Dubai, 20 November 29 November 2012
Download 1.36 Mb.
|
- Navigate this page:
- PLENARY MEETING Document 30-E
ADD SG13/30/1 Draft New Recommendation ITU-T Y.2770 (formerly Y.dpireq) Requirements for Deep Packet Inspection in Next Generation Networks Summary
This Recommendation specifies the requirements for Deep Packet Inspection (DPI) in Next Generation Networks (NGN). This Recommendation primarily specifies the requirements for Deep Packet Inspection (DPI) entities in NGN, addressing, in particular, aspects such as application identification, flow identification, inspected traffic types, signature management, reporting to the network management system (NMS) and interaction with the policy decision functional entity. Although aimed at the NGN, the requirements may be applicable to other types of networks. This Recommendation also contains use cases and other complementary information as appendixes. CONTENTS 1 Scope 10 1.1 Applicability 10 1.2 Policy Rules 11 2 References 12 3 Definitions 13 3.1 Terms defined elsewhere 13 3.2 Terms defined in this Recommendation 14 4 Abbreviations and acronyms 17 5 Conventions 21 6 DPI functional entity requirements 22 6.1 Flow and application identification 22 6.2DPI signature management 22 6.2.1 General signature requirements 23 6.2.2 Management of DPI signature library 24 6.2.3 Location of management function 24 6.2.4 Initiation of management actions 24 6.3 Traffic inspection aspects 24 6.3.1 Flow identification aspects 25 6.3.2 Protocol-stack aware and protocol-stack agnostic DPI aspects 25 6.3.3 DPI policy rule actions aspects 26 6.4 Reporting capability 28 6.4.1 Reporting to the Network Management System (NMS) 28 6.4.2 Reporting of new, unknown or incorrect application 29 6.4.3 Reporting of abnormal traffic 30 6.4.4 Reporting of events related to the DPI-PE 30 6.5 Interaction with a policy decision function 31 6.6 Traffic control 31 6.7 Session identification 32 6.7.1 Requirements for session identification 32 6.7.2 DPI actions at ‘session level’ 32 6.8 Inspection of encrypted traffic 32 6.8.1 Extent of encryption 32 6.8.2 Availability of decryption key 33 6.8.3 Conditions for inspections based on encrypted information 33 6.8.4 IPsec-specific DPI requirements 33 6.9 Inspection of compressed traffic 34 6.9.1 Awareness of compression method 34 6.10 Detection of abnormal traffic 35 6.10.1 Requirements for detection of abnormal traffic 35 7 Functional requirements from the network viewpoint 35 7.1 General requirements 35 7.1.1 Emergency Telecommunications 35 7.2 Data plane, control plane and management plane in DPI node 36 7.2.1 Traffic planes and traffic types from DPI node perspective 36 7.2.2 Requirements related to management plane 37 7.2.3 Requirements related to control plane 38 7.2.4 Requirements related to user (data) plane 38 7.2.5 Requirements across planes 38 8 Interfaces of the DPI-functional entity 38 8.1 External DPI-FE interfaces 38 8.1.1 Inspected traffic (p1) 39 8.1.2 Control/management of traffic inspection (e1) 39 8.1.3 Reporting to other network entities (e2) 39 8.2 Internal DPI-FE interfaces 39 8.3 Interface requirements 40 9 Security considerations and requirements 40 9.1 Security threats against DPI entities 40 9.2 Security requirements for DPI entities 41 A.1 Protocol syntactical perspective 42 A.2 Specifying information element values 43 A.3 Relation between flow descriptor, IPFIX flow identifier and IPFIX flow key 43 I.1 Introduction 45 I.2 DPI use cases: Application scenarios in packet-based network 45 I.2.1 Differentiated services based on service identification 45 I.2.2 Traffic monitoring 48 I.2.3 Security 49 I.2.4 Traffic statistics and services-based billing 51 I.3 DPI use case: Application scenarios of DPI specific to NGN 51 I.3.1 DPI used as a bidirectional tool for service control 54 I.4 DPI use case: Network- versus Link-oriented DPI 55 I.4.1 Overview 55 I.4.2 Link-oriented DPI 55 I.4.3 Network-oriented DPI 56 I.5 DPI use case: Traffic control 56 I.5.1 Overview of traffic control functions 56 I.5.2 DPI-based shaping of application traffic 57 I.5.3 DPI-based policing of peer-to-peer traffic 57 I.5.4 DPI-based marking of specific packet types 57 I.6 DPI use case: Detection of abnormal traffic 57 I.6.1 Background 57 I.6.2 Example use cases 58 I.7 DPI use case: Example concerning statistical versus deterministic packet inspection methods 58 I.8 DPI use case: Example concerning packet modification 59 I.8.1 DPI use case: Modification of packet header information 59 I.8.2 DPI use case: Modification of packet payload 60 I.9 DPI use case: Example concerning DPI engine capabilities 61 I.9.1 Background 61 I.9.2 DPI engine use case: Simple fixed string matching for BitTorrent 64 II.1 Introduction 65 II.1.1 Purpose 65 II.1.2 Specification level of rules 65 II.1.3 Generic rule format 65 II.2 Example policy rules for Application-dependent, Flow-dependent DPI – Identification order “1st Application, 2nd Flow” 66 II.2.1 Example “Security check – Block SIP messages with specific content types and derive SIP device address” 66 II.2.2 Example “Detection of Malware” 66 II.2.3 Example “Detection of specific video format” 67 II.2.4 Example “Detection of File Transfer in general” 68 II.3 Example policy rules for Application-dependent, Flow-dependent DPI – Identification order “1st Flow, 2nd Application” 68 II.3.1 Example “Security check – Process SIP messages (from a particular user) with specific content types – User identification via flow information” 68 II.3.2 Example “Application-specific traffic policing” 69 II.3.3 Example “Business Card (vCard) application – Correlate Employee with Organization” 69 II.3.4 Example “Forwarding copy right protected audio content” 70 II.3.5 Example “Measurement-based traffic control” 71 II.3.6 Example “Detection of a specific transferred file from a particular user” 71 II.4 Example policy rules for Application-dependent, Flow-independent DPI 72 II.4.1 Example “Security check – Block SIP messages (from a particular user) with specific content types – User identification via application information” 72 II.4.2 Example “Security check – Block SIP messages (across entire SIP traffic) with specific content types” 72 II.4.3 Example “Checking resource locators in SIP messages” 73 II.4.4 Example “Deletion of a particular audio channel in a multi-channel media application” 73 II.4.5 Example “Identify particular host by evaluating all RTCP SDES packets” 74 II.4.6 Example “Measure Spanish Jabber traffic” 74 II.4.7 Example “Blocking of dedicated games” 74 II.4.8 Example “Statistics about Operating Systems of game consoles” 75 II.4.9 Example “Measure abnormal traffic with respect to packet sizes” 75 II.4.10 Example “Detect abnormal MIME attachments in multiple application protocols” 76 II.4.11 Example “Identify uploading BitTorrent users” 76 II.4.12 Example “Measure BitTorrent traffic” 77 II.4.13 Example “Blocking Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols” 77 II.4.14 Example “Specific handling of old IP packets” 78 II.4.15 Example “Security check – SIP Register flood attack (using a SNORT rule)” 78 II.4.16 Example “Detection of BitTorrent traffic” 79 II.4.17 Example “Detection of eDonkey traffic” 80 II.5 Example policy rules for mixed (“stateful”) Application-dependent, Flow-independent/Flow-dependent DPI 81 II.5.1 Example “Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols” 81 II.6 Examples of multiple, different DPI policy rules for the same DPI application 83 II.6.1 Example “Detection of Remote Telnet” 83 II.7 Further examples 83 II.7.1 Example for application detection without independent of flow descriptor usage or not 83 III.1 Introduction 85 III.2 (DPI) Policy rule 85 III.2.1 Concept 85 III.2.2 (DPI) Policy condition 85 III.2.3 Hierarchical (DPI) policy conditions or/and (DPI) policy rules 86 III.3 (DPI) Policy Enforcement 87 III.3.1 Staged Process Model 87 III.3.2 Processing Stage 1: Packet Classification 90 III.3.3 Processing Stage 2: Action Execution 90 III.4 Notes to Staged Process Models 90 IV.1 Introduction 91 IV.2 PSL for Policy Control and Policy Management Interfaces 91 IV.3 Survey of possible PSLs (non-exhaustive list) 92 IV.4 PSLs on different network levels 95 IV.5 Recommendations for selected PSLs 98 V.1 DPI versus non-DPI 100 V.2 Example reference models for some layered protocol architectures 101 V.2.1 DPI for packets according IETF-BRM protocol layering 101 V.2.2 DPI for packets according other IETF reference models 102 VI.1 Introduction 104 VI.2 Summary and illustration of terms 104 VI.3 Using a formal description technique for the terms 106 VI.3.1 Formal specification of flow descriptor (flow level conditions) 106 VI.3.2 Formal specification of application descriptor (application level conditions) 106 VI.3.3 Formal specification of DPI Signature 107 VII.1 Introduction 108 VII.2 Rule-oriented Packet Processing 108 VII.3 Major Categories of Packet Policing 109 VII.4 Packet descriptor 111 VII.5 Session descriptor 113 VII.6 Terminology on identification, classification and filtering of packets, flows and traffic 114 VII.7 Application and flow tag 114 Bibliography 117
Draft New Recommendation ITU-T Y.2770 (formerly Y.dpireq) Requirements for Deep Packet Inspection in Next Generation Networks Directory: wp-content -> uploads -> 2012 2012 -> The Case Against the nypd’s Quota-Driven ‘Broken Windows’ Policing What Is It? 2012 -> Aa and na members Dying from Tobacco 2012 -> [Baby Crying] 01: 04 [Ching 2012 -> Unit Name / Nom de l’unité uic / ciu dates 2012 -> What We Owe Jehovah’s Witnesses 2012 -> Oceans Challenge Badge 2012 -> Canadian cycling olympians 2012 -> Greg landry, june olkowski and tom lysiak 2012 -> William goldman 2012 -> Does translocation and restocking confer any benefit to the European eel population? A review Download 1.36 Mb. Share with your friends:
| ||||||||||||||||||||||
