Catching Criminals With DPI


This is the third in a series of articles by Karl Wale on the topic of deep-packet inspection. See also Part I and Part II of the series: “3G and LTE Need DPI” and “DPI: Friend or Foe?”

It’s not easy for lawful intercept (LI) these days.

When it comes to sniffing out criminals, law enforcement agencies must take into account the full spectrum of communication applications a target might be using, including voice, VoIP, e-mail, and the ever-increasing number of social networking, peer-to-peer (P2P), and even gaming applications that can be used to transmit information between parties. Detecting, analyzing and intercepting content from these different media presents a very large challenge, but luckily DPI is up to the task.

In addition to the plethora of new communication mechanisms, the widespread availability and adoption of mobile broadband makes the task of tracing intercepted traffic back to individual subscribers even more complex. The problem gets harder still as mobile operators look to offload traffic from their core network as close to the edge as possible (e.g., at a femto gateway), since traffic that never reaches the core also never reaches an intercept point located there.

The final dimension to the problem is the sheer amount of data that needs to be monitored in order to find the traffic of interest applicable to the specific target. This is particularly true for intercepts located at peering points and high-capacity aggregation points in IP networks.

We should also distinguish between different applications of LI, even though they share a great deal in terms of the challenges and, to a certain extent, the technology. Broadly speaking, we can consider LI as applied to criminal investigations and then LI as applied to national security. The requirements and specifications will differ, and some may require more advanced techniques such as “keyword detection.”

In fact, with regard to national security, the technology is very flexible and has also been adapted to support cyber security requirements that protect many types of critical networks from attack, such as essential computerized monitoring and management services for electrical power, water supply, etc.

How does DPI help? For one, the systems use highly specialized algorithms to collect and analyze the packets that belong to a specific session or flow, rather than treating the link as an undifferentiated stream. Modern LI systems must scale from a few Gbps to many tens or even hundreds of Gbps depending on their location in the network. Given that this throughput is beyond the capacity of any single processor or standalone device, we have seen a strong move in this space to bladed architectures such as AdvancedTCA (ATCA). Not only can ATCA provide the scalability and performance required, it is also well suited to deployment in carrier-grade networks due to its cooling and mechanical specifications. In addition, the wide range of interfaces encountered in carrier networks, including Ethernet and SONET/SDH optical links such as OC-12, OC-48, and OC-192, makes ATCA an ideal platform choice for LI.
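The per-flow collection described above, reduced to its essentials as an added example that is not part of the article or of any vendor's product. Packets are keyed by a direction-independent 5-tuple so that both halves of a session land in one flow, only flows that touch the intercept target's address are kept, the application is identified from the first payload bytes rather than from the port, and the “keyword detection” mentioned earlier is run over each flow's payloads. The `Packet` records, the addresses (documentation ranges), the target and the keyword list are all constructed for this example.

```python
"""Flow reconstruction, target selection and keyword detection over a
constructed packet capture (added example, not the article's own code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet reduced to the fields DPI needs (constructed data)."""
    ts: float
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(pkt):
    """Direction-independent 5-tuple: request and reply share one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo[0], lo[1], hi[0], hi[1])


def group_flows(packets):
    """Bucket packets by bidirectional 5-tuple, keeping each flow in time order."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(pkt)].append(pkt)
    return dict(flows)


def flows_for_target(flows, target_ip):
    """Keep only the flows that involve the intercept target's address."""
    return {k: v for k, v in flows.items()
            if any(target_ip in (p.src, p.dst) for p in v)}


# Payload prefixes used for application identification (illustrative subset).
_SIGNATURES = (
    (b"INVITE ", "sip"), (b"REGISTER ", "sip"), (b"SIP/2.0", "sip"),
    (b"GET ", "http"), (b"POST ", "http"), (b"HTTP/1.", "http"),
)


def classify(flow):
    """Identify the application from the first payload-bearing packet, not the port."""
    for pkt in flow:
        if pkt.payload:
            for prefix, name in _SIGNATURES:
                if pkt.payload.startswith(prefix):
                    return name
            return "unknown"
    return "empty"


def keyword_hits(flow, keywords):
    """Case-insensitive keyword detection over every payload in a flow."""
    hits = []
    for pkt in flow:
        text = pkt.payload.lower()
        for kw in keywords:
            if kw.lower().encode() in text:
                hits.append((pkt.ts, kw))
    return hits


def intercept_report(packets, target_ip, keywords):
    """Flows of the target, each labelled with its application and keyword hits."""
    selected = flows_for_target(group_flows(packets), target_ip)
    return {k: {"app": classify(v), "hits": keyword_hits(v, keywords)}
            for k, v in selected.items()}


# Constructed sample capture: a SIP call setup and a web request from the
# target, plus an unrelated web request from another subscriber.
TARGET = "10.0.0.5"
SAMPLE = [
    Packet(1.0, "udp", "10.0.0.5", 5060, "203.0.113.10", 5060,
           b"INVITE sip:bob@example.net SIP/2.0\r\nSubject: shipment tonight\r\n"),
    Packet(1.1, "udp", "203.0.113.10", 5060, "10.0.0.5", 5060,
           b"SIP/2.0 200 OK\r\n"),
    Packet(2.0, "tcp", "10.0.0.5", 51000, "198.51.100.7", 80,
           b"GET /chat?msg=meeting+at+nine HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Packet(2.2, "tcp", "198.51.100.7", 80, "10.0.0.5", 51000,
           b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet(3.0, "tcp", "10.0.0.9", 40000, "198.51.100.7", 80,
           b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for key, info in intercept_report(SAMPLE, TARGET, ["shipment", "meeting"]).items():
        print(key, info)
```

The bidirectional key is the detail that matters operationally: keying on the raw (src, dst) order would split every conversation into two unrelated flows, and the reply half (here the `SIP/2.0 200 OK` and the `HTTP/1.1 200 OK`) would never be associated with the request that triggered it. A production system does the same thing at line rate with hardware flow tables and far richer signatures; the logic, not the speed, is what this example shows.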