Home / Blogs

DPI is Not a Four-Letter Word!

As founder and CTO of Ellacoya Networks, a pioneer in Deep Packet Inspection (DPI), and now having spent the last year at Arbor Networks, a pioneer in network-based security, I have witnessed first hand the evolution of DPI. It has evolved from a niche traffic management technology to an integrated service delivery platform. Once relegated to the dark corners of the central office, DPI has become the network element that enables subscriber opt-in for new services, transparency of traffic usage and quotas, fairness during peak busy hours and protection from denial of service attacks, all the while protecting and maintaining the privacy of broadband users.

Yet, DPI still gets a bad rap. Guilty until proven innocent! Why is that?

DPI means different things, because it is an overloaded term. I can think of at least four separate product categories of DPI:

  1. Traffic Management: DPI that classifies application traffic by examining the headers, without looking into the actual content itself.
  2. Surveillance: DPI that logs, reconstructs, or plays back communication exchanges.
  3. Ad-Insertion (and profiling): DPI that profiles subscriber web browsing or search activities, inserts cookies, or logs URLs visited by a subscriber.
  4. Security: DPI that examines content for viruses, trojans, or other forms of vulnerabilities.

Paramount to each of these product categories is privacy. Service providers and consumers share in concerns over privacy, as do industry luminaries. Yesterday, according to ZDNet, Sir Tim Berners-Lee, “inventor” of the World Wide Web, spoke out against the use of deep packet inspection citing concerns over how snooping on clicks and data reveals more information about people than listening to their conversations.

His concerns are valid. And I can attest, having worked with service providers around the globe, that service providers are deeply aware of how important it is to protect consumer privacy. That is why service providers are becoming more transparent and giving consumers choices with opt-in and opt-out capabilities. This new era of transparency is as much a result of consumer interests, service provider best practices, and increasing regulatory pressures, as it is an indication of the broader shift of how DPI-based services are being used.

That is why Phorm, the targeted advertising service company mentioned in the ZDNet article which uses DPI, has a technology that can’t know who users are and allows users to switch it off or on at any time (opt-out or opt-in).

But transparency and consumer opt-out are not limited to broadband service providers and DPI. Yesterday, Google launched “interest-based” advertising on their partner sites and on YouTube, where ads will associate categories of interest based on the types of sites you visit and the pages you view. And, in line with DPI and service provider models of transparency and consumer choice, Google is offering transparency, choice with Ads Preference Manager, and a non-cookie based opt-out capability.

So at the heart of any service over broadband, not just DPI-based services, is the need for transparency, fairness, consumer choice and protection while preserving the privacy of individuals. These are the new discussion points that need to transcend specific technologies in the network. The public debate and regulatory directions has to be centered on these key areas (stay tuned as Arbor becomes more active in these arenas).

As for DPI itself, it has proven to be a critical network element in service provider networks, by providing those things that we all hold dear: privacy, protection, fairness and transparency. DPI is not a four-letter word!

By Kurt Dobbins, Chief Technology Officer, IP Services, Arbor Networks

Filed Under


I'm a bit confused as to how Scott Francis  –  Mar 13, 2009 5:47 PM

I’m a bit confused as to how exactly a third party eavesdropping on a conversation provides privacy (or protection, fairness or transparency). Perhaps you define these terms differently from the average network end-user?

However, I can certainly see how DPI can provide revenue opportunities, and LEO cooperation opportunities, and media industry monitoring opportunities, and ever more over-subscription opportunities. (why build out capacity when you can simply degrade performance for users, protocols or content deemed “unacceptable”?)

The era of ubiquitous transparent encryption for all traffic between endpoints can’t come soon enough.

Why do you confuse port 25 filtering with dpi, Joe XX? Suresh Ramasubramanian  –  Mar 14, 2009 3:35 AM

I am probably wasting my time asking this ..

Indeed you are Richard Bennett  –  Mar 17, 2009 1:04 AM

But it's noble of you to try to spread a little light.

Don't use port 25 Richard Bennett  –  Mar 17, 2009 2:33 AM

Personally, I use port 465 to send e-mail from my Comcast account at home and 993 to receive it, so any use of port 25 on my home router would be a solid indication of a bot infection. As I don’t know what goes on inside your home network (neither do you, apparently,) that’s all I have to go on. I’m a Comcast customer with no e-mail blockage problems.

So rather than whining about a perfectly rational practice on the part of your ISP and imagining sys admins are reading your personal mail, why don’t you secure your system and setup your e-mail in a responsible way? Comcast will give you a copy of McAfee for free to help get you started.

Hilarious Richard Bennett  –  Mar 17, 2009 3:39 AM

You don't have time to check the SSL button in Thunderbird (or the equivalent) but you do have time to draft a meritless lawsuit? Damn, you must write fast.

Practicalities The Famous Brett Watson  –  Mar 17, 2009 5:21 AM

Joe, I think you are going to save yourself a lot of time and aggravation by avoiding this issue rather than tackling it head on. It seems perfectly likely to me that Comcast are not upholding their promises in relation to information disclosure, but I’m a firm believer in Hanlon’s Razor here: they are not being evil or devious, they are just a large bureaucracy which is incapable of internal consistency by merit of simple size. You could take the matter to the courts if you so desired, but that seems like an awful lot of time, effort and money, given the best possible outcome is what? You get to know why they’re blocking you? Or maybe you think it will be a worthwhile ideological victory? You’re far less cynical than I am if that’s the case.

Were I in your position, here’s what I would do: observe best current practices for message submission (BCP 134, RFC 5068) and send email to a smarthost via port 587. That way you get the satisfaction of being a technical purist, and Comcast’s beliefs about your use of port 25 become irrelevant. Yes, it’s a little annoying that you can’t use port 25 even though it is a technically reasonable approach, but port 25 hasn’t been the gold standard for mail submission in a decade or so, and a technical purist needs to keep up with the times.

So the thought I would like to leave you with is this: if you were observing best current practices, this would not be a problem for you. Solve the problem at your end, not Comcast’s: it’s the path of least resistance and fewest ulcers.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix