Office of the Privacy Commissioner Of Canada

Deep Packet Inspection is Essential for Net Neutrality

Written by: Office of the Privacy Commissioner Of Canada

The issues of deep packet inspection and network neutrality can only be understood with reference to the history of the Internet. This history is quite remarkable: originally a set of technologies designed to connect dozens of institutions in the early 1970s, it now supports the communication needs of hundreds of millions of people. The Internet has scaled, and continues to scale, because engineers across the planet continuously study and improve its underlying technology. It is virtually a truism amongst network engineers that, if given the chance, they would have built the Internet differently. They are never given that chance, however, and thus they have largely focused on how to make the Internet we have satisfy all the demands we place upon it. Thus, the Internet should not be seen as a static system that is finished in any sense; instead, it is an ongoing experiment in open communications.

As originally conceived, the Internet experiment was based upon a central insight: that networks were the fastest and most efficient when they were the dumbest. Reliability, integrity, confidentiality—these were all things that could be provided by the endpoints using custom communication protocols; adding them to the network itself made it more complicated and stole precious resources. The Internet was designed to simply transmit data on a “best effort” basis. No attention was given to ideas like quality of service; indeed, the network’s original designers were happy when the network worked at all.

Today we expect, and increasingly need, the Internet to work. To a remarkable extent the Internet fulfills its promise. While technical glitches do sometimes disrupt communications, network administrators and engineers more often must contend with overuse and abuse of network resources: spam floods, denial-of-service attacks, peer-to-peer sharing of video files, flash crowds—these are the real threats. The endpoints—the computers attached to the Internet and their users—are not up to the task of stopping these threats. Thus, Internet service providers have stepped into the breach, doing the best that they can. In other words, the Internet has had to become “smart” in order to arbitrate the myriad of uses—legitimate and illegitimate—to which it is put.

With earlier technology such intervention would have been impossible: routers that were fast enough for the Internet didn’t have the resources to examine traffic as it went by. Technology has progressed, however, to the point that network providers have the capability to observe and manipulate traffic in a variety of ways. They now need this power to keep their networks running: if they can’t isolate an overly aggressive file sharing program or spam-relaying botnets, their networks will become useless for regular users. This same power has turned out to be a Pandora’s box for network providers: if they discriminate against abuse of network resources, why not discriminate against other forms of unwanted communication—child pornography, hate speech, copyright violations…the list is potentially endless.

Network neutrality is a principle that says that network providers should not preferentially discriminate against certain kinds of traffic. Ideally this would mean a return to the Internet of old which passed on data blindly; such a simplistic approach today, however, would quickly result in the collapse of the Internet. Network neutrality advocates realize this, so they make exception for providers monitoring and changing traffic for the purposes of maintaining their networks. The problem comes, though, when these exceptions are codified: allow too much flexibility and providers have the power to be despots on their network; make them too rigid and providers will be prevented from adapting to the next problematic use of the Internet.

Note that any technology for managing Internet traffic will, today, have to employ deep packet inspection (DPI). DPI is essential because IP packet headers (the “outer” parts of network data that give its addressing information) are no longer sufficient for making traffic engineering decisions. Virtually all new applications attempt to make their communications resemble web traffic, so as to traverse the numerous impediments (firewalls) that exist currently. How can a provider tell that a given stream of “web” traffic is really a file sharing program or a self-replicating worm? A provider’s only real option is to look past the outer headers and into the (IP and TCP packet) payloads. This is exactly what deep packet inspection is.
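To make the header/payload distinction concrete, here is an added example (not code from the essay or its author) that decodes the IPv4 and TCP headers of a packet (shallow inspection) and then, only for traffic on the web port, looks into the TCP payload to check whether it actually carries an HTTP request (deep inspection). The sample packets are constructed in the block; checksums are left at zero because nothing is sent.

```python
import struct
from dataclasses import dataclass


@dataclass
class Headers:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(pkt: bytes) -> Headers:
    """Shallow inspection: decode only the IPv4 and TCP headers."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                           # protocol field: 6 = TCP
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return Headers(src, dst, sport, dport, tcp[data_off:])


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http_request(payload: bytes) -> bool:
    """Deep inspection: read the payload and check for a valid HTTP request line."""
    if not payload.startswith(HTTP_METHODS):
        return False
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.")


def classify(pkt: bytes) -> str:
    """Headers alone decide the port; only the payload can say whether it is really HTTP."""
    h = parse_ipv4_tcp(pkt)
    if h.dport != 80:
        return "non-web port"
    if not h.payload:
        return "web port, no payload"
    return "web port, HTTP" if looks_like_http_request(h.payload) else "web port, NOT HTTP"


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed helper: assemble an IPv4+TCP packet (checksums zero, never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + tcp


# Constructed samples: addresses from the documentation ranges, payloads made up here.
HTTP_PKT = build_packet("192.0.2.10", "198.51.100.7", 40001, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
DISGUISED_PKT = build_packet("192.0.2.11", "198.51.100.7", 40002, 80,
                             b"\x00\x01binary-handshake-not-http")
SSH_PKT = build_packet("192.0.2.12", "198.51.100.7", 40003, 22, b"SSH-2.0-example\r\n")

if __name__ == "__main__":
    for name, pkt in (("HTTP_PKT", HTTP_PKT), ("DISGUISED_PKT", DISGUISED_PKT), ("SSH_PKT", SSH_PKT)):
        print(name, "->", classify(pkt))
```

Note that `parse_ipv4_tcp` never reads past the TCP data offset, so a device that only ran that function could not tell the first two packets apart; that is the whole argument of the paragraph above.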

A wrinkle in this debate has been the heavy-handedness with which some providers have regulated their networks. For example, some have greatly discriminated against or outright banned certain popular applications (e.g., BitTorrent), even though there are many legitimate uses and users of such technology. While some of this is due to poor policies on the part of network providers, much of this is simply a function of current technology: we simply do not know how to make the network punish miscreants on its own. Thus, network administrators must painstakingly identify every dangerous use of the network and then craft rules with which to stop such uses. Inevitably those rules have collateral damage, even when they are implemented in good faith.

The technology is improving every day, however, as it has for the entire life of the Internet. Internet providers are obtaining more and more precise mechanisms with which to monitor and regulate their networks. Indeed, the tools have developed to the point that there is much room for abuse—hence all of the concerns regarding network neutrality.

It is essential for technologists to have the flexibility to develop, test, and deploy new ways to protect the Internet. These mechanisms will, by and large, be based upon deep packet inspection, simply because that’s where the necessary information is—block DPI and we won’t be able to keep the Internet running. However, if we wish to prevent the abuse of these technologies we need to develop guidelines for their use and incentives for the development of appropriate technologies.

If we wish to preserve privacy, we need rules on what data is stored and exposed to network administrators. To preserve fairness, we need rules restricting how network traffic can be manipulated. To handle the inevitable evolution of Internet uses and abuses, though, such rules should be crafted with a strong focus on intentionality. Network providers need to be given a great deal of flexibility; they should just show that they are acting in good faith.

Of course, deciding what “good faith” means can be very hard. Perhaps what is needed are industry standard “best practices” for addressing different traffic engineering problems. These would be standard methodologies for managing traffic. So long as network providers are basically adhering to a standard methodology they can argue they are acting in good faith.

To make such methodologies really work, however, what we need are technologies that make such “good faith” decisions easily. Rather than a human deciding on what traffic should be throttled or blocked, we need programs—algorithms—for identifying problematic traffic patterns, and safe mechanisms for automatically managing such problems. The more this process can be automated, the more likely we can get systems that are fair, privacy preserving, yet tolerant of abuse. No such system will be perfect, thus humans will always be needed to monitor our networks. However, if they rarely have to create traffic management rules, we will have significantly fewer opportunities for abuse.

A key role for government in solving this problem lies in giving network providers the incentives for developing automated traffic management systems that keep humans at a distance from the judgment of what data should and should not be carried by the network. Even though such technology does not currently exist, with the right incentives I am sure the right technologies can be developed. (Indeed, the development of such technology is one of my research goals.) Without those incentives, however, network providers will continue to use manual, ad-hoc methods for managing traffic, because it is the path of least resistance, and because it is the one that gives them the most power and flexibility. Government should step into this debate to help network providers balance out their needs with those of their customers and society at large.


17 Responses

  1. Kevin says:

    “block DPI and we won’t be able to keep the Internet running” And yet it is running, has been running for years and years – that is the history that one must reference.

    No, Mr. Somayaji, DPI is not the answer. Yes, the Internet is an experiment in open communications and DPI will put an end to that once and for all. The Internet is like a highway and you propose that every vehicle be stopped and the contents of the vehicle inspected, the pockets and purses of the occupants turned out for business and government to see, along with a permanent record.

    Which packets will be allowed and which will not? Who will make the list of blacklisted sites? Those vehicles carrying opinions detrimental to the business of the carrier may well be ‘disappeared’. Political freedom on the net, such as it exists, will surely disappear when all submissions can be monitored in real time.

    The Internet is in many respects self-healing and the net will interpret DPI as damage. A great deal of the traffic will simply become encrypted, thwarting most DPI efforts. Certainly, those with the most to lose will encrypt in order to circumvent inspection – they already do. Will laws then be enacted to make encryption illegal or will ISP’s simply amend their customer contracts and refuse to forward encrypted content?

    No, the only history that really needs to be referenced is human history. It is a history replete with enough lessons about crime, greed, abuse and blunder that any rational person (with an awareness of that history) would never promote DPI.

  2. Anil says:

    It is running today, in part, because of DPI. What else is network intrusion detection? What is spam filtering? We still don’t have good tools for managing distributed denial-of-service attacks – that’s why they are still effective for blackmail.

    The Internet is a commons. If I and my friends decide to do bittorrent downloads you may not be able to check your email. Increases in capacity aren’t enough, computers and users will always be able to consume more if permitted.

    Arbitrary DPI is bad. Privacy-violating DPI is bad. But some form of DPI is needed.

    To see what I’m talking about, read http://ccsl.carleton.ca/paper-archive/amatrawy-acns-05.pdf. And, look at our NetADHICT project.

    –Anil

  3. Dave says:

    Sorry, but I completely disagree that DPI is necessary. It is my understanding that the major internet backbones are nowhere near their limit in terms of bandwidth and that most of the bandwidth constraints are in individual neighborhoods. Without spying on what someone is doing there is no reason why the bandwidth can’t be split up evenly between all users, what protocol or application someone is using is irrelevant.

    DPI is also not going to solve all (or any, actually) internet attacks (DDoS) just like CSS encryption didn’t stop people from copying DVDs and Blu-Ray’s encryption hasn’t stopped people from copying Blu-ray discs. What I mean is it sounds great at first, but then a few months later someone gets around it. Do you really want to say we just gave up our privacy rights for three months without DDoS attacks? No thanks. Oh yea, the current DPI gear (NebuAd) that has been employed doesn’t even stop DDoS attacks, but it was made to spy on us to support online advertising. Nobody that makes DPI gear has interest in stopping DDoS attacks because there is no money to make there, it’s just theory craft.

  4. Arthur G. says:

    “Network neutrality is a principle that says that network providers should not preferentially discriminate against certain kinds of traffic. Ideally this would mean a return to the Internet of old which passed on data blindly; such a simplistic approach today, however, would quickly result in the collapse of the Internet.”

    His claims are completely unfounded, and are meant to spread FUD, fear uncertainty and doubt.

    This guy doesn’t know what he’s talking about, he doesn’t understand how bandwidth capacity actually functions and how little DPI actually does to actually reduce network traffic. As a network engineer, take it from me, this guy’s an idiot.

  5. Stylianos P. says:

    None of the stuff described above (w.r.t. throttling traffic volume) requires more than shallow packet inspection (and it is already done that way). All you need is to check if the endpoint is sending too much traffic (more than its fair share, say) and you should not care as a carrier about the type of traffic or its contents. IT IS NOT YOUR BUSINESS. Just drop packets from the offender and move on.

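The essay asks for algorithms that identify problematic traffic patterns automatically, and the comment above argues that volume-based throttling needs nothing beyond headers. The following added example (not code from the page, its author or any commenter) shows one such header-only algorithm: per-source byte counts over a time window, followed by a max-min fair allocation of the link budget, which yields a drop fraction only for sources that exceed their fair share and only when the link is actually over-subscribed. The link capacity and packet records are constructed for the example.

```python
from collections import defaultdict


def _burst(src, n, size, start=0.0, gap=0.01):
    """Constructed helper: n packets of `size` bytes from `src`, one every `gap` seconds."""
    return [(start + i * gap, src, size) for i in range(n)]


# Constructed sample: (time_s, source_ip, bytes_on_wire). Only header-level facts
# (source address, packet length, arrival time) are used; payloads are never read.
SAMPLE_RECORDS = (_burst("192.0.2.10", 20, 100)     # 2,000 bytes in the window
                  + _burst("192.0.2.20", 40, 100)   # 4,000 bytes
                  + _burst("192.0.2.30", 6, 1500))  # 9,000 bytes


def window_usage(records, start, length):
    """Bytes sent per source within [start, start + length)."""
    usage = defaultdict(int)
    for t, src, size in records:
        if start <= t < start + length:
            usage[src] += size
    return dict(usage)


def max_min_fair(demands, capacity):
    """Water-filling max-min fair allocation of `capacity` across the demanding sources.

    Sources whose demand fits within the current equal share are fully satisfied;
    the leftover is re-divided among the rest until everyone has an allocation.
    """
    alloc, remaining, pending = {}, float(capacity), dict(demands)
    while pending:
        share = remaining / len(pending)
        satisfied = {s: d for s, d in pending.items() if d <= share}
        if not satisfied:                    # everyone left wants more than the share
            for s in pending:
                alloc[s] = share
            break
        for s, d in satisfied.items():
            alloc[s] = d
            remaining -= d
            del pending[s]
    return alloc


def drop_policy(records, link_bytes_per_s, window=1.0, start=0.0):
    """Return {source: fraction_to_drop} for sources over their fair share.

    If the total demand fits the link, every source is fully allocated and the
    result is empty: nobody is throttled on an uncongested link.
    """
    demands = window_usage(records, start, window)
    alloc = max_min_fair(demands, link_bytes_per_s * window)
    return {s: 1.0 - alloc[s] / d for s, d in demands.items() if alloc[s] < d}


if __name__ == "__main__":
    print("congested link (12,000 B/s):", drop_policy(SAMPLE_RECORDS, 12_000))
    print("uncongested link (20,000 B/s):", drop_policy(SAMPLE_RECORDS, 20_000))
```

With the constructed records the 12,000 byte/s link is over-subscribed by 3,000 bytes; the two modest sources are left alone and only the heaviest one is asked to shed a third of its traffic. Doubling the capacity removes the need to drop anything, which is the "just add bandwidth" side of the debate expressed in the same code.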
  6. Anil says:

    Arthur says: “This guy doesn’t know what he’s talking about, he doesn’t understand how bandwidth capacity actually functions and how little DPI actually does to actually reduce network traffic. As a network engineer, take it from me, this guy’s an idiot.”

    Who am I to disagree. Yes, I’d love to have an Internet with no DPI. No network spam filtering. No malware defense. No defenses against botnet-based DDoS (cause yeah, the headers from your neighbor’s infected desktop are a dead giveaway). Sounds like an Internet that would work really well.

    Yep.

    –Anil

  7. Mitchell Parnell says:

    File sharing is the problem…. don’t make me laugh. In Japan you can get an internet connection 100 times faster for less. The bandwidth is there.

  8. Dan says:

    DPI is moot once encryption is involved – the only reason for DPI is so that ISPs (also known as the TV and Phone providers) can degrade competitive traffic such as VOIP, streaming video and file sharing – along with encrypted ‘unidentified’ traffic from people like me who encrypt everything on principle alone. The bad guys will still be out there doing what they do, while actual consumers will be left to pay premium prices for HDTV and phone services offered by their providers at quality levels that only they have access to.

  9. Dan says:

    “Who am I to disagree. Yes, I’d love to have an Internet with no DPI. No network spam filtering. No malware defense. No defenses against botnet-based DDoS (cause yeah, the headers from your neighbor’s infected desktop are a dead giveaway). Sounds like an Internet that would work really well.

    Yep.

    –Anil”

    What are you talking about? DPI != all of those other things.

  10. Dave says:

    Dan:

    Exactly! All the DPI gear out there doesn’t do any of that! Its only job is to gather data on advertising. Anil is really just spreading FUD.

    Dave

  11. Anil says:

    Dan, Dave -

    It all comes down to what you classify as “DPI gear.” If you are just looking at the boxes that track user behavior for advertising purposes, then yeah, the Internet will be fine without them. But DPI covers *any* networking equipment that examines the payloads of packets while in transit. A box that scans email connections to terminate connections from spambots – it is doing DPI. Blocking viruses at a gateway – that’s DPI. Filtering a web flash crowd (i.e. “the slashdot effect”) upstream by blocking requests for a specific URL – that’s DPI.

    This is my point – you’ve got to look at the payloads to do any number of important things in the network. Even if you specifically made exceptions in the law for these cases, tomorrow some new problem will come along that will require some box on the network to inspect packet payloads. That’s why I don’t want DPI to be outlawed; it should be regulated, but regulated in a way that allows ISPs to adapt to changing circumstances.

    Note that the very architecture of the Internet (indeed, any modern communications network) means that everyone cannot use all of their upstream bandwidth at the same time. Uplinks (almost) always offer less bandwidth than the sum of the connections feeding into them. Thus there is always the potential for parts of the network to become congested due to excessive demand. What happens if a flash worm (one that can spread across the entire Internet in a matter of minutes) starts saturating everyone’s Internet connection, how are you going to stop it? DPI, that’s the only way.

    All I’m saying is that we need DPI technology in some form to keep the Internet alive. But, clearly some ISPs are now abusing their power and are doing inappropriate things with DPI technology. So we need regulation. But please, don’t legislate “don’t look at my packets ever!” Instead, make laws with specific intentionality tests, i.e., you can inspect to block known security threats but not to choose which applications are and aren’t allowed. And definitely, they shouldn’t be profiling me for advertising purposes. (But really, that’s a much larger debate – right now major Internet companies can track almost everything you do, and that’s without DPI. That doesn’t make me happy.)

    If you ask me, wiretap was a horrible precedent for the Internet. But we live in a world where, in general, we don’t relinquish technological power once we have it – generally because we can think of too many situations where we’d really, really like to have that power. So, we just have to agree on the rules for when such power may be used.

    OK, that was a bit of a lecture. But, does that clarify things?

    –Anil

  12. Michael says:

    The problem with DPI is how it is employed by ISPs (like Bell and Rogers). These ISPs are forcing THEIR view of DPI UPON me. They are thus violating my privacy, and using their monopolization of the Canadian Internet Backbones to ensure that they get their way at the expense of the Canadian Public.

    ISPs are not using DPI to protect me… they are using DPI to ensure that they have a competitive advantage over competition. It is unconscionable that the CND government allows the internet to be used this way.

    DPI should be an opt-in service that I subscribe to if I want it. Am I sick of getting spam? Yes… therefore I signed up to Gmail, which DPIs the email I get, to filter my email. Am I worried about Internet Worms? NO… my Router will protect me from them, and I keep my systems UP-to-Date. I do not want DPI to protect me from them. Am I afraid of DDoS? No… don’t DPI me.

    Don’t DPI my traffic unless I specifically ask for it. Thank you very much.

  13. Dan says:

    “But DPI covers *any* networking equipment that examines the payloads of packets while in transit. ”

    WRONG!

    I assume you know what the OSI 7 Layer Model is?

    The objection amongst us is not ‘packet inspection’, it’s ‘DEEP’ packet inspection.

  14. In a sense, DPI is a misnomer – hence the flame war above. It is a metaphor that seems to imply depth of inspection rather than breadth. Yet very clearly it is about both inspecting payloads of packets, and observing the patterns of traffic that develop over time and many of the packets. After all, the latter is what most DPI boxes do when analysing the “behavior” of traffic – thus inferring what types of application are being used. An ISP would be mad if they were to look too deep inside the application layer content that is being transmitted, for that would expose them not only to PR disasters, but would likely rob them of their mere conduit status. I have been told, and I tend to believe, that the ISPs are well aware of that fine line.

    I would like to think that a happy equilibrium would be the encryption of content end-to-end, and the ISPs doing whatever competition lets them get away with in pricing congestion (a cost issue) and value to the user (grabbing more of the social surplus).

    An aside: The OSI layer model, while still mentioned in most textbooks, is totally irrelevant for the internet. It is not even useful for abstract purposes, since the upper three layers have no such counterpart in the internet. Why is it that even 25 years after this has been clear (to some at least) there is still such an appreciation of the OSI layer model?

  15. am says:

    As with Michael, I too take issue with the way that Bell has forced DPI based filtering (er ‘network management’) on independent ISPs. These ISPs effectively rent the DSL frequencies of a copper pair together with a back haul circuit that brings the packet to the independent ISP’s datacentre.

    The copper pair is dedicated between a home (or other location) and the telephone central office, so any traffic on this circuit will not interfere with other customers’ traffic; Bell can make no argument for touching content of the DSL circuit in the name of ‘network management’, so they must be touching the back haul circuit.

    The back haul circuit brings the traffic to the independent ISP datacentre. Bell already managed this circuit without DPI; if the independent ISP buys too little bandwidth, Bell randomly drops the packets that don’t fit in the pipe. Again, no reason for Bell to touch the payload in this circuit, at least not in the name of ‘network management’. This circuit is remarkably similar to a circuit that a large enterprise might purchase, and I don’t think Bell runs DPI to drop packets of their choice from a Bank’s network, they just drop packets which do not fit.

    Bell can use the name ‘network management’ when they look for traffic they feel is harming Bell Internet service (Sympatico), but when they do it to Independent ISPs, it seems there must be another reason. Perhaps the regulations which require Bell to share their monopolistic network (copper to the house) are tariffed incorrectly, not breaking out the back haul circuit? If so, Bell should be arguing for correct tariffs so that they can sell bigger circuits to independent ISPs and make more money. But instead, it would appear that they have chosen to filter traffic on behalf of Independent ISPs, preventing other ISPs from having competitive network service offerings.

    This is only one argument against DPIs.

    P.S.

    Anil referenced ‘payload’, as opposed to ‘header’, and as such identifies correctly that DPI applies to the higher layers of OSI. It is, however, unclear to me how layers 4 and 5 apply to the terms ‘header’ and ‘payload’. For example, is a port number a header? If we use postal mail as an example, the port number is similar to a name, since mail can still be delivered to a location without the name, but it may have difficulty finding the right person to look at it without the name, or port number in the case of a computer. Most postal mail includes a name on the envelope despite the fact that the post office does not need it for delivery most of the time.

    P.P.S.

    Do you suppose that encryption will be like port 80? Before firewalls filtered everything based on port, so everyone moved services to port 80 to get through the firewalls. Now, some services are moving to encryption to protect privacy or avoid DPI. Once most everything uses encryption, network operators will be forced to look only at headers and traffic profiles. If they really do rely on DPI, they better have some other plans for when encryption is ubiquitous!

  16. Anil says:

    Old fashioned routers just looked at the IP packet header: really, just the destination IP address. Now networking gear looks beyond the IP header into the TCP header (for connection tracking) and then into the application-level headers (i.e. HTTP headers) and below. Inspection of application-level headers is “deep packet inspection” since it goes beyond the standard IP and TCP/UDP headers.

    But, as Matthias points out, traffic management equipment, such as that produced by Sandvine, also analyzes the pattern of packets. Turns out a lot of traffic can be identified merely by watching the pattern of packets. Recent research has even shown that shell commands going over SSH can be identified – all without breaking the underlying encryption. So, even universal encryption would not stop all traffic throttling or even network-level user profiling.

    Dan – The OSI model has no clear mapping to the modern Internet. How do you define DPI in terms of current networking technology?

    Michael – note that DPI is not something that can easily be an “opt-in” technology. When you’re trying to identify a spreading worm or a spam flood from a botnet, the contributions from individual hosts can be relatively modest; they are only problematic in aggregate.

    While I don’t condone what Bell has been doing to the smaller ISPs, I can see why they might be doing it: if traffic from all sources is getting pushed onto Bell’s backbone without any labeling, then they would be left with either shaping the traffic of everyone or nobody. But really, if this is the case then this is an example of incompetence: they implemented a bad network architecture and now they are stuck with it. This is probably all the more reason, though, that we need good regulations and regulators.

    That was the point of my essay – DPI is a set of networking technologies that have both legitimate and illegitimate uses. The bad part is not looking in payloads; the bad part is looking at payloads for the wrong reason (advertising vs. legit traffic management) or in the wrong way (exposing private communications to humans, rather than algorithms).

    Internet traffic must be managed because there are always circumstances where there are insufficient resources – in crisis situations, sometimes much, much less. To manage traffic you have to understand it in some way. For multiple reasons the information necessary for understanding modern Internet traffic is more than that supplied by standard packet headers.

    I’m actually a bit worried about universal encryption of network traffic because it would make traffic management a lot more difficult. I care about privacy a lot. (I digitally sign my email with GNU Privacy Guard and encrypt with everyone I can – do you?) But I care about the Internet working as well.

    But that’s the topic for another essay. :-)

    –Anil

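The comment above makes the point that traffic-management equipment also classifies flows from the pattern of packets (sizes, timing, direction) without reading payloads, so encryption alone does not end traffic shaping. As an added example, not code from the essay, its author or any vendor, here is a toy flow classifier that computes a few metadata features over a flow and labels it interactive or bulk; the thresholds and the two sample flows are constructed for illustration, and a real system would learn them from labelled traffic rather than hard-code them.

```python
from statistics import mean

# Constructed sample flows: lists of (time_s, direction, bytes). No payload is present
# at all, which is exactly the situation under universal encryption.
INTERACTIVE_FLOW = [(i * 0.2, "up" if i % 2 == 0 else "down", 60 if i % 2 == 0 else 84)
                    for i in range(20)]            # small packets, human-paced gaps
BULK_FLOW = [(i * 0.001, "down", 1460) for i in range(100)]   # MSS-sized, back to back


def flow_features(packets):
    """Metadata-only features of a flow: no byte of payload is examined."""
    sizes = [s for _, _, s in packets]
    times = [t for t, _, _ in packets]
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    duration = times[-1] - times[0]
    return {
        "mean_size": mean(sizes),
        "small_frac": sum(1 for s in sizes if s <= 100) / len(sizes),
        "mean_gap": mean(gaps),
        "down_frac": sum(s for _, d, s in packets if d == "down") / sum(sizes),
        "bytes_per_s": sum(sizes) / duration if duration > 0 else 0.0,
    }


def classify_flow(packets, mtu=1500):
    """Heuristic labels (constructed thresholds): interactive, bulk, or unknown."""
    if not packets:
        return "unknown"
    f = flow_features(packets)
    # Mostly tiny packets separated by human-scale pauses: an interactive session.
    if f["small_frac"] >= 0.7 and f["mean_gap"] >= 0.05:
        return "interactive"
    # Near-MTU packets arriving back to back: a bulk transfer.
    if f["mean_size"] >= 0.6 * mtu and f["mean_gap"] < 0.01:
        return "bulk"
    return "unknown"


if __name__ == "__main__":
    for name, flow in (("INTERACTIVE_FLOW", INTERACTIVE_FLOW), ("BULK_FLOW", BULK_FLOW)):
        print(name, classify_flow(flow), flow_features(flow))
```

A scheduler could use such labels to prioritise interactive flows over bulk ones during congestion without ever decrypting anything; the same observation is why the comment treats encrypted traffic as still profilable, and why the privacy rules the essay asks for have to cover metadata as well as payloads.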
  17. Michael_M says:

    I believe that one important aspect of the overall issue (DPI as the necessary evil?) is missing in the discussion. The problem I see is the inevitable business dilemma for the ISP providers: expand the network bandwidth (more expensive option) or limit/throttle the usage using the DPI approach. The DPI option must not be used to promote inefficient monopoly relying on the non-existent business ethics, especially as I don’t see how the use of DPI is going to be tightly controlled and its misuse prevented.
    I personally don’t believe in the “laissez-faire” approach to free enterprise and consequently in the existence of the ethical business practice without the adequate measures independently ensuring general public protection. We just have to look at the Enrons of our era and the consequence of “ethical” business practices in the business behavior of unregulated financial institutions in the global financial market to come to the conclusion that DPI throttling will inevitably be misused as the cost effective approach to avoid necessary and costly capacity upgrades of ISP networks unless the application of these throttling techniques is tightly controlled.
    The question is then whether sufficient control measures exist to prevent misuse and, if not, what these measures should be and how to establish them!

