Surasak DPI 100gbps
chakphanu-komasathit
Transcript of Surasak DPI 100gbps
2
3
4
Ethernet Network
Layer (IP)
Transport Layer
(TCP/UDP) Payload
L2 L3 L4 L5 – L7
Packet Payload/Application Layers Packet Header Layers
5
Ethernet Network
Layer (IP)
Transport Layer
(TCP/UDP)
Email (SMTP, POP3, IMAP) Web (HTTP/S)
File Transfer (FTP, Gopher) Instant Messaging (IM)
Peer-to-Peer (P2P) Applications Directory Services
L2 L3 L4 L5 – L7 Packet Payload/Application Layers Packet Header Layers
Deep Packet Inspection
6
Ethernet Network
Layer (IP)
Transport Layer
(TCP/UDP)
Email (SMTP, POP3, IMAP) Web (HTTP/S)
File Transfer (FTP, Gopher) Instant Messaging (IM)
Peer-to-Peer (P2P)
L2 L3 L4 L5 – L7
Deep Packet Inspection
Shallow Packet Inspection
7
Fixed Operations
Packet Header Packet Data
Dynamic & Adaptive
Operations
Routers ACLs, QoS
Switches
Dynamic Routers
Firewalls
Adaptive L4 Traffic Management
• IDS/IPS
• Anti-spam
• Anti-virus
• DDoS protection
• Content/XML Load Balancers
• VoIP security, monitoring, analysis
• WAN/Application optimization
Load Balancers
Dynamic Load
Balancers
1st gen. L7 Load
Balancers
8
9
Hardware Theft
DoS/DDoS
Intrusions
Viruses
Trojans
Worms
SPAM
More complex applications
Carry much richer content
Page 10
CONNECTIVITY “Dumb Pipes”
PERFORMANCE “Fast Pipes”
POLICY Software-defined
“Smart Pipes”
• Enterprise: Security, traffic management, VoIP, acceleration
• Federal: Security, Information Awareness, Information Assurance
• Carriers: Enhanced services
The 70s/80s The 90s 21st Century
Specific/Limited use within the fixed enterprise
Explosion of the Internet
Broader expansion within and beyond the enterprise and to customers and business partners
Network is mission critical to business success & survivability
Evolution to a “Policy-Centric Network”
USAGE
INFRASTRUCTURE
11
12
Intrusion Prevention System
Intrusion Detection System
Stateful Firewall
13
permit tcp any host <Mail Server> port 25
deny any any
Mail Client Mail Server
SYN
SYN/ACK
ACK
14
permit tcp any host <Mail Server> port 25
deny any any
Mail Client Mail Server
HELO
HELO
Mail From: <[email protected]>
15
deny SMTP <Mail Client, port> <Mail Server, 25>
Mail Client Mail Server
VRFY root
VRFY Buffer Overflow
16
17
18
P2P
VoIP/Skype
Virus/Worm/Trojan
Spam
DoS
Forwarding
Redirection
Denying
Throughput Control
QoS/Shaping
Protocol Report
Services Report
Subscriber Report
Attack Report
Logging
19
How to handle the speed and volume of incoming data?
How to handle the large number of attack signatures?
How to efficiently analyze complex and overlapping patterns?
20
[Figure: Ethernet link speed in Mb/s (log scale, 1 to 100000) by year, '83 to '12: 10 Mb/s, 100 Mb/s, 1 Gb/s, 10 GbE, 40/100 GbE; 400 GbE, 1 Terabit?]
21
[Figure: Zero Loss Throughput vs. Frame size. Axes: Gbps (0 to 9) against frame size in Bytes (64, 128, 256, 512, 1024, 1518)]
[Figure: Zero loss CPU Utilization. Axes: % (0 to 70) against frame size in Bytes (64, 128, 256, 512, 1024, 1518)]
22
Altera Stratix Xilinx Virtex
Intel IXP Series
ClassiPi PMC Tarari T1000 Netlogic NetLT
23
24
ATCA Shelf Manager
10G Switch Blade Processors Blade
25
12U Modular AdvancedTCA chassis
80 Gbps capacity
Handles 5 million subscribers
Tracks 48 million data flows
26
ISPs start implementing DPI for services control
More new hardware platforms hit the market for high speed network
Controversy about net neutrality and end-to-end nature of Internet
27
28
Q&A
29