
Analysis: The murky world of deep packet inspection

By Juha Saarinen
Jan 7 2010 7:07AM

One of the internet's most useful technologies makes for a scary weapon.

Three words, "Deep Packet Inspection," strike fear into the hearts of privacy advocates and net neutrality supporters alike.

Using DPI on your network is something of a double-edged sword: on the one hand, the technology allows for fine-grained control over network data flows and can boost security as well as prioritise services or even create new ones.

However, DPI can also block certain data deemed undesirable and even modify it for purposes such as censorship, copyright monitoring and enforcement, and intrusive marketing and advertising.

ISPs tend to keep quiet about their use of DPI on their networks so as not to raise users' hackles and to avoid thorny legal issues on whether or not such packet peeking amounts to wiretapping.

In other words, DPI remains a controversial technology that has the potential to do good but also carries the risk of turning customers away.

As Internet law evolves, however, DPI could soon become mandatory for ISPs in order to comply with statutory filtering requirements and copyright laws.

Indeed, DPI was raised by the film industry's barristers in the iiNet trial as a way for the Perth ISP to measure the volume of peer-to-peer traffic passing across its network. iiNet argued the Telecommunications Act prevented it from examining the content of data packets. That will be tested when the Federal Court hands down its decision later this year.

The case raises the prospect of DPI playing a larger - possibly mandated - role in ISP networks.

What advice do vendors offer ISPs looking to head down the DPI route? iTnews spoke to Arbor Networks and Procera Networks to get some ideas about the costs, and what the technology can and can't do.

Uses

Procera Networks' vice president of global marketing, Jon Lindén, says Procera's customers use DPI for four purposes: traffic intelligence, congestion management, network protection and creating different service options for customers.

As DPI provides a much greater insight into data traffic streams and potential threats contained in them, the technology can replace stateful network firewalls for ISPs, Lindén says.

Senior product manager Paul Varley at Arbor Networks says its ISP customers use the company's eSeries DPI products for a number of different applications. These include subscriber and application reporting, bandwidth management, service tier enforcement, usage quota tracking and usage-based billing.

Costs

DPI doesn't come cheap, however: implementing it represents a serious investment for providers. The Arbor Networks eSeries DPI solution, for instance, starts at under US$50k and reaches several hundreds of thousands of dollars, depending on the speed of the interface (such as Gigabit Ethernet or 10 Gigabit Ethernet) and the overall system capacity and feature set, Varley says.

Lindén says "we don't provide public pricing", but technology site Ars Technica reported in 2008 that Procera's PacketLogic PL1000 unit, capable of 80Gbps total bandwidth, five million users and tracking 48 million data flows for Tier-1 networks, costs US$800,000, with integration costs on top.

Varley says that Arbor Networks customers "must purchase the eSeries Command Center (eCC) appliance, which provides centralised configuration and reporting for many e100s in the network". This costs between US$50,000 and US$90,000, depending on the licensing, says Varley.

For subscriber management, Arbor also offers the eSeries Subscriber Center (eSC) appliance with a list price of US$90,000 plus a subscriber management software license in blocks from 100,000 to five million subscribers, according to Varley.

How deep?

How far does the DPI "snooping" go then? Can the companies' solutions peek into any packets, even encrypted ones? The answers from the two vendors were cagey:

"We don't decrypt any traffic. We identify and classify traffic, even encrypted, based on heuristics like packet sequence, packet size and other common patterns," says Procera's Lindén.

Varley says that DPI platforms like the eSeries "cannot decrypt packets at wire speed but they do perform heuristic analysis on encrypted traffic flows that provide very accurate classification without knowing what the content is."

According to Varley, the e100 can identify encrypted BitTorrent flows even though it does not know which file the subscriber is sharing.
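
The kind of payload-blind classification both vendors describe, as an added sketch (not Arbor's or Procera's code): it labels flows from packet sizes, direction and timing only. The sample flows are constructed, and the feature names, class labels and thresholds are illustrative assumptions.

```python
from statistics import mean, pstdev

# A flow is a list of (direction, size_bytes, gap_ms) tuples; direction is
# "up" or "down". Only metadata is used, never payload bytes.
# All thresholds below are illustrative assumptions, not vendor values.

def features(flow):
    sizes = [s for _, s, _ in flow]
    gaps = [g for _, _, g in flow]
    up = sum(s for d, s, _ in flow if d == "up")
    down = sum(s for d, s, _ in flow if d == "down")
    return {
        "mean_size": mean(sizes),
        "size_spread": pstdev(sizes),
        "gap_spread": pstdev(gaps),
        "large_frac": sum(s >= 1200 for s in sizes) / len(sizes),
        "up_share": up / (up + down),
    }

def classify(flow):
    f = features(flow)
    # Small, near-constant packets at a steady cadence: real-time media.
    if f["mean_size"] < 300 and f["size_spread"] < 20 and f["gap_spread"] < 5:
        return "realtime-media-like"
    # Mostly near-MTU packets: bulk transfer. Byte balance separates a
    # one-way download from a two-way exchange.
    if f["large_frac"] >= 0.5:
        return "bulk-two-way" if 0.25 <= f["up_share"] <= 0.75 else "bulk-one-way"
    return "interactive-or-unknown"

# Constructed sample flows (not captured traffic).
VOICE = [("up" if i % 2 else "down", 172, 20) for i in range(40)]
DOWNLOAD = [("down", 1460, 1)] * 30 + [("up", 52, 1)] * 15
SWARM = [("down", 1460, 3), ("up", 1460, 4)] * 20 + [("up", 80, 10)] * 5
SHELL = [("up", 68, 180), ("down", 120, 40), ("up", 68, 900), ("down", 340, 35)] * 5

def demo():
    samples = [("voice", VOICE), ("download", DOWNLOAD),
               ("swarm", SWARM), ("shell", SHELL)]
    return {name: classify(flow) for name, flow in samples}

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:10s} -> {label}")
```

The classifier separates the four flows without reading a single payload byte, which is why encrypting content alone does not hide what kind of application a flow belongs to.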

Both Lindén and Varley say their products are capable of filtering and managing data flows across entire networks, depending on how they're deployed.

"DPI is a technology with different applications," Varley says. "For applications such as subscriber security, traffic management and policy enforcement yes, [it] can be a network-wide solution."

Procera's DPI solution can manage all traffic traversing the network, Lindén says. He adds that it can basically be placed anywhere in the network topology.

There are some blind spots for DPI solutions, however. Varley says most service providers install DPI at the subscriber edge, where it can see most if not all of the traffic, but there are exceptions to this.

Some providers have separate overlay networks for services like VoIP which may not have DPI. In some network architectures such as DOCSIS in cable, subscribers in the same neighbourhood can communicate with each other directly on the access network, and their traffic would not pass through the DPI, says Varley.

Procera's Lindén agrees that DPI doesn't necessarily cover everything.

"Sure. It's not a 'God box'," says Lindén. "But it's an intelligent layer on top of an IP network that offers capabilities to manage traffic in a smart way to achieve best possible results and quality," he adds.

An ISP's DPI solution cannot completely control traffic on its network, however, says Varley. The provider can gain enhanced subscriber visibility and security, the ability to quickly identify and mitigate distributed denial-of-service attacks, and time-shifting, Varley says.

Lindén says that the main thing DPI provides is awareness of applications, subscribers, locations and devices.

This, he says, "enables better planning for what network investments are required, pro-actively identify potential issues, and the ability to best accommodate different needs."

A question of ethics

Being ethical and straight about the use of DPI on a network seems paramount. 

"Greed is not an acceptable reason to implement DPI," says Lindén.

Not being transparent about the use of technology will come back and bite providers, says Lindén, so he recommends ISPs be open with customers and tell them why DPI is being implemented.

"People aren't stupid and will notice," says Lindén.

A DPI solution should not be kept secret from subscribers. Instead, Lindén says providers need to be clear about the use of DPI and point out its positive effects to customers, such as a better, more consistent level of service.

"You have to avoid the '1984' stigma."
