[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Question about great firewall of China

Asking in a sanity check context.

As you may have heard, Bell Canada has gathered a group called Fairplay
Canada to force all ISPs in Canada to block web sites Fairplay has
decided infringe on copyright.   (ironically, Fairplay is copyright by
Apple, and used without permission :-)

Canada has hundreds of separate ISPs, each using a combination of one or
more transit providers (and there are many that have POPs in Canada).

(so the following question makes it relevant to the NA in NAnog).


Does anyone have "big picture" details on how China implements its
website blocks?

Is this implemented in major trunks that enter China from the outside
world?  Is there a governmenmt onwed transit provider to whom any/all
ISPs must connect (and thus that provider can implemnent the blocks), or
are the blocks performed closer to the edges with ISPs in charge of
implementing them ?

I assume they are some blocked ports, and fake authoritative DNS zone
files to redirect sites like bbc.co.uk to something else?  Would DPI, on
a national scale work to look at HTTP and HTTPS transactions to kill TCP
sessione to IPs where the HTTP transaction has a banned work (such as
"Host: www.bbc.co.uk"


Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet
to detect and slow bittorrent flows down to dialup speeds. When it
started to upgrade its core network to support FTTH in 2010, the upgrade
of the BRAS routers to 10GBPS ports would have required Bell buy a
totally new fleet of DPI boxes and keep buying whenever there were
capacity upgrades. The math favoured increasing capacity instead of
limiting use via DPI throttling, especially since traffic growth was
with youtube and netflix , not bittorrent.

fast forward 7-8 years to today: Is the deployment of dedicated DPI,
capable of wire speed control of individual flows be economically
feasable for wireline internet services? (DOCSIS and FTTH speeds).

When Rogers and Comcast wanted to slow Netflix, underprovisioning links
from the Netflix appliances/CDN is much cheaper than deploying DPI. Just
curious if there is still an apetite for DPI for wireline ISPs that
deploy at modern DOCSIS/FTTH speeds.

Does the rapid move from HTTP to HTTPS render DPI for wire speed live
control useless?  ( I realise that blind collection of netflow data to
be batch processed into billing systems to implement zero rating schemes
is possible with normal routers and may not require dedicated DPI.


In the case of the USA with ISPs slated to become AOL-like information
providers, is there an expectation of widespread deployment of DPI
equipment to "manage" the provision of information, or is the
expectation that the ISPs will focus more on using netflow to impact the
billing system and usage limits?


Or is DPI being deployed anyways to protect the networks from DDOS
attacks, so adding website blocking would be possible?