Monday, June 29, 2009

DPI in Iran

Over the past couple of weeks I've been reading reports of the Iranian government's attempts to control communications into and out of the country. One of the recurrent topics is DPI (deep packet inspection), including how Iran might be using it and who is supplying the equipment. I found this aspect of the political situation intriguing since I had to wonder just how DPI could usefully be applied by their government. I was also skeptical: DPI is one of those buzzwords tossed around by the media and the semi-informed whenever subversive filtering and monitoring are conducted by a government or an ISP, and the label is almost always wrong.

First, let's dispense with the 'coarse' filters that are easy to apply without specialized equipment. DNS tampering can block access by hostname (not by URL: a resolver only ever sees the name being looked up, never the path), and a poisoned answer can redirect users to a warning page, or even raise an alarm. The latter is not commonly done in real time since there are typically too many hits to deal with. Since a compromised resolver is easy to circumvent (use a resolver outside the country, or connect to the IP address directly), IP address and subnet blocking can be used instead. This requires only header inspection, the most basic form of what gets called DPI, and it is built into pretty much any carrier-grade firewall. This, too, can be circumvented, most commonly with cooperative proxies. Many people outside Iran are providing this ad hoc service, and it is difficult for the authorities to keep track of them and provision their firewalls fast enough to block all these specific addresses for the blocking to have a major effect.
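As an added illustration, not code from the original post, here is a small Python model of the two coarse filters just described (a tampered resolver that sinkholes blocked names, and a header-only destination-prefix filter) together with the two circumventions (an untouched resolver abroad, and a cooperative proxy). The domain list, sinkhole address and prefixes are constructed for the example; they are not real policy or real addresses from any network.

```python
import ipaddress
from typing import Optional

# Constructed for the example: not real policy, not real addresses.
BLOCKED_DOMAINS = {"example-news.test", "video-sharing.test"}
SINKHOLE_IP = "10.0.0.1"   # poisoned answers point here (a warning page)
BLOCKED_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def dns_answer(qname: str, real_answer: str) -> str:
    """Model of a tampered resolver.

    A blocked name, or any subdomain of one, gets the sinkhole address
    instead of the real one. Matching is on whole labels, so
    'example-news.test.example' is not caught by 'example-news.test'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return SINKHOLE_IP
    return real_answer


def ip_blocked(dst: str) -> bool:
    """Model of a header-only filter: drop if the destination lies in a blocked prefix."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in BLOCKED_NETS)


def outcome(qname: str, real_answer: str, resolver_tampered: bool = True,
            via_proxy: Optional[str] = None) -> str:
    """What happens to one connection attempt.

    resolver_tampered=False models a user who resolves through an
    untouched resolver abroad; via_proxy models a cooperative proxy whose
    address is not (yet) on the block list.
    """
    if via_proxy is not None:
        dst = via_proxy
    elif resolver_tampered:
        dst = dns_answer(qname, real_answer)
    else:
        dst = real_answer
    if dst == SINKHOLE_IP:
        return "sinkholed"
    if ip_blocked(dst):
        return "dropped"
    return "reached"


if __name__ == "__main__":
    site, real_ip = "www.example-news.test", "198.51.100.7"
    print(outcome(site, real_ip))                            # sinkholed
    print(outcome(site, real_ip, resolver_tampered=False))   # dropped
    print(outcome(site, real_ip, via_proxy="192.0.2.50"))    # reached
```

The three calls at the bottom walk the escalation in the paragraph: the DNS filter alone is beaten by an outside resolver, the IP filter then catches the direct connection, and a proxy whose address is not on the list beats both. Keeping the list current against a crowd of volunteer proxies is the part that does not scale.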

Other coarse filters include turning off the mobile and wireline data networks that carry photos, video, IM and SMS. The collateral damage is high (it disrupts legitimate traffic) but acceptable if the authorities are sufficiently motivated. They could limit the shutdown to only the towers in the vicinity of demonstrations and other hot spots, thus limiting the commercial impact. This would need to be combined with wireline internet access blocking to prevent use of local Wi-Fi base stations. Of course, material can be recorded for later transmittal, if the authorities fail to confiscate all electronic devices in use by the protesters. An even coarser version of this approach is to cut electrical power to the neighbourhood (it was done by some Eastern Bloc police units back in the communist era).

Then there is data mining. This is done in near-real time or offline: messaging systems and call records are searched for selected keywords and numbers, but data mining does not allow for real-time intervention in traffic streams. It works best when only a fraction of the end-points (subscribers) is monitored, so that the problem stays tractable both for the equipment and for the people who have to review and act on the reports. One approach is to identify key individuals, those serving as nexuses of the protest movement, and monitor them in the expectation of capturing all the pertinent data. This, again, is easy to circumvent. An at-risk individual can borrow a random person's mobile phone. Also, messages can be deliberately misspelled to foil keyword scanners, much as spammers get around email spam filters.
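The keyword-scanner cat-and-mouse can be made concrete. The following Python is an added example, not code from the original post or from any vendor: a naive case-folded substring scanner next to one that normalizes the common disguises (accents, case, digit-for-letter substitutions, punctuation wedged between letters, stretched letters) and then tolerates one edit. The watch list and messages are constructed for the example.

```python
import re
import unicodedata

# Constructed for the example: a tiny watch list.
WATCHWORDS = ["protest", "rally", "azadi"]

# Digit/symbol substitutions people use to dodge literal matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Undo the cheap disguises: accents, case, leet digits, stray
    punctuation between letters, and stretched letters ('proteeest')."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET)
    text = re.sub(r"[^a-z\s]", "", text)    # 'p.r.o.t.e.s.t' -> 'protest'
    text = re.sub(r"(.)\1+", r"\1", text)   # 'proteeest'     -> 'protest'
    return text


# 'rally' normalizes to 'raly', so the watch list must be normalized the same way.
NORMALIZED = [normalize(w) for w in WATCHWORDS]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def naive_hits(message: str) -> list:
    """What a literal, case-folded substring scanner reports."""
    low = message.lower()
    return [w for w in WATCHWORDS if w in low]


def robust_hits(message: str, max_edits: int = 1) -> list:
    """Normalize, then accept exact matches or, for watchwords of 4+ letters,
    tokens within max_edits of one. Wider net, more false positives."""
    hits = set()
    for token in normalize(message).split():
        for raw, norm in zip(WATCHWORDS, NORMALIZED):
            if token == norm or (len(norm) >= 4 and edit_distance(token, norm) <= max_edits):
                hits.add(raw)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ["Big PROTEST at noon", "pr0t3st tomorrow, bring the rally flags",
                "p.r.o.t.e.s.t", "protst tonight", "pro test tonight",
                "the final tally", "protect the children"]:
        print(f"{msg!r:45} naive={naive_hits(msg)} robust={robust_hits(msg)}")
```

Both sides of the trade-off show up in the sample run: the tolerant matcher catches 'pr0t3st', 'p.r.o.t.e.s.t' and 'protst', still misses 'pro test' (a space splits the token), and starts flagging 'tally' as 'rally' and 'protect' as 'protest'. Every widening of the net buys a little more recall at the cost of more reports for the human reviewers who, as noted above, are the real bottleneck.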

After all of this, we have barely even touched on DPI. Just what is it and what can it do? I read the Wikipedia entry and found it a bit vague and only somewhat useful. Even if DPI is of benefit to them, could Iran get hold of it? Nokia Siemens Networks claims not to have provided DPI to Iran - I find this believable - although I also find it easy to believe Iran could get its hands on some, even the very best available. After all, if they can import large amounts of restricted munitions and nuclear material, you have to think that it is trivial for them to import commercially available high-tech boxes. Small boxes.

So what is DPI, and what makes it so interesting that it has become such a prevalent buzzword? At its most basic, I would define DPI as real-time, wire-speed monitoring of and intervention in communications traffic - a definition that is both simple and descriptive. It covers everything from firewall pinholes and NAT to application blocking and speed throttling, to broadband metering, to, well, quite a lot more.

That wire-speed constraint is particularly important. Whatever the DPI unit is doing, it must keep doing it while the data link runs at full bore, and the binding case is a link saturated with minimum-size packets, since that maximizes the packet rate the unit must handle. This is easy enough for a consumer-grade firewall, which can deal with a data rate of several Mbps in software alone, without specialized hardware like network processors. However, on the network side, where 1 and 10 Gbps IP links are common, the problem is far more challenging. If the DPI equipment fails to operate at wire speed under all traffic conditions, it will disrupt service quality, possibly quite severely, and will also be detectable to the endpoints as added latency, jitter or loss. An in-line DPI box is essentially a MITM (man-in-the-middle), and like any MITM it gives itself away when it perturbs the traffic, so this is a problem if monitoring and intervention are meant to be inconspicuous.
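To put numbers on the wire-speed constraint, here is an added Python calculation, not from the original post. It assumes standard Ethernet framing overhead of 20 bytes per frame (7-byte preamble, 1-byte start delimiter, 12-byte inter-frame gap), which is the usual basis for quoting packets-per-second figures, and an untagged frame size range of 64 to 1518 bytes including the FCS.

```python
# Ethernet overhead that occupies the wire but never reaches the filter:
# 7-byte preamble + 1-byte start delimiter + 12-byte inter-frame gap.
# (Assumption stated in the lead-in; VLAN tags and jumbo frames are ignored.)
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME, MAX_FRAME = 64, 1518   # untagged Ethernet, including FCS


def packets_per_second(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link carries when every frame is frame_bytes long."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def per_packet_budget_ns(link_bps: float, frame_bytes: int) -> float:
    """Time the inspection path has for each packet before it falls behind."""
    return 1e9 / packets_per_second(link_bps, frame_bytes)


def cycles_per_packet(link_bps: float, frame_bytes: int, clock_hz: float) -> float:
    """The same budget expressed in clock cycles of a single core at clock_hz."""
    return per_packet_budget_ns(link_bps, frame_bytes) * clock_hz / 1e9


def keeps_up(cost_ns_per_packet: float, link_bps: float) -> bool:
    """True if a per-packet processing cost survives the worst case: a link
    saturated with minimum-size frames, which maximizes the packet rate."""
    return cost_ns_per_packet <= per_packet_budget_ns(link_bps, MIN_FRAME)


if __name__ == "__main__":
    for label, bps in [("10 Mbps consumer", 10e6), ("1 Gbps", 1e9), ("10 Gbps", 10e9)]:
        for size in (MIN_FRAME, MAX_FRAME):
            print(f"{label:18} {size:5}B frames: {packets_per_second(bps, size):>12,.0f} pps, "
                  f"{per_packet_budget_ns(bps, size):>10,.1f} ns/packet, "
                  f"{cycles_per_packet(bps, size, 3e9):>8,.0f} cycles @3GHz")
    # A software path costing 500 ns per packet is fine at 1 Gbps, not at 10 Gbps.
    print(keeps_up(500, 1e9), keeps_up(500, 10e9))
```

At 10 Gbps a flood of minimum-size frames arrives at about 14.9 million per second, leaving roughly 67 ns (about 200 cycles of a 3 GHz core) per packet, while full-size frames leave about 1.2 µs. That eighteen-fold spread is why "under all traffic conditions" matters: a box sized for average traffic falls behind exactly when someone floods it with small packets, and a consumer link at 10 Mbps has a budget of 67 µs per packet, which is why software alone suffices there.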

I do not want to go into details here of how a DPI box is built - its architecture - fascinating as it is. Suffice it to say that the greater the depth and extent of processing involved, the more complex the design, and the more it challenges the state of the art. As the operations performed reach deeper into the packets, correlate across packets and other data streams, and become highly application-specific, the choice of network processors, their firmware rules, and their cooperation with ancillary transaction processors become increasingly critical. For this reason, any one DPI unit (and even product design) is typically finely tuned for one or just a few specific applications.

Knowing this, just what are these purported DPI units being used in Iran? The first question to ask is whether, for whatever it is they need to accomplish, there is an available commercial product. If there isn't, they could of course roll their own, with a corresponding investment in personnel, design and operations. They may be able to get their hands on the chips, but if they need to acquire them outside of export restrictions they will have a large problem when it comes to manufacturer support. Using these chips, in particular the most sophisticated ones, without hand-holding by the supplier, is very difficult indeed.

Let's assume then that the products (and documentation!) must be purchased. They will now be able to move some of their near-real-time data mining to real time. Is this helpful? Perhaps, if time is really that critical. DPI isn't a magic pill: you can only do what you can already do, including all of an algorithm's inherent limitations. Monitoring for specific words or other patterns within applications is subject to the same user circumventions already mentioned. It is even less useful at wire speed, since the pattern set will of necessity be more restricted and, once compiled into network-processor rules, far harder to update than an offline keyword list.

Monitoring a specific user can be made more timely with DPI by opportunistically mirroring that user's traffic for further near-real-time analysis. Such intercept capability is already required under CALEA (in the US) and similar lawful-intercept mandates in other countries, and is available for VoIP and other applications. NSN has said they've provided equipment of this sort to Iran, although I have not heard whether it's only for the voice networks or also for IP networks. However, as already mentioned, users who suspect they're being monitored can circumvent the authorities by using another protester's phone. Besides, since port mirroring is a standard feature of commercial routers and switches, there is no need for separate DPI boxes to do this.

Beyond this class of applications I strongly doubt that DPI is seeing significant use by the authorities in Iran to combat the protesters. There may come a time in the future when DPI will be able to do far more, but right now it's too fragile and imperfect for what Iran would like to do. They'll stick with coarse network controls and monitoring of individuals, and some good, old-fashioned brutality.
