1 Scope
1.1 Applicability
1.2 Policy Rules
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 DPI functional entity requirements
6.1 Flow and application identification
6.2 DPI signature management
6.2.1 General signature requirements
6.2.2 Management of DPI signature library
6.2.3 Location of management function
6.2.4 Initiation of management actions
6.3 Traffic inspection aspects
6.3.1 Flow identification aspects
6.3.2 Protocol-stack aware and protocol-stack agnostic DPI aspects
6.3.3 DPI policy rule actions aspects
6.4 Reporting capability
6.4.1 Reporting to the Network Management System (NMS)
6.4.2 Reporting of new, unknown or incorrect application
6.4.3 Reporting of abnormal traffic
6.4.4 Reporting of events related to the DPI-PE
6.5 Interaction with a policy decision function
6.6 Traffic control
6.7 Session identification
6.7.1 Requirements for session identification
6.7.2 DPI actions at 'session level'
6.8 Inspection of encrypted traffic
6.8.1 Extent of encryption
6.8.2 Availability of decryption key
6.8.3 Conditions for inspections based on encrypted information
6.8.4 IPsec-specific DPI requirements
6.9 Inspection of compressed traffic
6.9.1 Awareness of compression method
6.10 Detection of abnormal traffic
6.10.1 Requirements for detection of abnormal traffic
7 Functional requirements from the network viewpoint
7.1 General requirements
7.1.1 Emergency Telecommunications
7.2 Data plane, control plane and management plane in DPI node
7.2.1 Traffic planes and traffic types from DPI node perspective
7.2.2 Requirements related to management plane
7.2.3 Requirements related to control plane
7.2.4 Requirements related to user (data) plane
7.2.5 Requirements across planes
8 Interfaces of the DPI-functional entity
8.1 External DPI-FE interfaces
8.1.1 Inspected traffic (p1)
8.1.2 Control/management of traffic inspection (e1)
8.1.3 Reporting to other network entities (e2)
8.2 Internal DPI-FE interfaces
8.3 Interface requirements
9 Security considerations and requirements
9.1 Security threats against DPI entities
9.2 Security requirements for DPI entities
A.1 Protocol syntactical perspective
A.2 Specifying information element values
A.3 Relation between flow descriptor, IPFIX flow identifier and IPFIX flow key
I.1 Introduction
I.2 DPI use cases: Application scenarios in packet-based network
I.2.1 Differentiated services based on service identification
I.2.2 Traffic monitoring
I.2.3 Security
I.2.4 Traffic statistics and services-based billing
I.3 DPI use case: Application scenarios of DPI specific to NGN
I.3.1 DPI used as a bidirectional tool for service control
I.4 DPI use case: Network- versus Link-oriented DPI
I.4.1 Overview
I.4.2 Link-oriented DPI
I.4.3 Network-oriented DPI
I.5 DPI use case: Traffic control
I.5.1 Overview of traffic control functions
I.5.2 DPI-based shaping of application traffic
I.5.3 DPI-based policing of peer-to-peer traffic
I.5.4 DPI-based marking of specific packet types
I.6 DPI use case: Detection of abnormal traffic
I.6.1 Background
I.6.2 Example use cases
I.7 DPI use case: Example concerning statistical versus deterministic packet inspection methods
I.8 DPI use case: Example concerning packet modification
I.8.1 DPI use case: Modification of packet header information
I.8.2 DPI use case: Modification of packet payload
I.9 DPI use case: Example concerning DPI engine capabilities
I.9.1 Background
I.9.2 DPI engine use case: Simple fixed string matching for BitTorrent
II.1 Introduction
II.1.1 Purpose
II.1.2 Specification level of rules
II.1.3 Generic rule format
II.2 Example policy rules for Application-dependent, Flow-dependent DPI – Identification order "1st Application, 2nd Flow"
II.2.1 Example "Security check – Block SIP messages with specific content types and derive SIP device address"
II.2.2 Example "Detection of Malware"
II.2.3 Example "Detection of specific video format"
II.2.4 Example "Detection of File Transfer in general"
II.3 Example policy rules for Application-dependent, Flow-dependent DPI – Identification order "1st Flow, 2nd Application"
II.3.1 Example "Security check – Process SIP messages (from a particular user) with specific content types – User identification via flow information"
II.3.2 Example "Application-specific traffic policing"
II.3.3 Example "Business Card (vCard) application – Correlate Employee with Organization"
II.3.4 Example "Forwarding copyright-protected audio content"
II.3.5 Example "Measurement-based traffic control"
II.3.6 Example "Detection of a specific transferred file from a particular user"
II.4 Example policy rules for Application-dependent, Flow-independent DPI
II.4.1 Example "Security check – Block SIP messages (from a particular user) with specific content types – User identification via application information"
II.4.2 Example "Security check – Block SIP messages (across entire SIP traffic) with specific content types"
II.4.3 Example "Checking resource locators in SIP messages"
II.4.4 Example "Deletion of a particular audio channel in a multi-channel media application"
II.4.5 Example "Identify particular host by evaluating all RTCP SDES packets"
II.4.6 Example "Measure Spanish Jabber traffic"
II.4.7 Example "Blocking of dedicated games"
II.4.8 Example "Statistics about Operating Systems of game consoles"
II.4.9 Example "Measure abnormal traffic with respect to packet sizes"
II.4.10 Example "Detect abnormal MIME attachments in multiple application protocols"
II.4.11 Example "Identify uploading BitTorrent users"
II.4.12 Example "Measure BitTorrent traffic"
II.4.13 Example "Blocking Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols"
II.4.14 Example "Specific handling of old IP packets"
II.4.15 Example "Security check – SIP Register flood attack (using a SNORT rule)"
II.4.16 Example "Detection of BitTorrent traffic"
II.4.17 Example "Detection of eDonkey traffic"
II.5 Example policy rules for mixed ("stateful") Application-dependent, Flow-independent/Flow-dependent DPI
II.5.1 Example "Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols"
II.6 Examples of multiple, different DPI policy rules for the same DPI application
II.6.1 Example "Detection of Remote Telnet"
II.7 Further examples
II.7.1 Example for application detection without independent of flow descriptor usage or not
III.1 Introduction
III.2 (DPI) Policy rule
III.2.1 Concept
III.2.2 (DPI) Policy condition
III.2.3 Hierarchical (DPI) policy conditions or/and (DPI) policy rules
III.3 (DPI) Policy Enforcement
III.3.1 Staged Process Model
III.3.2 Processing Stage 1: Packet Classification
III.3.3 Processing Stage 2: Action Execution
III.4 Notes to Staged Process Models
IV.1 Introduction
IV.2 PSL for Policy Control and Policy Management Interfaces
IV.3 Survey of possible PSLs (non-exhaustive list)
IV.4 PSLs on different network levels
IV.5 Recommendations for selected PSLs
V.1 DPI versus non-DPI
V.2 Example reference models for some layered protocol architectures
V.2.1 DPI for packets according IETF-BRM protocol layering
V.2.2 DPI for packets according other IETF reference models
VI.1 Introduction
VI.2 Summary and illustration of terms
VI.3 Using a formal description technique for the terms
VI.3.1 Formal specification of flow descriptor (flow level conditions)
VI.3.2 Formal specification of application descriptor (application level conditions)
VI.3.3 Formal specification of DPI Signature
VII.1 Introduction
VII.2 Rule-oriented Packet Processing
VII.3 Major Categories of Packet Policing
VII.4 Packet descriptor
VII.5 Session descriptor
VII.6 Terminology on identification, classification and filtering of packets, flows and traffic
VII.7 Application and flow tag
Bibliography