Zodan

asked on

Deep Packet Inspections and Virtual Private Networking

Hi,

I'm investigating deep packet inspection and I'm wondering how DPI works in the context of VPN.  

I don't know much about VPN, but I believe it functions as a "pipe within a pipe" so I'm basically viewing it as encrypted traffic flowing over my main ISP connection. Is this basically correct?

In other words, is VPN traffic fundamentally different from encrypted, I guess I'll call it normal, traffic as far as DPI is concerned? My understanding is that DPI can't inspect encrypted traffic thoroughly, but it can notice patterns in the traffic and categorize it into classes of traffic, such as peer to peer.

Is DPI able to do similar categorizations with VPN traffic by observing traffic patterns?
stranger9002

As far as I know, it's not possible to determine what the encrypted information is about. Only if you can get it unencrypted. Sometimes, using MITM (man in the middle), for example in SSL (HTTPS) communication, you can get the unencrypted information. But I doubt it's possible with VPN. Definitely not, for example, in OpenVPN.
giltjr
In one sense VPN traffic is no different than encrypted traffic.

The VPN traffic is an encrypted IP packet within an IP packet.

Think of it this way.  SSL is me encrypting a letter, putting it into an envelope and mailing it to you.  VPN is me encrypting a letter, putting it into an envelope, encrypting the address on that envelope, and then sticking that envelope into another envelope.

And today given enough time and enough CPU power all encryption is breakable.  

However, it is much easier if you know the encryption methods being used and you know how the keys are generated and you capture the setup of the tunnel.

OpenVPN is an SSL-based VPN, and since SSL can be intercepted and decrypted if you have the private keys used as part of the session setup, OpenVPN can be compromised.
Zodan

ASKER

Well, assuming it can't decrypt the information, I'm wondering if DPI could determine patterns in the VPN traffic to guess at what the application was.

Maybe I shouldn't be saying DPI, but I've read about devices that have the ability to monitor patterns in network traffic, even encrypted network traffic, to determine the source application.  I believe they can do this for BitTorrent traffic, for example.

I believe VPN provides additional layers on top of the standard network protocol stack.  I guess I'm just wondering if this VPN approach would prevent an ISP or government from determining what the source application was...or if, similar to non-VPN-based traffic, they could make a guess at it based on traffic patterns. I don't know much about VPN; does it alter the network traffic patterns in some way?
"...devices that have the ability to monitor patterns in network traffic.."
Well, I guess that depends on the method used for encryption. Since most of them use a symmetric key for encryption of the data, which is changing, and an asymmetric key to encrypt the symmetric one, it really doesn't sound possible to me.

giltjr: You're right, but I was really thinking about exchanging the keys another way, or signing it.

DPI can NOT tell anything other than that the traffic is encrypted.  It can't tell that it is BitTorrent or any other

Go back to my envelope example.  Now let's say there are 100 offices in my building and 100 offices in your building.

If I want to send "normal" traffic from office #23 in my building to office #44 in your building, I would put your building's address and office #44 as the destination and my building's address and office #23 as the source.

Now we set up a "VPN".  Now, to hide things, we use a post office box to send mail from and to.  So on the outside envelope I send it to your post office box, and my post office box is the return address.  On the inner envelope are the real addresses, but they are encrypted.  So DPI can see the post office box addresses on the outside fine, but it can only tell that it is to/from post office boxes.  It opens the outer envelope to find an inner envelope, but it can't tell that it is an inner envelope because it is encrypted and it can't decrypt it.

If it could decrypt the inner envelope, then it could also open the inner envelope and decrypt the message.  That would not be too secure, now would it?
Remember, all DPI sees is traffic between the two end points in the VPN connection.  It can't tell if the traffic is a single user accessing a single web server, or 10,000 users accessing 500 web servers and 400 users doing FTP.  All the DPI box can see is data flowing from A to B.
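The envelope-within-an-envelope model above, as an added worked example (not code from any poster or VPN product): a keyless DPI view of a plain packet sees inner addresses and a payload signature, while the same view of the tunnel packet sees only the outer endpoints, the protocol number and the size. The HMAC-counter keystream stands in for a real VPN cipher, and the key, nonce, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

# Constructed sample values; the key and nonce are not from any real deployment.
KEY = b"example-tunnel-key-not-for-real-use"
NONCE = b"\x00" * 8
SIGNATURES = {"http": b"HTTP/1.", "bittorrent": b"BitTorrent protocol"}

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for the VPN's real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags, TTL, proto, checksum, src, dst.
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_plain(src: str, dst: str, payload: bytes) -> bytes:
    # The "normal" letter: real addresses and application data in the clear (proto 6 = TCP).
    return ip_header(src, dst, 6, len(payload)) + payload

def build_tunnel(key: bytes, nonce: bytes, outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    # The outer envelope: whole inner packet encrypted, outer header in plaintext (proto 50 = ESP).
    body = nonce + xor_crypt(key, nonce, inner)
    return ip_header(outer_src, outer_dst, 50, len(body)) + body

def decapsulate(key: bytes, packet: bytes) -> bytes:
    # Only the tunnel endpoint holding the key can open the inner envelope.
    nonce, body = packet[20:28], packet[28:]
    return xor_crypt(key, nonce, body)

def dpi_view(packet: bytes) -> dict:
    # What a keyless DPI box sees: outer addresses, protocol, size, and any payload signature.
    fields = struct.unpack(">BBHHHBBH4s4s", packet[:20])
    payload = packet[20:]
    app = next((name for name, sig in SIGNATURES.items() if sig in payload), None)
    return {"src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9]),
            "proto": fields[6], "length": len(packet), "app": app}
```

Note that "length" (and, on a live link, timing) is reported for the tunnel packet too: those are the metadata that pattern-based classifiers work from even when the payload is opaque.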
SOLUTION
dpacket

ASKER CERTIFIED SOLUTION