Wikipedia:

Deep packet inspection

Deep packet inspection (DPI) is a form of computer network packet filtering that examines the data and/or header part of a packet as it passes an inspection point, searching for non-protocol compliance, viruses, spam, intrusions or predefined criteria to decide if the packet can pass or if it needs to be routed to a different destination, or for the purpose of collecting statistical information. It is also called Content Inspection or Content Processing. This is in contrast to shallow packet inspection (usually called just packet inspection), which checks only the header portion of a packet.

What DPI does

DPI devices have the ability to look at Layer 2 through Layer 7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. A DPI device identifies and classifies traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information.

A classified packet can be redirected, marked/tagged (see QoS), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.

DPI allows phone and cable companies to "readily know the packets of information you are receiving online--from e-mail, to websites, to sharing of music, video and software downloads"[1] - as would a network analysis tool. This is the approach that cable operators and ISPs use to dynamically allocate bandwidth according to traffic that is passing through their networks. Thus, a higher priority can be allocated to a VoIP call versus web browsing.

Advanced Deep Packet Inspection systems now also incorporate Cross Packet Inspection (XPI) - so that signatures of interest that start within one packet but cross to another packet can also be detected. This requires that each flow's context is stored somewhere, so that when the correct next packet arrives, the scanning process can continue just where it left off - to the scanning engine the two packets look contiguous.
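The per-flow context described above, shown as an added example that is not part of the original article: a single-signature streaming matcher (Knuth-Morris-Pratt) that saves its match state per flow so a signature split across packets is still found. The flow key, the signature bytes and the packets are constructed for illustration, and payloads are assumed to arrive already in order.

```python
def build_failure(sig: bytes) -> list:
    """KMP table: fail[i] = longest proper prefix of sig[:i+1] that is also its suffix."""
    fail, k = [0] * len(sig), 0
    for i in range(1, len(sig)):
        while k and sig[i] != sig[k]:
            k = fail[k - 1]
        if sig[i] == sig[k]:
            k += 1
        fail[i] = k
    return fail

class CrossPacketScanner:
    def __init__(self, signature: bytes):
        if not signature:
            raise ValueError("signature must not be empty")
        self.sig = signature
        self.fail = build_failure(signature)
        self.flows = {}  # flow key -> (matched prefix length, bytes seen so far)

    def scan(self, flow, payload: bytes) -> list:
        """Scan one payload; return stream offsets at which the signature starts."""
        k, offset = self.flows.get(flow, (0, 0))  # resume where this flow left off
        hits = []
        for i, b in enumerate(payload):
            while k and b != self.sig[k]:
                k = self.fail[k - 1]
            if b == self.sig[k]:
                k += 1
            if k == len(self.sig):
                hits.append(offset + i + 1 - len(self.sig))
                k = self.fail[k - 1]
        self.flows[flow] = (k, offset + len(payload))  # the stored flow context
        return hits

    def close(self, flow):
        self.flows.pop(flow, None)  # free context when the flow ends

def demo():
    sig = b"X-Test-Marker"                                  # constructed signature
    flow_a = ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")     # constructed 5-tuples
    flow_b = ("10.0.0.3", 40001, "10.0.0.2", 80, "tcp")
    a_pkts = [b"GET /a HTTP/1.1\r\nX-Te", b"st-Mar", b"ker: 1\r\n"]
    per_packet = any(sig in p for p in a_pkts)              # stateless scan misses it
    s = CrossPacketScanner(sig)
    hits_a = s.scan(flow_a, a_pkts[0])
    hits_b = s.scan(flow_b, b"st-Marker")                   # interleaved, other flow
    hits_a += s.scan(flow_a, a_pkts[1]) + s.scan(flow_a, a_pkts[2])
    return per_packet, hits_a, hits_b
```

The stored state is only two integers per flow, but it must be evicted when a flow closes or times out, otherwise the flow table grows without bound.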

DPI is also increasingly being used in security devices to analyze flows, compare them against policy, and then treat the traffic appropriately (i.e., block, allow, rate limit, tag for priority, mirror to another device for more analysis or reporting). Since the DPI device looks at each individual packet, it can be used by ISPs to provide or block services on a per-user basis.

DPI as a tool to control P2P

The continued growth in peer-to-peer (P2P) traffic presents increasing problems for broadband service providers. Internet service providers (ISPs) do not generate any revenue from delivering P2P traffic to their subscribers, and smaller ISPs face considerable peering costs when P2P traffic goes off-net. Even for ISPs large enough to cover these costs, P2P drives increasing traffic loads, requiring additional capex for no additional revenue. Moreover, a minority of users generating large quantities of P2P traffic can degrade performance for the majority of broadband subscribers using less-intensive applications such as email or Web browsing. Poor network performance increases customer churn, leading to a decline in service revenues.

Deep packet inspection (DPI) technology has emerged from the enterprise world into service provider networks to help mitigate the impact of P2P. According to most vendors, initial uptake of DPI was fastest in Asia, where problems with P2P traffic and high off-net traffic had been most severe. European broadband providers were also early adopters of DPI, but for another reason: due to high levels of competition from digital subscriber line (DSL) broadband operators in many countries, service providers used DPI as a means to implement tiered service plans, to differentiate them from standard "all-you-can-eat" or "one-size-fits-all" data services.

In the U.S. market, multiple system operators (MSOs) such as Cable Operators were early adopters of the technology. This is because Cable Operators faced greater challenges than DSL providers in the last mile. For a Cable Operator, the last-mile bandwidth is shared among users, whereas in a DSL network a dedicated link is established for each subscriber. Smaller DSL operators were generally early adopters of DPI, as they suffered most from P2P-generated off-net traffic and peering costs. Recently, vendors have noted an increase in the number of requests for proposal activity from large wireline and wireless operators in the U.S.

It appears that several operators are looking to deploy DPI alongside their IPTV deployments in 2007. Worldwide, network operators spent US$96.8 million (£48.4 million) on DPI in 2005, but the DPI sector grew by more than 75% in 2006, to about $170 million (£85 million) and is forecast to exceed $586 million (£293 million) in 2010.

Companies currently marketing DPI technologies

Companies offering DPI in silicon

  • Cavium
  • CloudShield Technologies
  • IDT
  • NetLogic Microsystems
  • Safenet
  • Sensory Networks
  • Tarari

See also

  • Firewall
  • Next Generation Firewall
  • Detection Systems

Sources

  1. ^ The End of the Internet?. Retrieved on 2006-02-06.

Copyrights:

Wikipedia. This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Deep packet inspection".
