Re: ISP/VPN's to China?

[Alexander Harrowell]

On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
> On Thu, 22 Oct 2009, Alex Balashov wrote:
> | Understood.  I guess the angle I was going more for was:  Is this
> | actually practical to do in a country with almost as many Internet users
> | as the US has people?
> |
> | I had always assumed that broad policies and ACLs work in China, but most
> | forms of DPI and traffic pattern analysis aren't practical simply for
> | computational feasibility reasons.  Not unless the system were highly
> | distributed.
>
> Perhaps they only need make an example of a few, and thus introduce an
> element of fear for everyone else.

I had always assumed that the Gt. Firewall, and especially the fake RST 
element of it, existed precisely to let the geeks and weirdos stand out of the 
naive traffic so they could be subjected to special treatment. 

Similarly, this is the approach the Iranians seem to have taken after their 
disputed election - although there isn't a telco monopoly, there's a wholesale 
transit monopoly, and they just had the transit provider rate-limit everyone. 
My understanding of this was that "normal" users would give up and do 
something else, and only people who really wanted to reach the outside world 
or each other  - i.e. potential subversives - would keep trying. Therefore, 
not only would the volume of traffic to DPI, proxy etc be lower, but the 
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL 
VPN, because that's what corporate traveller applications tend to use and 
they'll therefore never cut it off. I mean, are you suggesting that the 
assistant party secretary of Wuhan won't be able to log into CommunistSpace 
(Iike Facebook with Chinese characteristics) while he's on the road? 
Unthinkable!

Attachment: signature.asc
Description: This is a digitally signed message part.