Why is deep packet inspection technology such a thriving business in the Middle East and Asia?
The connection has timed out. You are not connected to the Internet. Server not found.
We’ve all experienced one of these dread messages at some point in our digital lives, courtesy of the inner workings of our Web browser. Most of the time they appear because of a problem with the networking hardware and associated software that stands between us and the websites we want to access.
In other cases they may be the result of a deliberate act perpetrated by an Internet service provider – often at the request of a repressive regime intent on blocking the free flow of information.
It happens in China every day, where typing the words ‘Tiananmen Square’ into a search engine will produce either a blank page or a heavily filtered list of results. Beyond these automated content filtering restrictions, there have been reports of Chinese Web users suddenly being unable to access YouTube whenever a video that the government has deemed as seditious is becoming too popular.
Similar experiences have been reported in Iran and in many of the countries in the Middle East that have been pressing for democratic change since the beginning of this year. One key technology that many suspect is being used to carry out such online censorship is deep-packet inspection (DPI).
How it works
The concept behind DPI is simple. Internet traffic consists of a multitude of IP (internet protocol) packets that are exchanged between two computers – a server and an end user. Before packets reach their destination to be reassembled, they must traverse a series of routers and switches that determine the best path for them, based on the information contained in each packet header.
DPI equipment mimics the ‘reading’ function of routers and switches, and can also look into each packet’s payload, which holds the data being exchanged.
Privacy advocates – particularly in North America and Europe – have been vocal about the fact that installing DPI hardware and software may give Internet service providers the ability to monitor all email, Web-based and audiovisual content going through their networks.
Shira Levine, directing analyst for next-generation operational support systems and policy at Infonetics Research, remembers how Virgin Media in the UK was heavily criticised last year after it said it would trial DPI technology to detect copyright infringement among its file-sharing customers.
‘Even that application,’ says Levine, ‘which you certainly couldn’t argue would be a violation of privacy as copyright protection is a legal mandate, created a lot of uproar. There’s been a significant perception in [Western] markets linking DPI with a ‘Big Brother’ technology. I think that’s really limiting operator investment in those countries.’
Privacy concerns are just one of the factors limiting DPI take-up in the Western hemisphere. Another is the net-neutrality debate. When the first DPI systems started to be marketed in the early 2000s, operators used them to perform network traffic optimisation. But since this involved making a number of assumptions about the value of certain types of packets and prioritising traffic accordingly, net-neutrality supporters (and, in some countries, communications regulators) asked for limits on their use.
That’s the end of the matter, then – the DPI industry has no future, right? Well, from a global market worth less than $250m in 2009, sales of standalone DPI gear (which currently account for more than 90 per cent of the market) will surge to $1.5bn by 2014, according to Infonetics.
‘There’s a lot of growth potential in some of the emerging markets,’ says Levine, such as the Middle East and Asia.
So, with Western demand for DPI inhibited, is it the more authoritarian states in the East that are buying the technology to control what residents are able to view on the internet?
Well, it’s one thing to say that governments which censor online content are probably using DPI tools to do so. It’s another to assert that this is driving the strong growth in demand. ‘I don’t see that being a huge driver at the moment,’ says Levine. ‘I’m not ruling it out going forward, though.’
From cyber security to targeted services
So what is driving demand? E&T put that question to Procera Networks, one of the top three suppliers of standalone DPI products, together with Sandvine and Allot.
‘If I look specifically at the Middle East, they’re pretty far along when it comes to service packaging, which is probably why we’re seeing a more rapid increase in that market than in many others,’ says Jon Linden, Procera’s vice president of global marketing.
Levine agrees, and explains what service packaging involves: ‘There’s less of a concern about privacy in those markets. So a lot of operators are looking at combining DPI with their policy and charging-control system to create value-added services – really being able to identify what the subscriber is doing and then turning that [data] into marketing and loyalty opportunities.
‘It’s about understanding and addressing the needs of the subscribers,’ says Dan Joe Barry, vice president of marketing at Napatech, which claims to have developed the most advanced programmable network adapters for traffic analysis and application offloading for wireless broadband operators.
‘There’ll be a period when you’ll have to monitor how they are using their services to build up an idea of what these guys like, what their needs are, how they use their service,’ Barry says. ‘Then, a dialogue can be established where you could say: ‘Look, I know that you use Facebook a lot – would you like a service where Facebook is prioritised so you can get a really good service for that [on your mobile]?”
Another emerging DPI application that Middle Eastern and Asian operators are keen on is lawful interception and cyber-security. ‘There is a need for anti-terrorism and other public security agencies to be able to go in and see what’s going on in the networks,’ says Barry.
‘Consumers have the idea that whatever I send is going to be encapsulated and nobody will be able to see what I’m sending. Well, that’s not going to be the case. And we don’t want it to be the case,’ he says, ‘because we want to be able to protect the network.’
Levine adds that some countries have specific government mandates that require communications providers to be able to filter or block traffic: ‘In some parts of Asia, for example, Skype traffic is blocked. So, quite often, it’s government mandates that are driving DPI investments.’
Scale, scale and scale
Whether it is for network security, traffic shaping or value-added service creation, many of the applications for DPI rely on combining fast microelectronics systems capable of processing the vast amounts of traffic that wireline and wireless networks are currently experiencing with software smart enough to make sense of the captured packets by comparing them with sophisticated data banks.
Only then can the network generate automated responses. It is what Procera calls ‘intelligent policy enforcement’.
‘We’ve been working with service provider deployments since 2001, and capacity is always a big question,’ says Linden.
Indeed, if a broadband operator is going to authorise a piece of equipment to sit in the packet path, it will face numerous questions about the product’s ability to operate transparently, without compromising network performance.
In the case of Procera, its DPI product will introduce a worst-case latency of 0.1ms, which Linden claims is a very impressive performance. But he admits: ‘We have to scale, and scale and scale to accommodate that [operators] are constantly building up their networks.’
Napatech’s Barry says his company’s DPI network adaptors, which can run at 10Gbit/s, don’t interfere at all with network performance, as the connection they are inspecting will typically be tapped: ‘It’s essentially a tap on the connection that’s providing us with a copy of everything that’s going past.’
Asked whether an ISP operating in a country where there’s government pressure to censor Internet traffic could use DPI to that end, Barry replies: ‘Of course you could. But you’ve always had that possibility anyway. I mean, you could tap telephone calls’ this is not a technology breakthrough. It’s been possible for a long time to do these sorts of things. You could have that fear, but it’s a question of trust. Do you trust that your carrier is interested in providing you with a better service?’