Deep Packet Inspection

Deep packet inspection (DPI) is a traffic classification mechanism that enables the BIG-IP Next system to classify both encrypted and unencrypted traffic for application visibility. The command line interface (CLI) can be used to display network traffic statistics and classification information by application, category, protocol, device type, and so on. This level of detail and application awareness provides deep visibility into your network infrastructure. It also helps you identify and monitor different kinds of traffic and resolve performance issues, which can improve the subscriber experience and bring incremental revenue to the service provider.

DPI uses signatures: it analyzes Layer 4 (L4) through Layer 7 (L7) headers and/or payloads to identify and classify the specific applications and services that subscribers are using. Service providers can use this information to create service plans that meet the needs of their subscribers and to regulate network usage.

The following are a few examples of the types of applications and protocols that BIG-IP PE supports:

  • P2P - BitTorrent, Gnutella

  • VoIP - SIP, Skype, Yahoo, Jabber

  • Web - HTTP, HTTPS, FTP, YouTube, Facebook

  • Streaming - HTTP streaming, RTSP, HTTP audio

With the growing number of applications and services on the network, signature libraries must be regularly updated to ensure accurate protocol classifications and subscriber plans based on usage patterns. The BIG-IP PE supports dynamic and hitless signature upgrades, allowing you to obtain new signatures for new or existing applications without upgrading the software.

Procedures

Install the IM Package

For the Deep Packet Inspection (DPI) use case, loading the IM Package is a prerequisite. The IM package loads the applications and categories that PE supports for DPI. For more information on how to install the IM Package, see the IM Package page.

Apply DPI Profile

Deep Packet Inspection requires the F5BigDpiProfile CR to enable the DPI feature. The following CR sets application detection to true.

  1. Copy the following example into the dpi-profile.yaml file.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDpiProfile
metadata:
  name: "dpi-profile"
spec:
  name: "dpiprofile-cnf"
  enableApplicationDetection: true
  enableLogUnclassifiedDomain: true
  enableIruleEvent: true
  preset:
    enableFlowBundling: true
    analyzeSslServerside: true
    enableCacheResults: true
    analyzeDns: true
    allowReclassification: true

  2. Run the following command to apply the DPI Profile.

    oc apply -f dpi-profile.yaml -n <name_space>

  3. Verify that the DPI Profile CR is applied by checking the f5ingress logs.

    Sample output:

    I0221 07:37:40.941844      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigDpiProfile", Namespace:"default", Name:"dpiprofile-cnf1", UID:"ecd6ef14-2a79-4e7c-8cb2-d6d658e802fc", APIVersion:"", ResourceVersion:"8710", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' F5DpiProfile default/dpiprofile-cnf1 was added/updated
    

    For more information on the DPI Profile, see the F5BigDpiProfile CRD page.

Apply PE Policy

The following is the procedure to apply the F5BigPePolicy. When Google traffic is detected, the PE policy allows it and classifies it as tcp.http.google traffic.

  1. Copy the following example into the pem-policy-dpi.yaml file.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigPePolicy
metadata:
  name: "pem-policy-dpi"
spec:
  description: "pem policy for dpi"
  rule:
    - name: "dpi-rule"
      precedence: 1
      filter:
        deepPacketInspection:
          - name: "class1"
            match: "match"
            category: "Search_Engines"
            application: "any"
      action:
        enableGate: true

For the complete list of parameters supported, see spec.rule.filter.deepPacketInspection.

  2. Run the following command to apply the PE Policy.

    oc apply -f pem-policy-dpi.yaml -n <name_space>

  3. Verify that the PE Policy CR is applied by checking the f5ingress logs.

    Sample output:

    I0221 08:02:01.809495      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigPePolicy", Namespace:"default", Name:"pe-policy", UID:"2485a783-3029-430b-b054-cacd9c9575af", APIVersion:"", ResourceVersion:"12153", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' pePolicy default/pe-policy was added/updated
    

    For more information on the PE Policy, see the F5BigPePolicy CRD page.

Apply PE Profile

The following is the procedure to apply the F5BigPeProfile. The PE Profile CR references the PE policy applied earlier under unknownSubscriberPolicy.

  1. Copy the following example into the pem-profile-dpi.yaml file.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigPeProfile
metadata:
  name: "pem-profile-dpi"
spec:
  description: "pem profile for dpi"
  globalPolicy: {}
  unknownSubscriberPolicy:
    - "pem-policy-dpi"

  2. Run the following command to apply the PE Profile.

    oc apply -f pem-profile-dpi.yaml -n <name_space>

  3. Verify that the PE Profile CR is applied by checking the f5ingress logs.

    I0221 08:02:55.145541      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigPeProfile", Namespace:"default", Name:"pe-profile-sri", UID:"1405a7e8-402a-4490-80b6-710ae6b3f79c", APIVersion:"", ResourceVersion:"12241", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' peProfile default/pe-profile-sri was added/updated
    

    For more information on the PE Profile, see the F5BigPeProfile page.

Apply Secure Context

The following is the procedure to apply the Secure Context CR, which binds the DPI profile and the PE profile created above to the listening virtual server.

  1. Add the following example to the secure-context.yaml file.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigContextSecure
metadata:
  name: "virtual-server"
spec:
  destinationAddress: "0.0.0.0/0"
  destinationPort: 0
  ipProtocol: "tcp"
  snat:
    type: "automap"
  peProfile: "pem-profile-dpi"
  dpiProfile: "dpi-profile"
  profile: "tcp"

  2. Run the following command to apply the Secure Context.

    oc apply -f secure-context.yaml -n <name_space>

  3. Verify that the Secure Context CR is applied by checking the f5ingress logs.

    I0221 08:06:28.013501      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigContextSecure", Namespace:"default", Name:"vs-internal", UID:"ec203939-44ef-4c32-9bc6-8e84b1501869", APIVersion:"", ResourceVersion:"12572", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' SecureContext default/vs-internal was added/updated
    

    For more information on the Secure Context, see the F5BigContextSecure CRD page.
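Each of the four procedures above ends with the same verification step: find an 'Added/Updated' event for the CR in the f5ingress logs. As an added example (not part of the F5 documentation), the check below parses event lines of the format shown in those steps and reports which expected CR has no such event in the namespace. The log lines are constructed in that format with placeholder UIDs, and the expected names are the metadata.name values from the manifests in this procedure; one line deliberately reports a different name (vs-internal instead of virtual-server) so the check has something to report.

```python
"""Check f5ingress event lines for the CRs applied in this procedure.

Added example, not from the F5 documentation. The log lines below are
constructed in the format the page shows (UIDs are placeholders); the
expected CR names are the metadata.name values of the manifests above.
"""
import re

# One event line per CR: Kind/Namespace/Name come from the ObjectReference,
# type and reason from the trailing "type: '...' reason: '...'" part.
EVENT_RE = re.compile(
    r'Event\(v1\.ObjectReference\{Kind:"(?P<kind>[^"]+)", '
    r'Namespace:"(?P<ns>[^"]*)", Name:"(?P<name>[^"]+)".*?\}\): '
    r"type: '(?P<type>\w+)' reason: '(?P<reason>[^']+)'"
)

# Constructed sample log modelled on the page's output; the last line's Name
# does not match the Secure Context manifest (vs-internal vs virtual-server).
SAMPLE_LOG = """\
I0221 07:37:40.941844      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigDpiProfile", Namespace:"default", Name:"dpi-profile", UID:"00000000-0000-0000-0000-000000000001", APIVersion:"", ResourceVersion:"8710", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' F5DpiProfile default/dpi-profile was added/updated
I0221 08:02:01.809495      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigPePolicy", Namespace:"default", Name:"pem-policy-dpi", UID:"00000000-0000-0000-0000-000000000002", APIVersion:"", ResourceVersion:"12153", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' pePolicy default/pem-policy-dpi was added/updated
I0221 08:02:55.145541      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigPeProfile", Namespace:"default", Name:"pem-profile-dpi", UID:"00000000-0000-0000-0000-000000000003", APIVersion:"", ResourceVersion:"12241", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' peProfile default/pem-profile-dpi was added/updated
I0221 08:06:28.013501      13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigContextSecure", Namespace:"default", Name:"vs-internal", UID:"00000000-0000-0000-0000-000000000004", APIVersion:"", ResourceVersion:"12572", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' SecureContext default/vs-internal was added/updated
"""

# Kind -> metadata.name taken from the manifests in this procedure.
EXPECTED = {
    "F5BigDpiProfile": "dpi-profile",
    "F5BigPePolicy": "pem-policy-dpi",
    "F5BigPeProfile": "pem-profile-dpi",
    "F5BigContextSecure": "virtual-server",
}


def parse_events(log_text):
    """Return a list of (kind, namespace, name, type, reason) tuples,
    ignoring lines that are not ObjectReference events."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m["kind"], m["ns"], m["name"], m["type"], m["reason"]))
    return events


def missing_crs(log_text, expected, namespace="default"):
    """Kinds in `expected` that have no 'Added/Updated' event with the
    expected name in `namespace`; an empty list means all CRs were applied."""
    seen = {(kind, ns, name)
            for kind, ns, name, _type, reason in parse_events(log_text)
            if reason == "Added/Updated"}
    return sorted(kind for kind, name in expected.items()
                  if (kind, namespace, name) not in seen)


if __name__ == "__main__":
    for event in parse_events(SAMPLE_LOG):
        print(event)
    print("missing or misnamed:", missing_crs(SAMPLE_LOG, EXPECTED))
```

In practice the log text would come from `oc logs` of the f5ingress Pod; the namespace argument should match the `-n <name_space>` used in the apply commands, since the event's Namespace field is the one the CR was created in.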

Policy Enforcement statistics

If the TMM Debug sidecar is enabled (the default), use the following steps to verify DPI statistics.

  1. Log in to the TMM debug Pod.

    oc exec -it deploy/f5-tmm -c debug -n <name_space> -- bash

  2. Verify the DPI statistics.

    tmctl -d /var/tmstat/blade/ -w 200 gpa_dpi_stats

    Sample output:

    result          count dpi flbl srdb custom bytes_in bytes_out pkts_in pkts_out
    --------------- ----- --- ---- ---- ------ -------- --------- ------- --------
    tcp                 8   8    0    0      0        0         0       0        0
    udp                 0   0    0    0      0        0         0       0        0
    tcp.http.google     8   8    0    0      0     3664      6176      48       48
    

Stats Supported

The following table lists the supported DPI stats for PE CNFs:

Stat name   Description
---------   -----------
count       Specifies the number of flows classified to the application.
dpi         Specifies the number of classification decisions made by the classification engine (DPI).
flbl        Specifies the number of classification decisions made by flow bundling.
srdb        Specifies the number of classification decisions made by the SRDB cache.
custom      Specifies the number of classification decisions made from custom categories.
bytes_in    Specifies the inbound bytes of the classified application.
bytes_out   Specifies the outbound bytes of the classified application.
pkts_in     Specifies the inbound packets of the classified application.
pkts_out    Specifies the outbound packets of the classified application.
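The tmctl table above is easier to act on once it is parsed into records keyed by the result column. As an added example (not part of the F5 documentation), the code below parses gpa_dpi_stats output, lists the results that actually carried traffic, and breaks one result's decisions down by source (dpi, flbl, srdb, custom) as described in the table. The sample text is constructed to mirror the page's output plus one extra row; the rule that the four decision counters add up to count is an assumption made for the consistency check, not something the page states.

```python
"""Parse `tmctl gpa_dpi_stats` output and summarise DPI classification.

Added example, not part of the F5 documentation. SAMPLE_STATS is
constructed to mirror the page's sample output with one extra row
(tcp.http); the consistency rule count == dpi + flbl + srdb + custom
is an assumption about how the per-source counters relate to count.
"""
import re

# Constructed sample, modelled on the tmctl output shown on the page.
SAMPLE_STATS = """\
result          count dpi flbl srdb custom bytes_in bytes_out pkts_in pkts_out
--------------- ----- --- ---- ---- ------ -------- --------- ------- --------
tcp                 8   8    0    0      0        0         0       0        0
udp                 0   0    0    0      0        0         0       0        0
tcp.http.google     8   8    0    0      0     3664      6176      48       48
tcp.http            3   1    2    0      0      900      1200      10       12
"""

NUMERIC = ("count", "dpi", "flbl", "srdb", "custom",
           "bytes_in", "bytes_out", "pkts_in", "pkts_out")
SOURCES = ("dpi", "flbl", "srdb", "custom")


def parse_dpi_stats(text):
    """Return {result: {column: int}} from a gpa_dpi_stats table.

    The first line names the columns, the dashed rule is skipped, and each
    data line is split on whitespace (the result column has no spaces).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        if re.fullmatch(r"[-\s]+", line):
            continue  # the "----- ---" separator line
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"column mismatch: {line!r}")
        record = dict(zip(header, fields))
        rows[record["result"]] = {k: int(record[k]) for k in NUMERIC}
    return rows


def classified_apps(stats):
    """Results that carried payload, i.e. at least one byte in or out."""
    return sorted(r for r, s in stats.items()
                  if s["bytes_in"] + s["bytes_out"] > 0)


def decision_sources(stats, result):
    """Fraction of classification decisions per source for one result.

    Assumes the four sources partition `count` (see module docstring);
    raises if the counters disagree so a misread table is not reported.
    """
    s = stats[result]
    total = sum(s[src] for src in SOURCES)
    if total != s["count"]:
        raise ValueError(f"{result}: decisions {total} != count {s['count']}")
    return {src: s[src] / total if total else 0.0 for src in SOURCES}


if __name__ == "__main__":
    stats = parse_dpi_stats(SAMPLE_STATS)
    print("results with traffic:", classified_apps(stats))
    for result in classified_apps(stats):
        print(result, decision_sources(stats, result))
```

On a live system the input would be the output of the tmctl command from the previous section; a result that keeps a nonzero count but zero bytes, as tcp does in the sample, is the aggregate protocol row rather than an application, which is why classified_apps filters on bytes rather than on count.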

Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.