DPI Applications


Content Aware Networks
Sailesh Kumar
Cisco Research
Two Important Applications
• Security
– IDS, IPS, AV, SPAM, App-firewall etc
• Content Based Forwarding
– Application Identification
– Protocol Analysis
– Field extraction (subscriber, URL, email address, etc)
Two Important Applications
• Security (multi-billion $ market)
– IDS, IPS, AV, SPAM, etc
• Content Based Forwarding (can become much bigger market)
– Application Identification
– Protocol Analysis
– Field extraction (subscriber, URL, email address, etc)
Trends
• Security - regex is popular
– Old, outdated approach
– New techniques such as machine learning (IronPort), anomaly detection, data mining etc are gaining popularity
• Content Based Forwarding
– Application Identification (p2p, skype, video over http)
– Content based admission control (firewall)
– Protocol analyzer (requires more than pattern matching)
– Subscriber, content based statistics, billing
Industry Trends
• Vanilla regex acceleration
– Vihana (Cisco supported)
– Netlogic (ASIC)
– LSI (Tarari acquisition)
– Sensory (Software regex)
– Most of these target security market
• Niche markets – Xambala, GV, Nevis, Exegy, Allot, Tigerme
• What about content based forwarding?
– Few startups (P-Cube, Cisco acquired), Cisco products (NBAR, PISA), Juniper has some < few 100 million $
Why Content based Forwarding is not Gaining Traction?
• Based on discussion with real customers (BT 21CN, Savis, Telecom Italia)
1. Customer friendliness
• Regular languages are not easy to use by end customers
2. Performance
3. Cost
Customer Friendliness
• Regex is cumbersome
• Customers want ability to recognize applications
– regex is not sufficient
• Customers want to use important attributes of applications
– URL, port, MIME mail contents, etc
• Want a simple interface to specify content classification rules
– Block facebook.com from all users except marketing
– Block SMTP if MIME subject contains xyz keyword
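
Added example (not from the original slides or any Cisco product): the two sample policies above written as attribute rules instead of regex. The rule syntax, the field names (host, group, proto, mime_subject) and the in-domain operator are assumptions made for illustration; the flow record is constructed.

```python
import shlex

# Operators of the hypothetical rule language; all compare lower-cased strings.
OPS = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    "contains": lambda have, want: want in have,
    # Domain-suffix match: "facebook.com" covers "www.facebook.com"
    # but not "notfacebook.com".
    "in-domain": lambda have, want: have == want or have.endswith("." + want),
}

def parse_rule(text):
    """Parse '<action> when <field> <op> <value> [and ...]' into (action, conds)."""
    tokens = shlex.split(text)
    if len(tokens) < 5 or tokens[1] != "when":
        raise ValueError(f"malformed rule: {text!r}")
    action, rest, conds = tokens[0], tokens[2:], []
    while rest:
        if len(rest) < 3 or rest[1] not in OPS:
            raise ValueError(f"bad condition in rule: {text!r}")
        conds.append((rest[0], rest[1], rest[2].lower()))
        rest = rest[3:]
        if rest:
            if rest[0] != "and" or len(rest) == 1:
                raise ValueError(f"expected 'and <condition>' in: {text!r}")
            rest = rest[1:]
    return action, conds

def decide(rules, flow, default="allow"):
    """Return the action of the first rule whose conditions all hold for the flow."""
    # A missing attribute compares as "", so a flow with no known group is
    # not treated as marketing and the block still applies.
    attrs = {k: str(v).lower() for k, v in flow.items()}
    for action, conds in rules:
        if all(OPS[op](attrs.get(f, ""), want) for f, op, want in conds):
            return action
    return default

# The two policies from the slide, written in the hypothetical syntax.
RULES = [parse_rule(r) for r in (
    'block when host in-domain facebook.com and group != marketing',
    'block when proto == smtp and mime_subject contains "xyz"',
)]

# Constructed sample: attributes a protocol analyzer would have extracted.
FLOW = {"proto": "http", "host": "www.facebook.com", "group": "engineering"}

if __name__ == "__main__":
    print(decide(RULES, FLOW))
```

The rules operate on fields that have already been extracted from the traffic, so the matching step stays simple while the protocol analysis happens upstream.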
Challenges
• We are developing a 100 Gig system for content based forwarding
– A number of important issues
– Create efficient rules for application recognition, data analysis
• We strongly believe that vanilla regex is not the right approach
• Rules should be composed of grammar, and efficient logic around it
– Easy to use by customers
– Extraction of critical attributes of communication
– TCP normalization
– Character encoding issues
– Buffering issues
– System architecture
• Co-software, hardware design, interface, etc
• Unfortunately academia has focused too much on regex
For Discussion
• Can we develop better mechanisms to inspect packet content?
– Customer friendliness is critical
• What should we do in the face of encryption?
• What about net-neutrality?
• Cisco is interested to support content based networking research; academia can show us the right way?
– University participation through
www.cisco.com/web/about/ac50/ac207/crc_new/ciscoarea/content.html