In a short time, network infrastructure bandwidth has scaled
exponentially to 10 Gbits/s, with designs for next-generation
Ethernet promising between 40 and 100 Gbits/s. At the
same time, the complexity and breadth of applications that
run over these backbones are drastically changing.
Accordingly, to accommodate the ever-increasing need for security,
control, and visibility into network traffic, communications
equipment needs to be protocol-, content-, and application-aware at
increasingly higher speeds.
DPI DEFINED
Deep packet inspection (DPI) is the ability to analyze and
understand network traffic at L2-L7 for security, service assurance,
quality of service (QoS), and application rate-limiting. DPI
provides more extensive and detailed flow awareness to network
applications than simple L2-L4 classification by examining the
packet contents, as well as the packet headers (Fig. 1). DPI also
enables network administrators to examine traffic at all network
layers across a series of datagrams, giving insight into the source,
destination, application, and intent of the traffic in question.
In contrast to DPI, traditional classification only provides
L2-L4 header analysis and is not a dependable mechanism to
determine protocol and application—nor is it an adequate technique
to analyze specific application-level details within a flow
between a set of hosts. Many protocols don’t use standard Internet
Protocol (IP) values, or they use non-standard and negotiated TCP/
UDP port numbers for connection establishment. Application
and protocol identification is often buried further in the packet or
spread across several packets in the transaction, rendering individual
packet header analysis ineffective.
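To make the contrast concrete, the following is an added example, not code from the article or from Netronome: a small Python parser that reads the L2-L4 headers of constructed Ethernet/IPv4/TCP frames and classifies each one two ways, by destination port alone and by looking at the payload. The frames, the three-entry port table and the three payload signatures are all constructed for the example and are far smaller than a real signature database.

```python
import re
import struct

# --- tiny frame builder (constructed test traffic, not real captures) ---
def build_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame carrying `payload`.
    Checksums are left zero: this is for parser testing, not transmission."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_l2_l4(frame: bytes) -> dict:
    """Classic header-only view: L2 ethertype, L3 addresses/protocol, L4 ports."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype, "payload": b""}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    info = {"ethertype": ethertype, "proto": proto, "src": src, "dst": dst}
    if proto == 6:  # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        info.update(sport=sport, dport=dport, payload=l4[data_off:])
    elif proto == 17:  # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport, payload=l4[8:])
    else:
        info["payload"] = b""
    return info

# Hypothetical port table: what a pure L4 classifier has to go on
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "tls"}

def classify_by_port(info: dict) -> str:
    """Traditional L2-L4 classification: trust the destination port."""
    return WELL_KNOWN_PORTS.get(info.get("dport"), "unknown")

# Hypothetical payload signatures (three entries; a real DB holds thousands)
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify_by_payload(info: dict) -> str:
    """DPI view: decide from the first bytes of content, ignoring the port."""
    p = info.get("payload", b"")
    if HTTP_REQUEST.match(p):
        return "http"
    # TLS record: content type 0x16 (handshake), major version 0x03, and the
    # handshake type byte after the 2-byte record length is 0x01 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

# Constructed sample traffic: three applications, two on non-standard ports and
# one (TLS) deliberately sent to the port the L4 table associates with HTTP
SAMPLES = {
    "http_on_8080": build_packet("10.0.0.5", "10.0.0.9", 40001, 8080,
                                 b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls_on_80": build_packet("10.0.0.5", "10.0.0.9", 40002, 80,
                              bytes([0x16, 0x03, 0x01, 0x00, 0x2a, 0x01, 0x00, 0x00,
                                     0x26, 0x03, 0x03]) + b"\x00" * 32),
    "ssh_on_2222": build_packet("10.0.0.5", "10.0.0.9", 40003, 2222,
                                b"SSH-2.0-OpenSSH_9.6\r\n"),
}

def compare(frame: bytes) -> tuple:
    """Return (port-based verdict, payload-based verdict) for one frame."""
    info = parse_l2_l4(frame)
    return classify_by_port(info), classify_by_payload(info)

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        port_view, dpi_view = compare(frame)
        print(f"{name:14s} port-based={port_view:8s} payload-based={dpi_view}")
```

Run as a script it prints both verdicts per frame: the port-based view reports "unknown" for HTTP on 8080 and SSH on 2222 and mislabels the TLS ClientHello sent to port 80 as HTTP, while the payload view identifies all three. Single-frame matching is only the first step; identification that spans several packets needs per-flow state on top of this.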
This need for greater content awareness applies not only to
fixed LAN/WAN-based networks, but increasingly to mobile
networks, too. With the bandwidths offered by 3G wireless and
Long-Term Evolution (LTE) networks (up to 100-Mbit/s downloads),
along with the converged data, voice, and video services
that users will utilize over these networks, we can expect wireless
networks to support all of the same services as fixed networks
and share vulnerabilities to the same types of threats.
DPI AND PLATFORM CHALLENGES
To satisfy the needs of network operators for DPI-based solutions,
the platforms on which these applications are hosted share
a common set of requirements. Deep-packet-inspection implementations
must:
• Support traditional analysis of common L2-L4 packet header
fields, including source and destination IP address, IP protocol,
source and destination TCP/UDP port numbers, DiffServ codepoint
(DSCP), and ingress interface/VLAN
• Support analysis of all network protocol layers and full packet
payload/content
• Support identification of applications with static, dynamic, and
negotiated protocol and port fields
• Be able to interrogate multiple packets during session establishment
extending beyond the standard TCP handshake (SYN,
SYN-ACK, ACK)
• Support a signature database for identification of common
applications
• Based on application and protocol identification, support the
ability to parse the traffic and provide the entire flow or relevant
portions of the flow to other applications
• Be completely flexible and programmable to handle the ever-changing
and evolving set of protocols, applications, services,
and threats
• Provide full analysis at line rates; if only a portion of data can
be deeply inspected without loss, the inspection process provides
little value
• Support inline (active) and offline (passive) configurations
• Support the ability to take a varied set of actions based on packet
and flow analysis, including active and passive packet dropping;
marking or tagging of traffic; content insertion; queuing/
policing/shaping/rate limiting of flows; redirection; load balancing;
and counting/metering/statistics gathering and analysis
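Several of the requirements above (interrogating multiple packets, a signature database, and taking actions per flow) only work when the inspector keeps state per flow rather than judging packets one at a time. The following added Python example, not from the article or from Netronome, sketches that: a bidirectional flow table that accumulates a payload prefix per direction, matches a small hypothetical signature set against it, and records a policy action once the application is known. It assumes in-order TCP segments, and the signature set, policy table and traffic are all constructed for the example; the traffic contains an HTTP request line split across two segments and an SMTP session that is recognizable only from the server's greeting.

```python
import re
from collections import namedtuple

# Constructed packet record: 5-tuple plus TCP payload, listed in arrival order
Pkt = namedtuple("Pkt", "src sport dst dport proto payload")

# Hypothetical signature database: (app, direction, regex). Direction is relative
# to the flow initiator: "c2s" = client->server, "s2c" = server->client.
SIGNATURES = [
    ("http", "c2s", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", "s2c", re.compile(rb"^220 [^\r\n]*\r\n")),
    ("ssh",  "c2s", re.compile(rb"^SSH-2\.0-")),
]
INSPECT_BUDGET = 512  # bytes per direction to inspect before giving up as "unknown"

# Hypothetical policy table: the action taken once a flow's application is known
POLICY = {"http": "mark-dscp", "smtp": "redirect-to-mail-filter", "ssh": "allow",
          "unknown": "count-only"}

class Flow:
    def __init__(self, initiator):
        self.initiator = initiator           # (ip, port) that sent the first packet
        self.buf = {"c2s": b"", "s2c": b""}  # reassembled payload prefix per direction
        self.app = None                      # None = identification still pending
        self.packets = 0

    def direction(self, pkt):
        return "c2s" if (pkt.src, pkt.sport) == self.initiator else "s2c"

def flow_key(pkt):
    """Bidirectional key: both directions of one conversation map to one flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted([a, b]))

class FlowTable:
    def __init__(self):
        self.flows = {}
        self.actions = []   # (flow_key, app, action) decided so far
        self.counters = {}  # app (or "pending") -> packets seen, i.e. metering

    def process(self, pkt):
        key = flow_key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow((pkt.src, pkt.sport))
        flow.packets += 1
        if flow.app is None:
            d = flow.direction(pkt)
            # Assumes in-order delivery; a real engine reorders by TCP sequence number
            flow.buf[d] += pkt.payload
            for app, sig_dir, rx in SIGNATURES:
                if sig_dir == d and rx.match(flow.buf[d]):
                    flow.app = app
                    break
            # Give up only once both directions have exhausted the inspection budget
            if flow.app is None and all(len(b) >= INSPECT_BUDGET for b in flow.buf.values()):
                flow.app = "unknown"
            if flow.app is not None:
                self.actions.append((key, flow.app, POLICY[flow.app]))
        app = flow.app or "pending"
        self.counters[app] = self.counters.get(app, 0) + 1
        return app

def classify_single_packet(pkt):
    """Per-packet lookup for contrast: no memory of earlier packets in the flow."""
    for app, _, rx in SIGNATURES:
        if rx.match(pkt.payload):
            return app
    return "unknown"

# Constructed traffic: an HTTP request split across two segments on a non-standard
# port, and an SMTP session whose only identifying bytes come from the server
TRAFFIC = [
    Pkt("10.0.0.5", 40001, "10.0.0.9", 8080, 6, b"GET /ind"),
    Pkt("10.0.0.5", 40001, "10.0.0.9", 8080, 6, b"ex.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Pkt("10.0.0.7", 40002, "10.0.0.25", 2525, 6, b""),  # client opens, sends no data yet
    Pkt("10.0.0.25", 2525, "10.0.0.7", 40002, 6, b"220 mail.test ESMTP\r\n"),
]

def run(traffic):
    """Classify the traffic per packet and per flow; return both plus the table."""
    table = FlowTable()
    per_packet = [classify_single_packet(p) for p in traffic]
    per_flow = [table.process(p) for p in traffic]
    return per_packet, per_flow, table

if __name__ == "__main__":
    pp, pf, table = run(TRAFFIC)
    for p, a, b in zip(TRAFFIC, pp, pf):
        print(f"{p.src}:{p.sport}->{p.dst}:{p.dport} per-packet={a:8s} flow={b}")
    for key, app, action in table.actions:
        print("flow", key[1:], "->", app, "=>", action)
```

The split HTTP request is "unknown" to the per-packet matcher on both segments but is identified once the flow buffer holds the whole request line; the SMTP flow is identified from the server's greeting, and because the key is bidirectional the resulting action applies to the client's packets as well. The byte budget is what keeps a flow that never matches anything from being buffered indefinitely.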
A NEW DPI ARCHITECTURE IS NEEDED
To achieve these combined DPI requirements, along with the
increasing need for network I/O virtualization, a high-performance
flow-processing architecture is necessary. This is best
achieved through a heterogeneous processing architecture that
combines virtualized I/O network-coprocessing with multicore
x86 general-purpose CPUs (Fig. 2).
An example of this architecture is the new generation of network
flow processors (NFPs) designed by Netronome. These
processors are intended for use in heterogeneous processing
architectures. The 40-microengine (ME) core NFP with integrated
cryptography supports tight coupling with general-purpose
multicore CPUs over PCI Express (PCIe). Because these ME
cores contain instruction sets optimized around high-performance
packet processing, detailed packet and flow inspection
can be performed on greater levels of traffic without compromising
either security or performance.
The NFP cores operate at 1.4 GHz, each supporting
eight threads. This makes it possible
to perform almost 2000 operations per packet
on 10-Gigabit Ethernet line-rate traffic for
minimum-sized datagrams (64 bytes). Such
speed and flexibility enable developers to do far
more than simple packet forwarding; they also can
apply complex algorithms to both packet headers
and content in hardware at line rate.
Depending on the nature of the application,
most DPI functionality is implemented in
NFP ME cores. At times, these powerful
microengine cores will be augmented
by tightly coupled general-purpose processors
or by specialized hardware like cryptography
acceleration or regular expression hardware for pattern/signature
matching to further extend expressiveness. A majority of these
new solutions ideally suit such heterogeneous processing environments.