re: Nation-level controls, the Sandvine report from Citizen Labs can add some context and real world examples: https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-depl... Also discusses http vs. https things.

--
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal

On Fri 2018-Mar-23 03:28:59 -0400, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
Asking in a sanity check context.
As you may have heard, Bell Canada has gathered a group called Fairplay Canada to force all ISPs in Canada to block web sites Fairplay has decided infringe on copyright. (Ironically, Fairplay is copyrighted by Apple, and used without permission :-)
Canada has hundreds of separate ISPs, each using a combination of one or more transit providers (and there are many that have POPs in Canada).
(So the following question makes it relevant to the NA in NAnog.)
1-
Does anyone have "big picture" details on how China implements its website blocks?
Is this implemented in major trunks that enter China from the outside world? Is there a government-owned transit provider to whom any/all ISPs must connect (and thus that provider can implement the blocks), or are the blocks performed closer to the edges with ISPs in charge of implementing them?
I assume there are some blocked ports, and fake authoritative DNS zone files to redirect sites like bbc.co.uk to something else? Would DPI, on a national scale, work to look at HTTP and HTTPS transactions to kill TCP sessions to IPs where the HTTP transaction has a banned word (such as "Host: www.bbc.co.uk")?
2-
Bell Canada used to use DPI on 1Gbps Ellacoya on its wireline Internet to detect and slow bittorrent flows down to dialup speeds. When it started to upgrade its core network to support FTTH in 2010, the upgrade of the BRAS routers to 10Gbps ports would have required Bell to buy a totally new fleet of DPI boxes and keep buying whenever there were capacity upgrades. The math favoured increasing capacity instead of limiting use via DPI throttling, especially since traffic growth was with YouTube and Netflix, not bittorrent.
Fast forward 7-8 years to today: is the deployment of dedicated DPI, capable of wire-speed control of individual flows, economically feasible for wireline Internet services (DOCSIS and FTTH speeds)?
When Rogers and Comcast wanted to slow Netflix, underprovisioning links from the Netflix appliances/CDN was much cheaper than deploying DPI. Just curious if there is still an appetite for DPI for wireline ISPs that deploy at modern DOCSIS/FTTH speeds.
Does the rapid move from HTTP to HTTPS render DPI for wire-speed live control useless? (I realise that blind collection of netflow data to be batch-processed into billing systems to implement zero-rating schemes is possible with normal routers and may not require dedicated DPI.)
3-
In the case of the USA with ISPs slated to become AOL-like information providers, is there an expectation of widespread deployment of DPI equipment to "manage" the provision of information, or is the expectation that the ISPs will focus more on using netflow to impact the billing system and usage limits?
4-
Or is DPI being deployed anyway to protect the networks from DDoS attacks, so adding website blocking would be possible?
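An added illustration, not from this thread or from the Citizen Lab report, of the HTTP vs. HTTPS point raised in the quoted question: a passive inspection point can read the Host header from a plaintext HTTP request, while for HTTPS it sees only the ClientHello, whose SNI extension still carries the server name (absent Encrypted Client Hello) but nothing of the encrypted request that follows. The ClientHello builder and the HTTP request used in the checks are constructed sample inputs, not captured traffic.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only).
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"             # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def http_host(payload: bytes):
    # Plaintext HTTP: the request line and every header, Host included, are readable.
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not head[0].split(b" ")[-1].startswith(b"HTTP/"):
        return None
    for key, _, value in (line.partition(b":") for line in head[1:]):
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(payload: bytes):
    # TLS: only the ClientHello is in the clear; its SNI extension names the server.
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 43                                             # record hdr 5 + hs hdr 4 + version 2 + random 32
        p += 1 + payload[p]                                # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher_suites
        p += 1 + payload[p]                                # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                 # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                               # truncated or malformed ClientHello
    return None

def visible_name(payload: bytes):
    # What a passive inspection point can read from a flow's first client bytes.
    host, sni = http_host(payload), tls_sni(payload)
    return ("http-host", host) if host else ("tls-sni", sni) if sni else None
```

Once the handshake completes, TLS application-data records (type 0x17) carry nothing this parser can read, which is the limit the Host-header style of matching runs into on HTTPS.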