DPI

Deep packet inspection (DPI) is introduced against shallow packet inspection (SPI). Different from the SPI technology that focuses on the
Transmission Control Protocol/Internet Protocol (TCP/IP) Layer 3 and Layer 4 technologies, the DPI technology emphasizes on Layer 7
(application layer) protocol analysis but also includes Layer 3/Layer 4 analysis.
DPI achieves parsing, protocol identification, and content identification of user data packets and obtains the valuable information such as the
destination uniform resource locator (URL) to provide reference for functions such as service resolution and security protection. DPI parses user
data packets in the following sequence:
 Layer 3/Layer 4 Parsing
 Protocol Identification
 Layer 7 Parsing
Requirements of DPI for the GGSN9811

The GGSN9811 is required to provide the following capabilities for implementing the DPI function:
 The GGSN9811 must parse multiple common protocols. That is, the GGSN9811 must identify and parse key charging and control
protocols, and identify basic control protocols.
The key charging and control protocols are as follows:
 Hypertext Transfer Protocol (HTTP)
 File Transfer Protocol (FTP)
 Wireless Application Protocol (WAP)
 Real-Time Streaming Protocol (RTSP)
 Multimedia Messaging Service (MMS)
 Domain Name Server (DNS)
 Simple Mail Transfer Protocol (SMTP)
 Post Office Protocol revision 3 (POP3)
 Interactive Mail Access Protocol (IMAP)
 Trivial File Transfer Protocol (TFTP)
 Microsoft Multimedia Server Protocol (MMSP)
  NOTE:
A higher than 99% accuracy is required for identification of key charging and control protocols.
The basic control protocols are as follows:
 Point to Point (P2P)
 Voice over IP (VoIP)
 BLACKBERRY
 MISCELLANEOUS (MISC)
It indicates the miscellaneous protocols which can not be classified properly. It is defined by Huawei privately.
 Instant Messaging (IM)

 NOTE:
A higher than 90% accuracy is required for identification of basic control protocols. It is not recommended for accurate charging.

 The pipeline mode of HTTP, a new request processing scheme stipulated in HTTP 1.1, can help to improve the speed of processing
multiple requests and reduce the waiting time and transmission time. The GGSN9811 must be able to match requests and responses, that is,
distinguish multiple requests and their responses on the same flow.
 Triggering services on the network side means that the server actively sends messages to user terminals. The push service is a typical
one. The GGSN9811 must be able to identify services triggered on the network side and implement the service resolution function for these
services.
 The GGSN9811 must be able to reassemble disordered TCP fragments and parse the keywords that are separated into two TCP
fragments.
 The GGSN9811 must be able to identify retransmitted packets. Based on requirements, the traffic of retransmitted packets can be
excluded from the total traffic or be associated with the original service.

DPI Protocols and Charging Modes Supported by the GGSN9811

Protocol Type Related Description Charging Mode

DPI-HTTP The GGSN9811 can parse HTTP packets to obtain the following key Volume-based, time-based, or event-based charging
information: The GGSN9811 supports volume-based, time-based,
 URL or event-based charging on HTTP services of
 Protocol Type Related Description Charging Mode

 Host accessing a URL such as www.isp.com/* by using an

 X-Online Host access point name (APN) such as MNET. The
extension field of the GGSN charging data record (G-
 Content-Type
CDR) records the URL accessed by the user.
 User-Agent
Through DPI of the HTTP protocol, the GGSN9811 obtains the URL
that a user accesses, based on which the GGSN9811 determines service
contents, and identifies the service. This provides a basis for service
resolution and security protection of services differentiated by
application layer protocols.
The GGSN9811 can parse HTTP fragments. Even if HTTP packets are
fragmented, the GGSN9811 can identify the HTTP services correctly.
The GGSN9811 can record the URL that the user accesses in the
charging data record (CDR) of service resolution.

DPI-FTP The GGSN9811 can parse FTP packets. It supports two FTP data Volume-based or time-based charging
transmission modes: PORT (active mode) and PASV (passive mode). The GGSN9811 supports volume-based or time-
The well-known port number 21 is used for FTP; users can define other based charging on FTP download services of
ports. Port information can be added in the detection for parsing. accessing a URL such as www.isp.com/* by using an
APN such as MNET. Data can be downloaded in
active mode or passive mode.

DPI-WAP The GGSN9811 supports the parsing of the WAP protocols, including Volume-based, time-based, or event-based charging
WAP1.X and WAP2.0. WAP parsing helps to obtain detailed service The GGSN9811 supports volume-based, time-based,
information such as the URL and provides a basis for service resolution or event-based charging on common WAP services
and security protection of services differentiated by application layer such as accessing wap.isp.com by using an APN.
protocols. The GGSN9811also supports volume-based charging
Based on the parsing result, the GGSN9811 matches the services with on other WAP services such as MMS and KJava
the configured rules, and then implements the specific action or services accessed by using an APN. The resolution of
charging policy accordingly. the X-Online-Host field is supported. The extension
 Protocol Type Related Description Charging Mode

field of the G-CDR records the URLs accessed by

users.

DPI-RTSP The GGSN9811 can parse and measure video on demand (VOD) Volume-based, time-based, or event-based charging
services that are based on RTSP. The GGSN9811 supports volume-based, time-based,
The GGSN9811 obtains the Real-Time Transport Protocol (RTP) or or event-based charging on VOD services accessed
Real-time Transport Control Protocol (RTCP) port information after by using an APN such as MNET.
RTSP negotiation by parsing the setup request, obtains the URL by
parsing the play request, and obtains the status of user services by
parsing the pause and teardown requests. The GGSN9811 judges
services and measures the service volume based on the parsing results.
After the services are complete, the GGSN9811disables the
corresponding ports and measures and reports the service information.

DPI-MMS The GGSN9811 can identify the MMS service through the Content- Volume-based, time-based, or event-based charging
Type field in the HTTP message. The GGSN9811 supports volume-based, time-based,
 The GGSN9811 obtains the content type in an HTTP message or event-based charging on MMS services accessed
and compares the content type with that of a multimedia message. by using an APN such as WAP.
If the content type is the same as that of a multimedia message,
the GGSN9811 considers this message as a multimedia message.
 If the content type is different from that of a multimedia
message or if the HTTP message does not contain the Content-
Type field, the GGSN9811 compares the URL of this message
with that of a multimedia message. If the URLs are the same, the
message is considered as a multimedia message.
 If a message does not carry the Content-Type field or carries an
incorrect content type and if the URL of the MMS center is
incorrect, the message is not considered as a multimedia message.
Keywords, such as x-mms-message-type, x-mms-transaction-id, to, cc,
and bcc, of a multimedia message are parsed to obtain the information
 Protocol Type Related Description Charging Mode

including the results of multimedia message transmitting and receiving.

DPI-DNS The GGSN9811 can obtain the URL in the DNS query request by Volume-based or time-based charging
parsing the request and measure or filter services based on certain rules. The GGSN9811 supports volume-based or time-
The tariff of the DNS data can be the same as or different from the tariff based charging on DNS services.
of the associated services.

DPI-HTTP The GGSN9811 supports the DPI function of HTTP requests in -

pipeline & WAP pipeline mode. To match one request with one response,
concatenation the GGSN9811 must identify and differentiate multiple service requests
on the same flow.
The GGSN9811 can parse and identify the multiple service requests in
a WAP concatenation packet and measure the service traffic based on
the service type.

TCP The GGSN9811 can identify retransmitted TCP packets by checking Volume-based, time-based, or event-based charging
retransmission the sequence numbers of the TCP packets. If two TCP packets have the The GGSN9811 can apply any of the following
identification same sequence number, the GGSN9811 considers the later one as a charging policies to the traffic of retransmitted
retransmitted packet. packets:
 The retransmitted TCP traffic is charged
associating with the service.
 The retransmitted TCP traffic is not charged.
 The retransmitted TCP traffic is separately
charged.

Layer 7 traffic The GGSN9811 can measure the traffic at the bearer layer Layer Volume-based charging
measurement 3/Layer 4 or that at only the application layer. In service resolution, The GGSN9811 can distinguish services based on the
the GGSN9811measures the traffic based on the actual configurations. IP address and port of the server accessed by a user
for volume-based or time-based charging.
 Protocol Type Related Description Charging Mode

DPI-SMTP The GGSN9811 can process SMTP parsing results, including Volume-based or time-based charging
performing volume-based or time-based charging. For parsing SMTP The GGSN9811 supports volume-based or time-
services, the GGSN9811 must identify SMTP data flows and parse the based charging on SMTP-based email sending
keywords. services.

DPI-POP3 The GGSN9811 can process POP3 parsing results, including Volume-based or time-based charging
performing volume-based or time-based charging. For parsing POP3 The GGSN9811 supports volume-based or time-
services, the GGSN9811 must identify POP3 data flows and parse the based charging on POP3-based email receiving
keywords. services. For example, using Outlook that supports
POP3 to receive emails.

DPI-IMAP The GGSN9811 can process IMAP4 parsing results, including Volume-based or time-based charging
performing volume-based or time-based charging. For parsing IMAP4 The GGSN9811 supports volume-based or time-
services, the GGSN9811 must identify IMAP4 data flows and parse the based charging on IMAP-based email sending and
keywords. receiving services. For example, using Outlook that
supports IMAP to send and receive emails.

DPI-TFTP The GGSN9811 can parse the following types of TFTP packets: Volume-based or time-based charging
1. Read request (RRQ) The GGSN9811 supports volume-based or time-
2. Write request (WRQ) based charging on TFTP download services of
3. Data (DATA) accessing a URL such as www.isp.com/* by using an
APN such as MNET.
4. Acknowledgment (ACK)
5. Error (ERROR)
TFTP also defines the functions of associations between the signaling
plane and the data plane, and of mappings between file names and
URLs.

DPI-MMSP The GGSN9811 can process MMSP parsing results, including Volume-based or time-based charging
performing volume-based or time-based charging. The GGSN9811 can The GGSN9811 supports volume-based or time-
parse the hosts and URLs of MMSP packets. In addition,
 Protocol Type Related Description Charging Mode

the GGSN9811 can obtain information about bearer data flows by based charging on MMSP services of accessing a
parsing signaling flows. URL such as www.isp.com/* by using an APN such
as MNET.

DPI-P2P The GGSN9811 can identify P2P services, and identify the configured -

sub-protocols. You can update the signature database by adding or
configuring sub-protocols.

DPI-VoIP The GGSN9811 can identify VoIP services, and identify the configured -

sub-protocols. You can update the signature database by adding or
configuring sub-protocols.

DPI- The GGSN9811 can identify BLACKBERRY services, and identify the -

BLACKBERRY configured sub-protocols. You can update the signature database by
adding or configuring sub-protocols.

DPI-MISC The GGSN9811 can identify MISC services, and identify the -

configured sub-protocols. You can update the signature database by
adding or configuring sub-protocols.

DPI-IM The GGSN9811 can identify IM services, and identify the configured -

sub-protocols. You can update the signature database by adding or
configuring sub-protocols.

DPI signature The GGSN9811 supports signature database files from a server. You -

database update can upload these files to the GGSN9811 through the M2000 or the local
maintenance terminal (LMT) to update the signature database on
the GGSN9811. In this manner, the GGSN9811 can identify new sub-
protocols of the protocols such as P2P, VoIP, and IM after the update of
the signature database, thus helping operators control services flexibly.