Hi, Habr! We at VAS Experts specialize in building and deploying services for monitoring and analyzing Internet traffic. In our blog, we will share our own experience and explain how various technologies related to our field of work operate.
/ Flickr / Andrew Hart / CC

The global market for deep packet inspection (DPI) was estimated at almost $742 million in 2013. According to analysts, by 2020 it will grow by more than 6 times and will be estimated at 4.7 billion. DPI systems are mainly used by Internet providers and telecom operators, who seek to protect their subscribers and optimize the bandwidth delivered to the client through filters, priorities and caches.
DPI analyzes all packets passing through it up to the 7th level of the OSI model and recognizes applications that do not use previously known headers and structures for data exchange. However, a DPI system alone does not solve the problems and tasks described above. It interacts with other devices and services in the operator's data network. That interaction is what we will discuss today.
Interaction with other systems
Standards and specifications for mobile networks are not developed by each operator separately; this is handled by the 3GPP (3rd Generation Partnership Project), created in 1998.
The central concept of 3GPP networks is PCC (Policy and Charging Control). Solutions of this class make it possible to personalize services and actively manage traffic and quality of service, using PCC rules to make PCC decisions.
These PCC rules are applied by the PCEF (Policy and Charging Enforcement Function). DPI systems are part of the PCEF: they scan all passing traffic and apply the required policies to it.
However, there are other elements in the scheme. For example, the PCRF (Policy Control and Charging Rules Function) decides which subscriber service policies to apply in order to set QoS parameters and charging rules depending on various conditions. There is also an OCS (Online Charging System), which bills services and controls the subscriber's balance.
Also worth noting are the billing system, which stores the subscriber balance database and provides it to the OCS server, and the UDR (User Data Repository), which stores user data (services available to the subscriber, QoS parameters, and others). A complete list of the components involved can be found in our blog.
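The division of roles described above, as an added example that is not VAS Experts' code and does not model the 3GPP signalling between the components. The subscriber records, rate tables, payload signatures and the "redirect on zero balance" and "block unknown subscribers" behaviours are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the UDR (subscriber profiles)
# and the OCS (balances); these are not real operator records.
UDR = {
    "alice": {"plan": "premium", "blocked": set()},
    "bob": {"plan": "basic", "blocked": set()},
    "carol": {"plan": "basic", "blocked": {"p2p"}},
}
OCS_BALANCE = {"alice": 12.5, "bob": 0.0, "carol": 3.0}
PLAN_RATE_KBPS = {
    "premium": {"video": 8000, "web": 20000, "p2p": 2000},
    "basic": {"video": 2000, "web": 5000, "p2p": 500},
}

@dataclass(frozen=True)
class PccRule:
    app: str       # application class reported by DPI
    action: str    # "allow", "block" or "redirect"
    max_kbps: int  # QoS limit; 0 when the flow is not forwarded

def pcrf_decide(subscriber: str) -> dict:
    """PCRF role: derive per-application PCC rules from UDR and OCS state."""
    profile = UDR[subscriber]
    rules = {}
    for app, kbps in PLAN_RATE_KBPS[profile["plan"]].items():
        if OCS_BALANCE[subscriber] <= 0:
            rules[app] = PccRule(app, "redirect", 0)  # assumed: top-up page
        elif app in profile["blocked"]:
            rules[app] = PccRule(app, "block", 0)
        else:
            rules[app] = PccRule(app, "allow", kbps)
    return rules

def dpi_classify(payload: bytes) -> str:
    """DPI role inside the PCEF: label a flow by its payload, not its port."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "p2p"
    if b"#EXTM3U" in payload:  # HLS playlist marker, used here as a toy signature
        return "video"
    return "web"

def pcef_enforce(subscriber: str, payload: bytes) -> PccRule:
    """PCEF role: classify the flow, then apply the PCRF's rule for that class."""
    if subscriber not in UDR:  # assumed policy: fail closed for unknown subscribers
        return PccRule("unknown", "block", 0)
    return pcrf_decide(subscriber)[dpi_classify(payload)]
```
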
DPI connection schemes
There are two main schemes for connecting a DPI device to the operator's equipment: the so-called "break" (in-line) installation, which is the active scheme, and traffic mirroring, which is the passive scheme.
In-line ("break") installation

This type of connection is used to implement the functionality of any DPI system. In this case, the traffic analysis system is connected to the uplink after the border router.

The advantage of this scheme is that absolutely all traffic passes through DPI. This allows prioritization, as well as setting up notifications, caching, and other functions. However, this type of connection has a significant drawback: the DPI device becomes a point of failure - if it fails, the connection is completely broken.
But there are ways to solve this problem:
- Use a bypass device as part of the DPI system, which, in the event of a failure of the main frontend, will begin to “drive” traffic through itself (traffic analysis will not be carried out).
- Use a backup DPI platform, which would filter traffic in case of failure of the main one.
Traffic mirroring scheme

Traffic is mirrored through SPAN ports or optical splitters. With this scheme, it is possible to analyze the history of visits in real time, redirect requests for blocking, use caching and work with bonus programs.

The advantages of this connection option are minimal changes to the structure of the existing network and no need for a bypass card. In this case, it is possible to collect analytics from the traffic, connect a cache server and mirror the traffic to SORM equipment, but the full functionality of the DPI system will not be available.
Note that both connection options are supported by our SCAT DPI solution, which allows you to limit the bandwidth occupied by protocol groups, control the priority of packets passing through it, block advertising content, etc. You can find more detailed information about the system here.
Instead of conclusion
DPI systems, which appeared as a result of combining several younger packet filtering systems (if you are interested, you can find the history of DPI's origins and information about its predecessors here and here), have simplified the support and administration of networks and sites, improved the protection of the latter against all sorts of attacks and expanded the scope of applicability of traffic analysis technologies.
We will cover the details of how DPI is applied in our next article. We welcome your suggestions on topics for further consideration in the blog.