ISP/VPN's to China?
Alexander Harrowell
a.harrowell at gmail.com
Thu Oct 22 12:14:19 UTC 2009
On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
> On Thu, 22 Oct 2009, Alex Balashov wrote:
> | Understood. I guess the angle I was going more for was: Is this
> | actually practical to do in a country with almost as many Internet users
> | as the US has people?
> |
> | I had always assumed that broad policies and ACLs work in China, but most
> | forms of DPI and traffic pattern analysis aren't practical simply for
> | computational feasibility reasons. Not unless the system were highly
> | distributed.
>
> Perhaps they only need make an example of a few, and thus introduce an
> element of fear for everyone else.
I had always assumed that the Gt. Firewall, and especially the fake RST
element of it, existed precisely to let the geeks and weirdos stand out of the
naive traffic so they could be subjected to special treatment.
Similarly, this is the approach the Iranians seem to have taken after their
disputed election - although there isn't a telco monopoly, there's a wholesale
transit monopoly, and they just had the transit provider rate-limit everyone.
My understanding of this was that "normal" users would give up and do
something else, and only people who really wanted to reach the outside world
or each other - i.e. potential subversives - would keep trying. Therefore,
not only would the volume of traffic to DPI, proxy etc be lower, but the
concentration of suspect traffic in it would be higher.
From this point of view, I suppose there's some value in using an IPSec or SSL
VPN, because that's what corporate traveller applications tend to use and
they'll therefore never cut it off. I mean, are you suggesting that the
assistant party secretary of Wuhan won't be able to log into CommunistSpace
(Iike Facebook with Chinese characteristics) while he's on the road?
Unthinkable!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20091022/6133bad5/attachment.sig>
More information about the NANOG
mailing list