| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 1 | .. |
| 2 | SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| 3 | SPDX-License-Identifier: Apache-2.0 |
| 4 | |
| Scott Baker | 728115f | 2022-03-10 10:12:01 -0800 | [diff] [blame] | 5 | .. _application: |
| 6 | |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 7 | Application Management |
| 8 | ====================== |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 9 | |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 10 | Aether allows configuration of the application endpoints that a |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 11 | device is allowed to connect to. Configuration is possible of not only whether an |
| 12 | application endpoint is reachable or not, but also what maximum bitrate and traffic |
| 13 | class should be associated with that endpoint. |
| 14 | |
| Scott Baker | c074756 | 2022-03-09 13:48:29 -0800 | [diff] [blame] | 15 | A Slice may have a total of five user-defined application endpoints associated with it. Logically |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 16 | this could be one application with five endpoints, five applications with one endpoint |
| 17 | each, or any other combination that is less than or equal to five endpoints total. |
| 18 | |
| Scott Baker | 728115f | 2022-03-10 10:12:01 -0800 | [diff] [blame] | 19 | Each application has an address field which may be |
| 20 | set to an IPv4 address or an IPv4 subnet, which may in turn match several IPv4 |
| 21 | addresses. This address is common to all endpoints for the application. |
| 22 | Each endpoint is a port range, specified by its start and end port. A range of |
| 23 | exactly one port is also acceptable. The protocol may be set to either TCP or UDP. Each |
| 24 | endpoint may also have associated with it a maximum bitrate and a traffic-class. The |
| 25 | maximum bitrate (MBR) is per-device to the application; it is not the sum of all devices to the |
| 26 | application. For more information see the section on :ref:`metering`. |
| 27 | |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 28 | In addition to |
| 29 | these five user configurable endpoints, the default behavior can be set to either |
| 30 | ALLOW-ALL, DENY-ALL, or ALLOW-PUBLIC. ALLOW-PUBLIC is a special rule that denies traffic |
| 31 | to private IPv4 networks (as per RFC1918) and then allows everything else. |
| 32 | |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 33 | Creating Applications |
| 34 | --------------------- |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 35 | |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 36 | Begin by creating Applications. Start by going to the application page, and |
| 37 | clicking the add button. |
| 38 | |
| 39 | |app-list| |
| 40 | |
| 41 | This will open a page where application details may be specified: |
| 42 | |
| 43 | |app-add| |
| 44 | |
| Scott Baker | 728115f | 2022-03-10 10:12:01 -0800 | [diff] [blame] | 45 | Set the address and then move on to creating endpoints. Press the *+* |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 46 | button to add an endpoint. |
| 47 | |
| 48 | |app-add-endpoint| |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 49 | |
| Scott Baker | 728115f | 2022-03-10 10:12:01 -0800 | [diff] [blame] | 50 | Specify the port range, protocol, and optionally the MBR and traffic class for the |
| 51 | endpoint. |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 52 | |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 53 | Once all endpoints have been added, they will be summarized on the application page. Update |
| 54 | and commit the changes. |
| 55 | |
| 56 | |app-add-update| |
| 57 | |
| Scott Baker | c074756 | 2022-03-09 13:48:29 -0800 | [diff] [blame] | 58 | Adding Applications to Slices |
| 59 | ----------------------------- |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 60 | |
| Scott Baker | c074756 | 2022-03-09 13:48:29 -0800 | [diff] [blame] | 61 | Each Slice has an application filter, which is a list of applications. Each entry |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 62 | in this list has a priority and an allow|deny setting. Keep in mind that the total |
| Scott Baker | c074756 | 2022-03-09 13:48:29 -0800 | [diff] [blame] | 63 | number of endpoints for all applications attached to the Slice must be less than or |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 64 | equal to five. Start by opening up the slice and clicking the plus button next to the |
| 65 | Filter list. |
| 66 | |
| 67 | |app-filter-slice-edit-filter-plus| |
| 68 | |
| 69 | Choose an application and select a priority for it. |
| 70 | |
| 71 | |slice-filter-popup| |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 72 | |
| Scott Baker | c074756 | 2022-03-09 13:48:29 -0800 | [diff] [blame] | 73 | Also configurable for the Slice is the default-behavior, which will automatically |
| Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800 | [diff] [blame] | 74 | be evaluated at the lowest priority, only taking effect if no other rule matches. |
| 75 | The default behavior does not count against the 5-endpoint limit. |
| 76 | |
| 77 | How Application Filtering is Evaluated |
| 78 | -------------------------------------- |
| 79 | |
| 80 | Application filtering is evaluated from highest priority (0) to the lowest |
| 81 | priority (250). The first rule to match will have its action applied. Subsequent |
| 82 | rules after a match are not evaluated. |
| 83 | |
| 84 | For example, assume the following filter is configured: |
| 85 | |
| 86 | * Priority=0, Address=10.0.0.1, Protocol=TCP, Port=8000, Action=Allow |
| 87 | * Priority=1, Address=10.0.0.0/24, Action=Deny |
| 88 | * Default_Behavior = Allow All |
| 89 | |
| 90 | The above rule would allow traffic to 10.0.0.1 on TCP port 8000, but deny |
| 91 | traffic to all other hosts on the IPv4 subnet 10.0.0.0/24. Ports other than |
| 92 | 8000 on 10.0.0.1 would be denied, as would protocols other than TCP. Traffic to |
| 93 | subnets other than 10.0.0.0/24 would be allowed. |
| Scott Baker | 3c7cfea | 2022-03-09 16:22:42 -0800 | [diff] [blame] | 94 | |
| 95 | .. |app-list| image:: images/aether-roc-gui-application-list.png |
| 96 | :alt: List of applications |
| 97 | :width: 1000 |
| 98 | |
| 99 | .. |app-add| image:: images/aether-roc-gui-application-add.png |
| 100 | :alt: Add an application |
| 101 | :width: 800 |
| 102 | |
| 103 | .. |app-add-endpoint| image:: images/aether-roc-gui-application-add-endpoint.png |
| 104 | :alt: Add an application endpoint |
| 105 | :width: 600 |
| 106 | |
| 107 | .. |app-add-update| image:: images/aether-roc-gui-application-add-update.png |
| 108 | :alt: Ready to update and commit the application |
| 109 | :width: 800 |
| 110 | |
| 111 | .. |app-filter-slice-edit-filter-plus| image:: images/aether-roc-gui-slice-edit-filter-plus.png |
| 112 | :alt: Slice edit page, ready to add a filter |
| 113 | :width: 800 |
| 114 | |
| 115 | .. |slice-filter-popup| image:: images/aether-roc-gui-slice-filter-popup.png |
| 116 | :alt: Popup to add or edit an application filter |
| 117 | :width: 600 |
| 118 | |
| 119 | |
| 120 | |