Slashdot Mirror


80 Gbps Deep Packet Inspection Hardware Announced

An anonymous reader writes to tell us that Procera Networks is launching a new weapon on the deep packet inspection (DPI) front. At $800,000 these 80 Gbps tanks aren't going to be sitting in everyone's closet, but it could mean that more traffic shaping is on the way. "The PL10000 can handle up to 5 million subscribers and can track 48 million real-time data flows. That's certainly a potent piece of hardware, but larger ISPs will need more. That's why Procera designed the new machines with full support for synchronizing traffic flows where return traffic might be routed to a different PacketLogic machine. The machine receiving the return traffic can make the machine monitoring the outbound traffic aware that it sees the other half of a TCP/IP conversation, for example, giving the devices more accuracy than those which might only have access to one side."
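The flow-synchronization feature described in the summary, worked through as an added example (not Procera's code): two inspection points each see one direction of an asymmetrically routed conversation, and a canonical endpoint-ordered key lets their unidirectional records be merged into one bidirectional flow, exposing which flows were only ever half-observed. All flow records are constructed sample data.

```python
"""Bidirectional flow reconciliation across two inspection points.

Added example (not Procera's code): models the PL10000 feature described
above, where the machine that sees return traffic tells the machine that
sees outbound traffic that it holds the other half of a TCP conversation.
All flow records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed unidirectional flow records:
# (sensor, src_ip, src_port, dst_ip, dst_port, bytes)
# Asymmetric routing: sensor "A" sees subscriber -> internet,
# sensor "B" sees the reply path.
SAMPLE_FLOWS = [
    ("A", "10.0.0.5", 51000, "203.0.113.10", 443, 1200),
    ("B", "203.0.113.10", 443, "10.0.0.5", 51000, 48000),
    ("A", "10.0.0.7", 51234, "198.51.100.20", 6881, 9000),
    ("B", "198.51.100.20", 6881, "10.0.0.7", 51234, 9500),
    ("A", "10.0.0.9", 40000, "192.0.2.30", 80, 500),  # reply path never observed
]


def canonical_key(src_ip, src_port, dst_ip, dst_port):
    """Order the two endpoints so both directions of a conversation share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


@dataclass
class BiFlow:
    forward_bytes: int = 0  # bytes in the endpoint-ordered "forward" direction
    reverse_bytes: int = 0  # bytes in the opposite direction
    sensors: set = field(default_factory=set)  # which inspection points reported it

    @property
    def complete(self):
        """True once both halves of the conversation have been seen."""
        return self.forward_bytes > 0 and self.reverse_bytes > 0


def reconcile(flows):
    """Merge unidirectional records from any number of sensors into bidirectional flows."""
    table = defaultdict(BiFlow)
    for sensor, sip, sport, dip, dport, nbytes in flows:
        key = canonical_key(sip, sport, dip, dport)
        bf = table[key]
        if key[0] == (sip, sport):
            bf.forward_bytes += nbytes
        else:
            bf.reverse_bytes += nbytes
        bf.sensors.add(sensor)
    return dict(table)


def one_sided_flows(table):
    """Keys whose second half was never reported by any sensor."""
    return [k for k, bf in table.items() if not bf.complete]


if __name__ == "__main__":
    merged = reconcile(SAMPLE_FLOWS)
    for key, bf in merged.items():
        print(key, bf.forward_bytes, bf.reverse_bytes, sorted(bf.sensors), bf.complete)
    print("one-sided:", one_sided_flows(merged))
```

A box that only sees one direction cannot tell the 1200-byte request from its 48000-byte reply apart from any other half-conversation; the merged record makes that asymmetry visible.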

185 comments

  1. Anonymous Coward by Anonymous Coward · · Score: 0

    I'm sure this will work just as well as the others. A waste of money.

  2. Just in time! by courteaudotbiz · · Score: 5, Funny

    Just in time for the Olympic games!

    1. Re:Just in time! by keneng · · Score: 4, Informative

      It's not that funny. I live in China. We will even have slower traffic now. As it stands forget watching YouTube. All I can get is about 30KB/s download/upload on a single connection which is barely enough to listen to internet radio. The good news is that I can have more than one connection open with other countries, but from what I understand no media players or streaming servers have this parallel 30KB/s connection capability to total the necessary 4Mbps/download for watching internet video. That's why China's "Golden Shield" works so well. In order to circumvent it, one must have tools to open multiple connections for the single purpose intended i.e. media player, web serving one large page through multiple data sending connections. Oddly enough if I connect to websites inside China I can get 4Mb/s connections. The world's internet is crippled with equipment like this in my perspective and experience already. I'm grateful I can actually express my opinion about this here. BTW for the last four to five months Slashdot has had this quantserve in-your-face job ad when accessing the site. From China, it often slows down the page access and takes sometimes 5 to 10 minutes before I can read the main page. Is this normal?

    2. Re:Just in time! by knutkracker · · Score: 1

      Use the NoScript Firefox extension and block the offending ad server. Works perfectly and it's more secure.

    3. Re:Just in time! by msromike · · Score: 1

      I agree, there is nothing funny about the Communist Red Chinese.

    4. Re:Just in time! by Anonymous Coward · · Score: 0

      I'm also in China, but haven't noticed the job ad accessing slashdot. Maybe it's your ISP trying to earn a few yuan.

  3. $800,000? by Bovius · · Score: 5, Insightful

    At almost a million dollars a pop, is it really saving money for ISPs to use these? How many would a major ISP need to shape all of their traffic?

    1. Re:$800,000? by Anonymous Coward · · Score: 0

      Yep, and how much were computers, originally? The price on these will drop when enough of them are bought.

    2. Re:$800,000? by blhack · · Score: 4, Insightful

      Yep, and how much were computers, originally? The price on these will drop when enough of them are bought.

      No it won't. There is realistically only a market for a handful of these worldwide. Not several million of them like PCs. It's exactly like Cisco hardware, it has remained astronomically expensive simply because only a very small select group of people (network admins) actually buy them.

      --
      Newslily Social News. No lolcats allowed.
    3. Re:$800,000? by Deadplant · · Score: 5, Insightful

      Seriously.
      Spend the money on a couple more 40Gb fiber lines instead.

    4. Re:$800,000? by GreggBz · · Score: 3, Insightful

      At almost a million dollars a pop, is it really saving money for ISPs to use these? How many would a major ISP need to shape all of their traffic?

      Not only that but it seems like a dumb technical solution for P2P traffic shaping.

      Most ISPs would be geographically distributed. I can't think of too many places where you would actually see this much traffic. You'd need, what, 10 OC-192's to see 80Gb/s? Maybe they add all the GigE ports together and cheat to advertise a big number, but still.

      Second, this is the kind of device you want closest to your customers, not down the line where your traffic aggregates. If you want to stave upstream traffic, do it as soon as possible in the network.

      Third, it's better in almost every aspect of IT to scale out, not up. Every node would be different. You could have business customers in one CIDR or another and different configurations for each. I'm sure this thing is configurable per port, but I'd think it would be easier and more cost effective to have smaller distributed individually configurable devices only where you need them.

      No, I don't think this thing is best suited to do traffic shaping for the typical ISP. If you can do DPI on that much traffic, there are bigger, less benign applications I can think of.
    5. Re:$800,000? by sgt+scrub · · Score: 5, Interesting

      Better yet, force the telcos to put up the fiber networks they were awarded huge tax cuts to put up! They don't have bandwidth problems, they have accountability problems created by the RIAA et al. backed by people desperately trying to find a way to censor the net.

      --
      Having to work for a living is the root of all evil.
    6. Re:$800,000? by Deliveranc3 · · Score: 1

      Route high throughput users onto a separate system, route high throughput users of that system into this thing... kill them.

      Pirate Hotel: They check in they don't check out.

      It does provide security against your users getting uppity and using what they paid for.

      God I hate trying to stick up for ISPs, I'm going back to being a devil's advocate for Bush and Hitler.

    7. Re:$800,000? by nurb432 · · Score: 1

      It's not about saving money, it's 'for the children'.

      --
      ---- Booth was a patriot ----
    8. Re:$800,000? by Ioldanach · · Score: 3, Interesting

      force the telcos to put up the fiber networks they were awarded huge tax cuts to put up!

      Just bill them for the back taxes for the networks they failed to install as promised.
    9. Re:$800,000? by Anonymous Coward · · Score: 0

      "I think there is a world market for maybe five computers" --Thomas J. Watson, 1943, President of IBM

    10. Re:$800,000? by smellotron · · Score: 1

      Second, this is the kind of device you want closest to your customers, not down the line where your traffic aggregates. If you want to stave upstream traffic, do it as soon as possible in the network.

      I concur. I used to work at an ISP. The topology at one site was basically "Ethernet Jack -- Building Switch -- Site-Wide Switch -- Core Router -- Internet Cloud". When viruses hit, it was the fiber (from building to core switch) that saturated first. A desktop machine was capable of taking out an entire block of apartments just by saturating the local switch. QoS in the core gear wouldn't help at all if one of the building switches was doing nothing but sending out spam.

    11. Re:$800,000? by totally+bogus+dude · · Score: 1

      Actually, Cisco hardware has remained astronomically expensive because a lot of people (network admins) keep buying them regardless of the fact that there's much cheaper equipment out there that does the same job just as well.

      I know, because I'm one of them -- and even I don't know why I keep getting Cisco hardware! I think there may be witchcraft involved.

    12. Re:$800,000? by neomunk · · Score: 1

      $200,000,000,000? They'd probably rather install the fiber.

      (count those zeros again and then call your telco asking where the fiber you've paid handsomely for is)

    13. Re:$800,000? by Ioldanach · · Score: 1

      Yes, that's the point. Bill them, tell them they can pay it in installments every 3 months for 2 years. Or they can confirm that 1/8th of the work has been done every 3 months. If they fail to do either, they start losing licenses.

    14. Re:$800,000? by neomunk · · Score: 1

      I like the way you think, but, unfortunately, your idea could be considered offensive to the owners in the so-called 'ownership society' we have apparently conceded to. I think the main rule goes something like 'Possession is nine tenths of the law, lawyers and superior firepower bringing up the other ten percent.' So yeah, unless you can somehow 'own' your representative's opinion more than a major campaign contributor can 'own' it, then we're pretty much outta luck.

      Call them and annoy them anyways, at the least we can put some flies in the so-very-personal ointment they're whipping up with our resources. At least that's MY opinion on the subject. I've been wrong before... back in '82 that one time ;-D

    15. Re:$800,000? by theglassishalf · · Score: 1

      I've seen a few people talk about these tax cuts. Does anyone have a reference to them? They seem to have escaped into my memory hole.

    16. Re:$800,000? by msromike · · Score: 1

      No. You want them where the traffic transits to a peer. Aggregating them is exactly what you want. That's why they are so damn beefy.

      Use your imagination. Why wouldn't you just place 10 or so on the backbones so that you get 98% coverage of all US traffic? Then the NSA, Comcast, FBI, DHS, ATT, Blockbuster, and anyone else with a need for this technology can pool resources to implement wide scale.

      Remember the boxes talk to each other. So if you put, I don't know maybe 100 of them in the right locations around the world, I bet you would have ALL INTERNET COMMUNICATIONS nailed down pretty good.

      You just use VLAN, QOS technology to route traffic you don't want inspected around the boxes. You obviously don't need to inspect a lot of the corporate and government traffic, especially if they belong to the consortium that will operate these.

      What has Comcast got to do with this anyway? I don't see their name mentioned in the article.

      You guys crack me up. You are about to be permanently enslaved by your governments and you are worried about how technology is going to prevent you from stealing software and music.

    17. Re:$800,000? by Anonymous Coward · · Score: 0

      I have learned a valuable lesson today.

      Do not comment on slashdot on less than three hours sleep.

      That is all.

  4. tank by BorgCopyeditor · · Score: 3, Funny

    80 Gbps tanks aren't going to be sitting in everyone's closet

    Not until Wrath of the Lich King comes out ... wait, what were we talking about?

    --
    Shop as usual. And avoid panic buying.
    1. Re:tank by Anonymous Coward · · Score: 0

      I see wut u did there

  5. Obligatory by sexconker · · Score: 0, Offtopic

    How many Libraries of Congress...?

    80 Gbps? Almost... 88 mph!

    Joining separate incoming and outgoing paths? 5 million subscribers? Deep Packet? Surely the porn industry will invest in this technology.

    Also - $800,000 for 80 Gbps? That's just 1 cent per kilobit per second! What a bargain!

    1. Re:Obligatory by oodaloop · · Score: 1, Funny

      And imagine a Beowulf cluster, and if it ran Linux, etc etc.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:Obligatory by Hal_Porter · · Score: 1

      And imagine a Beowulf cluster, and if it ran Linux, etc etc.

      I've just stuck a Post It with "oodaloop" written on it to my voodoo doll and I'm sticking pins in it now. Can you feel anything?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:Obligatory by oodaloop · · Score: 1

      I think I finally messed with someone's OODA Loop.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  6. cost by Kartoffel · · Score: 1

    I guess a handful of these would beat a hojillion racks full of commodity servers running pf+altq, but how does the cost really add up?

  7. DPI - Encrypt by Unlikely_Hero · · Score: 5, Interesting

    DPI has only one option when presented with encrypted information however (at least afaik). Give the packet a low priority or pass it through normally (of course, it could also drop it entirely but doing that as a rule would be problematic to say the least). So it would be possible to force a bet. Can the ISPs afford to give encrypted traffic a very low priority?

    --
    Happiness does not come from having much, but from being attached to little.
    1. Re:DPI - Encrypt by Shakrai · · Score: 5, Insightful

      Can the ISPs afford to give encrypted traffic a very low priority?

      No, but if they wanted to be pricks they could identify p2p users and give THEIR encrypted traffic a very low priority.

      Even if you ran with full encryption and encrypted the communication with the tracker it's still trivial to identify you as a p2p user -- not many VPNs make connections with dozens (or hundreds) of remote hosts.

      The only way around that would be to VPN somewhere and use that VPN link to pass all your p2p traffic -- but if you have the means at your disposal to set that up then you likely have the means to find an ISP that doesn't throttle your p2p traffic.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:DPI - Encrypt by mikael · · Score: 1

      Can the ISPs afford to give encrypted traffic a very low priority?

      Definitely not. If people find that their online web purchases fail to complete because some marketing executron has decided to put shttp protocols in the slow lane, word will soon get round on the consumer newsgroups.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:DPI - Encrypt by Unlikely_Hero · · Score: 2, Informative

      Quite true, good points all around. One issue with the last part though, the means to find an ISP that doesn't throttle? Sure. To have that ISP be in your area... not so sure.

      --
      Happiness does not come from having much, but from being attached to little.
    4. Re:DPI - Encrypt by TooMuchToDo · · Score: 3, Informative

      https://www.relakks.com/?lang=en does exactly what you've described. I believe the cost is $10/month US.

    5. Re:DPI - Encrypt by leuk_he · · Score: 1

      They can, but they will either make false positives, or miss a lot of traffic.

      If only an effective QOS standard was applied then users could choose the level of quality they wanted.

    6. Re:DPI - Encrypt by Anonymous Coward · · Score: 0

      Exactly. The most expensive gear in the world is instantly defeated with encryption.

      The cool part is that there are lots of legitimate uses for encrypted traffic so they either piss off lots of VoIP and VPN users or they let the new bittorrent guys have a free ride.

      Until they can crack RC5 encryption realtime they have no chance in hell stopping or even slowing down P2P.

      The cool part is most people that do P2P don't do VPN, so specify your P2P traffic to use VPN ports and you confuse them even more. Or set it for web ports. fun fun!

    7. Re:DPI - Encrypt by Anonymous Coward · · Score: 0

      The only way around that would be to VPN somewhere and use that VPN link to pass all your p2p traffic -- but if you have the means at your disposal to set that up then you likely have the means to find an ISP that doesn't throttle your p2p traffic.

      There are services like Relakks https://www.relakks.com/?cid=gb that will do the job quite well.

    8. Re:DPI - Encrypt by Em+Adespoton · · Score: 3, Informative

      It should be trivial to limit any end nodes to a maximum of, say, 8 encrypted connections with unique netblocks on the destination. Any new sessions negotiated after that will automatically be given very low priority.

      Also, a TCP packet contains a lot more than just an encrypted payload: you can tell a lot about a packet from the other parts: source and destination ports, sequence and acknowledgement numbers, header length, reserved ID bits, urgent flag, ACK flag, push flag, RST flag, SYN flag, FIN flag, window size, checksum, urgent pointer and even the options field. I'm sure that it wouldn't be very difficult to set up a Bayesian detection ruleset using this data to identify what protocol is being used. The checksum and flags wouldn't be all that useful, but the port numbers, header length, window size, urgent pointer and seq/ack number progressions can be quite telling.

    9. Re:DPI - Encrypt by Shadow-isoHunt · · Score: 3, Interesting

      The problem with this whole "it's encrypted so they'd have to throttle SSL too" idea is that bittorrent doesn't use SSL, and lacks a Diffie Hellman exchange. Encrypted BT traffic looks nothing like any other traffic, so it can still be picked out of the traffic flows and thrown into another QoS bracket. Using SSL for BT would also be stupid, because SSL (the key exchange in particular) is computationally expensive. You'd peg your CPU at 100% the whole time you were grabbing your porn.

      --
      www.isoHunt.com
    10. Re:DPI - Encrypt by Amouth · · Score: 1

      I agree that info is revealing, but if it is done as a tunnel connection, the revealing info will look like a point to point tunnel. All the good stuff is going to be in header info inside the encrypted payload.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    11. Re:DPI - Encrypt by kriss · · Score: 2, Interesting

      Actually, the whole idea of DPI is *not* to detect things based on port. There are definitely legitimate uses for encrypted traffic - heck, even encrypted P2P, but it'd be a bit premature to say that you can't separate protocols from each other even if they're encrypted.

      It's a bit beside the point though. A sane approach to DPI is just to give some traffic a lower priority than other traffic. If the pipe goes full, you don't want to RED drop some WoW traffic (unhappy user) over some BT traffic (decidedly non-interactive). You might also want to keep web browsing at a better priority than bulk HTTP transfers and P2P, whatnot.

    12. Re:DPI - Encrypt by Hal_Porter · · Score: 2, Informative

      Yeah but the connection speeds you get over Relakks are lousy if you leave it running for a few hours. They probably throttle too.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    13. Re:DPI - Encrypt by TooMuchToDo · · Score: 1

      For $10/month, I would expect throttling. But the connection is fully encrypted, and can masquerade as a true VPN connection.

    14. Re:DPI - Encrypt by SiriusStarr · · Score: 1

      Yes, but the fear is not that it will be used to give BT lower priority (which would rarely have much effect). The fear is that it will be used to block P2P outright. Or at least try; bittorrent will start to look more and more like "legitimate" internet usage with time. ISPs should just face the fact that they are on the reactionary side here; P2P will always have some new development that lets them bypass the latest blocking mechanisms, simply because it's much easier to break a defense than to defend against a future attack, the nature of which is uncertain.

      --
      Fear the penguin.
    15. Re:DPI - Encrypt by InlawBiker · · Score: 2, Informative

      That's what all the new-fangled dual core CPUs are for. One to download the porn, the other to watch it.

    16. Re:DPI - Encrypt by evanbd · · Score: 3, Informative

      Freenet runs over UDP with fully randomized ports. It acknowledges messages, but even the ACKs are encrypted. Window sizes are hidden behind the crypto as well. Except for the initial connection, handshaking is done by routing through previously established connections.

      I'd like to see them DPI that. The best they can do is traffic analysis and decide it looks like P2P and throttle on that.

    17. Re:DPI - Encrypt by Anonymous Coward · · Score: 0

      Sorry to disperse your parade here, but in my mdpi [manual dpi] seq/ack #'s in at least the Linux world are incremented using a system time scheme for the initial number. In fact this is not something set by the layer-7 application, period. As well I haven't seen any p2p program or standard utility (that I've inspected) set TCP options, so headers would be the same length. Window size -- wtf is all I have to say there. Lastly port #... have you ever looked at what local port is used when you connect to a remote ssh? I'll give you a hint, it's not port 22 for both machines. Try again, please drive thru.

    18. Re:DPI - Encrypt by Shadow-isoHunt · · Score: 1

      Rapid key exchanges can bring quad cores to their knees with ease. There's a reason there are coprocessors for SSL acceleration.

      --
      www.isoHunt.com
    19. Re:DPI - Encrypt by kriss · · Score: 1

      Oh, it's a tool - could definitely be used for good - or evil (and as a bonus, one man's good is another man's evil). Could you block P2P outright? Pretty much, yes. Would it make sense? Not really, for several reasons (see the collective public happiness about Comcast and BitTorrent blocking for one).

      Could you rather use it to allow a decent amount of P2P (keep in mind that you could shape/limit it rather than outright block it) while keeping the net snappy for the non-filesharers as well? Sure, definitely possible.

      It boils down to tools. If you *only* can block stuff, that's a blunt instrument. If you can shape as well, I'd be hard pressed to think of a scenario where blocking would be preferable to an ISP, worms and Windows Messenger Service (Not MSN, rather the popup crud in windows) excluded.

      Say you got a pipe of 1Gbps and limit P2P and bulk transfers to 700 Mbps of that, you still allow a lot while keeping interactive stuff.. well, interactive.

    20. Re:DPI - Encrypt by Vellmont · · Score: 1
      Encrypted BT traffic looks nothing like any other traffic, so it can still be picked out of the traffic flows and thrown into another QoS bracket.

      Because nobody has bothered to make it look like other traffic yet.

      Using SSL for BT would also be stupid, because SSL(the key exchange in partciular) is computationally expensive.

      That's funny, I don't recall my low powered computers having any trouble setting up an SSL connection. Usually when people talk about SSL being "computationally expensive" they're talking about it in a server environment that services tens of thousands of people every minute.

      The underlying algorithms don't require that much computational power. My lowly 200MHz MIPS router can encrypt on the order of a megabyte or two a second using the same algorithms SSL uses. My several years out of date workstation could easily encrypt my several megabit data stream. Setting up the connection, while "computationally expensive", only has to happen once per connection.

      --
      AccountKiller
    21. Re:DPI - Encrypt by Shadow-isoHunt · · Score: 1

      That's right, each time the connection is established (and renegotiations after X amount of data or X amount of time). BT opens sockets constantly, and the key exchange is the expensive part, not the AES that comes after. Pop open top/taskmgr, and then pop open an SSH connection. Watch the CPU spike. Now consider that same spike happening constantly with multiple connections at once, happening over and over again after each chunk. Worse, you don't have control over the rate that this happens at because other peers are connecting to you, too. Easy DoS.

      --
      www.isoHunt.com
    22. Re:DPI - Encrypt by Vellmont · · Score: 1
      BT opens sockets constantly, and the key exchange is the expensive part, not the AES that comes after.

      I've used BT. It doesn't open/close hundreds of connections a minute. It might open tens of connections an hour. Big deal.

      Even if it did, you'd just have to do a little re-design on the bittorrent protocol.

      --
      AccountKiller
    23. Re:DPI - Encrypt by Em+Adespoton · · Score: 1

      You seem to have missed the point... everything you state is obvious; the trick is that different OSes use different "random" port ranges, use a different random number generator, have different systime drift etc. If you examine all the extra packet information over time when someone is running, say, a torrent client (or even a Tor router or Freenet node), they affect your sequence number patterns. An ISP knows what standard traffic looks like on their network; if they see any signs of shift (including encrypted ACKs), they can adjust priority based on that data, and have a pretty good idea of what network software you're running (as well as what OS you're running it on). This is an issue that the current FreeNet project is trying to overcome; they've made strides, but still haven't achieved true "stealth" mode.

      As stated, there's no way they can DPI encrypted traffic, but they can usually tell what software was used to encrypt the traffic based on a short TCP packet inspection.

      Of course, tunneling should be completely secure as most of that info is wrapped inside the tunnel. Since they can't really throttle SSH or IPSec, this provides a means to push any data through the network. Of course, p2p apps still need to access the Internet SOMEWHERE. All you do with a tunnel is shift that point to some other location.

    24. Re:DPI - Encrypt by Technician · · Score: 1

      https://www.relakks.com/?lang=en does exactly what you've described. I believe the cost is $10/month US.

      Their netblock is known. Connections to the service for the VPN are a red flag. The system is designed to monitor both directions of a connection and associate them. How many ways can a VPN connection be intercepted by a man in the middle attack where all initial handshakes are known to the man in the middle?

      --
      The truth shall set you free!
    25. Re:DPI - Encrypt by nairb774 · · Score: 1

      Why not go for broke? It has an upper limit on the number of connections it can handle. 48 million real-time flows. A single machine could never achieve this number, or even a small number of computers on the network since it would just close the connections (think spam prevention). However, with a large number of computers each doubling (who knows on the real number - so this may just be a pipe dream) the number of active connections might be exceeded. The question is what happens when this number is exceeded?

  8. Will be obsolete... by Anonymous Coward · · Score: 1, Insightful

    in a few years when every client does opportunistic point-to-point encryption. We are headed that way, right?

    1. Re:Will be obsolete... by Kartoffel · · Score: 1

      Encryption is a good idea, but ISPs can still detect undesirable content by the handshaking and unencrypted header info. Maxwell Smart's communications might be ultra-secure, but nearby KAOS agents still hear whenever his shoe rings, y'know?

    2. Re:Will be obsolete... by penix1 · · Score: 1

      We could resort to the always reliable Cone of Silence. It should prove to be about as reliable as this technology...

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    3. Re:Will be obsolete... by evanbd · · Score: 4, Interesting

      Heck, to defeat this you could just use AES with a default key. Everyone can use the same key, and have it be publicly known. It's fine because this thing doesn't have the compute power to decrypt in real time, even if it knows what it needs to be decrypting and what the key is. Screw handshaking, key management, etc -- just make the CPU cost nonzero and you're done.

    4. Re:Will be obsolete... by irc.goatse.cx+troll · · Score: 1

      I doubt my bank will use that, so does it really matter? Anybody using this encryption to circumvent filtering gets prioritized.

      For that matter, as pointed out elsewhere, there's more to track than l7 content. If your IP has more than N encrypted connections, or sent more than N bytes, you get deprioritized. I can't think of any legit real world use for sending >500MB a day of https traffic. Even >100MB really. Or more than 50 new encrypted peers per hour.

      We're not even talking dropping packets, just sending other packets in front of them. A false positive means loading your banks page might take 5 seconds longer if you load it at a really badly timed time. Hardly something most customers would notice.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
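The per-subscriber heuristics proposed in the two comments above (the "8 encrypted connections to unique netblocks" cap in the DPI - Encrypt thread, and the >500MB/day and >50 new encrypted peers/hour thresholds here), run over constructed flow records as an added example that is not vendor code. The thresholds, the /24 notion of "netblock", and the pre-filtering of flows to the encrypted/unknown class are assumptions; the sample also shows the false-positive side the comment mentions, where a household with a few HTTPS sessions stays under every limit.

```python
"""Per-subscriber heuristics over encrypted/unknown flows.

Added example, not vendor code. Thresholds come from the comments above;
the /24 'netblock' definition and the flow records are constructed.
"""
from collections import defaultdict
import ipaddress

MB = 1_000_000
NETBLOCK_LIMIT = 8           # comment: at most 8 encrypted connections to unique netblocks
DAILY_BYTE_LIMIT = 500 * MB  # comment: >500MB/day of encrypted traffic
NEW_PEERS_PER_HOUR = 50      # comment: >50 new encrypted peers per hour

# Each record: (timestamp_seconds, subscriber_ip, remote_ip, remote_port, bytes)


def netblock(ip, prefix=24):
    """Constructed notion of 'netblock': the /24 that contains the address."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def max_new_peers_per_hour(times):
    """Largest number of first-contact timestamps inside any one-hour window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= 3600:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate(flows):
    """Return {subscriber: [reasons]} for subscribers exceeding any threshold.

    Assumes flows are already limited to the encrypted/unknown class and
    span at most one day, so byte totals compare directly with the daily cap.
    """
    blocks = defaultdict(set)
    total_bytes = defaultdict(int)
    first_seen = defaultdict(dict)  # subscriber -> remote_ip -> first timestamp
    for ts, sub, remote, _port, nbytes in flows:
        blocks[sub].add(netblock(remote))
        total_bytes[sub] += nbytes
        first_seen[sub].setdefault(remote, ts)

    flagged = {}
    for sub in blocks:
        reasons = []
        if len(blocks[sub]) > NETBLOCK_LIMIT:
            reasons.append(f"{len(blocks[sub])} distinct destination netblocks")
        if total_bytes[sub] > DAILY_BYTE_LIMIT:
            reasons.append(f"{total_bytes[sub] // MB} MB encrypted in one day")
        peak = max_new_peers_per_hour(sorted(first_seen[sub].values()))
        if peak > NEW_PEERS_PER_HOUR:
            reasons.append(f"{peak} new encrypted peers in one hour")
        if reasons:
            flagged[sub] = reasons
    return flagged


def constructed_sample():
    """Constructed input: one ordinary household and one host fanning out to many peers."""
    flows = []
    # Household 10.0.0.5: three HTTPS sites, 20 MB each, ten minutes apart.
    for i, site in enumerate(["203.0.113.10", "198.51.100.5", "192.0.2.80"]):
        flows.append((i * 600, "10.0.0.5", site, 443, 20 * MB))
    # Host 10.0.0.7: 60 encrypted peers in 60 different /24s within twenty minutes.
    for i in range(60):
        flows.append((i * 20, "10.0.0.7", f"172.16.{i}.9", 51413, 2 * MB))
    return flows


if __name__ == "__main__":
    for sub, reasons in evaluate(constructed_sample()).items():
        print(sub, "deprioritized:", "; ".join(reasons))
```

The fan-out host trips the netblock and new-peer rules while staying well under the byte cap, which is why the comments treat connection counts, not volume, as the stronger signal.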
    5. Re:Will be obsolete... by Kartoffel · · Score: 1

      Why that's the second best idea I've ever heard. Good thinking!

    6. Re:Will be obsolete... by znerk · · Score: 1

      I can't think of any legit real world use... Yeah, cuz no one has more than one pc in their home, or seeds BT streams for linux isos, or pulls down huge wads of F/OSS software... none of that's "legit", anyways...

      You might wanna get offa yer high horse, there, and take a peek at the world around you. We'd hate to leave someone as short-sighted as yourself behind, eh?

      Oh, yeah... you might wanna check the amount of data you transmit just playing an online MMORPG, or some of the better FPS games out there... or are they not "legit" reasons for sending/receiving gobs and gobs of packets to/from multiple hosts?
      --
      This work is licensed under a Creative Commons Attribution 3.0 Unported License.
    7. Re:Will be obsolete... by Anonymous Coward · · Score: 0

      Oh, yeah... you might wanna check the amount of data you transmit just playing an online MMORPG, or some of the better FPS games out there... or are they not "legit" reasons for sending/receiving gobs and gobs of packets to/from multiple hosts?

      It'd be a pretty skewed comparison right there. ~0.5% of the traffic on the net would be gaming, WoW accounting for quite a lot of that. P2P consumes slightly more.
    8. Re:Will be obsolete... by Beryllium+Sphere(tm) · · Score: 1

      AES was designed with fast hardware implementations in mind.

    9. Re:Will be obsolete... by evanbd · · Score: 1

      Yes... which this does not have. That was kinda my point. It doesn't matter what some other thing that hasn't been built could do; what matters is what the currently available stuff can do. And decrypt AES at 80Gbps isn't on the list.

    10. Re:Will be obsolete... by Anonymous Coward · · Score: 0

      This would work for a year or two. Eventually, someone would build an optimized, load-balanced AES encryptor/decryptor farm that would act as a pre-filter for the DPI engine. That would certainly add cost, power consumption and latency, but if the ISP feels the need, they'll do it.

    11. Re:Will be obsolete... by irc.goatse.cx+troll · · Score: 1

      Yeah, cuz no one has more than one pc in their home

      You'd need to be housing dozens of people all of which are doing MASSIVE online banking to hit the numbers I mentioned, and frankly if you have enough computers on the one connection your ISP would probably care just as much -- i.e. one cable connection being resold to everyone in your apartment building or similar.

      None of that should legitly be higher priority than my low-bandwidth latency-dependent ssh session, no.

      Oh, yeah... you might wanna check the amount of data you transmit just playing an online MMORPG, or some of the better FPS games out there... or are they not "legit" reasons for sending/receiving gobs and gobs of packets to/from multiple hosts?

      I don't play WoW anymore so I can't gather my own data, but the number Blizzard gives is 21MB/hour which feels high as that comes out to 6kB/s, and WoW is playable on dialup.

      At 21MB/hour you're still talking about barely 500MB/day if you played 24hrs a day, when even the biggest addicts are closer to 17hrs. All of this of course being a moot point -- Spend all the bandwidth you want on WoW, it's easily identified and will be tracked on its own. My point was ENCRYPTED data to/from multiple hosts-- namely that once people start encrypting things you just need to track the bandwidth/connection stats of encrypted/'unknown' connections and you can easily find network abuse.
      Things like games will never be encrypted as that is unneeded overhead that cuts into their bottom line -- latency and framerate.

      I guess I should also point out that most gaming is also not even p2p, it is all client/server (excluding RTS games, which are 8 connections and usually stable long connections)

      I'm actually for net neutrality, just against ignorance. If they want to limit you they will find a way, pretending that encryption will stop them is just false hopes.
      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    12. Re:Will be obsolete... by Anonymous Coward · · Score: 0

      Isn't it illegal to decrypt encrypted communications you are not intended to be a recipient of?

    13. Re:Will be obsolete... by Anonymous Coward · · Score: 0

      ..aaaand the DPI tries that key/s once per encrypted stream. If it works, dump that stream. The feature would be called Dynamic Public Encrypted Stream Mitigation.

    14. Re:Will be obsolete... by msromike · · Score: 1

      Duh, encrypted traffic will be disallowed unless you have a license and provide your keys to the government so they can inspect your traffic.

      Gee, I don't mind that every thought I ever communicate will get monitored as long as I can get free music. You are worried about the wrong things, young man.

    15. Re:Will be obsolete... by Anonymous Coward · · Score: 0

      You don't have to actually decrypt an entire message to know whether or not you have the proper key. A constant-time filter could easily be set up that does just enough analysis to see if the publicly-available decryption key (or one of a small set of such keys [and if the public DB is bigger than "a small set," your solution doesn't work any more]) is the proper one for the encrypted packet in question, flag it as a BT packet (or whatever protocol you're trying to protect), and apply the appropriate routing rules. No more CPU cost would be involved than ordinary TCP header analysis.

  9. A waste? by Nimsoft · · Score: 3, Insightful

    Surely that money could be better spent improving their capacity by purchasing new equipment with better signaling methods or even extra lines rather than on equipment to inspect and shape (i.e. selectively throttle) traffic?

    Even if improving the capacity costs a fair bit extra the space for more customers at higher speeds and more consistent service for existing customers will surely increase their profits by offering more than their competition right?

    1. Re:A waste? by Kartoffel · · Score: 5, Insightful

      Investing in more capacity means a linear increase in customers and profits. Investing in network anti-neutrality, OTOH, means new and lucrative pricing structures for various services. They're just putting money where it stands to return the greater profit.

    2. Re:A waste? by Anonymous Coward · · Score: 0

      Installing more capacity doesn't help with congestion when all of the P2P apps on the network automatically increase their bandwidth consumption in response to the increase in available bandwidth. TCP, by design, will keep increasing its bandwidth usage as long as it has data to send and it's not seeing packets get dropped by the network due to congestion. The trouble is that congestion is bad for latency (and thus latency-sensitive applications like VoIP, online gaming or streaming media).

      No economical amount of available bandwidth can alleviate this.

    3. Re:A waste? by Shakrai · · Score: 1

      Installing more capacity doesn't help with congestion when all of the P2P apps on the network automatically increase their bandwidth consumption in response to the increase in available bandwidth

      It does if you invest in more capacity without increasing the speeds available to your end-users. Put another way, my torrent seeding at 768k might be consuming 1% of a backhaul link -- if they triple the speed of that link without increasing my upstream bandwidth then I'm only using 0.33% of it.

      If you can't supply 10mbit speeds to your customers then stop offering them.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
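
The two positions above (the AC's point that greedy TCP flows fill whatever capacity they are given, and Shakrai's reply that extra backhaul helps when the per-customer access speed is not raised with it) can both be seen in a toy model. This is an added example constructed for this page, not code from Procera or from anyone in the thread; the link sizes, the flow count, the drop-tail queue and the additive-increase/multiplicative-decrease rule are simplifying assumptions, in units of packets per round trip.

```python
# Toy AIMD model (constructed for this example, not Procera's or any
# project's code) of TCP-style flows sharing one bottleneck link.
# Units are packets per RTT; one loop iteration is one RTT.
from dataclasses import dataclass


@dataclass
class Link:
    capacity: int   # packets the link forwards per RTT
    buffer: int     # packets the drop-tail queue can hold beyond that


@dataclass
class Result:
    utilization: float   # mean fraction of link capacity used after warm-up
    mean_queue: float    # mean queue depth after warm-up (a queueing-delay proxy)
    loss_ticks: int      # RTTs in which the queue overflowed and packets were dropped


def simulate(n_flows, link, ticks=400, warmup=100, max_cwnd=None):
    """Additive-increase / multiplicative-decrease flows over a drop-tail queue.

    max_cwnd=None models greedy bulk transfers (P2P, big downloads) that grow
    until they see loss; a finite max_cwnd models flows capped at the
    customer's access speed, which stop growing once they reach it.
    """
    cwnd = [1] * n_flows
    util_sum = queue_sum = 0.0
    loss_ticks = 0
    for t in range(ticks):
        demand = sum(cwnd)
        room = link.capacity + link.buffer
        losers = set()
        if demand > room:
            # Drop-tail: packets arriving once the queue is full are lost.
            # Walk the flows in a rotating order so losses are spread around
            # rather than hitting every flow at once (desynchronised TCPs).
            for k in range(n_flows):
                i = (t + k) % n_flows
                if cwnd[i] <= room:
                    room -= cwnd[i]
                else:
                    losers.add(i)
            loss_ticks += 1
        for i in range(n_flows):
            if i in losers:
                cwnd[i] = max(1, cwnd[i] // 2)      # multiplicative decrease
            else:
                cwnd[i] += 1                         # additive increase
                if max_cwnd is not None:
                    cwnd[i] = min(cwnd[i], max_cwnd)
        if t >= warmup:
            util_sum += min(demand, link.capacity) / link.capacity
            queue_sum += min(max(0, demand - link.capacity), link.buffer)
    samples = ticks - warmup
    return Result(util_sum / samples, queue_sum / samples, loss_ticks)


def compare(n_flows=10, max_cwnd=None):
    """Run the same flows on a link, then on one with three times the capacity."""
    small = simulate(n_flows, Link(capacity=100, buffer=50), max_cwnd=max_cwnd)
    large = simulate(n_flows, Link(capacity=300, buffer=50), max_cwnd=max_cwnd)
    return small, large


if __name__ == "__main__":
    for label, cap in (("greedy flows", None), ("flows capped at 20 pkts/RTT", 20)):
        small, large = compare(max_cwnd=cap)
        print(f"{label}: 100 pkt/RTT link -> util {small.utilization:.2f}, "
              f"queue {small.mean_queue:.1f}; 300 pkt/RTT link -> util "
              f"{large.utilization:.2f}, queue {large.mean_queue:.1f}")
```

With greedy flows the link stays saturated and the buffer stays nearly full whether the capacity is 100 or 300 packets per RTT, which is the AC's point: the extra capacity is absorbed and the queueing delay that hurts VoIP and gaming does not go away. With the same ten flows capped at 20 packets per RTT (the access-speed cap Shakrai describes), tripling the backhaul empties the queue and ends the loss entirely.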
    4. Re:A waste? by Nimsoft · · Score: 1

      If you can't supply 10mbit speeds to your customers then stop offering them.....
      Exactly, I'd much rather have the ISP sell me a fixed amount of bandwidth and that's what I get to use before paying extra. I'm sick of all this Unlimited!!!* (*Until we decide you've had too much and stick you with extra charges or disconnection) or 20mbps!!!* (*Unless you transfer a few GBs, then it's 6mbps until tomorrow! Oh, and BitTorrent is always 512kbps!)

      I think it should be illegal to advertise packages in such a confusing and downright misleading way.
      My old ISP used to clearly state you get 500GBs a month else you get throttled, right there next to the price, and nowhere did it say unlimited, because it's not! That's how it should be!
  10. Ok... I have a question... by jskline · · Score: 3, Insightful

    How much of this advertised speed is more or less advertising hype more than anything else??? We all know what it takes to do packet inspection and rules table lookups, so to me, this number seems a bit on the hyped up side...

    Anyone else getting this same riff??

    --
    All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
    1. Re:Ok... I have a question... by KnightElite · · Score: 1

      It seems possible to me. I'm a computer engineer who specializes in HDL (I design custom logic that runs in FPGAs, basically). For a project I've worked on, with a relatively mid-range FPGA I've done real time MPEG packet analysis as well as UDP checksums, etc... on a 12.8 Gbps datastream. What I've done isn't the same as what Procera is doing, but it's at least similar enough that I don't doubt that they're also using FPGAs to do this. That also gives them the ability to upgrade to detect new protocols, which the article mentions. When you're dealing with FPGA fabric, doing analysis on multiple gigabits of traffic going through the device simultaneously with minimal latency isn't anything that's beyond the capability of modern devices.

    2. Re:Ok... I have a question... by Anonymous Coward · · Score: 0

      I would agree. These are most likely switch numbers, where the hardware just forwards packets. Let's see some applications on there that actually do DPI and then give out what the real numbers are.

    3. Re:Ok... I have a question... by Anonymous Coward · · Score: 0

      How much of this advertised speed is more or less advertising hype more than anything else??? We all know what it takes to do packet inspection and rules table lookups, so to me, this number seems a bit on the hyped up side... Anyone else getting this same riff??

      Doesn't look at all like hype to me.

      Based on the picture of the PL10000 on Procera Networks web site, it looks to me like they're using eight ATCA-PP50 cards from CCPU to inspect the packets.

      The ATCA-PP50 cards look to me like they're designed to have enough horsepower to process 10Gbs each (in a bump-in-the-wire configuration).

  11. Let the encryption wars commence. by Anonymous Coward · · Score: 1, Interesting

    Sounds like strong encryption needs to become the norm for everything. Encrypt everything and they have to fight harder to inspect it. It'll turn into a ridiculous arms race, but they're firing the first volley with this, and to do nothing is giving in to it.

    I also think that stronger net privacy laws won't be enough to really stop it, since it's not just our government (Or indeed, not just governments in general,) that'll be using these.

  12. ?? subscribers @ 80gbps by imunfair · · Score: 1, Interesting

    only 80Gbps with 5 million subscribers? If my math isn't way off, that's about 16kbps - which is pretty pitiful speed. You'd have to throttle a lot just to be able to use one of these machines at max subscribers per machine.

    Welcome to Comcast - our new TOS allows you to view text-only web pages with your *high speed* internet connection!

    1. Re:?? subscribers @ 80gbps by blhack · · Score: 2, Informative

      only 80Gbps with 5 million subscribers? Those 5 million subscribers are not all using their connections concurrently. Think about what just happened when I loaded this webpage: it downloaded a text file full of HTML/CSS/Javascript/Whatever else slashdot uses, and now it sits here while I type this comment. I'm not using my connection right now, and won't be using it again until I hit the submit button.
      --
      NewslilySocial News. No lolcats allowed.
    2. Re:?? subscribers @ 80gbps by harry666t · · Score: 1

      > I'm not using my connection right now, and won't
      > be using it again until I hit the submit button.

      You underestimate: youtube, p2p, pr0n, online gaming, apt-get dist-upgrade...

  13. ohh common by Durdenator · · Score: 1

    wtf is the point? p2p isn't going to slow down. It would also be hard to deal with encrypted p2p as instant messaging applications are using encrypted communication too, not to mention gov networks and credit networks.

    I'm waiting for an ISP to use one of these so someone can sue the shit out of them for throttling their data connection.

    1. Re:ohh common by chrisjwray · · Score: 1

      This is exactly what Bell Canada are doing right now, except they are also doing it to their competition!!

    2. Re:ohh common by Tuzanor · · Score: 1

      They can limit each encrypted bank or IM connection to 10-20KB/sec and you wouldn't even notice. You would notice your torrents slowing down though. Many ISPs are already using deep packet inspection. Hell, Rogers in Canada is playing around with inserting messages into websites! I can only hope that it pushes more of the web to https.

    3. Re:ohh common by Skapare · · Score: 1

      I can only hope that it pushes more of the web to https.

      That or to IPsec, or maybe both. They'll still at least see what IP address the traffic is going to, so they could still try to hustle the other site for some bandwidth favoritism money.

      --
      now we need to go OSS in diesel cars
    4. Re:ohh common by Durdenator · · Score: 1

      That will be interesting, besides paying for a faster connection rate you'll also have to pay for bandwidth priority. Plus, how will DPI affect distributed networks?

  14. Math is fun. by Cedric+Tsui · · Score: 4, Insightful

    $800,000/5 million subscribers = $0.16 per subscriber.

    Expect to see the surcharge in your next bill!!!

    1. Re:Math is fun. by gnick · · Score: 4, Insightful

      $800,000/5 million subscribers = $0.16 per subscriber. Yeah, but 80Gbps/5 million subscribers = 2kBps. How long can you keep 5 million subscribers with speeds like that?
      --
      He's getting rather old, but he's a good mouse.
    2. Re:Math is fun. by D'Sphitz · · Score: 5, Insightful

      assuming every single subscriber is using his connection continuously 24 hours per day, not even stopping to so much as read a webpage or an email ...

    3. Re:Math is fun. by morgan_greywolf · · Score: 3, Insightful

      Who says you need to inspect every packet?

    4. Re:Math is fun. by dwandy · · Score: 1, Informative

      Yeah, but 80Gbps/5 million subscribers = 2kBps. How long can you keep 5 million subscribers with speeds like that?
      forever when you're a monopoly, or at best part of a small oligopoly where everyone plays along.
      --
      If you think imaginary property and real property are the same, when does your house become public domain?
    5. Re:Math is fun. by gnick · · Score: 2, Insightful

      If you don't route all of the packets through this thing, what device will do the cursory inspection and decide which packets warrant "deep" inspection? (I'm really asking - If somebody has a good answer, I'd be interested.)

      --
      He's getting rather old, but he's a good mouse.
    6. Re:Math is fun. by Bovius · · Score: 5, Informative

      This is also assuming every single packet that an ISP manages goes through a single physical location. So unless Comcast routes every packet to their headquarters at the top of Mt. Doom for inspection before delivery, they're going to need a lot more of these.

    7. Re:Math is fun. by Anonymous Coward · · Score: 2, Insightful

      You'd need to see every stream, not necessarily every packet in every stream.

    8. Re:Math is fun. by Sentry21 · · Score: 1

      Assuming everyone using my level of connection (10 megabit) maxes out their connection (unlikely), they could handle about 8200 users, making their cost about $100/user... which is still potentially reasonable. $50/user if people average 5 megabits (far more likely), and $25 if they top out at 250 Kbyte/s on average.

      So all in all, not so bad.

    9. Re:Math is fun. by gnick · · Score: 5, Funny

      Yes, 2kBps would be the available average bandwidth. So, assuming that nobody is running p2p software, downloading pornos, or retrieving linux isos, the available peak bandwidth would be much higher. But that would mean that you'd have to advertise speeds that you can't provide during high-demand times and hide a "we'll provide whatever we feel like providing and you'll have to keep paying for it whether you're satisfied or not" clause in the contract. Would any ISP ever stoop so low as to try something like that?

      --
      He's getting rather old, but he's a good mouse.
    10. Re:Math is fun. by Gerzel · · Score: 2, Insightful

      I think the question is:
      Would any ISP NOT stoop so low as to try something like that?

    11. Re:Math is fun. by jandrese · · Score: 1

      2kBps would be 172.8 mB per day. If everybody spread their usage out evenly over the course of the day it might work, but since usage is not uniform it probably would not work. This box would be in the ballpark though, especially if it was effective at shutting down all of the P2P users on your network. Install three or four of them and it might actually work.

      --
      I read the internet for the articles.
    12. Re:Math is fun. by Tweenk · · Score: 1

      172.8 mB per day You mean millibytes, like 5.8 days per byte? That's slow. I think that postal pigeons would be faster.
      --
      Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
    13. Re:Math is fun. by Anonymous Coward · · Score: 1, Funny

      and you should be fine as long as you don't cross them.

    14. Re:Math is fun. by Dekker3D · · Score: 1

      RNG

      *hopes for the "shortest-insightful-post-ever-award*

    15. Re:Math is fun. by Urza9814 · · Score: 1

      Uh, Comcast at least already _has_ stooped that low. Right on their package description it says, "Actual speeds may vary and are not guaranteed. Many factors affect speed."

    16. Re:Math is fun. by old+and+new+again · · Score: 0

      it's called a torrent and it runs 24/7 lol

    17. Re:Math is fun. by smellotron · · Score: 1

      So unless Comcast routes every packet to their headquarters at the top of Mt. Doom for inspection before delivery...

      I think that's the best phrase I've heard about Comcast ever. But on a serious note, think about the NSA wiretap room that AT&T had... that's gotta at least count as Orthanc or something.

    18. Re:Math is fun. by Eddi3 · · Score: 1

      Whoooosh!

    19. Re:Math is fun. by ILongForDarkness · · Score: 1
      Well clearly then you need to throttle the P2P users to speeds much much lower than 2kBps so that you free up the bandwidth for the "legal" users :)

      Got to love it when service providers get to choose whose data is more important. Sorry sir, you get less than you paid for because we don't like your protocol. Have a nice day and thank you for calling X.

    20. Re:Math is fun. by rkd2110 · · Score: 1

      The ISP's border router/firewall can filter the traffic according to certain protocols. Then, it can forward protocols that warrant a deeper inspection to the deep packet inspection gateway. For instance, HTTP or SMTP go only through the basic FW/IPS inspection, but RTSP/XMPP goes on to the next stage of inspection (this is just an example and those are completely arbitrary protocols).
      Remember that a large ISP has routers that can handle 80GBS and more for a long time now...
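
gnick's question in #5 (what decides which packets warrant "deep" inspection), morgan_greywolf's and the AC's answers (#3 and #7: you need to see every stream, not every packet) and rkd2110's two-stage description above fit together in one piece of code. The following is an added example written for this page, not Procera's design and not code from any product named in the thread: stage 1 is a header-only port rule of the kind a border router applies, stage 2 reads payload bytes but only for flows stage 1 could not settle and only for the first few packets of each flow, after which the verdict is cached per flow. The port table, the signatures, the three-packet budget and the sample packets are all constructed assumptions.

```python
# Two-stage flow classifier (constructed example; not Procera's design and
# not code from any project named in the thread).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes = b""


# Stage 1: well-known ports the cheap header check settles without payload
# (constructed table; a real deployment would use the router's own policy).
STAGE1_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "tls", 22: "ssh"}

# Stage 2: payload signatures for protocols that do not sit on a fixed port.
# Each entry is (label, predicate over the payload bytes). Constructed.
SIGNATURES = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    ("rtsp", lambda p: b" RTSP/1.0" in p[:128]),
]

# Only the first few packets of a flow are worth reading; after that the
# flow carries a cached label and stage 2 never sees it again.
MAX_DPI_PACKETS = 3


def flow_key(pkt):
    """5-tuple normalised so both directions of a conversation share one entry."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    if a > b:
        a, b = b, a
    return (pkt.proto, a, b)


@dataclass
class FlowState:
    label: Optional[str] = None
    inspected: int = 0     # packets this flow sent through stage 2
    packets: int = 0       # packets seen in either direction


class TwoStageClassifier:
    def __init__(self):
        self.flows = {}
        self.dpi_packets = 0    # total packets the expensive stage had to read

    def classify(self, pkt):
        flow = self.flows.setdefault(flow_key(pkt), FlowState())
        flow.packets += 1
        if flow.label is not None:
            return flow.label                 # cached verdict: no inspection at all
        # Stage 1: header-only rule (what the border router/firewall can do).
        for port in (pkt.sport, pkt.dport):
            if port in STAGE1_PORTS:
                flow.label = STAGE1_PORTS[port]
                return flow.label
        # Stage 2: payload signature, with a per-flow packet budget.
        flow.inspected += 1
        self.dpi_packets += 1
        for label, matches in SIGNATURES:
            if pkt.payload and matches(pkt.payload):
                flow.label = label
                return label
        if flow.inspected < MAX_DPI_PACKETS:
            return "pending"                  # keep looking at the next packet
        flow.label = "unknown"                # budget spent: treat the flow as opaque
        return flow.label


def sample_traffic():
    """Constructed packets: an HTTP session, a BitTorrent handshake on high
    ports, and an opaque (encrypted-looking) session on high ports."""
    bt = b"\x13BitTorrent protocol" + b"\x00" * 8
    return [
        Packet("10.0.0.5", "203.0.113.10", 51000, 80, "tcp", b"GET / HTTP/1.1\r\n"),
        Packet("203.0.113.10", "10.0.0.5", 80, 51000, "tcp", b"HTTP/1.1 200 OK\r\n"),
        Packet("10.0.0.7", "198.51.100.4", 51413, 6889, "tcp", bt),
        Packet("198.51.100.4", "10.0.0.7", 6889, 51413, "tcp", bt),
        Packet("10.0.0.7", "198.51.100.4", 51413, 6889, "tcp", b"\x00\x00\x00\x0d\x06"),
        Packet("10.0.0.9", "192.0.2.8", 40000, 41000, "tcp", bytes(range(16))),
        Packet("192.0.2.8", "10.0.0.9", 41000, 40000, "tcp", bytes(range(16, 32))),
        Packet("10.0.0.9", "192.0.2.8", 40000, 41000, "tcp", bytes(range(32, 48))),
        Packet("10.0.0.9", "192.0.2.8", 40000, 41000, "tcp", bytes(range(48, 64))),
    ]


def run(packets):
    """Classify a packet list; return per-packet verdicts, per-flow labels
    and how many packets the DPI stage actually had to read."""
    clf = TwoStageClassifier()
    verdicts = [clf.classify(p) for p in packets]
    labels = {key: st.label for key, st in clf.flows.items()}
    return verdicts, labels, clf.dpi_packets


if __name__ == "__main__":
    verdicts, labels, dpi = run(sample_traffic())
    print(verdicts, dpi, "packets reached stage 2 out of", len(verdicts))
```

Of the nine constructed packets only four reach the payload stage: the HTTP session is settled by its port, the BitTorrent flow by its first packet, and the opaque flow uses up its three-packet budget and is then labelled unknown and left alone. That is the sense in which a box that sees every stream does not have to inspect every packet, and also the practical answer to the encryption sub-thread above: once a flow is opaque the classifier stops reading it and only its label (and its volume) remains to act on.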

    21. Re:Math is fun. by Anonymous Coward · · Score: 0

      My ISP does. I have a standard ADSL line which (as I found out later) is shared by the whole apartment block (about 20 families).
      But then, my ISP is China Telecom, which has no competition. >.>

    22. Re:Math is fun. by BosstonesOwn · · Score: 1

      Yes, but if you read more of the article for that NSA wiretap you would see they were accused of having even more rooms just like it on the at&t backbone.

      --
      This package Does Not Contain a Winner
  15. Lots of Issues by postbigbang · · Score: 1

    Privacy is the big one. While I can see a justification for finding DDoS attacks and zero-second malware propagation, this machine is nothing more than a net-neutrality killer of the highest order.

    First big customers: Comcast, Rogers, Bell Canada, AT&T, and the others that we love to hate.

    The FCC needs to investigate this thing NOW. It's a monopoly-maker in just 12U.

    --
    ---- Teach Peace. It's Cheaper Than War.
    1. Re:Lots of Issues by the+eric+conspiracy · · Score: 1

      Sometimes traffic shaping can be a good thing. For example, on a VOIP call you really do want to give priority to the packets associated with the call so that the codecs will be able to reconstruct a reasonable facsimile of a voice.

    2. Re:Lots of Issues by postbigbang · · Score: 1

      QoS issues and those that depend on connection latency need to be addressed, but deep-diving packets is unnecessary to do this. You need only look to the header, find that it's TCP and the service requested to accept or reject latency. The remaining issues are handled by various protocols. This is like swatting a fly with a freight train.... an eight hundred thousand dollar monopoly building freight train.

      --
      ---- Teach Peace. It's Cheaper Than War.
    3. Re:Lots of Issues by turbidostato · · Score: 1

      "Sometime traffic shaping can be a good thing. For example, on a VOIP call you really do want to give priority to the packets associated with the call"

      Yes. And it's a good thing for your ISP to know you are, for example, on VoIP to really *slowdown* the packets associated with the call so they can push through your throat their "premium service for VoIP" which is just de-capping again your VoIP calls.

      Oh! and *they* -not you- are the owners of the device so, which of those two "good things" do you think you will see in the very near future?

    4. Re:Lots of Issues by the+eric+conspiracy · · Score: 2, Interesting

      Deep packet inspection is necessary to identify and provide QoS for many modern internet applications. For example it is quite common for services to tunnel video over HTTP (example - YouTube). Skype cannot be identified without DPI.

      Of course it can be used for good or evil. But the fact of the matter is that DPI is in the mix as one approach to provide QoS for real time internet applications like streaming video and audio that don't play well with the 'best effort' delivery paradigm that packet switched networks are really designed to provide.

      If you really want network neutrality for every packet, fine. But be aware that right now time sensitive traffic types like VOIP are being prioritized, and network neutrality will degrade performance for some applications.

    5. Re:Lots of Issues by the+eric+conspiracy · · Score: 1

      Yes. And it's a good thing for your ISP to know you are, for example, on VoIP to really *slowdown* the packets associated with the call so they can push through your throat their "premium service for VoIP" which is just de-capping again your VoIP calls.

      Yeah, and the bad fairies might come in the night, steal your firstborn and replace it with a gollum.

      Your scenario is a paranoid fantasy.

    6. Re:Lots of Issues by postbigbang · · Score: 1

      At huge speeds, I'm not sure that the 20KB/sec needed for fdx VoIP is going to get noticed. Voice is communications in full duplex as an app, and isochronous media needs a little room; add some more for multiple streams. YouTube or other video over who-cares-what protocol is entertainment and can get in line with all other entertainment. The amount needed to protect VoIP from latency issues for single streams is trivial, and routing problems inject more latency than do packet squishes and misfires.

      What's even more onerous is the fact that deep-analysis is an invasion of privacy.

      I prefer the egalitarian approach, until the whole planet agrees that a specific type of traffic gets priority, and the reasons had better be better than oh, it's my RPG or top-ranked video.

      Until then, my packets are red hot, and your packets are doodly squat. Only neutrality gets it unless you want to change the premise of all of the rules. This box purportedly tries to allow monopoly ISPs/telcos/cable nitwits to unfairly pimp their own traffic. Fie.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:Lots of Issues by the+eric+conspiracy · · Score: 1

      At huge speeds, I'm not sure that the 20KB/sec needed for fdx VoIP is going to get noticed.

      You are missing the point. QoS is needed due to congestion due to total traffic; it has nothing to do with the bandwidth of the traffic being prioritized.

      Everybody prefers the egalitarian approach, the problem is that for the egalitarian approach to work under all conditions you need an economically unsustainable level of capital investment in network infrastructure.

    8. Re:Lots of Issues by postbigbang · · Score: 1

      QoS certainly needs latency control. But static routing, the kind afforded by MPLS and other constructs tends to achieve this better than brute force allocation, as a misrouting is possible unless every single member of the routing path respects the QoS call and the routing path stays reasonably static from a latency perspective.

      The TCP/IP protocol set wasn't designed well, or with isochronous media needs in mind. More onerous, however, is the ability for this box to deep-dive packets and look into conversations where there is no permission granted by the user to do so. Data mining, advertising/profiling, and many other misuses are possible in such a construct.

      When you suggest that the investment needed isn't sustainable, I think you underestimate the amount of dark fiber out there, and the fact that codecs and compression techniques are in their infancy. Optimization is largely random, and local/regional caching is the next big wave.

      It's seemingly a great idea to try to exert control, but in doing so, a Pandora's box of problems emerges. Are my packets more important than yours? If I go to politically sensitive sites frequently, should I be targeted? If I send fat videos to my friends in, say, Pakistan, should I be a person of interest?

      This is a king hell router, and it's also Big Brother to me. This is not how the Internet's been designed and violates numerous equal access and net neutrality principles. QoS is one thing, deep-diving of packets for fun and profit is another.

      --
      ---- Teach Peace. It's Cheaper Than War.
    9. Re:Lots of Issues by turbidostato · · Score: 1

      "Your scenario is a paranoid fantasy."

      Of course. It is not as if there were somebody interested in that little "net neutrality" nuisance.

  16. Cue existential question: by Anonymous Coward · · Score: 1, Funny

    Maxwell Smart's communications might be ultra-secure, but nearby KAOS agents still hear whenever his shoe rings, y'know?

    But if Agent 86's shoe phone rings while he is inside the Cone of Silence, does KAOS still hear it?

  17. ISP's motive by d3l33t · · Score: 1

    ISPs will spend money on DPI/traffic shaping whether I like it or not, so might as well make it efficient.

  18. slashdot likes to whine about big brother by circletimessquare · · Score: 1

    in ankle bracelets on truants, cameras around london, etc.

    those are just stunts, it is propaganda and hysteria to overinflate the significance of those developments

    but this massive dpi stuff, this is big brother for real

    but its not as sexy a lightning rod visceral symbolic issue like ankle bracelets on truants. so it won't experience the same outcry

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  19. Porn #1 by Durdenator · · Score: 0, Offtopic

    I'm pretty sure porn will get 1st priority!

  20. I've decided: this is evil. by TheGratefulNet · · Score: 5, Interesting

    think about the original definition of ethernet and of IP, in general.

    in general, it was setup to pass packets and ideally to keep them in the same order and not drop them. beyond that, the upper layers (tcp and udp) did any higher level functions.

    this worked! for the longest (damned) time, it worked.

    and now, ISPs (and large networks) are starting to try to break out the 'cable is a bunch of bits' into discrete 'services' and then try to re-order things, drop things, queue them differently or somehow treat things non-uniformly.

    I think this is Evil(tm).

    I've been in the networking field for a few decades (really) and I've seen traffic shaping (what a euphemism, btw!) try to argue its case over and over again. but I keep getting back to the basic design principles of ethernet (csma-c/d) and tcp/udp-ip and when you have large enough pipes, you don't NEED a 'fast lane' or diamond lane, so to speak. it just mucks up the works, makes things harder to design and manage and really isn't helpful since you still need large pipes and all the shaping in the world won't CURE that, it only DEFERs things. that's not a cure.

    data should be 'opaque' and first-come first-served. equal access. standard layer (phys, dl, network) rules should still apply.

    ISPs who employ shaping are simply RIPPING OFF customers from their rightful bandwidth and also passing along the COST of the packet snooping hardware to us, the users. (don't think they'll just spring for the hardware on their own; they'll pass the costs of this stuff to us, to be sure).

    I think it's evil. once you look at it from enough angles, you see that it's not at all a good thing.

    --
    "It is now safe to switch off your computer."
    1. Re:I've decided: this is evil. by gzerphey · · Score: 3, Interesting

      You are absolutely correct. For the longest (damn) time this did work. The problem is now the traffic doesn't burst like it used to. It's more sustained and oversubscription rules are breaking. Most ISPs are honestly trying to play a game of self-preservation so they can keep their service alive without being cost prohibitive.

      DPI is not evil so long as it is used to make the network better as a whole. As with anything it can be bent to the will of evil, but I disagree with that completely. I believe in certain forms of limiting so long as it doesn't degrade the internet experience as a whole.

      And yes, I consider myself a backer of net neutrality. All I can say is, I am a realist.

      --
      I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
    2. Re:I've decided: this is evil. by TheGratefulNet · · Score: 2, Insightful

      when you simply pass traffic as you get it, you can avoid paying (in real dollars) for equipment that looks inside.

      you can avoid the network management complexity if you simply let networks 'work' as they always have.

      are you running into a lot of dropped packets? simple: you are over-selling. there is an EASY way to fix that.

      oh, and an evil way. guess which one most ISPs and large public networks pick?

      by the time you factor in the cost of the snooper silicon, all its overhead and the training/support overhead, I argue that simply just upping the network pipes would have been cheaper and generated more goodwill and user satisfaction.

      sometimes, I am in disbelief as to why the most simple solutions are side-stepped in favor of more expensive and more complicated ones!

      charge for bit-rates, but please stop trying to carve them out into sub-channels. it's wrong, it's against the whole idea of a shared network (up and down the layers) and people will still try to find ways around your 'ways'. it's an arms race. HOWEVER, if you stop the arms race and simply let people pay for their rate of data, you avoid all this nonsense.

      the simple solution evades. yet again. why am I not surprised ;(

      --
      "It is now safe to switch off your computer."
    3. Re:I've decided: this is evil. by gzerphey · · Score: 1

      Again though, it's not feasible to have a 1:1 ratio of bandwidth at the WAN. Unless you want to pay T1 prices, or more, for guaranteed bandwidth there has to be something put in place for control. People are not going to just regulate themselves, nor should they have to.

      Again, I am not advocating tearing down the broadband experience, but there is no reason that the ISP has to let the system destroy the network for everyone. Let's be realistic, completely unregulated P2P CAN destroy a network for ALL users.

      --
      I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
    4. Re:I've decided: this is evil. by Shakrai · · Score: 1

      The problem is now the traffic doesn't burst like it used to. It's more sustained and oversubscription rules are breaking

      Cry me a river. Even ignoring the rise of p2p, did anyone seriously believe that the same oversubscription ratios that worked in the early 90s were still going to be valid in the 21st century? It's not like people didn't foresee the rise of streaming video and online content distribution.

      Most ISPs are honestly trying to play a game of self-preservation so they can keep their service alive without being cost prohibitive.

      "so they can keep their service alive without reducing dividends to the shareholders", there, fixed that for you.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:I've decided: this is evil. by TheGratefulNet · · Score: 1

      using a tech solution to avoid giving actual bandwidth to paying customers is still SIDE-STEPPING.

      if the wan is overburdened, again, they must be over-selling! it's really that simple.

      power users are willing (or should be willing) to pay for their high network usage. light users (email and light browsing) should pay a lower rate.

      but choking data because you have 'trouble' doing the money maths right is NOT the right way, my friend! it's an easy out but it's the wrong 'out', imho.

      fix your pricing levels so that you don't HAVE to gyp people out of their power-user experience. be fair and the users will be fair. I've always found that to be the case - treat people with respect and you generally get respect.

      either the pricing is wrong or the pipes are too thin (or both). fix the right problem but please stop trying to invent new ways to cut IP packets into pieces. that's just a crying shame and it's Wrong with a capital W.

      --

      --
      "It is now safe to switch off your computer."
    6. Re:I've decided: this is evil. by gzerphey · · Score: 1

      "so they can keep their service alive without reducing dividends to the shareholders", there, fixed that for you.

      So what is wrong with running a business? These guys are not a non-profit and they are frankly not oversubscribing nearly as much as you think they are. I can say that it's self-preservation until I am blue in the face, but chances are good you won't believe me.

      So there we have it. I believe we will have to agree to disagree.

      --
      I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
    7. Re:I've decided: this is evil. by Shakrai · · Score: 1

      Again though, it's not feasible to have a 1:1 ratio of bandwidth at the WAN

      You don't have to have a 1:1 ratio. You just have to have a decent enough ratio that on the typical day your customers aren't competing for bandwidth with one another. Obviously there will be times that they do (a WAN link goes down, some event/disaster happens that causes a spike in traffic, etc, etc) but if that's happening more than occasionally then you need to consider investing in some network upgrades.

      People are not going to just regulate themselves, nor should they have to.

      Maybe the ISPs should invest in backhaul upgrades without raising the speed level delivered to the end users? Seems like that would solve the problem. What's the point in offering 10-15-20mbit speeds if your customers can only achieve them at 3AM?

      Let's be realistic, completely unregulated P2P CAN destroy a network for ALL users.

      Not a well designed network.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:I've decided: this is evil. by Shakrai · · Score: 1

      So what is wrong with running a business

      Nothing, but don't pretend they have to throttle p2p to 'survive'. Lots of ISPs (both here in the states and elsewhere) have managed to survive without throttling p2p. Verizon doesn't throttle. They seem to be doing just fine the last time I checked.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    9. Re:I've decided: this is evil. by TubeSteak · · Score: 1

      but I keep getting back to the basic design principles of ethernet (csma-c/d) and tcp/udp-ip and when you have large enough pipes, you don't NEED a 'fast lane' or diamond lane, so to speak. it just mucks up the works, makes things harder to design and manage and really isn't helpful since you still need large pipes and all the shaping in the world won't CURE that, it only DEFERs things.

      ISPs will never actually purchase enough bandwidth to come close to meeting their customers' needs in a 1:1 fashion. More importantly, the problem is that P2P will expand to fill up whatever bandwidth is available.

      So the ISPs have two choices:
      1. Buy ABC more bandwidth, multiplied by forever, to serve a fixed number of users, thus raising their fixed costs without adding new customers
      2. Buy XYZ worth of traffic shaping equipment, multiplied by once

      From a business standpoint, it makes a lot of sense to try and get the most use from your existing infrastructure before raising your fixed costs.

      ISPs who employ shaping are simply RIPPING OFF customers from their rightful bandwidth and also passing along the COST of the packet snooping hardware to us, the users. (don't think they'll just spring for the hardware on their own; they'll pass the costs of this stuff to us, to be sure). Which is going to cost more: more bandwidth or packet inspection?
      You think they wouldn't pass along the cost of fatter pipes?

      I don't like where ISPs are heading, but for them, it makes sense to head down that path.
      --
      [Fuck Beta]
      o0t!
    10. Re:I've decided: this is evil. by roju · · Score: 1

      Do you need DPI for that? If the problem is users using too much data, then throttle based on data-consumption. Who cares what's in the packets?

      e.g., Based on total data transferred within the last 24 hours:
      0-2 Gigs -> 12 Mbps
      2-4 Gigs -> 6 Mbps
      4+ Gigs -> 3 Mbps
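
An added worked example, written for this page and not taken from any commenter or from anything Procera ships: the volume-only tiering roju proposes above, implemented as a sliding 24-hour byte window per subscriber. Reading "Gigs" as GiB, treating the tier boundaries as exclusive, and the subscriber name and byte counts in the trace are all assumptions made for the illustration; nothing in it looks at packet contents.

```python
from collections import deque

GIB = 1024 ** 3
WINDOW_SECONDS = 24 * 3600

# The tiers from the comment: (exclusive upper bound on 24-hour volume in bytes, rate in Mbps).
# Assumption: "Gigs" means GiB and a volume exactly on a boundary falls into the slower tier.
TIERS = [(2 * GIB, 12), (4 * GIB, 6), (float("inf"), 3)]


class VolumeThrottle:
    """Per-subscriber sliding 24-hour byte accounting mapped to a rate tier."""

    def __init__(self, tiers=TIERS, window=WINDOW_SECONDS):
        self.tiers = tiers
        self.window = window
        self.samples = {}   # subscriber -> deque of (timestamp, bytes), oldest first
        self.totals = {}    # subscriber -> bytes currently inside the window

    def _expire(self, subscriber, now):
        # Drop samples that have aged out of the window and subtract them from the total.
        q = self.samples[subscriber]
        while q and q[0][0] <= now - self.window:
            _, old = q.popleft()
            self.totals[subscriber] -= old

    def record(self, subscriber, timestamp, nbytes):
        """Account nbytes transferred by subscriber at timestamp (seconds, non-decreasing)."""
        self.samples.setdefault(subscriber, deque()).append((timestamp, nbytes))
        self.totals[subscriber] = self.totals.get(subscriber, 0) + nbytes
        self._expire(subscriber, timestamp)

    def volume(self, subscriber, now):
        """Bytes transferred by subscriber during the last `window` seconds as of now."""
        if subscriber not in self.samples:
            return 0
        self._expire(subscriber, now)
        return self.totals[subscriber]

    def rate_mbps(self, subscriber, now):
        """Rate tier that applies to subscriber as of now."""
        vol = self.volume(subscriber, now)
        for upper, rate in self.tiers:
            if vol < upper:
                return rate
        return self.tiers[-1][1]


def demo():
    """Constructed trace: one subscriber moving 1.5 GiB per hour for three hours."""
    throttle = VolumeThrottle()
    rates = []
    for hour in range(3):
        now = hour * 3600
        throttle.record("alice", now, int(1.5 * GIB))
        rates.append(throttle.rate_mbps("alice", now))
    # 26 hours in, every sample is older than 24 hours, so the volume has reset.
    rates.append(throttle.rate_mbps("alice", 26 * 3600))
    return rates


if __name__ == "__main__":
    print(demo())
```

The accounting only needs timestamps and byte counts, which is the point roju makes: the decision is reachable from flow volume alone, without any inspection of what the bytes carry.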

    11. Re:I've decided: this is evil. by WolfWithoutAClause · · Score: 1

      I think if you buy your connection from a decent ISP (if that is possible in your area), then the ISP will specify how much capacity you're supposed to use.

      The question then is, what happens when you exceed that?

      I think if you exceed it, then traffic shaping is reasonable (the alternative is to pay per byte; that's normally simply begging to be massively overcharged, don't do that).

      The question then is, what type of traffic shaping?

      I think that you should be given budgets, X high priority, Y low priority. And if you ask for too many high priority then they get turned into low priority, and if you have too many low priority then they get traffic shaped.

      If you think about it, that's *not* what deep packet inspection is. DPI is when your ISP tries to guess what your packets are, and tries to tell *you* how fast your traffic 'should' go, and they ignore what you say is important to you and what isn't, and they do it, independently of how much bandwidth they've sold you. If you want all your agreed bandwidth to be P2P- tough.

      DPI completely violates network neutrality and is evil, pure and simple.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    12. Re:I've decided: this is evil. by HaveNoMouth · · Score: 1
      Absolutely agreed.

      But the biggest evil has nothing to do with traffic shaping: If you can do Deep Packet Inspection, you can do Deep Packet Injection. Which means you can modify packets or add advertising packets to the stream. Which means that censors and advertisers will love it.

      Five years from now, fighting these things will probably have to be #1 on EFF's agenda. Sigh.

  21. No matter how you read it by koan · · Score: 1

    It's bad for the end user and good for the "corps"; nothing good will come from this from my perspective, and not just because I am a p2p user.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:No matter how you read it by Anonymous Coward · · Score: 0

      If you read the article, they mention a few beneficial uses. Activities such as (D)DoS and worms can be detected and quarantined in real time.

      Although these abilities will by no means be their primary function.

  22. I've said it before, I'll say it again by Aranykai · · Score: 5, Insightful

    If my ISP is going to inspect my packets to the point of identifying their content as p2p, then they should be 100% responsible for any and all illegal activities I may or may not conduct on their connections.

    The entire concept of the DMCA safe harbor clause was founded on the understanding that it would be virtually impossible for providers to monitor and filter illegal or unlawful activities and data. However, now it has become perfectly reasonable that they can identify and reroute or slow this traffic. This clearly nullifies the safe harbor provisions.

    The ISPs need to realize they can't have it both ways.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
    1. Re:I've said it before, I'll say it again by Osurak · · Score: 2

      Ah, but they *can* have it both ways, as long as they keep their friendly neighborhood congress-critter on their payroll.

    2. Re:I've said it before, I'll say it again by John+Hasler · · Score: 1

      > The entire concept of the DMCA safe harbor clause was founded on the
      > understanding that it would be virtually impossible for providers to monitor
      > and filter illegal or unlawful activities and data.

      No. The "safe harbor" provision of the DMCA is founded on the understanding that it would be virtually impossible for providers to reliably identify material that infringes copyrights. It has no relevance to any other activity.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:I've said it before, I'll say it again by Aranykai · · Score: 1

      Precisely my point good sir.

      If they are inspecting packets to this level, they can readily compare that information to a database provided by the RIAA/MPAA/Microsoft/Apple etc..

      They CAN easily identify materials that are copyrighted.

      --
      If sharing a song makes you a pirate, what do I have to share to be a ninja?
    4. Re:I've said it before, I'll say it again by GrayNimic · · Score: 1

      If the ISPs became legally responsible, wouldn't that simply be a motivation for them to simply drop all dubious-looking customers? Things like the proposed "three accusations and you're cut off" would probably look downright generous in comparison. I have no numbers of course, but simply cutting off the most suspicious customers seems like it wouldn't do too much harm to their bottom line, while shielding the ISP from most of the legal wrath. I can't see how a customer could have any recourse to get "reinstated", and with the pseudo-monopolies in so many places, P2P would become dancing with dialup rather than today's blank-filled Russian roulette. Am I missing something?

    5. Re:I've said it before, I'll say it again by jonaskoelker · · Score: 1

      The ISPs need to realize they can't have it both ways.

      I think the whole problem is that the ISPs are having it both ways and getting away with it. Someone needs to do something about it, but I think that any Someone with real influence has been bribed by^W^W^H receiving contributions from the ISPs.

      The USA must be a sad place to live (even without Bush).
  23. Something Wicked This Way Comes by Whuffo · · Score: 4, Insightful

    This is quite the impressive machine they're talking about. But what they don't seem to cover very well are the legitimate uses for such a device. Just because they call "monitoring your communications" deep packet inspection doesn't make it right.

    It looks like a disaster in a box to me: not only does it allow anyone with the price of the machine to monitor and inspect each and every packet you exchange, it also is capable of destroying the legal protections that ISPs currently enjoy.

    The ISPs are treated like common carriers and are exempt from many liabilities because they carry all traffic equally and don't know or control the content of that traffic. Now that they're insisting that they need to "prioritize" some traffic at the expense of others, monitor and drop traffic because of its content, and are installing machines like these that further refine their ability to monitor and control what traffic you'll be allowed to transmit - well, their "safe harbor" exemptions are based on them not doing any of this.

    Just the existence of this machine will be the undoing of many...

  24. Actually... by Anonymous Coward · · Score: 0

    It kind of does, actually (at least on some management bits and pieces)

  25. Fails by edivad · · Score: 1

    Like all regex/NFA/DFA based inspection engines, they all fail when malware hides inside archive files.
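
An added example, not from this thread and not from any vendor's product, of the failure mode edivad names and the usual answer to it: a byte-level regex signature misses the very same bytes once they are gzip- or zip-wrapped, so a scanner has to peel archive layers before matching, with a depth limit so that a deeply nested archive cannot keep it busy indefinitely. The signature string, the payload text and the depth limit are constructed placeholders for the illustration.

```python
import gzip
import io
import re
import zipfile

# Constructed signature: a made-up marker standing in for a real content pattern.
SIGNATURE = re.compile(rb"EXAMPLE-MALWARE-MARKER-[0-9]{4}")

# Assumed bound on recursion so a nested archive cannot exhaust the scanner.
MAX_DEPTH = 3


def naive_scan(data: bytes) -> bool:
    """A pattern engine run over the bytes on the wire: blind to anything inside an archive."""
    return SIGNATURE.search(data) is not None


def _unpack(data: bytes):
    """Yield the payloads one archive layer down: the gzip body, or every member of a zip."""
    if data[:2] == b"\x1f\x8b":                   # gzip magic number
        yield gzip.decompress(data)
    elif data[:4] == b"PK\x03\x04":               # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield zf.read(info)


def layered_scan(data: bytes, depth: int = 0) -> bool:
    """Match the raw bytes first, then recurse into each archive layer up to MAX_DEPTH."""
    if SIGNATURE.search(data):
        return True
    if depth >= MAX_DEPTH:
        return False
    return any(layered_scan(inner, depth + 1) for inner in _unpack(data))


def nest_gzip(data: bytes, layers: int) -> bytes:
    """Wrap data in `layers` gzip streams, one inside the other."""
    for _ in range(layers):
        data = gzip.compress(data)
    return data


def build_samples():
    """Constructed payloads: the marker in the clear, gzipped, and gzipped inside a zip."""
    plain = b"benign preamble " * 4 + b"EXAMPLE-MALWARE-MARKER-1234" + b" benign trailer " * 4
    gz = gzip.compress(plain)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.gz", gz)             # a zip holding a gzip: two layers
    return {"plain": plain, "gzip": gz, "zip_of_gzip": buf.getvalue()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:12s} naive={naive_scan(blob)} layered={layered_scan(blob)}")
```

The depth limit is the part a practitioner should not skip: without it the scanner itself becomes the resource-exhaustion target, and with it the operator has to decide what to do with anything nested deeper than the limit (flag it, hold it, or let it through with a note), because at that point the pattern engine genuinely cannot see inside.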

  26. What do they think it's for? by argent · · Score: 1

    But Brear and Lindén made the case that this shouldn't be seen as a looming consumer nightmare, nor should it be seen as having anything to do with network neutrality.

    What ELSE do they think it's for?

    Don't say that he's hypocritical
    Say rather that he's apolitical
    "Once the rockets are up, who cares where they come down
    That's not my department," says Wernher von Braun
    -- Tom Lehrer
  27. It's official by LameAssTheMity · · Score: 1

    From the people that brought you the War on Drugs and the War on Terror, it's the War on Privacy!

    1. Re:It's official by gzerphey · · Score: 1

      DPI != spying.

      DPI is mostly used for the sake of bandwidth control rather than seeing what the customer is doing. And yes, we can debate as to the nature of bandwidth controls, but to give a blanket DPI == spying is the same as saying P2P == illegal music downloads.

      My 2 cents...

      --
      I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
    2. Re:It's official by LameAssTheMity · · Score: 1

      Perhaps DPI as a rule isn't used for spying, but in the context of stopping or slowing P2P, it is only a matter of time before your ISP is on the RIAA/MPAA payola and is producing DPI spreadsheets for the said spying.

      Personally, I'm against my ISP doing anything other than providing a cable to my house.

    3. Re:It's official by gzerphey · · Score: 1

      Then purchase a T1 line. Then you can do whatever you want and you have dedicated bandwidth.

      In a residential ISP setup you share the bandwidth with others. That, my friend, is why it's cheaper than getting a dedicated, business connection.

      --
      I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
    4. Re:It's official by LameAssTheMity · · Score: 1

      Maybe you recall an article from not too long ago about different nations and their comparative access speeds and penetration and whatnot? In South Korea, the average connection speed was like 60-70 Mbps with something like 80+% of the population connected to the internet...

      So, I think that our ISPs need to get their asses in gear and provide better service, not to keep dividing a small pie into increasingly smaller pieces.

      Here: An Ars Technica article for you to read.

  28. ISPs are not common carriers by Anonymous Coward · · Score: 0

    This is quite the impressive machine they're talking about. But what they don't seem to cover very well are the legitimate uses for such a device. Just because they call "monitoring your communications" deep packet inspection doesn't make it right.

    It looks like a disaster in a box to me: not only does it allow anyone with the price of the machine to monitor and inspect each and every packet you exchange, it also is capable of destroying the legal protections that ISPs currently enjoy.

    The ISPs are treated like common carriers and are exempt from many liabilities because they carry all traffic equally and don't know or control the content of that traffic. Now that they're insisting that they need to "prioritize" some traffic at the expense of others, monitor and drop traffic because of its content, and are installing machines like these that further refine their ability to monitor and control what traffic you'll be allowed to transmit - well, their "safe harbor" exemptions are based on them not doing any of this.

    Just the existence of this machine will be the undoing of many...

    As said many times here, in the USA, an ISP is not, repeat. not. a. common. carrier.
  29. RTFA:Encryption barely slows this thing down. by foo+fighter · · Score: 1

    To everyone saying, well, I'll just encrypt everything: That's great, but this thing falls back on service fingerprints to identify traffic if it can't inspect packet contents. This is a similar concept to nmap's service and OS fingerprinting tech. Idiosyncrasies of timings, handshake protocols, header flags, and traffic patterns can give away that a packet contains p2p content.

    Repeat after me: encryption isn't a panacea.

    --
    obviously no deficiencies vs. no obvious deficiencies
    1. Re:RTFA:Encryption barely slows this thing down. by Skapare · · Score: 1

      OTOH, IPsec can deprive them of knowing the port number and a few other things.

      --
      now we need to go OSS in diesel cars
    2. Re:RTFA:Encryption barely slows this thing down. by foo+fighter · · Score: 1

      That's true, but no P2P network is using IPSec, nor is it likely any will since it's a serious PITA to set up and maintain.

      --
      obviously no deficiencies vs. no obvious deficiencies
  30. Your $800K machine is no match for my puny skills by Vellmont · · Score: 2, Insightful

    I'll bet in the war against p2p, making p2p data look like normal "priority" data is going to be far easier, and far cheaper than the ISPs trying to identify and block/slow the data they don't like. Consider that hiding p2p data takes one person with a keyboard and some smarts. In a month this guy will work around any solution the $800K machine guys have put together, and the next machine will be 8 million dollars to do the same job.

    Encryption? Just the first salvo. Others have pointed out that p2p makes a lot of connections. That's fine, just create a secure queuing system where people wait their turns (and don't have multiple data streams). Or, a repeater system where you get one or two data feeds in, and feed to one or two other people. There's no reason why a p2p system has to have 50 different connections to different people. Start looking at the data itself and see if it's http-like? Okee-doke, just create an http wrapper around your data so it looks like http. These are just the dumb ideas I came up with on the fly. Real solutions would be a lot better.

    This kind of asymmetric "war" has been fought before, namely with copyright protection in the 80s. The result? Cracked programs are more valuable than non-cracked programs (oh, and all copyright protection schemes were cracked).

    In a system with untrusted intelligent nodes, you can't really create a priority system without some people making their non-priority data look like priority data. The internet was designed for the end nodes to be smart, and the network to be dumb. (The exact opposite of the phone system). It seems to me this is just a basic design principle of the internet.

    --
    AccountKiller
  31. I wish this was more satirical and less true. by theaceoffire · · Score: 1

    As they have proven, they just blame the slow speeds on hackers and pirates, kick everyone off who complains or uses too much, and then overcharge the rest.

    --
    I steal signatures. This one used to be yours.
  32. Why don't ISPs just monitor bandwidth? by Anonymous Coward · · Score: 0

    Why don't ISPs just monitor bandwidth and just throttle people who consume too much? All this packet inspection crap is easily overcome through encryption but bandwidth usage is transparent.

    1. Re:Why don't ISPs just monitor bandwidth? by Skapare · · Score: 1

      Maybe it's because they want to do more than just monitor traffic volumes. One of the potential evils of this thing is that it can, for non-encrypted traffic like web access, track your web visits, see what you like, and report the top ten keywords for you to their spammer partners.

      --
      now we need to go OSS in diesel cars
  33. Use IPsec by Skapare · · Score: 2, Insightful

    With IPsec, they won't even be able to see what protocol is being used. The more we use IPsec for everything, the less these things will look like an attractive way to spend money that would otherwise go to expanding capacity.

    --
    now we need to go OSS in diesel cars
  34. gpus by mynicknamewasused · · Score: 1

    why can't this be done in a powerful pc, a few gpus to do the math (trivial to parallelize), and a couple of pcie 16x channels to do the traffic... add a few pcie 10gb ethernet and write good code... i mean, a 35k computer (cluster?) can do this, at a fraction of the cost!

    1. Re:gpus by Anonymous Coward · · Score: 0

      Dude, try to do it, and you will understand why.

  35. I don't care by Anonymous Coward · · Score: 0

    They can try to block p2p traffic all they want. I don't care if my isp starts to block p2p traffic; I'll simply change to an isp who doesn't block it. So they can buy all the 800,000 dollar machines they want; it's going to cost them that plus unhappy customers. The free market will speak.

  36. Cloudshield has had similar capabilities by bleh-of-the-huns · · Score: 1

    for years. This is not new. They have products (marketed towards the intelligence side of the world initially) that have been able to do DPI in near realtime on OC circuits. They can even take it a step further and do near real time packet replacement and data insertion... This is what you should be afraid of.. not of the fact that they can read your traffic in real time, but they can manipulate it in near realtime. It goes much deeper as well when you tie these types of products into other things like firewalls, IDS/IPS, netflow monitoring, etc etc...

    --
    I came, I conquered, I coredumped
  37. Re:Your $800K machine is no match for my puny skil by smallfries · · Score: 1

    OK then let's play a game. I can still spot your traffic and classify it as p2p with near 100% accuracy. I'm not going to tell you how, you have to guess and experiment. If you reply here with another attempt then I'll tell you if you pass or fail, but not why.

    Still want to play? If this sounds unfair then consider how this machine will be deployed...

    PS You still haven't defeated the encryption fingerprints that the DPI uses but there is something much more obvious that identifies your traffic as p2p

    --
    Slashdot: where don knuth is an idiot because he can't grasp the awesome power of php
  38. There's another option by roystgnr · · Score: 1

    Look at the priority the user requested for that packet, check to make sure the router you received the packet from hasn't filled their quota for that priority, and if not, give the packet that priority.

    Remember when the internet was supposed to be a "dumb" network that could therefore be easily and seamlessly improved by just improving the software at the endpoints? Those were good times.
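
An added example, not code from any commenter or vendor, of the budgeted-priority scheme WolfWithoutAClause sketches in comment 11 and roystgnr restates here: honour the priority the sender marked, charge it against that source's budget for that priority, demote to low when the high budget is spent, and shape only when the low budget is spent as well. The budgets are token buckets; taking DSCP Expedited Forwarding (codepoint 46, RFC 3246) as the one "high" request, and the rates, bursts and source name in the run, are assumptions made for the illustration.

```python
HIGH, LOW, SHAPED = "high", "low", "shaped"

# Assumption for this example: only the EF codepoint (RFC 3246) counts as a request for high priority.
DSCP_EF = 46


def dscp_to_class(dscp):
    """Map the priority the sender wrote into the packet to a request the scheduler understands."""
    return HIGH if dscp == DSCP_EF else LOW


class TokenBucket:
    """Byte budget that refills at `rate` bytes per second up to `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = 0.0

    def take(self, nbytes, now):
        # Refill in proportion to elapsed time, never beyond the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class PriorityBudgetScheduler:
    """Grants the priority the sender asked for while that sender's budget for it lasts."""

    def __init__(self, high_rate, high_burst, low_rate, low_burst):
        self.params = {HIGH: (high_rate, high_burst), LOW: (low_rate, low_burst)}
        self.buckets = {}   # (source, class) -> TokenBucket, one budget per upstream source

    def _bucket(self, source, cls):
        key = (source, cls)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*self.params[cls])
        return self.buckets[key]

    def classify(self, source, requested, nbytes, now):
        """Return the class this packet actually gets: HIGH, LOW, or SHAPED."""
        if requested == HIGH and self._bucket(source, HIGH).take(nbytes, now):
            return HIGH        # asked for high and the high budget covers it
        if self._bucket(source, LOW).take(nbytes, now):
            return LOW         # demoted (or low to begin with); the low budget covers it
        return SHAPED          # both budgets spent: queue or drop behind everything else


def demo():
    """Constructed run: one upstream source, 1 kB/s high (2 kB burst) and 5 kB/s low (5 kB burst)."""
    sched = PriorityBudgetScheduler(high_rate=1000, high_burst=2000, low_rate=5000, low_burst=5000)
    out = []
    for _ in range(5):       # five 1000-byte packets marked EF at t=0
        out.append(sched.classify("router-A", dscp_to_class(DSCP_EF), 1000, 0.0))
    for _ in range(7):       # seven 1000-byte best-effort packets, also at t=0
        out.append(sched.classify("router-A", dscp_to_class(0), 1000, 0.0))
    # Two seconds later the high bucket has refilled by 2000 bytes.
    out.append(sched.classify("router-A", dscp_to_class(DSCP_EF), 1000, 2.0))
    return out


if __name__ == "__main__":
    print(demo())
```

The decision uses the DSCP field and a per-source counter and nothing else, which is what both commenters are after: the network enforces how much of each priority a source may claim, while what the bytes are stays the sender's business.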

  39. Parent has not seen Bell Canada's DPI boxes by Anonymous Coward · · Score: 0

    What the parent said does not work in Canada. Basically, Bell Canada subjects ALL traffic (including that leased to other ISPs) on its last mile to DPI. They capped ALL traffic that is not on their white list. If you use SSL or any encryption, you get 30kB/s caps...

    No amount of encryption is going to work when they are throttling your PPPoE on its way to your ISP.

    http://www.dslreports.com/forum/r20465278-Proof-Bell-throttles-everything-but-known-portsprotocols

  40. Re:Your $800K machine is no match for my puny skil by Vellmont · · Score: 1

    I'm not going to tell you how, you have to guess and experiment.

    You obviously have underestimated people's tenacity at solving puzzles. This is FUN to a lot of people, and all it takes is one guy to find out your secret.

    but there is something much more obvious that identifies your traffic as p2p

    I'm sure there is, and the P2P guys will work around that problem. Are you (the ISP) willing to continue shoveling money into the companies that develop this, or would you rather just either buy more bandwidth, or establish real bandwidth usage limits? I'm betting on the latter. The war has to be worth fighting. The guys fighting the copy protection wars largely gave up 15+ years ago because they decided the cure was worse than the disease.

    --
    AccountKiller
  41. Re:Your $800K machine is no match for my puny skil by Anonymous Coward · · Score: 0

    The war has to be worth fighting. Does it, really? What's the best case scenario in your book? ISP's imposing bandwidth limits? You can morph, disguise, encrypt and generally mess about with your traffic fingerprint to your heart's content, and the best case scenario is that you'll get a harsher bandwidth limit than today, either in bits per second or in gigs per month. Pyrrhic victory if you ask me (you don't since I'm an AC, but hey...) That's assuming that it's a victory in the first place - say that some people on the other side of the router like puzzles as well and get paid to spend their entire day solving them. With full source code or protocol spec in hand, at that. Grim odds.

    Yes, some providers do some pretty bad mangling of BitTorrent and yes, that's pretty daft. The worst case scenario for them even if they were to block it entirely on the other hand is that they lose a limited number of customers hogging the majority of their bandwidth. For now. P2P usage is increasing in non-filesharing scenarios as well, one being IPTV. Extremely common in China, we westerners are slow on the uptake. The ISP will need to adjust.

    Enter distance-aware P2P - P4P if you prefer buzzwords. This will enable the providers - especially the larger providers - to keep the majority of the P2P traffic within their networks. Sure, it'll still lead to congestion points (trust me, 10 gig fibers aren't feasible everywhere for a while yet), but it won't eat into the global transit like it does today. Now there's a solution - faster speeds and no traffic limits for you, less valuable transit traffic eaten for the ISP. Fancy your puzzle? Implement better P2P routing algorithms that allow willing providers to participate in some fashion and adapt this in P2P clients.

    As for DPI, if it means that my SSH usage or WoW raid doesn't lose out on packets to your downloading of porn, nice. Or better, if it means that your neighbours won't suffer much when you hog all the bandwidth in your cable loop. As long as the usage is sane, there are benefits. Insane usage won't pan out in the end.
  42. Re:Monopoly Markets by Technician · · Score: 1

    I'll simply change to an isp who doesn't block it.

    You are lucky and in the minority who can choose from several broadband providers. I have a choice also.

    It's Comcast or any of several dial-up offerings in the area.

    Have you tried to do P-P on 0.3 Kbs dial-up lately?

    --
    The truth shall set you free!
  43. DPI is not only for blocking P2P by lsolano · · Score: 0

    It can be used to offer different flavors of connections. Maybe people here at /. cannot even imagine it, but, there are millions of people that could agree to pay a little less if they have the P2P blocked.

    What about companies, buying internet connections with P2P blocked on the ISP? ISP could even sell that as a plus, then, they can charge more giving less, and IT admins can forget about managing their own filters.

    What about a http/smtp/pop3 only connection?

    Obviously, DPI was developed to cut P2P down, but it can be used for many more.

  44. War on P2P TERRORISM gogo by cyrus0 · · Score: 1

    l2iptables? All this hype seems to imply that 80gbps of data is actively changed... which would be impressive, but since it just queues it into priority based classes, it isn't. My SparcStation 5 can do 100mbps traffic shaping while sitting at 0.0 average load. So, for a machine that costs 800k, seems like an overpriced piece of hardware that can always be overcome by advanced protocol encryption. Why not spend it on giving everyone a bigger pipe? Oh WAIT, that would be more bandwidth for the P2P TERRORISTS, AHHHHHHH.

  45. I've seen their lower end... by Anonymous Coward · · Score: 0

    entry level models, and these things are pure evil on a stick, the kind that gets packet snoopers salivating. I was watching a live demo where they were using a control console with a box installed in another country at some ISP, and we were quickly able to drill down and watch a chat between some manager and his secretary (NSFW by the way), real easy. Procera is locking up the ISP market in Europe, and is pressing hard into other markets. These guys make these kinds of capabilities affordable, compared to the Narus boxes used on those AT&T taps, which brings the barriers to trivial and largely unverified use down.

  46. Re:Your $800K machine is no match for my puny skil by smallfries · · Score: 1

    You obviously have underestimated people's tenacity at solving puzzles. This is FUN to a lot of people, and all it takes is one guy to find out your secret.

    No I understand that fun, I wouldn't do this job if I didn't. What I'm pointing out is that some of the give-aways that label a stream as p2p traffic are not simple to fix. They impact download performance. They are a downright pain in the ass to fix - the pool of people skilled enough to do it that think it is fun is shrinking rapidly.

    There is a major difference between this and copy protection. btw I've never heard someone with so much religiosity on the subject, outside of this bizarre context that is slashdot you would be quite scary :) To fix copy protection (whoops, just done it myself) you really do have a puzzle - you play with it to see where the routines are in a debugger. You get instant feedback on if you are right or wrong. When you are wrong you get to see some information about why you are wrong.

    This "puzzle" has none of those characteristics. You are changing one of a million attributes of a dataflow. Somebody else is reading and estimating that attribute. You have to get the whole set to fall below their threshold before you get any feedback. That is what we call "work".
    --
    Slashdot: where don knuth is an idiot because he can't grasp the awesome power of php
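
An added illustration, not from this thread and not Procera's classifier, of what foo fighter (comment 29) and smallfries (this comment) describe: flow metadata scored against several thresholds at once, so that changing a single attribute (here, moving every peer to port 443) still leaves the flow set over the cutoff. The feature names, thresholds, the cutoff and both packet traces are constructed assumptions for the example; payload bytes are never examined, which is why encryption does not change the outcome.

```python
# Constructed packet record: (remote_host, remote_port, direction, size_bytes);
# direction is "out" (from the subscriber) or "in" (towards the subscriber).

# Assumed decision rule: each feature at or over its threshold scores one point,
# and three or more points marks the subscriber's flow set as swarm-like.
THRESHOLDS = {
    "peer_count": 10,        # many simultaneous remote peers
    "high_port_share": 0.9,  # remotes almost all on unprivileged ports
    "upload_ratio": 0.3,     # roughly symmetric traffic, not download-dominated
    "full_size_share": 0.5,  # mostly MTU-sized segments in both directions
}
SCORE_CUTOFF = 3


def extract_features(packets):
    """Summarise a subscriber's packets into the metadata features the scorer uses."""
    n = len(packets)
    peers = {p[0] for p in packets}
    high_port = sum(1 for p in packets if p[1] >= 1024)
    full_size = sum(1 for p in packets if p[3] >= 1400)
    out_bytes = sum(p[3] for p in packets if p[2] == "out")
    in_bytes = sum(p[3] for p in packets if p[2] == "in")
    return {
        "peer_count": len(peers),
        "high_port_share": high_port / n,
        "upload_ratio": out_bytes / (out_bytes + in_bytes),
        "full_size_share": full_size / n,
    }


def classify(features):
    """Score the features; report which ones fired so an operator can see why."""
    hits = [name for name, limit in THRESHOLDS.items() if features[name] >= limit]
    return {"score": len(hits), "hits": hits, "swarm_like": len(hits) >= SCORE_CUTOFF}


def web_trace():
    """Constructed browsing session: two CDN hosts on port 443, small requests, large replies."""
    pkts = []
    for i in range(40):
        host = "cdn-a" if i < 20 else "cdn-b"
        if i % 4 == 0:
            pkts.append((host, 443, "out", 120))
        else:
            pkts.append((host, 443, "in", 1460))
    return pkts


def swarm_trace(remote_port=None):
    """Constructed swarm session: 16 peers, full-size segments both ways.

    By default each peer sits on its own high port; pass remote_port to put
    every peer on one fixed port and see how little that changes the score.
    """
    pkts = []
    for i in range(16):
        host = f"peer-{i}"
        port = 50000 + i if remote_port is None else remote_port
        for _ in range(3):
            pkts.append((host, port, "out", 1460))
            pkts.append((host, port, "in", 1460))
    return pkts


if __name__ == "__main__":
    for label, trace in [("web", web_trace()), ("swarm", swarm_trace()),
                         ("swarm on 443", swarm_trace(remote_port=443))]:
        print(label, classify(extract_features(trace)))
```

Returning the list of features that fired, not just the verdict, is the part worth keeping in a real deployment: it is what lets an operator review false positives and see which of the "million attributes" actually drove a decision.
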
  47. Re:Your $800K machine is no match for my puny skil by Vellmont · · Score: 1

    What I'm pointing out is that some of the give-aways that label a stream as p2p traffic are not simple to fix. They impact download performance.

    Does that really matter? Reduced performance is better than no performance.

    the pool of people skilled enough to do it that think it is fun is shrinking rapidly.

    Why?

    btw I've never heard someone with so much religiosity on the subject, outside of this bizarre context that is slashdot you would be quite scary

    Thanks for the douche bag comment. I really don't see any reason to get personal here.

    You are changing one of a million attributes of a dataflow. Somebody else is reading and estimating that attribute.

    A nice theoretical assessment, but how well will it stand up to the real world? How much processing can you reasonably do to each data flow to find out if you like it or not? How many false positives are you going to identify as p2p? How much maintenance do you have to do on the system to keep it in working order? This is a non-trivial problem, as the environment keeps changing. In the end it's all about $$, and I'm betting the p2p guys can make it cheaper for the ISPs to stop trying to block p2p (or whatever other traffic they decide they don't like).

    --
    AccountKiller
  48. Re:Your $800K machine is no match for my puny skil by smallfries · · Score: 1

    btw I've never heard someone with so much religiosity on the subject, outside of this bizarre context that is slashdot you would be quite scary :)

    Thanks for the douche bag comment. I really don't see any reason to get personal here.

    I added the smiley that you deliberately left out of the quote so that there wasn't any ambiguity. Your level of fervour on the subject of copyright protection does reach religious levels. Maybe you can't see that because your social skills are underdeveloped (yes, that actually is a personal comment). I base this on you selectively quoting the rest of my post and ignoring the crux of the argument. Does it make sense for you to quote the part about the pool of people shrinking (but not the argument about why) just so that you can ask why?
    --
    Slashdot: where don knuth is an idiot because he can't grasp the awesome power of php
  49. OT -- Freenet by synaptik · · Score: 1

    I'd like to see them DPI that.

    Why bother? My experience with Freenet is that it is self-throttling.

    Seriously. I have seen glaciers that move faster than Freenet.
    --
    HSJ$$*&#^!#+++ATH0
    NO CARRIER