TMCnet
Broadband & Mobile Featured Article

May 07, 2007

What's Under the Network Covers? Digging Deep into Network Traffic
The Oblivious Network
Until recently, most networks have been chugging along largely oblivious to the exact makeup and effect of their payloads. The original mission of connecting employees and branch offices to corporate data centers and central IT resources only required deploying routers, switches, cabling, servers and applications, plus a service contract for WAN and Internet connectivity. Employees became more productive and managers liked it. Rising traffic and emerging security concerns were answered by building out network infrastructure, buying more bandwidth, deploying gateway firewalls and using access control lists. Architecting your network was primarily a routing and switching exercise that operated on packet headers.
 
As the Internet grew, customers and business partners connected to the corporate Web site and data repositories. Clients on the network now include mobile computers, VoIP phones, broadband telecommuters, and wireless devices utilizing many different protocols and applications. With this growth comes an ever-increasing challenge of providing a fast, reliable, and safe IT and network infrastructure. In an era of constantly evolving security threats, a changing application mix, and dynamic user behavior, just providing faster pipes and hardware will not bring you any closer to that goal. In reality, what you need to achieve a safe, efficient, and adaptable network is better control of what is running through it: examining every packet payload, making forwarding, filtering, logging and other decisions in real time, and changing the control knobs whenever needed. In other words, you are trying to build a policy-centric network where policies can originate with various constituent groups, such as the company’s IT staff (e.g., security rules), e-commerce and application groups (e.g., performance, global traffic management), corporate management (e.g., traffic priorities, appropriate network uses, business continuity), compliance and legal staff (e.g., compliance monitoring, information leak prevention), and other stakeholders. These policies are then compiled and downloaded into the various applications and policy-enforcement points residing in the network.
 
Looking Under The Covers
The evolution from a switching and routing network to one where devices actively enforce high-level policy introduces several new requirements on the network infrastructure. For example, many security threats hide in the payload of a packet (or stream of packets), so a network security device must go beyond packet header processing and inspect and process full packet payloads. Likewise, many applications depend on HTTP as their communication protocol, requiring a traffic management device to dig into the actual packet payload to differentiate between hundreds of different applications and prioritize their traffic.
 
Mobile computers, wireless access, and sometimes compromised or even hijacked servers have necessitated the deployment of security enforcement devices throughout the corporate network, not just at the traditional firewall and VPN choke points. As a result, these devices are expected to perform at LAN speeds, monitoring several 1 Gbps or 10 Gbps links. Metro Ethernet and fiber optic links have also given a substantial boost to bandwidth.
 
These examples highlight the need for high-speed “deep packet inspection” (DPI) capabilities in order for the policy-enforcement points to examine the payload and exert effective control. The convergence of deep packet inspection and high-speed networking has forced equipment manufacturers to reexamine their architectures and product offerings. Processing packet payloads is a compute-intensive task that is historically the domain of computing devices such as desktop computers and servers. While compute power per dollar has increased dramatically in line with Moore’s Law, these devices are not architected to perform general purpose processing of packets on a multi-gigabit or 10 gigabit network. On the other side, network equipment has long relied on specialized high-performance chips to perform well-defined tasks at the highest network speeds. Often, they solely focus on packet header operations. The need for DPI and flexible, dynamic policy configuration is beyond their architectural capacity. This historical and fundamental tradeoff between flexibility and performance embodies the challenge facing current networking equipment vendors and their customers as the demands for DPI in high-speed networks continue to grow.
 
Anatomy of a DPI Application
Prior to discussing the approaches to solving the DPI infrastructure challenge, let’s examine the anatomy of a DPI application. A key observation is that all DPI applications share a common approach to packet processing: look at any part of a packet, perform arbitrary computation, access memory to retrieve or store information, and execute an action on the packet based on the configured policy, be it forwarding the packet, discarding it or transforming it in some way, all without introducing network bottlenecks or significant packet latencies.
 
Therefore, we can summarize the requirements of the ideal “DPI network element” as follows:
  • Ability to execute general software applications with dynamic policy and configuration implementation;
  • Ability to maintain wire-speed throughput;
  • High-speed memory access;
  • Ability to scale network, compute and memory resources; and
  • Minimal latency.
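
The processing model just described (look at any part of the packet, consult per-flow state in memory, and apply the configured action) as an added example; this is not code from the article or from Bivio. It is a small Python enforcement point that parses IPv4/TCP, extracts the HTTP Host header to tell applications apart, caches the decision per flow so later packets of that flow skip payload parsing, and returns forward, drop or transform. The policy table, addresses and packets are constructed for illustration.

```python
import struct
FORWARD, DROP, TRANSFORM = "forward", "drop", "transform"   # the article's three actions

def parse_ipv4_tcp(pkt):
    """Return ((src, sport, dst, dport), tcp_payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
    if total_len > len(pkt) or ihl + 20 > total_len:
        return None
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    doff = (pkt[ihl + 12] >> 4) * 4               # TCP header length from data offset
    return (src, sport, dst, dport), pkt[ihl + doff:total_len]

def http_host(payload):
    """Extract the Host header from an HTTP request head; None if this is not HTTP."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for name, sep, value in (line.partition(b":") for line in lines[1:]):
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

class DpiEngine:
    """Payload-aware enforcement point: classify each flow once, then act per packet."""
    def __init__(self, host_policy, default=FORWARD):
        self.host_policy, self.default = host_policy, default   # host suffix -> action
        self.flows = {}                     # in-memory flow state: 4-tuple -> action
    def process(self, pkt):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:                  # not IPv4/TCP: header-only default applies
            return self.default
        key, payload = parsed
        if key in self.flows:               # flow already classified: no payload parse
            return self.flows[key]
        host = http_host(payload)
        if host is None:                    # nothing to classify yet: forward, undecided
            return self.default
        self.flows[key] = action = next((a for s, a in self.host_policy.items()
                                         if host == s or host.endswith("." + s)), self.default)
        return action

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet as test input (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload
```

A flow whose first packet carries no recognisable HTTP head is forwarded but not pinned, so a later packet on it can still be classified; a real appliance would bound the flow table and age entries out.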
Different Approaches to DPI
Application developers wanting to run a DPI application on a high-speed network have essentially three platform options to choose from. The first choice people consider is commodity servers adapted to a network appliance format. They have been very popular in the networking industry due to their low cost base and straightforward application integration. In some cases, the server appliance gets turbocharged with a special-purpose offload chip for fast encryption, pattern matching, or compression. In the past few years, the CPUs powering these appliances have moved to dual-core, dual-processor, and even quad-core designs. While this improves the raw computational power, application developers need to wrestle with modifying their application for efficient multi-threading and with minimizing memory and I/O contention between the different cores that process the packets. Coming from a design optimized for computational tasks, the basic I/O of packets into and out of the processor often presents a bottleneck for multi-gigabit network throughput, especially for the small packets that are prevalent on the Internet.
 
A second category consists of platforms that center on a powerful chip or system-on-a-chip such as an application-specific integrated circuit (ASIC) or network processing unit (NPU or network processor). While there are many examples of ASIC- and NPU-based network equipment products, especially for lower-layer switching and routing operations, they are very costly to develop for a specific application. Furthermore, in the case of a DPI application these chips don’t seem to offer sufficient programming flexibility, memory bandwidth, or throughput. More recently, multi-core communications processors rated at 10 Gbps or more have been introduced that promise wider flexibility in their programmability, and the race is on to see which applications can be hosted efficiently and economically on those systems.
 
Finally, a broad category of hybrid systems combines architectural attributes of high-speed networking devices with those of general-purpose computing devices. These devices have established the lead in providing DPI applications with multi-gigabit and even 10 gigabit throughput capacities. Among them we encounter purpose-built network appliance platforms, blade servers, ATCA-based chassis, and DPI extension blades in routers and switches. The common feature among these approaches is that applications run on several general-purpose processors under a common OS such as Linux; packets enter and exit the device through dedicated interface cards; and an internal bus or switch architecture distributes packets to the appropriate processor or DPI computing blade. The inherent advantage of this design is two-fold. First, with a sufficient number of processors and associated memory, any network throughput can be achieved by scaling the chassis or appliance stack. Second, running the same OS that the application developer is already familiar with shortens product launch cycles and removes the risk and uncertainty of coding the application into a special-purpose chip.
 
The specific implementations differ widely in their respective features, benefits, and challenges. For example, the inner workings of the packet distribution mechanism shuffling packets between interfaces and the appropriate processor can lead to significant differences in performance and suitability for a given application. Switches and routers trying to “bolt on” DPI computing blades may experience performance trade-offs with the switch capacity and require extension to the switch’s management system. Power consumption and space utilization in the data center where the equipment gets deployed are also important factors.
 
Looking to the Future
Networks have evolved a long way from the early days of just enabling two devices to communicate on a LAN. Today’s networks are dynamic systems that require a new class of powerful and flexible components to function. Safety, high performance, and a high-quality experience on these networks will depend on their ability to analyze traffic to the last bit and exert control over it. Consequently, the trend is irreversible: DPI has emerged as a crucial element of this new class of network functions and an emerging industry of innovative networking devices is addressing this new challenge. How this industry evolves will shape the role and impact of networking in our lives for many years to come.
 
About the Author
Dr. Elan Amir brings to Bivio broad technology and leadership experience in the networking industry. Dr. Amir joined Bivio Networks in 2003 as CTO. Prior to joining Bivio Networks, he served as CTO for OmniSky Corporation, one of the pioneers in the wireless data application, software, and services sectors. Prior to OmniSky, Dr. Amir was CTO and vice president of engineering at ProxiNet, one of the first developers of web browsing solutions for mobile devices. ProxiNet was acquired by Puma Technology (now Intellisync Corporation) in 1999. Earlier, Dr. Amir co-founded FastForward Networks, a developer of broadcast media distribution software. FastForward Networks was acquired by Inktomi Corporation in August 2000. Dr. Amir received his PhD and MS in computer science and a BS in electrical engineering and computer science from the University of California, Berkeley.