By Mitrasingh Chetlall, Product Manager, Qosmos Division, Enea
What is first packet classification?
First packet classification has become widespread within the Deep Packet Inspection (DPI) component of traffic management solutions over the past couple of years. It consists of using the very first packet of a flow (i.e. the TCP SYN segment or the first UDP datagram) to identify the protocol or service that flow belongs to.
Why is there a need for first packet classification?
Traffic management solutions often use a combination of DPI-based techniques to identify all the flows of a given application and steer traffic accurately and efficiently over the network. This, however, requires analysis of multiple packets and some appliances, such as load balancers, ADCs or SD-WAN appliances, cannot wait that long; they need to steer traffic from the very first packet in order to optimize network link utilization.
To illustrate this, consider the WhatsApp application, which spawns flows both over HTTPS (TLS) and over plain TCP. Over TLS, the application can be identified either from the SNI (i.e. the first TLS Client Hello, the 4th packet) or from the TLS Common Name (6th packet or later). For its plain TCP flows, binary pattern matching on the TCP client or server payload needs a minimum of 4 packets, including the TCP handshake.
- WhatsApp needs 4-6 packets to be classified (including TCP handshakes)!
SD-WAN solutions dynamically optimize multiple paths to the Internet, datacenters, and cloud services across multiple enterprise sites via dedicated SD-WAN appliances, “programmed” dynamically by the SD-WAN controller to choose the best path (based on bandwidth, latency, QoS criteria) depending on the applications and services being transported.
DPI provides application-level visibility for SD-WAN routing
This means that the SD-WAN appliance on each site needs to perform application-based routing as quickly as possible in order to obtain the maximum benefit from the optimized network paths “programmed” by the SD-WAN controller on the appliances at the different enterprise locations.
Although the DPI software accurately identifies all flows for a given application, it is often too late for the SD-WAN solution to benefit from this information, since the connection has already been established and traffic cannot be rerouted.
Solving the problem with first packet classification
Thanks to a caching mechanism in the SD-WAN solution, first packet classification becomes possible, based on trusted information such as server IP addresses and ports. The SDN controller establishes a default route for the initial, unclassified flows. Once these flows are classified, the routes defined by the SDN controller are tied to entries in this classification cache, so that subsequent flows to the same server are steered from their very first packet. The cache has to be kept as up-to-date as possible to minimize false positives.
Can first packet classification improve performance?
First packet classification using the classification cache can significantly boost performance. Lab tests have shown, for example, an average gain of 5% in CPU Cycles Per Packet (CPP, the standard measurement of CPU load) when using Enea’s Qosmos ixEngine for DPI-based first packet classification with a classification cache. This translates into an equivalent increase in appliance throughput.
To achieve these performance gains, flows that match the classification cache are not passed through the DPI software for validation, since validation would consume additional processing resources. For this reason, the approach is not recommended for traffic management solutions where accuracy matters more than performance.
Overview of first packet classification using a classification cache
The figure below shows how Enea’s Qosmos ixEngine carries out first packet classification within a DPI framework using a classification cache.
Qosmos ixEngine as an example of first packet classification using the classification cache
Two separate application programming interfaces (APIs) are provided to access the standard DPI information and the cached DPI information.
First packet classification can be activated in two modes:
1. Standard mode: In order to keep the cache as up-to-date as possible, a systematic Qosmos ixEngine classification is performed to validate or update the cache entry based on the actual packet information. In this case several packets may be needed to reach the “standard DPI” classification, although the very first packet is already classified using the cache.
2. Performance mode: Bypasses DPI validation to improve performance. Manual cache cleanup functions are made available to the appliance embedding Qosmos technology.
If no match is found by the classification cache in either mode, Qosmos ixEngine will perform standard DPI classification.
In certain specific cases, Qosmos ixEngine will perform standard DPI classification whether the cache is activated or not, for example: when metadata extraction is requested, when the flow uses the STUN protocol, or when the final state of classification is not reached.
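A toy model of the classification cache and the two activation modes described above, as an added example that is not Qosmos ixEngine code: a cache keyed on server IP and port, standard-mode DPI validation of every cache hit, the performance-mode bypass, and the metadata and STUN cases that always take the standard DPI path. The substring "signatures", the eviction policy for unconfirmed entries, and recognising STUN by port 3478 are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed toy signatures: the real engine matches protocol patterns; a
# payload substring stands in for a signature here (assumption for this example).
SIGNATURES = {b"web.whatsapp.com": "whatsapp", b"WA-BINARY": "whatsapp", b"netflix": "netflix"}
STUN_PORT = 3478  # assumption: flows on the STUN port always take the standard DPI path

@dataclass
class Flow:
    server_ip: str
    server_port: int
    payloads: list            # packet 0 is the SYN / first datagram (empty payload)
    wants_metadata: bool = False

def toy_dpi(flow):
    """Stand-in for standard DPI: returns (app, packets_needed, final). The final
    state is reached only when a signature matched; otherwise 'unknown'."""
    for i, payload in enumerate(flow.payloads, start=1):
        for sig, app in SIGNATURES.items():
            if sig in payload:
                return app, i, True
    return "unknown", len(flow.payloads), False

class FirstPacketClassifier:
    def __init__(self, mode="standard"):
        assert mode in ("standard", "performance")
        self.mode = mode
        self.cache = {}     # (server_ip, server_port) -> app, filled from final DPI verdicts
        self.dpi_runs = 0   # how often the expensive DPI path was taken

    def classify(self, flow):
        """Returns (app, packets_needed); 1 means the flow was steerable on its first packet."""
        key = (flow.server_ip, flow.server_port)
        must_inspect = flow.wants_metadata or flow.server_port == STUN_PORT
        if not must_inspect and key in self.cache:
            cached = self.cache[key]
            if self.mode == "standard":
                self._run_dpi(flow, key)   # validate/refresh the entry from the real packets
            return cached, 1               # cache hit: steerable on packet 1 in both modes
        return self._run_dpi(flow, key)    # miss or forced inspection: standard DPI path

    def _run_dpi(self, flow, key):
        self.dpi_runs += 1
        app, needed, final = toy_dpi(flow)
        if final:
            self.cache[key] = app          # learn a new entry or overwrite a stale one
        elif key in self.cache:
            del self.cache[key]            # example policy: evict an entry DPI could not confirm
        return app, needed
```

Counting `dpi_runs` across a batch of flows shows where the performance-mode gain comes from: cache hits never touch the DPI path, while standard mode still runs it on every hit.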
DPI first packet classification can significantly speed up and optimize traffic management by enabling solutions to apply pre-programmed criteria for network link utilization as data flows arrive. For non-traffic steering appliances, performance can also be boosted by choosing to omit the DPI software validation phase for flows that match the classification cache.
First packet classification is a standard function of the latest version of Enea’s DPI engine, the Qosmos ixEngine, enabling our customers to provide leading edge traffic management solutions.
Article first published on September 5th 2018 in The Fast Mode
About the Author
(Mitrasingh) Danny Chetlall is Product Manager at the Qosmos Division of Enea. He has over 14 years’ experience in the architecture, design and development of IP technologies with specific expertise in Deep Packet Inspection and networking applications. His responsibilities include the Qosmos ixEngine® DPI engine, protocol signatures and protocol bundle updates.