Traffic classification

Traffic classification is an automated process which categorises computer network traffic according to various parameters (for example, based on port number or protocol) into a number of traffic classes.[1] Each resulting traffic class can be treated differently to differentiate the service implied for the user (data generator/ consumer).

Contents

Typical uses

Once packets have been classified, for example, each traffic class could be subject to a different rate limit, shaped separately and/or prioritized relative to other traffic classes. This differentiation can be used by a network operator to treat different types of application traffic differently (for example, prioritize voice over file sharing for the responsiveness perceived by end users), and to offer premium services at a higher price point than basic ones.[2]

Traffic classification is a cornerstone of the differentiated treatment of Internet traffic, including some data discrimination techniques, and consequently is an important and at times controversial factor in debates on network neutrality. Traffic classification is one of several mechanisms used in teletraffic engineering and traffic management in IP and ATM networks.

Differentiated Services specifies that packets are marked according to their class, determined by a traffic classifier - a node in the network which assesses which class a particular packet should belong to, and marks it with a Differentiated Services Code Point (or DSCP) accordingly.

Implementation

Classification is achieved by various means. Matching bit patterns of data to those of known protocols is a simple, yet widely-used technique. An example to match the BitTorrent protocol handshaking phase would be a check to see if a packet began with character 19 which was then followed by the 19-byte string 'BitTorrent protocol'.[3] More advanced traffic classification techniques rely on statistical analysis of attributes such as byte frequencies, packet sizes and packet inter-arrival times.[4] Upon classifying a traffic flow using a particular protocol, a predetermined policy can be applied to it and other flows to either guarantee a certain quality (as with VoIP or media streaming service[5]) or to provide best-effort delivery. This may be applied at the ingress point (the point at which traffic enters the network) with a granularity that allows traffic management mechanisms to separate traffic into individual flows and queue, police and shape them differently.[6]

Typical traffic classes

Operators often distinguish three broad types of network traffic: Sensitive, Best-Effort, and Undesired.

Sensitive traffic

Sensitive traffic is traffic the operator has an expectation to deliver on time. This includes VoIP, online gaming, video conferencing, and web browsing. Traffic management schemes are typically tailored in such a way that the quality of service of these selected uses is guaranteed, or at least prioritized over other classes of traffic. This can be accomplished by the absence of shaping for this traffic class, or by prioritizing sensitive traffic above other classes.

Best-effort traffic

Best effort traffic is all other kinds of non-detrimental traffic. This is traffic that the ISP deems isn't sensitive to Quality of Service metrics (jitter, packet loss, latency). A typical example would be peer-to-peer and email applications.[7] Traffic management schemes are generally tailored so best-effort traffic gets what is left after sensitive traffic.

Undesired traffic

This category is generally limited to the delivery of spam and traffic created by worms, botnets, and other malicious attacks. In some networks, this definition can include such traffic as non-local VoIP (for example, Skype) or video streaming services to protect the market for the 'in-house' services of the same type. In these cases, traffic classification mechanisms identify this traffic, allowing the network operator to either block this traffic entirely, or severely hamper its operation.

File sharing

Peer-to-peer file sharing applications are often designed to use any and all available bandwidth which impacts QoS-sensitive applications (like online gaming) that use comparatively small amounts of bandwidth. P2P programs can also suffer from download strategy inefficiencies, namely downloading files from any available peer, regardless of link cost. The applications use ICMP and regular HTTP traffic to discover servers and download directories of available files.

In 2002, Sandvine Incorporated determined, through traffic analysis, that P2P traffic accounted for up to 60% of traffic on most networks.[8] This shows, in contrast to previous studies and forecasts, that P2P has become mainstream.

P2P protocols can and are often designed so that the resulting packets are harder to identify (to avoid detection by traffic classifiers), and with enough robustness that they do not depend on specific QoS properties in the network (in-order packet delivery, jitter, etc. - typically this is achieved through increased buffering and reliable transport, with the user experiencing increased download time as a result). The encrypted BitTorrent protocol does for example rely on obfuscation and randomized packet sizes in order to avoid identification.[9] File sharing traffic can be appropriately classified as Best-Effort traffic. At peak times when sensitive traffic is at its height, download speeds will decrease. However, since P2P downloads are often background activities, it affects the subscriber experience little, so long as the download speeds increase to their full potential when all other subscribers hang up their VoIP phones. Exceptions are real-time P2P VoIP and P2P video streaming services who need permanent QoS and use excessive overhead and parity traffic to enforce this as far as possible.

Some P2P applications[10] can be configured to act as self-limiting sources, serving as a traffic shaper configured to the user's (as opposed to the network operator's) traffic specification.

Some vendors advocate managing clients rather than specific protocols, particularly for ISPs. By managing per-client (that is, per customer), if the client chooses to use their fair share of the bandwidth running P2P applications, they can do so, but if their application is abusive, they only clog their own bandwidth and cannot affect the bandwidth used by other customers.

References

  1. ^ IETF RFC 2475 "An Architecture for Differentiated Services" section 2.3.1 - IETF definition of classifier.
  2. ^ PlusNet's Traffic Classes show classification and prioritisation policies used to differentiate between more and less expensive Internet service
  3. ^ BitTorrent Protocol
  4. ^ E. Hjelmvik and W. John, “Statistical Protocol IDentification with SPID: Preliminary Results”, in Proceedings of SNCNW, 2009
  5. ^ SIN 450 Issue 1.2 May 2007 Suppliers' Information Note For The BT Network BT Wholesale - BT IPstream Advanced Services - End User Speed Control and Downstream Quality of Service - Service Description
  6. ^ Ferguson P., Huston G., Quality of Service: Delivering QoS on the Internet and in Corporate Networks, John Wiley & Sons, Inc., 1998. ISBN 0-471-24358-2.
  7. ^ The spam problem has actually led some network operators to implement Traffic shaping on SMTP traffic. See Tarpit (networking)
  8. ^ Leydon, John. "P2P swamps broadband networks". http://www.theregister.co.uk/2002/09/12/p2p_swamps_broadband_networks/.  The Register article which refers to Sandvine report - access to the actual report requires registration with Sandvine
  9. ^ Identifying the Message Stream Encryption (MSE) protocol
  10. ^ "Optimize uTorrent Speeds Jatex Weblog". http://jatex.wordpress.com/2008/08/08/optimize-utorrent-speeds/.  Example for client side P2P traffic limiting