Problem solve Get help with specific problems with your technologies, process and projects.

Deep packet inspection: Controversial but valuable traffic management tool

Deep packet inspection (DPI) may be controversial from a customer privacy and net neutrality standpoint, but the technology has valuable Internet traffic management capabilities to help service providers prioritize and deliver types of traffic, and increase their revenue in the process.

Many technologies somehow become defined by a single application, and for a few, that leads to controversy. Deep packet inspection (DPI) is on that list.

 DPI is not a problem. It's a solution to very real problems the industry will be facing in the years to come.
Tom Nolle
presidentCIMI Corp.

Unfortunately, nearly all of the publicity associated with DPI has come out of its use in behavioral targeting or in managing user Internet traffic, and much of this has been negative.

The truth is that DPI is an important tool in overall Internet traffic management because of some inherent limitations of the Internet protocol that can hamper effective monitoring and control of the network.

An IP packet header identifies the source, destination address and some basic information about the data itself. When IP was first deployed in a research and academic setting, this information was sufficient to enable efficient packet handling by the routers that direct packet flow and by the systems that originate and terminate them. But the Internet has changed profoundly in the last decade, and the IP header has changed very little. This has generated significant challenges for network operators.

Wanted: Increased packet information beyond IP header

Monitoring and handling traffic effectively requires having some knowledge of what kind of traffic the packet represents. The IP header doesn't have enough information to provide that. You need to look deeper into the packet to identify its application and mission, and for that you need deep packet inspection.

DPI's monitoring applications have been accepted almost from the beginning.

IP traffic management resources
Broadband traffic management: Finding rational solutions to ease congestion

Traffic engineering the service provider network

Time Warner bandwidth caps trial draws public backlash

The Remote Monitoring standard (RMON) defines "probes" that can look at packet data beyond the IP header to classify the packet by traffic type (voice, email, video, etc.) and by application. Vendors have offered proprietary monitoring products/probes with even greater ability to analyze deep packet data, and this information can be critical to network operators and enterprises in planning network capacity and managing quality of service (QoS).

The controversy around deep packet inspection for behavioral targeting is not about the technology per se. The issue is whether an ISP that is not an actual participant in a Web exchange between a browser and a server has the right to examine the end-to-end data to gain insight into what the user is doing. That question must be answered at the public policy level (and no consensus has fully emerged), but the monitoring applications of DPI alone would justify the technology even if applying it to behavioral targeting turned out to be a privacy rights issue.

IP headers miss the mark in identifying traffic type

The traffic control applications of DPI are even more significant than the monitoring applications, though they are also sometimes controversial. Everyone knows that "routing" is based primarily on IP address and may sometimes be based on things like the type of service, an element that's also included in the IP header. But service and QoS indicators in the IP header are not reliable ways of identifying traffic types to assure reasonable handling of priority traffic like voice or video.

With Internet users generating enormous traffic bursts from their ordinary surfing, some means of expediting time-critical applications in periods of congestion may be crucial to emerging applications like VoIP and Web conferencing. Deep packet inspection can be used to help separate the traffic that needs expedited handling, even where that traffic isn't easily distinguished by normal IP header fields like address or port number.

Operators must balance deep packet inspection value with net neutrality issues

Using DPI technology to allow time-sensitive "real time" voice or video services despite existing network congestion is an example of the balance of policy and value that confronts network operators and regulators. On one hand, there may not be an affordable way to assure real-time delivery in a broadband network without special handling. On the other, the ability to handle packets based on the content rather than the header could be used to "de-prioritize" or even block certain types of traffic or applications.

In many areas, including the U.S., this could violate "net neutrality" policies. Yet a noticeable regulatory shift toward permitting traffic engineering based on application and traffic type under some circumstances is already under way. It's simply a question of deploying the type of traffic handling options at the service-level or the application level that might legally be applied.

The thorniest public policy question with deep packet inspection arises out of its application to metering, de-prioritizing or blocking traffic. Yet operator statistics show that 40% of all broadband traffic may be illegal file sharing and that 5% of users may account for 80% of all network traffic. Therefore, "normal" broadband users paying a fixed-price for unlimited bandwidth services may subsidize the abusers.

Given that network operators cannot sustain profit margins with the exponential growth in traffic and a fixed-price cap on revenue, some mechanism to reset the balance is essential, and DPI is certain to play a role. Whether the solution is to support premium handling at an incremental charge or to de-prioritize or even block some traffic that puts the majority of users at a disadvantage, deep packet inspection is the only mechanism available to manage the way the policy is applied.

Deep packet inspection traffic analysis creates latency risks

The technical issues of deep packet inspection are as complex as the policy issues. The problem can be stated in one word: latency. Packet analysis takes time, and that increases handling delay at the point where the analysis takes place. The more points requiring traffic analysis, the more the delay. And the more sophisticated the analysis, the more the delay.

The delay problem can be crippling in the core, where the traffic volume is highest. To avoid that, most DPI solutions are applied near the edge of the network. Latency management requirements have also shifted DPI technology toward custom VLSI chips for analysis so the performance of a connection isn't affected significantly by the examination.

The bottom line: Deep packet inspection isn't a problem. It's a solution to very real problems the industry will be facing in the years to come. In a highly regulated industry, public policy concerns about possible violations of privacy or net neutrality will be handled by the regulators and legislation as needed, but any changes applied here will affect only the way DPI is used and not the fact that it will become an increasingly critical part of network deployments.

About the author: Tom Nolle is president of CIMI Corporation, a strategic consulting firm specializing in telecommunications and data communications since 1982. He is a member of the IEEE, ACM, TMF and IPsphere Forum, and the publisher of Netwatcher, a journal in advanced telecommunications strategy issues. Check out his networking blog, Uncommon Wisdom  

This was last published in July 2009

Dig Deeper on Telecommunication networking