Privacy Hardware

80 Gbps Deep Packet Inspection Hardware Announced 185

An anonymous reader writes to tell us that Procera Networks is launching a new weapon on the deep packet inspection (DPI) front. At $800,000 these 80 Gbps tanks aren't going to be sitting in everyone's closet, but it could mean that more traffic shaping is on the way. "The PL10000 can handle up to 5 million subscribers and can track 48 million real-time data flows. That's certainly a potent piece of hardware, but larger ISPs will need more. That's why Procera designed the new machines with full support for synchronizing traffic flows where return traffic might be routed to a different PacketLogic machine. The machine receiving the return traffic can make the machine monitoring the outbound traffic aware that it sees the other half of a TCP/IP conversation, for example, giving the devices more accuracy than those which might only have access to one side."
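The synchronization described in the summary depends on two machines agreeing that opposite halves of a conversation are the same flow. The sketch below is an added example, not Procera's code: the `Inspector` class, its counters and the sample addresses are hypothetical, and it shows only a direction-independent flow key plus an idempotent state merge between two nodes.

```python
import ipaddress
from collections import defaultdict

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Return (key, direction); both halves of a conversation share one key."""
    src = (ipaddress.ip_address(src_ip), src_port)
    dst = (ipaddress.ip_address(dst_ip), dst_port)
    order = lambda e: (e[0].version, e[0].packed, e[1])
    lo, hi = sorted((src, dst), key=order)
    key = (proto, str(lo[0]), lo[1], str(hi[0]), hi[1])
    return key, ("fwd" if src == lo else "rev")

class Inspector:
    """Hypothetical inspection node holding a per-flow byte counter table."""
    def __init__(self, name):
        self.name = name
        self.flows = defaultdict(lambda: {"fwd": 0, "rev": 0})

    def observe(self, src_ip, src_port, dst_ip, dst_port, proto, length):
        key, direction = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        self.flows[key][direction] += length
        return key

    def sync_from(self, peer):
        # Counters only grow, so taking the max per direction is idempotent:
        # replaying or reordering sync messages cannot corrupt the table.
        for key, theirs in list(peer.flows.items()):
            mine = self.flows[key]
            for d in ("fwd", "rev"):
                mine[d] = max(mine[d], theirs[d])

    def one_sided(self):
        """Flows for which this node has seen only one direction."""
        return sorted(k for k, v in self.flows.items() if 0 in (v["fwd"], v["rev"]))

def demo():
    a, b = Inspector("A"), Inspector("B")
    # Constructed sample: the outbound half crosses node A, the return half node B.
    key = a.observe("10.0.0.5", 51000, "198.51.100.7", 443, "tcp", 1200)
    b.observe("198.51.100.7", 443, "10.0.0.5", 51000, "tcp", 64000)
    before = (len(a.one_sided()), len(b.one_sided()))
    a.sync_from(b)
    b.sync_from(a)
    return key, before, dict(a.flows[key]), a.flows == b.flows
```

Before the merge each node holds a one-sided flow; afterwards both tables carry the same bidirectional counters.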
  • DPI - Encrypt (Score:5, Interesting)

    by Unlikely_Hero ( 900172 ) on Monday May 12, 2008 @02:02PM (#23381074)
    DPI has only one option when presented with encrypted information however (at least afaik). Give the packet a low priority or pass it through normally (of course, it could also drop it entirely but doing that as a rule would be problematic to say the least). So it would be possible to force a bet. Can the ISPs afford to give encrypted traffic a very low priority?
  • by Anonymous Coward on Monday May 12, 2008 @02:10PM (#23381200)
    Sounds like strong encryption needs to become the norm for everything. Encrypt everything and they have to fight harder to inspect it. It'll turn into a ridiculous arms race, but they're firing the first volley with this, and to do nothing is giving in to it.

    I also think that stronger net privacy laws won't be enough to really stop it, since it's not just our government (Or indeed, not just governments in general,) that'll be using these.
  • by imunfair ( 877689 ) on Monday May 12, 2008 @02:11PM (#23381218) Homepage
    only 80Gbps with 5 million subscribers? If my math isn't way off, that's about 16kbps - which is pretty pitiful speed. You'd have to throttle a lot just to be able to use one of these machines at max subscribers per machine.

    Welcome to Comcast - our new TOS allows you to view text-only web pages with your *high speed* internet connection!
  • by TheGratefulNet ( 143330 ) on Monday May 12, 2008 @02:26PM (#23381456)
    think about the original definition of ethernet and of IP, in general.

    in general, it was setup to pass packets and ideally to keep them in the same order and not drop them. beyond that, the upper layers (tcp and udp) did any higher level functions.

    this worked! for the longest (damned) time, it worked.

    and now, ISPs (and large networks) are starting to try to break out the 'cable is a bunch of bits' into discrete 'services' and then try to re-order things, drop things, queue them differently or somehow treat things non-uniformly.

    I think this is Evil(tm).

    I've been in the networking field for a few decades (really) and I've seen traffic shaping (what a euphemism, btw!) try to argue its case over and over again. but I keep getting back to the basic design principles of ethernet (csma-c/d) and tcp/udp-ip and when you have large enough pipes, you don't NEED a 'fast lane' or diamond lane, so to speak. it just mucks up the works, makes things harder to design and manage and really isn't helpful since you still need large pipes and all the shaping in the world won't CURE that, it only DEFERs things. that's not a cure.

    data should be 'opaque' and first-come first-served. equal access. standard layer (phys, dl, network) rules should still apply.

    ISPs who employ shaping are simply RIPPING OFF customers from their rightful bandwidth and also passing along the COST of the packet snooping hardware to us, the users. (don't think they'll just spring for the hardware on their own; they'll pass the costs of this stuff to us, to be sure).

    I think it's evil. once you look at it from enough angles, you see that it's not at all a good thing.

  • Re:DPI - Encrypt (Score:4, Interesting)

    by Shadow-isoHunt ( 1014539 ) on Monday May 12, 2008 @02:32PM (#23381566) Homepage
    The problem with this whole "it's encrypted so they'd have to throttle SSL too" idea is that bittorrent doesn't use SSL, and lacks a Diffie Hellman exchange. Encrypted BT traffic looks nothing like any other traffic, so it can still be picked out of the traffic flows and thrown into another QoS bracket. Using SSL for BT would also be stupid, because SSL (the key exchange in particular) is computationally expensive. You'd peg your CPU at 100% the whole time you were grabbing your porn.
  • by evanbd ( 210358 ) on Monday May 12, 2008 @02:40PM (#23381686)
    Heck, to defeat this you could just use AES with a default key. Everyone can use the same key, and have it be publicly known. It's fine because this thing doesn't have the compute power to decrypt in real time, even if it knows what it needs to be decrypting and what the key is. Screw handshaking, key management, etc -- just make the CPU cost nonzero and you're done.
  • by gzerphey ( 1006177 ) on Monday May 12, 2008 @02:46PM (#23381774)
    You are absolutely correct. For the longest (damn) time this did work. The problem is now the traffic doesn't burst like it used to. It's more sustained and oversubscription rules are breaking. Most ISPs are honestly trying to play a game of self-preservation so they can keep their service alive without being cost prohibitive.

    DPI is not evil so long as it is used to make the network better as a whole. As with anything it can be bent to the will of evil, but I disagree with that completely. I believe in certain forms of limiting so long as it doesn't degrade the internet experience as a whole.

    And yes, I consider myself a backer of net neutrality. All I can say is, I am a realist.
  • Re:DPI - Encrypt (Score:2, Interesting)

    by kriss ( 4837 ) on Monday May 12, 2008 @02:46PM (#23381788) Homepage
    Actually, the whole idea of DPI is *not* to detect things based on port. There's definitely legitimate uses for encrypted traffic - heck, even encrypted P2P, but it'd be a bit premature to say that you can't separate protocols from each other even if they're encrypted.

    It's a bit beside the point though. A sane approach to DPI is just to give some traffic a lower priority than other traffic. If the pipe goes full, you don't want to RED drop some WoW traffic (unhappy user) over some BT traffic (decidedly non-interactive). You might also want to keep web browsing at a better priority than bulk HTTP transfers and P2P, whatnot.
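Several comments above argue that encrypted flows can still be separated from one another. The sketch below is an added example, not code from any commenter or vendor, and shows one heuristic a traffic classifier can apply to the first payload of a flow: TLS announces itself with a cleartext record header, while a stream that is high-entropy from its first byte has no such framing. The thresholds, labels and sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed cut-off for "looks random"
MIN_ENTROPY_SAMPLE = 512  # shorter payloads give an unreliable entropy estimate

def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_tls_record(data):
    # Record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length.
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    return 0 < int.from_bytes(data[3:5], "big") <= 16384

def classify_first_payload(data):
    if not data:
        return "empty"
    if looks_like_tls_record(data):
        return "tls"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    if printable > 0.95:
        return "cleartext"
    if len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque-high-entropy"
    return "unknown"

def pseudo_random(n, seed=b"constructed-sample"):
    # Deterministic stand-in for ciphertext so the example is reproducible.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed payloads, not captured traffic.
SAMPLES = {
    "https": bytes.fromhex("16030100c8010000c40303") + pseudo_random(194),
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "obfuscated": pseudo_random(1024),
}

def classify_samples():
    return {name: classify_first_payload(p) for name, p in SAMPLES.items()}
```

The class assigned here is only an input to a queueing decision; which priority each class receives is the policy question the thread is arguing about.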
  • Re:$800,000? (Score:5, Interesting)

    by sgt scrub ( 869860 ) <[saintium] [at] [yahoo.com]> on Monday May 12, 2008 @03:14PM (#23382262)
    Better yet, force the telco's to put up the fiber networks they were awarded huge tax cuts to put up! They don't have bandwidth problems they have accountability problems created by the RIAA et al. backed by people desperately trying to find a way to censor the net.
  • Re:$800,000? (Score:4, Interesting)

    by Ioldanach ( 88584 ) on Monday May 12, 2008 @04:29PM (#23383398)

    force the telco's to put up the fiber networks they were awarded huge tax cuts to put up!
    Just bill them for the back taxes for the networks they failed to install as promised.
  • Re:Lots of Issues (Score:3, Interesting)

    by the eric conspiracy ( 20178 ) * on Monday May 12, 2008 @10:29PM (#23387036)
    Deep packet inspection is necessary to identify and provide QoS for many modern internet applications. For example it is quite common for services to tunnel video over HTTP (example - YouTube). Skype cannot be identified without DPI.

    Of course it can be used for good or evil. But the fact of the matter is that DPI is in the mix as one approach to provide QoS for real time internet applications like streaming video and audio that don't play well with the 'best effort' delivery paradigm that packet switched networks are really designed to provide.

    If you really want network neutrality for every packet, fine. But be aware that right now time sensitive traffic types like VOIP are being prioritized, and network neutrality will degrade performance for some applications.
