DPI and DFI bandwidth management technology analysis

Source: Internet
Author: User

I. Current situation and challenges

In the transformation of the fixed network, broadband has become the biggest highlight, and the thriving broadband business has brought operators considerable profits and customers. However, as network applications multiply, emerging services such as P2P, online games, IPTV and WebTV occupy most of the Internet's bandwidth. P2P applications represented by BT and eDonkey account for more than 2/3 of Internet traffic, and the operator's infrastructure is caught in an abnormal cycle of "congestion, expansion, re-congestion", with profitability decreasing accordingly.

According to current domestic statistics, P2P cross-domain traffic occupies 80% of the bandwidth of the trunk line. Under China's unlimited-bandwidth subscription model, most of the network's bandwidth is consumed by a small number of users who do not pay a corresponding cost but degrade network quality for most other users. As a result, operators' service quality also suffers.

The main cause of this situation is that operators lack effective means to control and differentiate users. The operator does not know what users are doing online, so it cannot guarantee different service quality and service levels for different users. Nor can it set reasonable rates based on service characteristics or convert business growth into revenue growth. Instead, ISPs and ICPs offering voice, IM, game and other applications use the operator's cheap network resources to develop their own customers and skim the cream.

The inability to implement service identification and content-based billing increases the operator's operating costs and reduces customer satisfaction. How to gain deep visibility into network applications, provide means of controlling and managing network services, build a harmonious network that can be operated and managed, effectively restrict P2P while guiding it sensibly, and turn a disadvantage to the operator's own use has therefore become a hot topic for telecom operators.

II. Bandwidth management technology

Enhanced network traffic monitoring can, to a certain extent, accurately identify the service types present in traffic. The two major technical systems here are DPI (Deep Packet Inspection) and DFI (Deep/Dynamic Flow Inspection), both of which are already commercially available abroad. They are suited to detecting, in network equipment and on a per-flow basis, non-operator services and services carried over P2P.

The IMS (IP Multimedia Subsystem) architecture identifies services by having the application layer notify the network devices. This architecture suits services in the C/S model that are centrally operated by operators, such as VoIP. It allows billing by service content, carrier-level security assurance, and QoS assurance for customers who require high service quality and guaranteed bandwidth. IMS is the direction of development, but its technical deployment and policy application will be a complex and long-term process, so this article does not cover it.

1. DPI Technology

Traditional IP traffic identification and QoS control only analyze the "5-tuple" ("quintuple") information in the IP packet header to determine basic information about the current traffic, and traditional IP routers use this information to implement traffic identification and QoS assurance to a certain extent. However, this covers only layer 4 and below of the IP packet: the source address, destination address, source port, destination port, and protocol type. As the number of application types on the Internet keeps growing, the application type in the traffic can no longer be determined from layer-4 port information alone, and this approach cannot handle applications that transmit over open ports, random ports, or even encrypted channels.

DPI adds application-layer analysis on top of header analysis; it is a traffic detection and control technology based on the application layer. When IP packets or TCP/UDP data streams pass through a DPI-based bandwidth management system, the system reads the IP packet payload and reassembles the application-layer information of the OSI seven-layer model to obtain the content of the whole application, and then shapes the traffic according to the management policy defined in the system. DPI recognition technology can be divided into the following three types for different protocol types:

The first type is feature word recognition. Different applications usually use different protocols, and each protocol has its own fingerprint, which may be a specific port, a specific string, or a specific bit sequence. Feature word recognition identifies the application carried by a flow by finding this fingerprint information in the data packets. By detection method, it can be subdivided into fixed feature location matching, changing feature location matching, and state feature word matching. Because detection is driven by fingerprint information, the technique is easily extended to new protocols by upgrading the fingerprints.
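The three matching modes named above can be sketched as follows. This is an added example, not code from the original article; the signature table, flow samples and function names are constructed for illustration, and only the BitTorrent handshake prefix is a real protocol fingerprint.

```python
from dataclasses import dataclass, field

# Constructed signature table. The BitTorrent entry is the protocol's
# published handshake prefix; the other entries are simplified illustrations.
FIXED = [("bittorrent", 0, b"\x13BitTorrent protocol")]   # (app, offset, bytes)
FLOATING = [("http", b" HTTP/1.1\r\n")]                    # (app, bytes anywhere)
# State feature words: each step is (direction, payload prefix), in order.
STATEFUL = {"smtp": [("s2c", b"220 "), ("c2s", b"EHLO ")]}

@dataclass
class Flow:
    app: str = "unknown"
    progress: dict = field(default_factory=dict)  # rule name -> next step index

def inspect(flow: Flow, direction: str, payload: bytes) -> str:
    """Feed one packet payload of a flow; return the flow's current label."""
    if flow.app != "unknown":
        return flow.app                      # classified flows skip inspection
    for app, offset, sig in FIXED:           # fixed feature location
        if payload[offset:offset + len(sig)] == sig:
            flow.app = app
            return app
    for app, sig in FLOATING:                # changing feature location
        if sig in payload:
            flow.app = app
            return app
    for app, steps in STATEFUL.items():      # state feature words
        i = flow.progress.get(app, 0)
        want_dir, prefix = steps[i]
        if direction == want_dir and payload.startswith(prefix):
            if i + 1 == len(steps):
                flow.app = app
                return app
            flow.progress[app] = i + 1
    return flow.app

def classify_packets(packets) -> str:
    """Run a whole flow given as (direction, payload) tuples."""
    flow = Flow()
    for direction, payload in packets:
        inspect(flow, direction, payload)
    return flow.app

# Constructed sample flows.
BT = [("c2s", b"\x13BitTorrent protocol" + bytes(48))]
WEB = [("c2s", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")]
MAIL = [("s2c", b"220 mail.example.test ESMTP\r\n"), ("c2s", b"EHLO client.example.test\r\n")]
OPAQUE = [("c2s", bytes(range(200, 256)))]   # stands in for an encrypted payload
```

The `OPAQUE` flow stays `unknown`: with no readable fingerprint in the payload, signature matching has nothing to key on.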

The second type is application layer gateway (ALG) identification. Some services separate the control flow from the business flow; for example, the business flow related to signaling 7 has no characteristics of its own. Application layer gateway identification targets such services. The gateway first identifies the control flow, then selects a specific application layer gateway according to the control flow's protocol and parses the control flow to identify the corresponding business flow. A different application layer gateway is required for each protocol. H.323, SIP and similar protocols belong to this type: the data channel is negotiated through the signaling exchange and is generally a voice stream encapsulated in RTP. Inspecting the RTP stream alone does not reveal which protocol established it, that is, which service it belongs to. Only by inspecting the SIP or H.323 protocol exchange can the complete analysis be obtained.
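A minimal SIP gateway of the kind described above, as an added example that is not part of the original article: it parses the SDP body of a control message to learn the negotiated media endpoint, then labels later UDP traffic by that endpoint. The class name, labels and sample messages are constructed; addresses come from documentation ranges.

```python
import re

class SipAlg:
    """Learns RTP endpoints from SIP/SDP so media flows can be labelled."""

    def __init__(self):
        self.media = set()                       # negotiated (ip, port) pairs

    def on_control(self, payload: bytes):
        """Parse one SIP message; return the (ip, port) it negotiates, if any."""
        text = payload.decode("utf-8", "replace")
        head, _, sdp = text.partition("\r\n\r\n")
        if "SIP/2.0" not in head.split("\r\n", 1)[0]:
            return None                          # not a SIP start line
        conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        audio = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
        if not (conn and audio):
            return None
        key = (conn.group(1), int(audio.group(1)))
        self.media.add(key)
        return key

    def classify_udp(self, dst_ip: str, dst_port: int, payload: bytes) -> str:
        if (dst_ip, dst_port) in self.media:
            return "voip/sip"                    # tied to a parsed control flow
        # RTP version 2 header: top two bits of the first byte are 10.
        if len(payload) >= 12 and payload[0] >> 6 == 2:
            return "rtp/unknown-signalling"      # RTP-shaped, service unknown
        return "unknown"

# Constructed sample traffic.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.test SIP/2.0\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=alice 1 1 IN IP4 192.0.2.10\r\n"
    b"s=-\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"t=0 0\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_RTP = bytes([0x80, 0x00]) + bytes(10) + bytes(160)  # 12-byte header + audio
```

The same RTP packet is labelled `voip/sip` only when its destination matches an endpoint learned from signaling; otherwise the gateway can say it looks like RTP but not which service set it up.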

The third type is behavior pattern recognition. Before applying it, operators must first study the various behaviors of terminals and build a behavior identification model. Based on that model, behavior pattern recognition determines the actions a customer is performing, or is about to perform, from the behaviors the customer has already exhibited.

Behavior pattern recognition is usually used for services that cannot be determined from the protocol itself. For example, judged by email content, spam and normal mail flows are indistinguishable, so further analysis is required. A comprehensive identification model is built from analysis of the size, frequency, source email address, change frequency, and rejection frequency of the sent mail, to determine whether the email is spam.

These three identification technologies apply to different types of protocols and cannot replace one another. Only by using all three together can the various applications on the network be identified effectively and flexibly, so that control and billing can be achieved.

2. DFI Technology

Unlike DPI, which matches payloads at the application layer, DFI uses application recognition based on traffic behavior: different application types show different states in their session connections or data streams. For example, the characteristics of online IP voice traffic are very obvious in the stream state: the RTP packet length is relatively fixed, generally between 130 and 220 bytes, the connection rate is low, 20 to 84 kbit/s, and the session duration is relatively long. The traffic model of P2P download applications features average packet length over bytes, long download time, high connection rate, and TCP as the preferred transport layer protocol. DFI builds a traffic feature model from this series of traffic behavior characteristics, then analyzes the packet length, connection rate, transmitted byte volume, and inter-packet interval of a session stream and compares them with the traffic model to identify the application type.
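A flow classifier built only from the features listed above, as an added example that is not code from the original article. The VoIP packet-length and rate ranges are the ones quoted in the text; the session-length and P2P thresholds, the 90% share rule and the sample flows are constructed assumptions, since the text gives no figures for them.

```python
# Thresholds. The VoIP figures are the ones quoted in the text; the rest are
# constructed assumptions, since the text gives no numbers for them.
VOIP_LEN = (130, 220)        # bytes per packet (from the text)
VOIP_KBIT = (20, 84)         # kbit/s (from the text)
LONG_S = 30                  # what counts as a long session, seconds (assumed)
P2P_MIN_MEAN_LEN = 1000      # bytes (assumed)
P2P_MIN_KBIT = 500           # kbit/s (assumed)

def flow_features(packets):
    """packets: list of (timestamp_s, length_bytes). Payload is never read."""
    times = [t for t, _ in packets]
    sizes = [n for _, n in packets]
    duration = max(times) - min(times)
    in_voip_band = sum(VOIP_LEN[0] <= n <= VOIP_LEN[1] for n in sizes)
    return {
        "duration_s": duration,
        "mean_len": sum(sizes) / len(sizes),
        "kbit_s": sum(sizes) * 8 / 1000 / duration if duration > 0 else 0.0,
        "voip_len_share": in_voip_band / len(sizes),
    }

def classify_flow(proto, packets):
    """Compare one flow's features with the VoIP and P2P traffic models."""
    f = flow_features(packets)
    long_lived = f["duration_s"] >= LONG_S
    if (long_lived and f["voip_len_share"] >= 0.9
            and VOIP_KBIT[0] <= f["kbit_s"] <= VOIP_KBIT[1]):
        return "voip"
    if (proto == "tcp" and long_lived and f["mean_len"] >= P2P_MIN_MEAN_LEN
            and f["kbit_s"] >= P2P_MIN_KBIT):
        return "p2p"
    return "other"

# Constructed flows: 60 s of 200-byte packets at 50 pkt/s; 120 s of 1400-byte
# packets at 100 pkt/s; a three-packet web fetch.
VOIP_FLOW = [(i / 50, 200) for i in range(3001)]
P2P_FLOW = [(i / 100, 1400) for i in range(12001)]
WEB_FLOW = [(0.0, 300), (0.1, 1400), (0.2, 1400)]
```

Because the input is only timestamps and lengths, encrypting the payload leaves the result unchanged, and the label is a class such as `voip` rather than a specific protocol.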

 

3. Advantages and Disadvantages

DFI processing speed is relatively fast: DPI must unpack traffic packet by packet and match it against a backend database, whereas DFI only needs to compare traffic characteristics with the backend traffic model. As a result, most DPI-based bandwidth management systems currently provide a line rate of about 1 Gbit/s, while DFI-based systems can achieve traffic monitoring at a wire speed of 10 Gbit/s, which fully meets operators' needs.

DFI maintenance costs are relatively low: bandwidth management systems based on DPI always lag behind new applications, and their backend application databases must be upgraded constantly as new protocols and new applications emerge; otherwise the system cannot effectively identify and manage bandwidth under the new technologies or improve pattern-matching efficiency. DFI-based systems require less management and maintenance work than DPI systems, because the traffic characteristics of new and old applications of the same type do not change significantly, so the traffic behavior model does not need frequent upgrades.

Each has its own merits in recognition accuracy: DPI uses packet-by-packet analysis and pattern matching, so it can accurately identify the specific application types and protocols in traffic. DFI only analyzes traffic behavior, so it can only classify application types in general terms. For example, applications that match the P2P traffic model are identified as P2P traffic and those that match the network voice traffic model are classified as VoIP traffic, but DFI cannot determine whether the traffic uses H.323 or another protocol. If the data packets are encrypted, DPI-based traffic control cannot identify the specific application, while DFI-based traffic control is not affected, because encryption does not fundamentally change the state and behavior characteristics of the application stream.
