
Question about great firewall of China

re: Nation-level controls, the Sandvine report from Citizen Labs can add 
some context and real world examples:


Also discusses http vs. https things.

Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal

On Fri 2018-Mar-23 03:28:59 -0400, Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> wrote:

>Asking in a sanity check context.
>
>As you may have heard, Bell Canada has gathered a group called Fairplay
>Canada to force all ISPs in Canada to block web sites Fairplay has
>decided infringe on copyright. (ironically, Fairplay is copyright by
>Apple, and used without permission :-)
>
>Canada has hundreds of separate ISPs, each using a combination of one or
>more transit providers (and there are many that have POPs in Canada).
>(so the following question makes it relevant to the NA in NAnog).
>
>Does anyone have "big picture" details on how China implements its
>website blocks?
>
>Is this implemented in major trunks that enter China from the outside
>world? Is there a government owned transit provider to whom any/all
>ISPs must connect (and thus that provider can implement the blocks), or
>are the blocks performed closer to the edges with ISPs in charge of
>implementing them?
>
>I assume they are some blocked ports, and fake authoritative DNS zone
>files to redirect sites like bbc.co.uk to something else? Would DPI, on
>a national scale work to look at HTTP and HTTPS transactions to kill TCP
>sessions to IPs where the HTTP transaction has a banned word (such as
>"Host: www.bbc.co.uk")
>
>Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet
>to detect and slow bittorrent flows down to dialup speeds. When it
>started to upgrade its core network to support FTTH in 2010, the upgrade
>of the BRAS routers to 10GBPS ports would have required Bell buy a
>totally new fleet of DPI boxes and keep buying whenever there were
>capacity upgrades. The math favoured increasing capacity instead of
>limiting use via DPI throttling, especially since traffic growth was
>with youtube and netflix, not bittorrent.
>
>fast forward 7-8 years to today: Is the deployment of dedicated DPI,
>capable of wire speed control of individual flows, economically
>feasible for wireline internet services? (DOCSIS and FTTH speeds).
>
>When Rogers and Comcast wanted to slow Netflix, underprovisioning links
>from the Netflix appliances/CDN is much cheaper than deploying DPI. Just
>curious if there is still an appetite for DPI for wireline ISPs that
>deploy at modern DOCSIS/FTTH speeds.
>
>Does the rapid move from HTTP to HTTPS render DPI for wire speed live
>control useless? (I realise that blind collection of netflow data to
>be batch processed into billing systems to implement zero rating schemes
>is possible with normal routers and may not require dedicated DPI.)
>
>In the case of the USA with ISPs slated to become AOL-like information
>providers, is there an expectation of widespread deployment of DPI
>equipment to "manage" the provision of information, or is the
>expectation that the ISPs will focus more on using netflow to impact the
>billing system and usage limits?
>
>Or is DPI being deployed anyways to protect the networks from DDOS
>attacks, so adding website blocking would be possible?
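On the HTTP vs. HTTPS question in the quoted message, here is an added example (not from this thread or any cited report) of what a passive inspection point can read for the destination name: the Host header of a plaintext HTTP request, versus only the server_name (SNI) field of a TLS ClientHello, since with HTTPS the Host header itself travels inside the encrypted stream. The sample request and the ClientHello built by the helper are constructed inputs; real captures would be walked the same way.

```python
import struct
from typing import Optional

HTTP_REQUEST = b"GET /news HTTP/1.1\r\nHost: www.bbc.co.uk\r\nAccept: */*\r\n\r\n"  # constructed sample

def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, or None if absent."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record; malformed or truncated input yields None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:       # handshake record carrying a ClientHello
            return None
        p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:                              # walk the extensions
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == 0:                               # server_name extension
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = record[q], struct.unpack_from("!H", record, q + 1)[0]
                    if ntype == 0:                       # name_type host_name
                        return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):
        pass
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one SNI entry (sample input, not a capture)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)                     # version, random, sid, suites, comp
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs         # TLS record header
```

Without Encrypted Client Hello, the SNI name stays readable in TLS 1.2 and 1.3 alike, which is why moving to HTTPS hides paths and content from an inspection point but not, by itself, the server name.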