Re: ISP/VPN's to China?

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: ISP/VPN's to China?

From: tvest
Date: Thu Oct 22 08:54:39 2009

List-archive: <http://mailman.nanog.org/mailman/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

On Oct 22, 2009, at 8:14 AM, Alexander Harrowell wrote:

On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
On Thu, 22 Oct 2009, Alex Balashov wrote:
| Understood. I guess the angle I was going more for was: Is this
| actually practical to do in a country with almost as many Internet users
| as the US has people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.

Perhaps they only need make an example of a few, and thus introduce an
element of fear for everyone else.

I had always assumed that the Gt. Firewall, and especially the fake RST
element of it, existed precisely to let the geeks and weirdos stand out of the
naive traffic so they could be subjected to special treatment.

Similarly, this is the approach the Iranians seem to have taken after their
disputed election - although there isn't a telco monopoly, there's a wholesale
transit monopoly, and they just had the transit provider rate-limit everyone.
My understanding of this was that "normal" users would give up and do
something else, and only people who really wanted to reach the outside world
or each other - i.e. potential subversives - would keep trying. Therefore,
not only would the volume of traffic to DPI, proxy etc be lower, but the
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL
VPN, because that's what corporate traveller applications tend to use and
they'll therefore never cut it off. I mean, are you suggesting that the
assistant party secretary of Wuhan won't be able to log into CommunistSpace
(Iike Facebook with Chinese characteristics) while he's on the road?
Unthinkable!

Generally speaking, the definition of "corporate traveller applications" in such cases ==
"Whatever anyone tries to do from the following specific address ranges, which are known to be accessible exclusively inside certain international hotels, exclusively to users who are willing to pay the equivalent of 1-2 weeks of avg. local income for the privilege).

TV

References:
- ISP/VPN's to China? ChrisSerafin
- Re: ISP/VPN's to China? Alex Balashov
- Re: ISP/VPN's to China? Chris Edwards
- Re: ISP/VPN's to China? Alexander Harrowell

Prev by Date: Re: IPv6 Deployment for the LAN
Next by Date: =?GB2312?B?V2UgcHJvdmlkZSBQaG90byBFZGl0aW5nIFNlcnZpY2VzIC0gUGhvdG8gQ3V0IE91dA==?=
Date Index
Thread Index
Author Index
Historical