1、 International Telecommunication Union ITU-T Y.2771TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/2014) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security Framework for deep packet inspection Recommendation ITU-T
2、 Y.2771 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and protocols Y.400Y.499 Number
3、ing, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource management Y.1200Y.1299
4、 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and functional architecture mo
5、dels Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Enhancements to NGN Y.2300Y.2399 Network management Y.2400Y.2499 Network contro
6、l architectures and protocols Y.2500Y.2599 Packet-based Networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 FUTURE NETWORKS Y.3000Y.3499 CLOUD COMPUTING Y.3500Y.3999 For further details, please refer to the list of ITU-T Recommenda
7、tions. Rec. ITU-T Y.2771 (07/2014) i Recommendation ITU-T Y.2771 Framework for deep packet inspection Summary Recommendation ITU-T Y.2771 provides a framework for deep packet inspection (DPI). The primary purpose of this framework is to describe a structured approach for designing, defining and impl
8、ementing DPI solutions in support of service/application awareness for facilitating interoperability in the evolving networks. It serves to identify and assist in understanding the network issues, from primarily an architectural viewpoint. This Recommendation also provides DPI framework aspects from
9、 modelling and performance. The purpose of such frameworks is especially to outline possible relationships between a DPI function and other network functions, to assist in identifying requirements for DPI functions (which would be the subject of other ITU-T Recommendations like, e.g., Recommendation
10、 ITU-T Y.2770) and to help for terminology work (e.g., when a definition would be related to a functional model). History Edition Recommendation Approval Study Group Unique ID*1.0 ITU-T Y.2771 2014-07-18 13 11.1002/1000/12178 _ *To access the Recommendation, type the URL http:/handle.itu.int/ in the
11、 address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T Y.2771 (07/2014) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications,
12、 information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on
13、 a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid do
14、wn in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication
15、 administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandator
16、y provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws atte
17、ntion to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or other
18、s outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent
19、the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2771 (07/2014) i
20、ii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 2 3.1 Terms defined elsewhere 2 3.2 Terms defined in this Recommendation . 3 4 Abbreviations and acronyms 4 4.1 General abbreviations and acronyms 4 4.2 Mathematical symbols 6 5 Conventions 6 6 Architectural framework . 7 6.1 Network
21、architecture framework High-level network scenarios . 7 6.2 Protocol architectural framework Packet inspection level for some example network applications 8 7 Modelling framework . 16 7.1 Functional models 16 7.2 Information and data models 30 7.3 Traffic models 31 7.4 Identification of possible DPI
22、-FE subcomponents . 37 7.5 Fault tolerance models 38 8 Performance framework . 43 8.1 Purpose and scope of performance considerations . 43 8.2 Performance metrics . 44 8.3 Performance of policy enforcement points, estimation of qualitative performance behaviour . 52 9 Categorization of DPI functiona
23、l entities . 55 9.1 Categorization principles 55 9.2 Capabilities in terms of conditions processing . 55 9.3 Capabilities in terms of actions processing 55 9.4 DPI-FE types 55 10 Security considerations . 56 Appendix I Example functional architecture of probabilistic DPI based on the bloom filter 57
24、 I.1 Introduction 57 I.2 Functional model of bloom filter based probabilistic DPI . 58 Bibliography. 59 Rec. ITU-T Y.2771 (07/2014) 1 Recommendation ITU-T Y.2771 Framework for deep packet inspection 1 Scope This Recommendation provides a framework for deep packet inspection (DPI) in packet-based net
25、works. The primary purpose of this Recommendation is to describe the fundamental concepts, functional components and capabilities of DPI that can be used to identify information flows in packet-based networks by DPI entities, to support the specification of DPI requirements and to guide structured s
26、olutions for packet-based networks (such as NGNs). This Recommendation provides high-level system information with regard to some fundamental concepts as typically relevant when realizing DPI entities. However, it is not expected to present all-inclusive detailed specifications for the DPI. Rather,
27、this Recommendation provides an high-level information (i.e., a framework) and is intended to be used as background material for use by ITU Study Groups and other expert groups outside the ITU, e.g., as input for their development of detailed standards for DPI functionalities. The scope of this Reco
28、mmendation includes: a) basic architectural principles that will be encountered in combining DPI in various network architectures; b) protocol architectural aspects from the perspective of DPI; c) example functional models and their application to DPI use case scenarios; and d) performance framework
29、s in order to assist in DPI performance discussions like the identification of key performance indicators related to DPI. Implementers and users of this ITU-T Recommendation shall comply with all applicable national and regional laws, regulations and policies. The mechanism described in this Recomme
30、ndation may not be applicable to international correspondence in order to ensure the secrecy and sovereign national legal requirements placed upon telecommunications providers, as well as the ITU Constitution and Convention. 2 References The following ITU-T Recommendations and other references conta
31、in provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the
32、 possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a R
33、ecommendation. ITU-T E.800 Recommendation ITU-T E.800 (2008), Definitions of terms related to quality of service. ITU-T G.602 Recommendation ITU-T G.602 (1988), Reliability and availability of analogue cable transmission systems and associated equipments. ITU-T H.248.86 Recommendation ITU-T H.248.86
34、 (2014), Gateway control protocol: H.248 Support for deep packet inspection. ITU-T X.200 Recommendation ITU-T X.200 (1994), Information technology Open Systems Interconnection Basic Reference Model: The basic model. 2 Rec. ITU-T Y.2771 (07/2014) ITU-T X.731 Recommendation ITU-T X.731 (1992), Informa
35、tion technology Open Systems Interconnection Systems management: State management function. ITU-T Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. ITU-T Y.2770 Recommendation ITU-T Y.2770 (2012), Requirements for deep packet inspection in next generation network
36、s. ETSI TS 132 410 ETSI TS 132 410 (2012), Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Telecommunication management; Key Performance Indicators (KPI) for UMTS and GSM (3GPP TS 32.410 version 11.0.0 Release 11. IETF RFC 791 IETF RFC 7
37、91 (1981), Internet Protocol DARPA Internet Program Protocol Specification. IETF RFC 2460 IETF RFC 2460 (1998), Internet Protocol, Version 6 (IPv6) Specification. IETF RFC 5101 IETF RFC 5101 (2008), Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow
38、Information. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 application ITU-T Y.2770: A designation of one of the following: An application protocol type (e.g., IP application protocols ITU-T H.264 video, or session initiation protocol
39、 (SIP); A served user instance (e.g., VoIP, VoLTE, VoIMS, VoNGN, and VoP2P) of an application type, e.g., “voice-over-Packet application“; A “provider specific application“ for voice-over-Packet, (e.g., 3GPP provider VoIP, Skype VoIP); and an application embedded in another application (e.g., applic
40、ation content in a body element of a SIP or an HTTP message). An application is identifiable by a particular identifier (e.g., via a bit field, pattern, signature, or regular expression as “application level conditions“, see also clause 3.2.2 of ITU-T Y.2770), as a common characteristic of all the a
41、bove listed levels of applications. 3.1.2 availability ITU-T E.800: Availability of an item to be in a state to perform a required function at a given instant of time or at any instant of time within a given time interval, assuming that the external resources, if required, are provided. 3.1.3 applic
42、ation-descriptor (also known as application-level conditions) ITU-T Y.2770: A set of rule conditions that identify the application (according to clause 3.2.1 of ITU-T Y.2770). This Recommendation addresses the application descriptor as an object in general, which is synonymous with application-level
43、 conditions. It does not deal with its detailed structure, e.g., syntax, encoding and data type. 3.1.4 deep packet inspection (DPI) ITU-T Y.2770: Analysis, according to the layered protocol architecture OSI-BRM ITU-T X.200, of: payload and/or packet properties (see list of potential properties in cl
44、ause 3.2.11 of ITU-T Y.2770) deeper than protocol layer 2, 3 or 4 (L2/L3/L4) header information, and other packet properties Rec. ITU-T Y.2771 (07/2014) 3 in order to identify the application unambiguously. NOTE The output of the DPI function, along with some extra information such as the flow infor
45、mation is typically used in subsequent functions such as reporting or actions on the packet. 3.1.5 DPI engine ITU-T Y.2770: A subcomponent and central part of the DPI functional entity which performs all packet path processing functions (e.g., packet identification and other packet processing functi
46、ons in Figure 6-1 of ITU-T Y.2770). 3.1.6 DPI policy condition (also known as DPI signature) ITU-T Y.2770: A representation of the necessary state and/or prerequisites that identify an application and define whether a policy rules actions should be performed. The set of DPI policy conditions associa
47、ted with a policy rule specifies when the policy rule is applicable (see also b-IETF RFC 3198). A DPI policy condition must contain application level conditions and may contain other options such as state conditions and/or flow level conditions: 1) State condition (optional): a) network grade of ser
48、vice conditions (e.g., experienced congestion in packet paths); or b) network element status (e.g., local overload condition of the DPI-FE). 2) Flow descriptor/Flow level conditions (optional): a) packet content (header fields); b) characteristics of a packet (e.g., number# of MPLS labels); c) packe
49、t treatment (e.g., output interface of the DPI-FE). 3) Application descriptor/application level conditions: a) Packet content (application header fields and application payload). NOTE The condition relates to the “simple condition“ in the formal descriptions of flow level conditions and application level conditions. 3.1.7 DPI policy decision functional entity (DPI-PDFE) ITU-T Y.2770: The function remote to the DPI-FE that decides the signat