SA Signature Database

Different applications use different protocols. Each protocol has its own characteristics, which are known as signatures and can be a specific port, a character string, or a bit sequence. SAC identifies an application by detecting signatures in data packets. Signatures of some protocols are contained in multiple packets, and therefore the system must collect and analyze multiple packets to identify the protocol type. The system analyzes service flows passing through a device, and compares the analysis result with the signature database loaded on the device. The system identifies an application by detecting signatures in data packets, and then implements refined QoS policy control based on the identification result. Figure 12-1 shows the working mechanism of SAC.

Figure 12-1 SAC working mechanism

A device identifies applications based on signatures of application protocols. As application software is continuously upgraded and updated, their signatures also change. If signatures are not updated in a timely manner, application protocols may fail to be correctly or accurately matched. To prevent this, you are advised to update the signature database in a timely manner. If signatures are consolidated in software packages, the software version must be updated, which greatly affects services. Huawei devices separate their signature files from system software. In this way, signature files can be loaded and upgraded at any time, without affecting services.

Both SA and FPI identify protocol packets of an application based on the protocol signatures. FPI signatures are used to identify FPI applications, while SA signatures are used to identify SA applications. These signatures can be Layer 3 information carried in packets, such as the IP address, port number, protocol type, and DSCP value, or information generated based on the domain name and IP address in DNS response packets. Huawei analyzes the signatures of common applications and develops an SA signature database file, which contains both FPI signatures and SA signatures. After the SA signature database file is loaded onto a device, the device automatically generates 45 application groups, for example, Instant_Message. The Instant_Message application group contains common instant messaging software, including QQ_IM, MSN_IM, ICQ_IM, YahooMsg_IM, SinaUC_IM, Fetion_IM, AliTalk_IM, DoShow_IM, XiaoNeiTong, Skype_IM, Lava_Lava_IM, and GoogleTalk_IM. Signature databases are classified into user-defined and predefined ones. The user-defined signature database needs to be created, whereas the predefined SA signature database file can be updated only through upgrades and cannot be manually modified. In SD-WAN scenarios, Huawei provides two signature databases: SA_H30071000 and SA_H30071002. The SA_H30071000 signature database contains more than 6000 applications, and the SA_H30071002 signature database contains more than 500 applications. The SA signature database needs to be updated in a timely manner because applications on the live network change rapidly. If the SA signature database is not updated in a timely manner, some applications may fail to be identified.

Currently, AR routers cannot identify packets that are based on regular expression rules and SSL-encrypted passerby packets.