Deep Packet Inspection as a Service

Hay-Saikevich David, HUJI, School of Computer Science and Engineering, Computer Science

Category

Computer Science and Engineering

Keywords

DPI, Telecommunication

Current development stage

TRL 4: technology validated in lab

Application

Middleboxes play a major role in Software Defined Networks (SDN), as simply forwarding packets is not enough to meet operators' demands in terms of security, QoS/QoE provisioning and load balancing. In current systems, Deep Packet Inspection (DPI) is a common task in many middleboxes and the most resource-consuming one.

Today, traffic is usually routed through a chain of middleboxes before reaching its destination, and it is scanned over and over again by every middlebox in the chain that has a DPI component. Even consolidated middlebox solutions perform DPI separately, from scratch, in each component.

There is a need to offer DPI as a service, decoupled from the individual middleboxes, so that multiple middleboxes share a single inspection stage; this optimizes network efficiency and reduces operating costs.

Our Innovation

This technology extracts the DPI engine from the different middleboxes and provides it as a service to the various middleboxes in the network. The service is provided by deploying one or more service instances around the network, all controlled by a logically-centralized DPI Controller. Thus, a packet in such a network goes through a single DPI service instance and then visits the middleboxes dictated by its policy chain.

Advantages

  • Superior throughput and reduced memory footprint
  • Resource sharing, as the hardware used for DPI is decoupled from any specific middlebox
  • Robustness and security, since the DPI service is deployed as multiple instances rather than concentrating all traffic in a single location
  • A single DPI scan per packet: costly pre-processing such as decompression or decryption is performed only once for each packet, not once per middlebox

Figure 1: Examples of middlebox chains (a.k.a. policy chains), with and without DPI as a service.

Technology

Each packet that requires DPI by any of the middleboxes on its policy chain is forwarded to the DPI service, where it is inspected only once. The inspection results (namely, the patterns that were matched, and where) are then communicated to the corresponding middleboxes, either on the same packet (e.g., as metadata in a Network Service Header, NSH) or on a separate packet.

The proposed framework relies heavily on virtualization and therefore includes both a virtual DPI service, which is instantiated across the network, and a DPI controller, whose role is to orchestrate the different DPI service instances. Making DPI a service has implications not only for the architecture and the system design of a middlebox that uses DPI, but also for the algorithmic aspects of the DPI engine (which is implemented by the virtual DPI service) itself. Specifically, the researchers present one such tailor-made algorithm that benefits from the flexibility of a virtual environment.
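The following is an added example, written for this page and not code from the original page or from the research group. It sketches the single-scan data path described above: each middlebox registers its pattern set with the DPI service, the service builds one combined Aho-Corasick automaton, scans a packet exactly once, and hands every middlebox only its own matches, encoded as NSH (RFC 8300) MD Type 2 context headers prepended to the packet. The middlebox names, pattern sets, packet contents and the metadata class/type numbers are constructed for the example; the DPI controller's orchestration is reduced to the `register` calls.

```python
"""Added example: one DPI scan per packet, results delivered to each middlebox
on the policy chain as NSH (RFC 8300) MD Type 2 context headers.
Middlebox names, pattern sets, the packet and the metadata class/type
numbers are constructed for this example."""
from collections import deque
import struct

NSH_MD_CLASS = 0xFFF6   # assumed: a class from the experimental-use range
NEXT_PROTO_IPV4 = 0x01  # RFC 8300 Next Protocol value for an inner IPv4 packet


class DPIService:
    """Aho-Corasick matcher over the union of every middlebox's pattern set."""

    def __init__(self):
        self.goto = [{}]        # state -> {byte: next state}
        self.fail = [0]         # state -> failure state
        self.out = [[]]         # state -> pattern ids ending exactly here
        self.emit = [[]]        # state -> pattern ids to report (out + failure chain)
        self.patterns = []      # pattern id -> (owner middlebox, pattern bytes)
        self.owners = []        # owner index doubles as the NSH context-header Type
        self.built = False

    def register(self, owner, patterns):
        """Invoked by the DPI controller on behalf of a middlebox joining the chain."""
        if owner not in self.owners:
            self.owners.append(owner)
        for pat in patterns:
            self.patterns.append((owner, pat))
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(len(self.patterns) - 1)
        self.built = False      # pattern sets may change at runtime; rebuild lazily

    def build(self):
        """BFS over the trie to compute failure links and merged outputs."""
        self.emit = [list(o) for o in self.out]
        q = deque(self.goto[0].values())
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.emit[s] += self.emit[self.fail[s]]
                q.append(s)
        self.built = True

    def scan(self, payload):
        """The single DPI pass. Returns {owner: [(pattern, start offset), ...]}."""
        if not self.built:
            self.build()
        s, results = 0, {}
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for pid in self.emit[s]:
                owner, pat = self.patterns[pid]
                results.setdefault(owner, []).append((pat, i - len(pat) + 1))
        return results


def nsh_encode(svc, spi, si, results, next_proto=NEXT_PROTO_IPV4):
    """NSH base + service path header, then one MD Type 2 context header per
    middlebox that matched, carrying its pattern ids (one byte each; assumes
    fewer than 256 patterns and at most 127 ids per middlebox)."""
    ctx = b""
    for owner, matches in results.items():
        pids = bytes(sorted({svc.patterns.index((owner, p)) for p, _ in matches}))
        ctx += struct.pack(">HBB", NSH_MD_CLASS, svc.owners.index(owner), len(pids))
        ctx += pids + b"\x00" * (-len(pids) % 4)        # pad metadata to 4-byte words
    length = 2 + len(ctx) // 4                            # in 4-byte words, incl. both headers
    base = (63 << 22) | (length << 16) | (2 << 8) | next_proto   # Ver=0, O=0, TTL=63, MD Type=2
    return struct.pack(">II", base, (spi << 8) | si) + ctx


def nsh_my_matches(svc, nsh, owner):
    """Middlebox side: read back only this middlebox's patterns from the context headers."""
    length = ((struct.unpack_from(">I", nsh)[0] >> 16) & 0x3F) * 4
    want, off = svc.owners.index(owner), 8
    while off < length:
        mdclass, mdtype, ln = struct.unpack_from(">HBB", nsh, off)
        ln &= 0x7F
        if mdclass == NSH_MD_CLASS and mdtype == want:
            return [svc.patterns[pid][1] for pid in nsh[off + 4:off + 4 + ln]]
        off += 4 + ln + (-ln % 4)
    return []


def demo():
    svc = DPIService()
    svc.register("ids", [b"cmd.exe", b"/etc/passwd"])           # constructed pattern sets
    svc.register("l7-classifier", [b"HTTP/1.1", b"BitTorrent"])
    svc.register("dlp", [b"CONFIDENTIAL"])
    packet = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nX-Note: CONFIDENTIAL\r\n"
    results = svc.scan(packet)                  # scanned once, on behalf of all three middleboxes
    nsh = nsh_encode(svc, spi=42, si=255, results=results)
    return svc, results, nsh


if __name__ == "__main__":
    svc, results, nsh = demo()
    for owner in svc.owners:
        print(owner, nsh_my_matches(svc, nsh, owner))
```

The point of the sketch is the split of responsibilities: the automaton is built once over the union of all pattern sets, so adding a middlebox costs a rebuild rather than another pass over every packet, and each middlebox receives only the ids of its own patterns, so it never sees the other middleboxes' rule sets. A production DPI service would additionally carry match offsets, cap the metadata size, and authenticate the NSH metadata so that a compromised middlebox cannot forge inspection results for the ones after it in the chain.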

Figure 2: DPI as a Service, system architecture. The DPI controller abstracts the DPI process from the other network elements and controls the DPI service instances across the network. Packets flow through the network as dictated by their policy chains.

Opportunity

  • Deploying DPI as a service is a catalyst for innovation in the middlebox domain
  • DPI as a service enhances the performance, flexibility, efficiency and robustness of SDN-based networks


Contact for more information:

Aviv Shoher
SVP BUSINESS DEVELOPMENT
+972-2-6586635