Deep packet inspection
Encyclopedia
Deep Packet Inspection (also called complete packet inspection and Information eXtraction - IX -) is a form of computer network
packet filtering that examines the data
part (and possibly also the header
) of a packet as it passes an inspection point, searching for protocol non-compliance, virus
es, spam
, intrusions or predefined criteria to decide if the packet can pass or if it needs to be routed to a different destination, or for the purpose of collecting statistical information. There are multiple headers for IP packets, network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (TCP, UDP etc.) is normally considered to be shallow packet inspection (usually called Stateful Packet Inspection) despite this definition.
Deep Packet Inspection (and filtering) enables advanced network management, user service, and security
functions as well as internet data mining
, eavesdropping
, and censorship
. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality
fear that the technology can be used anticompetitively or to reduce the openness of the Internet.
DPI is currently being used by the enterprise, service providers and governments in a wide range of applications.
. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot on their own catch events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPIs are used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, Denial of Service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet.
DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model
, in cases DPI can be evoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. DPI functionality is evoked when a device looks or takes other action based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases.
A classified packet can be redirected, marked/tagged (see quality of service
), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
at the enterprise was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.
However, vulnerabilities exist at network layers that are not visible to a stateful firewall. Also, an increase in the use of laptops in the enterprise makes it more difficult to prevent threats such as viruses
, worms
and spyware
from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately-accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer to help combat those threats.
Deep Packet Inspection is able to detect a few kinds of buffer overflow attacks.
DPI can be used by the enterprise for Data Leak Prevention (DLP). When an e-mail user tries to send a protected file he may be given information on how to get the proper clearance to send the file.
, targeted advertising
, quality of service
, offering tiered services, and copyright
enforcement.
capabilities. Decades ago in a legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. This is not possible in contemporary digital networks. The acquisition component of this functionality can be provided in many ways, including DPI, DPI enabled products that are "LI or CALEA
-compliant" can be used - when directed by a court order - to access a user's datastream.
with their customers to provide a certain level of service, and at the same time enforce an acceptable use policy
, may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of bandwidth. In some countries the ISPs are required to perform filtering depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even heuristics that identify a certain application or behavior.
, Front Porch
and Phorm
. US ISPs monitoring their customers include Knology
, and Wide Open West, and probably also Embarq
. In addition, the UK ISP British Telecom has admitted testing technology from Phorm without their customers' knowledge or consent.
(P2P) traffic present increasing problems for broadband service providers. P2P traffic is typically used by applications that do file sharing. This can be documents, music and videos. Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as email or Web browsing which use less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.
DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not. This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.
Other Vendors claim that DPI is ineffective against P2P and that other methods of Bandwidth Management
are more effective.
services from "value added", “all-you-can-eat" and "one-size-fits-all” data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor his offering to the individual subscriber and increase their Average Revenue Per User (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.
owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2
, was given a court injunction and told it must block its customers from accessing The Pirate Bay
, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI
, Sony BMG, Universal Music and Warner Music have begun suing ISPs like Eircom
for not doing enough about protecting their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America
(MPAA) which enforces movie copyright
s, on the other hand has taken the position with the Federal Communications Commission
(FCC) that network neutrality could hurt anti-piracy technology such as Deep Packet Inspection and other forms of filtering.
and censorship
; many of these programs are classified.
The FCC, pursuant to its mandate from the US Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.
The National Security Agency
(NSA), with cooperation from AT&T
has used Deep Packet Inspection technology to make internet traffic surveillance, sorting and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) phone call.
Traffic associated with AT&T’s Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T’s switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to Marcus’s affidavit, the diverted traffic "represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources primarily of domestic data."
Narus's Semantic Traffic Analyzer software which runs on IBM
or Dell
Linux
servers
, using DPI technology, sorts through IP traffic at 10Gbit/s to pick out specific messages based on a targeted e-mail address, IP address
or, in the case of VoIP, phone number. President George W. Bush
and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.
The Defense Information Systems Agency
has developed a sensor platform that uses Deep Packet Inspection.
ese and Tibet
an independence, Falun Gong
, the Dalai Lama
, the Tiananmen Square protests and massacre of 1989
, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements as those materials were signed as DPI sensitive keywords already. China also blocks VoIP traffic in and out of their country. Voice traffic in Skype
is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites like YouTube.com, and various photography and blogging sites.
AG, the German conglomerate, and Nokia
Corp., the Finnish cellphone company, according to a report in the Wall Street Journal in June, 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes."
The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the Journal, NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solutions,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich
-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business."
The NSN system followed on purchases by Iran from Secure Computing Corp. earlier in the decade.
Questions have been raised about the reporting reliability of the Journal report by David Isenberg, an independent Washington, D.C.
-based analyst and Cato Institute
Adjunct Scholar, specifically saying that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, had similar complaints with one of the same Journal reporters himself in an earlier story. NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran." A concurrent article in The New York Times said the NSN sale had been covered in a "spate of news reports in April [2009], including The Washington Times
," and reviewed censorship of the Internet and other media in the country, but did not mention DPI.
or network neutrality
find inspection of the content layers of the Internet protocol to be offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network
services.
protocols like Skype
or encrypted BitTorrent.
The open source community offers a wide array of options for performing deep packet inspection functions; a comprehensive list is maintained by the dPacket.org community
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
packet filtering that examines the data
Data
The term data refers to qualitative or quantitative attributes of a variable or set of variables. Data are typically the results of measurements and can be the basis of graphs, images, or observations of a set of variables. Data are often viewed as the lowest level of abstraction from which...
part (and possibly also the header
Header (information technology)
In information technology, header refers to supplemental data placed at the beginning of a block of data being stored or transmitted. In data transmission, the data following the header are sometimes called the payload or body....
) of a packet as it passes an inspection point, searching for protocol non-compliance, virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
es, spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
, intrusions or predefined criteria to decide if the packet can pass or if it needs to be routed to a different destination, or for the purpose of collecting statistical information. There are multiple headers for IP packets, network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (TCP, UDP etc.) is normally considered to be shallow packet inspection (usually called Stateful Packet Inspection) despite this definition.
Deep Packet Inspection (and filtering) enables advanced network management, user service, and security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
functions as well as internet data mining
Data mining
Data mining , a relatively young and interdisciplinary field of computer science is the process of discovering new patterns from large data sets involving methods at the intersection of artificial intelligence, machine learning, statistics and database systems...
, eavesdropping
Eavesdropping
Eavesdropping is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary...
, and censorship
Censorship
thumb|[[Book burning]] following the [[1973 Chilean coup d'état|1973 coup]] that installed the [[Military government of Chile |Pinochet regime]] in Chile...
. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality
Network neutrality
Network neutrality is a principle that advocates no restrictions by Internet service providers or governments on consumers' access to networks that participate in the Internet...
fear that the technology can be used anticompetitively or to reduce the openness of the Internet.
DPI is currently being used by the enterprise, service providers and governments in a wide range of applications.
Background
DPI combines the functionality of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) with a traditional stateful firewallStateful firewall
In computing, a stateful firewall is a firewall that keeps track of the state of network connections traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections...
. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot on their own catch events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPIs are used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, Denial of Service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet.
DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model
OSI model
The Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
, in cases DPI can be evoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. DPI functionality is evoked when a device looks or takes other action based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases.
A classified packet can be redirected, marked/tagged (see quality of service
Quality of service
The quality of service refers to several related aspects of telephony and computer networks that allow the transport of traffic with special requirements...
), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
DPI at the enterprise
Until recently, securityNetwork security
In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
at the enterprise was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.
However, vulnerabilities exist at network layers that are not visible to a stateful firewall. Also, an increase in the use of laptops in the enterprise makes it more difficult to prevent threats such as viruses
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
, worms
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
and spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately-accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer to help combat those threats.
Deep Packet Inspection is able to detect a few kinds of buffer overflow attacks.
DPI can be used by the enterprise for Data Leak Prevention (DLP). When an e-mail user tries to send a protected file he may be given information on how to get the proper clearance to send the file.
DPI at network/Internet service providers
In addition to using DPI to secure their internal networks, Internet service providers also apply this technology on the public networks provided to customers. Common uses of DPI by ISPs are lawful intercept, policy definition and enforcementNetwork security policy
A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a...
, targeted advertising
Targeted advertising
Targeted advertising is a type of advertising whereby advertisements are placed so as to reach consumers based on various traits such as demographics, purchase history, or observed behavior....
, quality of service
Quality of service
The quality of service refers to several related aspects of telephony and computer networks that allow the transport of traffic with special requirements...
, offering tiered services, and copyright
Copyright
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time...
enforcement.
Lawful interception
Service providers are required by almost all governments worldwide to enable lawful interceptLawful interception
Lawful interception is obtaining communications network data pursuant to lawful authority for the purpose of analysis or evidence. Such data generally consist of signalling or network management information or, in fewer instances, the content of the communications...
capabilities. Decades ago in a legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. This is not possible in contemporary digital networks. The acquisition component of this functionality can be provided in many ways, including DPI, DPI enabled products that are "LI or CALEA
Communications Assistance for Law Enforcement Act
The Communications Assistance for Law Enforcement Act is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton...
-compliant" can be used - when directed by a court order - to access a user's datastream.
Policy definition and enforcement
Service providers obligated by the service level agreementService Level Agreement
A service-level agreement is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time or performance...
with their customers to provide a certain level of service, and at the same time enforce an acceptable use policy
Acceptable use policy
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used...
, may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of bandwidth. In some countries the ISPs are required to perform filtering depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even heuristics that identify a certain application or behavior.
Targeted advertising
Because ISPs route all of their customers' traffic, they are able to monitor web-browsing habits in a very detailed way allowing them to gain information about their customers' interests, which can be used by companies specializing in targeted advertising. At least 100,000 US customers are tracked this way, and as many of 10% of US customers have been tracked in this way. Technology providers include NebuAdNebuAd
NebuAd was an American online advertising company based in Redwood City, California, with offices in New York and London and was funded by the investment companies Sierra Ventures and Menlo Ventures....
, Front Porch
Front Porch
Front Porch, Inc. provides services to Internet Service Providers. Front Porch technology enables an Internet Service Provider to insert its own messages to be presented to users as they use their web browsers, such as customer service notices or online advertising...
and Phorm
Phorm
Phorm, formerly known as 121Media, is a Delaware, United States-based digital technology company known for its advertising software. Founded in 2002, the company originally distributed programs that were considered spyware, from which they made millions of dollars in revenue...
. US ISPs monitoring their customers include Knology
Knology
Knology Inc. is a cable company that formed in 1994 by ITC Holding Company, Inc, a telecommunications holding company in West Point, Georgia that also founded Internet service provider Mindspring. In late 1994, shortly after Knology's inception, two employees made a $600,000 investment to make...
, and Wide Open West, and probably also Embarq
Embarq
Embarq Corporation was the largest independent local exchange carrier in the United States , serving customers in 18 states and providing local, long distance, high-speed data and wireless services to residential and business customers...
. In addition, the UK ISP British Telecom has admitted testing technology from Phorm without their customers' knowledge or consent.
Quality of service
Applications such as peer-to-peerPeer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
(P2P) traffic present increasing problems for broadband service providers. P2P traffic is typically used by applications that do file sharing. This can be documents, music and videos. Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as email or Web browsing which use less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.
DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not. This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.
Other Vendors claim that DPI is ineffective against P2P and that other methods of Bandwidth Management
Bandwidth management
Bandwidth management is the process of measuring and controlling the communications on a network link, to avoid filling the link to capacity or overfilling the link, which would result in network congestion and poor performance of the network.- Management :Bandwidth management mechanisms may be...
are more effective.
Tiered services
Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "walled garden"Walled garden (media)
A walled garden is an analogy used in various senses in information technology. In the telecommunications and media industries, a "walled garden" refers to a carrier or service provider's control over applications, content, and media on platforms and restriction of convenient access to...
services from "value added", “all-you-can-eat" and "one-size-fits-all” data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor his offering to the individual subscriber and increase their Average Revenue Per User (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.
Copyright enforcement
ISPs are sometimes requested by copyrightCopyright
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time...
owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2
Tele2
Tele2 AB is a major European telecommunications operator, with about 34 million customers in 11 countries. It serves as a fixed-line telephone operator, cable television provider, mobile phone operator and Internet service provider.- Overview :...
, was given a court injunction and told it must block its customers from accessing The Pirate Bay
The Pirate Bay
The Pirate Bay is a Swedish website which hosts magnet links and .torrent files, which allow users to share electronic files, including multimedia, computer games and software via BitTorrent...
, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI
EMI
The EMI Group, also known as EMI Music or simply EMI, is a multinational music company headquartered in London, United Kingdom. It is the fourth-largest business group and family of record labels in the recording industry and one of the "big four" record companies. EMI Group also has a major...
, Sony BMG, Universal Music and Warner Music have begun suing ISPs like Eircom
Eircom
Eircom Group LTD is a telecommunications company in the Republic of Ireland, and a former state-owned incumbent. It is currently the largest telecommunications operator in the Republic of Ireland and operates primarily on the island of Ireland, with a point of presence in Great Britain.As Bord...
for not doing enough about protecting their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America
Motion Picture Association of America
The Motion Picture Association of America, Inc. , originally the Motion Picture Producers and Distributors of America , was founded in 1922 and is designed to advance the business interests of its members...
(MPAA) which enforces movie copyright
Copyright
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time...
s, on the other hand has taken the position with the Federal Communications Commission
Federal Communications Commission
The Federal Communications Commission is an independent agency of the United States government, created, Congressional statute , and with the majority of its commissioners appointed by the current President. The FCC works towards six goals in the areas of broadband, competition, the spectrum, the...
(FCC) that network neutrality could hurt anti-piracy technology such as Deep Packet Inspection and other forms of filtering.
Statistics
DPI allows ISPs to gather statistical information about usage patterns by user group. For instance, it might be of interest whether users with a 2 Mbit connection use the network in a dissimilar manner to users with a 5 Mbit connection. Access to trend data also help network planning.Deep Packet Inspection by governments
In addition to using DPI for the security of their own networks, governments in North America, Europe and Asia use DPI for various purposes such as surveillanceSurveillance
Surveillance is the monitoring of the behavior, activities, or other changing information, usually of people. It is sometimes done in a surreptitious manner...
and censorship
Censorship
thumb|[[Book burning]] following the [[1973 Chilean coup d'état|1973 coup]] that installed the [[Military government of Chile |Pinochet regime]] in Chile...
; many of these programs are classified.
United States
FCC adopts Internet CALEA requirements.The FCC, pursuant to its mandate from the US Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet Access Providers meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.
The National Security Agency
National Security Agency
The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...
(NSA), with cooperation from AT&T
AT&T
AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, Dallas, Texas, United States. It is the largest provider of mobile telephony and fixed telephony in the United States, and is also a provider of broadband and subscription television services...
has used Deep Packet Inspection technology to make internet traffic surveillance, sorting and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) phone call.
Traffic associated with AT&T’s Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T’s switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to Marcus’s affidavit, the diverted traffic "represented all, or substantially all, of AT&T’s peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources primarily of domestic data."
Narus's Semantic Traffic Analyzer software which runs on IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
or Dell
Dell
Dell, Inc. is an American multinational information technology corporation based in 1 Dell Way, Round Rock, Texas, United States, that develops, sells and supports computers and related products and services. Bearing the name of its founder, Michael Dell, the company is one of the largest...
Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
servers
Server (computing)
In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
, using DPI technology, sorts through IP traffic at 10Gbit/s to pick out specific messages based on a targeted e-mail address, IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
or, in the case of VoIP, phone number. President George W. Bush
George W. Bush
George Walker Bush is an American politician who served as the 43rd President of the United States, from 2001 to 2009. Before that, he was the 46th Governor of Texas, having served from 1995 to 2000....
and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.
The Defense Information Systems Agency
Defense Information Systems Agency
The Defense Information Systems Agency is a United States Department of Defense agency that provides information technology and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands.As part of the Base Realignment and...
has developed a sensor platform that uses Deep Packet Inspection.
China
The Chinese government uses Deep Packet Inspection to monitor and censor network traffic and content that it claims harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent. Chinese network ISPs use DPI to see if there's any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to TaiwanTaiwan
Taiwan , also known, especially in the past, as Formosa , is the largest island of the same-named island group of East Asia in the western Pacific Ocean and located off the southeastern coast of mainland China. The island forms over 99% of the current territory of the Republic of China following...
ese and Tibet
Tibet
Tibet is a plateau region in Asia, north-east of the Himalayas. It is the traditional homeland of the Tibetan people as well as some other ethnic groups such as Monpas, Qiang, and Lhobas, and is now also inhabited by considerable numbers of Han and Hui people...
an independence, Falun Gong
Falun Gong
Falun Gong is a spiritual discipline first introduced in China in 1992 by its founder, Li Hongzhi, through public lectures. It combines the practice of meditation and slow-moving qigong exercises with the moral philosophy...
, the Dalai Lama
Dalai Lama
The Dalai Lama is a high lama in the Gelug or "Yellow Hat" branch of Tibetan Buddhism. The name is a combination of the Mongolian word далай meaning "Ocean" and the Tibetan word bla-ma meaning "teacher"...
, the Tiananmen Square protests and massacre of 1989
Tiananmen Square protests of 1989
The Tiananmen Square protests of 1989, also known as the June Fourth Incident in Chinese , were a series of demonstrations in and near Tiananmen Square in Beijing in the People's Republic of China beginning on 15 April 1989...
, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements as those materials were signed as DPI sensitive keywords already. China also blocks VoIP traffic in and out of their country. Voice traffic in Skype
Skype
Skype is a software application that allows users to make voice and video calls and chat over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system...
is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse-words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites like YouTube.com, and various photography and blogging sites.
Iran
The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN), a joint venture SiemensSiemens
Siemens may refer toSiemens, a German family name carried by generations of telecommunications industrialists, including:* Werner von Siemens , inventor, founder of Siemens AG...
AG, the German conglomerate, and Nokia
Nokia
Nokia Corporation is a Finnish multinational communications corporation that is headquartered in Keilaniemi, Espoo, a city neighbouring Finland's capital Helsinki...
Corp., the Finnish cellphone company, according to a report in the Wall Street Journal in June, 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes."
The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the Journal, NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solutions,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich
Munich
Munich The city's motto is "" . Before 2006, it was "Weltstadt mit Herz" . Its native name, , is derived from the Old High German Munichen, meaning "by the monks' place". The city's name derives from the monks of the Benedictine order who founded the city; hence the monk depicted on the city's coat...
-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business."
The NSN system followed on purchases by Iran from Secure Computing Corp. earlier in the decade.
Questions have been raised about the reporting reliability of the Journal report by David Isenberg, an independent Washington, D.C.
Washington, D.C.
Washington, D.C., formally the District of Columbia and commonly referred to as Washington, "the District", or simply D.C., is the capital of the United States. On July 16, 1790, the United States Congress approved the creation of a permanent national capital as permitted by the U.S. Constitution....
-based analyst and Cato Institute
Cato Institute
The Cato Institute is a libertarian think tank headquartered in Washington, D.C. It was founded in 1977 by Edward H. Crane, who remains president and CEO, and Charles Koch, chairman of the board and chief executive officer of the conglomerate Koch Industries, Inc., the largest privately held...
Adjunct Scholar, specifically saying that Mr. Roome is denying the quotes attributed to him and that he, Isenberg, had similar complaints with one of the same Journal reporters himself in an earlier story. NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran." A concurrent article in The New York Times said the NSN sale had been covered in a "spate of news reports in April [2009], including The Washington Times
The Washington Times
The Washington Times is a daily broadsheet newspaper published in Washington, D.C., the capital of the United States. It was founded in 1982 by Unification Church founder Sun Myung Moon, and until 2010 was owned by News World Communications, an international media conglomerate associated with the...
," and reviewed censorship of the Internet and other media in the country, but did not mention DPI.
DPI and net neutrality
People and organizations concerned about privacyPrivacy
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...
or network neutrality
Network neutrality
Network neutrality is a principle that advocates no restrictions by Internet service providers or governments on consumers' access to networks that participate in the Internet...
find inspection of the content layers of the Internet protocol to be offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network
Next Generation Networking
Next-generation network is a broad term used to describe key architectural evolutions in telecommunication core and access networks. The general idea behind the NGN is that one network transports all information and services by encapsulating these into packets, similar to those used on the...
services.
Software
Opendpi is the open source version for non obfuscated protocols, PACE includes obfuscated/encryptedprotocols like Skype
Skype
Skype is a software application that allows users to make voice and video calls and chat over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system...
or encrypted BitTorrent.
The open source community offers a wide array of options for performing deep packet inspection functions; a comprehensive list is maintained by the dPacket.org community
See also
- Common carrierCommon carrierA common carrier in common-law countries is a person or company that transports goods or people for any person or company and that is responsible for any possible loss of the goods during transport...
- Deep content inspectionDeep content inspectionDeep Content Inspection is a form of network filtering that examines an entire file or MIME object as it passes an inspection point, searching for viruses, spam, data loss, key words or other content level criteria...
- Deep packet capture
- Firewall
- Foreign Intelligence Surveillance Act
- Golden Shield
- Intrusion prevention/detection systems
- Network neutralityNetwork neutralityNetwork neutrality is a principle that advocates no restrictions by Internet service providers or governments on consumers' access to networks that participate in the Internet...
- NSA warrantless surveillance controversyNSA warrantless surveillance controversyThe NSA warrantless surveillance controversy concerns surveillance of persons within the United States during the collection of foreign intelligence by the U.S. National Security Agency as part of the war on terror...
- Stateful firewallStateful firewallIn computing, a stateful firewall is a firewall that keeps track of the state of network connections traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections...
- ECHELONECHELONECHELON is a name used in global media and in popular culture to describe a signals intelligence collection and analysis network operated on behalf of the five signatory states to the UK–USA Security Agreement...
External links
- Test Methodology - registration required
- Subverting Deep Packet Inspection the Right Way
- What is "Deep Inspection"?
- A collection of essays from industry experts
- What Is Deep Packet Inspection and Why the Controversy
- White Paper "Deep Packet Inspection – Technology, Applications & Net Neutrality"
- Egypt's cyber-crackdown aided by US Company - DPI technology used by Egyptian government in recent internet crackdown
- http://www.savetheinternet.com/
- Deep Packet Inspection puts its stamp on an evolving Internet
- Validate DPI policy using real applications