[72585] in North American Network Operators' Group


Re: Regional differences in P2P

daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Sun Jul 18 09:44:18 2004

Date: Sun, 18 Jul 2004 14:43:38 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Walter De Smedt <wdesmedt@telenet.be>
Cc: Jared Mauch <jared@puck.nether.net>,
	Michel Py <michel@arneill-py.sacramento.ca.us>,
	Petri Helenius <pete@he.iki.fi>, <nanog@merit.edu>
In-Reply-To: <20040718123116.GA74797@robin.isa-geek.org>
Errors-To: owner-nanog-outgoing@merit.edu



On Sun, 18 Jul 2004, Walter De Smedt wrote:

> How are ISPs monitoring P2P traffic these days? Monitoring based on
> Netflow/cflowd data and fixed port numbers for application
> classification doesn't seem to do the trick anymore as more P2P
> applications use random port numbers or even use port 80, with the
> purpose of circumventing potential ISP policies or accounting.
> With Netflow/fixed port nrs the amount of 'unknown traffic' is
> increasing steadily.
> 
> The next step in P2P recognition seems to be deep packet inspection with
> signature based detection. The major problem here is scalability - I
> don't see some device analyzing 1G, the typical uplink capacity of
> Internet gateways in a medium SP network, of traffic at layer 7.
> If this should be feasible, what if P2P applications would employ
> encryption schemes (e.g. IPSec) - this would render signature-based
> recognition useless.

you can also be fairly accurate from the flow data.. e.g. genuine web traffic is
short small transfers, P2P is long-lived flows of continuous high usage

Steve
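
An added example, not part of the original message: a sketch of the flow-duration/throughput heuristic described in the reply above, run over constructed NetFlow-style records. The record layout, thresholds and labels are assumptions; ports are deliberately ignored, so a sustained transfer on port 80 is still flagged.

```python
from collections import defaultdict

# Constructed sample records: (src, dst, dst_port, start_s, end_s, bytes)
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 80, 0, 2, 48_000),
    ("10.0.0.5", "198.51.100.11", 80, 3, 4, 12_000),
    ("10.0.0.5", "198.51.100.12", 443, 10, 13, 90_000),
    ("10.0.0.9", "203.0.113.7", 80, 0, 1800, 540_000_000),     # bulk on port 80
    ("10.0.0.9", "203.0.113.8", 41233, 60, 2400, 700_000_000),  # bulk, random port
    ("10.0.0.9", "198.51.100.10", 80, 100, 101, 20_000),
    ("10.0.0.7", "198.51.100.20", 80, 0, 900, 300_000),         # long-lived but idle
]

# Assumed thresholds; tune them against a baseline of your own traffic.
MIN_DURATION_S = 600      # "long-lived"
MIN_RATE_BPS = 500_000    # "continuous high usage", in bits per second


def is_bulk(flow):
    """True when a flow is both long-lived and sustained at a high rate."""
    _, _, _, start, end, nbytes = flow
    duration = end - start
    if duration < MIN_DURATION_S:
        return False
    return nbytes * 8 / duration >= MIN_RATE_BPS


def classify_hosts(flows, min_share=0.5):
    """Label each source host by the share of its bytes carried in bulk flows."""
    total = defaultdict(int)
    bulk = defaultdict(int)
    for flow in flows:
        src, nbytes = flow[0], flow[5]
        total[src] += nbytes
        if is_bulk(flow):
            bulk[src] += nbytes
    return {
        host: "p2p-like" if total[host] and bulk[host] / total[host] >= min_share
        else "web-like"
        for host in total
    }


if __name__ == "__main__":
    for host, label in sorted(classify_hosts(FLOWS).items()):
        print(host, label)
```

A "p2p-like" label only means sustained bulk transfer; a large legitimate download has the same flow shape, so treat the result as a candidate list rather than a verdict.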

