Internet to be modernised at long last
Paul Jakma
ukcrypto at chiark.greenend.org.uk
Wed, 29 Apr 2009 09:19:28 +0100 (IST)
On Thu, 23 Apr 2009, Florian Weimer wrote:
> from your router vendor, and a mediation device. Chances are very
> good that the routers themselves already support it.
I don't have first-hand knowledge of current routing products, but I
would be a bit sceptical of this claim. Operators of common routers
are seeing problems with their kit keeping up just with the growth in
BGP churn - my impression is these machines are engineered to have
/just/ enough resources for near-term IP forwarding, BGP and OSPF
processing needs. Further, for high-speed applications, IP forwarding
functionality (which is well-understood and reasonably
straightforward) is baked into ASICs. You just can't do that with
DPI (for commercially useful applications) - at least, not without
shipping expensive FPGAs, and reprogramming hardware as part of
software updates.
So my strong feeling would be that DPI-capable routers would require
resources that would make them cost significantly more than
forward/filter routers. From which I'd conclude that most routers
deployed are not DPI capable.
Further evidence: Witness the architecture deployed in China and the
UK for web-censorship:
- routers divert a subset of traffic, those packets destined to
  listed IPs and to certain ports, to special machines
- the special machines do the actual application-layer
  packet-inspection and carry out whatever block/allow/log actions
Such that the special machines are off the main forwarding path.
And this is just for HTTP (a well-understood and fairly trivial to
filter protocol)!
ObOpinion:
I suspect mandated DPI will:
- finally encourage mass-deployment of encryption (if those lobbying
to have ACTA criminalise end-user, P2P file-sharing copyright
infringement get their way, at least).
- increase the costs of internet delivery.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
Fortune:
Kiss your keyboard goodbye!