WHITE PAPER

Qosmos* Deep Packet Inspection Characterization

Table of Contents

Executive Summary
1 Performance Characterization Approach
2 Use-Case Details
2.1 Background on DPI Workload
2.2 Intuition on DPI Throughput Performance
2.3 System Setup
2.4 Traffic Profiles
2.4.1 Traffic Profile 1
2.4.2 Traffic Profile 2
2.4.3 Traffic Profile 3
3 Test Results
3.1 Results for Networks Characterized by Traffic Profile 1
3.2 Results for Networks Characterized by Traffic Profile 2
3.2 Results for Networks Characterized by Traffic Profile 3
4 Appendix: Hardware and Software Details

Executive Summary

Packet classification is an essential part of most (if not all) network functions. It is the process of associating packets with identifiers by analyzing the layers of the protocol stack up to, but not including, the application layer (see Figure 1). Actions taken by a VNF are based on these identifiers. Since different applications can use the same protocol parameters from the perspective of the transport and network layer (i.e., same IP addresses, protocol IDs and ports), it is impossible to reliably distinguish between them with this type of packet classification.

Figure 1. Layers of the protocol stack.

In contrast, Deep Packet Inspection (DPI) analyzes not only the headers up to the application layer, but also the application layer itself. The classification result is at a higher level of detail. It allows the implementation of detailed network analytics and fine-grained policies. Service providers are interested in this since it allows them to improve network performance and implement services to improve end-user quality of experience. More specifically, bandwidth costs can be reduced, and fine-grained congestion control can be applied. DPI is becoming increasingly relevant in NFV due to its applicability in many well-known network functions.

This report characterizes a VNF that performs DPI. The DPI capability is provided by Qosmos* through IxEngine*. Qosmos provides a broad product portfolio: DPI engine as an SDK, DPI as a VNFc (VNF component), L7 Classifier for Open vSwitch* and a Service classifier. This report focuses on the DPI engine as an SDK solution meant for integration due to its broad applicability. For this, a prototype VNF was developed in which the SDK was used. The prototype analyzes packets (DPI path), while at the same time forwarding them through the network (data path). The VNF does not take any action on the classification result, but still performs all the necessary steps for the classification. One way the classification result could be used is in a VNF that implements traffic shaping. Here, the classification result could be used to determine which of the queues within the traffic shaping algorithm will be used to buffer the given packet. A use-case for this is a VNF that prioritizes HTTP traffic over bittorrent.

The results in this report show DPI performance as a function of the number of cores assigned to DPI tasks. The bars refer to the highest link utilization for which the DPI cores were handling at least 99.999% of all packets. Figure 2 shows the DPI performance for a VNF with 1, 2, 3, 4 and 7 DPI cores (2, 4, 6, 8 and 14 hyper-threads respectively) on an Intel® Xeon® processor E5-2690 v3 with 8 x 10GbE ports for one specific traffic profile. The fact that the maximum link utilization is below 100% has to do with the constraints of the traffic parameters as detailed in Section 1. For other results under different network characteristics, refer to Section 3.¹

Figure 2. DPI classification performance for a VNF configured with 1, 2, 4 and 7 DPI cores. The number of concurrent connections in steady state is set to 400K.²

¹ Tests conducted in this paper were conducted by Intel. Hardware configurations for all tests are detailed in the Appendix.
² See Section 3.1 for full configuration details for these results.

1 Performance Characterization Approach

There are two approaches to characterize a VNF by measuring its performance. The first approach is to place the VNF in a real production network, and the second approach is to simulate the network around the VNF through the use of traffic generators. The second solution is preferred due to the control it offers and due to its low cost. It is also the approach used in this report. The information in this section serves only as background. It is not required to interpret the results, but it might help to understand all the details.

Characterization is typically done by applying stateless load on a system under test (SUT) running the VNF workload. The constructed traffic contains packets based on a fixed set of template packets with randomized bit-patterns or a range of values written at pre-determined offsets. The transmission rate is fixed, possibly below line-rate (i.e., at 85% of line-rate). This is done by repeatedly inserting periods of silence on the wire. A characterization report then details the rates at which the VNF is able to perform its functions for the provided traffic. Other characterization details, like latency, could also be reported.

DPI inspects packets in the context of flows. In many cases, it needs to inspect multiple packets before the classification is available. Clearly, repeatedly loading the SUT that runs the DPI workload with packets that do not carry any state (referred to as packet blasting) is not sufficient to characterize performance. Instead, the SUT needs to be loaded with traffic consisting of flows (referred to as flow blasting). The important parameters for a given traffic profile are the maximum setup rate (reached mainly at the initial ramp-up phase), the total number of concurrent connections and total bandwidth. The traffic profile itself also has an influence on the resource requirements for DPI.

The following sequence of packets demonstrates which packets need to be exchanged by the flow blaster to simulate a host visiting an HTTP webserver. A DNS request and a DNS reply are exchanged first. This is followed by a three-way TCP handshake to set up a connection to the HTTP server. The HTTP get-message is subsequently sent by the initiator, and the HTTP reply containing the webpage is returned by the webserver. Finally, the TCP connection is torn down. The payload, speed and number of packets are determined by the emulated applications and the network characteristics.

Figure 3. Example of packets exchanged during DNS (left) and HTTP (right). Time flows from top to bottom. Slope shows network latency.

For most networking applications, like the example above, there tends to be more downstream traffic than upstream traffic (peer-to-peer being an exception). It is also for this reason that service providers support asymmetric SLAs (higher downstream bitrates, lower upstream bitrates). Because the load generated by flow blasters is based on real traffic, it is also asymmetric, so it is expected that the link capacities are not reached in most cases.

Practically, it is too time consuming to measure VNF performance in all possible circumstances. Furthermore, measuring all possible data points would also result in many data points with little use. Therefore, the approach is to extract network applications including their characteristics (for example, the bitrates used by those applications) and the behavior of users from a packet capture (for example, the sequence of applications used). This information then forms the templates to simulate users at runtime taking into account the constraints of the configuration. Since the SUT influences the dynamics of the flows (i.e., it adds delay and it possibly drops packets causing TCP retransmits or other timeouts), simply replaying the pcap is not enough.

A traffic profile refers to all the characteristics of the traffic observed on the network. It defines the steady-state setup rate, and the distribution of flows (both their payload and their bitrates). Furthermore, it also defines the maximum number of concurrent connections. The maximum setup rate is an additional parameter that is relevant during the simulation. It determines the duration of the ramp-up phase. After the traffic profile has been extracted from a pcap, the parameters are altered by the traffic generator to cover a broader range of networks for a more complete characterization of the SUT.

Due to the interdependencies of all the parameters, the approach is to first numerically find the solution space boundaries for the maximum setup rate, maximum number of concurrent connections and the per-connection bitrate. The first two parameters can be chosen arbitrarily. The last parameter is specified indirectly. A transformation function takes as input the distribution of connection bitrates and a scaling factor. The function scales all connection bitrates by the scaling factor unless the connection bitrate is limited by the link speed. This means that the bit-rate ratios are maintained whenever possible. As a consequence, the link utilization is increased.

actual data transfer follows the setup (see the HTTP example from Figure 3). After P2, the bandwidth is in a steady state. This phase is the measurement phase for which the downstream bandwidth is reported in the results. It lasts for 120 seconds. The peak in P2 is the reason why the link utilization during steady state is lower than during the peak. The number of concurrent connections is shown in Figure 5. Note that the data shown by Figure 4 and Figure 5 is measured data.
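The difference between packet blasting and flow blasting described in Section 1, as an added example that is not part of the white paper and does not use the Qosmos SDK: a toy flow table that can only label a flow once application payload arrives, next to a header-only classifier that cannot tell two applications on port 80 apart. The packet records, signatures, addresses and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet records (hypothetical field names, not the Qosmos SDK API).
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # length byte 19 + protocol string

def port_label(pkt):
    """Header-only classification: the label depends on the port alone."""
    return "http" if 80 in (pkt.sport, pkt.dport) else "unknown"

def payload_label(payload):
    """Match the first application bytes against two simple signatures."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    return None

class FlowTable:
    """Per-flow state: a label exists only after payload has been inspected."""
    def __init__(self):
        self.flows = {}  # bidirectional key -> {"pkts": n, "label": str or None}

    def inspect(self, pkt):
        key = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        state = self.flows.setdefault(key, {"pkts": 0, "label": None})
        state["pkts"] += 1
        if state["label"] is None and pkt.payload:
            state["label"] = payload_label(pkt.payload)
        return state["label"], state["pkts"]

def tcp_flow(client, cport, server, first_bytes):
    """Constructed flow: three-way handshake, then the first data segment."""
    return [Pkt(client, cport, server, 80, "S", b""),
            Pkt(server, 80, client, cport, "SA", b""),
            Pkt(client, cport, server, 80, "A", b""),
            Pkt(client, cport, server, 80, "PA", first_bytes)]

def run(packets):
    """Feed packets through a fresh table; return it and the per-packet results."""
    table = FlowTable()
    return table, [table.inspect(p) for p in packets]

web = tcp_flow("10.0.0.1", 40000, "192.0.2.10", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
p2p = tcp_flow("10.0.0.2", 40001, "192.0.2.10", BT_HANDSHAKE + bytes(8))
syn_blast = [web[0]] * 1000  # packet blasting: one stateless template repeated
```

Running `run(syn_blast)` creates a single flow entry that never reaches a label, which is why a stateless load says little about DPI cost.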
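The transformation function described above, as an added example that is not code from the white paper or from the traffic generator it used: connection bitrates are scaled by a factor and clipped at link speed, and a bisection search (an assumption about how the numerical search could be done) finds the factor that reaches a target offered load. The sample distribution and all function names are constructed.

```python
def scale_bitrates(bitrates_bps, factor, link_bps):
    """Scale each connection bitrate by `factor`; no connection exceeds link speed."""
    return [min(rate * factor, link_bps) for rate in bitrates_bps]

def offered_load(bitrates_bps, factor, link_bps):
    """Aggregate bitrate of the scaled connections, in bits per second."""
    return sum(scale_bitrates(bitrates_bps, factor, link_bps))

def ratios_preserved(bitrates_bps, factor, link_bps):
    """True when no connection was clipped, so all bitrate ratios are unchanged."""
    return all(rate * factor <= link_bps for rate in bitrates_bps)

def factor_for_load(bitrates_bps, target_bps, link_bps, tol=1e-9):
    """Bisect for the smallest factor whose offered load reaches `target_bps`.

    Offered load is non-decreasing in the factor and saturates once every
    non-idle connection is clipped, so higher targets are unreachable.
    """
    reachable = link_bps * sum(1 for rate in bitrates_bps if rate > 0)
    if target_bps > reachable:
        raise ValueError("target exceeds what clipped connections can offer")
    lo, hi = 0.0, 1.0
    while offered_load(bitrates_bps, hi, link_bps) < target_bps:
        hi *= 2  # grow the bracket until it covers the target
    while hi - lo > tol * hi:
        mid = (lo + hi) / 2
        if offered_load(bitrates_bps, mid, link_bps) < target_bps:
            lo = mid
        else:
            hi = mid
    return hi

LINK_BPS = 10_000_000_000  # one 10GbE port
# Constructed distribution: three slow connections and one close to link speed.
SAMPLE = [1_000_000, 2_000_000, 5_000_000, 6_000_000_000]
```

With `SAMPLE`, factors up to about 1.67 keep every ratio intact; beyond that the 6 Gbit/s connection is clipped and only the slower connections keep growing.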