Common Requirements for Use Cases
Reviewing the use cases above shows several requirements that recur across them. Some apply only in part, while others always apply.
Figure 2. Several requirements are common across diverse DPI use cases.
The system executing DPI applications should not be visible to the traffic passing through it. This means that, as long as the system takes no action, all traffic and packets passing from left to right will not notice there is an inspection system in between.
This also extends to packets that would normally be used to configure the network, such as Routing Information Protocol (RIP) and Border Gateway Protocol (BGP) packets, even though a switching device is frequently present inside the inspection system.
The inspection system must have enough bandwidth available so that all traffic coming from the left or the right can be passed through. Otherwise the inspection system becomes a bottleneck in itself, causes network congestion and, most undesirably, becomes visible as a function in the network as a result. This requirement brings follow-on requirements: high (enough) processing capability, low latency, high availability and scalability.
High (Enough) Processing Capabilities
Analyzing data connections based on single or multiple packets is not an easy function. If, additionally, content needs to be analyzed in order to protect applications from injected malicious content, the performance requirements are very high. Paired with the fact that application profiles are typically held in a large in-memory database, this calls for highest-end computing and high memory capacity in the system.
Splitting connections (load balancing) across multiple entities, as described above, eases this load to a level where real-time processing becomes possible. Still, massive compute capability together with enough memory for the in-memory database of fingerprints is required.
Low latency, meaning minimal time lost inside the inspection device, is an important requirement. First, the system should not be visible in the flow, and some connections, such as VoIP, are very susceptible to latency. Second, latencies add up, slowing connections and causing a bad user experience.
An inspection device should be operational at all times in order to ensure complete coverage of what needs inspecting. Additionally, these machines sit inline in a connection, so any unavailability of the device causes unavailability of certain connections, which, in the worst case, can result in loss of revenue.
Users today expect 24x7x365 availability, and, in some countries, even have legal rights to this. In 2010, Finland was the first country to make broadband a legal right for every citizen. And in 2013, Germany's Federal Court of Justice stated that Internet connection is a modern necessity, on par with the right to mobility, such that people can sue their Internet providers for damages if connection is lost.
DPI applications are monitoring Internet traffic, which keeps growing with double-digit percentage rates all over the world. As a result, DPI devices must be able to easily adapt to these growing bandwidth requirements, preferably seamlessly.
This needs to be a given for many years to come, so an architecture is needed that allows gradual adjustments in line with the growing requirements.
Terminology used in this article:
Before explaining the requirements, several terms used throughout this article need to be defined to ensure a common understanding and clarity in the following discussion.
When discussing DPI applications, there is always a client (or internal) network side and an external network, e.g. the Internet, which the packets pass through to reach the opposite side. The internal network is normally termed the "left" side, and the open network will be called the "right" side.
A packet flow is the complete communication between an entity on the left side (example: an Internet browser on a PC) and an entity on the right side (example: a web server delivering the web page with dynamically generated content coming from a database).
In the application of DPI, load balancing means distributing packet flows over multiple inspection devices, while ensuring that a given flow will always go to the same inspection device, thus allowing that device to analyze a complete conversation between entities rather than single packets.
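The two properties this definition asks for, that both directions of a conversation land on the same inspection device and that the mapping survives adding devices (the scalability requirement above), can be shown in code. The following is an added example, not code from the original article; it keys each flow on a direction-independent 5-tuple and uses rendezvous hashing so that adding a device only moves flows to the new device, never between existing ones. Device names and sample flows are constructed for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple as seen by the load balancer."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def flow_key(f: Flow) -> bytes:
    """Direction-independent flow key: the two endpoints are sorted so the
    request (left -> right) and its reply (right -> left) hash identically."""
    a = (int(ipaddress.ip_address(f.src_ip)), f.src_port)
    b = (int(ipaddress.ip_address(f.dst_ip)), f.dst_port)
    lo, hi = sorted([a, b])
    return f"{f.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_device(f: Flow, devices: list[str]) -> str:
    """Rendezvous (highest-random-weight) hashing: every device scores the
    flow and the highest score wins. Because scores of existing devices do
    not change when a device is added, only flows the newcomer wins move."""
    key = flow_key(f)
    return max(devices,
               key=lambda d: hashlib.sha256(key + b"|" + d.encode()).digest())


def flows_moved_only_to(flows: list[Flow], old: list[str], new_dev: str) -> bool:
    """True if growing the pool from `old` to `old + [new_dev]` moved flows
    only onto the new device, i.e. no existing conversation was re-pinned."""
    new = old + [new_dev]
    for f in flows:
        before, after = pick_device(f, old), pick_device(f, new)
        if before != after and after != new_dev:
            return False
    return True


# Constructed sample flows: a few client ports towards two "right side" servers.
SAMPLE_FLOWS = [Flow("10.0.0.5", "203.0.113.10", 6, 40000 + i, 443) for i in range(50)]
SAMPLE_FLOWS += [Flow("10.0.0.9", "203.0.113.20", 17, 50000 + i, 53) for i in range(50)]
DEVICES = ["dpi-1", "dpi-2", "dpi-3"]

if __name__ == "__main__":
    fwd = SAMPLE_FLOWS[0]
    rev = Flow(fwd.dst_ip, fwd.src_ip, fwd.proto, fwd.dst_port, fwd.src_port)
    print("same device both ways:", pick_device(fwd, DEVICES) == pick_device(rev, DEVICES))
    print("adding dpi-4 moved flows only to dpi-4:", flows_moved_only_to(SAMPLE_FLOWS, DEVICES, "dpi-4"))
```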
Flow fingerprints are the characteristics used to identify applications and functions in a given conversation. Certain applications have certain behaviors in their communication that make them uniquely identifiable.