Federal Internet Law & Policy
An Educational Project
Notes :: Deep Packet Inspection (DPI)

The Internet's original design involved a subnetwork of computers dedicated to network transmission. Computers in the subnetwork would talk to other computers in the subnetwork; a host computer (at, say, a university) would talk with its representative subnetwork computer, and not directly with the host computers at other universities. In the original ARPANet these were known as Interface Message Processors (IMPs) (not to be confused with the ecumenicalism of Interfaith Message Processors). Today they are known as routers.

The computational resources available to these subnetwork computers were limited; therefore the IMPs did not engage in processing of data transmissions, but were involved only in the routing and transmission of packets. All processing of the packets was done by the end hosts, leading to what is known as the "end-to-end" principle. The routing policy became referred to as "best effort" and "first in, first out." There was no discrimination among packets within the network, as there was no ability to discriminate.

Computational power grew. In time, the computational resources available to a network were sufficient for it to engage in some level of packet processing and analysis. This packet inspection was initially superficial.

In time, the computational resources available to networks grew even more, and routers could engage in Deep Packet Inspection (DPI), making sophisticated analyses of the packets flying by. Combining the functions of intrusion detection systems and firewalls, networks could now look inside packets at layers 4 through 7 and take action accordingly. Networks using DPI can look at:

  • Port numbers
  • Domain names
  • SIP numbers
  • IP addresses
  • Application signatures
  • Content filtering
  • IM chat channels
  • Transport protocol
  • Differentiated service code point or traffic class
  • Packet's length
  • Media Access Control (MAC) address

This creates a departure from the previous routing policy of "best effort" and "first in, first out."

DPI can be used to

  • Block spam, malware, DoS attacks, and other security threats
  • Block certain types of traffic (e.g., P2P)
  • Block competitors

A policy issue has developed over whether and when the use of DPI constitutes reasonable network management and when it constitutes a violation of network neutrality. According to the FTC:

    "To treat some data packets differently than others, as opposed to simply using a first-in-first-out and best-efforts approach, a network operator must be able to identify certain relevant characteristics of those packets. One source of identifying information is the packet's header, which contains the IP address of its source and destination. The packet header also contains several types of information that suggest the type of application required to open the data file, such as the source and destination port numbers, the transport protocol, the differentiated service code point or traffic class, and the packet's length. Additionally, the header contains the Media Access Control ("MAC") address of the packet's source and destination, which provides information about the manufacturer of the device attached to the network.

    "In recent years, router manufacturers have refined packet-inspection technologies to provide network operators with a wide range of information about the data traffic on their networks, including information not provided in packet headers. These technologies were developed in part to help local area networks direct traffic more efficiently and to thwart security risks. Deep packet inspection may also be implemented on the Internet to examine the content of packet streams - even search for keywords in text - and to take action based on content- or application-specific policies. Such actions could involve tracking, filtering, or blocking certain types of packet streams. Further, deep packet inspection can map the information it accumulates to databases containing, for instance, demographic or billing information.

    "Another relatively new technology that may be implemented to reveal information about packet streams is flow classification. This technology monitors the size of packets in a data stream, the time elapsed between consecutive packets, and the time elapsed since the stream began, with the goal of making reasonable determinations about the nature of the packets in the stream. Thus, flow classification may reveal information about a packet stream even if the individual packets themselves are encrypted against packet inspection. With the development of these two technologies, it is now cost-effective for a network operator to gain extensive knowledge about the nature of the data traveling across its network." [FTC Staff Report 2007 p 30]
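The following is a small worked example of the three layers of inspection described above (the header fields in the list, the payload signatures the FTC passage calls "deep packet inspection", and the size-and-timing "flow classification" that works on encrypted traffic). It is added here for illustration and is not code from this page's author or from the FTC report. Everything in it is constructed: the frame builder, the MAC and IP addresses, the HTTP/TLS/BitTorrent signatures and the flow thresholds are assumptions, not any vendor's rules.

```python
# Toy DPI pipeline: header inspection, payload signatures, flow classification.
# Added example, not code from the page or the FTC report; frames, signatures,
# addresses and thresholds are constructed/assumed for illustration.
import struct
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float            # arrival time in seconds (constructed)
    src_mac: str
    dst_mac: str
    dscp: int            # differentiated services code point
    proto: int           # IP protocol number (6 = TCP)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int          # IP total length
    payload: bytes       # layer-7 bytes after the TCP header

def build_frame(src_port, dst_port, payload, dscp=0):
    """Wrap payload in a minimal Ethernet/IPv4/TCP frame (test data; checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp + payload

def parse_frame(frame, ts=0.0):
    """Header-level inspection: the fields listed above, read without touching content."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = frame[14:]
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if frame[12:14] != b"\x08\x00" or proto != 6:
        raise ValueError("only IPv4/TCP frames are handled in this example")
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(ts, mac(frame[6:12]), mac(frame[:6]), tos >> 2, proto,
                  ".".join(map(str, src)), ".".join(map(str, dst)),
                  sport, dport, total_len, tcp[(tcp[12] >> 4) * 4:])

def build_client_hello(server_name):
    """Constructed TLS ClientHello carrying a server_name (SNI) extension, RFC 6066."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def tls_sni(p):
    """Walk a ClientHello to its SNI extension; None if the payload is not one."""
    if len(p) < 44 or p[0] != 0x16 or p[5] != 0x01:
        return None
    i = 43                                       # record hdr 5 + hs hdr 4 + version 2 + random 32
    i += 1 + p[i]                                # session id
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher suites
    i += 1 + p[i]                                # compression methods
    if i + 2 > len(p):
        return None
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        if etype == 0:                           # list_len(2) name_type(1) name_len(2) name
            nlen = struct.unpack("!H", p[i + 3:i + 5])[0]
            return p[i + 5:i + 5 + nlen].decode("ascii", "replace")
        i += elen
    return None

def classify(pkt):
    """Layer-4 guess from the port, overridden by layer-7 signatures when they match."""
    out = {"port_guess": {80: "http", 443: "https", 25: "smtp"}.get(pkt.dst_port, "unknown")}
    if pkt.payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        out["app"] = "http"
        for line in pkt.payload.split(b"\r\n"):
            if line[:5].lower() == b"host:":
                out["domain"] = line[5:].strip().decode()
    elif (sni := tls_sni(pkt.payload)) is not None:
        out["app"] = "tls"
        out["domain"] = sni
    elif pkt.payload[1:20] == b"BitTorrent protocol":  # peer handshake, whatever the port
        out["app"] = "bittorrent"
    return out

def classify_flow(pkts):
    """Flow classification from size and timing only, so opaque payloads do not hide it."""
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    mean_size = sum(p.length for p in pkts) / len(pkts)
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    jitter = max((abs(g - mean_gap) for g in gaps), default=0.0)
    if mean_size < 250 and 0.01 <= mean_gap <= 0.04 and jitter < 0.005:   # assumed thresholds
        return "real-time (VoIP-like)"
    if mean_size > 1000 and len(pkts) >= 3:
        return "bulk transfer"
    return "interactive/other"
```

Feeding `classify(parse_frame(build_frame(6881, 443, b"\x13BitTorrent protocol" + b"\x00" * 8)))` a P2P handshake on port 443 shows the point of the list above: the port alone says "https", the payload signature says "bittorrent", and it is the signature a blocking policy would act on. Likewise `classify_flow` over ten 160-byte packets spaced 20 ms apart labels the stream real-time without reading a single payload byte, which is exactly the encrypted-traffic case the FTC passage describes.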

Previous tracking of end-user behavior online was achieved, and is still achieved, through the use of cookies. DPI, however, is a significant advance over cookies in tracking personal information:

    Cookies                                   DPI
    Web based                                 Captures data from all applications
    Captures only predetermined information   Captures all information
    Static                                    Dynamic
    On the user's hard drive                  Located within the network
    End user can block use of cookies         End user cannot block DPI
    End user can see cookies on computer      End user cannot see use of DPI

    [Person 442]