Why is First Packet Classification So Important in Traffic Management?

What is First Packet Classification?

First packet classification has become widespread within the Deep Packet Inspection (DPI) component of traffic management solutions over the past couple of years. It consists of using the very first packet to identify the protocol or service related to a traffic flow (i.e. the TCP SYN segment or first UDP datagram).

Why is There a Need for First Packet Classification?

Traffic management solutions often use a combination of DPI-based techniques to identify all the flows of a given application and steer traffic accurately and efficiently over the network. This, however, requires analysis of multiple packets and some appliances, such as load balancers, ADCs or SD-WAN appliances, cannot wait that long; they need to steer traffic from the very first packet in order to optimize network link utilization.

To illustrate this, let us consider the WhatsApp application, which spawns flows both over HTTPS and TCP layers. Without first packet classification, identifying this application over TLS can be either SNI based (i.e. first TLS client hello – 4th packet) or based on TLS Common Name (6th packet or later). To identify its TCP related flow, binary pattern matching needs a minimum of 4 packets (including the TCP handshake) on the TCP client or server packet payload.

• WhatsApp needs 4-6 packets to be classified (including TCP handshakes) using traditional processing!

SD-WAN solutions dynamically optimize multiple paths to the Internet, datacenters, and cloud services across multiple enterprise sites via dedicated SD-WAN appliances, “programmed” dynamically by the SD-WAN controller to choose the best path (based on bandwidth, latency, QoS criteria) depending on the applications and services being transported. (The same applies in principal for SD-WAN functions in SASE solutions).

DPI provides application-level visibility for SD-WAN routing

This means that SD-WAN appliances on each site need to perform application-based routing as quickly as possible to obtain a maximal benefit from the optimized network paths “programmed” by the SD-WAN controller on the different enterprise location appliances.

Although the DPI software accurately identifies all flows for a given application, without first packet classification it is often too late for the SD-WAN solution to benefit from this information, since the connection has already been established and traffic cannot be rerouted.

Solving the Problem with First Packet Classification

With a caching mechanism on the SD-WAN solution, first packet classification is possible based on trusted information such as server IP addresses and ports. The SDN controller establishes a default route for the initial unclassified flows. Once these flows are classified, routes defined by the SDN controller are tied to this classification cache, so that subsequent packets are steered from the very first packet. This enables performance gains, as flows matching the classification cache don’t go through the DPI software, thereby reducing the overall demand on processing resources.

Enea’s Unique Solution for First Packet Classification

SASE’s standard First Packet Advantage feature improves on conventional cache-based first packet processing in two important ways:

• First, it uses a multi-tiered, cascading cache structure that greatly expands the volume of traffic that can be accurately identified using first packet processing.
• Second, the cache leverages a database of hundreds of millions of rigorously and continuously verified IP addresses (IPDB) for maximum accuracy and granularity across the broadest spectrum of traffic.
• As an added bonus, First Packet Advantage applies service categories to Office 365 traffic based on first packet data alone, enabling ultra-efficient, category-based management of this widely used software suite.

Conclusion

First packet classification can significantly speed up and optimize traffic management by enabling solutions to apply pre-programmed criteria for network link utilization as data flows arrive. For non-traffic steering appliances, performance can also be boosted by choosing to omit the DPI software validation phase for flows that match the classification cache.