Deep Packet Inspection White Paper
Technology, Applications & Net Neutrality
Klaus Mochalski, Hendrik Schulze

Deep packet inspection has been the subject of controversial debates about network neutrality and online privacy for the last few years. In this white paper we will argue that DPI as such is a neutral technology, neither good nor bad, and that it depends on the application that utilizes DPI whether and how it will affect the Internet and our society. This paper will focus on Internet bandwidth management based on DPI. Interestingly, the technology has been around in other applications such as firewalls and virus scanners for much longer without sparking similar controversy. After a simple technical explanation of what DPI is, and what it is not, we will set straight some myths and untruths. Future discussions, particularly in the area of bandwidth management, should not focus on DPI as a technology, but on its specific applications. To facilitate these discussions, we will propose a simple system of categories that classify different Internet traffic management schemes according to their impact on net neutrality, market competition and online privacy.

Introduction

New technologies often spark controversy, particularly if their use has a potential impact on our daily lives. The ability, and necessity, to embark on an open discussion before wider adoption is an important pillar of modern society. One such technology that recently made rather controversial headlines is deep packet inspection (DPI). A number of quite vocal adversaries have presented a host of concerns, some of them reasonable and worth a discussion, but many also polemic and based on false statements or poor technical understanding. DPI has been branded by some as an evil technology that could end the Internet as we know it.

This white paper aims to contribute to this debate, first by clarifying the technological background from the perspective of a vendor of networking products based on DPI technology, and second by discussing the potential impact the widespread deployment of DPI applications may have on the Internet and society.

Critics often mix up DPI with a network service or function using DPI as its base technology. Examples of network functions using DPI include spam and virus filters, intrusion detection and prevention systems (IDS/IPS), and firewalls, all of which have been around for many years. And there has hardly been a debate about the perils of any of these. So what is happening in the DPI discussion?

Its target was not so much DPI, but Internet traffic management based on DPI as a new network function, yet another application using DPI. The core claims of its opponents are the alleged violation of privacy and net neutrality. In fact there are other DPI-based network functions that could be seen as even more critical than traffic management. Examples are network monitoring for lawful interception, which can include mass interception and target profiling, and in-line content injection used for targeted advertisement. So it is all about the application DPI is used for, and not the technology itself. Thus it is important to discuss all these applications separately.

This white paper will focus on DPI-based traffic or bandwidth management. After a technical introduction to DPI and DPI-based Internet traffic management, this paper will extensively discuss the benefits and potential dangers of this technology, including the weakening of net neutrality and freedom of speech on the Internet.

Technical Background: What Is DPI?

At first glance, a technical definition of deep packet inspection is straightforward to write down and in fact very simple. DPI systems inspect entire packets traveling the network as part of a communication, looking not only at packet headers like legacy systems, but also at the packet's payload.

The central point of this definition is the inspection of packet payload. While this seems to be quite clear, both terms require a closer look, not least because this payload inspection constitutes the main draw for criticism of DPI technology. The key problem is that Internet packets do not have only a single header plus payload. Instead, there is a packet header and payload at each layer of the multi-layer Internet architecture that can be found in each network-connected host. A detailed discussion of this header-payload dilemma can be found in the boxed text "The Header–Payload Confusion" below.
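To make the layering concrete, here is an added example, written for this edited page rather than taken from the paper or from ipoque: it builds a constructed Ethernet II / IPv4 / TCP / HTTP frame, walks the headers one layer at a time, and returns the slice of the IP packet that a plain router, a stateful firewall and a DPI engine each have to look at. The MAC and IP addresses, ports and HTTP request are made up, and the checksums are left at zero because nothing here validates them.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed sample payload (not a capture): a minimal HTTP request.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

def build_frame(payload=PAYLOAD):
    """Ethernet II -> IPv4 -> TCP -> application data, each header prepended in turn."""
    tcp = struct.pack("!HHIIBBHHH",
                      52000, 80,          # source port, destination port
                      1, 0,               # sequence and acknowledgement numbers
                      5 << 4,             # data offset: 5 x 32-bit words = 20 bytes
                      0x18,               # flags: PSH|ACK
                      65535, 0, 0)        # window, checksum (unset), urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0,             # version 4, IHL 5 words; DSCP/ECN 0
                     20 + len(tcp) + len(payload),
                     0x1234, 0x4000,      # identification; flags DF, fragment offset 0
                     64, 6, 0,            # TTL, protocol TCP, header checksum (unset)
                     inet_aton("192.0.2.10"), inet_aton("198.51.100.5"))
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Walk the headers layer by layer.

    Returns ([(layer, start, end), ...], application_payload).  Each layer's
    payload begins where its header ends, which is exactly why the next header
    down the list always sits inside the previous layer's payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    layers = [("Ethernet", 0, 14)]
    ihl = (frame[14] & 0x0F) * 4
    ip_start, ip_end = 14, 14 + ihl
    total_len = struct.unpack("!H", frame[16:18])[0]
    layers.append(("IPv4", ip_start, ip_end))
    if frame[ip_start + 9] != 6:
        raise ValueError("only TCP is handled here")
    data_offset = (frame[ip_end + 12] >> 4) * 4
    tcp_end = ip_end + data_offset
    layers.append(("TCP", ip_end, tcp_end))
    return layers, frame[tcp_end:ip_start + total_len]

def destination_for_routing(frame):
    """All a router needs: the destination address, bytes 16..19 of the IP header."""
    layers, _ = parse_frame(frame)
    _, ip_start, _ = layers[1]
    return inet_ntoa(frame[ip_start + 16:ip_start + 20])

def five_tuple(frame):
    """What a stateful firewall keys its connection table on.  The two port
    numbers are read from the first four bytes *after* the IP header."""
    layers, _ = parse_frame(frame)
    _, ip_start, ip_end = layers[1]
    src = inet_ntoa(frame[ip_start + 12:ip_start + 16])
    dst = inet_ntoa(frame[ip_start + 16:ip_start + 20])
    proto = frame[ip_start + 9]
    sport, dport = struct.unpack("!HH", frame[ip_end:ip_end + 4])
    return (src, dst, sport, dport, proto)

def inspected_bytes(frame, role):
    """The slice of the IP packet a node of the given role has to look at."""
    layers, payload = parse_frame(frame)
    _, ip_start, ip_end = layers[1]
    _, _, tcp_end = layers[2]
    if role == "router":             # IP header only: the paper's demarcation line
        return frame[ip_start:ip_end]
    if role == "stateful_firewall":  # IP header plus the ports in the transport header
        return frame[ip_start:ip_end + 4]
    if role == "dpi":                # through the transport header into the application data
        return frame[ip_start:tcp_end + len(payload)]
    raise ValueError(f"unknown role {role!r}")

if __name__ == "__main__":
    f = build_frame()
    for name, start, end in parse_frame(f)[0]:
        print(f"{name:8s} header occupies frame bytes {start:2d}..{end:2d}")
    print("router sees  :", len(inspected_bytes(f, "router")), "bytes ->", destination_for_routing(f))
    print("firewall sees:", len(inspected_bytes(f, "stateful_firewall")), "bytes ->", five_tuple(f))
    print("DPI sees     :", len(inspected_bytes(f, "dpi")), "bytes ->", parse_frame(f)[1][:14])
```

On the constructed frame the router reads 20 bytes, the stateful firewall 24 and the DPI engine all 77 bytes of the IP packet; the four extra bytes the firewall needs are the first four bytes of the IP payload, which is the point the paper makes about the Wikipedia definition.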
Deep Packet Inspection – Technology, Applications & Net Neutrality

The most useful definition is based on the demarcation line Nevertheless, the IP header boundary is the most commonly
between IP header and IP payload. It is also used in used limit for packet inspection and is frequently cited by
Wikipedia’s definition of DPI 1: DPI opponents. It is a sensible and understandable position,
“Deep Packet Inspection (DPI) is the act of any IP net- and even if one choses to deviate from it, it is still a useful
work equipment which is not an endpoint of a commu- baseline and starting point for any DPI discussion. We will
nication using any field other than the layer 3 destina- indeed go beyond this very restricted understanding of
tion IP [...]. [...] This is in contrast to shallow packet what inspection operations should be allowed for a packet
inspection (usually called Stateful Packet Inspection) in transit. Exactly how deep a DPI system has to look, and
which just checks the header portion of a packet.” what data it needs to gather, strongly depends on the ap-
plication or network function that it is used for.
This many-headers dilemma can be confusing, which be-
comes apparent in the contradiction in the above definition. Myths and Wrong Analogies
Its second sentence implies that stateful packet inspection is
the same as shallow inspection. However, stateful inspec- Analogies are a favorite instrument to illustrate technical
tion – or filtering –, as it is commonly deployed in pretty matters for a non-technical audience. It is often a challenge
much all of today’s firewalls, keeps track of network con- to get them right. And sometimes a poor analogy is inten-
nections or flows by grouping all packets with the same 5- tionally used to convey a personal opinion instead of tech-
tuple {source IP, destination IP, source port, destination port, nical facts – or worse, to evoke fear, uncertainty and doubt.
layer-4 protocol}. Port numbers are encoded in the TCP and One such analogy has enjoyed particular popularity in the
UDP headers, which are part of the IP payload. This would recent debate about DPI. In its “Memorandum Opinion and
be a clear violation of the first statement. Order” from 1 August 2008 2, the FCC states:

The Header–Payload Confusion


The architecture of any Internet node follows a standardized layering structure. Each layer implements a subset of functions necessary
for end-to-end data transmission. Defined interfaces between these layers provide a data hand-over point. In a sending system, each
layer receives data via this interface from its upper layer. These data constitute the payload for the current layer. Data are processed
and a header is added at the head of the packet. (Sometimes, trailing information is also added to the tail of the packet, usually pad-
ding or checksums, but that is irrelevant for our discussion.) This process repeats at each of the layers.
As an example, let us look at the sending of an e-mail. After composing a message and pressing the send button of the e-mail client
(e.g. Microsoft Outlook, Mozilla Thunderbird), this is what happens:
1. The message including e-mail-specific header fields (e.g. subject, from, to, cc, bcc, attachments) is encoded in the Internet Message
Format (IMF).
2. The IMF-encoded message is sent to the SMTP handler, which in turn encapsulates the IMF payload by adding its header.
3. The SMTP packet is then handed to the sending host’s TCP instance, that again adds its header (with port numbers identifying the
communicating application, plus other, connection-state and flow control information) to the SMTP payload data.
4. The TCP segment is passed on to the IP instance, that adds an IP header with IP source and destination addresses.
5. The data link layer (Ethernet in most cases) takes the IP packet and encapsulates it in an Ethernet frame, again adding a header
with Ethernet addressing information (source and destination MAC addresses).
6. Only now this Ethernet frame is put as an electromagnetic signal, representing the ‘0’ and ‘1’ bit values that comprise the frame,
onto the copper or fiber-optical cable.
The same process, only in reverse order, happens again at the receiver.
This description shows that there is no sharp distinction between header and payload in the Internet. An IP packet is an Ethernet frame’s
payload, a TCP segment (i.e. the TCP packet) is the payload of an IP packet, and so on. So where exactly does ‘deep’ packet inspec-
tion start? While there is no definite answer to this, a demarcation line can be established by looking at the Internet’s packet delivery
process.
Packets are exchanged between user applications (e.g. e-mail client and server, Web browser and server, or peers in a peer-to-peer
network). For packet forwarding in the Internet, however, the applications sending and receiving the packets are irrelevant. Packets are
sent from one host (represented by the sender IP address) to another (represented by the receiver IP address). These two addresses are
the only information required by Internet nodes (the sending and receiving hosts and the intermediate routers) to deliver a packet.
So one could assume an understanding where only the communicating end systems should look beyond the IP header at TCP/UDP port
numbers. That is necessary to deliver data to the correct application, of which several may run on any given host. At any other point
along the network path between the communicating hosts, the look-up needs only go as deep as the IP header, as this is all what is
necessary to route the packet.

1
http://en.wikipedia.org/wiki/Deep_packet_inspection, retrieved 1 September 2009
2
Document: http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.pdf, linked from
http://www.fcc.gov/Document_Indexes/WCB/2008_index_WCB_Order.html, row FCC-08-183, retrieved 1 September 2009

2 © ipoque 2009
White Paper

“[...] Comcast opens its customers’ mail because it Internet for many years without drawing much criticism.
wants to deliver mail not based on the address or type Here is a short list of examples:
of stamp on the envelope but on the type of letter con- ◦ E-mail spam filtering
tained therein.” ◦ Anti-virus filtering for e-mail and other Internet content
Later in the same document, a statement by then FCC ◦ Intrusion detection and prevention systems (IDS/IPS)
chairman Kevin J. Martin begins with: ◦ Firewalls
◦ Content caching systems (e.g. for Web pages)
“Would it be OK if the post office opened your mail,
◦ Network probes for network monitoring and trouble-
decided they didn’t want to bother delivering it, and hid
shooting
that fact by sending it back to you stamped ‘address
unknown –return to sender’? Or would it be OK, when All these technologies have a certain misuse potential as
someone sends you a first class-stamped letter, if the they all have access to user content data. DPI-based traffic
post office opened it, decided that because the mail management is just another DPI application on this list and
truck is full sometimes, letters to you could wait, and should be treated as such.
then hid both that they read your letters and delayed
them?
Bandwidth Management –
Unfortunately, that is exactly what Comcast was doing
A DPI Application
with their subscribers’ Internet traffic.”

So DPI is like ‘opening’ a letter and ‘reading’ its content,


right? One could argue about opening because a sealed
letter is clearly marked ‘private content – do not open’, a
network packet, if it is unencrypted, is not. But this is de-
batable. DPI systems, at least those used for bandwidth
management as in the case of Comcast, by no means
‘read’ or even ‘understand’ the communication content.
Instead, they scan for certain markers – or patterns – to
classify the protocol or application that generated the
packets used to transmit the content. Such systems only find
what they are looking for, i.e. if they do not scan for the
The rest of this white paper will focus on one particular
word ‘bomb’, they will not know if it is there or not. Or in
application of DPI: Internet traffic or bandwidth manage-
other words, DPI does not index the content of network
ment.
packets as search engines like Google do for Web pages.

DPI in bandwidth management systems does not read all The Big QoS Failure
packets. Instead, it only scans for patterns in the first few
It is common knowledge that different network applications
packets of each network flow – about 1-3 packets for unen-
have varying quality of service (QoS) requirements. For
crypted and 3-20 packets for encrypted communication
instance, Internet telephony and online games work best
protocols. The rest is done by a flow tracking – or stateful
under low-latency, low-jitter conditions, but consume little
filtering as known from firewalls. Scanning all packets of a
bandwidth. Large downloads are nearly unaffected by la-
flow would be both unnecessary and rather expensive.
tency and jitter and only need as much bandwidth as pos-
If one really wants to use the ‘reading of letters’ analogy, it sible.
should be postcards instead of letters, and the ‘reader’
Unfortunately, the Internet has so far failed to bring about
should be one who does not understand the language of
QoS support. Not that there have been no attempts. ATM3
the letter and who only scans certain parts of the contents
tried to solve this issue by overturning the entire architecture
for matching symbols from a list of symbols – or patterns. It
of the Internet – and failed due to its overwhelming com-
is important for our discussion to understand that DPI is not
plexity. Then, extensions to TCP/IP were proposed, most
automatically a privacy violation.
prominently Integrated Services (IntServ) and Differentiated
Services (DiffServ). The more comprehensive IntServ failed
Applications and Systems Using DPI
for its poor scalability. The simpler DiffServ failed because it
Interestingly, there have been DPI-based applications and would have required the support by all router hops of an
network functions deployed in many places across the end-to-end communication path, hence the cooperation of

3
ATM: Asynchronous Transfer Mode is a standards suite developed by the International Telecommunications Union (ITU) and the ATM
Forum (an industry consortium) with the ultimate goal to replace the entire Internet infrastructure from the core to the end system, includ-
ing the TCP/IP protocol suite that is the very basis of the Internet.

3
Deep Packet Inspection – Technology, Applications & Net Neutrality

all network operators along the path – something which is sizes, per-flow data and packet rates, number of flows
and will be difficult to achieve. and new flow rate per application.
◦ Statistical analysis:
All these legacy mechanisms for providing QoS guarantees
the calculation of statistical indicators that can be used
to certain types of network traffic relied on marking of spe-
to identify transmission types (e.g. real-time audio and
cific requirements by the end points. Basically, the sending
video, chat, or file transfer), including mean, median
application would mark a certain packet as, for instance,
and variation of values collected as part of the behav-
real-time traffic (i.e. requiring low latency and jitter) with a
ioral analysis, and the entropy of a flow.
certain data rate profile. All intermediate routers would
then assign the marked packets to a separate queue that Once the classification has been done, bandwidth man-
gets special treatment according to the required QoS pro- agement systems installed at those points in the network
file. As mentioned above, one challenge that prevented that that will most likely become a bottleneck during periods of
approach from being widely implemented is the missing high network load can at least provide ‘soft’ QoS guaran-
cooperation among all network operators. A second prob- tees similar to what DiffServ could have offered. ‘Soft’
lem for such an implementation would be the proper mark- means that the guarantees would only be network-local to
ing of network traffic. The routers along the path would where the bandwidth management system is deployed.
have to rely on the marking as set by the sending applica- While this falls short of providing full, end-to-end QoS sup-
tion. Without any additional access policing at the network port, it can solve the most common problems in today’s
edge, mismarkings cannot be avoided and can potentially Internet infrastructure: congestions in network access links
mess up the QoS guarantees for an entire traffic class (e.g. at the edge (i.e. at the DSLAM or CMTS level), and at tran-
if a large download would be marked as time-sensitive sit and peering points.
voice traffic).
The following list gives some examples of potential uses for
DPI-based bandwidth management. More can be found in
DPI Bandwidth Management
the last part of this paper.
DPI can effectively solve the traffic marking problem by its
◦ Prioritize interactive real-time applications such as Inter-
capability to classify network flows according to the com- net telephony, online gaming and remote access
municating application. This marking would be a network
◦ Rate-limit bandwidth-intensive applications such as large
function – as opposed to an end system function – and thus downloads from peer-to-peer (P2P) networks and Web-
be immune against intentional mismarkings. For this classi- based file hosting services during periods of congestion
fication to work reliably, DPI is a necessity. Inspecting
◦ Block access to undesired applications such as P2P file
headers only – looking at port numbers in TCP and UDP sharing in an enterprise environment
headers – does not yield a reliable protocol or application
classification anymore, as many modern applications use DPI bandwidth management is a rather new technology. A
dynamic ports or even ports that have traditionally been commonly cited reason is that powerful-enough hardware
used by other applications (e.g. Skype and other peer-to- to inspect the content of network packets has become
peer systems often used port 80 that is historically reserved available only in recent years. This is wrong. In fact, Inter-
for Web traffic). Note that even this type of header inspec- net data rates have been growing faster than the perform-
tion would already violate the above mentioned DPI de- ance of any other information technology, including CPU,
marcation line between IP header and payload. Interest- memory and bus systems. DPI would have been easier ten
ingly, this has never drawn any complaints from privacy or years ago using the then available technology than it is
net neutrality activists. today. No, the right reason for the advent of DPI bandwidth
management is the continuing increase of data rates along
The DPI-based protocol and application classification is with proprietary, non-standard applications that use arbi-
achieved using a number of different techniques: trary TCP and UDP ports for their data exchange, defying
◦ Pattern matching: legacy methods of application classification necessary for
the scanning for strings or generic bit and byte patterns network management, troubleshooting and capacity plan-
anywhere in the packet, including the payload portion, ning.
usually at fixed locations.
◦ Behavioral analysis: DPI & Encryption
the scanning for patterns in the communication behavior
It is a common claim that encryption and obfuscation pre-
of an application, including absolute and relative packet
vent DPI systems from being able to classify the encrypted

4 © ipoque 2009
White Paper

The P2P Encryption Lie The Potential Impact of


DPI Applications on Society
The common claim among P2P users and DPI opponents that the
use of encryption and obfuscation in P2P networks like eDonkey DPI opponents regularly point out the potentially devastat-
and BitTorrent is a measure to ensure the users’ privacy is plain
ing effect an extensive deployment of such technology
dishonest. Even if encryption is enabled, files are still shared
with the general public, so for everybody to download, store would have on the Internet and society in general. Here it is
and read – of course in unencrypted format. This is also why important to differentiate between two main uses of DPI:
encryption does not provide any protection against copyright
◦ DPI used by ISPs for commercial reasons
investigations in P2P networks, where investigators use normal
P2P clients to participate in the network and download files from ◦ DPI as a technological basis for new regulatory systems
potential infringers. The only sensible reason for encryption is
the attempt to circumvent bandwidth limitations imposed for P2P DPI and Network Operator Business Models
transfers by the ISP. However, with modern traffic management
systems, which are able to reliably detect obfuscated and en- Internet service providers have deployed or plan to deploy
crypted P2P traffic, this measure is totally ineffective. DPI-based traffic management systems. Their interests are
almost always commercial – maintaining or, better, increas-
ing their revenues. Foremost, that means attracting new
network flow. While it is true that plain pattern matching
customers and reducing subscriber churn – the loss of cus-
does not work with encrypted communication, modern DPI
tomers to competitors. At the same time, they need to pro-
systems go beyond this simple method. They use behavioral
tect their infrastructure investments from congestion by a
and statistical analysis as described above. In fact, encryp-
few users or applications. These two goals are somewhat
tion has very little effect on the classification ability and
contradictory, so it is important to find the delicate balance
accuracy of advanced DPI equipment. 4
between them. At the end, the use of this kind of DPI traffic
Of course encryption prevents inline systems to ‘read’ management will be regulated by the market. Governments
packet content thus protecting the privacy of a communica- only need to ensure a properly working market with suffi-
tion, at least in cases were information is not shared with cient competition.
the general public (see box “The P2P Encryption Lie”).
Internet Regulation
Benefits of Bandwidth Management
So far in human history, every new technology, such as the
◦ Can improve the economics of providing access to re- automobile, the television and even the printing press and
mote and rural geographic areas with it freedom of speech, eventually got regulated. Such
◦ can improve the average performance for Internet users regulation always has to take into account the specifics of a
(at the cost of limiting the resources for a few excessive new technology. For printing press and television it is suffi-
users) cient to make publishers and senders liable for the distrib-
◦ Can provide users with a tailored service, including uted content because it is easy for law enforcement to iden-
‘soft’ QoS guarantees, at a higher or lower price, de- tify the source. For cars, there is a speed limit (at least in
pending on the required service level; users that only use most countries) and tight registration and liability laws.
Web and e-mail would get a lower price; everyone pays
The same legislative process will happen for the Internet as
only for what they use
well. In theory, existing offline laws covering issues like
libel, organized crime, terrorism and child abuse already
Dangers of Bandwidth Management
apply. Unfortunately, due to the distributed, multinational
◦ Can limit access to certain Internet services (e.g. P2P file nature of the Internet, current national legislation rarely
sharing) provides a satisfying solution. In many cases, suspects and
◦ Misuse potential for protocol/application censorship criminals are beyond the reach of the executive of a coun-
◦ Can stifle innovation by slowing down capacity exten- try. Solutions can be investments in online law enforcement
sion of the Internet along with international cooperation agreements, but also
new Internet-specific regulation relying on technological
advances.

DPI and Regulation


Traffic filtering systems that use DPI have been proposed as
a technical regulatory measure in various countries to en-

4
In January 2009, the European Advanced Networking Test Center (EANTC) conducted an independent test
of DPI system with special focus on the detection capabilities with respect to encrypted P2P protocols. The
results clearly showed that the three participating vendors had no difficulties with encryption. The test results
are available at Internet Evolution: http://www.internetevolution.com/document.asp?doc_id=178633.

5
Deep Packet Inspection – Technology, Applications & Net Neutrality

force existing or new legislation. In most instances, DPI is


TCP and Net Neutrality
supposed to enable a fine-grained content classification.
This goes far beyond what most ISPs use – or plan to use – The Transport Control Protocol (TCP) is the workhorse of the
Internet providing reliable data transport from host to host for
DPI for, who are usually only interested in protocol or ap-
the large majority of all traffic. One of its important properties is
plication classification for commercially driven bandwidth a mechanism called sender-based flow control which ensures
management purposes. Examples of potential regulatory that each sending TCP instance does not overload the network
uses of DPI filtering systems are: path to the receiver and, on average, gets its fair share of the
available bandwidth on that path. TCP provides fairness among
◦ Blocking of illegal (i.e., in accordance with local laws) data transport connections.
contents such as child pornography As long as each network application utilizes one TCP connec-
◦ Blocking of encryption and tunneling systems that render tion to send data, this transport fairness also ensures fair re-
lawful interception systems (as required by many legisla- source sharing among applications. TCP has no enforcement
tions) ineffective mechanism that limits the number of connections per host. This is
important because server applications usually serve many clients
◦ Blocking of unregulated Internet telephony
in parallel, each over a separate connection. But this also
means that two hosts can open parallel connections between
Net Neutrality them to achieve higher transfer rates. The math is simple: open-
ing ten parallel connections provides this aggregate connection
One of the most common allegations against DPI and DPI-
with a transfer speed ten times higher than its fair share. And
based traffic management is that it violates net neutrality. P2P file sharing applications, for example, often open hundreds
Yet, there is no clear and generally applicable definition of of parallel transport connections. This is particularly critical in
net neutrality. It is a principle that is described differently by congested networks where this behavior will deprive single-
different people coming from different regional, social and connection applications (which are most other applications) of
their fair bandwidth share.
scientific backgrounds. Wikipedia provides a short defini-
tion 5:
time applications like Internet telephony and online games,
“At its simplest network neutrality is the principle that all
effectively rendering them unusable. Hence, an unregulated
Internet traffic should be treated equally.”
network cannot be called neutral because it does not guar-
A more precise technical definition would be that all IP antee fairness among users.
packets should be treated equally on a best-effort basis. But
Bandwidth management can correct this shortcoming of
net neutrality is not a technical principle but a social paradigm that strives to preserve the Internet in a perceived state of maximum freedom and equality among its participants. Hence, ultimately, society will have to decide about how much freedom and equality there will be in the Internet of the future. Here we will focus on the more technical aspects of net neutrality.

If net neutrality is to be understood in a way that it guarantees equal access to all its users, then certainly the Internet of today is by no means neutral. Usage statistics across many regions gathered over many years agree that less than 20 percent of network users generate over 80 percent of the traffic. This phenomenon cannot be explained by mere differences in demand alone. Instead, tech-savvy Internet users can get significantly more than their fair share of the available bandwidth, which is particularly critical in times of network congestion, when this inequality adversely affects the performance of other users. Examples are P2P file sharing applications such as BitTorrent and eDonkey. To maximize download speeds, they open many, sometimes hundreds of, parallel connections to many different peers. Legacy client-server applications such as Web browsing only open one connection to a server or, in some cases, a few connections to a small number of servers. The multi-connection applications will also win the competition for bandwidth in a network without bandwidth management. Worse, they can completely displace low-data-rate, real-

today’s Internet. It can enforce a fair bandwidth distribution among network users, particularly in times of network congestion. The simplest form would be a fair distribution of available bandwidth among all network users. This protocol- or application-agnostic bandwidth management would indeed not require DPI technology.

However, this may not always be the smartest approach, since bandwidth or, more generically, quality of service requirements differ widely between applications. For example, an Internet telephony application requires very little bandwidth, but with a guaranteed minimum at all times. A file sharing application requires as much bandwidth as possible, but can sustain periods of very low data rates without noticeable service degradation. As mentioned above, the Internet has failed to provide a QoS reservation and guarantee mechanism. Application-aware traffic management can improve this situation by providing bandwidth guarantees, priorities, or a combination of both. This kind of bandwidth management requires DPI-based classification of application traffic, because particularly those file sharing applications that utilize multi-connection mechanisms tend to obfuscate or hide their activities. Generally, DPI and derivative technologies such as behavioral and statistical analysis provide the only way in today’s Internet to reliably classify applications and application types.

⁵ http://en.wikipedia.org/wiki/Net_neutrality, retrieved 1 September 2009

6 © ipoque 2009
White Paper
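The bandwidth competition described above can be made concrete with a small simulation. The following Python script is an added illustration and is not part of the white paper or of ipoque's products: it contrasts the per-connection fairness an unmanaged TCP link provides (where a client with 200 parallel connections crowds everyone else out) with a per-subscriber max-min fair allocation, the protocol-agnostic policy the paper later lists as per-user bandwidth fairness. The link capacity, subscriber names, connection counts and demands are constructed sample values.

```python
"""Who wins the bandwidth competition: per-connection vs per-subscriber fairness.

Added illustration, not code from the white paper or from ipoque. The link
capacity, subscriber names, connection counts and demands are constructed.
"""


def per_connection_share(capacity: float, connections: dict) -> dict:
    """Unmanaged link: TCP congestion control shares the link roughly equally
    between *connections*, so a subscriber's share grows with the number of
    parallel connections it opens (what a multi-connection P2P client exploits)."""
    total = sum(connections.values())
    return {user: capacity * n / total for user, n in connections.items()}


def per_subscriber_share(capacity: float, demand: dict) -> dict:
    """Per-user fairness (max-min fair / progressive filling): every active
    subscriber is offered an equal share; subscribers that need less than that
    are satisfied in full and the headroom is redistributed among the others.
    How many connections a subscriber opens no longer matters."""
    alloc = {}
    remaining = dict(demand)
    left = capacity
    while remaining:
        share = left / len(remaining)
        satisfied = {u: d for u, d in remaining.items() if d <= share}
        if not satisfied:
            # Everybody still wants more than the equal share: split it evenly.
            for u in remaining:
                alloc[u] = share
            break
        for u, d in satisfied.items():
            alloc[u] = d
            left -= d
            del remaining[u]
    return alloc


# Constructed scenario: a 100 Mbit/s shared link, one P2P user with 200
# parallel connections, two Web users and one VoIP user (sample values).
LINK_MBITS = 100.0
CONNECTIONS = {"p2p": 200, "web1": 2, "web2": 2, "voip": 1}
DEMAND_MBITS = {"p2p": 1000.0, "web1": 5.0, "web2": 5.0, "voip": 0.1}


def compare() -> dict:
    """Return both allocations for the constructed scenario."""
    return {
        "per_connection": per_connection_share(LINK_MBITS, CONNECTIONS),
        "per_subscriber": per_subscriber_share(LINK_MBITS, DEMAND_MBITS),
    }


if __name__ == "__main__":
    for policy, alloc in compare().items():
        print(policy)
        for user, mbits in alloc.items():
            print(f"  {user:5s} {mbits:7.2f} Mbit/s")
```

Under per-connection fairness the P2P user takes about 97.6 of the 100 Mbit/s and the VoIP user is left with less than half a megabit, which is exactly the displacement the paper describes. Under per-subscriber fairness the Web and VoIP users get everything they ask for and the P2P user still receives the remaining 89.9 Mbit/s, so nobody is starved, and no application classification was needed for this.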

The simplest form of such an application-specific traffic management would be the assignment of priorities to different application classes. A ruleset could for instance be:
◦ Internet telephony (e.g. SIP, H.323, Skype) gets the highest priority
◦ Interactive applications (Web, instant messaging) get high priority
◦ Non-interactive applications (FTP, e-mail) get normal priority
◦ High-bandwidth downloads (P2P file sharing, file hosting⁶) get low priority
It is important to understand that providing priorities to selected applications does not necessarily cause a service degradation. For instance, giving voice traffic a higher priority than P2P will not at all affect the bandwidth available to P2P. This is because less than 1 percent of all Internet traffic is voice, versus at least 50 percent P2P traffic. The voice traffic increase will be unnoticeable and insignificant relative to the P2P traffic volume. The fear that low priority automatically means a slower application is unfounded.

However, if there are two types of high-volume applications, for instance P2P and Internet TV, then priorities can indeed have an adverse effect on the lower-priority application. This is why, in the specific case of Internet TV, which requires a lot of network resources, most service providers who offer such a service have chosen to build a separate network dedicated to this service only.

Now even if everybody agreed that priorities are a good idea, one open problem remains: who decides what application gets what priority? One option would be to let users pick their priorities themselves. This option has two problems. First, it requires knowledge about the quality of service requirements of applications and network protocols, and second, users would most likely tend to over-prioritize their own traffic. So the other option would be to have the Internet service provider assign priorities. Here it is important that assignments are not driven by the interests of a certain ISP, but only by the QoS requirements of an application or application class. Even an international standardization process is conceivable. The same applies to bandwidth management that goes beyond simple priority management by assigning application-specific bandwidth guarantees.

A totally different solution to this fairness problem among users would be going back from flat rate Internet access fees to volume-based billing. While this would provide for maximum fairness among users – yes, there is a cost per transmitted byte! – and indeed most users, probably over 80 percent, would financially benefit by paying less for their Internet access, it would also severely limit the Internet’s potential to foster innovation.

Ultimately, the long-term solution to the net neutrality dispute is rather simple. Governments have to ensure a competitive environment among service providers. And then, the market – including ISP subscribers – can and will decide.

Privacy
DPI as such has no negative impact on online privacy. It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content. Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management – the classification of network protocols and applications. Other applications of DPI, for instance lawful interception and targeted injection of advertisements, do indeed go further, but they are beyond the scope of this paper.

Ultimately, it is again a matter of regulation and social discourse to decide what levels of DPI and what applications are considered acceptable. But it is also naive to believe that intelligence services will refrain from using the latest available technology for wiretapping. This, too, is a matter of regulation. Quis custodiet ipsos custodes?

Content-Specific Filtering
Filtering of data transfers based on their content is one application where DPI goes beyond a simple protocol or application classification. Here, not only the application or communication protocol gets classified, but also the content that is exchanged. After this classification, certain content types may be blocked. Today, this type of content filtering is usually limited to Web traffic and is only deployed in certain countries.

This DPI application does indeed have a potential impact on net neutrality and freedom of speech and thus becomes a matter of national – and maybe also international – legislation. Every country has its own rules on what is legal and what is not. Freedom of speech is not unconditional even in the USA, meaning there are limits to what kind of content can legally be made publicly available. This kind of regulation of course exists in most countries for non-Internet content. There are age ratings for movies, and one country would certainly not accept the categorization of another country. Access to movies is controlled based on these ratings. There is no similar classification scheme along with access control for Internet content. This is something we could see in the Internet of the future, and whether this is desirable or not needs to be decided by society.

⁶ “File hosting” refers to Web-based services that allow users to upload files, including very large ones, and then provide a URL, or link, to that file which can be shared with other users, who can then simply download the file by following that link. These services are also known as “direct download links” (DDL). The largest operators of such services currently are RapidShare and MegaUpload.


This debate of content filtering is already happening in some countries. Currently, there are discussions in Germany, France and other countries about technical solutions for filtering of child pornography. This is a good prototype for any Internet filtering discussion because the distribution of such material is clearly outside any freedom-of-speech legislation. No one seriously challenges the illegality of pedophiliac material. This allows us to focus on technical challenges, their possible solutions, and what advantages, disadvantages and dangers each proposed solution implies.

The current proposals for pedophilia filtering solutions in Germany are not based on DPI. Instead they will use block lists of DNS host names and IP addresses. The proposed law would obligate ISPs to deploy an encrypted black list of host names and URLs provided by the Federal Criminal Police Office (Bundeskriminalamt, BKA) to their DNS servers to send users trying to access these addresses to a block page with a stop sign. This DNS-based access blocking is the minimum requirement of the law. It can be easily circumvented by using external DNS servers. The optional IP address blocking also has its problems. It potentially blocks access to legitimate content that is hosted on the same server as the illegal material.

A danger that is generally seen with such filtering legislation is the future emergence of a wider censorship in the Internet. And indeed, some politicians already call for filtering of other illegal material such as extreme-right propaganda or copyright-protected media files.

A different, to a certain degree already implemented, measure is the threat of prosecution. This is similar to traffic laws. Cars, for instance, can also drive faster than the speed limit, and it is also possible to drive in the wrong direction into a one-way road. The law is not directly enforced. It could well be that this is a sufficient deterrence also for the Internet if it was implemented with a similar coverage as in the offline world. This would require a huge additional effort in most countries for law enforcement activities in the Internet.

Country Borders & the Internet
It is another common statement that national regulation is impossible to enforce in the Internet. That this is wrong can be seen by the many examples of national access restrictions to certain applications or content. iTunes content availability strongly depends on the country the user is in. Pandora, an Internet streaming radio site, is unavailable outside the United States. So it seems that country borders are existent even in the transnational Internet – if there is sufficient commercial interest.

Admittedly, in all these examples a company stands behind the offerings that can be held responsible for its online activities. DPI technology in combination with traffic management can extend this control to any entity offering online content. If, for instance, a certain kind of content is legal in country A, but illegal in country B, access to such content can be selectively blocked in country B. Whether such a ‘nationalization’ of Internet access regulation is desirable is again a matter of social discourse and regulation.
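The two block-list mechanisms described above differ mainly in their collateral damage, which an operator can quantify before deploying them. The following Python script is an added illustration, not code from the white paper, from ipoque or from the German proposal: it classifies host names under name-based and address-based blocking and reports which addresses could be blocked without also taking down unlisted sites hosted on the same server. The DNS snapshot, host names and addresses (taken from the RFC 5737 documentation ranges) are constructed.

```python
"""Collateral damage of host-name vs IP-address block lists.

Added illustration, not code from the white paper, from ipoque or from the
BKA proposal. The host names are constructed and the addresses come from the
RFC 5737 documentation ranges; nothing here is a real block list entry.
"""
from collections import defaultdict

# Constructed DNS snapshot: host name -> address it resolved to at list time.
DNS_SNAPSHOT = {
    "listed-a.example": "192.0.2.10",
    "listed-b.example": "192.0.2.20",
    "listed-c.example": "203.0.113.7",
    "blog.example.org": "192.0.2.10",   # shared hosting with listed-a
    "shop.example.org": "192.0.2.10",   # shared hosting with listed-a
    "wiki.example.net": "192.0.2.20",   # shared hosting with listed-b
    "news.example.net": "198.51.100.5",
}
BLOCK_LIST = {"listed-a.example", "listed-b.example", "listed-c.example"}


def hosts_per_ip(dns: dict) -> dict:
    """Invert the snapshot: address -> set of host names served from it."""
    table = defaultdict(set)
    for host, ip in dns.items():
        table[ip].add(host)
    return table


def dns_decision(host: str, block_list: set) -> str:
    """Host-name blocking: only exact listed names are redirected."""
    return "blocked" if host in block_list else "allowed"


def ip_decision(host: str, dns: dict, block_list: set) -> str:
    """Address blocking: every name sharing an address with a listed name is hit too."""
    blocked_ips = {dns[h] for h in block_list if h in dns}
    if host in block_list:
        return "blocked"
    return "collateral" if dns.get(host) in blocked_ips else "allowed"


def collateral_report(dns: dict, block_list: set) -> dict:
    """Address -> sorted unlisted host names that an IP block would take down."""
    report = {}
    for ip, hosts in hosts_per_ip(dns).items():
        if hosts & block_list:
            report[ip] = sorted(hosts - block_list)
    return report


def safe_ip_blocks(dns: dict, block_list: set) -> set:
    """Addresses whose every observed host name is listed; only these can be
    blocked by address without overblocking (given this snapshot)."""
    return {ip for ip, hosts in hosts_per_ip(dns).items()
            if hosts and hosts <= block_list}


if __name__ == "__main__":
    for ip, victims in collateral_report(DNS_SNAPSHOT, BLOCK_LIST).items():
        print(f"{ip}: {len(victims)} unlisted site(s) affected {victims}")
    print("address blocks without collateral:", safe_ip_blocks(DNS_SNAPSHOT, BLOCK_LIST))
```

In the constructed snapshot two of the three listed addresses also serve unlisted sites, so only 203.0.113.7 could be blocked by address without side effects; the name-based list never affects blog.example.org or shop.example.org. A real deployment would have to re-run this check whenever the snapshot changes, since shared-hosting assignments move over time.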


Levels of Bandwidth Management

The focus of this paper is Internet bandwidth management based on DPI. The previous sections have explained the technical, legal and social aspects of this technology. In many of the public discussions, the participants are in irreconcilable opposition. Particularly DPI opponents often assume a very extreme position in their arguments. FUD and other scare tactics are no rarity.

We strongly believe that a more differentiated discussion has long been overdue. For this reason we propose a classification scheme with seven levels of bandwidth management – some involving DPI, some not. The following list is in ascending order according to a bandwidth management policy’s potential impact on net neutrality. All measures could be deployed separately or in combination.

Independent of the bandwidth management policy implemented by ISPs, we strongly believe that this policy should be openly communicated to customers and – more importantly – to prospective customers. This is also where legislation, if deemed necessary, should put its focus. Instead of trying to define what kind of bandwidth management is acceptable, it should enforce transparency and let the market do the regulation.

Best Effort Service
This has been the status quo in the Internet since its inception. Every packet is treated equally, independent of its type or content. In case of congestion at a particular router hop along a network path, packets are randomly dropped depending on their arrival time and router buffer occupancy.
Pros:
◦ Provides maximum net neutrality according to some definitions
◦ No additional implementation cost
Cons:
◦ Prevents the implementation of QoS guarantees
◦ Unfair to the majority of network users

Per-User Bandwidth Fairness
Currently, the Internet only provides per-connection fairness for the TCP transport protocol, as described above. Bandwidth-greedy applications that use UDP for bulk data transfer or open many simultaneous TCP connections can easily circumvent this transport capacity fairness and use more than their fair share of the available bandwidth. A traffic management system can rather easily enforce a per-subscriber bandwidth usage fairness that ensures that all users get, on average, an approximately equal share of the available bandwidth, which is particularly important during periods of network congestion.
Pros:
◦ Heavy users have no negative performance impact on others
◦ Fair distribution of available resources among all users
◦ No DPI required
Cons:
◦ None found

User-Configurable Disabling of Selected Applications
The ISP offers its subscribers the ability to block access to selected protocols, applications or even content as a managed service. Residential customers can use this feature for parental control and enterprise customers for blocking of non-work-related applications. For example, residential subscribers may choose to disable P2P file sharing to avoid prosecution for copyright infringements committed by their children. The same could be done in a company network or at a public hotspot to avoid any liability issues for user activities. Also, access to recreational applications (e.g. media streaming, social networking sites, online games) could be blocked for company staff.
Pros:
◦ Improved security and application control for Internet users
◦ Protection against copyright liabilities
◦ Protection against application-specific attacks
Cons:
◦ Requires DPI equipment

Application-Aware Congestion Management
Based on the fact that certain QoS guarantees (e.g. minimum available bandwidth, maximum delay and jitter, maximum packet loss) are more critical for some applications than for others, an ISP implements a QoS management scheme taking into account the specific requirements of an application or application class. In its simplest form, this could be a tiered priority scheme as in the following example:
◦ Highest priority: network-critical protocols such as BGP, ICMP, DNS, maybe TCP FIN and ACK packets


◦ High priority: interactive real-time applications such as VoIP, online games, remote control software
◦ Default priority: all applications with no specified priority
◦ Low priority: high-bandwidth applications such as P2P file sharing, large Web downloads, NNTP, e-mail

In addition, bandwidth guarantees can be assigned per application – either aggregated for an entire network or even per individual subscriber or subscriber group.
Pros:
◦ Better congestion protection
◦ Better QoS for network users with the same available bandwidth
◦ Better resource utilization at the ISP, which can mean lower charges for Internet access service
Cons:
◦ Low priority applications will get slightly less bandwidth in times of network congestion
◦ Requires DPI equipment

Tiered Services and Pricing
Internet access fees have seen an evolution from online-time, over data volume charges, to today’s prevalent model of flat rates that differ mostly by maximum access data rates. Usage-based charges are still the norm in mobile networks, but even in wireline networks they have reappeared in the discussion due to the huge disparity in data volumes between normal and heavy users. This is a bad idea because – and this is a widely accepted assumption – it would stifle innovation in the Internet.

A possible way out of this dilemma for ISPs and their subscribers is an approach that strikes a balance between flat rates and usage-based charging. The basic idea is to offer customers a choice of which services they require from their ISP – and are happy to pay for – and which they do not. Below is a short list with examples of different services that could be offered by an ISP with such a tiered services and pricing model:
◦ A very cheap or ad-financed Web-only service
◦ A cheaper service that excludes certain high-bandwidth applications
◦ In addition to the previous service, allow customers to enable excluded services for an additional one-time fee on demand via a customer portal
◦ A more expensive all-inclusive service
◦ An expensive business service with QoS guarantees for user-selected applications such as VoIP, the corporate VPN, and business-critical SaaS sites like Salesforce.com
Pros:
◦ Better, more flexible access services
◦ More fairness among subscribers (normal vs. heavy users)
◦ Subscribers get more control over access fees
Cons:
◦ More expensive for heavy users
◦ More complex tariff models
◦ Requires DPI equipment

QoS Guarantees for Provider Services
Triple play providers offering Internet, telephone and TV service over a single broadband connection need to ensure that each of these application classes gets its required QoS parameters. Some run entirely separated networks for each service so that there is no QoS interdependency between them and with third-party services. A less expensive way to solve this problem is to simply prioritize VoIP over IPTV over everything else that runs through a shared pipe. The prioritization only has an effect during network congestion, and it would be limited to the ISP’s VoIP and IPTV services.

Higher priorities for a provider’s own services always have a certain misuse potential. A priority advantage of the ISP’s services over competing, over-the-top third-party services limits competition and could in turn drive up prices. A clear regulation that defines how many resources can be used exclusively by the infrastructure provider versus resources that need to be available for third-party use would be desirable.
Pros:
◦ Guaranteed performance for providers’ business-critical applications
◦ Better resource utilization, which can potentially mean a cheaper Internet access for subscribers
Cons:
◦ Misuse potential requires regulation
◦ Depending on the specific infrastructure, DPI equipment may be required

Revenue Protection and Generation
An ISP blocks services that directly compete with its own, revenue-generating product. If the ISP offers a triple-play package including VoIP and IPTV, and there is a usage-based charge for instance for international calls, services like Skype are a clear competitor and decrease the potential revenues of the provider’s service. Free voice services have caused headaches particularly for mobile operators. Customers are asking for data flat rates, and the operators want to offer them for a fee to generate additional revenue, but they fear that Skype and free SIP services will bite big chunks out of their normal voice revenues. This fear has so far limited the introduction of data flat rates in the mobile market.

The networks of mobile operators are also more susceptible to congestion due to their limited capacity. A few P2P users can have a devastating effect on the performance of an entire network cell. Thus, providers may choose to exclude high-bandwidth services that have a negative performance impact on other subscribers as a form of infrastructure investment protection.

In addition, ISPs have the option to monetize their gateway position between the subscriber and the Internet. By monitoring the online behavior of their customers, they can serve targeted advertisements to generate additional revenue. Transparency – or the lack of it – is a big problem for this kind of activity. The DPI equipment required for this ad injection needs to have special capabilities to extract information on content downloaded by subscribers in order to serve relevant advertisements. This goes far beyond what DPI bandwidth management systems do, at least for the small subset of the entire traffic that is monitored, as this kind of monitoring is usually limited to Web traffic. On the more open side, the ISP could offer this ad injection as a customer-selectable option that reduces the monthly Internet access fee.
Pros:
◦ Allows the ISP to monetize advertisements, which has traditionally been limited to content providers
◦ Can reduce Internet access fees
Cons:
◦ Privacy and transparency problems
◦ Requires special, single-purpose DPI equipment

Feedback Welcome!
The presented list is not meant to be complete, but is intended as a contribution to bring more structure into the public debate about DPI Internet traffic management. Feedback and comments are always welcome.
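Two claims in the levels above lend themselves to a numerical check: that giving voice a higher priority than P2P costs P2P nothing measurable, and that a tiered priority scheme can be combined with per-application bandwidth guarantees. The following Python simulation is an added illustration and is not code from the white paper or from ipoque: it compares a best-effort link, where congestion scales every class back in proportion to its demand, with a strict-priority scheduler that first reserves each class's guarantee and then serves the remaining demand in priority order. The link capacity, class demands and priority numbers are constructed sample values in Mbit/s.

```python
"""Strict-priority scheduling with optional per-class bandwidth guarantees.

Added illustration, not code from the white paper or from ipoque. Capacity,
class demands and priorities are constructed sample values in Mbit/s.
"""
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    priority: int           # 1 = highest priority
    demand: float           # Mbit/s the class would consume if unconstrained
    guarantee: float = 0.0  # minimum bandwidth reserved for the class


def best_effort(capacity: float, classes: list) -> dict:
    """No management: during congestion every class is scaled back in
    proportion to its demand (a stand-in for drops hitting all flows alike)."""
    total = sum(c.demand for c in classes)
    scale = min(1.0, capacity / total) if total else 1.0
    return {c.name: c.demand * scale for c in classes}


def strict_priority(capacity: float, classes: list) -> dict:
    """Application-aware management: first reserve each class's guarantee
    (never more than it demands), then hand out the rest in priority order;
    a class only receives more once all higher-priority demand is met."""
    alloc = {}
    left = capacity
    for c in classes:
        reserved = min(c.guarantee, c.demand, left)
        alloc[c.name] = reserved
        left -= reserved
    for c in sorted(classes, key=lambda c: c.priority):
        extra = min(c.demand - alloc[c.name], left)
        alloc[c.name] += extra
        left -= extra
    return alloc


LINK_MBITS = 100.0


def scenarios() -> dict:
    """Three constructed congestion scenarios on a 100 Mbit/s link."""
    # 1. Voice is tiny next to P2P: prioritizing it costs P2P almost nothing.
    voice_vs_p2p = [TrafficClass("voice", 1, 0.8), TrafficClass("p2p", 4, 120.0)]
    # 2. Two bulk classes: priority for IPTV visibly shrinks P2P.
    iptv_vs_p2p = [TrafficClass("iptv", 2, 60.0), TrafficClass("p2p", 4, 120.0)]
    # 3. Same idea, but P2P carries a 20 Mbit/s guarantee so it is never starved.
    guaranteed = [TrafficClass("iptv", 2, 90.0),
                  TrafficClass("p2p", 4, 120.0, guarantee=20.0)]
    result = {}
    for label, classes in (("voice_vs_p2p", voice_vs_p2p),
                           ("iptv_vs_p2p", iptv_vs_p2p),
                           ("p2p_guarantee", guaranteed)):
        result[label] = {"best_effort": best_effort(LINK_MBITS, classes),
                         "priority": strict_priority(LINK_MBITS, classes)}
    return result


if __name__ == "__main__":
    for label, runs in scenarios().items():
        print(label)
        for policy, alloc in runs.items():
            shares = ", ".join(f"{n}={v:.2f}" for n, v in alloc.items())
            print(f"  {policy:12s} {shares}")
```

In the first scenario P2P drops from about 99.34 to 99.2 Mbit/s when voice gets strict priority, a loss of roughly 0.1 percent, while voice goes from a degraded 0.66 to its full 0.8 Mbit/s. In the second scenario the lower-priority class really does pay: P2P falls from 66.7 to 40 Mbit/s once IPTV is prioritized. The third scenario shows how a guarantee bounds that effect; without it P2P would be squeezed to 10 Mbit/s, with the 20 Mbit/s reservation it keeps 20 and IPTV still gets 80.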


About ipoque
ipoque is the leading European provider of deep packet inspection (DPI) solutions for Internet traffic management and analysis. Designed for Internet service providers, enterprises and educational institutions, ipoque's PRX Traffic Manager allows users to effectively monitor, shape and optimize network applications. These include the most critical and hard to detect protocols used for peer to peer file sharing (P2P), instant messaging (IM), Voice over IP (VoIP), tunneling and media streaming, but also many legacy applications. For further information, please visit www.ipoque.com.

Contact
ipoque
Mozartstr. 3
D 04107 Leipzig
Germany
Tel.: +49 (341) 59 40 30
Fax: +49 (341) 59 40 30 19
E-mail: [email protected]
Web: www.ipoque.com

Distributed by
BRAIN FORCE Software GmbH supplies intelligent IT solutions based on best practices, effective services, and innovative products in the business solutions and infrastructure optimization areas. Customers profit from tailored service offerings, flexible solutions, and innovative goods. With its product offering for professional IT processes, BRAIN FORCE is reducing costs and thus contributing to the economic success of customers.

Contact:
BRAIN FORCE Software GmbH
Ohmstr. 12
63225 Langen (near Frankfurt)
Germany
Tel.: +49 (0)6103 906-767
Fax: +49 (0)6103 906-789
E-mail: [email protected]
Web: www.brainforce-channel.com
