1. Field
Embodiments of the invention relate to the field of computer networking; and more specifically, to peer-to-peer, gaming, and application traffic detection and treatment.
2. Background
Peer-to-peer (peer), gaming and application traffic has come to be the lion's share of the data traffic on the Internet. Peer traffic is defined herein as traffic used, generated, consumed, processed, and/or exchanged by peer-to-peer, gaming and other peer applications that communicate this traffic between end stations. Peer traffic typically comprises data packets (“packets”) that can include data or control information used by the peer, gaming, and/or other peer applications. Similarly, peer networks are the networks used by peer, gaming, and/or other peer applications.
With most networks not engineered for this kind of traffic, peer traffic has the ability to impair networks and upset traditional network design philosophies and principles. Traditional network design is based on the assumption that not every client is transmitting and/or receiving traffic at a high, sustained rate, but rather at an intermittent rate. Typically, a user sends email or surfs the web, which are both intermittent uses of the network. However, for example, a savvy user may want to initiate a movie download, which can result in a high demand placed on the network over a long period of time. As such, service providers typically have an important goal of detecting this traffic and using customized treatment techniques.
Peer networks are highly distributed network architectures such that all clients in the peer network provide bandwidth, storage space, and computing power for the network. Adding a client to the peer network increases the capacity of the peer network. By providing these computing resources, clients make content stored on the client available to other clients directly, without going through a central server. In a pure peer network, there is no central server and each client publishes lists of available content to the other clients in the peer network. Alternatively, in a hybrid peer network, central servers do not store the available content, but instead typically host information about which clients are part of the peer network and what content each client has available.
A typical application of peer networks is the exchange of content between clients. While in one embodiment, content is audio-visual media (music, pictures, movies, sounds, etc.), in alternate embodiments, content can be other types of entities capable of being transmitted across the peer network (documents, software, etc.). Because each piece of content can be large, continual exchanging of content can put a high strain on the underlying network supporting the peer network. In addition, peer networks tend to be ad hoc, meaning peer networks are overlaid on a service provider's existing network without the service provider's permission.
Gaming applications allow one gamer at one end station to play another gamer at another end station. In one embodiment, gaming applications typically use a client-server model where a central server controls the game between different gamers. In an alternate embodiment, the gamers directly transmit information between the gamers' end stations. Other peer applications known in the art are voice over Internet Protocol (VOIP), such as SKYPE, etc.
FIG. 1 illustrates one embodiment of a service provider network 100 with a router forwarding traffic between end stations and content servers through a network. In FIG. 1, network 100 comprises end stations 102A-C, router 104, core network 106, and content servers 108A-B. End stations 102A-C couple to router 104 and router 104 couples to content servers 108A-B through core network 106. While in one embodiment, end stations 102A-C are home personal computers, in alternate embodiments, end stations can be the same or different type of machine (e.g., business computer, personal digital assistant, cell phone, game console, handheld game system, laptop computer, etc.). End stations can couple to router 104 through any one of the means known in the art (e.g., Ethernet, wireless, digital subscriber line (DSL), cable modem, fiber, etc.). Router 104 provides an entry point into core network 106 by forwarding data traffic from end stations 102A-C to content servers 108A-B, from content servers 108A-B to end stations 102A-C, and data traffic going between end stations 102A-C. While in one embodiment, router 104 is an edge router that forwards traffic between the edge network servicing end stations 102A-C and core network 106, in alternate embodiments, router 104 can be a router or switch positioned differently in the service provider's edge and/or core networks.
Core network 106 is the backbone network of the service provider that typically has high capacity to handle the high volume of traffic traveling through network 100. Content servers 108A-B serve content and/or control information for peer, gaming, and other applications to end stations 102A-C. In one embodiment, content servers 108A-B host peer services by keeping information on the peers in the networks (e.g., end stations 102A-C) and responding to requests for information. In this embodiment, content servers 108A-B keep track of what each of end stations 102A-C has to share with the other end stations and make this information available to other interested end stations. In an alternate embodiment, the peer network does not use the content servers, but allows for direct communication between the corresponding end stations 102A-C.
Because peer networks generate high volumes of traffic, service providers typically try to control the flow of peer traffic. Controlling of peer traffic typically entails detecting the peer traffic and then applying a policy on how to treat the traffic. FIG. 2 (Prior Art) is an exemplary flow diagram of method 200 for detecting and processing peer traffic. In FIG. 2, at block 202, method 200 identifies the peer traffic. Typically, there are two basic ways to detect peer traffic: heuristic model analysis and deep packet inspection (DPI).
A heuristic model analysis identifies peer traffic by comparing a traffic pattern to a known peer signature without inspecting the contents of each packet. For example, volume of traffic above a certain rate from one end station to another may characterize peer traffic. Alternatively, a burst pattern may also signal peer traffic. Heuristic models are based on external characteristics of the packets and packet flow. While in one embodiment, a heuristic model is based on duration of the packet flow, in alternate embodiments, the heuristic is based on the same and/or different characteristics (average packet size, inter-packet gap, etc.). For example, and by way of illustration, a movie download may have an open connection for hours and/or a VOIP call may have a fixed size inter-packet gap. The advantage of a heuristic model is that because there is no packet inspection, the computational resources needed are relatively small. While heuristic model analysis typically accurately detects existing peer traffic, heuristic models tend to be over-inclusive, detecting additional traffic as peer traffic. Thus, some legitimate services may be interrupted or disconnected altogether because of this misidentification.
On the other hand, DPI inspects the contents of each and every packet in the data traffic to determine if the packet is part of peer traffic. Each packet involved in peer traffic has a characteristic data content pattern. Peer networks typically use two types of packets: control packets and data packets. Control packets contain information to set up and maintain peer content exchanges. Data packets contain the data being used in the peer transaction. DPI matches the data content pattern of the control and/or data peer packet with known data content patterns. DPI models are very accurate and do not suffer from the over-inclusive problems of the heuristics approach. Nevertheless, DPI is very computationally intensive when DPI is used on every packet flowing through a high-throughput network element, such as router 104.
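The two detection approaches described above can be compared side by side. The following is an added example, not part of the original text: it runs a duration-and-rate heuristic and a payload signature match over three constructed flows, showing the heuristic's over-inclusive verdict on a long backup upload and the number of bytes DPI must inspect. The thresholds, flow names and sizes are assumptions, and the sample signature is the BitTorrent handshake prefix, used here only as one well-known data content pattern.

```python
from dataclasses import dataclass

# Assumed sample signature: a BitTorrent handshake begins with byte 0x13
# followed by the ASCII string "BitTorrent protocol".
SIGNATURES = {"bittorrent": b"\x13BitTorrent protocol"}

@dataclass
class Flow:
    name: str
    times: list      # packet arrival times, seconds
    payloads: list   # packet payloads, bytes

def heuristic_is_peer(flow, min_duration=3600.0, min_rate=10_000.0):
    """Heuristic model: external flow characteristics only, no payload access."""
    duration = flow.times[-1] - flow.times[0]
    if duration <= 0:
        return False
    rate = sum(len(p) for p in flow.payloads) / duration   # bytes per second
    return duration >= min_duration and rate >= min_rate

def dpi_is_peer(flow):
    """DPI: match every payload against known patterns; report bytes inspected."""
    inspected, hit = 0, False
    for payload in flow.payloads:
        inspected += len(payload)
        hit = hit or any(sig in payload for sig in SIGNATURES.values())
    return hit, inspected

def make_flow(name, packets, gap, first, body_len):
    """Constructed flow: one leading control packet, then fixed-size data packets."""
    times = [i * gap for i in range(packets)]
    return Flow(name, times, [first] + [b"\x00" * body_len] * (packets - 1))

# Constructed sample flows (hypothetical names and sizes).
FLOWS = [
    make_flow("p2p_download", 3601, 1.0, SIGNATURES["bittorrent"], 16_000),
    make_flow("nightly_backup", 3601, 1.0, b"POST /backup HTTP/1.1\r\n", 16_000),
    make_flow("web_browsing", 50, 5.0, b"GET / HTTP/1.1\r\n", 800),
]

def report(flows=FLOWS):
    """Return {flow name: (heuristic verdict, DPI verdict, bytes DPI inspected)}."""
    return {f.name: (heuristic_is_peer(f), *dpi_is_peer(f)) for f in flows}

if __name__ == "__main__":
    for name, (heur, dpi, cost) in report().items():
        print(f"{name:15} heuristic={heur!s:5} dpi={dpi!s:5} inspected={cost} bytes")
```

The backup flow is flagged by the heuristic but not by DPI, while DPI reaches its verdict only after reading every payload byte of every flow.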
At block 204, method 200 processes the packets that are part of the identified peer traffic. While in one embodiment, method 200 simply drops these packets, in alternate embodiments, method 200 processes the packets differently (transmits at a fixed or reduced transmission rate, marks the packets as peer, preferential treatment, etc.).
Peer traffic can be a severe problem for a service provider. The common way to handle this problem is to detect peer traffic and either drop the peer traffic or rate limit it so as to not disrupt the service provider's network. Nevertheless, the two ways to detect peer traffic have drawbacks. The heuristic model approach identifies too much traffic as peer traffic, whereas DPI is very computationally intensive.