In a short time, network infrastructure bandwidth has scaled exponentially to 10 Gbits/s, with designs for next-generation Ethernet promising between 40 and 100 Gbits/s. At the same time, the complexity and breadth of applications that run over these backbones are drastically changing.
Accordingly, to meet the growing need for security, control, and visibility into network traffic, communications equipment must be protocol-, content-, and application-aware at ever higher speeds.
DPI DEFINED
Deep packet inspection (DPI) is the ability to analyze and understand network traffic at L2-L7 for security, service assurance, quality of service (QoS), and application rate-limiting. DPI provides more extensive and detailed flow awareness to network applications than simple L2-L4 classification by examining the packet contents, as well as the packet headers (Fig. 1). DPI also enables network administrators to examine traffic at all network layers across a series of datagrams, giving insight into the source, destination, application, and intent of the traffic in question.
In contrast to DPI, traditional classification only provides L2-L4 header analysis and is not a dependable mechanism for determining protocol and application, nor is it an adequate technique for analyzing specific application-level details within a flow between a set of hosts. Many protocols do not use a standard IP protocol number, or they use non-standard or dynamically negotiated TCP/UDP port numbers for connection establishment. Application and protocol identification is often buried further in the packet payload or spread across several packets in the transaction, rendering individual packet header analysis ineffective.
This need for greater content awareness applies not only to fixed LAN/WAN-based networks, but increasingly to mobile networks, too. With the bandwidths offered by 3G wireless and Long-Term Evolution (LTE) networks (up to 100-Mbit/s downloads), along with the converged data, voice, and video services that users will consume over these networks, we can expect wireless networks to support all of the same services as fixed networks and to be exposed to the same types of threats.
DPI AND PLATFORM CHALLENGES
To satisfy the needs of network operators for DPI-based solutions, the platforms on which these applications are hosted share a common set of requirements. Deep-packet-inspection implementations must:
• Support traditional analysis of common L2-L4 packet header fields, including source and destination IP address, IP protocol, source and destination TCP/UDP port numbers, DiffServ codepoint (DSCP), and ingress interface/VLAN
• Support analysis of all network protocol layers and full packet payload/content
• Support identification of applications with static, dynamic, and negotiated protocol and port fields
• Be able to interrogate multiple packets during session establishment, extending beyond the standard TCP three-way handshake (SYN, SYN-ACK, ACK)
• Support a signature database for identification of common applications
• Based on application and protocol identification, support the ability to parse the traffic and provide the entire flow or relevant portions of the flow to other applications
• Be completely flexible and programmable to handle the ever-changing and evolving set of protocols, applications, services, and threats
• Provide full analysis at line rates; if only a portion of data can be deeply inspected without loss, the inspection process provides little value
• Support inline (active) and offline (passive) configurations
• Support the ability to take a varied set of actions based on packet and flow analysis, including active and passive packet dropping; marking or tagging of traffic; content insertion; queuing/policing/shaping/rate limiting of flows; redirection; load balancing; and counting/metering/statistics gathering and analysis
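The points made above about header-only classification (that ports and protocol numbers are an unreliable guide, and that the identifying bytes may be spread across several packets) and the requirements for a signature database, multi-packet interrogation, and per-flow actions can be illustrated in a small flow classifier. The following Python is an added example written for this page; it is not code from the article or from Netronome. The signature predicates, the policy table, the flow keys and the sample TCP segments are all constructed for the demonstration, and the TLS ClientHello bytes are truncated because only the record and handshake header are examined.

```python
"""Toy DPI flow classifier: L4 port lookup vs. payload-signature matching over
reassembled TCP segments, then a policy action per identified application.
Added example; signatures, policy and sample traffic are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# What a traditional L2-L4 classifier relies on: the destination port alone.
WELL_KNOWN_PORTS: Dict[int, str] = {22: "ssh", 80: "http", 443: "tls"}

def port_classify(dport: int) -> Optional[str]:
    """Header-only classification; wrong for non-standard or reused ports."""
    return WELL_KNOWN_PORTS.get(dport)

# Payload predicates. Each returns True only once enough bytes have been
# reassembled to be sure, so False may simply mean "need more segments".
def is_tls_client_hello(b: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def is_http_request(b: bytes) -> bool:
    line, sep, _ = b.partition(b"\r\n")
    if not sep:                          # request line not complete yet
        return False
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))

def is_ssh(b: bytes) -> bool:
    return b.startswith(b"SSH-2.0-") or b.startswith(b"SSH-1.99-")

# Minimal signature database (constructed for this example), tried in order.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("tls", is_tls_client_hello), ("http", is_http_request), ("ssh", is_ssh),
]

# Hypothetical per-application policy; anything unidentified is dropped.
POLICY: Dict[str, str] = {"http": "allow", "tls": "allow", "ssh": "rate-limit"}
MAX_INSPECT_BYTES = 512   # stop buffering and call the flow "unknown" after this

def action_for(app: Optional[str]) -> str:
    return POLICY.get(app, "drop") if app else "drop"

@dataclass
class Flow:
    buf: bytearray = field(default_factory=bytearray)
    app: Optional[str] = None
    decided: bool = False

class DPIEngine:
    """Buffers client->server payload per flow key until a signature fires."""
    def __init__(self) -> None:
        self.flows: Dict[tuple, Flow] = {}

    def ingest(self, key: tuple, payload: bytes) -> Optional[str]:
        fl = self.flows.setdefault(key, Flow())
        if fl.decided:
            return fl.app
        fl.buf += payload                 # reassemble across segments
        data = bytes(fl.buf)
        for app, match in SIGNATURES:
            if match(data):
                fl.app, fl.decided = app, True
                return app
        if len(fl.buf) >= MAX_INSPECT_BYTES:
            fl.decided = True             # give up: unknown application
        return None

# Constructed sample traffic: (flow key, client-side TCP segments in order).
SAMPLE_FLOWS = {
    "tls_on_8443": (("10.0.0.5", 51000, "192.0.2.10", 8443),
                    [b"\x16\x03\x01", b"\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32]),
    "http_on_443": (("10.0.0.6", 51001, "192.0.2.11", 443),
                    [b"GET / HT", b"TP/1.1\r\nHost: example.test\r\n\r\n"]),
    "ssh_on_22": (("10.0.0.7", 51002, "192.0.2.12", 22),
                  [b"SSH-2.0-OpenSSH_9.6\r\n"]),
    "unknown_on_80": (("10.0.0.8", 51003, "192.0.2.13", 80),
                      [bytes(range(256)), bytes(range(256))]),
}

def run_demo() -> Dict[str, dict]:
    """Per sample flow: port-based guess, DPI verdict, segments DPI needed, action."""
    eng = DPIEngine()
    out = {}
    for name, (key, segments) in SAMPLE_FLOWS.items():
        verdict, needed = None, 0
        for i, seg in enumerate(segments, 1):
            verdict, needed = eng.ingest(key, seg), i
            if eng.flows[key].decided:
                break
        out[name] = {"port_guess": port_classify(key[3]), "dpi": verdict,
                     "segments_needed": needed, "action": action_for(verdict)}
    return out

if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:14s} port={r['port_guess']!s:5s} dpi={r['dpi']!s:5s} "
              f"after {r['segments_needed']} segment(s) -> {r['action']}")
```

Two of the four constructed flows show why the port is not enough: TLS on 8443 is invisible to the port table but identified from the handshake header, and HTTP on 443 is misclassified as TLS by the port but correctly identified from the request line once the second segment arrives. The TLS case also shows the limit of payload inspection: after the ClientHello the record contents are encrypted, so only the handshake identifies the protocol. Every `ingest` call runs every signature over the reassembled buffer, which is exactly the per-packet work that must fit within the line-rate budget discussed in the requirements above.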
A NEW DPI ARCHITECTURE IS NEEDED
To achieve these combined DPI requirements, along with the increasing need for network I/O virtualization, a high-performance flow-processing architecture is necessary. This is best achieved through a heterogeneous processing architecture that combines virtualized I/O network-coprocessing with multicore x86 general-purpose CPUs (Fig. 2).
An example of this architecture is the new generation of network flow processors (NFPs) designed by Netronome. These processors are intended for use in heterogeneous processing architectures. The 40-microengine (ME) core NFP with integrated cryptography supports tight coupling with general-purpose multicore CPUs over PCI Express (PCIe). Because these ME cores contain instruction sets optimized around high-performance packet processing, detailed packet and flow inspection can be performed on greater levels of traffic without compromising either security or performance.
The NFP cores operate at 1.4 GHz, each supporting eight threads. This makes it possible to perform almost 2000 operations per packet on 10-Gigabit Ethernet line-rate traffic for minimum-sized datagrams (64 bytes). Such speed and flexibility enable developers to do far more than simple packet forwarding; they also can apply complex algorithms to both packet headers and content in hardware at line rate.
Depending on the nature of the application, most DPI functionality is implemented in the NFP ME cores. Where needed, these microengine cores are augmented by tightly coupled general-purpose processors or by specialized hardware such as cryptography accelerators or regular-expression engines for pattern and signature matching. Most DPI solutions are well suited to such heterogeneous processing environments.