Deep Packet Inspection
There is good news, better news and a few questions for vendors of deep packet inspection (DPI) technology.
The good news is that DPI’s core competence is proven and vital. Service providers of all stripes use it to inspect packets flowing across their networks, identify them and enable traffic shaping and internal and external policy tools to manage streams more efficiently.
The better news is that DPI technology is positioned to help providers play quarterback in the creation and management of a new generation of value-added services.
The questions for DPI concern how exactly it moves forward with that strategy, and whether network operators have alternative means for achieving those ends. P2P and HTTP Not so long ago, any discussion of DPI took place under the shadow of the peer-to-peer (P2P) or file-sharing applications that were stressing the usage models on which high-speed data networks had been designed.
It was the tendency of cable’s @Home and other high-speed data network subscribers to use broadband in such unexpected and bandwidth-intensive ways that first brought DPI into play, says Milind Gadekar, director of marketing for Cisco Systems services routing business unit, and previously with P-Cube, which Cisco acquired in 2004.
"Broadband ISPs… saw that they could keep on adding bandwidth for this growing demand, or can better manage their networks," says "That’s when DPI came to light, to provide better application-awareness and better management capabilities."
Over the past several years, that landscape has shifted somewhat, partly because (P2P) traffic has become less menacing.
A study released by DPI vendor Ellacoya at the 2007 NXTcomm Show in June, for instance, indicated that hyper text transfer protocol (HTTP) or Web traffic had overtaken P2P, with YouTube alone accounting for 20 percent of all HTTP traffic.
Not everyone agreed with that study. Thomas Mennecke, news editor of P2P forum host Slyck.com, noted the coincident deployment of technologies, including DPI, that enable network operators to shape traffic and throttle P2P traffic.
Taking stock of alternative views from P2P caching firm Oversi and DPI vendor Sandvine, Mennecke contended that P2P remained dominant, if not ascendant. He conceded, however, that Web traffic was making gains, thanks to YouTube, iTunes and the resurging newsgroup category. Defense to offense Packet inspection technology is, indeed, now widely deployed. Sandvine boasts 80 customers in more than 30 countries. At NXTcom, Ellacoya was trumpeting a recent win with British Telecom. Cam Cullen, director of product management for Allot Communications, also weighed heavily internationally, estimates that about 80 percent of Tier 1 operators are using DPI somewhere in their footprint.
"DPI is mainstream," says Fred Sammartino, Ellacoya vice president of marketing and product management.
The reasoning is simple: Knowledge is power, and the ability to dive into the payload of packets to see what is going on provides a whole lot of knowledge. A case in point is the paper presented at this year’s CableTec Expo by Sandvine CTO Marc Morin ("What’s in that IP Stream?")
For an illustration of the kind of visiblity that DPI can provide into the dynamics of high-speed data traffic, see the representation in Figure 1 of six months of traffic gathered by Morin from 182,500 active residential subscribers in a small multiple systems operator (MSO.)
Intriguing as such an analysis may be there remains the question of what to do with the information.
"That intelligence can lead to a whole range of security, traffic management, service creation and operational support management tasks," says Tom Donnelly, executive vice president of marketing and sales for Sandvine.
That’s a growing list of tasks. The core capability of DPI certainly can help soften the blow of the growth in high-speed data applications, whether Web or P2P. It can be a big help in handling legitimate traffic and making sure one type of packet is not masquerading as another in order to gain better treatment or freer reign to deliver viruses and other malware.
But what about service creation? Sandvine’s acquisitions in July of not only security firm Simplicita but also network signaling equipment provider CableMatrix provide some clues as to how DPI could expand its field of influence. Questions for DPI The idea of offering value-added services based on the assignment of more bandwidth or other special treatment to subscribers who are willing to pay for it is not entirely new.
Camiant, an erstwhile competitor to CableMatrix, has used PacketCable Multimedia (PCMM)-based policy control and signaling to enable high-speed data speed boosts and speed previews. The question is whether these are complementary or competing approaches.
"Our perspective is that, absolutely, there is a place for DPI technology, and it’s a good technology for serving certain kinds of problems," says Camiant CTO Suzie Kim Riley. "But it’s not the way you would solve all problems."
Riley thinks direct and network-specific signaling from the application is preferable to using DPI triggers, and recommends keeping a larger, architectural trend in mind.
"Don’t underestimate the data and video convergence," she says.
For DPI vendors, it becomes a question of balancing functionality as an integral element of the system or connecting to outside elements, such as policy servers, through application programming interfaces (APIs). Other questions include whether to operate in-line or parallel to the bit stream and the optimum mix of hardware and software processing as capacity demands ramp up.
Allot’s Cullen expects more DPI gear to operate in line. In many cases today’s DPI gear, sitting outside the cable modem termination system (CMTS), mirrors or samples traffic. An inline scenario, he says, will enable the policies to be more efficiently implemented.
Out-of-band solutions require policy fulfillment to be performed after the fact. This can be quite a challenge in P2P scenarios in which many simultaneous connections are established. Doing this dynamically when the software is setting up the session is far more efficient and offers more granularity than implementing traffic shaping, bandwidth limiting or other rules after the fact.
The consensus appears to be that DPI systems must be at least partially hardware-based in order to keep the deep inspections from slowing down applications. This inspection generally has to go to the payload level to ensure that packets are what their headers say they are. In many cases, this isn’t crystal clear unless a stream of packets is assessed.
Donnelly says that the move from out-of-line (he refers to it as "passive") to an in-line approach would increase the breadth of tasks assigned to DPI. This functionality will be added either as integral elements of DPI devices or through the API connections. The bottom line is that operators seek to add capabilities as simply as possible.
As for Cisco, its P-Cube technology is an element in the company’s Next Generation Network topology, says Gadekar. In the first half of next year, DPI modules will be included in the 7600 aggregation routers. In time, the functionality may move into the CMTS.
Each industry that employs DPI has its own characteristics and requirements. The wireless industry will rely on DPI to cut capacity requirements to the bone. The cable industry, still dealing with upstream capacity, will look to DPI as traffic becomes more symmetrical.
The bullish view is that DPI is evolving along with the data trends that it has helped to shape. "(DPI) was a boutique, nice-to-have technology," says Sammartino. "It is turning into one of the technologies that is necessary for the next generation of real time streaming applications to be sent across access networks."
Carl Weinschenk is a contributor and Jonathan Tombes is editor, <span style="fo
