



IP Fabrics Technology

A Quick Overview of IP Fabrics’ Innovative Technology Used in the DeepProbe and DeepSweep Systems

DeepProbe and DeepSweep systems are powered by IP Fabrics’ innovative multi-core DAPI/DPI (Deep Application Protocol Inspection/Deep Packet Inspection) engines and virtualization technology. This technology allows complex IP packet analysis to be parallelized (that is, run concurrently) across multi-core network processors, allowing wire-speed DAPI/DPI on 1Gbps and 10Gbps networks. This approach has many benefits over more traditional approaches (e.g., ASICs, FPGAs, general-purpose processors, etc.), including increased performance, increased capacities, and extensibility. This underlying technology facilitates the rapid introduction of new features by simply adding software modules that run on the multi-core network processors.

IP Fabrics’ DPI and DAPI Technology

At the core of the DeepProbe is a technology termed Deep Packet Inspection (DPI). Quite simply, DPI enables network devices to access portions of network traffic beyond the packet headers (“looking deeply into the packet”). Traditional networking devices such as routers and switches access only the packet headers to perform their networking function. Even early security devices (e.g., firewalls) only looked at packet headers. However, as communications are increasingly based on IP (e.g., VoIP, person-to-person communications, email, chat, etc.), it is insufficient to simply inspect the information contained in packet headers. A common analogy is to equate network equipment that simply looks at packet headers to inspecting the packages carried in the US mail by simply looking at the ‘TO:’ and ‘FROM:’ labels on the package. DPI fills this gap by enabling networking equipment to look at entire packets, including the payload (also called the content).
Some common examples of important information contained in the content portion of packets are email addresses, user-ids used in logins, and text strings found inside of communications. To continue the prior analogy, DPI is equated to having the agency inspect the contents of each package.

While DPI is a powerful technology, state-of-the-art surveillance systems need more sophisticated techniques for identifying, discovering, and intercepting targets. This is where DAPI comes in. In short, DAPI is the ability to inspect and understand how applications are communicating. This includes understanding an application’s syntax and semantics to the extent that users can be discovered, their subsequent communications decoded, and pertinent traffic intercepted. A good example where DAPI is used is intercepting a typical webmail application, which might use a variety of layer 4 ports during a session and might gzip compress much of the communications, including the addressing information. While traditional DPI would have visibility into the pertinent packet bytes, it wouldn't understand what they mean. This is where the DAPI state machines and heuristics are used to piece together and decode the information from multiple packets.
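The gap between seeing the payload bytes and understanding them can be shown on a constructed gzip-compressed HTTP response split across two segments. This is an added example, not IP Fabrics' code or PPL; the function names, sample body and addresses are assumptions made for illustration.

```python
import gzip
import re

# Constructed sample: one HTTP response whose gzip-compressed body carries
# two addresses, delivered as two TCP segment payloads (split mid-body).
BODY = (b'{"from": "alice@example.org", "to": "bob@example.org", '
        b'"subject": "hello hello hello"}')
_compressed = gzip.compress(BODY, mtime=0)
_response = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_compressed)).encode() + b"\r\n\r\n"
    + _compressed
)
_cut = len(_response) - len(_compressed) // 2
SEGMENTS = [_response[:_cut], _response[_cut:]]

EMAIL = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def dpi_per_packet(segments):
    """Plain DPI: pattern-match the raw payload bytes of each segment."""
    return [m for seg in segments for m in EMAIL.findall(seg)]


def dapi_decode(segments):
    """Application-aware: reassemble, parse HTTP, undo gzip, then match."""
    stream = b"".join(segments)  # assumes in-order, complete segments
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    body = body[:int(headers.get(b"content-length", len(body)))]
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return EMAIL.findall(body)


if __name__ == "__main__":
    print("per-packet DPI :", dpi_per_packet(SEGMENTS))
    print("decoded stream :", dapi_decode(SEGMENTS))
```

Neither segment decompresses on its own, which is why the decoder has to keep per-flow state rather than inspect packets independently.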
IP Fabrics’ Surveillance Module Architecture

IP Fabrics’ Surveillance Module Architecture gives the DeepProbe and DeepSweep products many unique advantages over "PC-based" surveillance systems or hard-wired ASIC/FPGA-based systems. This modular system architecture enables DeepSweep to be used as a stand-alone network surveillance system, or in conjunction with other security/surveillance systems (e.g., as a pre-filter), and even supports hosting user applications on the system processor. The architecture is also highly scalable, allowing multiple DeepSweeps to be configured in parallel or pipelined configurations. Surveillance Modules (SMs) can be thought of as 'filter templates' that are easily configured by the DeepSweep user. SMs typically apply specific surveillance applications, such as VoIP intercept or email surveillance. Figure 1 below illustrates SM usage, while Figures 2 and 3 depict some common SMs.
Figure 1: Using DeepSweep
Figure 2: CALEA SMs
Figure 3: Other SMs
Other Surveillance Module Architecture advantages include the ability to combine multiple SMs into 'chains' to construct complex surveillance logic. Once the filtering logic is constructed, each SM can be configured to 'act on' traffic of interest in many ways. Figure 4 illustrates the range of actions available to DeepSweep SMs.
Figure 4: Range of Actions
IP Fabrics’ Packet Processing Language

IP Fabrics’ Packet Processing Language (PPL) is a very high-level, functional programming language for describing the types of packet processing found in many of today’s networking applications. PPL is oriented toward layer 3 IP packets, toward specific protocols at layer 4 (e.g., TCP and UDP), and toward “deep” packet processing at layers 5-7. It has many “built-in” algorithms/state machines oriented toward complex packet processing applications such as encryption, authentication, content inspection, stateless and stateful firewall filtering, detection of intrusions and denial-of-service attacks, layer 7 filtering, signature analysis, and content-based load balancing. PPL also has the capability to easily integrate and interoperate with external programs (e.g., user-written microcode, control plane code, protocol stacks) as well as external application processors such as DSPs.

IP Fabrics’ Virtual Machine Approach

Initially, IP Fabrics has implemented PPL as a high-performance virtual machine atop the Intel IXP family of network processors – a truly innovative programming model for NPUs. While PPL could be compiled to machine code which would run directly on an NPU, there are many benefits to the virtual machine approach, such as:
In short, PPL is a very simple yet powerful language that network engineers can use to create networking and communications applications in a blink of the eye. Learn more by reviewing IP Fabrics’ presentation - Creating NPU Applications in a ‘Blink of the Eye’, the Brief Overview of PPL and the PPL Virtual Machine technical brief, and the PPL Datasheet.

For complete specifications on the DeepSweep network surveillance systems, please refer to the DeepSweep Datasheet, DeepProbe Datasheet, DeepSweep for CALEA Datasheet, DeepSweep for CALEA w/CBIS Datasheet, and DeepSweep Secure Buffered Delivery Datasheet. For more information about Network Surveillance using DeepSweep, please refer to the IP Network Surveillance White paper. For information on how the DeepSweep achieves its high performance, please refer to the DeepSweep Performance white paper in our White Papers and Briefs page.
Learn more about IP Fabrics products and technology by visiting the Resource Center or Contact Us to have an IP Fabrics sales representative provide you further information.