Is Network DPI really a ‘Dead Piece of Investment’?
The importance of data-driven insights traditionally gained from deep packet inspection is undeniable. However, the explosion in demand for mobile data traffic, combined with the telecom transformation into cloud-native, hyperscaler environments and the changes in internet traffic, focuses attention on the right type of network DPI.
DPI was once playfully referred to as a “Dead Piece of Investment” in an industry that had a limited view of the importance of data classification and relied on physical, dedicated boxes for this function. Everyone assumed they knew what it was for, as exemplified by the phrase “We already have a DPI”.
Take another look at this: with internet transport protocols changing frequently (e.g. QUIC already has multiple new versions and HTTP/3 is on the way) and networks transforming into cloud-native, hyperscaled, distributed environments, it is clear that how and where a DPI functions, combined with how it is continually refreshed, has to be integral to a new way of thinking.
The Function of DPI
A quick look at the function, which can be used in a number of ways. By analogy, DPI is a traffic cop: it can see the vehicles and guide the traffic, which is needed for smooth flow management and, in some cases, to stop unwanted traffic. In our environment, not only has the speed of traffic increased, reducing the time available to make decisions, but traffic identification now also covers flows as well as individual vehicles. Often these flows can only be “seen” after multiple packets have passed between the same source and destination, so a new DPI intelligence is required.
Usually embedded as part of a firewall defense, DPI is an advanced method of filtering data that locates, identifies, and classifies the most relevant datasets to support accurate analyses. The DPI processes packet contents in real time and applies the rules or filters provided by the enterprise or network manager, which are designed to route network traffic automatically at specific IP address checkpoints. These filters can be programmed to tag certain messages as a higher priority so that certain data reaches its destination ahead of less important content or packets, and certain data types can be routed for further analysis or have other policies applied. In an enterprise network, for example, video conference traffic may be prioritized over web browsing, and gaming or adult content traffic may be blocked.
Keeping up to date
As mentioned, there are significant changes in transport protocols (specifically the increase in UDP-based traffic), in the use of ports for encrypted traffic (going beyond port 443) and in the expansion of prioritization bits and dynamic classification in IPv6. This is combined with the staggering facts of the internet, with approximately 2000 apps added daily to Google Play alone. The function itself needs to be agile (performant, software-based, cloud native on a standard k8s) as well as automated in its updates, to keep up with changes.
Is Change Needed? – Yes!
Network traffic monitoring requirements have increased to include traffic marking, load balancing, and finding new monetization opportunities. As monitoring responsibilities grow with the expanding mobile market, telcos will need to reevaluate whether their current fixed deployment systems are sufficient to keep up with the rapidly changing landscape. Next-generation software that still relies on fixed infrastructure (literally physical boxes) will be much less able to address these market needs for the nuanced traffic monitoring that 5G and MBB require.
It is also about measuring the quality of delivery. Quality of Experience (QoE) is a top priority for both application providers and network operators; as end users, we expect sustained fast connectivity. In mobile networks, a key function now is both to measure QoE parameters and to react in real time to changing conditions. Think of a user watching a video while walking around, moving from cell to cell. As the user moves, physical conditions can change, and even the time of day becomes important (e.g., lunchtime in a city business district). What is needed is real-time measurement combined with individual real-time traffic management, so that all the users keep doing what they want with their data.
Traditional physical DPI boxes that come with their own database for processing analytics, and that are limited by their own data stores, will not be able to keep up with this kind of QoE monitoring. In practical terms, these older DPI implementations routinely require manual reconfiguration and historical data cleansing, which is operationally difficult to do without causing service interruptions, in turn defeating the purpose of measuring QoE in the first place.
Therefore, the future of DPIs must focus on measuring data that can produce actionable responses in real-time to help generate the metadata needed to feed ML and AI algorithms. Learning-based algorithms can also help speed up deployments and assist with transport protocol acceleration that automatically utilizes the maximum available bandwidth to reduce congestion. Real time intelligent reaction to a user moving through 4G and 5G radio connectivity delivers on that high quality of experience which is the new normal for mobile telecoms.
DPI’s Going Native?
Cloud Native DPI combines smart classification with intelligent action for optimal data flow. The defensive role of DPI in providing information about the flows (their source, destination, priority and volume) should not be overlooked. A traffic flow can try to give itself a higher flow priority, essentially jumping the queue in flow terms, just to be egressed more quickly. Alternatively, there are trojan-horse-type flows that can bypass DNS or obfuscate information in encrypted SSL, e.g., the Server Name Indication (SNI), to hide malicious or illegal activity.
In all of these cases, DPI must be agile enough to keep up with the changing threat landscape and smart enough to avoid false positives.
The bottom line is that DPI is not a dead piece of investment. What is dead is the dedicated hardware of a physical box. Network DPI as a function is more important than ever in today’s data-driven world.
Check out Enea’s Traffic Classification and DPI capabilities @