- Can one use our own list rather than the one loaded from the cloud? Can one make the DPI use our list of restricted resources only?

Answer: Yes. The cloud service is implemented for your convenience, so that you do not have to process the Department of Justice list manually. The cloud list functionality is configured by federal_black_list.

- Do you pass STP transparently?

Answer: Yes.

- We have 50 Mb of traffic and up to 100 Mb in future. Do we need to buy SILICOM or DNA & Libzero cards?

Answer: The free drivers with dual-port NICs based on the Intel 82575/82576/82580 chipsets (without bypass) are suitable for 50-400 Mb. Any server with these specs is OK: a CPU of the Intel Nehalem microarchitecture (supporting the SSE 4.2 extended instruction set), 8 GB RAM, an HDD larger than 100 GB, and one NIC of 100 Mb or faster (for the SSH management interface).

- Does the filtering by the Federal Supervision Agency for Information Technologies and Communications and Department of Justice lists work if SKAT processes outbound traffic only? Can your system operate when it receives not the whole traffic but only the part bound to IP addresses from the restricted resources list?

Answer: An asymmetric connection is supported but it is not advised. The reasons are:
  - most options become unavailable (for example, analytics requires both the inbound and the outbound stream for protocol analysis, and so on);
  - sending the traffic according to the PKH scheme (i.e. only IPs from a list) creates additional trouble. Our software does not support the router control option (and it is not scheduled for future implementation). It means you have to develop this part yourself.

- Is the license going to be free in future? Does the free license cover the full functionality or filtering only?

Answer: The free license covers filtering only. It is issued for 12 months and can be prolonged. We plan to prolong it free of charge for now, as we do not consider filtering a business. We plan to make money on additional options. Income sharing is considered as well. A free evaluation period of 3 months is available for the other options. So you are welcome to inform us if you wish to try some options. You provide us the access and we install the licenses remotely. These evaluation licenses are limited by their term.

- What is the license price for DNA & Libzero?

Answer: Approximately:
  - a 1GbE port costs 40-55 conventional units (у.е.);
  - a 10GbE port costs 250-325 conventional units (у.е.).

- Can one use two ports of a four-port card (02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)) for asymmetric filtering?

Answer: Yes. SKAT runs with this network card at several of our customers.

- The source code of the Libzero and DNA drivers for Intel network interfaces is available for download on ntop.org. Can you briefly describe what functionality is restricted in these drivers compared to the commercial ones (http://www.nmon.net/shop/cart.php)?

Answer: The ntop license for DNA & Libzero is a commercial one. There are no free or GPL licenses for these products. Part of the sources is absent: the part responsible for the licensing and connection layer, i.e. a part of Libzero and of the driver's code.

- Does your solution allow the following connection scheme: a server has one 10G network interface, and the SKAT traffic passes through this interface by means of two VLANs representing input and output?

Answer: No. Future support is not scheduled.

- Can your system arrange a BGP link to a border router in order to export the prefixes whose traffic is to be sent to SKAT?

Answer: No. Future support is not scheduled.

- Are the source codes of the url2dic and ip2bin utilities available? Can we get them for FreeBSD 9 x64?

Answer: Source codes for the utilities are not available and we do not plan to provide them in future. FreeBSD allows running native Linux applications: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/linuxemu-lbc-install.html . The archive with binary utilities is available for FreeBSD 9.2.

- Is a request https://IP:443 to a resource from custom_ip_black_list redirected in the same way as a request by HTTP (port 80)? In our case the request is plainly blocked with no redirect to the "choke" page.

Answer: An HTTPS request cannot be redirected. It would require decoding the traffic using a private key or a root certificate. That is why we just block the traffic.

- What is the aggregation logic when working with your list and an external one?

Answer: Own lists are used as separate ones. They are added to the cloud ones (if the service is on).

- Can the DPI pass tagged traffic and implement a filtering policy on certain VLANs?

Answer: Yes. SKAT processes tagged traffic: VLAN, QinQ, MPLS. Currently there is no option to indicate the VLAN to block the traffic on. This functionality can be implemented in future versions.

- All the tagged traffic passing through the DPI is filtered and there is no need to create any VLANs on the DPI server itself. Is that right?

Answer: Yes.

- The process fastdpi_1gb in top shows a load of about 140% (4-core CPU) even on a non-connected server. Is that OK? top shows a CPU load of 160-220% on a flow of 50 Mb. Is that correct, or do we need to fix something?

Answer: The high idle load is caused by constant polling of the network cards rather than by interrupts. This allows achieving low latency. The higher the data flow, the larger the part of this load that becomes useful. We advise checking the CPU load with the mpstat -P ALL utility.

- We connected the internal local area network for tests. The ping time remains the same. Should there be some delay?
Answer: The equipment delay is no higher than 30 us if the equipment meets our recommendations. Ping measurements start from 1 ms. In order to detect such small delays one needs specific software and hardware. We use nanosecond timers (supported by modern network cards) in our test bench.
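The per-core check recommended in the fastdpi_1gb answer above, as an added example that is not part of the original page or of the SKAT software: it parses a constructed mpstat -P ALL report and separates user/system time (the poll loop) from %irq and %soft (interrupt handling), so a high idle-load figure can be attributed to the polling threads rather than to interrupt storms. Hostname, timestamps and percentages in the sample are made up.

```python
# Added example (not from the SKAT page): interpret 'mpstat -P ALL' output for a poll-driven DPI.
# The sample is constructed, not captured from a real server: core 0 runs a poll loop flat out.
SAMPLE_MPSTAT = """\
Linux 3.10.0 (dpi-test)  01/01/2014  _x86_64_  (4 CPU)
12:00:01     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
12:00:01     all   34.50    0.00    1.25    0.00    0.00    0.25    0.00    0.00    0.00   64.00
12:00:01       0   98.00    0.00    2.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
12:00:01       1   38.00    0.00    2.00    0.00    0.00    0.00    0.00    0.00    0.00   60.00
12:00:01       2    2.00    0.00    1.00    0.00    0.00    1.00    0.00    0.00    0.00   96.00
12:00:01       3    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00  100.00
"""

def parse_mpstat(text):
    """Return {cpu_label: {column: value}}; the header row is found by its CPU/%usr
    tokens, so one- or two-token timestamps are both handled."""
    rows, cols, prefix = {}, None, 0
    for line in text.splitlines():
        tok = line.split()
        if "CPU" in tok and "%usr" in tok:
            prefix = tok.index("CPU")
            cols = tok[prefix + 1:]
            continue
        if cols is None or len(tok) != prefix + 1 + len(cols):
            continue
        rows[tok[prefix]] = dict(zip(cols, map(float, tok[prefix + 1:])))
    return rows

def per_core_breakdown(rows):
    """Per core: total busy %, poll-loop work (%usr+%sys) and interrupt work (%irq+%soft)."""
    return {cpu: {"busy": 100.0 - r["%idle"],
                  "poll": r["%usr"] + r["%sys"],
                  "irq": r["%irq"] + r["%soft"]}
            for cpu, r in rows.items() if cpu != "all"}

def top_style_load(breakdown):
    """Sum of per-core busy %: the figure top shows for a multi-threaded process."""
    return sum(c["busy"] for c in breakdown.values())

def polling_cores(breakdown, threshold=90.0):
    """Cores saturated by the poll loop: near-100% busy, user/system time dominating interrupts."""
    return sorted(cpu for cpu, c in breakdown.items()
                  if c["busy"] >= threshold and c["poll"] > c["irq"])

if __name__ == "__main__":
    bd = per_core_breakdown(parse_mpstat(SAMPLE_MPSTAT))
    print("top-style load: %.0f%%" % top_style_load(bd))  # 144%
    print("poll-saturated cores:", polling_cores(bd))      # ['0']
```

On a live system, replace the constant with the output of `mpstat -P ALL 1 1`; a load that sits in %usr/%sys on a fixed set of cores is the expected polling behaviour, whereas load in %irq/%soft points elsewhere.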