I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great Firewall of China'. I talked to a China Telecom rep in the US who says that the network congestion even in China makes VPNs difficult. From their website, I see that the majority of the country is using xDSL, or 2MB dedicated lines. Can anyone shed any light on this topic? Thanks!
chris@chrisserafin.com
I travel to China at least once a year, often several times. I generally visit major cities like Shanghai and Beijing, but have been to a number of other cities. I generally use Cisco VPN (an IPsec VPN) to Cisco DMZs in Tokyo or Hong Kong for business purposes. As with hotels in other parts of the world, congestive interference depends a lot on the hotel and what the person you're competing with is doing. I can tell you a few horror stories if you're amused by them, but in recent years things have been improving.
On Oct 21, 2009, at 10:56 AM, ChrisSerafin wrote:
I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great Firewall of China'.
I talked to a China Telecom rep in the US who says that the network congestion even in China makes VPNs difficult. From their website, I see that the majority of the country is using xDSL, or 2MB dedicated lines.
Can anyone shed any light on this topic? Thanks!
chris@chrisserafin.com
At 02:16 PM 10/21/2009, Fred Baker wrote:
I travel to China at least once a year, often several times. I generally visit major cities like Shanghai and Beijing, but have been to a number of other cities. I generally use Cisco VPN (an IPsec VPN) to Cisco DMZs in Tokyo or Hong Kong for business purposes. As with hotels in other parts of the world, congestive interference depends a lot on the hotel and what the person you're competing with is doing. I can tell you a few horror stories if you're amused by them, but in recent years things have been improving.
I use the Cisco WebVPN (AnyConnect) client and I have yet to find a place in China where it doesn't work perfectly - even in rural areas, but not so rural that they don't have Internet access. However, if you try to do many "normal" things outside of the VPN connection - check certain news sites, log on to Facebook or watch a video on YouTube - you won't be able to do so.
-Robert
Tellurian Networks - A Perot Systems Company
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
OpenVPN is ideal. It functions purely over application-level UDP transport (IP-IP) instead of using GRE/IPSec/other encapsulation protocols that could potentially be blocked by a protocol filter on a router. Route that traffic to a server outside of China and NAT it out to the rest of the Internet. The default port is UDP 1194, but can easily be changed. Anyone who wants to block it risks blocking any applications that use UDP in general, such as online games, Skype, etc. It is precisely because the traffic has no signature distinguishable from normal application traffic - aside from the fact that the payload is encrypted - that it makes a good fit. It's also open-source and free.
-- Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Fred Baker wrote:
On Oct 21, 2009, at 4:36 PM, Alex Balashov wrote:
It is precisely because the traffic has no signature distinguishable from normal application traffic
oh my goodness. You're behind on your reading...
I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number.
-- Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
On Wed, Oct 21, 2009, Alex Balashov wrote:
oh my goodness. You're behind on your reading...
I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number.
You don't think that statistical analysis of traffic patterns of your UDP traffic wouldn't identify it as a likely tunnel? :)
Adrian
I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope. Tell me more?
-- Sent from mobile device
On Oct 21, 2009, at 9:27 PM, Adrian Chadd <adrian@creative.net.au> wrote:
On Wed, Oct 21, 2009, Alex Balashov wrote:
oh my goodness. You're behind on your reading...
I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number.
You don't think that statistical analysis of traffic patterns of your UDP traffic wouldn't identify it as a likely tunnel? :)
Adrian
On Wed, Oct 21, 2009, Alex Balashov wrote:
I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope.
Tell me more?
It's been a while since I tinkered with this for fun, but a quick abuse of Google gives one relatively useful starting paper: http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf Now, if you were getting multiple overlapping fingerprints inside a UDP packet stream you may conclude that it is a VPN tunnel of some sort. Just randomly padding the tunnel with a few bytes either side will probably just fuzz the classifier somewhat. Aggregating the packets up into larger packets may fuzz the classification methods but it certainly won't make the traffic look like "something else". It'll likely still stick out as being "different". :)
Adrian
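A minimal packet-size fingerprint classifier of the kind Adrian describes, added here as an example for the thread (it is not code from the thread or from the Crotti et al. paper): reference "shapes" are learned from single-application flows, and a UDP stream that multiplexes several applications matches none of them, with or without random padding. The three application flows, the 41-byte encapsulation overhead and the 0.35 match threshold are constructed assumptions.

```python
import random
from collections import Counter

BIN = 64       # payload sizes are bucketed into 64-byte bins
OVERHEAD = 41  # assumed per-packet tunnel encapsulation overhead (bytes)


def fingerprint(sizes):
    """Normalized histogram of packet sizes: the flow's size 'shape'."""
    counts = Counter(s // BIN for s in sizes)
    return {b: c / len(sizes) for b, c in counts.items()}


def distance(fp_a, fp_b):
    """Total-variation distance between two fingerprints, in [0, 1]."""
    bins = set(fp_a) | set(fp_b)
    return 0.5 * sum(abs(fp_a.get(b, 0.0) - fp_b.get(b, 0.0)) for b in bins)


def classify(sizes, references, threshold=0.35):
    """Nearest reference protocol, or 'unknown' when no fingerprint is close."""
    fp = fingerprint(sizes)
    scores = {name: distance(fp, ref) for name, ref in references.items()}
    best = min(scores, key=scores.get)
    label = best if scores[best] <= threshold else "unknown"
    return label, round(scores[best], 3)


# Constructed sample flows (not captures): UDP payload sizes, 200 packets each.
def make_voip(n=200):  # constant-bitrate codec: every packet the same size
    return [172] * n

def make_dns(n=200):   # small queries alternating with larger answers
    return [60, 120] * (n // 2)

def make_web(n=200):   # one small request, then a burst of full-size packets
    return ([80] + [1400] * 9) * (n // 10)

def make_tunnel():     # all three applications multiplexed into one UDP flow
    mixed = [s for trio in zip(make_voip(), make_dns(), make_web()) for s in trio]
    return [s + OVERHEAD for s in mixed]

def pad(sizes, seed=1):  # random 0-15 bytes of padding, as the thread suggests
    rng = random.Random(seed)
    return [s + rng.randrange(16) for s in sizes]

REFERENCES = {"voip": fingerprint(make_voip()),
              "dns": fingerprint(make_dns()),
              "web": fingerprint(make_web())}

if __name__ == "__main__":
    for name, flow in [("voip", make_voip()), ("tunnel", make_tunnel()),
                       ("padded tunnel", pad(make_tunnel()))]:
        print(name, "->", classify(flow, REFERENCES))
```

The plain flows score a distance of 0 against their own reference, while the tunnel sits at 0.8 or more from every reference, padded or not, which is why it is flagged as unknown rather than mistaken for another application.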
Adrian Chadd writes:
On Wed, Oct 21, 2009, Alex Balashov wrote:
I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope.
Tell me more?
It's been a while since I tinkered with this for fun, but a quick abuse of google gives one relatively useful starting paper:
A lot of research papers on what is or isn't possible in traffic analysis are linked from http://freehaven.net/anonbib/topic.html#Traffic_20analysis This bibliography is updated periodically. It's a pretty big, complex topic, and the open literature could use lots more publications.
-- Seth David Schoen <schoen@loyalty.org> | What an easy task, not to think of
http://www.loyalty.org/~schoen/ | a tiger, I reflected.
http://vitanuova.loyalty.org/ | -- Borges, El Zahir
They exist and for certain applications are pretty effective.
On Oct 21, 2009, at 6:47 PM, Alex Balashov wrote:
I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope.
Tell me more?
-- Sent from mobile device
On Oct 21, 2009, at 9:27 PM, Adrian Chadd <adrian@creative.net.au> wrote:
On Wed, Oct 21, 2009, Alex Balashov wrote:
oh my goodness. You're behind on your reading...
I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number.
You don't think that statistical analysis of traffic patterns of your UDP traffic wouldn't identify it as a likely tunnel? :)
Adrian
On Wed, 21 Oct 2009, Alex Balashov wrote:
| I was not aware that tools or techniques to do this are widespread or highly
| functional in a way that would get them adopted in an Internet access control
| application of a national scope.
Doesn't necessarily have to be hugely accurate. The authorities could simply identify a few likely suspect tunnels, then knock on doors and ask you to explain what the traffic in question is...
Chris Edwards wrote:
Doesn't necessarily have to be hugely accurate. The authorities could simply identify a few likely suspect tunnels, then knock on doors and ask you to explain what the traffic in question is...
Understood. I guess the angle I was going more for was: Is this actually practical to do in a country with almost as many Internet users as the US has people? I had always assumed that broad policies and ACLs work in China, but most forms of DPI and traffic pattern analysis aren't practical simply for computational feasibility reasons. Not unless the system were highly distributed.
-- Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
On Thu, 22 Oct 2009, Alex Balashov wrote:
| Understood. I guess the angle I was going more for was: Is this actually
| practical to do in a country with almost as many Internet users as the US has
| people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.
Perhaps they only need make an example of a few, and thus introduce an element of fear for everyone else.
On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
On Thu, 22 Oct 2009, Alex Balashov wrote:
| Understood. I guess the angle I was going more for was: Is this
| actually practical to do in a country with almost as many Internet users
| as the US has people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.
Perhaps they only need make an example of a few, and thus introduce an element of fear for everyone else.
I had always assumed that the Gt. Firewall, and especially the fake RST element of it, existed precisely to let the geeks and weirdos stand out of the naive traffic so they could be subjected to special treatment. Similarly, this is the approach the Iranians seem to have taken after their disputed election - although there isn't a telco monopoly, there's a wholesale transit monopoly, and they just had the transit provider rate-limit everyone. My understanding of this was that "normal" users would give up and do something else, and only people who really wanted to reach the outside world or each other - i.e. potential subversives - would keep trying. Therefore, not only would the volume of traffic to DPI, proxy etc. be lower, but the concentration of suspect traffic in it would be higher. From this point of view, I suppose there's some value in using an IPSec or SSL VPN, because that's what corporate traveller applications tend to use and they'll therefore never cut it off. I mean, are you suggesting that the assistant party secretary of Wuhan won't be able to log into CommunistSpace (like Facebook with Chinese characteristics) while he's on the road? Unthinkable!
On Oct 22, 2009, at 8:14 AM, Alexander Harrowell wrote:
On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
On Thu, 22 Oct 2009, Alex Balashov wrote:
| Understood. I guess the angle I was going more for was: Is this
| actually practical to do in a country with almost as many Internet users
| as the US has people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.
Perhaps they only need make an example of a few, and thus introduce an element of fear for everyone else.
I had always assumed that the Gt. Firewall, and especially the fake RST element of it, existed precisely to let the geeks and weirdos stand out of the naive traffic so they could be subjected to special treatment.
Similarly, this is the approach the Iranians seem to have taken after their disputed election - although there isn't a telco monopoly, there's a wholesale transit monopoly, and they just had the transit provider rate-limit everyone. My understanding of this was that "normal" users would give up and do something else, and only people who really wanted to reach the outside world or each other - i.e. potential subversives - would keep trying. Therefore, not only would the volume of traffic to DPI, proxy etc. be lower, but the concentration of suspect traffic in it would be higher.
From this point of view, I suppose there's some value in using an IPSec or SSL VPN, because that's what corporate traveller applications tend to use and they'll therefore never cut it off. I mean, are you suggesting that the assistant party secretary of Wuhan won't be able to log into CommunistSpace (like Facebook with Chinese characteristics) while he's on the road? Unthinkable!
Generally speaking, the definition of "corporate traveller applications" in such cases == "Whatever anyone tries to do from the following specific address ranges, which are known to be accessible exclusively inside certain international hotels, exclusively to users who are willing to pay the equivalent of 1-2 weeks of avg. local income for the privilege."
TV
On Oct 22, 2009, at 7:38 AM, Chris Edwards wrote:
On Thu, 22 Oct 2009, Alex Balashov wrote:
| Understood. I guess the angle I was going more for was: Is this actually
| practical to do in a country with almost as many Internet users as the US has
| people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.
Perhaps they only need make an example of a few, and thus introduce an element of fear for everyone else.
Not "a few," but rather quite a lot, albeit only infrequently, and at unpredictable intervals, with a very high inclusion/exclusion error rate -- an artifact of the absence of a clear and easily demonstrable line between compliance/non-compliance (which is itself an artifact of the 内部 [internally published only] nature of many of the related rules).
http://www.usc.cuhk.edu.hk/wk_wzdetails.asp?id=2791
www.usc.cuhk.edu.hk/webmanager/wkfiles/2791_1_paper.pdf
TV
Hi,
if you're talking about Mainland China in general (not Hong Kong specifically), indeed IPSEC VPN may not provide the desired level of service. During the time I spent there, we opted for:
- CNC MPLS for 4 sites in China
- Equant MPLS between Beijing and other worldwide sites
- Then replaced Equant, at high price, by Verizon MPLS in order to connect worldwide sites through Pacific links instead of the Suez Canal
- Then replaced Verizon by higher-bandwidth Equant MPLS because Verizon's service was seriously bad. Not the link, but the service around it.
At that time, Verizon used China Telecom as contractor, and I think Equant used CNC. Not sure about that, though.
Between each site (Beijing to three others in China, and Beijing to others worldwide), there was a backup IPSEC VPN set up "just in case". Fortunately we didn't have to use them, because they were down from time to time and bandwidth was inconsistent.
"Great Firewall buddy" is not to blame this time.
ChrisSerafin wrote:
I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great Firewall of China'.
I talked to a China Telecom rep in the US who says that the network congestion even in China makes VPNs difficult. From their website, I see that the majority of the country is using xDSL, or 2MB dedicated lines.
Can anyone shed any light on this topic? Thanks!
chris@chrisserafin.com
Very interesting rundown of current infrastructure options -- thanks!
On Oct 21, 2009, at 3:14 PM, Benjamin Billon wrote:
Hi,
if you're talking about Mainland China in general (not Hong Kong specifically), indeed IPSEC VPN may not provide the desired level of service. During the time I spent there, we opted for:
- CNC MPLS for 4 sites in China
- Equant MPLS between Beijing and other worldwide sites
- Then replaced Equant, at high price, by Verizon MPLS in order to connect worldwide sites through Pacific links instead of the Suez Canal
- Then replaced Verizon by higher-bandwidth Equant MPLS because Verizon's service was seriously bad. Not the link, but the service around it.
At that time, Verizon used China Telecom as contractor, and I think Equant used CNC. Not sure about that, though.
Verizon = CT: also consistent with my memory (and an easy guess since there is no alternative)
Equant = CNC: Perhaps you mean China Unicom =)
TV
Between each site (Beijing to three others in China, and Beijing to others worldwide), there was a backup IPSEC VPN set up "just in case". Fortunately we didn't have to use them, because they were down from time to time and bandwidth was inconsistent.
"Great Firewall buddy" is not to blame this time.
ChrisSerafin wrote:
I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great Firewall of China'.
I talked to a China Telecom rep in the US who says that the network congestion even in China makes VPNs difficult. From their website, I see that the majority of the country is using xDSL, or 2MB dedicated lines.
Can anyone shed any light on this topic? Thanks!
chris@chrisserafin.com
I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great Firewall of China'.
If you want an IP-MPLS VPN, BT has PoPs in Beijing, Guangzhou, Shanghai and Hong Kong. Check the web for more details and contact info: <http://globalservices.bt.com/globalLocation.do?method=VIEW&country=cn> You won't run into any problems running IPSEC over the MPLS network if you still feel the need for encryption. You can also get Internet access over the VPN and that access is from a gateway outside the Great Firewall. I imagine we are not the only global network offering such connectivity in China.
--Michael Dillon
participants (11)
- Adrian Chadd
- Alex Balashov
- Alexander Harrowell
- Benjamin Billon
- Chris Edwards
- ChrisSerafin
- Fred Baker
- Michael Dillon
- Robert Boyle
- Seth David Schoen
- tvest@eyeconomics.com