I may have to drop Chris Parsons off of my Twitter feed... Today he tweeted a link to an article about DPI technology. Yet again, another misinformed post decrying the evils of Deep Packet Inspection technology and my blood pressure quickly started to rise again. If I want to maintain my health and sanity I'll have to stop reading these posts; posts which Chris is damned good at finding!
This particular article is written by Art Reisman, Chief Technology Officer of APConnections, which is a manufacturer of network management appliances. In this article, Art warns of the evils of DPI, and his company's claim is that "APconnections removed all Deep Packet Inspection technology from their NetEqualizer product over 2 years ago." So the implicit claim is that APConnections is less evil than their DPI-using competitors. We'll get to that in a minute.
Quick refresher. Every network packet has two parts, a header and a data portion. The header contains the routing information, and the data portion has the actual data to be delivered. The information in the header is what non-DPI (i.e. "regular") network equipment uses to get the data where it is supposed to go. DPI network equipment will look at the whole network packet, and take action on what it finds in any part of the packet.
So what does this difference mean? For network management purposes, you can derive a lot of useful information from the header: where the data came from, where it is going, what application type was used, etc. From this information a network manager can prioritize (or control) how much bandwidth is allocated based on source or destination IP address and also the type of traffic (e-mail, web surfing, P2P, etc.). Sometimes, though, the header information doesn't tell the whole story and it can be hard to tell one type of traffic from another. So a DPI appliance looks at the data portion of the packet and, based on algorithms and signatures, can more finely tune those controls. This is a very important point: you do not need DPI to control network traffic; it just allows for more accurate matching of rules to data types.
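The difference between the two approaches, as an added example that is not from Art's article or any vendor's product: a header-only classifier and a signature-based one run over the same packets. The port table, the signature list and the sample packets are constructed for illustration.

```python
import struct

# Constructed tables (assumptions for this example, not from the article).
PORT_CLASSES = {25: "e-mail", 80: "web", 443: "web", 6881: "p2p"}
SIGNATURES = [(b"\x13BitTorrent protocol", "p2p"), (b"GET ", "web"), (b"POST ", "web")]

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (checksums zeroed) as constructed sample input."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def parse(packet):
    """Split a packet into its header fields and its data portion."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_start = ihl + (packet[ihl + 12] >> 4) * 4
    header = {"src": ".".join(map(str, packet[12:16])),
              "dst": ".".join(map(str, packet[16:20])),
              "sport": sport, "dport": dport}
    return header, packet[data_start:total]

def classify_by_header(header):
    """Non-DPI: decide from header fields only (here, the TCP ports)."""
    return PORT_CLASSES.get(header["dport"]) or PORT_CLASSES.get(header["sport"]) or "unknown"

def classify_by_dpi(header, data):
    """DPI: match the data portion against signatures, fall back to the header."""
    for prefix, traffic_class in SIGNATURES:
        if data.startswith(prefix):
            return traffic_class
    return classify_by_header(header)

def compare(packet):
    """Return (header-only class, DPI class) for one packet."""
    header, data = parse(packet)
    return classify_by_header(header), classify_by_dpi(header, data)

# Constructed samples: a web request, P2P on port 80, P2P on a random port, opaque data on 443.
WEB = build_packet("10.0.0.5", "192.0.2.10", 50000, 80, b"GET / HTTP/1.1\r\n\r\n")
P2P_ON_80 = build_packet("10.0.0.5", "192.0.2.20", 50000, 80, b"\x13BitTorrent protocol" + bytes(8))
P2P_HIGH = build_packet("10.0.0.5", "192.0.2.20", 50000, 51413, b"\x13BitTorrent protocol" + bytes(8))
OPAQUE_443 = build_packet("10.0.0.5", "192.0.2.30", 50000, 443, b"\x17\x03\x03\x00\x20" + bytes(32))
```

Both classifiers agree on the ordinary web request and on the opaque data to port 443; they disagree only where the port does not match what is actually in the data portion.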
So let's move on to demolishing Art's claims:
Art claims that Internet Providers use DPI technology to allow Targeted Advertising, Reducing "unwanted" traffic or Offensive Material, and Government Spying.
You do not need DPI technology to do targeted advertising. Without inspecting the data portion of the packet, an ISP can determine if you spend a lot of time at children's clothes websites, just by inspecting the IP addresses of the sites you go to. That information is all in the header. Again, DPI may allow for more accurate analysis, but an ISP is not helpless without it. So an ISP can serve up ads from clothing suppliers every time you connect to the Internet. But it isn't evil DPI-provided advertising!
You also do not need DPI technology to reduce "unwanted" traffic. DPI technology allows for accurate classification of unwanted traffic. If you subscribe to the "if you are going to do something, do it right the first time!" line of thinking, DPI technology can improve the classifications, reducing the instances when "wanted" traffic is classified as "unwanted" traffic. ISPs are going to control your traffic; we can outlaw DPI technology, but it will not stop them from controlling traffic. Case in point: APConnections' NetEqualizer products do not use DPI, but they are sold as network management appliances that can filter unwanted Peer to Peer file sharing programs. Less evil network shaping! Because it is not DPI! Do you feel better now?
DPI can also be used for government spying!!!! Actually that is mostly bullshit. You do not spy using DPI technology, you spy by capturing entire data streams and analyzing them later with software. In other words, wiretapping. And the United States passed a law, the Communications Assistance for Law Enforcement Act, which requires ISPs to provide real-time access to consumer internet traffic. And look, NetEqualizers are CALEA compliant! So with a NetEqualizer, you can do non-evil, non-DPI wiretapping!
I should really thank Art for his post. By trying to whip up hysteria over DPI (and gain sales for his company as the not-evil option) he proves 100% that you do not need DPI to rate-shape traffic, block content and wiretap your data.
The lesson once again is, it is not the technology that is evil, it is how you use it.