What is deep packet inspection (DPI) and why do we need it? An in-depth guide.
By Christine Lorenz
Published on: 06.06.2023
When we started this blog series two years ago, we were thrilled with the idea of creating our own collection of articles that explored the ever-growing significance of deep packet inspection (DPI) in networking. Since then, we have uncovered many exciting use cases for deep packet inspection, ranging from SASE, ZTNA and 6G to cloud-native networks and edge computing. In fact, we became so caught up with the fast pace at which DPI was expanding its forte that we forgot (or perhaps took for granted) the fact that we never penned an article exclusively about deep packet inspection. It is long overdue, of course, but here it is finally – an article that takes a deep dive into our favorite technology: DPI. We'll explore how deep packet inspection works, its applications in network security, and why DPI is essential for modern networks.
Deep packet inspection (DPI), in the networking context, is a traffic processing methodology used to analyze IP data packets, classify IP traffic and extract metadata. Unlike traditional packet filtering, deep packet inspection enables network administrators to inspect the content of data packets, allowing for enhanced network security, bandwidth management, and regulatory compliance. DPI logs IP packets as they move through the network using either in-line or out-of-band filtering, delivering real-time analysis at the packet, flow and network level. DPI is essentially a technology that network administrators can use to observe, route, filter, control, duplicate, quarantine and block packets. DPI technology is used widely by networking and cybersecurity solutions, such as SD-WAN and next-gen firewalls, where its real-time inputs are programmed as the basis for various policies and network responses.
As a leading vendor in the deep packet inspection market, ipoque boasts cutting-edge DPI technology that leverages the latest developments in the IP space. Our network traffic classification methodology combines advanced deep packet inspection techniques such as statistical, behavioral and heuristic analysis as well as advanced machine learning (ML) and deep learning (DL) to accurately identify underlying protocols, applications and services. ipoque’s layer 3 to layer 7 network traffic analysis encompasses protocols on layers 3 and 4, such as IPv4/IPv6 and TCP/UDP, and layer 7 protocols, applications and service types, such as HTTPS, WhatsApp and video downloads, respectively. Diagram 1 shows real-time classification, delivered by DPI, at each one of these different layers.
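To make the layer 3 to layer 7 idea concrete, the following added example (not ipoque code and not how R&S®PACE 2 works internally) classifies a raw IPv4 packet by its headers and then by a simple payload signature, so TLS or HTTP is recognised even on a non-standard port. The function names, sample builders and the host name are assumptions made for illustration.

```python
import struct

def parse_sni(p):
    """Return the server name from a TLS ClientHello payload, else None."""
    try:
        if p[0] != 0x16 or p[5] != 0x01:       # handshake record, ClientHello
            return None
        pos = 43                               # record hdr + handshake hdr + version + random
        pos += 1 + p[pos]                      # skip session id
        pos += 2 + struct.unpack_from("!H", p, pos)[0]   # skip cipher suites
        pos += 1 + p[pos]                      # skip compression methods
        pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", p, pos)[0]
        while pos + 4 <= end:                  # walk the extension list
            ext_type, ext_len = struct.unpack_from("!HH", p, pos)
            if ext_type == 0:                  # server_name extension
                n = struct.unpack_from("!H", p, pos + 7)[0]
                return p[pos + 9:pos + 9 + n].decode("ascii", "replace")
            pos += 4 + ext_len
    except (IndexError, struct.error):         # truncated or malformed input
        pass
    return None

def classify(pkt):
    """Classify one raw IPv4 packet at layer 3, layer 4 and layer 7."""
    l4 = pkt[(pkt[0] & 0x0F) * 4:]             # skip the IPv4 header (IHL field)
    out = {"l3": "IPv4", "l4": {6: "TCP", 17: "UDP"}.get(pkt[9], "other"), "l7": "unknown"}
    if out["l4"] == "other":
        return out
    out["dport"] = struct.unpack_from("!H", l4, 2)[0]
    data = l4[(l4[12] >> 4) * 4:] if out["l4"] == "TCP" else l4[8:]
    sni = parse_sni(data)                      # content decides, not the port
    if sni is not None:
        out.update(l7="TLS", sni=sni)
    elif data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        out["l7"] = "HTTP"
    return out

# Constructed sample builders (not captured traffic): documentation IPs, zero checksums.
def sample_packet(dport, data):
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + tcp

def sample_client_hello(host):
    sni = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host.encode()
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body = hello + struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Calling `classify(sample_packet(8443, sample_client_hello("app.example.test")))` labels the flow as TLS with its server name although the port is not 443. The server name is readable only because the ClientHello is sent in cleartext; where it is encrypted, payload signatures like this one no longer apply.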
Our DPI technology additionally extracts metadata to determine traffic attributes, including bandwidth used, traffic speed, latency, jitter, user locations and types of devices. It also examines traffic behavior and detects traffic that is malicious, suspicious or anomalous.
ipoque’s DPI technology is built into its renowned DPI engines R&S®PACE 2 and R&S®vPACE. Our long-standing DPI software R&S®PACE 2 is based on scalar packet processing and caters to traffic filtering needs in traditional networks, while our VPP DPI engine R&S®vPACE, which was introduced last year, is based on vector packet processing (VPP) frameworks such as FD.io or DPDK Graph, making it ideal for more intensive computing environments. Both engines leverage an extensive traffic signature library that is updated weekly and that comprises thousands of protocol and application signatures.
DPI technology has evolved significantly over the years. With a series of ground-breaking innovations, ipoque has managed to take the lead in this area. These innovations make it possible to go beyond standard DPI to offer next-gen intelligence solutions which are capable of addressing the needs of future networks. One such enhancement is performance, which is critical in addressing the rapid growth in traffic volumes. R&S®PACE 2 delivers a throughput per core of 14 Gbps on average, while its cloud-native VPP counterpart, R&S®vPACE, delivers a speedup of up to three times, leveraging an improved average clocks-per-packet ratio. Both DPI engines feature first packet classification, that is, identifying flows from the very first packet, allowing faster and consistent policy responses across all related packets.
Further key criteria for next-gen DPI are scalability and ease of deployment. Our DPI software boasts a minimal processing footprint and can be embedded in both virtualized and cloud-native environments and scaled linearly to meet any capacity. This lean form factor allows traffic filtering to take place closer to the traffic source, minimizing latency and improving traffic performance. To give you an idea, in the case of a network with a distributed user base that accesses mostly cloud and SaaS applications, traffic does not need to be backhauled to the data center for filtering and inspection, but can instead be routed through a cloud access security broker (CASB) that is equipped with R&S®PACE 2. Similarly, for IoT use cases, R&S®PACE 2 can be deployed in the edge network close to where a smart city or an Industry 4.0 network is located.
What often sets standard DPI tools apart from advanced DPI-based network intelligence solutions is coverage and comprehensiveness. A frequently updated signature library is key to any deep packet inspection solution. ipoque tops its weekly updated library with its custom service classifier (CSC), which allows customers to add their own signatures. This is especially useful for customer-specific applications and newly discovered threats. The CSC comes with a predefined list of thousands of web services, allowing customers to focus on hard-to-detect applications and threats.
Encrypted traffic intelligence (ETI) by ipoque takes application awareness to the next level by extending visibility into encrypted, obfuscated and anonymized traffic. ETI involves ML/DL, high-dimensional data analysis and advanced caching methods, such as service caching and DNS caching, to address the latest protocols, including TLS 1.3 and TLS 1.3 0-RTT as well as DNS over TLS and DNS over HTTPS (collectively referred to as DoX). Encrypted traffic intelligence mitigates concerns around DPI’s limitation against encrypted traffic, and provides a future-proof method for traffic inspection as more and more network traffic becomes encrypted. ipoque is the only DPI vendor in the market that offers encrypted traffic intelligence (ETI) as part of its DPI technology, whereas rival solutions rely on third-party tools.
From prioritizing critical enterprise applications to safeguarding enterprise data from infiltration and data breaches, DPI is at the heart of hundreds of network use cases.
Deep packet inspection helps
The most powerful use case for DPI is perhaps the traffic insights themselves which power thousands of analytics solutions with granular records of packets, flows and applications. From application monitoring and network performance management to active probing, DPI-based analytics offer a high degree of versatility with customizable logging and reporting templates. ipoque customers can also pair their DPI engine with the R&S®PACE 2 flow data exporter plug-in which translates DPI data logs into IPFIX-encoded messages. This offers comprehensive analyses that merge NetFlow/IPFIX reporting with DPI-based insights.
The continuous research and development by ipoque in the network intelligence space and years of deployment experience have paved the way for next-gen DPI solutions that are highly adaptive to network requirements. The VPP DPI engine R&S®vPACE is a prime example of this, with its cloud-native implementation which addresses demanding, high-performance networks. The recently released long-term support (LTS) is another example. LTS delivers an up-to-date release without the need for recompiling or rebooting and eliminates regressions. LTS complements the dynamic upgrade (DU) feature by ipoque which enables signature upgrades and additions during runtime.
New milestones such as these are setting new standards for DPI performance and are pushing DPI deployments across more use cases, especially those that require leaner setups. DPI is already embedded in hundreds of appliances, VNFs and CNFs across various network environments. Both enterprise and telecom networks rely on DPI for real-time traffic visibility with various innovative use cases being announced on the market every month. Some recent innovative DPI use cases powered by ipoque are:
The rise of latency-sensitive applications and prevalence of rich content such as 8K video or virtual reality requires micro-level policies that route, optimize and control packets based on network capacity, security requirements and SLAs. With deep packet inspection, a network can be fine-tuned to the content it carries, the devices it connects to, the users it serves, its available capacity and its capabilities. Fine-grained insights by next-gen DPI support the continuous alignment of these elements, regardless of whether you are dealing with a small local area network at a branch office or a radio access network that covers an entire city. In other words, deep packet inspection makes it possible for networks to keep performing and to keep delivering a seamless and secure network experience for everyone.
Discover more details in our solution guide on next-gen DPI.