But, as Matthias points out, traffic management equipment, such as that produced by Sandvine, also analyzes the pattern of packets. Turns out a lot of traffic can be identified merely by watching the pattern of packets. Recent research has even shown that shell commands going over SSH can be identified – all without breaking the underlying encryption. So, even universal encryption would not stop all traffic throttling or even network-level user profiling.

Dan – The OSI model has no clear mapping to the modern Internet. How do you define DPI in terms of current networking technology?

Michael – note that DPI is not something that can easily be an “opt-in” technology. When you’re trying to identify a spreading worm or a spam flood from a botnet, the contributions from individual hosts can be relatively modest; they are only problematic in aggregate.

While I don’t condone what Bell has been doing to the smaller ISPs, I can see why they might be doing it: if traffic from all sources is getting pushed onto Bell’s backbone without any labeling, then they would be left with either shaping the traffic of everyone or nobody. But really, if this is the case then this is an example of incompetence: they implemented a bad network architecture and now they are stuck with it. This is probably all the more reason, though, that we need good regulations and regulators.

That was the point of my essay – DPI is a set of networking technologies that have both legitimate and illegitimate uses. The bad part is not looking in payloads; the bad part is looking at payloads for the wrong reason (advertising vs. legit traffic management) or in the wrong way (exposing private communications to humans, rather than algorithms).

Internet traffic must be managed because there are always circumstances where there are insufficient resources – in crisis situations, sometimes much, much less. To manage traffic you have to understand it in some way. For multiple reasons the information necessary for understanding modern Internet traffic is more than that supplied by standard packet headers.

I’m actually a bit worried about universal encryption of network traffic because it would make traffic management a lot more difficult. I care about privacy a lot. (I digitally sign my email with GNU Privacy Guard and encrypt with everyone I can – do you?) But I care about the Internet working as well.

But that’s the topic for another essay.

–Anil

The copper pair is dedicated between a home (or other location) and the telephone central office so any traffic on this circuit will not interfere with other customer’s traffic; Bell can make no argument for touching content of the DSL circuit in the name of ‘network management’, so they must be touching the back haul circuit.

The back haul circuit brings the traffic to the independent ISP datacentre. Bell already managed this circuit without DPI; if the independent ISP buys too little bandwidth, Bell randomly drops the packets that don’t fit in the pipe. Again, no reason for Bell to touch the payload in this circuit, at least no in the name of ‘network management’. This circuit is remarkably similar to a circuit that a large enterprise might purchase, and I don’t think Bell runs DPI to drop packets of their choice from a Bank’s network, they just drop packets which do not fit.

Bell can use the name ‘network management’ when they look for traffic they feel is harming Bell Internet service (Sympatico), but when they do it to Independent ISPs, it seems there must be another reason. Perhaps the regulations which require Bell to share their monopolistic network (copper to the house) are tariffed incorrectly, not breaking out the back haul circuit? If so, Bell should be arguing for correct tariffs so that they can sell bigger circuits to independent ISPs and make more money. But instead, it would appear that they have chosen to filter traffic on behalf of Independent ISPs, preventing other ISPs from having competitive network service offerings.

This is only one argument against DPIs.

P.S.

Anil referenced ‘payload’, as opposed to ‘header’, and as such identifies correctly that DPI applies to the thigher layers of OSI. It is, however, unclear to me how layers 4 and 5 apply to the terms ‘header’ and ‘payload’. For example, is a port number a header? If we use postal mail as an example, the port number is similar to a name, since mail can still be delivered to a location without the name, but it may have difficulty finding the right person to look at it without the name, or port number in the case of a computer. Most postal mail includes a name on the envelop despite the fact that the post office does not need it for delivery most of the time.

P.P.S

Do you suppose that encryption will be like port 80? Before firewalls filtered everything based on port, so everyone moved services to port 80 to get through the firewalls. Now, some services are moving to encryption to protect privacy or avoid DPI. Once most everything uses encryption, network operators will be forced to look only at headers and traffic profiles. If they really do rely on DPI, they better have some other plans for when encryption is ubiquitous!

I would like to think that a happy equilibrium would be the encryption of content end-to-end, and the ISPs doing whatever competition lets them get away with in pricing congestion (a cost issue) and value to the user (grabbing more of the social surplus).

An aside: The OSI layer model, while still mentioned in most textbooks, is totally irrelevant for the internet. It is not even useful for abstract purposes, since the upper three layers have no such counterpart in the internet. Why is it that even 25 years after this has been clear (to some at least) there is still such an appreciation of the OSI layer model?

WRONG!

I assume you know what the OSI 7 Layer Model is?

The objection amongst us is not ‘packet inspection’, it’s ‘DEEP’ packet inspection.

ISPs are not using DPI to protect me… they are using DPI to ensure that they have a competitive advantage over competition. It is unconcionable that the CND government allows the internet to be used this way.

DPI should be an opt-in service that I subscribe to if I want it. Am I sick of getting spam? Yes… therefore I signed up to Gmail which DPIs the email I get Google to filter my email. Am I worried about Internet Worms? NO… my Router will protect me from them, and I keep my systems UP-to-Date. I do not want DPI to protect me from them. Am I afraid of DDoS? No… dont DPI me.

Dont DPI my traffic unless I specifically ask for it. Thank you very much.

It all comes down to what you classify as “DPI gear.” If you are just looking at the boxes that track user behavior for advertising purposes, then yeah, the Internet will be fine without them. But DPI covers *any* networking equipment that examines the payloads of packets while in transit. A box that scans email connections to terminate connections from spambots – it is doing DPI. Blocking viruses at a gateway – that’s DPI. Filtering a web flash crowd (i.e. “the slashdot effect”) upstream by blocking requests for a specific URL – that’s DPI.

This is my point – you’ve got to look at the payloads to do any number of important things in the network. Even if you specifically made exceptions in the law for these cases, tomorrow some new problem will come along that will require some box on the network to inspect packet payloads. That’s why I don’t want DPI to outlawed; it should be regulated, but regulated in a way that allows ISPs to adapt to changing circumstances.

Note that the very architecture of the Internet (indeed, any modern communications network) means that everyone cannot use all of their upstream bandwidth at the same time. Uplinks (almost) always offer less bandwidth than the sum of the connections feeding into them. Thus there is always the potential for parts of the network to become congested due to excessive demand. What happens if a flash worm (one that can spread across the entire Internet in a matter of minutes) starts saturating everyone’s Internet connection, how are you going to stop it? DPI, that’s the only way.

All I’m saying is that we need DPI technology in some form to keep the Internet alive. But, clearly some ISPs are now abusing their power and are doing inappropriate things with DPI technology. So we need regulation. But please, don’t legislate “don’t look at my packets ever!” Instead, make laws with specific intentionality tests, i.e., you can inspect to block known security threats but not to choose which applications are and aren’t allowed. And definitely, they shouldn’t be profiling me for advertising purposes. (But really, that’s a much larger debate – right now major Internet companies can track almost everything you do, and that’s without DPI. That doesn’t make me happy.)

If you ask me, wiretap was a horrible precedent for the Internet. But we live in a world where, in general, we don’t relinquish technological power once we have it – generally because we can think of too many situations where we’d really, really like to have that power. So, we just have to agree on the rules for when such power may be used.

OK, that was a bit of a lecture. But, does that clarify things?

–Anil

Exactly! All the DPI gear out there doesn’t do any of that! It’s only job is to gather data on advertising. Anil is really just spreading FUD.

Dave

Yep.

–Anil”

What are you talking about? DPI != all of those other things.