DPI and DFI technical analysis

Reference articles: DPI and DFI technical analysis, DPI technology

Background: In recent years new network services have emerged one after another: Peer-to-Peer (P2P), VoIP, streaming media, Web TV, audio and video chat, interactive online games, and virtual reality. Their popularity consumes a large share of operators' customer resources and, at the same time, has reshaped both the network's underlying traffic model and its upper-layer application model, raising a series of new problems in bandwidth management, content billing, information security, and public opinion control. P2P, VoIP and streaming media are the main sources. P2P traffic alone currently accounts for 50%-70% of Internet data traffic; adding streaming media and other services, the traffic of these new services is enormous. It breaks the earlier "high bandwidth, low load" IP network QoS provisioning model, greatly aggravates network congestion, reduces network performance and service quality, and hinders the development of normal network services and the adoption of key applications. The widespread use of P2P also poses great challenges to network information security monitoring and management.
Because P2P traffic swallows bandwidth, simple network upgrades and capacity expansions cannot keep pace with operators' data traffic growth. In addition, network equipment lacks effective technical means of supervision and cannot perceive or recognize emerging services such as P2P and Web TV, so network operators cannot effectively manage how their networks are used.
Traditional network operation and maintenance management implemented element-level management through device network management systems, and later developed into network-level management, which can manage and control simple upper-layer applications. Most of these application-level management and control techniques rely on the Simple Network Management Protocol (SNMP) or on flow identification based on port numbers.
Therefore, how to deeply perceive Internet and mobile Internet services, provide application-level management and control, and build an "operable and manageable" network has become the focus of operators' attention.

DPI technology

DPI stands for Deep Packet Inspection. On top of header analysis, DPI adds analysis of the application layer; it is a traffic detection and control technology that works at the application layer. When IP packets or UDP data streams pass through a DPI-based bandwidth management system, the system reads the IP packet payload in depth to reassemble the application-layer information of the OSI seven-layer model, thereby obtaining the content of the whole application session, and then shapes the traffic according to the management policy defined for the system.

For different protocol types, DPI identification technology can be divided into the following three categories:

- Characteristic word recognition technology:

Different applications usually use different protocols, and each protocol has its own fingerprint: a specific port, a specific string, or a specific bit sequence. Characteristic word (fingerprint) recognition identifies the application carried by a service by finding that fingerprint in the data packet. By detection method it can be subdivided into three branches: fixed-location feature matching, variable-location feature matching, and stateful feature word matching. By upgrading the fingerprint database, characteristic word recognition can easily be extended to detect new protocols.

- Application layer gateway recognition technology:

Some services separate the control flow from the service flow; for example, services related to Signalling System No. 7 carry no distinguishing characteristics in the service flow itself. Application layer gateway recognition targets this kind of service: the control flow is recognized first and then, according to the control-flow protocol, a specific application layer gateway is selected to analyze the service flow, thereby identifying the corresponding service flow. Each protocol needs its own application layer gateway. H.323, SIP and similar protocols belong to this category: the data channel is negotiated during the signalling exchange and is generally a voice stream encapsulated in RTP. Inspecting the RTP stream alone cannot determine which service the stream belongs to; that is decided when the session is set up, so only by inspecting the SIP or H.323 signalling exchange can a complete analysis be obtained.

- Behavior pattern recognition technology:

Before behavior pattern recognition can be deployed, the operator must first study the various behaviors of terminals and build a behavior recognition model from them. Based on that model, behavior pattern recognition judges, from the actions a customer has already taken, the action now in progress or about to be taken.

Behavior pattern recognition is usually used for services that cannot be distinguished by the protocol itself. For example, judged by the content of e-mail alone, the service flow of spam is no different from that of ordinary mail; further analysis is needed. Only by comprehensively analyzing message size, sending frequency, destination and source addresses, how often they change, and how often messages are rejected, and building a comprehensive identification model from these, can it be determined whether a message is spam.

These three identification technologies apply to different types of protocols and cannot substitute for one another. Only when all three are used together can the various applications on the network be identified effectively and flexibly, enabling control and billing.
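As an added illustration of the three characteristic word matching branches described above (fixed location, variable location, stateful), the following Python is written for this page and is not the article's or any vendor's code; the rules, flow ids and payloads are constructed for the demo, not a production signature set.

```python
# Added illustration of the three characteristic word matching branches:
# fixed-location, variable-location and stateful. Rules and payloads are
# constructed for the demo, not an operator's production signature set.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    app: str
    pattern: bytes
    offset: Optional[int] = None       # fixed location: pattern must start at this byte offset
    window: Optional[int] = None       # variable location: pattern anywhere in the first `window` bytes
    follow_up: Optional[bytes] = None  # stateful: a later packet of the same flow must carry this

def payload_matches(payload: bytes, rule: Rule) -> bool:
    if rule.offset is not None:
        return payload[rule.offset:rule.offset + len(rule.pattern)] == rule.pattern
    if rule.window is not None:
        return rule.pattern in payload[:rule.window]
    return rule.pattern in payload

RULES: List[Rule] = [
    Rule("http", b"GET ", offset=0),
    Rule("http", b"POST ", offset=0),
    Rule("bittorrent", b"\x13BitTorrent protocol", offset=0),
    # SIP request line ends with the version token; confirm with the reply before labelling.
    Rule("sip", b"SIP/2.0", window=64, follow_up=b"200 OK"),
]

class DpiClassifier:
    """Feed packets flow by flow; returns an app label once a rule is fully satisfied."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.pending: Dict[str, Rule] = {}   # flow_id -> rule waiting for its follow-up packet

    def feed(self, flow_id: str, payload: bytes) -> Optional[str]:
        waiting = self.pending.get(flow_id)
        if waiting is not None:
            if waiting.follow_up in payload:
                del self.pending[flow_id]
                return waiting.app
            return None                         # still waiting for the second feature word
        for rule in self.rules:
            if payload_matches(payload, rule):
                if rule.follow_up is None:
                    return rule.app             # a single feature word is enough
                self.pending[flow_id] = rule    # remember the state and wait
                return None
        return None
```

Only the stateful rule needs per-flow memory, which is where the upgrade and maintenance cost of a DPI signature set tends to concentrate.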

DFI technology

DFI (Deep/Dynamic Flow Inspection) differs from DPI, which matches the application layer payload: DFI is an application identification technology based on traffic behavior, that is, on the fact that different application types show different session-connection or data-stream states.

For example, the flow-state characteristics of Internet IP voice traffic are very distinctive: the packet length of the RTP stream is relatively fixed, generally 130 to 220 bytes; the connection rate is low, 20 to 84 kbit/s; and the session lasts relatively long. By contrast, the traffic model of P2P download applications has an average packet length above 450 bytes, long download times, a high connection rate, and TCP as the preferred transport protocol. DFI builds a flow characteristic model from this set of flow behavior characteristics; by analyzing the packet length, connection rate, transmitted byte volume and inter-packet interval of a session's flow and comparing them with the flow models, it identifies the application type.
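The following Python is an added example of the DFI approach just described, not code from the article. It reduces one session's packets to the features named above and compares them with two flow models; the VoIP and P2P ranges are the figures quoted in the text, while the 30 s "long session" threshold, the P2P rate threshold and the sample flows are constructed assumptions.

```python
# Added illustration of DFI-style flow classification. Packet records, the
# 30 s duration threshold and the P2P rate threshold are constructed for the
# demo; the VoIP and P2P ranges follow the figures quoted in the text.
from dataclasses import dataclass
from statistics import mean

@dataclass
class Packet:
    ts: float    # capture time in seconds
    size: int    # packet length in bytes
    proto: str   # transport protocol, "udp" or "tcp"

@dataclass
class FlowFeatures:
    avg_len: float     # average packet length (bytes)
    rate_kbps: float   # average bit rate over the flow (kbit/s)
    duration_s: float  # time between first and last packet
    avg_gap_s: float   # mean inter-packet interval (s)
    proto: str

def extract_features(packets: list) -> FlowFeatures:
    """Reduce one session's packets to the behavioral features DFI compares."""
    pkts = sorted(packets, key=lambda p: p.ts)
    duration = pkts[-1].ts - pkts[0].ts
    total_bits = 8 * sum(p.size for p in pkts)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return FlowFeatures(
        avg_len=mean(p.size for p in pkts),
        rate_kbps=(total_bits / 1000) / duration if duration > 0 else 0.0,
        duration_s=duration,
        avg_gap_s=mean(gaps) if gaps else 0.0,
        proto=pkts[0].proto,
    )

def classify_flow(f: FlowFeatures) -> str:
    """Compare the features against two flow models; anything else is 'unknown'."""
    long_lived = f.duration_s >= 30.0   # assumed threshold for a "long" session
    if (f.proto == "udp" and 130 <= f.avg_len <= 220
            and 20 <= f.rate_kbps <= 84 and long_lived and f.avg_gap_s < 0.1):
        return "voip"   # RTP-like: fixed small packets at a steady low rate
    if f.proto == "tcp" and f.avg_len > 450 and f.rate_kbps > 84 and long_lived:
        return "p2p"    # bulk download: large packets, high rate, TCP
    return "unknown"

def synthetic_flow(count: int, gap_s: float, size: int, proto: str) -> list:
    """Constructed constant-rate flow used as sample input."""
    return [Packet(i * gap_s, size, proto) for i in range(count)]
```

Nothing in the classifier looks at payload bytes, which is why the page's later point about encrypted traffic holds: encryption changes the content, not these features.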

Analysis of the pros and cons of DPI and DFI

DFI processing speed is relatively fast:

DPI must unpack every packet and match it against a back-end signature database, whereas DFI traffic analysis only needs to compare flow characteristics with the back-end flow model. As a result, most current DPI-based bandwidth management systems reach a processing capacity of about 1 Gbit/s line speed, while DFI-based systems can monitor traffic at 10 Gbit/s line speed, which fully meets operators' needs.

DFI maintenance costs are relatively low:

A DPI-based bandwidth management system always lags behind new applications: it must keep up with new protocols and applications and continuously upgrade its application signature database, or it cannot effectively identify and manage bandwidth for new technologies and maintain pattern-matching efficiency. A DFI-based system requires less management and maintenance than a DPI system, because the traffic characteristics of a new application of the same type as an old one do not change significantly, so the traffic behavior model need not be upgraded frequently.

Each has its own advantages in recognition accuracy:

Because DPI uses packet-by-packet analysis and pattern matching, it can accurately identify the specific application types and protocols in the traffic; DFI only analyzes traffic behavior, so it can only classify application types coarsely. Applications that fit the P2P traffic model are uniformly identified as P2P traffic, and those that fit the network voice traffic model are uniformly classified as VoIP traffic, but it is impossible to determine whether the traffic uses H.323 or some other protocol. If packets are encrypted in transit, DPI-based flow control cannot identify the specific application, whereas DFI-based flow control is unaffected, because the state and behavior characteristics of the application flow are not fundamentally changed by encryption.

Origin blog.csdn.net/qq_24852439/article/details/114803796