FEBRUARY 9, 2021
By (Mitrasingh) Danny Chetlall, Product Manager, Enea Qosmos
What is First Packet Classification?
First packet classification has become widespread within the Deep Packet Inspection (DPI) component of traffic management solutions over the past couple of years. It consists of using the very first packet of a traffic flow (i.e. the TCP SYN segment or the first UDP datagram) to identify the protocol or service related to that flow.
Why is There a Need for First Packet Classification?
Traffic management solutions often use a combination of DPI-based techniques to identify all the flows of a given application and steer traffic accurately and efficiently over the network. This, however, requires analysis of multiple packets and some appliances, such as load balancers, ADCs or SD-WAN appliances, cannot wait that long; they need to steer traffic from the very first packet in order to optimize network link utilization.
To illustrate this, let us consider the WhatsApp application, which spawns flows both over HTTPS and directly over TCP. Without first packet classification, identifying this application over TLS can be either SNI based (i.e. the first TLS Client Hello, the 4th packet of the flow) or based on the TLS Common Name (6th packet or later). To identify its TCP-related flow, binary pattern matching on the client or server payload needs a minimum of 4 packets (including the TCP handshake).
SD-WAN solutions dynamically optimize multiple paths to the Internet, datacenters, and cloud services across multiple enterprise sites via dedicated SD-WAN appliances, “programmed” dynamically by the SD-WAN controller to choose the best path (based on bandwidth, latency, QoS criteria) depending on the applications and services being transported. (The same applies in principle to SD-WAN functions in SASE solutions.)
DPI provides application-level visibility for SD-WAN routing
This means that SD-WAN appliances on each site need to perform application-based routing as quickly as possible to obtain a maximal benefit from the optimized network paths “programmed” by the SD-WAN controller on the different enterprise location appliances.
Although the DPI software accurately identifies all flows for a given application, without first packet classification it is often too late for the SD-WAN solution to benefit from this information, since the connection has already been established and traffic cannot be rerouted.
Solving the Problem with First Packet Classification
With a caching mechanism on the SD-WAN solution, first packet classification is possible based on trusted information such as server IP addresses and ports. The SDN controller establishes a default route for the initial unclassified flows. Once these flows are classified, routes defined by the SDN controller are tied to this classification cache, so that subsequent packets are steered from the very first packet. This enables performance gains, as flows matching the classification cache don’t go through the DPI software, thereby reducing the overall demand on processing resources.
Enea’s Unique Solution for First Packet Classification
Enea Qosmos ixEngine®’s standard First Packet Advantage feature improves on conventional cache-based first packet processing in two important ways:
First packet classification can significantly speed up and optimize traffic management by enabling solutions to apply pre-programmed criteria for network link utilization as data flows arrive. For non-traffic steering appliances, performance can also be boosted by choosing to omit the DPI software validation phase for flows that match the classification cache.
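The cache-and-steer loop described under “Solving the Problem with First Packet Classification” and the optional DPI validation phase mentioned just above, as an added illustration that is not part of the original article and not Enea’s code: a flow whose server endpoint is unknown takes the controller’s default path and is classified by (simulated) DPI after the fourth packet, which populates a cache keyed on server IP, port and protocol; later flows to that endpoint are steered from their first packet. With validation enabled, DPI still runs on cache hits and evicts the entry when its verdict disagrees with the cached label, so a stale or wrong entry cannot keep steering traffic indefinitely; with validation disabled, cache hits bypass DPI entirely, which is the performance trade-off the text describes. The DPI engine, the route policy and the packets are all constructed stand-ins.

```python
from dataclasses import dataclass

# Constructed stand-in for a DPI engine: the application can be named only once this many
# packets of the flow have been seen (SYN, SYN/ACK, ACK, then the TLS Client Hello carrying
# the SNI, as in the WhatsApp example). A real engine parses payloads; here the last packet
# carries an "app" marker that stands in for the matched signature.
DPI_PACKETS_NEEDED = 4


@dataclass
class CacheEntry:
    app: str       # application learned by DPI for this server endpoint
    hits: int = 0  # later flows steered from their first packet using this entry


class FirstPacketClassifier:
    """Steers each flow on its first packet using a server (ip, port, proto) classification cache."""

    def __init__(self, routes, default_route="default", validate=True):
        self.routes = routes            # app -> path chosen by the SD-WAN controller (hypothetical)
        self.default_route = default_route
        self.validate = validate        # still run DPI on cache hits to confirm the cached label
        self.cache = {}                 # (server_ip, server_port, proto) -> CacheEntry
        self.flows = {}                 # flow key -> per-flow state
        self.dpi_runs = 0               # how often the simulated DPI engine was invoked

    def _simulated_dpi(self, flow):
        self.dpi_runs += 1
        if len(flow["packets"]) >= DPI_PACKETS_NEEDED:
            return flow["packets"][-1]["app"]
        return None

    def handle_packet(self, pkt):
        """Return the path this packet is sent on; the path is fixed at the flow's first packet."""
        flow_key = (pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"])
        server_key = (pkt["dst"], pkt["dport"], pkt["proto"])
        flow = self.flows.get(flow_key)
        if flow is None:
            entry = self.cache.get(server_key)
            if entry is not None:
                entry.hits += 1
                flow = {"packets": [], "app": entry.app, "from_cache": True,
                        "route": self.routes.get(entry.app, self.default_route),
                        "done": not self.validate}
            else:
                # Unknown endpoint: default route now, DPI decides later and fills the cache.
                flow = {"packets": [], "app": None, "from_cache": False,
                        "route": self.default_route, "done": False}
            self.flows[flow_key] = flow
        flow["packets"].append(pkt)
        if not flow["done"]:
            app = self._simulated_dpi(flow)
            if app is not None:
                flow["done"] = True
                if flow["from_cache"] and app != flow["app"]:
                    # Validation failed: drop the stale entry so the next flow to this endpoint
                    # is re-learned on the default path instead of being mis-steered again.
                    self.cache.pop(server_key, None)
                elif not flow["from_cache"]:
                    self.cache[server_key] = CacheEntry(app=app)
                flow["app"] = app
        return flow["route"]


def build_flow(client, server, port, app, n=DPI_PACKETS_NEEDED):
    """Constructed sample flow: n-1 payload-less packets, then one carrying the app marker."""
    return [{"src": client, "dst": server, "dport": port, "proto": "tcp",
             "app": app if i == n - 1 else None} for i in range(n)]


def run_demo(validate=True):
    routes = {"whatsapp": "mpls", "video": "broadband"}   # constructed controller policy
    clf = FirstPacketClassifier(routes, validate=validate)
    server = ("203.0.113.10", 443, "tcp")                  # constructed server endpoint
    # Flow 1: unknown server, stays on the default path even after DPI names it.
    first = [clf.handle_packet(p) for p in build_flow("10.0.0.5", *server[:2], "whatsapp")]
    # Flow 2: same server, steered from the SYN via the cache.
    second = [clf.handle_packet(p) for p in build_flow("10.0.0.6", *server[:2], "whatsapp")]
    # Flow 3: same endpoint now carries a different app; with validation on, the entry is evicted.
    third = [clf.handle_packet(p) for p in build_flow("10.0.0.7", *server[:2], "video")]
    return {"first": first, "second": second, "third": third,
            "cached": server in clf.cache, "dpi_runs": clf.dpi_runs}


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(validate=False))
```

Note that the third flow is still steered on the cached path before DPI can contradict the cache: a first-packet decision is by definition made before any payload is seen, so the cache only ever carries the trust that the earlier DPI verdict deserves. Keeping the validation phase (plus an expiry on entries, not shown) bounds how long a wrong entry can influence routing; dropping it, as the text notes is an option for non-steering appliances, buys throughput at that cost.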
About the Author
(Mitrasingh) Danny Chetlall is Product Manager at Enea Qosmos. He has over 15 years’ experience in the architecture, design and development of IP technologies with specific expertise in Deep Packet Inspection and networking applications. His responsibilities include the Qosmos ixEngine® DPI engine, protocol signatures and protocol bundle updates.