Cisco Cisco Packet Data Gateway (PDG)
ADC detects encrypted traffic using the SNI field (signatures) of TLS/SSL (Secure Sockets Layer) traffic.
These signatures are added along with other detection mechanisms and delivered as a plugin. If there are new
SNI fields either in the already detected applications or new applications, then these new fields are added to
the plugin and a new version of the plugin is released. This results in frequent releases of plugin versions
causing delay in upgrading the new plugin in the network and leading to revenue leak to the operator. Due to
increased number of applications moving towards TLS/SSL, an option is provided to configure the SNI in
ruledef and classify traffic based on the configured SNI with this release.
These signatures are added along with other detection mechanisms and delivered as a plugin. If there are new
SNI fields either in the already detected applications or new applications, then these new fields are added to
the plugin and a new version of the plugin is released. This results in frequent releases of plugin versions
causing delay in upgrading the new plugin in the network and leading to revenue leak to the operator. Due to
increased number of applications moving towards TLS/SSL, an option is provided to configure the SNI in
ruledef and classify traffic based on the configured SNI with this release.
The SNI Detection feature requires a valid Application Detection and Control license. Contact your Cisco
account representative for more information.
account representative for more information.
Important
Previous Behavior: There was no provision to configure a custom defined protocol (CDP) in previous releases.
Only protocols as part of the ADC plugin were populated as part of bulk statistics in P2P schema.
Only protocols as part of the ADC plugin were populated as part of bulk statistics in P2P schema.
New Behavior: An option to configure the SNI and the corresponding custom defined protocol (CDP) name
in a ruledef is added. CDP names defined in TLS ruledef will be populated as part of the P2P schema.
in a ruledef is added. CDP names defined in TLS ruledef will be populated as part of the P2P schema.
Command Changes
tls
The new tls CLI command is added in the ACS Ruledef Configuration mode to configure TLS/SSL Server
Name Indication (SNI) and the corresponding custom defined protocol (CDP).
Name Indication (SNI) and the corresponding custom defined protocol (CDP).
configure
active-charging service service_name
ruledef ruledef_name
[ no ] tls { set-app-proto cdp_name_string | sni operator server_name_string }
end
[ no ] tls { set-app-proto cdp_name_string | sni operator server_name_string }
end
Notes:
• set-app-proto cdp_name_string: Specifies the name of the custom defined protocol for TLS/SSL flows
matching the ruledef.
cdp_name_string must be an alphanumeric string of 1 through 19 characters.
• sni operator server_name_string: Specifies the TLS/SSL Server Name Indication (SNI) field value in
the SSL Client Hello packet.
operator: Specifies how to match and must be one of the following:
• !=: Does not equal
The != operator in the TLS SNI rule results in non-optimized rule.
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts with
server_name_string: Specifies the server name and must be an alphanumeric string of 1 through 127
characters.
characters.
Release Change Reference, StarOS Release 19
56
ADC Changes in Release 19
SNI Detection Support