Terms and Definitions
ISP (Provider) — A provider that has the SSG system installed for policing and web filtering purposes. The provider is connected to the Internet through multiple uplink channels and provides Internet access to end subscribers (Subscribers) as well as channels to downstream providers (vChannel), which in turn have their own subscribers (Subscribers).
Definitions of logical objects to which rules are applied:
- Common Channel or Default vChannel — Traffic passing through a DPI device that is not allocated to any vChannel. By default, this is all traffic. In the system, the Default Channel has ID 1, defined in the DPI with the parameter default_vhannels=1.
- vChannel (Channel) — Defined by a list of Static and Dynamic IPprefixes. Dynamic IPprefixes are selected from BGP by regular expressions (regexp) over the ASpath and BGP Community. Each IPprefix binding is assigned to a specific vChannel; the vChannel carries the traffic of those Subscribers whose addresses fall within the bound IPprefixes.
- Subscriber — Defined by a list of Static and Dynamic IPprefixes. Dynamic IPprefixes are selected from BGP by regular expressions (regexp) over the ASpath and BGP Community, as for vChannels. Each IPprefix binding is assigned to a specific Login. If an IPprefix bound to a Subscriber overlaps with an IPprefix bound to a vChannel, the policies applied to the vChannel also affect the Subscriber; this influence can be excluded by assigning personal filtering and policing rules to the Subscriber.
- Session — A traffic flow identified by IPsrc:port, IPdst:port, the transport protocol (TCP, UDP, ICMP) and related attributes.
Set of rules that can be applied to logical objects:
- WEB Filter — Implements filtering based on blacklists for the HTTP, HTTPS, and QUIC protocols. Filtering criteria may include the HTTP URL, and the SNI and Common Name fields for HTTPS and QUIC; traffic can also be blocked by IPdst and IPdst:port. If only an IP address or CIDR is specified, all TCP ports of that destination are blocked, but UDP is not. To block UDP ports as well, enable udp_block=3 in /etc/dpi/fastdpi.conf.
- Bandwidth Management — Implements traffic class policing and session policing for all logical objects.
- Common Channel Policing — Policing for the common channel, applied to all traffic except that defined in vChannel and AS Bypass.
- vChannel Policing — Policing for a specific channel, excluding traffic defined in AS Bypass.
- Subscriber Policing — Policing for a specific subscriber, excluding traffic defined in AS Bypass.
- Session Policing — Policing for a specific session, excluding traffic defined in AS Bypass.
Auxiliary logical objects for rule implementation:
- WEB-resources Exception List — A list of resources (SNI, SN, URL, IP:TCPport) excluded from all WEB filtering rules.
- Subscribers Priority List — A list of subscribers for whom channel WEB filtering and policing rules do not apply. Unique rules may be assigned to these subscribers.
- AS Bypass — A list of IPprefixes excluded from processing (software Bypass), with no statistics transmitted. IPprefix may include both internal and external IPs. Matches are checked in each session for IPdst and IPsrc.
- AS Blackhole — A list of IPprefixes that are blocked regardless of other rules, with no statistics transmitted. IPprefix may include both internal and external IPs. Matches are checked in each session for IPdst and IPsrc.
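The definitions above state an order of precedence between the logical objects (AS Blackhole beats every other rule, AS Bypass removes a session from policing and statistics, priority-list subscribers skip channel rules, personal Subscriber rules override the vChannel, everything else falls into the Default vChannel with ID 1) and a set of WEB Filter semantics (IP/CIDR entries block only TCP unless udp_block=3, the exception list wins over every blacklist entry). The following Python model is an added example written for this page, not SSG/fastdpi code: the data structures, the Blackhole-before-Bypass tie-break, treating the blacklist as one global list, and the sample prefixes and hostnames are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_VCHANNEL = 1  # the Default vChannel, default_vhannels=1 in the glossary


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp" (QUIC rides on udp)
    sni: str = ""     # SNI / Common Name seen in HTTPS or QUIC
    url: str = ""     # URL seen in plain HTTP


@dataclass
class Policy:          # hypothetical container for the glossary's objects
    vchannels: dict        # IPprefix -> vChannel id
    subscribers: dict      # IPprefix -> Login
    personal: set          # Logins with their own filtering/policing rules
    priority_list: set     # Subscribers Priority List
    as_bypass: list        # IPprefixes: software bypass, no statistics
    as_blackhole: list     # IPprefixes: always blocked, no statistics
    web_blacklist: set     # URL, SNI/CN, IP, CIDR or ip:port entries
    web_exceptions: set    # WEB-resources Exception List
    udp_block: int = 0     # 3 = also block UDP for IP/CIDR entries


def longest_match(ip, bindings):
    """Longest-prefix match of ip against an IPprefix -> object binding."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, obj in bindings.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, obj)
    return None if best is None else best[1]


def touches(session, prefixes):
    """AS Bypass / AS Blackhole are checked against both IPsrc and IPdst."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
               for ip in (session.src, session.dst) for p in prefixes)


def web_filter_blocks(session, pol):
    """WEB Filter verdict (True = blocked)."""
    names = {n for n in (session.url, session.sni) if n}
    dst_port = f"{session.dst}:{session.dport}"
    # The exception list removes a resource from every WEB filtering rule.
    if names & pol.web_exceptions or dst_port in pol.web_exceptions:
        return False
    # URL / SNI / CN entries apply to HTTP, HTTPS and QUIC alike.
    if names & pol.web_blacklist:
        return True
    # ip:port entries are TCP port blocks.
    if session.proto == "tcp" and dst_port in pol.web_blacklist:
        return True
    # A bare IP or CIDR blocks all TCP ports; UDP only when udp_block=3.
    dst = ipaddress.ip_address(session.dst)
    for entry in pol.web_blacklist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname, URL or ip:port entry, handled above
        if dst in net:
            return session.proto == "tcp" or pol.udp_block == 3
    return False


def resolve(session, pol):
    """Map a session to an action and the policing scope that governs it."""
    if touches(session, pol.as_blackhole):           # beats every other rule
        return {"action": "drop", "scope": "AS Blackhole", "stats": False}
    if touches(session, pol.as_bypass):              # no policing, no stats
        return {"action": "pass", "scope": "AS Bypass", "stats": False}
    login = longest_match(session.src, pol.subscribers)
    vchan = longest_match(session.src, pol.vchannels)
    priority = login in pol.priority_list
    # Channel WEB filtering does not apply to priority-list subscribers.
    if not priority and web_filter_blocks(session, pol):
        return {"action": "drop", "scope": "WEB Filter", "stats": True}
    if login and (priority or login in pol.personal):
        scope = f"Subscriber {login}"                # personal rules win
    elif vchan is not None:
        scope = f"vChannel {vchan}"                  # inherited from the channel
    else:
        scope = f"vChannel {DEFAULT_VCHANNEL}"       # Common Channel
    return {"action": "pass", "scope": scope, "stats": True}


# Constructed sample configuration (documentation ranges, not real subscribers).
POLICY = Policy(
    vchannels={"10.0.0.0/16": 2},
    subscribers={"10.0.1.0/24": "user_a", "10.0.2.5/32": "user_b",
                 "10.0.3.0/24": "user_c"},
    personal={"user_b"},
    priority_list={"user_c"},
    as_bypass=["192.0.2.0/24"],
    as_blackhole=["198.51.100.0/24"],
    web_blacklist={"blocked.example", "203.0.113.0/24", "198.18.0.7:8443"},
    web_exceptions={"allowed.example"},
)

if __name__ == "__main__":
    for s in (Session("10.0.1.10", "198.51.100.1", 443, "tcp"),
              Session("10.0.1.10", "203.0.113.5", 443, "udp"),
              Session("172.16.0.9", "8.8.8.8", 443, "tcp")):
        print(s.src, "->", s.dst, s.proto, resolve(s, POLICY))
```

The point to check against your own deployment is the UDP case: with udp_block left at its default, a session to a blacklisted CIDR over UDP (for example QUIC without a matching SNI entry) passes and is policed as ordinary vChannel traffic, which is exactly the gap the udp_block=3 setting closes.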
- Application Protocol — A signature that identifies which application or protocol a given session belongs to. Types of protocols:
- Built-in Protocol — Protocols supplied by the manufacturer.
- Custom Protocol — Defined by the system operator in the VAS Cloud section by AS, IPprefix, IPprefix:port, or SNI.
- Policing Class — Defined from one or more Application Protocols, a group of Application Protocols, or an autonomous system (ASN). Eight non-overlapping classes (cs0, cs1…cs7) are available for each type of policing.
- Policing — A set of policing rules applied to a specific logical object. Two policing algorithms are possible:
- HTB with hierarchy for 8 classes, used for traffic class prioritization.
- TBF without hierarchy, used for limiting or blocking a specific policing class.
The GUI provides the following roles:
- FilterUI — Used for managing filtering, blocking, etc.
- QoE GUI — Used for viewing QoE statistics.