VENDOR VIEW


Although strict encryption prevents the DPI platform from looking into the packet, there are still plenty of clues for the DPI platform to look at.


Mike Coward


VP Strategy & Innovation, Radisys


algorithms—making this a software exercise, not a silicon development one. This approach has been popular in the standalone traffic shaping market, which is aiming to offer the highest performance possible and can leverage the pace of silicon change with new chips coming out every year.


Everything, Encrypted

Encryption has been discussed in the DPI community for years, but it was always seen as a theoretical problem with a couple of famous exceptions (e.g., Skype going to great lengths to conceal itself). 2011 was a turning point: the year started with Facebook announcing that many of their services would be offered over encrypted web sessions by default. Facebook’s decision was triggered by the release of a proof-of-concept hacking tool called Firesheep that allowed users to snoop Facebook traffic on open Wi-Fi networks and impersonate other users. This was followed throughout 2011 by other high profile services like Twitter and Google moving to encrypt their sessions as well. It is fairly clear that this is a one-way evolution. Significant barriers to encryption have been the hardware cost and the time it takes to encrypt and decrypt traffic. But these are shrinking every year with Moore’s Law, as even desktop and mobile CPUs get dedicated instructions added to accelerate encryption. Furthermore, once a web service has added encryption, it’s hard to imagine a reason that they would later remove it, so we can expect to see a steady increase in the percentage of encrypted traffic as service after service adds encryption.


Adapting DPI Platforms to an Encrypted World

To come back to the original premise of the article: No, in the general case, DPI platforms cannot break the encryption and look inside the packets. In order to think about how a DPI platform can function in an environment where most of the traffic is encrypted, it is helpful to think back to the main purposes of commercial DPI platforms today: to understand which users are consuming the available bandwidth and then making intelligent decisions about which traffic to prioritise. Although strict encryption prevents the DPI platform from looking into the packet, there are still plenty of clues for the DPI platform to look at: the source and destination of the traffic, the packet size, and the pattern of packets. For example, a stream of small packets every 20 milliseconds in both directions is almost always a VoIP call. Traffic to and from the Facebook servers is, by definition, Facebook traffic. It’s also possible to correlate separate flows: even if everything is encrypted, if the platform sees a request to a server at CNN, followed by a request to Akamai, it can reasonably assume that Akamai is serving CNN content and thus apply the appropriate rules. This is called “heuristic” or “inferred application” classification, and can reach similar levels of accuracy as the traditional DPI approach. With this information, the DPI platform can make the same decisions that it would have if the packets were unencrypted: control the amount of bandwidth that each user is allocated, and within that bandwidth help the user prioritise interactive services like VoIP and video streaming while de-prioritising less sensitive services like big downloads or backup sessions.
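The three clues the paragraph above lists (packet size and cadence, destination, and correlation between flows) can be turned into a small classifier. The following is an added example, not Radisys code; the hostnames, thresholds and sample flows are constructed, and the destination label is assumed to be already known to the platform (e.g. from DNS or the TLS SNI), since the payload itself is never read.

```python
# Heuristic classification of encrypted flows from packet size, timing, endpoints
# and flow correlation, as the article describes. Added example (not Radisys code);
# hostnames, thresholds and sample flows are constructed.
from collections import namedtuple
from statistics import median

# start: first-packet time (s); dst: destination label (assumed known from DNS/SNI);
# sizes: bytes per packet; times: packet timestamps (s); dirs: +1 up / -1 down
Flow = namedtuple("Flow", "start dst sizes times dirs")
KNOWN_SITES = {"cnn.com": "cnn", "facebook.com": "facebook"}   # constructed
CDN_HOSTS = {"akamai.net"}                                      # constructed
CORRELATION_WINDOW = 2.0  # CDN flow starting within 2 s of a site flow belongs to that site

def classify_by_pattern(flow):
    """Infer a traffic class from sizes and timing only; the payload is never read."""
    if len(flow.times) < 4:
        return "unknown"
    gaps = [b - a for a, b in zip(flow.times, flow.times[1:])]
    both_ways = 1 in flow.dirs and -1 in flow.dirs
    # Small packets every ~20 ms in both directions: almost always a VoIP call.
    if both_ways and median(flow.sizes) < 200 and 0.015 <= median(gaps) <= 0.025:
        return "voip"
    # Large packets flowing almost entirely one way: bulk download or backup.
    down_share = flow.dirs.count(-1) / len(flow.dirs)
    if median(flow.sizes) > 1000 and (down_share > 0.9 or down_share < 0.1):
        return "bulk"
    return "interactive"

def classify(flows):
    """Return (traffic class, service) per flow, in start order."""
    out, recent_sites = [], []  # recent_sites: (start, service) of flows to known sites
    for f in sorted(flows, key=lambda x: x.start):
        service = KNOWN_SITES.get(f.dst)
        if service:
            recent_sites.append((f.start, service))
        elif f.dst in CDN_HOSTS:
            # Correlate: a CDN request just after a known-site request is that site's content.
            prior = [s for t, s in recent_sites if 0 <= f.start - t <= CORRELATION_WINDOW]
            service = prior[-1] if prior else "cdn-unattributed"
        out.append((classify_by_pattern(f), service or "unknown"))
    return out

def sample_flows():
    """Constructed flows: a VoIP call, a CNN page fetch, then its Akamai-hosted assets."""
    voip = Flow(0.0, "sip.example", [160] * 50, [i * 0.02 for i in range(50)],
                [1 if i % 2 == 0 else -1 for i in range(50)])
    cnn = Flow(10.0, "cnn.com", [500, 1200, 1400, 300], [10.0, 10.01, 10.02, 10.03], [1, -1, -1, 1])
    cdn = Flow(10.5, "akamai.net", [1400] * 20, [10.5 + i * 0.001 for i in range(20)], [-1] * 20)
    return [cdn, voip, cnn]  # deliberately out of order; classify() sorts by start
```

The Akamai flow is tagged "cnn" only because a flow to cnn.com started within the correlation window; the same flow seen in isolation comes back as "cdn-unattributed", which is the case a prioritisation policy has to decide how to treat.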


This approach is more compute-intensive than traditional DPI—it takes more CPU cycles to track flows, look at packet sizes and packet arrival times, and then correlate different flows than to just look inside the packet—but it’s still possible. Developers with FPGA and ASIC-based platforms are in a tough spot, though: the ASICs can’t be changed once they are in the field, and the task is more complex than FPGAs can be expected to handle because they are good at fixed function but poor at heuristic correlation. Developers on Commercial Off-the-Shelf (COTS)-based packet processing platforms have an easier time: the same multicore CPU that was looking inside the packet can instead run heuristic code to infer the application, so systems that are already deployed can be repurposed to handle encrypted traffic with just a new software load.


The death of DPI?

The death of DPI has been predicted multiple times. I’ve no doubt that very prediction will be proffered at this year’s Mobile World Congress. There are those who believed the functionality would be absorbed into adjacent network nodes, and those who argued that users wouldn’t put up with it. Most recently, there have been those who believe that encryption will render DPI useless. The shift to heuristic-based application classification, however, coupled with the use of general purpose packet processing platforms, provides a solid path forward that preserves existing investment and delivers the same benefits in a timeframe that meets the needs of operators already struggling with traffic congestion.

