filtering rules of Channel_100 apply to it, while bandwidth limitation and traffic marking for applications follow the subscriber's own rules applist_veryimpbank, which override those of Channel_100.
For the subscriber SOME_USER_1, services <mirror_traffic> (Service Type 17) and <dns_replacement> (Service Type 19) are applied. Thus, for the specified subscriber, Web and IP filtering and bandwidth limitation for applications will be subject to the rules of Channel_100.
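The resolution described above, as an added example that is not part of the original document or of the CSG software: a small Python model of the example layout that resolves the effective services for an address (a subscriber overrides its channel per service, a channel overrides the common channel, everything else is inherited) and reports which lists service type 4 consults under use_global. The CIDR prefixes are constructed placeholders, since the page gives none; service and service-profile names are those from the example.

```python
import ipaddress
# Constructed model of the example layout: prefixes are placeholders. <blacklist_global>
# (common channel) and <blacklist> (channel) are both service type 4, stored under "blacklist".
COMMON = {"blacklist": {"list": "blacklist_global", "use_global": True},
          "per_session_policing": {"service_profile": "applist_rules_common"}}
CHANNELS = {  # name -> (CIDR prefixes, services defined on the channel)
    "Channel_100": (["10.100.0.0/16"], {
        "blacklist": {"list": "mobile_a", "use_global": True},
        "per_session_policing": {"service_profile": "applist_rules"}}),
    "Channel_101": (["10.101.0.0/16", "2001:db8:101::/48"], {
        "per_session_policing": {"service_profile": "applist_rules_mobileB"},
        "disable_ipv6": {"disable_ipv6": True}}),
}
SUBSCRIBERS = {  # name -> (CIDR prefixes, services overriding the channel)
    "very_important_bank": (["10.100.1.0/24"], {
        "ddos_protection": {"max_cps": 100, "syn_flood": 1},
        "per_session_policing": {"service_profile": "applist_veryimpbank"}}),
    "SOME_USER_1": (["10.100.2.7/32"], {
        "mirror_traffic": {"destination": "vlan4000"},
        "dns_replacement": {"service_profile": "rule_set_for_replacement"}}),
    "SOME_USER_2": (["10.101.5.0/24"], {
        "blacklist": {"list": "some_user2", "use_global": False},
        "per_session_policing": {"service_profile": "applist_rules_common"}}),
}

def _owner(ip, table):
    """Name of the entry whose most specific prefix contains ip, or None."""
    best = None
    for name, (cidrs, _) in table.items():
        for net in map(ipaddress.ip_network, cidrs):
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best and best[0]

def effective_policy(addr):
    """(channel, subscriber, services): narrower scope overrides wider scope per service."""
    ip = ipaddress.ip_address(addr)
    channel, subscriber = _owner(ip, CHANNELS), _owner(ip, SUBSCRIBERS)
    services = {**COMMON, **(CHANNELS[channel][1] if channel else {}),
                **(SUBSCRIBERS[subscriber][1] if subscriber else {})}
    return channel or "Common Channel", subscriber, services

def blacklists_for(addr):
    """Lists consulted by service type 4; an empty own list with use_global=False disables it."""
    bl = effective_policy(addr)[2]["blacklist"]
    lists = [bl["list"]] if bl["list"] else []
    if bl["use_global"] and bl["list"] != COMMON["blacklist"]["list"]:
        lists.insert(0, COMMON["blacklist"]["list"])
    return lists
```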
In the Country Scaled DPI edition, management of profiles and services is integrated into the DPI CNC graphical interface. The settings of profiles and services are mutually integrated. Part B of this document provides practical scenarios for use.
