DPI (Deep Packet Inspection) Technology

Infiberone managerGVIP2018/3/27 13:55:11

DPI (Deep Packet Inspection) Technology

1.The background of DPI Technology

In recent years, new network businesses emerge in an endless stream, such as Peer-to-Peer,, VoIP, streaming media, Web TV, audio and video chat, interactive online games and virtual reality. The popularity of these new businesses has absorbed a large number of customer resources for operators, but it also has a great impact on the underlying traffic model and the upper application mode of the network, bringing a series of new problems, such as bandwidth management, content billing, information security, public opinion control and so on. In particular, P2P, VoIP, streaming media and other business have great influences on the network management. The current P2P traffic accounted for Internet data traffic 50%-70%, the data flow of new business would be quite large if coupled with the streaming media business, ,which broke the previous "high bandwidth, low load" IP network QoS model, to a great extent aggravating the network congestion as well as reducing the network performance. Moreover, it will deteriorate the quality of network service and hinder the popularization and application of the normal network services. At the same time, the extensive use of P2P also brings great challenges to the information security monitoring and management of the network.

Due to the consuming characteristics of P2P traffic bandwidth, simple network upgrading is unable to meet the needs of the growth of data traffic operators, network equipment and lack of effective technical means of supervision, cannot achieve the perception and recognition of P2P/WEB TV and other emerging businesses, leading to the fact that the operation of network cannot effectively managed by network operators.

The traditional network management often manages the network element through the equipment management level, and later developed to the network management, controlling the top simple application, and the application control technology mainly uses the simple network management protocol SNMP or traffic identification based on port analysis and management.

Therefore, how to deeply perceive Internet / mobile Internet business, provide application level management control, and build an "operational and manageable" network has become the focus of operators.

2.Introduction of DPI Technology

DPI technology is a flow detection and control technology based on application     layer, called "Deep Packet Inspection ". The so-called "depth" is compared with the ordinary packet analysis level. Ordinary packet detection only analyzes the contents of the 4 layers of the IP package, including source address, destination address, source port, destination port and protocol type.  


Fig.1 Traditional analysis of IP header message

However, DPI technology not only analyses the four layers, but also implements analysis of the application layer, which can identify various applications and their contents. When IP, TCP or UDP data packet flow pass through a bandwidth management system based on DPI technology, the system fetches IP packet payload content to the application layer information of the recombinant OSI seven layer protocol, so as to get the content of the application, then operates the flow in accordance with the definition of management system strategy.


Fig.2 Analysis of application characteristics by DPI Technology

[Definition:OSI seven layer protocol:

OSI is an open communication system interconnection reference model, and he is a very well defined protocol specification. The OSI model has 7 layers of structure, and there are several sub-layers on each layer. OSI 7 layers from top to bottom are 7.application layer, 6.presentation layer, 5.session layer, 4.transport layer, 3.network layer, 2.data link layer, 1.physical layer; among them the high layers (Layer 7, 6, 5, 4) define the function of the application, the following 3 layers (Layer 3, 2, 1) is mainly oriented by network end-to-end data stream.]

The DPI bandwidth management technology solutions are more similar, in some ways, to the anti-virus software system we know that the type of application it can identify must be known to the system. To take BT for example, the Handshake protocol is "BitTorrent Protocol"; in other words, the anti-virus system in the background must have a large virus features database, and the DPI bandwidth management system technology should maintain a database application feature database as well. When the flow is passed, the application type is determined by comparing the application information of unpack and the background characteristic database. When new applications appear, the application feature database in the background will be updated to have the ability to recognize and control new applications.

Here we need to mention UTM (Unified Threat Management). The principle of UTM implementation is DPI. This method compares and matches the download, e-mail transmission and compressed documents with the comprehensive and continuously updated predefined attack signature database. These signatures can be used to scan and detect and prevent variant packed executable files and macro virus files in real time in order to realize the function of UTM.

3.Principle of DPI Technology

The key to the technology of DPI is to efficiently identify various applications on the network. The common message detection is to identify the application type by the port number. If the port number is 80, it is believed that the application represents the common use of the Internet. However, some illegal applications in the network will hide or fake port numbers to avoid detection and supervision, which will lead to the erosion of network data. The traditional method of detecting the L2 ~ L4 layer at this time has been powerless. DPI technology is to detect the content of the data message in the application stream, so as to determine the real application of the data message. Because the port number can be hidden by illegal applications, it is difficult to hide the protocol features of the application layer at present. The DPI recognition technology can be divided into the following categories:

1.    Applications based on the " characteristic word" technology often rely on different protocols, and different protocols have their special fingerprints. These fingerprints may be specific ports, specific strings or specific Bit sequences. The recognition technology based on "characteristic word" determines the application of the traffic flow by detecting the "fingerprint" information in the specific data message in the business stream. According to the different detection methods, the recognition technology based on "characteristic word" can be further divided into three technologies: fixed position feature word matching, changing location feature matching and state feature matching. Through the upgrading of the "fingerprint" information, the feature based recognition technology can easily expand the function and realize the detection of the new protocol. For example, the identification of Bittorrent protocol, and the analysis of its peer-to-peer protocol by reverse engineering, the so-called peer-to-peer protocol refers to the protocol of exchanging information between Peer and Peer. A peer-to-peer protocol begins with a handshake, followed by a circular message flow, and there is a number in front of each message to indicate the length of the message. In the process of handshaking, the first is to send 19 first, followed by the string "BitTorrent Protocol". Then "19BitTorrent Protocol" is the "characteristic word" of Bittorrent.

2.    Application layer gateway recognition technology is separated from the control flow and traffic flow of some services, and the business flow has no features. In this case, we need to use the application layer gateway identification technology. The application layer gateway needs to identify the control flow first, and analyze it according to the protocol of the control flow through a specific application layer gateway, and identify the corresponding business flow from the protocol content. For each protocol, it needs to have a different application layer gateway to analyze it. The SIP and H323 protocols belong to this type. SIP/H323 through the signaling interaction process, negotiation of its data channel, generally RTP format encapsulated voice flow. That is to say, the pure detection of the RTP flow does not come to the conclusion that the RTP flow is established through that protocol. The complete analysis can only be obtained by detecting the protocol interaction of the SIP/H323.

3.    The analysis of behavior pattern recognition technology based on the implemented behavior can determine the actions that the user is doing or is about to implement. The behavior pattern recognition technology is usually used to identify the business that cannot be judged according to the protocol. For example, SPAM (spam) business flow and common Email traffic flow are exactly the same from the content of Email. Only by analyzing user behavior, can we accurately identify SPAM services.

4.Important applications of DPI

Deep packet inspection (DPI) has been successful in traffic management, network security and other aspects of analysis technology, and it can analyze the network data packet content, but also the technology differs from header or metadata packet detection. These two tests are usually performed by switches, firewalls, and intrusion detection systems /IPS devices. The usual DPI solution provides deep packet detection for different applications.

Header processing only restricts the content that can be seen from the packet processing process, and is not able to detect content threats or to distinguish application programs that use common communication platforms. DPI can detect the contents and payloads of packets, and extract content level information, such as malware, specific data and application types.

As network operators, Internet service providers (ISP) and similar companies rely more and more on their network and the efficiency of applications running on the network, managing bandwidth and controlling communication complexity and security needs become increasingly important. DPI happens to be able to provide these requirements, and to seek better network management and compliance users should take DPI as an important technology.

DPI technology first assembles data packets into network traffic, data processing (including protocol classification), and then can extract information from traffic contents. Traffic reorganization and content extraction require lots of processing power, especially in high traffic data streams. A successful DPI technology must be able to provide basic functions, such as high performance computing and flexible support for analysis tasks.

The DPI processing department must be able to provide scalability and performance that meets the communication network performance. Deep content detection requires more processing than header detection. Therefore, DPI usually uses parallel processing structures to speed up computing tasks. DPI technology can provide traffic information extracting from network to the user, the actual content of treatment may vary greatly with the extracted information, performance of DPI technology is a bit like a platform, to provide practical tools of content processing, but can allow the user to decide what content to deal with.

5.Use DPI to separate network traffic

Many service providers now use DPI to divide traffic into low latency (voice), guarantee delay (network traffic), guarantee delivery (application traffic) and try effort to deliver applications (file sharing). Using this classification, they can better optimize resources based on critical task traffic and non critical traffic and reduce network congestion. Because of cheap bandwidth, service providers can increase value-added services to get extra income, including security, peak usage management, content billing and targeted advertising. All of these require depth detection of network traffic.

6.Use DPI to manage network performance

Enterprises with large networks that cover many geographic areas may run a completely different type of communication between their internal networks. In addition to controlling cost and bandwidth usage, security has been a challenge, which requires understanding of network application traffic. These enterprises have begun to see the benefits of DPI analysis, for example, network administrators can use DPI technology to control network performance. When the network performance is low, they restrict the application traffic and improve traffic when the performance is restored to normal.

Now more and more network security functions require the knowledge of payload level, and data leakage protection requires a deep understanding of the actual content sent through the line. The application layer firewall is responsible for the content of the payload, not the Header content. In cloud computing, providers of security services, such as anti spam or Web filtering services, must acquire real-time and visible contents through multiple customers, so as to get information quickly against threats and attacks. This also requires content level information.

Traditionally, these security functions are provided by special - purpose technology, which may include some DPI functions. For example, IPS has a built-in DPI. The protection of Web gateway also provides DPI analysis of Web content. However, every special purpose technology, which refers to its special purpose or incompatible software, will make the network infrastructure inefficient. A packet may be checked for multiple purposes many times. In addition, these technologies do not provide a programmable interface, which means that you can't extract any information.

In addition to security issues, DPI has a significant impact on cloud computing service providers. For cloud computing providers, service subscription and user management are a major challenge. Many vendors use their own developed or off the shelf technologies to manage service subscriptions. They find that this is neither scalable enough nor to provide enough information for complex management tasks. On the other hand, DPI can provide intelligence information about user traffic, application usage, content delivery and abnormal mode. These service providers can also use programmable interfaces to collect other useful information, such as marketing intelligence and customer files.

7.Challenges facing DPI

Internet Service Providers (ISP) have been recently relying on Deep Packet Inspection (DPI) systems, which are the most accurate techniques for traffic identification and classification. However, building high performance DPI systems requires an in-depth and careful computing system design due to the memory and processing power demands. Gigalight, as a innovator of optical communication industry, provides 100G QSFP28 LR4 receiver to ensure the efficiency and high speed demand of DPI. The Gigalight QSFP28 LR4 Receiver is an optical receiver module designed for optical communication applications compliant to 100GBASE-LR4 of the IEEE P802.3ba standard and ONT OTU4. The receiver module de-multiplexes an optical input into 4 channels of LAN WDM optical signals and then converts them to 4 output channels of electrical data. The central wavelengths of the 4 LAN WDM channels are 1295.56nm, 1300.05nm, 1304.58nm and 1309.14nm as members of the LAN WDM wavelength grid defined in IEEE 802.3ba. The high sensitivity PIN receivers provide superior performance for 100G Ethernet and ONT OTU4 applications up to 10km links and compliant to optical interface with IEEE802.3ba Clause 88 100GBASE-LR4 requirements.

As ISPs backbone links speed and data volume soar, commodity hardware-based DPI systems start to face performance bottlenecks (e.g., packet losses), which interferes on traffic classification accuracy dramatically.

As a relatively young market, the DPI industry is facing many challenges, such as:

1. there is no standard standard. Today's DPI market is also full of puzzled, one-stop, performance information for specific applications. The industry needs standard benchmarks to specify connection safety time, TCP, UDP and throughput testing. These benchmarks are important for establishing comparable performance indicators among competing products.

2. different DPI technologies are constantly emerging, and "Open DPI" will allow third party developers to write DPI applications on different business solutions.

3., the DPI technology market will continue to exist. Now, the application of the market may still be decentralized and inconsistent, but the huge potential and industry interest will finally push it towards a standard and open market.

You need to log in before comment. Not a member yet? Register now.
Copyright @ 2016 infiberone.com All Rights Reserved