Programmable Deep Packet Inspection (DPI) for Service Providers
by
Tim Waters,
VP of Marketing
12/17/2007
Service providers around the
globe are in the process of converging legacy and future network services to a
common IP infrastructure. While global IP networks have created great
opportunities for growth and business transformation, they also present a new
set of challenges to the service providers operating these networks.
Key Network Infrastructure Challenges
First, broadband Internet
services are commodity services with razor thin margins. As legacy cash-cow
services are migrated to IP, it is essential that service providers create new
value-added IP services (above and beyond basic Internet access) which will
allow for revenue growth with high profit margins. Secondly, it is essential for
service providers to optimize the capacity of their network to deliver a wide
variety of network services to different subscribers such that bandwidth
allocation is aligned with maximizing customer satisfaction and service revenue.
Figure 1 -- Driving Revenue via Service Creation
Finally, threats of DDOS and
other attacks are escalating. Service providers must have the capability to
protect their networks from current and emerging security threats.
These are the key challenges that
service providers face in an IP centric world -- unfortunately, the switches
and routers in the current IP network infrastructure are not well suited to
solving these problems.
A Rapid Migration to the Next Generation DPI Network Infrastructure
In order to address the
challenges of IP convergence, many service providers are utilizing Deep Packet
Inspection (DPI) technology. DPI products allow service providers to monitor and
control traffic at all layers of the protocol stack (including the application
layer) based on a set of policies.
There are three fundamental business drivers for implementing DPI network platforms:
1. Maximize service revenue;
2. Minimize network capital expenditures (CapEx) and operating expenditures (OpEx);
3. Limit the risk of security threats to the network.
Service providers have successfully deployed the first generation of DPI products. These
are application-specific point products targeted at solving very specific
problems in the network; for example, controlling P2P traffic, preventing
network intrusions (IDP), or implementing network access control based on
identity and policy.
Many of these products are adept
at solving specific problems; however they are not flexible enough to resolve
the emerging network challenges or implement new services as infrastructure
dynamics and requirements change. This means that new hardware needs to be added
to the network as new requirements emerge. Adding hardware can be extremely
costly, especially in networks that require OSMINE certification and complex OSS
integration. New hardware also introduces additional points of failure in the
data path, reducing overall service availability. Furthermore,
application-specific DPI products cannot keep pace with the velocity of change
required to respond in a timely manner to new requirements.
In order to avoid adding new hardware and redesigning networks as requirements
change, a second generation of programmable DPI products is now being
successfully implemented in networks. Programmable DPI products allow service providers to
run multiple DPI applications at line speed, adding new functionality using
software only updates. These applications can provide bandwidth-on-demand,
traffic management, intrusion detection and prevention, usage based billing,
content insertion, security services, and other complex application layer
services. Using a programmable DPI architecture, service providers have the
flexibility to implement new value added services while optimizing network
traffic and securing the network from security threats.
The Business Drivers for Programmable DPI Platforms
Driving Top Line Revenue:
One of the key drivers for DPI
network deployments is maximization of service revenues and profitability.
Programmable DPI functionality allows service providers to offer a wide variety
of value-added services on top of basic broadband access. Today most service
providers are focused on providing the basic set of triple play services
consisting of Internet, telephone, and TV service. However, even basic telephone
and TV services are being threatened by Internet voice services (Skype, Yahoo
Messenger, Google Talk) and video content services (YouTube, iTunes, Netflix).
In order to justify the large capital investments that are being made in
broadband infrastructure, it is critical that service providers move away from
the "dumb pipe" model of broadband access to a "smart pipe" model of
premium services. By using "smart pipes" service providers can play a
pivotal role in the emerging broadband service value chain.
Premium services require traffic
management, monitoring, and content modification at the application layer. For
example, a customer might subscribe to a gaming service that provides additional
network bandwidth for gaming web sites at certain times of the day. Another
example is a premium subscription to an Internet video-on-demand service that
provides extra bandwidth for real time video viewed over the Internet. Other
types of services involve application specific traffic monitoring, allowing
service providers to implement usage based billing for certain applications. A
third class of premium services enables service providers to insert and/or
modify the content in application streams -- for example, advertisement
insertion in video streams allowing targeted advertising based on subscriber and
video viewing habits.
It is clear from these examples
that in order to participate in the premium Internet service value chain,
service providers must be able to monitor and control network traffic and
content at the application layer. It is also critical that DPI products have the
flexibility to support new services as market opportunities are presented. DPI
network processors must be programmable in order to achieve this necessary
flexibility, allowing service providers to adapt their service offerings to
dynamic market requirements.
Maximizing Customer Satisfaction While Optimizing CapEx and OpEx:
It is equally important that
service providers minimize network capital and operating expenses as new
services are rolled out. This means that network utilization must be optimized
to align service delivery with customer satisfaction. This is a difficult
problem in many networks today because most network elements are not able to
implement traffic management above layer 4. Since most web applications run over
HTTP on TCP port 80, it is impossible for standard routers and switches to
classify and manage web application traffic -- it is all treated as HTTP
Internet traffic. First generation DPI products have attacked the most pressing
problem of rate limiting P2P traffic; however, many of these products are not
flexible enough to address the more general problem of providing fair network
use based on customer, application, service pricing, and service dynamics.
Current trends in Internet content services indicate that the requirements for
traffic management are unpredictable. Therefore, service providers must
implement a programmable DPI solution so that software can be upgraded to
support new requirements for traffic management and control as necessary. By
effectively managing network traffic based on applications, service providers
can optimize utilization of their networks which has the effect of reducing both
capital and operating expenses.
Maximum Network Security:
DPI is also required to ensure best-in-class network security. Threats --
including DDoS attacks, worm propagation, VoIP service hijacking, toll fraud,
and credit card fraud --
continue to escalate in both quantity and severity. In order to protect networks
from these threats it is necessary to implement application layer firewalls,
intrusion detection and prevention (IDP), and network monitoring and control
based on identity, services, and most importantly, policy management.
First generation security devices
have implemented basic firewall and IDP capability but, as threats have become
more sophisticated, it is necessary to monitor and control network traffic based
on a more complex set of policies. For example, traffic control policies might
be based on a combination of application behavior, protocol anomaly detection,
vulnerability signatures, and user identity. As threats become more
sophisticated it is important to be able to add new security functions into the
network as necessary, driving the need for a programmable DPI
product that is software upgradeable. This allows new security applications to
be implemented in the network, thus dealing with new threats without replacing
existing network hardware or implementing a network redesign.
Figure 2 brings these three market
drivers together and presents an overview of how programmable DPI can transform
a "dumb pipe" broadband network into a "smart pipe" thus allowing
service providers to 1) increase service revenues and margins, 2) optimize
network utilization, minimizing operating expenses and 3) protect the network
from security threats.
Figure 2 -- Business Drivers for Programmable DPI
Composition of the Next Generation DPI Device -- 7 Key Requirements
Now that the key business drivers
have been established for DPI, we will examine some of the specific requirements
for next generation DPI network devices.
1. Programmable
By definition, DPI network
infrastructure devices must be programmable, allowing for significant software
flexibility, scalability, and in service software upgrades. These capabilities
enable an emerging class of DPI applications supporting new premium services,
traffic management, and network security policies to be implemented without
forklift upgrades of network hardware.
2. Active and Passive Monitoring
Some service providers use DPI
products to monitor how subscribers, services, and applications are using the
network, utilizing this data in network planning and engineering. Others want
the DPI products to play an active part in controlling network traffic to
deliver new services and optimize bandwidth allocations. The DPI platforms must
be capable of both these functions. Furthermore, this functionality must be able
to be modified to support new requirements by upgrading the software in the DPI
device.
3. Full Packet Scanning
DPI devices must be able to scan
every packet at line speed. Scanning must include all network protocol layers as
well as application content. Additionally scanning must be able to correlate
session layer content in sequential packet streams, providing maximum
flexibility to implement services or security threat mitigation at the session
layer.
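The layer-4 blind spot described under "Maximizing Customer Satisfaction While Optimizing CapEx and OpEx" (every flow on TCP port 80 looks like generic HTTP to a router) and the session-layer correlation that requirement 3 asks for can be shown together in one small example. The Python below is added here; it is not code from the page or from Bivio's platform. The packet segments are constructed, the subscriber identifiers are placeholders, and the Host-to-application table is a hypothetical policy input; a production engine would also handle gaps, overlaps and retransmissions, which this example does not.

```python
"""Layer-4 vs layer-7 classification of web traffic, with TCP segment reassembly.

Added example (not Bivio's code). All traffic below is constructed, and the
Host -> application table is a hypothetical policy input.
"""
from collections import defaultdict

# Constructed sample traffic. Every segment is bound for TCP port 80, and the
# sub-A request header is split across two segments that arrive out of order.
# Tuple layout: (subscriber, src_ip, dst_ip, src_port, dst_port, tcp_seq, payload)
SAMPLE_SEGMENTS = [
    ("sub-A", "10.0.0.5", "198.51.100.10", 40001, 80, 1046,
     b"mple.net\r\nUser-Agent: player/2.0\r\n\r\n"),
    ("sub-B", "10.0.0.9", "198.51.100.20", 40002, 80, 5000,
     b"GET /match HTTP/1.1\r\nHost: GAME.example.com:80\r\n\r\n"),
    ("sub-A", "10.0.0.5", "198.51.100.10", 40001, 80, 1000,
     b"GET /stream/ep1.m3u8 HTTP/1.1\r\nHost: video.exa"),
    ("sub-C", "10.0.0.12", "198.51.100.30", 40003, 80, 7000,
     b"GET /index.html HTTP/1.1\r\nHost: www.exa"),   # header never completes
]

# Hypothetical mapping from HTTP Host to the service provider's application label.
APP_BY_HOST = {
    "video.example.net": "video-on-demand",
    "game.example.com": "gaming",
}


def flow_key(seg):
    """5-tuple plus subscriber: the unit that both layers classify."""
    sub, sip, dip, sport, dport, _seq, _payload = seg
    return (sub, sip, dip, sport, dport)


def classify_l4(seg):
    """What a port-based switch or router sees: all of port 80 is just 'http'."""
    return "http" if seg[4] == 80 else "other"


def reassemble(segments):
    """Order each flow's segments by TCP sequence number and join the payloads.

    This is the session-layer correlation of requirement 3 in its simplest form;
    gaps, overlaps and retransmissions are deliberately out of scope here.
    """
    flows = defaultdict(list)
    for seg in segments:
        flows[flow_key(seg)].append((seg[5], seg[6]))
    return {key: b"".join(p for _, p in sorted(parts)) for key, parts in flows.items()}


def http_host(stream):
    """Return the normalised Host header once the full request head has arrived."""
    head, terminator, _body = stream.partition(b"\r\n\r\n")
    if not terminator:
        return None                       # request head still incomplete
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]     # drop an explicit port suffix
    return None


def classify_l7(stream):
    """Application label from the reassembled request, or a holding label."""
    host = http_host(stream)
    if host is None:
        return "http-unclassified"
    return APP_BY_HOST.get(host, "web-other")


def classify_traffic(segments):
    """Map each flow to (layer-4 label, layer-7 label)."""
    l4 = {flow_key(seg): classify_l4(seg) for seg in segments}
    streams = reassemble(segments)
    return {key: (l4[key], classify_l7(stream)) for key, stream in streams.items()}


if __name__ == "__main__":
    for key, (l4, l7) in sorted(classify_traffic(SAMPLE_SEGMENTS).items()):
        print(f"{key[0]}: layer 4 says {l4!r}, layer 7 says {l7!r}")
```

The three flows are indistinguishable at layer 4, while layer 7 separates video from gaming and, for the flow whose header has not finished arriving, returns a holding label rather than guessing; a policy engine can treat "unclassified" conservatively until the session completes.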
4. Traffic Classification and Management
Classification of network traffic
must be flexible and allow service providers to classify traffic by multiple
parameters which include: subscriber, service, application, origin/destination,
IP address, and other parameters related to services and protocols. Traffic
classification could also be based on usage and traffic patterns of subscriber
sessions. Based on the network traffic classification and policies, DPI
platforms must allow service providers to control traffic flows. This includes
blocking, rate shaping, and redirection of packets to different destinations.
5. Packet Modification and Content Insertion
In some cases it is necessary to
modify packet headers or application layer content. There are many other
potential services and applications that could require packet modification.
Therefore, it is important that a DPI platform deployed in a service
provider's network has this capability.
6. Packet Generation
Some services or security defense
systems require DPI processors to generate packets. For example, proxy servers
might require packet generation to set up connections, defense mechanisms might
need to send TCP packets to throttle or stop malicious TCP attacks, or some
applications (such as SIP) could require in-band signaling. DPI platforms must
have the capability to flexibly generate packets based on the application and
service objectives.
7. Billing Policy and Control
A critical component of service
management is billing. Today, most Internet services are based on fixed rate
billing -- a legacy of the "dumb pipe" broadband access model. As premium
services are implemented it will be important to be able to bill customers based
on usage, bandwidth, service offering, time of day, response time, and other
parameters that define a service level agreement (SLA). The DPI processor must
have the capability to monitor many different aspects of a user session, collect
data, and generate billing records.
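Requirements 4 and 7 fit together in one pass over the traffic: a classification feeds a policy decision (block, rate shape, redirect) and the same pass accumulates the usage counters that billing consumes. The Python below is an added example, not code from the page or from Bivio's platform. Its policy table, tariff and flow events are constructed, and it assumes the application labels were already produced by an upstream classifier, so it is independent of any particular DPI engine.

```python
"""Policy-driven traffic control and usage accounting over classified flows.

Added example (not Bivio's code). The policies, tariff and flow events are
constructed; the application labels are assumed to come from an upstream
classifier.
"""
from collections import defaultdict

# Constructed policy table: (subscriber, application) -> action. Rates are in
# bytes per second; burst is the token-bucket depth in bytes.
POLICIES = {
    ("sub-A", "video-on-demand"): {"action": "shape", "rate_bps": 4_000_000, "burst": 1_000_000},
    ("sub-A", "p2p"):             {"action": "block"},
    ("sub-B", "gaming"):          {"action": "allow"},
    ("sub-B", "web-other"):       {"action": "redirect", "to": "203.0.113.5:8080"},
}
DEFAULT_POLICY = {"action": "allow"}

# Constructed tariff: whole cents per megabyte of forwarded traffic, by application.
PRICE_CENTS_PER_MB = {"video-on-demand": 2, "gaming": 5}

# Constructed, already-classified events: (time_s, subscriber, application, bytes).
EVENTS = [
    (0.00, "sub-A", "video-on-demand", 600_000),
    (0.10, "sub-A", "video-on-demand", 600_000),
    (0.15, "sub-A", "video-on-demand", 600_000),   # bucket runs dry -> dropped
    (0.20, "sub-A", "p2p",             50_000),
    (0.30, "sub-B", "gaming",          2_500_000),
    (0.40, "sub-B", "web-other",       10_000),
    (0.50, "sub-B", "dns",             5_000),      # no policy -> default allow
]


def _take_tokens(buckets, key, policy, now, nbytes):
    """Token bucket: refill at rate_bps since the last visit, cap at burst, then spend."""
    tokens, last = buckets.get(key, (policy["burst"], now))
    tokens = min(policy["burst"], tokens + policy["rate_bps"] * (now - last))
    ok = tokens >= nbytes
    if ok:
        tokens -= nbytes
    buckets[key] = (tokens, now)
    return ok


def run_policy_engine(events, policies):
    """Return per-event verdicts and per-(subscriber, application) usage counters."""
    buckets = {}
    decisions = []
    usage = defaultdict(lambda: {"offered": 0, "forwarded": 0, "dropped": 0})
    for t, sub, app, nbytes in sorted(events):
        policy = policies.get((sub, app), DEFAULT_POLICY)
        action = policy["action"]
        if action == "block":
            verdict = "drop"
        elif action == "shape":
            verdict = "forward" if _take_tokens(buckets, (sub, app), policy, t, nbytes) else "drop"
        elif action == "redirect":
            verdict = "redirect:" + policy["to"]
        else:
            verdict = "forward"
        counters = usage[(sub, app)]
        counters["offered"] += nbytes
        counters["dropped" if verdict == "drop" else "forwarded"] += nbytes
        decisions.append((t, sub, app, verdict))
    return decisions, dict(usage)


def billing_records(usage):
    """Turn usage counters into billing records; charges floor to whole cents."""
    records = []
    for (sub, app), counters in sorted(usage.items()):
        cents = counters["forwarded"] * PRICE_CENTS_PER_MB.get(app, 0) // 1_000_000
        records.append({"subscriber": sub, "application": app, **counters, "charge_cents": cents})
    return records


if __name__ == "__main__":
    decisions, usage = run_policy_engine(EVENTS, POLICIES)
    for t, sub, app, verdict in decisions:
        print(f"t={t:.2f}s {sub} {app:16s} -> {verdict}")
    for rec in billing_records(usage):
        print(rec)
```

The usage record keeps offered, forwarded and dropped bytes separately on purpose: a billing system that charged on offered bytes would bill a subscriber for traffic the shaper itself discarded, and the dropped counter is also the figure a capacity planner wants when deciding whether a rate limit is set too low.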
Such programmable DPI devices are
now emerging into the marketplace. Bivio's DPI platform is a good
example of a programmable DPI processor that allows service providers and their
systems integrator partners to run DPI applications in a standard Linux
environment, yet deliver the flexibility and scalability required to optimize
carriers' evolving network infrastructure. Custom, commercial and open-source
applications, tailored to maximize carrier revenue opportunities and/or minimize
further CapEx and OpEx investments are easily and seamlessly ported to the
platform. This model allows service providers to add and enhance new services
and manage network application traffic as requirements change without adding new
hardware to the network. Furthermore, carriers can operate their networks at
line speed, thus minimizing bottlenecks and maximizing customer satisfaction.
In summary, DPI devices are
essential components of next generation IP networks and one should ensure that a
programmable DPI solution is implemented which is sufficiently flexible to solve
current as well as future challenges.
About the Author
Tim Waters has more than 18
years experience in marketing data and telecommunications products and
services. He is responsible for overall marketing and product
management of Bivio networking appliances.
Prior to joining Bivio,
Waters was vice president of marketing and business development at
NetDevices, Inc., a leading supplier in the emerging enterprise service
gateway marketplace. He has held similar positions at SkyStream
Networks, a manufacturer of IP video headends, and Onetta, Inc., where
he led the creation of the intelligent optical engine market. Waters
previously was vice president of marketing and business development for
Promatory Communications, a leading supplier of next-generation DSL
access multiplexers, subsequently acquired by Nortel Networks.
Earlier in his career Waters served as vice president of data product
management for Ameritech in Chicago, Illinois, and held several
management positions at Paradyne Corporation and AT&T Computer
Systems.
Waters holds an MBA from the Harvard Graduate School of Business Administration
and a BA in economics from the College of the Holy Cross.
About Bivio Networks
Bivio
Networks has developed a family of industry leading, deep packet
inspection and processing platforms that combine unparalleled scaling of
network performance, processing power, and application agility. Bivio's
network appliance platforms feature a groundbreaking architecture
specifically optimized for wire-speed execution of emerging network
services that increasingly demand deep packet processing combined with
high network throughput. Based on open industry standards, Bivio
Networks fuses unmatched flexibility with uncompromising performance to
enable its customers to overcome existing bottlenecks and deliver the
foundation of the next-generation network infrastructure. Headquartered
in Pleasanton, California, Bivio Networks is backed by Goldman Sachs,
InterWest Partners, Storm Ventures, Venrock Associates, and Silver Creek
Ventures.