Deep Packet Inspection and Virtual Private Networking


I'm investigating deep packet inspection and I'm wondering how DPI works in the context of VPN.  

I don't know much about VPN, but I believe it functions as a "pipe within a pipe" so I'm basically viewing it as encrypted traffic flowing over my main ISP connection. Is this basically correct?

In other words, is VPN traffic fundamentally different from encrypted, I guess I'll call it normal, traffic as far as DPI is concerned? My understanding is that DPI can't inspect encrypted traffic thoroughly, but it can notice patterns in the traffic and categorize it into classes of traffic, such as peer-to-peer.

Is DPI able to do similar categorizations with VPN traffic by observing traffic patterns?

As far as I know it's not possible to determine what the encrypted information is about. Only if you can get it unencrypted. Sometimes using MITM (man in the middle), for example in SSL (HTTPS) communication, you can get the unencrypted information. But I doubt it's possible with VPN. Definitely not, for example, in OpenVPN.
In one sense VPN traffic is no different than encrypted traffic.

The VPN traffic is an encrypted IP packet within an IP packet.

Think of it this way.  SSL is me encrypting a letter, putting it into an envelope and mailing it to you.  VPN is me encrypting a letter, putting it into an envelope, encrypting the address on that envelope, and then sticking that envelope into another envelope.

And today given enough time and enough CPU power all encryption is breakable.  

However, it is much easier if you know the encryption methods being used and you know how the keys are generated and you capture the setup of the tunnel.

OpenVPN is an SSL-based VPN, and since SSL can be intercepted and decrypted if you have the private keys used as part of the session setup, OpenVPN can be compromised.
Zodan (Author) Commented:
Well, assuming it can't decrypt the information, I'm wondering if DPI could determine patterns in the VPN traffic to guess at what the application was.

Maybe I shouldn't be saying DPI, but I've read about devices that have the ability to monitor patterns in network traffic, even encrypted network traffic, to determine the source application.  I believe they can do this for BitTorrent traffic, for example.

I believe VPN provides additional layers on top of the standard network protocol stack.  I guess I'm just wondering if this VPN approach would prevent an ISP or government from determining what the source application was... or if, similar to non-VPN-based traffic, they could make a guess at it based on traffic patterns. I don't know much about VPN; does it alter the network traffic patterns in some way?

"...devices that have the ability to monitor patterns in network traffic.."
Well, I guess that depends on the method used for encryption. Most of them use a symmetric key for encryption of the data, which is changing, and an asymmetric key to encrypt the symmetric one. It really doesn't sound possible to me.

giltjr: You're right, but I was really thinking about exchanging the keys the other way, or signing it.

DPI can NOT tell anything other than that the traffic is encrypted.  It can't tell that it is BitTorrent or any other

Go back to my envelope example.  Now lets say there are 100 offices in my building and 100 offices in your building.

If I want to send "normal" traffic from office #23 in my building to office #44 in your building, I would put your building's address and office #44 as the destination and my building's address and office #23 as the source.

Now we set up a "VPN".  Now, to hide things, we use a post office box to send mail from and to.  So on the outside envelope I send it to your post office box and my post office box is the return address.  On the inner envelope are the real addresses, but they are encrypted.  So DPI can see the post office box addresses on the outside fine, but it can only tell that it is to/from post office boxes.  It opens the outer envelope to find an inner envelope, but it can't tell that it is an inner envelope because it is encrypted and it can't decrypt it.

If it could decrypt the inner envelope, then it could also open the inner envelope and decrypt the message.  That would not be too secure, now would it?
Remember, all DPI sees is traffic between the two end points of the VPN connection.  It can't tell if the traffic is a single user accessing a single web server, or 10,000 users accessing 500 web servers, and 400 users doing FTP.  All the DPI box can see is data flowing from A to B.
A couple of notes to add regarding VPN and Deep Packet Inspection

Article on detecting Skype traffic

Google Search "Traffic Classification in the Dark", there are many interesting articles/publications including one by Antonio Nucci, and papers that reference his work.

The two articles above focus on traffic classification of encrypted/obfuscated traffic.  It should also be noted that characteristics of encrypted traffic may allow one to make assumptions.  For example, a classified Skype session may show characteristics of voice, video, or chat.

On another note, some DPI-based devices share SSL certificates/keys with end-points/servers.  This enables the device to decrypt, inspect, and re-encrypt traffic in motion (similar to man-in-the-middle).  This may be done in enterprise environments, for example, to keep traffic encrypted but retain the capability to search traffic for compliance or data leakage prevention purposes.

There is a difference between encrypted/obfuscated traffic and tunneled traffic.  In the Skype article it even states that you can NOT do this:

"While the coupled per-host per-flow approach makes PBC identification very robust and reliable, it must not be neglected that PBC has several important drawbacks. First, since it requires packet payload inspection and per-host state, it is expensive. Second, and even more important, PBC is unfeasible when TCP is selected as transport layer protocol, or when tunneling techniques, e.g., VPNs, are used. "

The problem is that when you look at encrypted/obfuscated traffic you know what ports are the real source and target ports.  You can make assumptions based on what normally uses those ports, packet sizes, and a few other things.

With a VPN, all traffic (voice, chat, ftp, samba, telnet, ssh, http, and so on) uses the same source and target port.  Furthermore, it all looks like a single flow.  Every single packet, from the 1st packet after the tunnel is started to the last packet just before the tunnel is torn down, is part of a single flow.  It does not matter if the tunnel is up for 5 minutes, 5 days, or 5 months.  It is a single flow.
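The following is an added example, not code from the thread, from any of the posters, or from the Skype/"Traffic Classification in the Dark" papers mentioned above. It puts two points from the discussion into runnable form: the "classification in the dark" idea from the notes post (a flow's packet sizes and timing stay visible even though the payload is encrypted), and giltjr's point directly above (a VPN collapses every inner flow into one outer flow on one port, so the per-port and per-flow view is gone). All addresses, ports, the 41-byte tunnel overhead and the classification thresholds are assumed for the demo, and the packets are constructed inline rather than taken from a capture.

```python
"""Constructed demo: the same application traffic as a DPI box sees it
(a) in the clear and (b) inside a VPN tunnel. Nothing here is a capture."""
from collections import defaultdict
from statistics import mean, pstdev

# Packet record, as visible from the outer headers:
# (time_s, src_ip, dst_ip, proto, src_port, dst_port, length_bytes)
CLIENT = "10.0.0.5"            # assumed addresses chosen for the demo
VOIP_PEER = "198.51.100.9"
CHAT_SERVER = "198.51.100.20"
FILE_SERVER = "198.51.100.30"
VPN_SERVER = "192.0.2.1"
VPN_PORT = 1194                # OpenVPN's default UDP port
CLIENT_TUNNEL_PORT = 55555     # assumed ephemeral port of the tunnel client
VPN_OVERHEAD = 41              # assumed constant per-packet tunnel overhead

def constructed_session():
    """Three flows from one client: voice, chat and a bulk download (all made up)."""
    pkts = []
    for i in range(200):  # VoIP-like: 50 fixed-size datagrams per second, 4 s
        pkts.append((i * 0.020, CLIENT, VOIP_PEER, "udp", 49170, 49170, 120))
    for t, n in [(0.3, 210), (1.1, 95), (1.9, 340), (2.6, 80), (3.4, 150)]:
        pkts.append((t, CLIENT, CHAT_SERVER, "tcp", 51234, 443, n))  # chat-like
    for i in range(120):  # bulk download: MTU-sized segments, server to client
        pkts.append((0.5 + i * 0.004, FILE_SERVER, CLIENT, "tcp", 443, 51300, 1500))
    return sorted(pkts)

def encapsulate(pkts):
    """Wrap each packet the way a VPN does: inner addresses and ports are
    encrypted, so the outer header shows only client <-> VPN server on the
    tunnel port. Timing is unchanged; length grows by a constant."""
    outer = []
    for t, src, dst, proto, sport, dport, n in pkts:
        if src == CLIENT:
            outer.append((t, CLIENT, VPN_SERVER, "udp", CLIENT_TUNNEL_PORT, VPN_PORT, n + VPN_OVERHEAD))
        else:
            outer.append((t, VPN_SERVER, CLIENT, "udp", VPN_PORT, CLIENT_TUNNEL_PORT, n + VPN_OVERHEAD))
    return outer

def flows(pkts):
    """Group packets into bidirectional flows keyed on the visible 5-tuple."""
    groups = defaultdict(list)
    for p in pkts:
        _, src, dst, proto, sport, dport, _ = p
        groups[(proto,) + tuple(sorted([(src, sport), (dst, dport)]))].append(p)
    return dict(groups)

def features(pkts):
    """Side-channel features encryption does not hide: sizes and timing."""
    lengths = [p[6] for p in pkts]
    times = sorted(p[0] for p in pkts)
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return {"n": len(pkts), "mean_len": mean(lengths),
            "len_sd": pstdev(lengths), "mean_gap": mean(gaps)}

def guess_app(f):
    """Toy 'classification in the dark' over sizes and timing only.
    Thresholds are assumed for the demo, not taken from any paper."""
    if f["len_sd"] < 5 and f["mean_len"] < 250 and 0.01 <= f["mean_gap"] <= 0.04:
        return "voice-like"      # constant small packets at a fixed cadence
    if f["mean_len"] > 1200:
        return "bulk-transfer"   # MTU-sized segments
    if f["mean_gap"] > 0.1:
        return "interactive"     # sparse, human-paced
    return "mixed/unknown"

def dominant_sizes(pkts, bin_width=64, min_share=0.05):
    """Packet-size clusters that survive encapsulation: the start of every
    size bin holding at least min_share of the flow's packets."""
    counts = defaultdict(int)
    for p in pkts:
        counts[(p[6] // bin_width) * bin_width] += 1
    return sorted(b for b, c in counts.items() if c / len(pkts) >= min_share)

def compare():
    """What DPI can conclude from the clear view versus the tunnel view."""
    plain = constructed_session()
    clear_view = {k: guess_app(features(f)) for k, f in flows(plain).items()}
    tunnel_flows = flows(encapsulate(plain))
    (_, only_flow), = tunnel_flows.items()   # giltjr's point: exactly one flow
    return {
        "clear_flows": len(clear_view),
        "clear_labels": sorted(clear_view.values()),
        "tunnel_flows": len(tunnel_flows),
        "tunnel_label": guess_app(features(only_flow)),
        "tunnel_size_clusters": dominant_sizes(only_flow),
    }

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Run it with `python3` and it reports three labelled flows in the clear (bulk-transfer, interactive, voice-like) but a single unlabelled flow once the tunnel is in place. The caveat a practitioner should take from the last line of the output is that the tunnel does not erase everything: the constant-size voice packets and the MTU-sized download still form two distinct size clusters in the outer flow, shifted only by the fixed overhead, and the packet count and timing pass through untouched. Hiding those features needs padding or traffic shaping on top of the encryption, which the VPNs discussed in this thread do not do by default.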
