sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

DPDK Support #9

Open mmanoj opened 5 years ago

mmanoj commented 5 years ago

Hi,

  1. Please advise: is there any plan to integrate with DPDK?

  2. What is the maximum number of concurrent connections supported, as per tests/benchmarks?

Thank you, Manoj M

sonertari commented 5 years ago

There are a couple of things against DPDK:

So I would probably consider DPDK if I were developing an appliance on Linux.

I don't have performance tests or benchmarks. The most well-known factors limiting the number of connections are CPU and available RAM of course, but the max number of file descriptors allowed by the system settings is more important, because SSLproxy starts rejecting new connections once it comes within FD_RESERVE (currently set to 10) of that limit. The openfiles-max is set in the login.conf file on OpenBSD. You would want to increase it as much as possible. I increase it to 1024 on UTMFW.
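To make the FD_RESERVE behaviour described above concrete, here is an added example (my own illustration, not SSLproxy's code) of an accept-path guard that refuses new connections once the process comes within a reserve of its RLIMIT_NOFILE. The reserve value 10 is taken from the comment; the function names, the `/dev/null` stand-in for accepted sockets and the pretend limit of 64 are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>

/* Number of descriptors kept in reserve; the maintainer says SSLproxy's
 * FD_RESERVE is currently 10. The check itself is hypothetical example code. */
#define FD_RESERVE 10L

/* Decide whether one more connection may be accepted, given how many
 * descriptors are open, the process-wide limit, and the reserve. */
int fd_reserve_allows_accept(long open_fds, long fd_limit, long reserve)
{
    if (open_fds < 0 || fd_limit <= 0 || reserve < 0)
        return 0;                          /* refuse on nonsensical input */
    return open_fds + reserve < fd_limit;  /* keep `reserve` fds free */
}

/* Soft RLIMIT_NOFILE of the calling process, or -1 if it cannot be read
 * (or is unlimited, which this kind of check cannot work with). */
long current_fd_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return -1;
    return (long)rl.rlim_cur;
}

/* Count descriptors currently open below fd_limit by probing each number
 * with fcntl(F_GETFD). This is O(limit), so it is a diagnostic; a proxy
 * would maintain a counter on open/close instead of probing. */
long count_open_fds(long fd_limit)
{
    long n = 0;
    for (long fd = 0; fd < fd_limit; fd++)
        if (fcntl((int)fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Simulate an accept loop against a pretend limit: "accept" by opening
 * /dev/null until the reserve check refuses, then close everything opened.
 * Returns how many connections were accepted. fd_limit is used only for the
 * decision; the process's real RLIMIT_NOFILE is left untouched. */
long simulate_accepts(long fd_limit, long reserve)
{
    int fds[4096];
    long accepted = 0;
    if (fd_limit > (long)(sizeof fds / sizeof fds[0]))
        fd_limit = (long)(sizeof fds / sizeof fds[0]);
    while (fd_reserve_allows_accept(count_open_fds(fd_limit), fd_limit, reserve)) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;                         /* the real limit was hit first */
        fds[accepted++] = fd;
    }
    for (long i = 0; i < accepted; i++)
        close(fds[i]);
    return accepted;
}

int main(void)
{
    long limit = current_fd_limit();
    long open_now = count_open_fds(limit > 0 ? limit : 1024);
    printf("RLIMIT_NOFILE soft limit: %ld, open now: %ld, reserve: %ld\n",
           limit, open_now, FD_RESERVE);
    printf("accept allowed now: %s\n",
           fd_reserve_allows_accept(open_now, limit, FD_RESERVE) ? "yes" : "no");
    /* With a pretend limit of 64, the loop stops once 64 - FD_RESERVE fds are open. */
    long accepted = simulate_accepts(64, FD_RESERVE);
    printf("pretend limit 64: accepted %ld connections, then refused\n", accepted);
    return 0;
}
```

The practical point is that a proxied connection costs at least two descriptors (client side and server side), so the effective connection ceiling is well under half of openfiles-max minus the reserve, and raising the limit is the first tuning knob before CPU or RAM matter.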

mmanoj commented 5 years ago

Hi,

Thanks for the quick advice. I'm looking at a more concurrent scenario, like operator traffic. What is the best scaling-out strategy you can suggest? I would like to check the feasibility with DPDK for Linux. Maybe we have to use a user-space TCP stack.

On the other hand, we have to think about the user certificate which we are trusting, as it's not the actual certificate from the server owner. It's a privacy concern if it's operator traffic. Content inspection in encrypted traffic is a real challenge. We can explore this more.

Thank you, Manoj M

sonertari commented 5 years ago

What I mean by scaling out is multiple SSLproxy instances running on separate hardware. And the traffic is distributed to those instances via a packet (flow) distributor running in front of SSLproxy instances. How packets (flows) are distributed would be implementation specific, but seems nontrivial to me. What traffic should and should not go through SSLproxy is important, as I guess you are trying to say too. My comments here are just theoretical of course, as I haven't tried them in practice.
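As an added illustration of the flow distributor sketched in the comment above (my own example, not the project's code and not something the maintainer has tried), the one property a distributor in front of several SSLproxy instances must have is that both directions of a TLS session land on the same instance. The example below hashes the 5-tuple after ordering the endpoints so that a packet and its reply hash identically, and applies a simple "what goes through the proxy at all" policy. The FNV-1a hash, the TCP/443-only divert rule and the modulo mapping onto `n_instances` are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One packet's IPv4 flow key (constructed for the example). */
struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;                  /* 6 = TCP, 17 = UDP */
};

/* FNV-1a over a byte buffer: a small, well-known non-cryptographic hash.
 * Chosen for brevity; any reasonable hash works for distribution. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Symmetric flow hash: order the two endpoints so that a packet and its
 * reply hash identically. Without this, the client->server and
 * server->client halves of one TLS session could be sent to different
 * SSLproxy instances, neither of which would see a complete handshake. */
uint32_t symmetric_flow_hash(const struct flow_key *k)
{
    uint8_t buf[13];
    uint32_t lo_ip = k->src_ip, hi_ip = k->dst_ip;
    uint16_t lo_port = k->src_port, hi_port = k->dst_port;
    if (lo_ip > hi_ip || (lo_ip == hi_ip && lo_port > hi_port)) {
        lo_ip = k->dst_ip;   hi_ip = k->src_ip;
        lo_port = k->dst_port; hi_port = k->src_port;
    }
    memcpy(buf, &lo_ip, 4);
    memcpy(buf + 4, &hi_ip, 4);
    memcpy(buf + 8, &lo_port, 2);
    memcpy(buf + 10, &hi_port, 2);
    buf[12] = k->proto;
    return fnv1a(buf, sizeof buf);
}

/* Divert policy (assumption for the example): only TCP with 443 on either
 * end is sent to the proxies; everything else bypasses them. A real
 * deployment would carry a configurable list and per-destination exemptions. */
int should_divert(const struct flow_key *k)
{
    return k->proto == 6 && (k->dst_port == 443 || k->src_port == 443);
}

/* Instance index in [0, n_instances) for a flow to be inspected, or -1 for
 * traffic that bypasses the proxies. Plain modulo is used here; note that
 * changing n_instances remaps most flows, so adding or removing an instance
 * breaks sessions in flight unless something smarter is used. */
int pick_instance(const struct flow_key *k, unsigned n_instances)
{
    if (n_instances == 0 || !should_divert(k))
        return -1;
    return (int)(symmetric_flow_hash(k) % n_instances);
}

/* The same flow seen from the other direction, to check symmetry. */
struct flow_key reverse_flow(const struct flow_key *k)
{
    struct flow_key r = { k->dst_ip, k->src_ip, k->dst_port, k->src_port, k->proto };
    return r;
}

int main(void)
{
    /* Constructed sample flows: a client talking to an HTTPS server, and a DNS query. */
    struct flow_key https = { 0x0a000001u, 0x5db8d822u, 51000, 443, 6 };
    struct flow_key reply = reverse_flow(&https);
    struct flow_key dns   = { 0x0a000001u, 0x0a000002u, 40000, 53, 17 };

    printf("https forward -> instance %d\n", pick_instance(&https, 4));
    printf("https reply   -> instance %d\n", pick_instance(&reply, 4));
    printf("dns           -> instance %d (bypass)\n", pick_instance(&dns, 4));
    return 0;
}
```

The bypass rule is where the privacy concern raised earlier in the thread shows up in practice: whatever is not diverted is never re-signed with the proxy's certificate, so the divert policy is as much a policy decision as a performance one.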