SCTP PPID filtering

AA allows the operator to configure PPID filters that contain a list of PPIDs to allow or deny.

config>app-assure>group <aa-group-id>[:<partition>] 
         sctp-filter <sctp-filter-name> [create]
               description <description-string>
               no description
               event-log <event-log-name>
               no event-log
               ppid-range min <min-ppid> max <max-ppid>   //[0..4294967295]
               no ppid-range
               ppid
                    default-action {permit | deny}
                    entry <entry-id> value <ppid-value> action {permit | deny}
                         //<entry-id>      : [1..255]
                         //<ppid-value>    : [0..4294967295]D | [256 chars max]
                         //<permit | deny> : permit | deny
                    no value <entry-id>
         no sctp-filter <sctp-filter-name>

The filter can then be used within an AQP action.

AA identifies DATA chunks within SCTP payloads (for example, as first, nth or last chunk) and filters according to the configured PPID filter. If any chunk PPID matches a PPID on the configured blocked PPID list, the whole SCTP packet is dropped.

SCTP packets without DATA chunks are not impacted or accounted for by an SCTP Filter.
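The following Python sketch is an added example, not Nokia code: it models the per-packet rule described above by walking the chunks of one SCTP packet and returning a verdict. It assumes that default-action applies to any PPID with no matching entry; the function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

DATA = 0  # SCTP DATA chunk type (RFC 9260)

def data_chunk_ppids(packet: bytes) -> list:
    """Return the PPID of every DATA chunk in one SCTP packet."""
    ppids, off = [], 12  # skip the 12-byte SCTP common header
    while off + 4 <= len(packet):
        ctype, _flags, length = struct.unpack_from("!BBH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("malformed chunk length")
        if ctype == DATA:
            if length < 16:  # header + TSN + stream id/seq + PPID
                raise ValueError("truncated DATA chunk")
            ppids.append(struct.unpack_from("!I", packet, off + 12)[0])
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary
    return ppids

def filter_packet(packet: bytes, entries: dict, default_action: str) -> str:
    """One denied DATA chunk drops the whole packet (assumed entry/default model)."""
    ppids = data_chunk_ppids(packet)
    if not ppids:
        return "not-filtered"  # no DATA chunks: the filter does not apply
    actions = [entries.get(p, default_action) for p in ppids]
    return "deny" if "deny" in actions else "permit"

# --- constructed sample input below; checksum is left at 0, not computed ---
def chunk(ctype: int, body: bytes, flags: int = 0) -> bytes:
    raw = struct.pack("!BBH", ctype, flags, 4 + len(body)) + body
    return raw + b"\x00" * (-len(raw) % 4)

def data(ppid: int, payload: bytes) -> bytes:
    return chunk(DATA, struct.pack("!IHHI", 1, 0, 0, ppid) + payload, flags=3)

HDR = struct.pack("!HHII", 36412, 36412, 0xDEADBEEF, 0)
ENTRIES = {18: "permit"}                       # 18 = S1AP (IANA PPID)
PKT_OK = HDR + data(18, b"s1ap")
PKT_MIXED = HDR + data(18, b"abc") + data(3, b"m3ua")  # 3 = M3UA, not listed
PKT_SACK = HDR + chunk(3, bytes(12))           # chunk type 3 = SACK, no DATA

if __name__ == "__main__":
    for name, pkt in [("ok", PKT_OK), ("mixed", PKT_MIXED), ("sack", PKT_SACK)]:
        print(name, filter_packet(pkt, ENTRIES, "deny"))
```

How AA treats a packet with a malformed chunk length is not stated here; the sketch raises an error rather than guessing a verdict.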

For IP-fragmented traffic, when the operator has not configured the AA ISA to drop "all fragmented traffic", only the first IP fragment is inspected and subjected to PPID filtering. Any action applied to the first fragment is also applied to the remaining fragments. Out-of-order fragments that arrive before the first fragment receive the default action (for example, drop action of "out-of-order-Frag").