Deep Packet Inspection use cases: Lawful Intercept and CALEA compliance

(DPI) has many use cases and can involve a wide range of capabilities. Some use cases involve making more intelligent and effective use of network resources. Other uses involve identifying traffic anomalies, viruses/malware, or network misuse/abuse or illegal activity. In this month’s column, I’ll be providing an overview of DPI and how it works, then describe a specific – using DPI for Communications Assistance for Law Enforcement Act (CALEA) compliance.

What exactly is DPI?

DPI involves looking beyond layers 2 and 3 of the packet and using content information to make decisions about the packet. DPI is different from standard routing and switching systems because routers, for example, simply use IP addresses (layer 3 information) to make routing and forwarding decisions. Similar things can be done using DPI, but DPI extends this notion to provide more value.

A baseline application that demonstrates the value of DPI is load balancing. Let’s say there is a simple router that connects a number of users to two identical application servers. A simple router might route users to a specific server based on an IP address hash, which could create saturation on one server and starvation of the other. A slightly smarter algorithm might use IP subnets and route half the subnets to one server and the other half to the other server. But if it happens that the fixed group of subnets going to one specific server are all streaming the “big game” video and the subnets using the other server are lightly loaded, you get into the same situation. If DPI is used, the router/load balancer can look deeper into the packet and understand what the application is on that network flow (whether it is video, file transfer, low-bandwidth gaming or text communication, for example). Based on the application information, a DPI-enabled device can spread the high-bandwidth applications across both servers and makes the source of the traffic irrelevant. As a result, the servers are better utilized, provide a better service, and are more profitable.

DPI can be characterized as having two potential components: classification and application inspection.

The classification component involves the DPI engine looking at each packet individually, past the IP and layer 4 headers into the content. The content is typically matched against specific byte sequences called signatures, and when a signature matches, the classification layer puts a label with that packet indicating the application running on that flow. It could be a bit more complicated – sometimes you can’t get to the distinction with a single packet. In these cases, the classification layer might be forced to reassemble a small number of packets in a flow before the signature uniquely identifies the application.

The application inspection part of DPI may or may not be included with something that’s being called a “DPI engine.” Application decode is a more complex processing phase in which most (if not all) the packets that make up a logical application transaction for a flow are reassembled, fully analyzed, and relevant information is pulled from the transaction. All of the relevant pieces of information (usually called metadata or tag) are then output to a system element that can analyze what’s going on in the network and take some kind of action.

I like to call the classification step “wide and shallow” processing, because this step inspects every flow, but only up to a few packets of each flow to get general information. This approach can be effective in identifying an application, but can’t be used to identify who is running the application or what transaction or interaction is being performed.

I call the application inspection step “deep and narrow” processing. If a system is reassembling an entire logical transaction, then identifying what the transaction is, who is involved, and pulling out relevant pieces of information for that transaction, it typically can’t do so for every single flow – there are too many packets and the processing is too intensive. In this case, the classification phase is armed with some kind of “relevant packets” information, which enables it to filter out irrelevant flows before sending to the application inspection processing component. This way, the application inspection doesn’t waste its time with applications it doesn’t care about.

Some applications just need the classification part. DPI engines that perform just classification can be lighter weight and used in-line for things like load balancing or intrusion prevention. When DPI engines implement application inspection, these engines are typically used in a passive mode where the network line is tapped and the tap feeds the DPI engine for heavier processing. Passive devices can’t prevent things happening on the network because they are just getting a copy of the data flying by on the wire. But they can provide comprehensive and detailed real-time notifications of events happening on the network.

CALEA compliance and Lawful Intercept

Some of you may not remember, but there was a day when your phone was connected to a wire and your voice traveled that wire in its natural state. With this system, the government could pretty easily tap someone’s phone line and listen in if they had a warrant to do so. Then came the digital network and Time Division  (TDM) and things got tougher, but were still doable. Enter the Internet and Voice over IP (VoIP).

The CALEA law simply says that a Network Service Provider (NSP) must be able to provide Internet communications (VoIP calls or Internet data access) to law enforcement when provided with a warrant. Prior to any communications intercept standards, the method of operation is scary for Americans – some providers would simply route all traffic for a particular subnet location to law enforcement and the agents would have to sift through everything going on in that subnet for a specific person under warrant. That means that if you happen to share a trunk line with a bad guy, law enforcement not only gets the bad guy’s stuff but yours too, which is a violation of privacy.

Applying DPI to CALEA

Enter DPI to solve the privacy issues on the Internet for CALEA. Using a narrow DPI engine, a device can be created that allows the service provider to program in the information for a single subscriber, and the DPI engine in the box can identify the specific subscriber, their application, and whether just the signaling information or the entire content of the application can be delivered to law enforcement.

You might think, “Well, a subscriber is ultimately assigned an IP address, so why not just use a simple router or SPAN port to ship out that IP address and be done with it?” In fact, this is exactly what some Lawful Intercept-capable routers do – the Cisco SII is one such implementation. However, warrants are more complicated than that. Some warrants allow law enforcement to get voice calls but not Internet data. If voice calls are allowed, they may only be authorized to get
caller/callee information but not the call content. Or perhaps just the to/from e-mail addresses and not the actual e-mail message or attachments can be obtained. In order to execute on these kinds of specific warrants, application inspection is needed. Companies like IP Fabrics and Packet Forensics make such devices that are specifically targeted at providing CALEA compliance for service providers.

How does it work?

Step 1 – Enter the warrant information: This configuration information is usually stored in some kind of a database and a runtime table is created. The runtime table is organized for efficient DPI classification and application inspection, and the database information is only used to rebuild the runtime table if the device is power cycled.

Step 2 – Classification: The “what services does law enforcement get to see” part is implemented in the classification processing. The classifier looks through the packets to identify the ones that are relevant to the warrant, and passes this information on to application inspection.

Step 3 – Application inspection: The application inspection processing involves reconstructing the packets into application transactions, looking in the runtime table to determine if the person named in the warrant is involved with the transaction, and if just the summary information is allowed or full content.

Step 4 – Output message generation: Once the information is gathered, an output message is generated with this information and sent to law enforcement. There are standardized output message interfaces defined by the ATIS standards body in the United States and ETSI in Europe. This ensures interoperability with law enforcement analytics systems and also protects the privacy rights of individuals.

DPI and next-gen network management

The steps described above can almost be cut-and-pasted and applied to a wide range of applications involving least-cost routing, software-defined network processing, and Service Level Agreement (SLA) enforcement to name just a few.

DPI will continue to have a profound impact in the evolution of IP-based networks and the ability to effectively manage and roll out new services in the face of the mind-boggling increases in bandwidth usage in the coming years.