Throughout the history of Ethernet, starting in the late 1970s when Robert Metcalfe started 3Com, network evolution has clustered around a few specific themes each decade. In the author's view, in the 80s the industry was focused on extending the span of basic network connectivity by connecting localized LAN clouds with each other. By the early 90s, the focus for LAN equipment providers had moved from basic connectivity to broader attributes such as assured connectivity and ease of deployment, whereas backbone and service providers were focusing on uptime, resilience, and capacity. The late 90s and the following decade saw the complexity and span of networks, and our dependence on them, grow to historic levels, especially with the advent of voice and video on what had previously been known as data networks, a move the industry termed "triple play". Today the need for ubiquitous connectivity anytime, anywhere is driving wireless network rollouts, which are becoming a big part of the connectivity cloud. Thus the journey that started in the 70s by serving the need to connect stationary computers has come all the way to connecting mobile humans. A lot has changed in this time. Our expectations as users of the networks of today and tomorrow demand omnipresence, resilience, cost effectiveness, scalability, speed, capability (packets/voice/video), mobility, ease of use and deployment, interoperability, and so on. That is indeed a lot of change within four decades.
From an enterprise perspective, networks have moved on from being productivity enhancement tools to becoming business continuity infrastructure. These three decades have given rise to new technologies and have correspondingly led to the demise of many old businesses. Connecting small businesses to global markets (eBay, Alibaba), carrying out stock trades without the transaction ever touching a human or paper (Merrill, Schwab), and bringing economies of scale to rural areas (Amazon) are real value-adds for consumers. Networks are helping squeeze inefficiencies out of the supply chain, enabling better products at yesterday's prices. Networking technology has had a deep impact on business, and entire industries (brick-and-mortar stock brokerages, travel agents, airline service staff, etc.) have changed forever.
From a governmental and social perspective, the availability of ubiquitous and cheaper ways to disseminate information has taken down the barriers to accessing information and has enabled greater participation of the masses in the way societies are run. Egregious abuses of power take seconds to be flashed around the world, lending strength to the side of caution and giving reason to weigh repercussions. Unlike in previous times, access to timely information has helped humanity cope through better disaster planning and a more widespread outpouring of support in the case of natural and man-made disasters. Much of this would not have been possible without the key networks that have connected supply with demand in the economic world while connecting the populace with information like never before. As we can see, networks have been ever transforming and are now a quintessential part of modern human existence.
To address the changing needs of networks within the early decades, architects responded by increasing capacity and by providing differentiated levels of service, enabling preferential treatment of latency-sensitive traffic (phone calls, stock trades). Knowing what was flowing over the network became important for several reasons: controllability, to prioritize and engineer traffic; prevention of attacks on the network; detecting and preventing the pilferage of corporate information from the network; and finally, building differentiated tiers of billable services. While the number of users on the internet was increasing, the evolution of file-sharing applications such as Napster put an enormous load on the global network infrastructure. Legions of users around the world sharing files through large downloads created Denial of Service (DoS) scenarios affecting the resilience and availability of service provider as well as enterprise networks. Early firewalls, which were designed to defend networks from malicious attacks, were capable of identifying applications based on standard port numbers and protocol (TCP/UDP/others) by sniffing packet headers, and this seemed sufficient to address DoS generated by user behavior (as compared to malicious DoS). This was the first line of defense against file-sharing services. The author classifies such applications as SASP (Standard Applications running over Standard Ports).
Soon the arms race heated up and protocols surfaced whose application writers started reusing port numbers. To recognize such applications one needed to broaden the existing port-to-application association by binding port and protocol with known source and/or destination IP addresses through Access Control Lists (ACLs). I classify such applications as SANP (Standard services over non-standard ports).
The next generation of applications to emerge was much harder to identify. Peer-to-peer file-sharing applications such as Kazaa are not tied to a central pool of identifiable control servers (hence ACLs are helpless), and many of them use the standard HTTP port 80 for transport. Since nearly all web traffic runs on HTTP port 80, disabling port 80 in order to stop Kazaa is not a viable solution. These and other hard-to-detect next-generation applications can be identified only by inspecting not just the packet headers but also the content of the packets. I classify this category as SBAD (Signature Based Application Detection). This deeper inspection (or content inspection) works by the inspector searching for strings of interest within the packet content and identifying applications based on the matches found.
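The three categories above, as an added Python example that is not from the article: a classifier that consults content signatures (SBAD) first, then ACL-style bindings of protocol, port and known server network (SANP), and only then the plain port table (SASP). The header name `X-P2P-Example-Client`, the application labels, the payloads and the addresses (RFC 5737 documentation ranges) are constructed for the example and do not describe any real client or service.

```python
"""Three-tier application recognition: SASP, SANP and SBAD in one pass."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    payload: bytes  # first bytes of the transport payload


# Tier 1 (SASP): a standard application on its IANA-standard port. This is a
# header-only check, which is what the early firewalls in the text could do.
SASP_PORTS = {
    ("tcp", 80): "http",
    ("tcp", 25): "smtp",
    ("udp", 53): "dns",
}

# Tier 2 (SANP): a standard service on a non-standard port, recognised by an
# ACL-style binding of protocol + port + known server network. The network is
# an RFC 5737 documentation range, constructed for this example.
SANP_ACLS = [
    ("tcp", 8000, ip_network("203.0.113.0/24"), "http-alt-known-farm"),
]

# Tier 3 (SBAD): content signature. "X-P2P-Example-Client" is a constructed
# header standing in for the fingerprint of a P2P client that rides port 80.
# The pattern is anchored at the payload start (\A) and walks well-formed HTTP
# header lines only, so the same token inside a web page body cannot match.
SBAD_SIGNATURES = [
    ("p2p-example", re.compile(
        rb"\A(?:GET|POST) /\S* HTTP/1\.[01]\r\n"    # anchored request line
        rb"(?:[!-9;-~]+: [^\r\n]*\r\n)*?"          # any number of other headers
        rb"X-P2P-Example-Client: ")),             # the distinguishing header
]


def classify(pkt: Packet) -> tuple[str, str]:
    """Return (tier, application) for one packet.

    Content is consulted before the port table so that an application hiding on
    a standard port is not mistaken for the standard application, which is the
    port-80 problem the text describes.
    """
    for app, sig in SBAD_SIGNATURES:
        if sig.search(pkt.payload):
            return ("SBAD", app)
    for proto, port, net, app in SANP_ACLS:
        if pkt.proto == proto and pkt.dport == port and ip_address(pkt.dst) in net:
            return ("SANP", app)
    app = SASP_PORTS.get((pkt.proto, pkt.dport))
    if app is not None:
        return ("SASP", app)
    return ("unknown", "unknown")


# Constructed sample traffic (RFC 5737 addresses, made-up payloads).
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", "198.51.100.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "192.0.2.11", "198.51.100.77", 80,
           b"GET /dl/abc HTTP/1.1\r\nHost: peer\r\nX-P2P-Example-Client: 2.0\r\n\r\n"),
    Packet("tcp", "192.0.2.12", "203.0.113.7", 8000,
           b"GET /api HTTP/1.1\r\nHost: farm\r\n\r\n"),
    Packet("tcp", "192.0.2.13", "198.51.100.20", 8000,
           b"GET /api HTTP/1.1\r\nHost: elsewhere\r\n\r\n"),
    Packet("udp", "192.0.2.14", "198.51.100.53", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    # Token planted in the response body; anchoring keeps it from matching.
    Packet("tcp", "192.0.2.15", "198.51.100.10", 80,
           b"GET /page HTTP/1.1\r\nHost: x\r\n\r\n<p>X-P2P-Example-Client: </p>"),
]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        tier, app = classify(pkt)
        print(f"{pkt.proto}/{pkt.dport:<5} -> {tier:7} {app}")
```

The fourth sample (HTTP on port 8000 to a host outside the ACL) stays unknown, which is the gap SANP cannot close and the reason the text moves on to content inspection; the last sample shows why the signature is anchored rather than searched for as a bare string.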
Bringing SBAD to reality presents many issues that need to be solved, the first of which falls into the general class of string abstraction. Strings of interest must be strong and sufficiently abstracted. For example, if one were interested in uniquely identifying the author, a signature with just his first name, "Deepak", would not be sufficient to identify the author specifically, since it would match all his namesakes in the world. A stronger signature would contain "Deepak", "Lala" and "LSI", whereas the strongest would additionally contain "Arizona State" and "Kellogg School of Management". This example illustrates that the first method, with just the author's first name, has a lot of false positives, whereas a stronger signature that most uniquely describes the author has near-zero or, better, zero false positives. Reduction of false positives is driven by the uniqueness of strings. To improve uniqueness within strings, signature writers use the techniques of anchoring (tying a string to a fixed position in the stream) and grammar (requiring the string to appear within the protocol's expected structure).
The second big issue in SBAD is that of false positives and false negatives; the former we have already touched upon in the preceding paragraph. False negatives occur when the inspection machine fails to detect an application that is really there.
Deep packet inspection thus has complexities involved in specifying what to search for and in analyzing whether the abstraction yields acceptable false positives and zero false negatives. These complexities are solved today by signature compilers and post-processing tools. For effective application recognition, checks based on fixed attributes (port numbers, protocol, etc.) need to be applied in conjunction with SBAD as well as with deeper contextual checks.
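The trade-off described in the three paragraphs above (a bare token has false positives, piling on tokens can create false negatives, anchoring and grammar improve uniqueness) and the acceptance bar of "acceptable false positives and zero false negatives", as an added Python example that is not from the article: three candidate signatures are scored against a small labelled corpus. The client name `ExampleP2P`, the header `X-Example-Peer-Id` and every payload are constructed for the example and stand in for no real application.

```python
"""Measuring false positives and false negatives of candidate signatures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    payload: bytes
    is_target: bool   # ground truth: payload belongs to the application we hunt


# Constructed, labelled corpus. "ExampleP2P" is a made-up client name and the
# header X-Example-Peer-Id is likewise invented for this example.
CORPUS = [
    # target client, current builds
    Sample(b"GET /search?q=example HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: ExampleP2P/3.1\r\nX-Example-Peer-Id: 7f3a\r\n\r\n", True),
    Sample(b"GET /dl/f HTTP/1.0\r\nHost: peer\r\n"
           b"User-Agent: ExampleP2P/2.9\r\nX-Example-Peer-Id: 0c11\r\n\r\n", True),
    # target client, older build without the peer-id header
    Sample(b"GET /x HTTP/1.1\r\nHost: peer\r\nUser-Agent: ExampleP2P/3.1\r\n\r\n", True),
    # ordinary browsing
    Sample(b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n", False),
    # token appears in a URL path, not as the client fingerprint
    Sample(b"GET /blog/exampleP2P-review HTTP/1.1\r\nHost: news.example.net\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n", False),
    # token appears in a server response body
    Sample(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html>Download ExampleP2P today!</html>", False),
]

SIGNATURES = {
    # One bare token anywhere in the payload: the first-name-only signature.
    "weak": re.compile(rb"ExampleP2P", re.IGNORECASE),
    # Two tokens in a fixed order: stronger, but brittle when one is absent.
    "strong": re.compile(
        rb"User-Agent: ExampleP2P/\d+\.\d+\r\n.*X-Example-Peer-Id:", re.DOTALL),
    # One token, anchored to the request line and constrained to header grammar.
    "anchored": re.compile(
        rb"\A(?:GET|POST) /\S* HTTP/1\.[01]\r\n"
        rb"(?:[!-9;-~]+: [^\r\n]*\r\n)*?"
        rb"User-Agent: ExampleP2P/\d+\.\d+\r\n"),
}


def evaluate(sig: re.Pattern, corpus=CORPUS) -> dict:
    """Confusion counts for one signature over a labelled corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for s in corpus:
        hit = sig.search(s.payload) is not None
        if hit and s.is_target:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif s.is_target:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def acceptable(counts: dict, max_fp: int = 0) -> bool:
    """The bar stated in the text: acceptable false positives, zero false negatives."""
    return counts["fp"] <= max_fp and counts["fn"] == 0


if __name__ == "__main__":
    for name, sig in SIGNATURES.items():
        c = evaluate(sig)
        print(f"{name:9} {c}  acceptable={acceptable(c)}")
```

On this corpus the weak signature fires on the blog path and the page body (two false positives), the two-token signature misses the older build (one false negative), and the anchored single-token signature gets uniqueness from position and grammar rather than from extra tokens, which is the point of the anchoring technique the text mentions. In practice the corpus is far larger and the post-processing tools the text refers to run exactly this kind of scoring before a signature is released.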
Other big areas of discussion remain: how today's designers are going about building systems capable of inspecting every packet at high throughput, and how to identify next-generation applications that use encrypted communication, leaving content inspection helpless. While the idea of deep packet inspection has been around for some time, building scalable and cost-effective solutions for a constantly evolving application landscape is still an evolving area. A detailed analysis of the issues and potential solutions will follow in a future article.
By Deepak Lala, Engineering Director - Networking Components Division, LSI
vadmail@cybermedia.co.in