Session Initiation Protocol (SIP) and Deep Packet Inspection (DPI) have become important to the Lawful Interception (LI) of Voice over IP (VoIP) communications. In the standard PSTN, lawful intercepts were achieved using wire taps and butt sets. In VoIP networks, the VoIP session related to the person of interest must first be identified. As such, the ability to find the information of interest is often compared to finding a needle in a haystack. Deep packet inspection acts as a pre-filter that narrows down the packets of interest so that they can be routed to an LI point.
IP networks mostly use Layer 2/Layer 3 routers and switches. These devices have little or no visibility into the application and service layers, so all IP traffic is classified as belonging to the same application or coming from the same service. Therefore, deep packet inspection at this level is usually performed as a fixed-string search within a packet. On high-speed connections, DPI performed in this manner would fail to maintain line speed. What is required is more intelligent DPI that inspects Layers 2 through 7, is application- and protocol-aware, and understands the eventual flow of the data.
This is where application layer protocols such as SIP can be useful in filtering out the media streams of interest. Being able to establish correlation between the payloads and the data flows can reveal useful information about a target. DPI of SIP messages allows the system to identify the type of service the target is using and the format in which it is packaged, so that the packet can be decoded correctly. For VoIP sessions, DPI of SIP is essential for monitoring scenarios such as session re-negotiations and call forwarding.
SIP security will also be important in next-generation networks because the framework for delivering IP multimedia services is the IP Multimedia Subsystem (IMS). IMS tries to make use of SIP wherever possible. In addition, SIP and DPI can be used as an upper level of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Since SIP has a well-specified format in both the send and receive directions, SIP messages can be inspected for anomalies to identify possible intrusions.
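
The anomaly inspection described above can be sketched as a format check over a single SIP message. This is an added example, not code from the original article: the function name `sip_anomalies` and the sample messages are constructed for illustration, and the mandatory header set is the one RFC 3261 requires (To, From, CSeq, Call-ID, Max-Forwards and Via for requests). It assumes one complete message per call, as in a single UDP datagram.

```python
import re

# Header fields RFC 3261 requires in every request; responses omit Max-Forwards.
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) .*$")

def sip_anomalies(raw: bytes) -> list:
    """Return format anomalies found in one SIP message (empty list = clean)."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header section is not terminated by a blank line"]
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    req = REQUEST_LINE.match(lines[0])
    if not req and not STATUS_LINE.match(lines[0]):
        return ["malformed start line"]
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # folded continuation line, ignored in this sketch
            continue
        name, colon, value = line.partition(":")
        if not colon:
            findings.append("header line without a colon")
            continue
        key = name.strip().lower()
        headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    for name in (REQUIRED if req else REQUIRED[:-1]):
        if name not in headers:
            findings.append("missing mandatory header: " + name)
    cseq = headers.get("cseq", [""])[0].split()
    if cseq and (len(cseq) != 2 or not cseq[0].isdigit()):
        findings.append("malformed CSeq")
    elif cseq and req and cseq[1] != req.group(1):
        findings.append("CSeq method differs from request method")
    clen = headers.get("content-length", [None])[0]
    if clen is not None and (not clen.isdigit() or int(clen) != len(body)):
        findings.append("Content-Length does not match body size")
    return findings

# Constructed sample INVITE (example domains); BAD is a tampered copy of it.
GOOD = b"\r\n".join([b"INVITE sip:bob@example.com SIP/2.0",
    b"Via: SIP/2.0/UDP pc.example.org;branch=z9hG4bK776", b"Max-Forwards: 70",
    b"From: <sip:alice@example.org>;tag=1928", b"To: <sip:bob@example.com>",
    b"Call-ID: a84b4c76e66710", b"CSeq: 314159 INVITE", b"Content-Length: 4",
    b"", b"v=0\n"])
BAD = GOOD.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE").replace(b"Max-Forwards: 70\r\n", b"")
print(sip_anomalies(GOOD), sip_anomalies(BAD))
```

An IDS would treat a non-empty result as one signal among several, since some deployed SIP stacks emit messages that deviate from the specification without being hostile.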