  • DocumentCode
    3423371
  • Title
    Traffic flow management in next generation service provider networks — Are we there yet?
  • Author
    Goss, R. ; Botha, R.
  • Author_Institution
    Inst. for ICT Advancement, Nelson Mandela Metropolitan Univ., Port Elizabeth, South Africa
  • fYear
    2011
  • fDate
    15-17 Aug. 2011
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    For years a number of savvy Internet users have avoided firewalls and traffic engineering measures by directing traffic through ports seemingly unrelated to the application. These ports are those often marked by firewall administrators as “safe” or those given a higher priority on quality of service systems. This problem has been effectively managed by implementing deep packet inspection techniques, giving the administrators a view into the underlying layer 7 protocol of each flow. The reliance on transit payload to be in plain text format in order to reliably match the underlying content has put this method of classification at a major disadvantage. The use of encryption by users to render the contents of a data packet opaque is, therefore, of major concern to network administrators who rely heavily on deep packet inspection. Without the ability to interrogate the underlying payload of traffic flows, a new method to identify this type of traffic needs to be discovered in order to retain control of the network. As an increasing number of users turn to IP tunneling to secure their data transfers, network service providers need to ensure their systems are ready to handle this type of traffic. A failure to do so would result in them facing the reality of a badly managed network. This paper highlights the challenges faced by network service providers in opaque traffic classification for both existing and future, next generation networks. It investigates and evaluates the various solutions implemented in order to manage network traffic “in the dark”.
  • Keywords
    IP networks; Internet; computer network security; cryptography; quality of service; telecommunication traffic; IP tunneling; data packet opaque; deep packet inspection technique; encryption; next generation service provider network; opaque traffic classification; quality of service system; traffic flow management; Encryption; IP networks; Internet; Machine learning algorithms; Payloads; Protocols; Deep Packet Inspection; Encryption; IPv6; Network Flow Classification; Service Providers; VPN;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Security South Africa (ISSA), 2011
  • Conference_Location
    Johannesburg
  • Print_ISBN
    978-1-4577-1481-8
  • Type
    conf
  • DOI
    10.1109/ISSA.2011.6027529
  • Filename
    6027529