Showing posts with label encryption. Show all posts

Monday, September 28, 2015

Openwave: How Could MNOs Optimize Traffic in the Encryption Era?


According to Openwave Mobility "encrypted traffic travelling on many mobile networks has risen fivefold in just one year and has now reached 60% of all data. 

Based on current trends, encrypted traffic levels will exceed 80% within 12 months in several regions. This is now one of the biggest areas of concern for mobile network operators as sites such as Google, Facebook and Wikipedia use HTTPS encrypted protocols. 

The findings are based on observing and analyzing traffic trends at a number of mobile operator customers around the globe". 

Related post: "[ABI] Encryption Drives Mobile Optimization to a $40B Over 5 Year Market" - here.
 
"As networks go “dark”, carriers are unable to gain insight into the encrypted data travelling on their networks. Operators can struggle to optimize the traffic and this can seriously impact users’ Quality of Experience (QoE). Moreover, some operators are unable to apply filters to block content such as adult material or to identify video streams that could even be used for extreme purposes such as to radicalize vulnerable individuals"

John Giere [pictured], CEO of Openwave Mobility, advises MNOs: “Operators need to consider solutions that optimize the TCP/IP layer of their networks and apply smart heuristics to achieve optimization in the application layer too. There are solutions that can identify bandwidth-hungry objects, even when encrypted, and achieve 50% data savings on HD video, audio and apps. Best of all, they do not compromise subscriber privacy.” (see "Openwave Mobility: Federated SDM; Encrypted Traffic Optimization" - here)

See "Over 80% of Traffic on Mobile Networks will be Encrypted in 12 months" - here.

Sunday, May 3, 2015

Sandvine: Netflix Brings us to the Encrypted Age


Sandvine released a new paper on encrypted Internet traffic. Based on data collected for a live, representative network in North America, the research findings and projections are:
  • Netflix’s recent decision to encrypt their traffic will result in over two-thirds of North American Internet traffic being encrypted in 2016
     
  • YouTube is the largest source of encrypted traffic in North America, and still a significant contributor of unencrypted traffic
     
  • Google Play traffic is encrypted, preventing the ability for third-parties to identify the apps, movies, and music being consumed by subscribers. Apple’s iTunes traffic remains unencrypted.
     
  • The simplicity of the Electronic Frontier Foundation’s “Let’s Encrypt” program, due to launch in mid-2015, will help drive encryption adoption among smaller sites



See "Sandvine: Two-Thirds Of North American Internet Traffic Will Be Encrypted In 2016" - here.

Wednesday, March 4, 2015

Openwave Mobility: Federated SDM; Encrypted Traffic Optimization

    
Openwave Mobility's recent announcements:

  • "launched the industry’s first carrier grade subscriber data federation solution. Smart Data Federator (SDF) is a flexible interface between data silos that reads and writes data to existing systems, allowing for a consolidated view of all subscriber data. SDF uses proven technology installed in the largest deployment of a UDR in the world, with over 130 million subs and over 5 nines availability.
    Operators can use SDF to make the connection between the data and the repository, regardless of structure and storage type. SDF is placed centrally to other data repositories, giving operators the flexibility they need to build applications across silos. SDF also creates a secure link between the applications and the data. This means that operators can secure and manage all their data repositories through SDF. By deploying SDF the applications that need data federation get the benefits of federation, while other applications can continue to use their data repositories directly as required".

    See "Openwave Mobility Unveils Subscriber Data Federation Solution" - here
  • "a new solution, Secure Traffic Manager, leveraging its NFV-enabled Integra, that optimizes encrypted mobile video and audio streaming traffic. Network operators will now benefit from a comprehensive solution that optimizes not just the TCP/IP transport layer, but also the video and audio application layer for encrypted traffic to maximize network utilization. Operators can now achieve 50% data savings on encrypted HD video, delivering an improved user experience for congested networks without compromising subscriber privacy."

    Matt Halligan [pictured], CTO, Openwave Mobility said: “Secure Traffic Manager uses patent pending heuristics to detect and manage streaming content. We enable smarter policy-aware traffic management for the carrier while retaining the highest levels of security protocols for robust encryption”.

    See "Openwave Mobility First to Optimize Encrypted Video Streaming" - here.

Friday, February 20, 2015

Vasona Adds Support for Encrypted Traffic


Vasona Networks [see "[Vendor Review]: Vasona's Cell Traffic Management" - here] announced the "latest feature set for its SmartAIR™1000 edge application controller and SmartVISION™ analysis suite:
  • Mobile operators gain a much-needed solution for managing the rising share of encrypted applications and content, which already accounts for nearly 25 percent of traffic on networks.

    SmartAIR now assesses characteristics of encrypted content from application types such as streaming, social media, email and file transfer, and can intelligently manage their resource usage during periods of network congestion. As the share of encrypted traffic rises, this is vital for delivering the best experiences across all users. With this functionality, Vasona Networks achieves a key distinction, since encrypted traffic can be completely opaque for other approaches to bandwidth management. 

      
  • .. rolling out the SmartCONNECT feature to share real-time data collected by its platforms with third-party systems.

  • SmartVISION [see "Vasona Adds Cell-Level Analytics" - here] Daily Dashboard feature that provides regular network performance and user experience reporting".






See "Vasona Networks Tackles Congestion Management Issues Caused By Rise Of Encrypted Traffic On Mobile Networks" - here.

Wednesday, January 28, 2015

Flash Networks Accelerates Encrypted Traffic; Increases D/W Speed by 50%


Flash Networks announces the "..release of Harmony 7.5, its Mobile Internet Services Gateway. A key differentiator of this new version is the ability to accelerate and optimize encrypted data without violating user privacy. Based on operator trials, Flash Networks has successfully demonstrated the ability to self-detect congestion in real-time and increase download speeds by 50% for all types of traffic, including encrypted traffic. The system can also be deployed as a virtual network function (VNF) and can be integrated into software defined networks (SDN).

..Harmony 7.5 includes smart optimization, which boosts downloads and browsing speeds for all networks, including 300 mbps LTE-A networks .. . Harmony 7.5 has been successfully used to optimize traffic in a live trial as part of an SDN topology, integrated into existing network functions and sharing the same hardware".
  
See "Flash Networks Announces New Congestion-Based Optimization and Acceleration for Encrypted Mobile Traffic" - here.

Thursday, June 28, 2012

DDoS Announcements: Radware Adds SSL Support

 
Radware announced that "its Attack Mitigation System (AMS) is the first solution of its kind that detects and mitigates denial of service (DoS) and distributed denial of service (DDoS) attacks that are SSL encrypted .. Today's anti-DoS security solutions do not effectively mitigate HTTP-encrypted DoS and DDoS attacks. Through patent-pending technology, Radware's AMS is the only network security solution with the ability to protect against high rate, SSL-based, Web-encrypted DoS and DDoS attacks, in both symmetric and asymmetrical network traffic environments that typify today's anti-DoS scrubbing and cleaning centers".

Avi Chesla (pictured), Radware's CTO, said: "Recently, we have seen some powerful DoS and DDoS attacks that took advantage of the encrypted SSL traffic, targeting firms that depend on secured online transactions such as financial institutions, government agencies, social networking companies and others. Any organization that relies on SSL-based traffic without a proper decryption engine working in synch with an attack mitigation solution is exposing itself to great risk".

See "Radware's Attack Mitigation System Protects Online Businesses Against Encrypted DoS & DDoS Attacks" - here.

Sunday, May 6, 2012

Sandvine's CTO: Video Optimization might not Work for you!

 
Up until recently, DPI/traffic shaping vendors and video optimization vendors worked on a partnership basis, mainly based on joint opportunities, the need to add one solution on top of an existing one, etc. DPI vendors usually emphasized the synergy of joint solutions (such as redirecting identified video traffic to the optimization device, saving resources), and were ready to work with any vendor. The "partners" web pages of DPI vendors usually show a number of video optimization partners (Allot, Procera, Sandvine), and some announcements were made (Procera-Ortiva, Sandvine-Mobixell/Ortiva/Vantrix).

Recently, these opportunistic relationships moved to the next level and became a strategic direction. Bytemobile announced an integrated DPI/optimization solution (here) and Allot acquired Ortiva Wireless, a small player in the optimization space (see "Allot: Cost of Ortiva Acquisition - Less than $17M, in Cash" - here).

Analysts predict that Procera is also looking for an acquisition following its recent public offering, maybe also in the optimization space (see "Procera Builds M&A War Chest" - here).
 
On the other hand, Sandvine's CTO, Don Bowman (pictured), issued a "public warning" about the ability of current video optimization solutions to support the real-life video traffic.
 
In a recent blog post, Don says "buyers beware! Not all video optimization techniques are able to achieve the network savings that operators are seeking and the quality of experience that subscribers are demanding"
  
"From our Internet Phenomena report, we know that Netflix and YouTube are the top two contributors of video traffic volume in mobile and fixed networks. After these big two, there is still a fair amount of traffic from numerous other video content providers, but it is a very long tail so the net value of optimizing such traffic goes down substantially (i.e. lots of effort/processing with little gain). Netflix encrypts its video traffic using Digital Rights Management (DRM) techniques, so that data stream cannot be modified. On the other hand, YouTube today is transmitted using HTTP (in the clear); however, there is a movement towards encryption using HTTPS, and Google has announced it will begin implementing HTTPS as default for its searches"
 
Don suggests that ".. when selecting a video optimization provider, the investment needs to provide a secure foundation for continuing value-add services for the operator, such as: content caching .. the ability to splice in advertisements for incremental revenue .. content filtering capacity to perform optimization at the high scale needed in growing mobile networks".
 
See "The Need to Optimize Video Optimization" - here.

Tuesday, July 12, 2011

OpenVPN vs. DPI

  
Someone posted to the Anonyproz site a knowledgebase item on "Deep Packet Inspection and OpenVPN".

"A new internet traffic monitoring technology known as Deep Packet Inspection (DPI) has been proven to successfully block OpenVPN traffic regardless of the port used whether 80 or 443. Anyone who uses the Internet needs to be aware of Deep Packet Inspection .. It is important to understand that OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL applications does. So all the SSL packets from OpenVPN are encapsulated in a kind of OpenVPN container. Which is why some deep packet inspection firewalls might not allow OpenVPN traffic"

"One possible solution is to tunnel OpenVPN traffic over SSH. Using this method, some users on networks using DPI have been able to bypass. The method works in most cases because the initial SSH traffic is recognized by the DPI device as being “True HTTPS” traffic thereby allowing you to bypass and tunnel through".

See "Deep Packet Inspection and OpenVPN" - here.

Sunday, May 8, 2011

[update] Does Netflix Replace P2P File Sharing?

 
A while ago I posted a Wired article that used data from Arbor Networks and Sandvine to analyze if Netflix replaces P2P file sharing as the most common way to consume Internet video (here). The information from the two DPI vendors showed very different levels of P2P file sharing (19.2% according to Sandvine and 8% as reported by Arbor).

Now Sandvine tries to explain why its data is more reliable. Matt Tooley (picture), VP of Consulting Solutions, says in the company's blog that the reason is Sandvine's ability to detect encrypted BitTorrent traffic.

Indeed, encryption was always the main challenge for DPI vendors when trying to identify P2P file sharing traffic, or other applications that ISPs do not like (such as Skype). See "DPI Research: New Features are Needed (Encryption, User Profiling)" - here.
  
"..  “BitTorrent (regular)” and “BitTorrent (UDP)” are trivial to identify, whereas the encrypted and uTP varieties require very sophisticated traffic identification techniques.  Perhaps this reality can explain the discrepancy between the numbers provided by Sandvine and those provided by other organizations. It’s possible that our P2P Filesharing numbers (which included all varieties of BitTorrent) were being compared against only the easily-detected protocols".

See "Sandvine’s Take on Netflix’s Impact on P2P File Sharing" - here.

Friday, April 22, 2011

DPI Research: New Features are Needed (Encryption, User Profiling)


A "Proposition de Sujets de These" by Pr. Guillaume Urvoy-Keller (picture), from the Université Nice Sophia Antipolis, seeks a candidate to research DPI: the "candidate should have a solid background in networking and programming". "This work will be partly carried out in cooperation with Orange Lab, Sophia-Antipolis".

See "Internet/Intranet Traffic classification" - here.
  
In a previous work, "Hybrid Traffic Identification" - here, Pr. Urvoy-Keller proposes ".. a framework, called Hybrid Traffic Identification (HTI) that enables to take advantage of the merits of different approaches. Any source of information (flow statistics, signatures, etc) is encoded as a feature; the actual classification is made by a machine learning algorithm. We demonstrated that HTI is not-dependent on a specific machine learning algorithm, and that any classification method can be incorporated to HTI as its decision could be encoded as a new feature". 

He concludes that "We heavily tested HTI using different ADSL traces and 3 different machine learning methods. We demonstrated that not only HTI outperforms the classical classification schemes, but, in addition, it is suitable for cross-site classification. We further reported on the use of an HTI instance that takes its decision on the fly for all the traffic generated by the customers of an ADSL platform"
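The hybrid idea quoted above, as an added sketch that is not code from the HTI paper or its authors: a DPI signature hit, another classifier's port-based vote and two flow statistics are each encoded as one feature, and a learning algorithm makes the final call. The feature names, the constructed sample flows and the choice of logistic regression are assumptions made for this illustration.

```python
import math

# Constructed flows, not taken from the paper's ADSL traces. Every column is
# one "source of information" encoded as a feature, as the HTI quote describes:
#   sig   - 1 if a payload signature for streaming matched (DPI output)
#   port  - 1 if a port-based classifier voted "streaming" (another method's
#           decision, encoded as a feature)
#   size  - mean size of the first packets, scaled by 1500 bytes
#   down  - downstream share of the flow's bytes
# Label: 1 = streaming, 0 = other. All names and values are assumptions.
TRAIN = [
    ((1, 1, 0.93, 0.97), 1),
    ((1, 0, 0.90, 0.95), 1),
    ((0, 1, 0.95, 0.96), 1),  # encrypted: signature did not match
    ((0, 0, 0.92, 0.98), 1),  # encrypted, non-standard port
    ((0, 1, 0.30, 0.60), 0),
    ((0, 0, 0.10, 0.50), 0),
    ((0, 0, 0.25, 0.40), 0),
    ((0, 1, 0.40, 0.55), 0),
]

def score(model, x):
    """Probability that flow x is streaming under a logistic model."""
    weights, bias = model
    z = bias + sum(w * xi for w, xi in zip(weights, x))
    return 1.0 / (1.0 + math.exp(-z))

def train(samples, epochs=3000, lr=0.2):
    """Fit logistic regression by plain stochastic gradient descent."""
    weights, bias = [0.0] * len(samples[0][0]), 0.0
    for _ in range(epochs):
        for x, label in samples:
            err = score((weights, bias), x) - label
            weights = [w - lr * err * xi for w, xi in zip(weights, x)]
            bias -= lr * err
    return weights, bias

def signature_only(x):
    """Baseline: trust the DPI signature alone."""
    return x[0]

MODEL = train(TRAIN)

if __name__ == "__main__":
    encrypted_stream = (0, 0, 0.94, 0.96)  # constructed, unseen in training
    print("signature only:", signature_only(encrypted_stream))
    print("hybrid model  : %.2f" % score(MODEL, encrypted_stream))
```

The unseen encrypted flow gets no signature hit, yet the combined model still labels it as streaming from the statistical features.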

In the new proposal ".. we aim at investigating new problems related to traffic identification:
  • .. we want to further explore the process of adding features to the [above] classification tool. In addition to adding features, we would like to investigate new applications that might represent a minority of bytes when observing the overall traffic on the long run but might be considered as crucial by the ISP, e.g. streaming or social network traffic. Also, encrypted traffic is of high interest ...
     
  • So far, all works that rely on statistical approaches use deep packet inspection tools for annotating the pre-labeled trace used to train the classifier. No study has considered the reverse problem of how results of statistical tools can help improving deep packet inspection tools.
     ..
  • Traffic classification might be used to profile groups of users. It can also be used to inform anomaly detection, e.g., abnormal trends in a specific application. We started to investigate users profiling