For IP if interested. Excerpted.
Throttle 5 million P2P users with $800K DPI monster
By Nate Anderson | Published: May 12, 2008 - 05:00AM CT
Procera Networks will announce today a new standard in deep packet inspection (DPI) gear: an 80Gbps monster called the PacketLogic PL10000 that is targeted at tier-1 network operators. At up to $800,000 a unit, these aren't cheap, but when you want to throttle, inspect, and shape traffic in real time on a major network, this is now the fastest thing on the market (and by a large margin).
.......
The PL10000 can handle up to 5 million subscribers and can track 48 million real-time data flows. That's certainly a potent piece of hardware, but larger ISPs will need more. That's why Procera designed the new machines with full support for synchronizing traffic flows where return traffic might be routed to a different PacketLogic machine. The machine receiving the return traffic can make the machine monitoring the outbound traffic aware that it sees the other half of a TCP/IP conversation, for example, giving the devices more accuracy than those which might only have access to one side. The capability also incurs overhead of only 2-6 percent, far better than the 25 or 50 percent sometimes seen in competing products.
........
DPI gear in general is astonishing technology, able to drill down to the packet level in real time, but the PL10000 can do this at 80Gbps with 96 percent accuracy. But how does it fare with P2P content, especially when it's encrypted? This is one of the key issues for ISPs using DPI gear as a less-expensive alternative to increasing capacity. I spoke with James Brear, Procera's CEO, and Jon Lindén, the VP of Product Management, about the issue. While they did not break out specific accuracy numbers on P2P, they indicated that Procera was quite good even at sniffing out encrypted P2P traffic.

Breaking such encryption in real time isn't currently possible, nor is it desirable from a privacy perspective, but Procera doesn't need to; most P2P protocols can be detected simply by analyzing header information, handshake peculiarities, or the way in which a particular application exchanges encryption keys. Such telltale traces can give away various kinds of encrypted traffic, and while the information within remains secure, the entire flow can be shaped or blocked if desired by the ISP. (Note that this alone isn't enough to filter copyrighted content, but it can put the kibosh on entire protocols that might be heavily used for copyright infringement.)
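The two detection ideas in the excerpt, a fixed signature on the handshake and a heuristic for streams that carry no recognisable preamble, together with the matching of both halves of a conversation that may arrive at different boxes, as an added toy example in Python that is not Procera's code and not the PacketLogic approach: the entropy threshold, the label names, the flow-key scheme and the sample packets are my assumptions.

```python
import math
from collections import Counter, defaultdict

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # fixed preamble of the plaintext BitTorrent handshake (BEP 3)
ENTROPY_CUTOFF = 0.9                       # assumed threshold for "looks random", not a vendor value

def flow_key(src, sport, dst, dport):
    """Direction-agnostic key: both halves of a conversation map to one flow, even if each half is seen by a different box."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def normalized_entropy(data):
    """Shannon entropy of the bytes divided by the maximum a sample of this size could reach."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))

def classify(first_payload):
    """Label a flow from its first payload bytes: known preambles first, then the random-looking heuristic."""
    if first_payload.startswith(BT_HANDSHAKE):
        return "bittorrent-plain"
    if first_payload[:4] in (b"GET ", b"POST", b"HTTP"):
        return "http"
    if first_payload.startswith(b"\x16\x03"):       # TLS record header: handshake type, version 3.x
        return "tls"
    if len(first_payload) >= 64 and normalized_entropy(first_payload[:256]) > ENTROPY_CUTOFF:
        return "likely-obfuscated-p2p"                # no recognisable preamble, near-random from byte 0
    return "unknown"

def build_flows(packets):
    """Fold (src, sport, dst, dport, payload) tuples into {key: (label, both_sides_seen, payload_bytes)}."""
    flows = defaultdict(lambda: {"first": b"", "sides": set(), "bytes": 0})
    for src, sport, dst, dport, payload in packets:
        rec = flows[flow_key(src, sport, dst, dport)]
        rec["sides"].add((src, sport))
        rec["bytes"] += len(payload)
        if not rec["first"] and payload:
            rec["first"] = payload
    return {k: (classify(r["first"]), len(r["sides"]) == 2, r["bytes"]) for k, r in flows.items()}

# Constructed sample traffic (not a capture): two-sided BitTorrent handshake, one-sided HTTP request, high-entropy stand-in for an obfuscated handshake.
OBFUSCATED = bytes((i * 37 + 11) % 256 for i in range(96))
SAMPLE = [
    ("10.0.0.5", 51234, "203.0.113.9", 6881, BT_HANDSHAKE + bytes(8) + b"X" * 40),
    ("203.0.113.9", 6881, "10.0.0.5", 51234, BT_HANDSHAKE + bytes(8) + b"Y" * 40),
    ("10.0.0.5", 40000, "198.51.100.2", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.7", 40001, "203.0.113.10", 51413, OBFUSCATED),
]
```

Running `build_flows(SAMPLE)` yields three flows: the BitTorrent one is seen from both sides, the other two from one side only, and the random-looking stream is flagged without any of its bytes being decrypted.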