Deep Packet Inspection (DPI) -- Good, Bad, and/or Ugly?

[lauren]

A tremendous amount of controversy revolves around the use of Deep Packet Inspection (DPI) by ISPs. It is hailed as a basic and necessary network management tool by some observers (and many ISPs), but has also been used to spy on and manipulate users' data in ways that are unethical, or even illegal, and can be used to enable anticompetitive behaviors as well.

What's your take? What are valid uses of DPI, and under what circumstances? When is DPI use unacceptable, or even worse?

To your knowledge, does your ISP use DPI? If so, for what purposes?

--Lauren--

[kriss]

Very shameless plug (mostly since I've written this stuff more than once - referring beats rewriting) - http://www.shortpacket.org/2008/08/dpi-w...-name.html and http://www.shortpacket.org/2008/08/on-st...video.html

I work for a DPI vendor, ymmv.

[dawog]

I don't consider this a "shameless plug" at all. In the context of this forum, I know exactly what Lauren means and I am TOTALLY against it's use. I consider DPI use UNACCEPTABLE for ascertaining the content of what a user is downloading, it's legality, copyright enforcement, etc., etc. Just my two cents worth...

[ellodrith]

This type of thing is a leftover from the "unlimited use" ISP wars where every ISP promised 24/7 Internet access at ### speed for $5.00 per month (numbers are for discussion purposes only). Competition is gone now and so most ISP's are starting in with bandwidth caps, DPI, usage charges, etc. We all knew that the marketing BS was BS from way back the 90's, now the BS is starting to stink and companies are having to find ways to deal with the smell.

It's simple, DPI makes ISP's responsible for the content of every packet crossing their network and as such they are now criminally and civilly liable, I'm sure we will see test cases appear soon on this issue. It also is an invasion of the privacy of every user on their system.

Ask any person if its ok for the telephone company to listen in on their conversation to see if its more important than their neighbors because they may run out of lines and have to terminate one of the calls. It is simply a lack of technical knowledge by the end users (they don't understand what DPI is) that makes its use arguable at all at this point.

We will soon see encryption begin to be heavily used and it wouldn't surprise me to see private encrypted "friend to friend" networks develop soon along the lines of the old fidonet BBS systems from back in the 80's. These "friendnets" will exist as an additional layer on the exisiting IP network and will depend upon invitation and most likely similar use groups.

The telco's/cable guys forget that we have all done this before in some form or fashion and that people will not tolerate random control of their use.

cheers
Jeff

[kriss]

While I won't be knocking your opinions, there's a few misconceptions I'd like to point out:

Quote:It's simple, DPI makes ISP's responsible for the content of every packet crossing their network

I've seen this a couple of times, but I'm yet to see a good reason for why it would be true - references are welcome. My guess is that you'd be referring to OCILLA and the Safe Harbour provisions.

Let's analyze the bits that are interesting: (For the whole kaboodle, see the Wikipedia entry)

• not have actual knowledge that the material or an activity using the material on the system or network is infringing (512©(1)(A)(1)).
• upon obtaining such knowledge or awareness, must act expeditiously to remove, or disable access to, the material. (512©(1)(A)(2) and 512©(1)©)
• accommodate and not interfere with standard technical measures used to identify and protect copyrighted works (512(i)(1)(B)).
  

Can DPI devices give knowledge of material or activity, etc, etc, infringement, etc? Yes. Some, not all. There's DPI gear that'll lookup BitTorrent infohashes against a list provided by various interest groups (that tend have abbreviations ending in AA) and there's DPI gear that doesn't.

In the case of the DPI gear that do this sort of analysis, the ISP is actually required to use it to block it (or remove it, but from a network perspective, blocking is easier)

So yes, if a provider would deploy a device like that, they'd have to use it. Which sucks for all parties involved. But don't make the mistake of saying that DPI is synonymous with this usage. Also, don't make the mistake of assuming that DMCA is an international law - it's your mess, americans.

(Not, of course, that we don't have crap legislation in the EU. IPRED2 is pretty insane as well)

Quote:I don't consider this a "shameless plug" at all. In the context of this forum, I know exactly what Lauren means and I am TOTALLY against it's use.

Yes, as I'd expect that most members of the forum would be. Same thing with the nn-list really. But (part of) the questions were "What are valid uses of DPI, and under what circumstances?" and "To your knowledge, does your ISP use DPI? If so, for what purposes?"

Since I actually know the answer to that question for some multiple hundred cases around the world - and have blogged about it - it kind of made sense to reference that. Either read it and apply the same grain of salt that ought to be applied to anything on the Internet, or assume that I'm a lying scoundrel and it's not even worth looking at. Seemingly, you made up your mind. Your choice, and I won't be losing sleep over it either way.

[lauren]

The elephant in the room continues to be encryption. Whether current usage of DPI by ISPs in any particular cases are viewed as reasonable or not, the inexorable rise in strong encryption as a default modality will render DPI increasingly irrelevant. That's not to say that we shouldn't be interested and/or concerned about how DPI is used now, but simply that the playing field is dramatically changing under our feet at this very moment. DPI is an opportunistic technology that takes advantage of the historically-based fact that most Internet contents have been in the clear, but that window of opportunity -- like it or not -- is rapidly closing. Traffic analysis is still possible even in many encrypted environments of course, but I doubt that anyone would argue that it is as powerful as true DPI, and even traffic analysis can be fooled.

--Lauren--

[kriss]

(02-28-2009 08:45 AM)Lauren Wrote:  The elephant in the room continues to be encryption. Whether current usage of DPI by ISPs in any particular cases are viewed as reasonable or not, the inexorable rise in strong encryption as a default modality will render DPI increasingly irrelevant.

[...]

Traffic analysis is still possible even in many encrypted environments of course, but I doubt that anyone would argue that it is as powerful as true DPI, and even traffic analysis can be fooled.

The short answer to that is "that depends". Keep in mind that DPI is a collective term for multiple industries. The only common denominator really, is that L7 information is being processed.

Devices that look deeper into the actual content will be hit much harder when and if encryption becomes more prevalent, granted. For traffic management devices (my area), I can't say there's much of a difference in terms of whether the protocol can be properly identified, for the vast majority of cases.

Also note the 'when and if'. You don't see all too many new plaintext ones - but a decent chunk of the proprietary ones are obfuscated or just plain undocumented (as far as the public is concerned) rather than encrypted.

[jackypunker]

The uses of DPI appliances are regularly under fire by network neutrality advocates, privacy advocates, and people who are generally concerned about communication infrastructure. DPI lets network operators ‘penetrate’ data packets that are routed through their networks and this practice is ‘new’, insofar as prior networking appliances were generally prevented from inspecting the actual payload, or content, of the data packets that are shuttled across the ‘net. Virtualization giant VMware has launched a new product vSphere 4 positioned as the first cloud computing operating system combining under one roof a diverse set of dynamic virtualization management tools.