Question about great firewall of China
Asking in a sanity check context. As you may have heard, Bell Canada has gathered a group called Fairplay Canada to force all ISPs in Canada to block web sites Fairplay has decided infringe on copyright. (ironically, Fairplay is copyright by Apple, and used without permission :-) Canada has hundreds of separate ISPs, each using a combination of one or more transit providers (and there are many that have POPs in Canada). (so the following question makes it relevant to the NA in NAnog). 1- Does anyone have "big picture" details on how China implements its website blocks? Is this implemented in major trunks that enter China from the outside world? Is there a governmenmt onwed transit provider to whom any/all ISPs must connect (and thus that provider can implemnent the blocks), or are the blocks performed closer to the edges with ISPs in charge of implementing them ? I assume they are some blocked ports, and fake authoritative DNS zone files to redirect sites like bbc.co.uk to something else? Would DPI, on a national scale work to look at HTTP and HTTPS transactions to kill TCP sessione to IPs where the HTTP transaction has a banned work (such as "Host: www.bbc.co.uk" 2- Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet to detect and slow bittorrent flows down to dialup speeds. When it started to upgrade its core network to support FTTH in 2010, the upgrade of the BRAS routers to 10GBPS ports would have required Bell buy a totally new fleet of DPI boxes and keep buying whenever there were capacity upgrades. The math favoured increasing capacity instead of limiting use via DPI throttling, especially since traffic growth was with youtube and netflix , not bittorrent. fast forward 7-8 years to today: Is the deployment of dedicated DPI, capable of wire speed control of individual flows be economically feasable for wireline internet services? (DOCSIS and FTTH speeds). When Rogers and Comcast wanted to slow Netflix, underprovisioning links from the Netflix appliances/CDN is much cheaper than deploying DPI. Just curious if there is still an apetite for DPI for wireline ISPs that deploy at modern DOCSIS/FTTH speeds. Does the rapid move from HTTP to HTTPS render DPI for wire speed live control useless? ( I realise that blind collection of netflow data to be batch processed into billing systems to implement zero rating schemes is possible with normal routers and may not require dedicated DPI. 3- In the case of the USA with ISPs slated to become AOL-like information providers, is there an expectation of widespread deployment of DPI equipment to "manage" the provision of information, or is the expectation that the ISPs will focus more on using netflow to impact the billing system and usage limits? 4- Or is DPI being deployed anyways to protect the networks from DDOS attacks, so adding website blocking would be possible?
On Mar 23 2018, at 12:28 am, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
Asking in a sanity check context.
As you may have heard, Bell Canada has gathered a group called Fairplay Canada to force all ISPs in Canada to block web sites Fairplay has decided infringe on copyright. (ironically, Fairplay is copyright by Apple, and used without permission :-)
Canada has hundreds of separate ISPs, each using a combination of one or more transit providers (and there are many that have POPs in Canada).
(so the following question makes it relevant to the NA in NAnog). 1- Does anyone have "big picture" details on how China implements its website blocks?
Is this implemented in major trunks that enter China from the outside world? Is there a governmenmt onwed transit provider to whom any/all ISPs must connect (and thus that provider can implemnent the blocks), or are the blocks performed closer to the edges with ISPs in charge of implementing them ?
I assume they are some blocked ports, and fake authoritative DNS zone files to redirect sites like bbc.co.uk to something else? Would DPI, on a national scale work to look at HTTP and HTTPS transactions to kill TCP sessione to IPs where the HTTP transaction has a banned work (such as "Host: www.bbc.co.uk"
The state owns China Unicom, China Telecom, and China Mobile, which is what everyone eventually connects into. PCCW is in Hong Kong and is not under the same scruitiny. A lot of your questions about the great firewall of China can be answered by reading: https://en.wikipedia.org/wiki/Great_Firewall (https://link.getmailspring.com/link/local-56496eae-d14e-v1.1.4-22d9f20d@RKHTech-Laptop/0?redirect=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FGreat_Firewall&recipient=Nanog%40nanog.org)
2- Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet to detect and slow bittorrent flows down to dialup speeds. When it started to upgrade its core network to support FTTH in 2010, the upgrade of the BRAS routers to 10GBPS ports would have required Bell buy a totally new fleet of DPI boxes and keep buying whenever there were capacity upgrades. The math favoured increasing capacity instead of limiting use via DPI throttling, especially since traffic growth was with youtube and netflix , not bittorrent.
fast forward 7-8 years to today: Is the deployment of dedicated DPI, capable of wire speed control of individual flows be economically feasable for wireline internet services? (DOCSIS and FTTH speeds).
When Rogers and Comcast wanted to slow Netflix, underprovisioning links from the Netflix appliances/CDN is much cheaper than deploying DPI. Just curious if there is still an apetite for DPI for wireline ISPs that deploy at modern DOCSIS/FTTH speeds.
Does the rapid move from HTTP to HTTPS render DPI for wire speed live control useless? ( I realise that blind collection of netflow data to be batch processed into billing systems to implement zero rating schemes is possible with normal routers and may not require dedicated DPI.
DPI will be useless, but that doesn't mean traffic patterns can be observed in other ways, resulting in QoS policies being applied at border routers.
3- In the case of the USA with ISPs slated to become AOL-like information providers, is there an expectation of widespread deployment of DPI equipment to "manage" the provision of information, or is the expectation that the ISPs will focus more on using netflow to impact the billing system and usage limits?
Netflow is not the only way to get usage stats, one can also measure the tx/rx bit differentiation at client facing interface with set intervals.
4- Or is DPI being deployed anyways to protect the networks from DDOS attacks, so adding website blocking would be possible?
I am not sure of any ISP using DPI on inbound to block traffic outbound.
3-
In the case of the USA with ISPs slated to become AOL-like information providers, is there an expectation of widespread deployment of DPI equipment to "manage" the provision of information, or is the expectation that the ISPs will focus more on using netflow to impact the billing system and usage limits?
No
4-
Or is DPI being deployed anyways to protect the networks from DDOS attacks, so adding website blocking would be possible?
Also, no.
re: Nation-level controls, the Sandvine report from Citizen Labs can add some context and real world examples: https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-depl... Also discusses http vs. https things. -- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal On Fri 2018-Mar-23 03:28:59 -0400, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
Asking in a sanity check context.
As you may have heard, Bell Canada has gathered a group called Fairplay Canada to force all ISPs in Canada to block web sites Fairplay has decided infringe on copyright. (ironically, Fairplay is copyright by Apple, and used without permission :-)
Canada has hundreds of separate ISPs, each using a combination of one or more transit providers (and there are many that have POPs in Canada).
(so the following question makes it relevant to the NA in NAnog).
1-
Does anyone have "big picture" details on how China implements its website blocks?
Is this implemented in major trunks that enter China from the outside world? Is there a governmenmt onwed transit provider to whom any/all ISPs must connect (and thus that provider can implemnent the blocks), or are the blocks performed closer to the edges with ISPs in charge of implementing them ?
I assume they are some blocked ports, and fake authoritative DNS zone files to redirect sites like bbc.co.uk to something else? Would DPI, on a national scale work to look at HTTP and HTTPS transactions to kill TCP sessione to IPs where the HTTP transaction has a banned work (such as "Host: www.bbc.co.uk"
2-
Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet to detect and slow bittorrent flows down to dialup speeds. When it started to upgrade its core network to support FTTH in 2010, the upgrade of the BRAS routers to 10GBPS ports would have required Bell buy a totally new fleet of DPI boxes and keep buying whenever there were capacity upgrades. The math favoured increasing capacity instead of limiting use via DPI throttling, especially since traffic growth was with youtube and netflix , not bittorrent.
fast forward 7-8 years to today: Is the deployment of dedicated DPI, capable of wire speed control of individual flows be economically feasable for wireline internet services? (DOCSIS and FTTH speeds).
When Rogers and Comcast wanted to slow Netflix, underprovisioning links from the Netflix appliances/CDN is much cheaper than deploying DPI. Just curious if there is still an apetite for DPI for wireline ISPs that deploy at modern DOCSIS/FTTH speeds.
Does the rapid move from HTTP to HTTPS render DPI for wire speed live control useless? ( I realise that blind collection of netflow data to be batch processed into billing systems to implement zero rating schemes is possible with normal routers and may not require dedicated DPI.
3-
In the case of the USA with ISPs slated to become AOL-like information providers, is there an expectation of widespread deployment of DPI equipment to "manage" the provision of information, or is the expectation that the ISPs will focus more on using netflow to impact the billing system and usage limits?
4-
Or is DPI being deployed anyways to protect the networks from DDOS attacks, so adding website blocking would be possible?
participants (4)
-
Ca By
-
Hugo Slabbert
-
Jean-Francois Mezei
-
Ryan Hamel