000034229 - Does RSA Web Threat Detection Support Frame Tagging for SilverTap?

Document created by RSA Customer Support Employee on Jan 9, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034229
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 4.6
 
Issue

Customers may request support for "QinQ" (IEEE 802.1Q-1998 or IEEE 802.1ad) frame tagging. An inquiry may mention one or more of these terms; they all refer to the same technology.
Customers may report observations like the following while testing frame tagging in their environment. Below is an example from an actual customer:


“When packets are tagged more than once, packets are not being ingested correctly by the SilverTap component. We have made modifications to make WTD work and I am able to conclude that the app does not seem to like the dual tags.

Can you tell me if this has ever been tested? Do we support this feature? How can it be configured on the SilverTap to receive it?”



If we do not currently support this functionality, then the Customer wants this Jira to become a feature request.

Resolution

There is a request to Engineering as Jira WTD-5301 to add support for this protocol. This is considered a feature request (RFE).

Background

IEEE 802.1ad is an Ethernet networking standard informally known as QinQ and is an amendment to IEEE standard IEEE 802.1Q-1998. The technique is also known as provider bridging, stacked VLANs, or simply QinQ or Q-in-Q. On supported devices, "Q-in-Q" can also apply to C-tag stacking on C-tag (Ethernet Type = 0x8100), but this has limited application in the modern methodology of network routing.


This protocol operates at the bridge/frame level (OSI layer 2), below Ethernet. To be able to support this protocol, SilverTap needs the following:
1. packets can be captured from the stream, and
2. the IP source is included in the headers, and
3. the original URL is carried through.
In summary, if the traffic is such that WTD can associate it with the true user browser session, then this should be possible. As pointed out in https://en.wikipedia.org/wiki/IEEE_802.1ad, however, there are some difficulties with this protocol that need to be overcome.
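
To show what stacked tags do to frame parsing, here is an added example (not RSA or SilverTap code) that walks past any number of VLAN tags to reach the IPv4 header and recover the source IP named in requirement 2. The function names, the `MAX_TAGS` limit, and the sample frames are assumptions constructed for this illustration; 0x88A8 is the S-tag TPID defined by IEEE 802.1ad.

```python
import socket
import struct

# TPIDs that introduce a 4-byte VLAN tag: 0x8100 = 802.1Q C-tag, 0x88A8 = 802.1ad S-tag
VLAN_TPIDS = {0x8100, 0x88A8}
ETHERTYPE_IPV4 = 0x0800
MAX_TAGS = 4  # assumption: reject implausibly deep stacks rather than keep walking

def strip_vlan_tags(frame: bytes):
    """Return (vlan_ids outer-to-inner, final ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(vlan_ids) == MAX_TAGS:
            raise ValueError("too many stacked VLAN tags")
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI follows the TPID; the next ethertype (or TPID) follows the TCI
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits carry the VLAN ID
        offset += 4
    return vlan_ids, ethertype, frame[offset + 2:]

def ipv4_source(frame: bytes):
    """Return (vlan_ids, source IP string), or (vlan_ids, None) if the payload is not IPv4."""
    vlan_ids, ethertype, payload = strip_vlan_tags(frame)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return vlan_ids, None
    return vlan_ids, socket.inet_ntoa(payload[12:16])

def build_frame(tags, src_ip):
    """Constructed sample: Ethernet II header, (tpid, vid) tags, minimal IPv4 header."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    vlan = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in tags)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("198.51.100.10"))
    return eth + vlan + struct.pack("!H", ETHERTYPE_IPV4) + ip

if __name__ == "__main__":
    for tags in ([], [(0x8100, 10)], [(0x88A8, 100), (0x8100, 10)]):
        print(tags, ipv4_source(build_frame(tags, "203.0.113.7")))
```

A parser that expects the IPv4 EtherType directly after the MAC addresses, or after exactly one tag, finds 0x8100 at that position in the double-tagged frame and never reaches the IP header.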
