ISP-Planet
ISP News

ImageStream: Who Needs to Read Encrypted Traffic?

At ISPCON, ImageStream will be demonstrating new products and technologies. Perhaps the most iconoclastic is PUFQ.

by Alex Goldman
ISP-Planet Managing Editor
[November 11, 2008]

Across the world, equipment makers are urging ISPs to determine the content and context of every packet traversing their network, much to the dismay of privacy advocates.

J.C. Utter, president of ImageStream, points out that using Deep Packet Inspection (DPI) in an effort to classify encrypted packets requires a powerful and expensive box, one that every equipment maker would love to sell, but that many ISPs don't want to buy.

Instead, Utter advocates a system his company has come up with that uses some simple open source concepts to preserve user privacy. He calls this system Per User Fair Queuing (PUFQ).

Limit each customer fairly
The idea is to limit the traffic any one user can consume, in a fair manner. He says it's difficult to limit inbound traffic because it can come from so many sources. If you try to limit inbound traffic only in the last mile, you can end up with a traffic jam within your network as, for example, a BitTorrent user starts downloading off of every peering connection you have, and from several of your other customers.

Instead, the company works with PowerCode software to implement PUFQ and enforce bandwidth policies across the entire network. "The PUFQ methodology may also be implemented in other Operations Support Systems (OSSes) and home grown user management systems that are used to manage customers and automate operations," says Utter.

Because the system is just measuring bandwidth, and is not determining the content of every packet, its load on your routers will be minimal.

"It's not heuristics," says Utter. "There's no complex math or classification of traffic. If we can absolutely control the user's access to bandwidth, they cannot exceed their allocation no matter what they do."

Not every user is equal. This is fair queuing, not equal queuing. Fair queuing means that everyone gets what they have paid for, allowing ISPs to sell more expensive business accounts and cheaper residential accounts, each with a variable bandwidth allocation that is enforced throughout the network.

"Most solutions that compete with PUFQ attempt to classify and limit encrypted P2P traffic," says Utter. "This approach can be expensive, and it can require the ISP to backhaul network traffic to a single point. Specifically limiting P2P can also put the ISP at risk with regard to network 'fairness.' The FCC has now established some precedence with its Comcast ruling, and there are now savvy internet consumers out there just looking for a reason to file a complaint with the FCC."

The details
There is a box to buy, but it's smaller and cheaper than a DPI box that attempts to classify encrypted traffic. It's cheaper in part because what it's doing is simpler, in part because its work is distributed across your network, and in part because most networks already have and need routers, so you don't have to buy an additional appliance just for packet classification.

The box, an ImageStream router, does have to inspect traffic so it can apply the bandwidth limits associated with each user based on his or her IP or MAC address.

However, it is possible to leave traffic outside the fair queuing system. For example, you might decide to trust business customers to not abuse their bandwidth allocation (and you can change this later if you wish). Some traffic goes straight through the device, while the rest goes into the PUFQ queue.

PUFQ depends on Linux IMQ. "Linux IMQ is a virtual network device that can be used to queue packets," says Utter. "First, the PUFQ methodology classifies high-priority traffic using iptables, and marks each packet so later stages will know how to properly prioritize each packet. Then the traffic is redirected to the PUFQ and non-PUFQ paths based on the rule set for IP blocks or other parameters."

"The PUFQ path splits the traffic into separate rate-limited queues for each user," says Utter. "Then the packets are forwarded through high-priority or low-priority queues based on the priority mark. The packets return to the normal routing path until they are ready to be forwarded. Then on the exit path, PUFQ traffic is separated into high and low priority queues again. It is at this point where the high and low priority traffic can be rate limited on an aggregate basis if needed. High-priority traffic leaves immediately through a pfifo queue, while low priority traffic exits through an ESFQ, which provides a fair sharing of the remaining bandwidth for the low priority traffic."
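The two paragraphs above describe a pipeline that can be expressed as ordinary iptables and tc rules. The generator below is an added example written for this article; it is not ImageStream's or PowerCode's code, and the chain name `PUFQ`, the fwmark and class numbering scheme, the subscriber addresses, the choice of DNS and SSH as "high-priority" traffic, and the IMQ device name are all assumptions. It follows the stated order: mark high-priority packets, return trusted (non-PUFQ) subscribers unqueued, steer everything marked onto the IMQ device, give each user an HTB class capped at the rate they pay for, and split that class into a pfifo leaf for high-priority traffic and an SFQ leaf for the rest. The aggregate exit-path stage Utter mentions is left out.

```python
"""Generate the iptables/tc rule set for a PUFQ-style per-user fair queue.

Added example, not ImageStream's or PowerCode's code.  Chain name, marks,
class numbering, addresses and the "high priority" matches are assumptions.
"""
import shlex
import subprocess
from dataclasses import dataclass

IMQ_DEV = "imq0"        # IMQ is an out-of-tree patch; IFB + mirred is the in-tree stand-in
LINK_RATE_KBIT = 100000 # aggregate ceiling on the IMQ device (assumed 100 Mbit)
MATCH_KEY = "-d"        # downstream shaping keys on destination IP; use -s for upstream

@dataclass
class Subscriber:
    ip: str
    rate_kbit: int        # committed rate the customer pays for
    ceil_kbit: int        # ceiling the customer may burst to when capacity is idle
    queued: bool = True   # False: trusted account that bypasses PUFQ entirely

# Traffic the ISP treats as high priority (constructed: DNS and SSH).
HIGH_PRIO_MATCHES = ["-p udp --dport 53", "-p tcp --dport 22"]

def class_ids(idx):
    """Per-user minor ids: inner (rate-limited) class, high-priority leaf, low-priority leaf.
    The fwmark set by iptables equals the leaf minor id, so one fw filter per leaf suffices."""
    base = (idx + 1) << 4
    return base, base | 0x1, base | 0x2

def iptables_rules(subs):
    """Mangle-table rules: bypass trusted users, mark queued users, steer marked packets to IMQ."""
    rules = ["iptables -t mangle -N PUFQ"]
    for idx, s in enumerate(subs):
        _, high, low = class_ids(idx)
        if not s.queued:
            rules.append(f"iptables -t mangle -A PUFQ {MATCH_KEY} {s.ip} -j RETURN")
            continue
        # High-priority matches come first so they win over the per-user catch-all.
        for m in HIGH_PRIO_MATCHES:
            rules.append(f"iptables -t mangle -A PUFQ {MATCH_KEY} {s.ip} {m} -j MARK --set-mark {high:#x}")
        rules.append(f"iptables -t mangle -A PUFQ {MATCH_KEY} {s.ip} -j MARK --set-mark {low:#x}")
    # Only marked (queued) traffic is diverted; unmarked traffic stays on the normal path.
    rules.append("iptables -t mangle -A PUFQ -m mark ! --mark 0 -j IMQ --todev 0")
    rules.append("iptables -t mangle -A PREROUTING -j PUFQ")
    return rules

def tc_commands(subs):
    """HTB tree on the IMQ device: one rate-limited class per user, two leaves each."""
    d = IMQ_DEV
    cmds = [
        f"tc qdisc del dev {d} root",
        # No 'default': anything unclassified is sent direct, i.e. unshaped.
        f"tc qdisc add dev {d} root handle 1: htb",
        f"tc class add dev {d} parent 1: classid 1:1 htb rate {LINK_RATE_KBIT}kbit",
    ]
    for idx, s in enumerate(subs):
        if not s.queued:
            continue
        user, high, low = class_ids(idx)
        cmds.append(f"tc class add dev {d} parent 1:1 classid 1:{user:x} htb "
                    f"rate {s.rate_kbit}kbit ceil {s.ceil_kbit}kbit")
        # Both leaves may borrow up to the user's ceiling; the high leaf borrows first (prio 0).
        for leaf, prio in ((high, 0), (low, 1)):
            cmds.append(f"tc class add dev {d} parent 1:{user:x} classid 1:{leaf:x} htb "
                        f"rate {s.rate_kbit // 2}kbit ceil {s.ceil_kbit}kbit prio {prio}")
        cmds.append(f"tc qdisc add dev {d} parent 1:{high:x} handle {high:x}: pfifo limit 50")
        # Inside one user's class every flow belongs to that user, so SFQ's
        # per-connection hashing is fine here; per-IP fairness is already enforced by HTB.
        cmds.append(f"tc qdisc add dev {d} parent 1:{low:x} handle {low:x}: sfq perturb 10")
        for leaf in (high, low):
            cmds.append(f"tc filter add dev {d} parent 1: protocol ip prio 1 "
                        f"handle {leaf:#x} fw flowid 1:{leaf:x}")
    return cmds

def apply(cmds, dry_run=True):
    """Execute the commands (root and the imq module required); dry_run just returns them."""
    if not dry_run:
        for c in cmds:
            # 'qdisc del' fails harmlessly when nothing is installed yet.
            subprocess.run(shlex.split(c), check=not c.startswith("tc qdisc del"))
    return cmds

if __name__ == "__main__":
    plan = [Subscriber("10.0.0.5", 2000, 5000),              # residential, queued
            Subscriber("198.51.100.7", 10000, 10000, queued=False)]  # trusted business
    for line in apply(iptables_rules(plan) + tc_commands(plan)):
        print(line)
```

Run it as-is to print the rule set for review; pass `dry_run=False` on a router with the IMQ patch to install it. Because each subscriber's HTB class has its own `rate` and `ceil`, a user saturating every peering link with BitTorrent still drains only their own class, which is the "cannot exceed their allocation no matter what they do" property Utter describes.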

On the ESFQ page, its creator writes, "ESFQ is a modified version of the original SFQ which allows the user control over several originally hardcoded values. The most useful modification, for me, is the ability to change 'hash type' so that ESFQ allocates bandwidth fairly per source IP rather than per connection."
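Why the hash type matters is easy to see with a small model of the SFQ service discipline. The simulation below is an added example, not code from the article or from the ESFQ project; the two subscribers, their addresses and their offered load are constructed, and the scheduler is a simplified round robin (one packet per active bucket per turn, no hash collisions, no perturbation, no quantum) rather than the real qdisc. It compares the stock per-connection hash with a per-source-IP hash when one user opens twenty connections against another user's one.

```python
"""Model of SFQ-style round robin under two hash keys (added example, constructed data).

Alice runs one download; Bob runs a BitTorrent client with twenty peer
connections.  Keyed per connection, Bob holds twenty of the twenty-one
buckets; keyed per source IP, each user holds exactly one.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Packet:
    src: str     # source IP of the sender
    conn: int    # connection (flow) id within that source
    size: int    # bytes

def by_connection(p):
    """Stock SFQ behaviour: one bucket per flow."""
    return (p.src, p.conn)

def by_source_ip(p):
    """ESFQ 'hash type' per source IP: one bucket per user."""
    return p.src

def make_traffic():
    """Constructed offered load: Alice has one connection, Bob opens twenty."""
    pkts = [Packet("10.0.0.5", 0, 1500) for _ in range(200)]          # Alice
    for conn in range(20):
        pkts += [Packet("10.0.0.9", conn, 1500) for _ in range(200)]  # Bob
    return pkts

def fair_queue_share(packets, key, budget):
    """Serve one packet from each active bucket in turn until `budget` packets
    of link time are used; return bytes delivered per source IP."""
    buckets = defaultdict(deque)
    order = []                       # buckets in first-seen order, for the round robin
    for p in packets:
        k = key(p)
        if k not in buckets:
            order.append(k)
        buckets[k].append(p)
    served = defaultdict(int)
    sent = 0
    while sent < budget and any(buckets.values()):
        for k in order:
            if buckets[k] and sent < budget:
                p = buckets[k].popleft()
                served[p.src] += p.size
                sent += 1
    return dict(served)

def compare(budget=400):
    """Bytes per user under both hash keys for the same link budget."""
    traffic = make_traffic()
    return {
        "per_connection": fair_queue_share(traffic, by_connection, budget),
        "per_source_ip": fair_queue_share(traffic, by_source_ip, budget),
    }

if __name__ == "__main__":
    for mode, shares in compare().items():
        print(mode, shares)
```

With a budget of 400 packets, the per-connection key hands Alice 20 packets and Bob 380, while the per-source-IP key gives each 200: opening more connections buys Bob nothing once the bucket is keyed on the user rather than the flow. That is the same property PUFQ enforces one level up with a rate-limited class per user, and it requires no inspection of what the packets carry.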

The result of all of this, claims Utter, is a queuing system that is cheaper, scales better, and works faster than the competition, while ensuring that individual users never take more bandwidth than their fair share.

ImageStream will also be showcasing new products and new software. We'll have more on that after the show, but you can visit the ImageStream booth during the show to learn more.

— End

Related articles:
  [Oct. 16, 2008] Allot Reaches 10 Gbps, Adds Alliances
  [May 13, 2008] ImageStream and Powercode Team Up To Fight P2P Traffic for ISPs
  [March 2, 2007] Editorial: Doubts About Net Neutrality
