
DPI - Concept

All Rights Reserved Alcatel-Lucent 2009

Short Technology Review

1) Standard packet inspection versus Deep Packet Inspection

Standard packet inspection (shallow packet inspection):
- Uses the protocol info in the individual packet's L2-L4 header
- Often not sufficient to identify the real application:
  - Not all apps use well-known port numbers
  - Many applications hide as HTTP/port 80
  - Applications that initiate additional connections for their operation produce different headers
  - Control info spread over different packets needs to be analysed

Deep Packet Inspection: the most used technology for reliably identifying protocols and applications
- Analyses characteristics of the L2-L7 packet header + payload over a series of packet transactions
- Identifies protocols based on signatures = unique deterministic, stochastic or behavioral characteristics
- Can follow the additional flow setup of the same application
- Can follow morphing of protocols (change of behaviour to adapt, e.g. to a firewall or proxy)


Short DPI Technology Review

2) Protocol Signatures Techniques


2.1 Port-based analysis
- Easiest method to identify protocols
- Most-used method to identify protocols
- E.g. port 21=telnet, port 25=SMTP, ...
- Router IP filters/ACLs, no DPI required
- But not always possible and not reliable:
  - Many current applications disguise themselves as another application (= false positives), e.g. the port 80 syndrome: many applications camouflage as pure HTTP traffic
  - Some applications select completely random port numbers to start communication
  - Some applications morph after initialization (e.g. to work around a firewall)
- Use of port-based analysis for protocol identification:
  - results in too many false positives and false negatives in an Internet/multimedia environment
  - can be acceptable to identify well-known business applications in a trusted environment
- ALU AA-ISA signatures do not use port-based analysis to identify protocols, but protocol ports can be used in a trusted environment to define most business applications for which no signatures are provided yet.

Short DPI Technology Review

2) Application Signatures Techniques


2.2 String-match based analysis
- Search for a sequence of textual characters or numerical values in the packet content
- (Simplified) example for the identification of Kazaa traffic: look for the string "Kazaa" in the User-Agent field of an HTTP GET request
  (note: port-based analysis would classify this as HTTP traffic)
- Stronger signatures require the use of context info together with the string matches, e.g. regular expressions for matches using:
  - multiple strings in different packets in one or both directions
  - protocol connection state
- Note: string-match based analysis is to be used in combination with other techniques to minimise the number of false positives and false negatives
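The contrast between the port-based lookup of 2.1 and the contextual string match of 2.2, as an added Python example (not code from the deck or from the Alcatel-Lucent product): the flows, the Kazaa User-Agent text and the regular expressions are constructed for the illustration, and the port table uses the IANA assignments (21 FTP, 23 telnet, 25 SMTP, 80 HTTP). The Kazaa rule only fires once the flow has shown an HTTP request line, i.e. the string match is tied to connection state, which is the "context info" the slide asks for.

```python
import re
from dataclasses import dataclass

# Well-known ports consulted by the shallow classifier (IANA assignments, subset)
WELL_KNOWN_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}


@dataclass
class Flow:
    """A bidirectional flow: transport protocol, ports and an ordered list of
    (direction, payload) pairs; direction is 'c2s' (client to server) or 's2c'."""
    transport: str
    src_port: int
    dst_port: int
    payloads: list


def classify_by_port(flow: Flow) -> str:
    """Shallow inspection: only the L4 header (destination port) is consulted."""
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


# Constructed signatures that look inside the payload across the packet series.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")
KAZAA_USER_AGENT = re.compile(rb"\r\nUser-Agent:[^\r\n]*Kazaa", re.IGNORECASE)
BITTORRENT_HANDSHAKE = re.compile(rb"^\x13BitTorrent protocol")
SMTP_BANNER = re.compile(rb"^220 [^\r\n]*SMTP")


def classify_by_signature(flow: Flow) -> str:
    """Deep inspection: string matches combined with protocol connection state."""
    state = "unknown"
    for direction, payload in flow.payloads:
        if direction == "c2s" and BITTORRENT_HANDSHAKE.search(payload):
            return "bittorrent"                # works on any (random) port
        if direction == "s2c" and SMTP_BANNER.search(payload):
            state = "smtp"
        if direction == "c2s" and HTTP_REQUEST_LINE.search(payload):
            state = "http"
            # contextual match: the Kazaa string is only meaningful inside an HTTP request
            if KAZAA_USER_AGENT.search(payload):
                return "kazaa"
    return state


# Constructed sample flows
KAZAA_ON_80 = Flow("tcp", 40001, 80, [
    ("c2s", b"GET /.files HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: KazaaClient Jul 2009\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nX-Kazaa-Username: user\r\n\r\n"),
])
WEB_ON_80 = Flow("tcp", 40002, 80, [
    ("c2s", b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
])
TORRENT_RANDOM_PORT = Flow("tcp", 40003, 51413, [
    ("c2s", b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
])
MAIL_ON_25 = Flow("tcp", 40004, 25, [
    ("s2c", b"220 mail.example.com ESMTP ready\r\n"),
    ("c2s", b"EHLO client.example.com\r\n"),
])


def compare(flows: dict) -> dict:
    """Return {name: (port-based label, signature-based label)} for each flow."""
    return {name: (classify_by_port(f), classify_by_signature(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, labels in compare({"kazaa": KAZAA_ON_80, "web": WEB_ON_80,
                                 "torrent": TORRENT_RANDOM_PORT, "mail": MAIL_ON_25}).items():
        print(name, labels)
```

The Kazaa flow is the port 80 syndrome in miniature: the port lookup reports HTTP (a false positive for web traffic) while the contextual signature reports Kazaa; the BitTorrent handshake on a random port is the case the port lookup cannot label at all.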


Short DPI Technology Review

2) Application Signatures Techniques


2.3 Statistical/numerical analysis
- Analyse numerical properties of a series of packets: payload length, number of packets exchanged in a transaction, ...
- E.g. early versions of Skype
- Note: numerical analysis is to be used in combination with other techniques to minimise the number of false positives and false negatives


Short DPI Technology Review

2) Application Signatures Techniques


2.4 Behavioral & heuristic analysis
- Behavioral: analyses the way a protocol acts & operates, e.g.
  - a UDP connection that transforms into a TCP connection using the same IP & port settings
  - a P2P swarm (group of peers that share a torrent)
- Heuristic analysis: extraction of statistical parameters from the examined packets, e.g. the packet size of P2P control traffic hiding as HTTP/port 80 versus web-browsing HTTP/port 80 traffic (shown in the diagram on the slide)

To reduce the number of false positives or false negatives, the ALU AA solution most often uses a combination of different techniques to accurately identify the application.
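The numerical analysis of 2.3, the UDP-to-TCP behavioral check of 2.4 and the combination rule of the closing sentence, as an added Python example (not the deck's or the product's code). Flows, endpoints, packet sizes and the thresholds (small-packet share, mean size, time window) are constructed; a flow on port 80 is only labelled as P2P when two independent techniques agree, which is how the combination keeps a lone small-packet heuristic from producing a false positive.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Packet:
    t: float          # timestamp in seconds
    transport: str    # "udp" or "tcp"
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    size: int         # payload bytes


def make_flow(transport, src, dst, t0, sizes, gap=0.05):
    """Build a constructed flow: alternating directions, fixed inter-packet gap."""
    pkts = []
    for i, s in enumerate(sizes):
        a, b = (src, dst) if i % 2 == 0 else (dst, src)
        pkts.append(Packet(t0 + i * gap, transport, a, b, s))
    return pkts


def size_profile(flow):
    """Numerical analysis: mean payload size and share of packets under 200 bytes."""
    sizes = [p.size for p in flow]
    return mean(sizes), sum(s < 200 for s in sizes) / len(sizes)


def numerical_vote(flow, small_share=0.8, max_mean=300):
    """Heuristic: mostly small packets look like P2P control, not bulk web browsing."""
    avg, small = size_profile(flow)
    return small >= small_share and avg <= max_mean


def endpoints(flow):
    p = flow[0]
    return frozenset((p.src, p.dst))


def behavioral_vote(flow, all_flows, window=5.0):
    """Behavioral: a UDP flow between the same IP & port pair ended at most
    `window` seconds before this TCP flow started."""
    if flow[0].transport != "tcp":
        return False
    start = min(p.t for p in flow)
    for other in all_flows:
        if other is flow or other[0].transport != "udp":
            continue
        if endpoints(other) != endpoints(flow):
            continue
        end = max(p.t for p in other)
        if 0 <= start - end <= window:
            return True
    return False


def classify(flow, all_flows):
    """Port says HTTP; only two agreeing techniques override that label."""
    port_label = "http" if 80 in (flow[0].src[1], flow[0].dst[1]) else "unknown"
    votes = int(numerical_vote(flow)) + int(behavioral_vote(flow, all_flows))
    return "p2p-suspect" if votes >= 2 else port_label


# Constructed traffic: a peer probes over UDP, then opens TCP to the same peer:80
PEER_A, PEER_B = ("192.0.2.10", 43210), ("198.51.100.7", 80)
UDP_PROBE = make_flow("udp", PEER_A, PEER_B, 0.0, [48, 48, 48])
P2P_CONTROL = make_flow("tcp", PEER_A, PEER_B, 1.0, [68, 80, 120, 72, 96, 64, 110, 76])
WEB_BROWSING = make_flow("tcp", ("192.0.2.11", 50123), ("203.0.113.5", 80), 0.0,
                         [420, 1460, 1460, 1460, 980, 1460])
POLLING = make_flow("tcp", ("192.0.2.12", 50200), ("203.0.113.9", 80), 10.0,
                    [90, 110, 88, 105])          # small packets, but no UDP precursor
ALL_FLOWS = [UDP_PROBE, P2P_CONTROL, WEB_BROWSING, POLLING]


def report():
    return {name: classify(f, ALL_FLOWS)
            for name, f in (("p2p_control", P2P_CONTROL), ("web", WEB_BROWSING), ("polling", POLLING))}


if __name__ == "__main__":
    print(report())
```

The polling flow is the instructive case: the size heuristic alone would flag it, but with no behavioral evidence it stays classified as HTTP, so the false positive the slides warn about does not occur.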

DPI Residential


What is Application Assurance for ISP services?

- Understanding what applications are used by your customer base:
  - Traffic mix, volumes, utilisation during peak/off-peak time
  - Per subscriber/user-group/region or peering partner
- Turning that knowledge into value and commercial opportunities:
  - Identify new trends to allow first-mover advantage
  - Deliver optimal service performance to your subscribers, e.g. premium video, throttle misbehaving users
  - Commercial partnerships to open new revenue streams
- Remove the dependency on speed:
  - Avoid the slide toward commoditisation
  - Get deeper into the value chain (cfr. mobile networks)
- Evolve to a managed-services model: make every bit work for its money!!

[Chart: average bandwidth per subscriber, from kb/s to Mb/s, for the unmanaged service (HSI) versus managed on-line services (IPTV, video, VoIP, gaming, VPN): the comprehensive service portfolio]

Which problem do we address with AA?

Today's Internet service challenges:
- Worldwide IP traffic is growing faster than Moore's law; OTT video is accelerating this trend rather than slowing it down
- The Internet service value proposition is inversely proportional to its earnings:
  - The most profitable subscribers receive the least value and generate the least traffic
  - The least profitable subscribers receive the most value and generate the most traffic

[Diagram: two subscribers of the provider network, each paying 20 / month for 6 Mb/s download and 50 gigabyte per month; one receives less value at more margin, the other more value at less margin]

The challenge is to flip this trend: encourage use where value exists and structure the business model to support it.

A service provider's options ...

Status quo (preserve existing services): cost control (application discrimination)
- The current best-effort model self-regulates traffic, providing an increasingly inferior user experience and a decrease in video usage
- Downside: customer churn and, potentially, brand-damaging publicity

Keep adding more bandwidth: strictly best effort (application agnostic)
- Embrace the Internet's separation of applications and transport, further propagating the service provider's role as transport utility
- Downside: business sustainability (capacity revenue)

Managed services: Application Assurance (application differentiation)
- Leverage Application Assurance innovation to deliver high-quality services, allowing consumers - and other key players in the value chain - to choose the experience they want
- Downside: may require general market education
Third option: adding service value to deliver a better experience

From legacy HSI tunnels to application-aware, triple-play policy management.

From challenge to opportunity:
- Preserve the existing service experience
- and enable emerging applications through a portfolio of new, managed on-line services

[Diagram: evolution from a legacy BRAS with a single-service (HSI) subscriber tunnel, via a typical BNG with multi-service, per-subscriber/per-service hierarchical QoS (Voice, IPTV, HSI), to a next-gen BNG (7x50 SR/ESS) with multi-application, per-subscriber/per-service/per-application personalization (managed video, managed VoIP, managed gaming, IPTV, VPN, HSI and on-line services); average bandwidth per subscriber grows from kb/s to Mb/s as the portfolio moves from unmanaged to managed services]

Redefining the Internet experience through application-aware quality of service.

DPI Business VPN


Enterprise WAN challenges: poor visibility to support business-critical applications

ICT challenges:
- Huge pressure to do more with less:
  - 87% of IT directors' top issue is achieving consistent end-to-end application performance (Forrester survey)
  - 84% of IT managers are under pressure to optimize resource utilization and contain costs (HP survey)
- Poor visibility of application performance:
  - 83% of IT directors did not know what applications were running on their networks (HP survey)
- Service provider opportunity to expand from network/service aware to application aware:
  - Close to 60% of enterprises look to a service provider for a solution (IDC survey)

[Diagram: CEO, CIO, IT and end users, from tactical (impact of new applications) to strategic (existing applications impacted)]

Enterprise networks need to meet the new demands of business-critical applications.

Move business VPN services from being service assured towards application assured

Service assured (today):
- Service-level visibility (VoIP, Business High, Business Low, HSI)
- Network availability
- No/limited ability to diagnose applications

Application-aware business VPN service:
- Application identification
- Reporting & analysis: application mix, business application performance, application diagnostics, right-sizing

Application Assurance:
- Access control
- Application QoS policy
- Application SLAs
- Value-added services

Application awareness is a stepping stone for operators to position themselves as a customer's business partner rather than just another network provider.

AA solution options

[Diagram: three deployment options - CPE-based (an AA function at every customer CPE behind the PE), network-based external AA appliance (an AA appliance attached to the PE) and network-based integrated AA (AA inside the PE)]

AA solution options comparison

CPE-based AA appliance:
- Functional coverage: application identification, reporting & analysis, application assurance, application acceleration (++ broadest)
- Design challenge: straightforward design; practical planning: rack space, redundant power, management access
- Installation effort/costs: truck rolls!; management link for the AA-CPE (-- expensive)
- Impact on VPN service: transparent (AA-CE - rtr - PE); QoS alignment
- Operational impact: many AA-CPEs to manage, not scalable; on-site visits expensive
- Service flexibility: a lot of up-front planning required; not scalable (BW increase may require HW swap, number of devices to manage) (-- not flexible)

Network-based external AA appliance:
- Functional coverage: application identification, reporting & analysis, application assurance, limited acceleration (+ good)
- Design challenge: big service design change (policy routing or PWE cross-connect); redundancy, black-hole avoidance
- Installation effort/costs: external appliances in the CO; physical insertion (downtime!); n x 10GE ports on PE & AA appliance
- Impact on VPN service: big change: policy-based routing or service design SAP - access - PWE - AA - PWE - VPN; service/subscriber awareness on the AA box; enforcement points; QoS (--)
- Operational impact: additional box/vendor to manage; additional potential failure point; complex E2E troubleshooting
- Service flexibility: significant planning & config changes required; complexity increases with scale (-- not flexible)

Network-based integrated AA:
- Functional coverage: application identification, reporting & analysis, application assurance, limited acceleration (+ good)
- Design challenge: straightforward
- Installation effort/costs: insert AA-ISA cards; shared resource cost; cost-efficient and scalable (++ much more cost-efficient)
- Impact on VPN service: transparent; apply a divert profile to the service (on-the-fly!)
- Operational impact: an additional debugging tool that can be enabled on-the-fly
- Service flexibility: extremely flexible: enable on-the-fly for any service SAP (diagnostics, POC/trial, ...); very scalable (BW & number of customers)! (++ very flexible, transparent; ++ very scalable)

Business VPN services: tiered services view (increasing value and $$$)

CPE-based solution:
- Gold: BVS with acceleration
- Silver: BVS with application SLA

Network-based solution:
- Bronze: BVS with application performance reporting & diagnostics, per-application QoS
- Standard: BVS with application reporting & analysis, BW right-sizing

Address 90% of the customer base with a scalable, cost-effective network-based approach for application reporting and assurance.

Application-Assurance Integrated Services Adaptor (AA-ISA)

Real-time Application Assurance blade:
- Layer 3-7 DPI - signature-based application flow identification
- Per-application and per-SAP* (subscriber) monitoring & reporting
- Per-application policing, remarking and forwarding control

Scalable, high performance:
- Up to 10 Gb/s deep packet analysis per AA-ISA and 70 Gb/s per switch*
- Over 5M policers per AA-ISA; 3M simultaneous flows

Seamless integration:
- Full integration with SR OS and service & policy management
- No interconnects, no topology impact

Flexibility!
- Enable on-the-fly traffic divert from any service
- Any service: ESM subscriber or SAP (VPLS, Epipe, IES & VPRN service)

AA-ISA requires SR OS Release 6.0+
(*) SR OS 7 delivery

A scalable, flexible and cost-efficient solution for virtualized Application Assurance services!

AA building blocks: Protocol, Application, Application-Group

Configurable levels of traffic classification/identification:

Protocol: the protocol used for sending data between devices
- Traffic identified using ALU-provided signatures
- Ex: SMTP, pop3, http, bittorrent, rfb
- Issue: identification/reporting against the protocol is not sufficient:
  - Often difficult to understand linked applications
  - Need to differentiate applications that use the same protocol

Application = a defined end-user application
- Fully configurable application definitions (application-filters): signature, server-address/server-port, flow-direction, url/uri string, other criteria
- More flexible & meaningful application reporting & control
- Ex: e-Mail, MSN, Intranet, Internet, SAP, Citrix

Application Group
- Configurable grouping of applications, up to 32 groups
- Convenient per-application-type reporting & control
- Ex: Business Data, FileTransfer, Mail, Web, ...

Stats & reporting at all 3 levels.

[Diagram: protocol signatures and other criteria feed the application filters, which map traffic to Application 1 and Application 2; applications are grouped into Application Group 1, and the AA QoS policy is applied at the application level]

Full flexibility to define applications & application groups that fit your reporting/QoS policy needs!
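The three-level model (protocol from signatures, application via application-filters, application group) with accounting at all three levels, as an added Python example that is not code from the deck or from the Alcatel-Lucent product. The filter criteria follow the slide (protocol, server address/port, flow direction, URI string); the filter list, the application and group names beyond those the slide lists, the "/sap/" URI criterion, the server addresses and the flow records are constructed. The 32-group limit from the slide is enforced.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MAX_APP_GROUPS = 32   # limit stated on the slide


@dataclass
class FlowRecord:
    protocol: str        # label from the protocol signature, e.g. "smtp", "http", "bittorrent", "rfb"
    server_addr: str
    server_port: int
    direction: str       # "to-sub" or "from-sub"
    uri: str             # empty when the protocol carries none
    octets: int


@dataclass
class AppFilter:
    """One application-filter entry: every criterion that is set must match."""
    application: str
    protocol: Optional[str] = None
    server_net: Optional[str] = None     # address prefix such as "10."
    server_port: Optional[int] = None
    direction: Optional[str] = None
    uri_regex: Optional[str] = None

    def matches(self, r: FlowRecord) -> bool:
        return all([
            self.protocol is None or r.protocol == self.protocol,
            self.server_net is None or r.server_addr.startswith(self.server_net),
            self.server_port is None or r.server_port == self.server_port,
            self.direction is None or r.direction == self.direction,
            self.uri_regex is None or re.search(self.uri_regex, r.uri) is not None,
        ])


# Constructed filter list; order matters, the first matching filter wins,
# so the more specific HTTP filters precede the catch-all "Internet".
FILTERS = [
    AppFilter("e-Mail", protocol="smtp"),
    AppFilter("e-Mail", protocol="pop3"),
    AppFilter("SAP", protocol="http", uri_regex=r"^/sap/"),
    AppFilter("Intranet", protocol="http", server_net="10."),
    AppFilter("Internet", protocol="http"),
    AppFilter("FileSharing", protocol="bittorrent"),
    AppFilter("RemoteDesktop", protocol="rfb"),
]

# Constructed application -> application-group mapping
APP_GROUPS = {
    "e-Mail": "Mail", "SAP": "Business Data", "Intranet": "Business Data",
    "RemoteDesktop": "Business Data", "Internet": "Web", "FileSharing": "FileTransfer",
}


def classify(r: FlowRecord) -> str:
    for f in FILTERS:
        if f.matches(r):
            return f.application
    return "Unknown"


def account(records) -> dict:
    """Octet counters at the protocol, application and application-group level."""
    if len(set(APP_GROUPS.values())) > MAX_APP_GROUPS:
        raise ValueError("more than 32 application groups configured")
    stats = {"protocol": Counter(), "application": Counter(), "app_group": Counter()}
    for r in records:
        app = classify(r)
        stats["protocol"][r.protocol] += r.octets
        stats["application"][app] += r.octets
        stats["app_group"][APP_GROUPS.get(app, "Other")] += r.octets
    return stats


# Constructed flow records: three HTTP flows that the protocol level cannot tell apart
RECORDS = [
    FlowRecord("http", "10.1.2.3", 80, "from-sub", "/sap/bc/gui", 5000),
    FlowRecord("http", "10.1.2.4", 80, "from-sub", "/wiki/start", 2000),
    FlowRecord("http", "93.184.216.34", 80, "from-sub", "/", 8000),
    FlowRecord("smtp", "10.1.0.25", 25, "from-sub", "", 1500),
    FlowRecord("bittorrent", "203.0.113.7", 51413, "to-sub", "", 90000),
    FlowRecord("rfb", "10.1.2.9", 5900, "from-sub", "", 3000),
]


def report() -> dict:
    return account(RECORDS)


if __name__ == "__main__":
    for level, counter in report().items():
        print(level, dict(counter))
```

The HTTP protocol counter lumps SAP, intranet and Internet browsing together (15000 octets); the application level separates them and the group level folds SAP, intranet and VNC into Business Data, which is the reporting view the slide argues for.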

Traffic flow through AA-ISA (1)

[Diagram: SAP/subscriber traffic enters on MDA port 1/1 of an IOM, is mapped by the sap-ingress QoS policy (app-profile <xxx> divert) into the Premium (P), Assured (A) and Best-effort (B) forwarding classes, crosses the switch fabric via destination VoQs, and selected best-effort queues (B1/B2) are diverted to the AA-ISA before reaching the egress MDA port]

1. Apply the ingress QoS policy (sap-ingress/network qos)
   - No application awareness yet for this traffic; traffic is mapped to an FC
2. Make the L2/L3 forwarding decision (maintained through the DPI divert)
3. Divert traffic of AA-enabled SAPs/subscribers for the selected FCs
   - The AA-ISA is modeled as any other destination MDA (VoQ)
   - Other traffic is not affected
4. On the IOM with the ISA, traffic is split over 2 logical ports: to-sub & from-sub
   - Network-port-like QoS: 8 queues per port, configurable buffer pools with slope policy, network queue policy, port-scheduler policy (default: 10G)

Traffic flow through AA-ISA (2)

(Same diagram as the previous slide.)

5. DPI processing on the AA-ISA
   - Flow identification, stats collection, application QoS policy
   - Back-pressure to the carrying IOM in case of congestion on the AA-ISA engine
6. Application-aware traffic returned to the IOM forwarding complex
   - IOM QoS as for a single network port: configurable pool, slope policy, network queue policy
   - Traffic switched to the egress MDA based on the ingress forwarding decision
7. Egress IOM processing
   - As any other traffic (but based on the eventual application-aware FC re-marking)

Application Assurance QoS example: business Internet with priority for E-learning and P2P blocking

[Diagram: a 7x50 with AA-ISA connects a branch over a GE IP VPN (CIR = 10 Mb/s, PIR = 10 Mb/s) to Internet business access; an Internet customer self-care portal selects the application profile. Service classes: Voice (P5), Video (P4), Business Data (P2), HSI (P0); only best effort is diverted ("Divert BE"). On the AA-ISA: E-Learning -> P1, IM -> P0, Web Browsing -> P0, YouTube -> rate limit, P2P -> block]

0. Applications & app-groups

    app-assurance group 1 policy
        app-group MM-Streaming
        .. .. ..
        application Youtube
            app-group MM-Streaming
        exit
        .. .. ..
        app-filter
        .. .. ..

1. Service

    service vprn 10 cust 5 create
        description "Alu VPRN"
        interface InternetAccess
            sap 1/1/5
                ingress qos 10
                egress qos 10
                application-profile B-Internet

2a. App-service-options

    app-assurance group 1 policy
        app-service-options
            characteristic P2P
                value Yes
                value No
                default-value No
            exit
            characteristic E-Learning
                value Yes
                value No
                default-value No
            exit
            characteristic Streaming
                value No
                value 100K
                value 500K
                value 1M
                .. .. ..
            exit

2. App-profile

    app-assurance group 1
        application-profile B-Internet
            divert
            characteristic P2P value No
            characteristic E-learning value yes
            characteristic Streaming value 1M
        exit

3. AA QoS policy

    app-assurance group 1 policy
        app-qos-policy
            entry 100 create
                match
                    application E-Learning
                    characteristic E-learning value yes
                exit
                action remark af
            entry 110 create
                match
                    application-group P2P
                    characteristic P2P value No
                exit
                action drop
            entry 120 create
                match
                    application-group MM-streaming
                    characteristic Streaming value 1M
                exit
                action bw-policer BW-Policer-1M

3a. Policers

    app-assurance group 1
        .. .. ..
        policer BW-Policer-1M type single-bucket-bw granularity subscriber
            rate 1000
        exit
        .. .. ..
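The divert path of steps 1 to 7 on the two "Traffic flow through AA-ISA" slides and the policy of this QoS example, simulated together as an added Python example (not code from the deck or from SR OS). The DSCP-to-FC mapping, the non-AA SAP 1/1/6, the application labels the signature engine is assumed to have produced, the one-second-window policer and the packet mix are constructed; the app-profile, the three app-qos-policy entries and the 1000 kb/s policer rate follow the slide.

```python
from dataclasses import dataclass
from typing import Optional

# Step 1: the sap-ingress QoS policy maps DSCP to a forwarding class. Constructed
# mapping mirroring the slide's Voice/Video/Business Data classes; unmarked
# traffic lands in best effort ("be").
DSCP_TO_FC = {"ef": "voice", "af41": "video", "af21": "business-data"}


@dataclass
class AppProfile:
    divert: bool
    divert_fcs: frozenset      # "Divert BE": only best effort is sent to the AA-ISA
    characteristics: dict      # characteristic -> value chosen for this profile


@dataclass
class AqpEntry:
    """One app-qos-policy entry: matches an application or an application group
    plus a characteristic value of the SAP's app-profile; first match wins."""
    match_app: Optional[str]
    match_group: Optional[str]
    characteristic: tuple      # (name, value)
    action: tuple              # ("remark", fc) | ("drop",) | ("bw-policer", name)


class Policer:
    """Constructed stand-in for the single-bucket policer: admits at most
    rate_kbps worth of bytes per one-second window."""
    def __init__(self, rate_kbps: int):
        self.budget = rate_kbps * 1000 // 8
        self.window, self.used = None, 0

    def admit(self, size: int, t: float) -> bool:
        if int(t) != self.window:
            self.window, self.used = int(t), 0
        if self.used + size > self.budget:
            return False
        self.used += size
        return True


# Configuration state corresponding to the slide's steps 0, 1, 2 and 3
APP_GROUPS = {"Youtube": "MM-Streaming", "BitTorrent": "P2P", "E-Learning": "E-Learning"}
PROFILES = {"B-Internet": AppProfile(True, frozenset({"be"}),
                                     {"P2P": "No", "E-learning": "yes", "Streaming": "1M"})}
SAP_PROFILE = {"1/1/5": "B-Internet", "1/1/6": None}    # 1/1/6: SAP without AA (constructed)
POLICY = [
    AqpEntry("E-Learning", None, ("E-learning", "yes"), ("remark", "af")),
    AqpEntry(None, "P2P", ("P2P", "No"), ("drop",)),
    AqpEntry(None, "MM-Streaming", ("Streaming", "1M"), ("bw-policer", "BW-Policer-1M")),
]


def process(sap, dscp, app, size, t, policers):
    """Steps 1, 3 and 5 for one packet. `app` is the label the AA-ISA signature
    engine would produce (assumed given here)."""
    fc = DSCP_TO_FC.get(dscp, "be")                               # step 1
    name = SAP_PROFILE.get(sap)
    prof = PROFILES.get(name) if name else None
    if not (prof and prof.divert and fc in prof.divert_fcs):      # step 3
        return {"fc": fc, "diverted": False, "verdict": "forward"}
    group = APP_GROUPS.get(app)
    for e in POLICY:                                              # step 5
        if e.match_app is not None and e.match_app != app:
            continue
        if e.match_group is not None and e.match_group != group:
            continue
        cname, cval = e.characteristic
        if prof.characteristics.get(cname, "").lower() != cval.lower():
            continue
        if e.action[0] == "drop":
            return {"fc": fc, "diverted": True, "verdict": "drop"}
        if e.action[0] == "remark":
            return {"fc": e.action[1], "diverted": True, "verdict": "forward"}
        admitted = policers[e.action[1]].admit(size, t)
        return {"fc": fc, "diverted": True, "verdict": "forward" if admitted else "drop"}
    return {"fc": fc, "diverted": True, "verdict": "forward"}     # no entry matched


def run_scenario():
    """Constructed traffic mix on the B-Internet SAP plus a non-AA SAP."""
    policers = {"BW-Policer-1M": Policer(1000)}                   # rate 1000 kb/s
    packets = [
        ("1/1/5", "be", "E-Learning", 1200, 0.0),    # diverted, remarked to af
        ("1/1/5", "be", "BitTorrent", 1400, 0.1),    # diverted, dropped (P2P = No)
        ("1/1/5", "ef", "VoIP", 200, 0.2),           # voice FC, never diverted
        ("1/1/6", "be", "BitTorrent", 1400, 0.3),    # SAP without app-profile
    ] + [("1/1/5", "be", "Youtube", 1400, 0.5)] * 100  # 140 kB burst inside one second
    return [process(*p, policers) for p in packets]


if __name__ == "__main__":
    for r in run_scenario()[:4]:
        print(r)
```

Two things to check against a real deployment: voice traffic stays on the fast path because its FC is not in the divert set (step 3 is a per-FC decision, not per-SAP only), and the YouTube burst is policed to 125000 bytes per second, so 89 of the 100 constructed 1400-byte packets pass and the remainder are dropped.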
