Technology, Thoughts & Trinkets

Touring the digital through type

Iran, Traffic Analysis, and Deep Packet Inspection

iranelectionLet me start with this: I am woefully ignorant and Iranian politics, and have no expertise to comment on it. I’ll save my personal thoughts on the matter for private conversations rather than embarrass myself by making bold and ignorant statements here. Instead, I want to briefly note and comment on how the Wall Street Journal (WSJ) is talking about Deep Packet Inspection (DPI) and the data traffic that is flowing in and out of Iran.

The WSJ has recently disclosed that Iranian network engineers are using DPI to examine, assess, and regulate content that is entering and exiting Iran. They note that the monitoring capacity was, at least in part, facilitated by infrastructure that was sold by Nokia-Simens. The article proceeds, stating that traffic analysis processes have been experimented with before, though this is the first major deployment of these processes that has captured the attention of the world/Western public. This is where things start getting interesting.

The article notes that;

The Iranian government had experimented with the equipment for brief periods in recent months, but it had not been used extensively, and therefore its capabilities weren’t fully displayed – until during the recent unrest, the Internet experts interviewed said.

“We didn’t know they could do this much,” said a network engineer in Tehran. “Now we know they have powerful things that allow them to do very complex tracking on the network.”

From a statement of ‘complex tracking’, we get to a talk about DPI. It’s at this point that we can say that Iran is either using DPI in incredibly complex and sophisticated ways that push the technology to its limits, or the WSJ is blowing smoke. The authors of the article state that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover,  “Iran is “now drilling into what the population is trying to say,” said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”

I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed, and am also incredibly interested to know what the tests are to see if DPI is being used. I’m not saying that such tests don’t exist, but I’m not certain what, exactly, you’d be looking for. A network engineer would have a better grasp, but I haven’t found any product that Marshal8e6 offers that would give them particular insight into this. Now, if we were talking about spam or phishing I wouldn’t doubt their competencies. I also have to note that the data Marshal8e6 fed to the WSJ isn’t available on their website anywhere that I could find it.

Further, I don’t know that DPI is necessarily required to perform the level of surveillance discussed in the Iranian network environment. There is a lot of digital networking equipment that can easily be used for interception; you don’t need DPI appliances to intercept and analyze traffic, given that a large amount of network equipment can be configured to ‘dump’ data flows to secondary storage for subsequent analysis (and this is perhaps more sensible – capture tons of data now, and then scan it, and then derive rules from it that can be applied to subscriber connections). Now, to totally pull together packet flows, examine them for content, and then send them on their merry way to the destination in real time seems a bit of a stretch. Sure, it is theoretically possible for this to be done, but it would be a truly massive undertaking in practice – one that might exceed capacities of equipment on the market. Such practical limitations and impossibilities are what we keep hearing from North American ISPs as a way of allaying privacy worries, and such limitations have been reaffirmed by independent network engineers. This leaves me doubting that total content analysis is possible, let alone occurring. It is more likely that something like this is happening:

The DPI device looks at the first 5-100 packets in a packet stream. These packets are then evaluated against a rule list – are the packets going somewhere that is impermissible? is a disallowed application or application-type trying to send packets? – and then allowed to continue to their destination (or not) depending on what the rule set dictates. In the case of images/movies/songs, it is possible for some DPI devices to quickly look at the first packets of a .mov, .jpeg, etc file’s packet flow and correlate that particular file and flow with a particular digital ‘fingerprint’. That fingerprint can then be examined against all disallowed files/flows and, if a match is found, the packet stream terminated. This method of analyzing content is not perfect, though it does have high degrees of accuracy in many cases. This is what copyright-oriented devices presently do, and can be used to prevent the dissemination of ‘fingerprinted’ pictures, movies, sounds, documents, and so forth.

In essence, I worry that the WSJ is claiming that DPI is more effective in screening communications than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn’t discounting that DPI could, potentially, in an ideal world do what the WSJ is suggesting, but networking environments where admins are trying to regulate gigabytes of traffic each second are hardly these ideal environments for mass surveillance and content regulation using DPI appliances. Hopefully the pressure gets Nokia-Siemens or other network manufacturer to fess up about what they sold, but I’m not holding my breath.


  1. Thanks for the post, Chris. Nokia Siemens Networks is claiming they provided lawful intercept capability for monitoring local voice phone calls, and no DPI.

    • Thanks for that link! It hadn’t come through my filters yet, and is key to dispelling the nonsense that Nokia is the new devil. Glad you enjoyed the post!

  2. Depending on the country you find yourself in, “Lawful Intercept” does have a somewhat different meaning and consequence

    Whatever communications interception and monitoring capability the Iran regime has at present, you cam be sure that they using it to the fullest extent they are able.

    • @ Tim
      True, but it appears as though Nokia-Siemens deployed systems that were good for voice. On good faith I take them to be telling the truth in that their systems are not meant to be hacked to allow for the massive surveillance and intrusion that the WSJ is claiming is going on using DPI appliances, at least until other reports suggest otherwise. I would certainly agree that the Iranian government appears to be using their technological prowess to the best of their ability, and it seems to be reasonably successful, the amount of information emerging from the country notwithstanding.

  3. Chris, you are correct. This line is bull: “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds.”

    There is no deconstruction that takes place. There is no opening, it is not a file. They are data packets.

    Again, DPI devices don’t have the storage capability to do deep analysis of keyword content. As you point out, its much more effective to dump to another device. And Nokia (or “Western”) devices are not necessary for this. There’s no betrayal of Western ideals in selling this technology. The Open Source community has provided tools that can analyze data dumps for years now. You don’t even have to pay to do this, you just need a few really smart network engineers.

    This is another case of hyperventilating about DPI. As I keep harping on, there’s nothing deep, (or magical), or new about DPI. Packets are transmitted in the clear and they are open to inspection at any time. We really need to start harping on that point, as everyone needs to be educated on that.

    The article does not mention that SSL encryption would be sufficient to avoid content filtering. The WSJ is hysterically spreading ignorance and that is a massive disservice to their readers and to the technology community.

  4. Thanks for the comment Catelli.

    A question: is there actually some ‘test’ that can be done to see if content analysis is going on, beyond just realizing that a lot of stuff is being filtered or something like that? I’m unfamiliar with a technique that would definitively prove that such analysis was going on. I can’t see how there is a direct and/or necessary correlation between not being able to access particular websites, and DPI being used for packet analysis techniques.

  5. No there is no test you can do. You’d have to get a special forces team to crash the network ops centre and kidnap some IT gurus and subject them to questioning.

    From the outside there is no way to know if a data stream has been inspected or not. As no data changes, the surveillance is completely passive.

    Even active shaping or blocking devices are hard to detect. On my network I have almost a dozen such devices, and when a particular network traffic type is dropped it even takes me a while to figure out which device did it, or even if it is one of my devices. Sometimes a service is just unavailable due to some other outage. And this is for a network I designed and manage.

  6. Chris,
    Thanks for your comment on my post on the same topic and for directing me here. I absolutely agree with the stance that you took in your post. The notion that DPI can intercept all Internet traffic at a single choke point, inspect it all for content (rather than application, source, destination, usage parameters, etc), and then choose to selectively block or allow, all in a real-time fashion, is simply absurd. Even the vendors in the space, who love to pump up the technology’s capabilities, would balk at that statement. And that’s leaving aside the fact that NSN was not selling DPI, but rather commonly accepted Lawful Intercept equipment for voice traffic, which is mandated by regulatory bodies in both the US and EU.

    My sense is that the WSJ caught wind that Iran was doing some level of surveillance on the Internet communications that have garnered so much publicity as of late, and took that supposition to the nth degree without doing the necessary due diligence on the technology. It may seem like semantics, but the reality is that mistakes like this from someone with a large bullhorn such as the Wall Street Journal can create widespread misconceptions, cost companies money and cost people jobs.


  7. @ David,

    I have my own concerns about DPI, but for all those concerns it really bothers me when poor fact checking from a major paper leads to hysterics about non-issues about this technology. I think that it’s blatant inaccuracies like this that has, in part, led to many DPI vendors and ISPs going to ground and not wanting to talk about this issue with the public, on the basis of the often poor information the public actually has on the tech. Thanks for the visit and comment!

Leave a Reply

Your email address will not be published.