Overview
Deep packet inspection (DPI) is a technique used to uncover the true nature of the traffic traversing IP networks. It works by inspecting each packet layer, including layer 7 protocol contents. Traditional packet inspection mechanisms only analyze layer 2 through 4 contents, including the source address, destination address, source port, destination port and the protocol type.
DPI analyzes the application layer packets, identifying the application source and contents.
Figure 96. Deep Packet Inspection
The application-awareness offered by DPI was initially used by service providers to identify and manage P2P traffic and security threats. Providers are now looking towards DPI to manage their subscriber community and deliver application-level quality of service (QoS) appropriate for each type of service traffic – voice, video, P2P, gaming, email, etc.
In order to identify and classify application types, DPI devices need to inspect every bit of traffic traversing its path and match patterns against signature or heuristic libraries containing patterns that correspond with standard Internet protocols or application behavior of certain protocol flows.
Once a traffic flow has been inspected and classified, the QoS policies that are relevant to that application type or subscriber need to be applied to ensure that the traffic is placed in the
appropriate priority queue. These activities make DPI a resource intensive task, especially when the device is processing tens of gigabits per second of traffic from millions of subscribers.
DPI Usage
The benefits of DPI technology far outweigh the complexity. DPI gives service providers the application awareness with per-subscriber granularity that is needed to unlock the revenue potential of their converged IP networks. With greater awareness and intelligence, operators can provide better value to subscribers, content owners and advertisers. Service providers and mobile operators are looking at or already deploying these advanced DPI devices to deliver the advanced functionalities and features discussed in Table 57.
Table 57. DPI Features and Deployment Use Cases
Features Description
Stateful inspection and monitoring
Inspects every IP flow, identifying the application contained within the flow and the subscriber that generated it. This provides service providers with a complete picture of network utilization on a per-application and per-subscriber basis.
Security Identifies denial of service/distributed denial of service
(DoS/DDoS), zero day attacks and other traffic anomalies that may impact network performance and integrity.
Traffic management and policy enforcements
Prioritizes, expedites and shapes application traffic flows to control congestion and ensure fair use of the network resources.
Service provider can define dynamic quality of service (QoS) policies to be applied to application traffic in order to manage the way in which bandwidth is apportioned to applications and subscribers.
Tiered service management Mobile and broadband service providers use DPI as a means to implement tiered service plans, offering differentiated services.
This enables operators to tailor service offerings to individual subscribers and increase their average revenue per user (ARPU).
A policy is created per user or group of users. The DPI system enforces that policy, allowing users access to different services and applications with varying quality of service.
Dynamic subscriber management and billing
Some DPI infrastructures have centralized quota management and accounting capabilities. This allows operators to monitor real-time subscriber usage and to implement consumption-based billing models or quota thresholds.
Features Description Lawful intercept, copyright
enforcement and ad Insertion
Service providers are sometimes required by various government agencies to allow lawful intercept. Copyright owners, such record labels and movie studios are also turning towards DPI technology to enforce copyright protection.
Operators are also looking at ways to monetize subscriber-specific information that they gained while monitoring service and usage patterns that enable external marketing companies to perform targeted advertising.
DPI Deployment
DPI devices are typically deployed towards the edge of the service provider network, as shown in the following figure, making it a critical point in the end-to-end service delivery.
Figure 98. Typical DPI Deployment
All the traffic that enters the core network will traverse the DPI devices, where every flow is
Key DPI Scalability Metrics
The scalability of DPI devices needs to be measured in a multi-dimensional fashion, where the following metrics are simultaneously maximized to determine the performance under realistic conditions.
Maximum number of subscribers that can be supported
Maximum concurrent connections, or flows, that can be inspected and classified
Additional connections per second that can be serviced when the device is already servicing a large number of flows
Maximum throughput that can be sustained under peak subscriber load
These are some of the system performance quoted by some DPI vendors:
Table 58. Typical performance of DPI platforms
Metric Vendor A Vendor B Vendor C
Most DPI devices are deployed in clusters, so that capacity can be incrementally increased. The performance figures in Table 2 are for fully populated system. Performance and capacity can be measured in modular fashion with a smaller test bed, however.
Another key point to note is that with any application-aware device, performance is adversely impacted if advanced functions are enabled. Therefore it is critical to understand and measure the performance under real-world conditions with features that are used in your network.