Article_006

Curbing Illegal VOIP: Is DPI a Panacea?

A. K. M. Habibur Rahman
akmhbib@btcl.net.bd


1. Introduction

Voice over Internet Protocol (VOIP) is a much-talked issue in the Information Communication Technology (ICT) sector especially in Bangladesh. It is generally believed that overseas call termination using VOIP started during 2000 when the use of VSAT was liberalized with the aim at promoting software export. Until Bangladesh Telecommunications Regulatory Commission (BTRC) formed in 2002, the regulatory functions of telecommunications sector had been overseen by the Ministry of Post and Telecommunications (MOPT). Under the guidance of MOPT, the then government operator BTTB led actions against illegal voice termination using VOIP.

After BTRC came into being, it has been hunting for the effective solution to curb overseas call termination using VOIP technology through employing foreign consultants, conducting workshops and dialogues with the stakeholders. But no consensus was made about legalizing overseas voice communication using VoIP which could be acceptable to all quarters. Through an initiative to open up VOIP in 2007, International Long Distance Telecommunications Service (ILDTS) Policy 2007 came in the telecommunications sector with a layered concept. A three-layer structure for voice communications namely International Gateway (IGW), Interconnection Exchange (ICX) and Access Network Service (ANS) operator and two-layer for data communications namely International Internet Gateway (IIG) and Internet Service Provider (ISP) operator are the outcomes of the ILDTS policy 2007. Three (in addition to BTTB, now BTCL) operators have been granted IGW licenses in the private sector and they are only allowed to exchange overseas voice using IP technology. One IIG has been allowed in the private sector, in addition to BTTB (BTCL) IIG and the IIGs have been instructed to take necessary measures to stop commercial voice communications through IIG gateways.

It was supposed that call termination using VOIP technology would be minimized once the IGWs in private sector have been established. But what has been experienced since the IGWs started operation? Despite measures taken by IIGs vis-à-vis vigilances conducted by BTRC’s VOIP Prevention Team and legal actions taken by BTRC, it is hard to say that the illegal activities of call terminations in grey routes have come under full control. Consequently, pressures mounted over IIGs to control voice termination through internet and an idea spread over all concerned that VOIP can be automatically stopped by installing Deep Packet Inspection (DPI) device in the IIGs. How far it is right?

2. Fighting Against Illegal VOIP: Technical Approach

There are various ways those were applied in the Internet Gateway to hinder voice communications. The ways worked temporarily but could not automatically stop voice transmission because illegal VOIP operators applied new techniques very quickly. The ways and means against VOIP are described below.

2.1 Port blocking
In computer networking, the protocols of the Transport Layer of the Internet Protocol Suite, most notably the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), but also other protocols, use a numerical identifier for the data structures of the endpoints for host-to-host communications. Such an endpoint is known as a port and the identifier is the port number (Wikipedia). The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers for specific uses.

There are some standard ports which have been registered for protocols related to voice communication over IP network e.g. port number 5060 for SIP, 5005 for Real-time Transport Protocol control protocol, 1720 for h323hostcall, 1300 for H323 Host Call Secure etc. At one point of time, it was advised by different experts and by news media that VoIP can be stopped by blocking the ports related to voice communications. So, port blocking was the earliest measure applied in the Internet gateway since there were no facilities to capture, store, and analyze the gateway data traffic. Afterwards, it was clear to everybody that port block is not the way to fight against illegal VoIP. Voice packets can be passed through any port like 80 (used for Hyper Text Transfer Protocol i.e. for browsing) or even 25 (Simple Mail Transfer Protocol i.e. used for mail sending). Should these ports be blocked? The answer must be ‘NO’.

When standard ports were blocked, the VoIP operators refrained from using standard ports for voice protocols. They were to search for new techniques and the technological development always in favour of them finding the new way.

2.2 Traffic Monitoring
After all the private-sector IGWs and IIG came into operation, it was observed that the term DPI has become a buzzword to all concerned. Everybody was telling that DPI implementation is very crucial and without DPI implementation VOIP cannot be stopped. An idea was deep-seated among those concerned that DPI could automatically and effectively stop VOIP.

Deep Packet Inspection (DPI) is an advanced method of packet filtering that functions at the Application layer of the OSI (Open Systems Interconnection) reference model. The use of DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect. (Source: www.whatis.com)

DPI is generally used for the following purposes:
To detect the Distributed Denial of Service (DDoS) packets and filter them out.
To tighten network security by preventing viruses and spyware from either gaining entrance to a network or leaving it.
To apply network-access rules easily.
To make the network Lawful Interception (LI) compliant.
To enforce service-level agreements by ISPs.
To ensure quality of service by instigating traffic control and bandwidth allocation.
To detect illegal content

The operators use DPI for such applications which have the potential to give users a better internet experience.

DPI uses signature-matching technology i.e. it takes the incoming packets apart, examines the data, comparing with set criteria, and then re-assembles the packet. Based on pre-defined criteria, DPI makes a decision on whether or not to let the packet pass through.

When implemented, some positive performance has been observed but that lasted for a short time. Although DPI has been designed for exploiting various network benefits but it is being used only targeting voice communication. While the performance of DPI was evaluated, it was observed that the DPI can automatically stop those voice packets which uses standard voice protocols and matches the pre-defined rules implemented in the DPI. DPI cannot detect the voice traffic passing through it but using Virtual Private Network (VPN) technology. Most of the illegal voice traffics are passed through VPN tunnel using IPSec, GRE (Generic Route Encapsulation) or open-VPN protocols. These cannot be detected by DPI or cannot be decrypted without specific decrypting software. In this context, DPI can only be considered as the ‘first line of defense’ for fighting against illegal overseas voice transmission.

3.0 What’s Next?

Against DPI’s inability to detect voice packets passed through VPN tunneling, further inspection/analysis of data packets became necessary. There are various softwares which can capture, inspect and analyze the data packet and more detail information can be gathered from the analysis. Two of such application softwares are briefly described below.

Wireshark: This is free software that can intercept and log traffic passing over a data network. When data streams pass through the network, the software captures each packet, decodes & analyzes its content and presents lots of information. It can "understand" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. The important features of Wireshark are:

It can capture from a live network.
It can read from different types of network, including Ethernet, IEEE 802.11 etc,
It can display the captured data in tabular as well as different graphical modes.
It can display filtered data as per need.
It can create Plugins for dissecting new protocols

NetFlow: This is a network protocol analyzer developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting and analyzing IP traffic information. This is Cisco-proprietary application software but supported by platforms other than Cisco, such as Juniper. Netflow feature enabled Cisco routers generate netflow records in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets.

Others: Other vendors provide similar features for their routers but with different names- such as Jflow or cflowd for Juniper Networks, NetStream for Huawei Technology, Cflowd for Alcatel-Lucent etc.

Use of the network protocol analyzing software needs a set of resources:
a strong hardware platform for an IIG handling data traffic at the rate of more than 2 Gigabit per second.
a team of experienced and well-trained network engineers to capture, analyze the data and implement the policy. This should be done on continuous basis.

4. Post-analysis Activities

After analyzing the traffic, if suspected packet (voice) is detected what should be done? From the operator perspective, there is only one thing to do: block the source and destination IP addresses and report the addresses to the regulator. From the regulator perspective, the regulator can investigate the issue even by physically sending authorized personnel and take legal measures for breaching the terms and conditions of the license for designated service.

In this scenario, packet filtering has been becoming a complex task as call centers are allowed to do VoIP originating from and terminating to a specific IP address and video conferencing involves real time voice transmission.

It was observed that blocking IP addresses is also not the effective technical way because as soon as one or some IP addresses are blocked illegal voice operators can switch over to different IP addresses. They might have handsome numbers of IP addresses in their hand.

There are some other measures which might be helpful to some extent for curbing illegal voice communication over Internet but this could have adverse impact on the legitimate data traffic. The measures include: limiting excessive (also doubtful) packets (like DNS), protocol (UDP), application (GRE, IPSec, PPP encapsulated) traffic to some reasonable level, providing asymmetric bandwidth to the ISPs, etc

Commercial voice is termed as illegal voice whereas non-commercial voice is not illegal. As per regulatory guidelines, magnitude of non-commercial voice must be limited to a certain level and that level shall be determined by the regulator. As both commercial and non-commercial voice transmission over Internet use same technology, it is very difficult to distinguish between both from technical point of view. Limiting the non-commercial traffic means applying different policy implemented in the Gateway which may cause stopping or degrading the legal traffic.


5. Conclusion

In fact, there is no single solution which can AUTOMATICALLY stop all voice packets passing through an IP network. Continuous monitoring of traffic (almost 18 hours in a day) and applying policy in the network based on observations received from analysis, regular vigilances by the regulator may keep the magnitude of illegal voice communication at a minimum level. This will surely need a dedicated team having experienced and well-trained personnel equipped with effective software and high-end hardware platform at the operators’ end and assistance of law enforcing agencies as well as deployment of in-house expert personnel at the regulator end. .

Wednesday, June 3, 2009