Re: Question about great firewall of China

[Ryan Hamel <ryan () rkhtech org>]

On Mar 23 2018, at 12:28 am, Jean-Francois Mezei <jfmezei_nanog () vaxination ca> wrote:
> Asking in a sanity check context.
>
> As you may have heard, Bell Canada has gathered a group called Fairplay
> Canada to force all ISPs in Canada to block web sites Fairplay has
> decided infringe on copyright. (ironically, Fairplay is copyright by
> Apple, and used without permission :-)
>
> Canada has hundreds of separate ISPs, each using a combination of one or
> more transit providers (and there are many that have POPs in Canada).
>
> (so the following question makes it relevant to the NA in NAnog).
> 1-
> Does anyone have "big picture" details on how China implements its
> website blocks?
>
> Is this implemented in major trunks that enter China from the outside
> world? Is there a governmenmt onwed transit provider to whom any/all
> ISPs must connect (and thus that provider can implemnent the blocks), or
> are the blocks performed closer to the edges with ISPs in charge of
> implementing them ?
>
> I assume they are some blocked ports, and fake authoritative DNS zone
> files to redirect sites like bbc.co.uk to something else? Would DPI, on
> a national scale work to look at HTTP and HTTPS transactions to kill TCP
> sessione to IPs where the HTTP transaction has a banned work (such as
> "Host: www.bbc.co.uk"
The state owns China Unicom, China Telecom, and China Mobile, which is what everyone eventually connects into. PCCW is 
in Hong Kong and is not under the same scruitiny.
A lot of your questions about the great firewall of China can be answered by reading: 
https://en.wikipedia.org/wiki/Great_Firewall 
(https://link.getmailspring.com/link/local-56496eae-d14e-v1.1.4-22d9f20d@RKHTech-Laptop/0?redirect=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FGreat_Firewall&recipient=Nanog%40nanog.org)
> 2-
> Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet
> to detect and slow bittorrent flows down to dialup speeds. When it
> started to upgrade its core network to support FTTH in 2010, the upgrade
> of the BRAS routers to 10GBPS ports would have required Bell buy a
> totally new fleet of DPI boxes and keep buying whenever there were
> capacity upgrades. The math favoured increasing capacity instead of
> limiting use via DPI throttling, especially since traffic growth was
> with youtube and netflix , not bittorrent.
>
>
> fast forward 7-8 years to today: Is the deployment of dedicated DPI,
> capable of wire speed control of individual flows be economically
> feasable for wireline internet services? (DOCSIS and FTTH speeds).
>
> When Rogers and Comcast wanted to slow Netflix, underprovisioning links
> from the Netflix appliances/CDN is much cheaper than deploying DPI. Just
> curious if there is still an apetite for DPI for wireline ISPs that
> deploy at modern DOCSIS/FTTH speeds.
>
>
> Does the rapid move from HTTP to HTTPS render DPI for wire speed live
> control useless? ( I realise that blind collection of netflow data to
> be batch processed into billing systems to implement zero rating schemes
> is possible with normal routers and may not require dedicated DPI.
DPI will be useless, but that doesn't mean traffic patterns can be observed in other ways, resulting in QoS policies 
being applied at border routers.
> 3-
> In the case of the USA with ISPs slated to become AOL-like information
> providers, is there an expectation of widespread deployment of DPI
> equipment to "manage" the provision of information, or is the
> expectation that the ISPs will focus more on using netflow to impact the
> billing system and usage limits?
Netflow is not the only way to get usage stats, one can also measure the tx/rx bit differentiation at client facing 
interface with set intervals.
> 4-
> Or is DPI being deployed anyways to protect the networks from DDOS
> attacks, so adding website blocking would be possible?

I am not sure of any ISP using DPI on inbound to block traffic outbound.