DPI for residential gateways at a glance

Residential gateways (RGs) have over the past decade evolved dramatically into devices that support time sensitive and higher bandwidth applications. RGs are now capable of delivering a vast array of services – such as VoIP, IPTV and security services. Web 2.0 is driving even more new applications which introduce significant security threats. As a result, service providers need complex RGs that can deftly handle new applications while safeguarding users from potential security breaches.
The capabilities of today’s RGs have become pivotal to service providers’ success. Service providers increasingly rely on the RGs to deliver the best quality of service (QoS) and highest level of security for delivering services to the networked digital home. Providing the expected quality of experience (QoE) while delivering advanced applications is critical to ensuring a service’s providers continued, successful growth.
A key element essential to ensuring QoE is the overall security framework of the service providers’ network. While the traditional VPN model provides a certain degree of security, it does not fully address security threats like denial-of-service attacks that exploit protocols and packet payload embedded signature-specific threats.
A comprehensive security framework must protect against IP header checksum anomalies, header options and spoofing, IP fragment attacks involving buffer full conditions, overrun and over write conditions, Internet control message protocol anomaly protection involving large ICMP packets, and denial-of-service attacks that originate from universal datagram protocol/transmission control protocol operations.
While an overall security framework still requires the functionality of firewalls, advanced stateful firewalls and a comprehensive set of policy-based access control lists, their effectiveness is limited because they are dependent mainly on packet header parameters. To be effective, service providers must ensure security by comprehensively examining the entire packet.
Deep packet inspection (DPI) uses packet payload inspection to prevent hackers from attacking end nodes, and prevents hackers from manipulating service delivery parameters and impacting QoS requirements of sensitive traffic.

What is DPI?

DPI is a mechanism of examining the packet from Layer 3 to application Layer 7. In addition, DPI examines signatures in the content and behavior of the packet flow and protocols. DPI-enabled RGs make decisions, based on the positive identification of any signature, rule or policy match that takes place while examining the packet payload.
DPI scans every packet in its entirety. Because services deployed to the digital home and SOHO/SMEs include time- and latency-sensitive traffic, DPI requires minimal overhead and its implementation needs to be highly optimized. 
A number of key applications – such as intrusion detection/prevention systems (IDS/IPS), antispyware, spam detectors and antivirus – can leverage DPI.
DPI plays an important role in “unified threat management.” As RGs continue to evolve, they will not only incorporate interfaces for high bandwidth access and home area network. The RG will go beyond triple play and include the system-level infrastructure needed for supporting unified threat management. Such integration is essential for ensuring reliable and guaranteed service delivery.
The foundation for integrated RGs includes complex and highly efficient system-on-chip (SOC) devices. RG SOCs are purpose-built network processors that, unlike current generation processors, integrate sophisticated engines to execute performance-intensive expression processing algorithms inside the device.
To tackle the issue of high performance while carrying out deep packet inspections, gateway devices of the future are not expected to implement purely software-based DPI mechanisms. These next-generation gateway processors are expected to support DPI hardware-based assist engines to help speed the payload scanning process.
Next-generation RGs are also expected to offer native standard operating systems, like Linux, integrated with publicly available open source SNORT-based IDS packages, including antivirus agents like ClamAV. These systems leverage next-generation gateway silicon devices incorporating sophisticated DPI engines and support flexible policy languages that facilitate rule creation.
Emergence of these advanced RGs provide an opportunity for service providers to deliver an integrated triple play service offering combined with a broad set of unified threat management services to secure the digital home and SOHO/SME.
Service providers must deploy systems that natively support architectures designed to incorporate engines, like DPI, to ensure their systems do not quickly become obsolete and require replacement. With the advent of standardized and centralized network management systems, service providers could ultimately deliver managed security services to compliment their current triple play service offerings.
Vertically integrated service providers are also moving up in value chain by deploying video servers and their associated ecosystem. With DPI and unified threat management, service providers can now integrate security servers in their core infrastructures that effectively interwork with their deployed RGs and SOHO/SME gateways.

DPI deployment Scenarios

Service providers can deploy DPI-based security network elements in two ways. The security framework can be integrated into RGs and SOHO/SME gateways. These gateways have now become a nodal network element where both access network and home area networks terminate. It also is possible to introduce a new purpose-built security network element at the edge of the network, but at an additional cost and operational overhead.
Security threats will continue to evolve, as will the applications that subscribers demand. Remote configuration capabilities and software download features in standardized remote RG management frameworks can help service providers quickly adjust to changing conditions.
Sanjeev Challa is chief technologist for Ikanos Communications’ gateway products group