Question about great firewall of China

Ryan Hamel ryan at rkhtech.org
Fri Mar 23 08:15:42 UTC 2018


On Mar 23 2018, at 12:28 am, Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> wrote:
>
> Asking in a sanity check context.
>
> As you may have heard, Bell Canada has gathered a group called Fairplay
> Canada to force all ISPs in Canada to block web sites Fairplay has
> decided infringe on copyright. (ironically, Fairplay is copyrighted by
> Apple, and used without permission :-)
>
> Canada has hundreds of separate ISPs, each using a combination of one or
> more transit providers (and there are many that have POPs in Canada).
>
> (so the following question makes it relevant to the NA in NAnog).
> 1-
> Does anyone have "big picture" details on how China implements its
> website blocks?
>
> Is this implemented in major trunks that enter China from the outside
> world? Is there a government owned transit provider to whom any/all
> ISPs must connect (and thus that provider can implement the blocks), or
> are the blocks performed closer to the edges with ISPs in charge of
> implementing them?
>
> I assume there are some blocked ports, and fake authoritative DNS zone
> files to redirect sites like bbc.co.uk to something else? Would DPI, on
> a national scale, work to look at HTTP and HTTPS transactions to kill TCP
> sessions to IPs where the HTTP transaction has a banned word (such as
> "Host: www.bbc.co.uk")?
>
The state owns China Unicom, China Telecom, and China Mobile, which is what everyone eventually connects into. PCCW is in Hong Kong and is not under the same scrutiny.
A lot of your questions about the great firewall of China can be answered by reading: https://en.wikipedia.org/wiki/Great_Firewall
>
> 2-
> Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet
> to detect and slow bittorrent flows down to dialup speeds. When it
> started to upgrade its core network to support FTTH in 2010, the upgrade
> of the BRAS routers to 10Gbps ports would have required Bell buy a
> totally new fleet of DPI boxes and keep buying whenever there were
> capacity upgrades. The math favoured increasing capacity instead of
> limiting use via DPI throttling, especially since traffic growth was
> with YouTube and Netflix, not bittorrent.
>
>
> fast forward 7-8 years to today: Is the deployment of dedicated DPI,
> capable of wire-speed control of individual flows, economically
> feasible for wireline internet services? (DOCSIS and FTTH speeds).
>
> When Rogers and Comcast wanted to slow Netflix, underprovisioning links
> from the Netflix appliances/CDN is much cheaper than deploying DPI. Just
> curious if there is still an appetite for DPI for wireline ISPs that
> deploy at modern DOCSIS/FTTH speeds.
>
>
> Does the rapid move from HTTP to HTTPS render DPI for wire speed live
> control useless? (I realise that blind collection of netflow data to
> be batch processed into billing systems to implement zero rating schemes
> is possible with normal routers and may not require dedicated DPI.)
>
>
DPI will be useless, but that doesn't mean traffic patterns can't be observed in other ways, resulting in QoS policies being applied at border routers.
> 3-
> In the case of the USA with ISPs slated to become AOL-like information
> providers, is there an expectation of widespread deployment of DPI
> equipment to "manage" the provision of information, or is the
> expectation that the ISPs will focus more on using netflow to impact the
> billing system and usage limits?
>
Netflow is not the only way to get usage stats; one can also measure the tx/rx bit differential at the client-facing interface at set intervals.
> 4-
> Or is DPI being deployed anyways to protect the networks from DDOS
> attacks, so adding website blocking would be possible?
>

I am not sure of any ISP using DPI on inbound to block traffic outbound.
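Added example, not part of the thread or anyone's posted code. Question 2 above asks whether the move to HTTPS makes wire-speed DPI useless. The plaintext "Host:" header does disappear, but in TLS 1.2 and TLS 1.3 the ClientHello still carries the destination name in clear in the SNI extension (RFC 6066), so a middlebox that used to key on "Host: www.bbc.co.uk" can key on SNI instead, on the very first client packet of the flow. The Python below constructs a minimal ClientHello (synthetic, not a capture), extracts the SNI from it, extracts the Host header from a plaintext request the same way, and applies a parent-domain blocklist check. The blocklist entries and hostnames are made up for illustration.

```python
import struct
from typing import Iterable, Optional

# Constructed sample data, not a real list: blocklist entries used only for illustration.
BLOCKLIST = {"bbc.co.uk", "example.org"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS handshake record carrying a ClientHello with one SNI entry.
    Test input only; a real client sends many more cipher suites and extensions."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2 (TLS 1.3 also puts 0x0303 here)
        + bytes(32)               # random: zeros in this constructed sample
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType 22


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None.
    Walks the fixed-layout fields the way a DPI engine would; any truncation yields None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:            # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                       # record hdr + handshake hdr + version + random
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        if pos >= len(record):
            return None                                        # no extensions block at all
        ext_total = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type != 0x0000:
                pos += ext_len
                continue
            list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
            p = pos + 2
            while p + 3 <= list_end:
                name_type = record[p]
                name_len = struct.unpack_from("!H", record, p + 1)[0]
                p += 3
                if name_type == 0:
                    return record[p:p + name_len].decode("ascii").lower()
                p += name_len
            return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def extract_http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, or None (the pre-HTTPS DPI key)."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                                            # headers not complete in this segment
    for line in head.split(b"\r\n")[1:]:                       # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").rsplit(":", 1)[0].lower()
    return None


def matches_blocklist(name: Optional[str], blocklist: Iterable[str]) -> bool:
    """Exact or parent-domain match: news.bbc.co.uk matches a bbc.co.uk entry, notbbc.co.uk does not."""
    if not name:
        return False
    name = name.rstrip(".").lower()
    return any(name == b or name.endswith("." + b) for b in blocklist)


def should_reset(payload: bytes, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """Decision a Host/SNI-keyed middlebox makes on the first client payload of a flow."""
    name = extract_sni(payload) if payload[:1] == b"\x16" else extract_http_host(payload)
    return matches_blocklist(name, blocklist)


if __name__ == "__main__":
    for payload in (build_client_hello("www.bbc.co.uk"),
                    b"GET / HTTP/1.1\r\nHost: www.bbc.co.uk\r\n\r\n",
                    build_client_hello("www.nanog.org")):
        print(extract_sni(payload) or extract_http_host(payload), should_reset(payload))
```

The point for the thread: HTTPS hides the URL path and the response, but not the name the client asks for, so a box that was already doing Host-header matching needs only a slightly different parser, not a different capability. The only thing that takes the name out of the ClientHello is Encrypted Client Hello, which is still a draft, and even then the destination IP and the TLS fingerprint remain visible.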

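Added example, not part of the thread or anyone's posted code. Ryan's answer to question 3 is that usage can be measured from the tx/rx counters on the client-facing interface at set intervals. That is straightforward until the counters wrap, and the 10Gbps ports mentioned earlier in the thread are exactly where it bites: a 32-bit octet counter wraps every ~3.4 seconds at 10 Gbit/s, so with any realistic poll interval the delta is undefined and only 64-bit (ifHC) counters are usable. The Python below accumulates usage from periodic counter samples, corrects a single wrap, refuses intervals where more than one wrap was possible, and treats a "wrap" larger than the line could carry as a counter reset (reboot or cleared counters). The sample readings are constructed; the SNMP polling itself is out of scope here.

```python
from typing import Dict, List, Tuple

# Constructed samples, not real telemetry: (poll time in seconds, ifInOctets, ifOutOctets)
# as read from the subscriber-facing interface. On that port "in" is the subscriber's
# upload and "out" is their download.
Sample = Tuple[float, int, int]


def octet_delta(prev: int, curr: int, width: int) -> int:
    """Difference between two readings of a monotonically increasing SNMP counter,
    assuming it wrapped at most once (Counter32: width=32, Counter64: width=64)."""
    if curr >= prev:
        return curr - prev
    return (1 << width) - prev + curr


def wrap_ambiguous(interval_s: float, line_rate_bps: int, width: int) -> bool:
    """True if the interface could have pushed 2**width octets or more between polls,
    so the single-wrap correction above is not enough and the delta is undefined."""
    return interval_s * line_rate_bps / 8 >= (1 << width)


def counter_delta(prev: int, curr: int, interval_s: float, line_rate_bps: int, width: int) -> int:
    """Wrap-corrected delta, with a plausibility check: a delta the line could not have
    carried in interval_s means the counter was reset, not wrapped. Heuristic: count the
    octets accumulated since the reset (curr), which under-counts rather than over-bills."""
    d = octet_delta(prev, curr, width)
    if d > interval_s * line_rate_bps / 8:
        return curr
    return d


def subscriber_usage(samples: List[Sample], line_rate_bps: int, width: int = 64) -> Dict:
    """Accumulate octets and per-interval bit rates from periodic counter polls.
    Intervals whose counters may have wrapped more than once are flagged, not counted."""
    total_in = total_out = 0
    intervals = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be in increasing time order")
        if wrap_ambiguous(dt, line_rate_bps, width):
            intervals.append({"t": t1, "valid": False})
            continue
        d_in = counter_delta(in0, in1, dt, line_rate_bps, width)
        d_out = counter_delta(out0, out1, dt, line_rate_bps, width)
        total_in += d_in
        total_out += d_out
        intervals.append({"t": t1, "valid": True,
                          "in_bps": d_in * 8 / dt, "out_bps": d_out * 8 / dt})
    return {"in_octets": total_in, "out_octets": total_out, "intervals": intervals}


if __name__ == "__main__":
    # Counter32 on a 100 Mbit/s port, polled every 10 s, wrapping once between polls: fine.
    print(subscriber_usage([(0, 2**32 - 1000, 10), (10, 500, 20)], 100_000_000, width=32))
    # Counter32 on a 10 Gbit/s port, polled every 300 s: every interval is unusable.
    print(subscriber_usage([(0, 1, 1), (300, 2, 2)], 10_000_000_000, width=32))
```

If a billing or zero-rating system is fed from these deltas, the two checks are what keep a reboot or an unnoticed Counter32 wrap from turning into a multi-terabyte line item on a subscriber's bill.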
