[118471] in North American Network Operators' Group
Re: ISP/VPN's to China?
daemon@ATHENA.MIT.EDU (Alexander Harrowell)
Thu Oct 22 08:17:07 2009
From: Alexander Harrowell <a.harrowell@gmail.com>
To: nanog@nanog.org
Date: Thu, 22 Oct 2009 13:14:19 +0100
In-Reply-To: <Pine.SOC.4.64.0910221236100.20354@bowling.cent.gla.ac.uk>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
> On Thu, 22 Oct 2009, Alex Balashov wrote:
> | Understood. I guess the angle I was going more for was: Is this
> | actually practical to do in a country with almost as many Internet users
> | as the US has people?
> |
> | I had always assumed that broad policies and ACLs work in China, but most
> | forms of DPI and traffic pattern analysis aren't practical simply for
> | computational feasibility reasons. Not unless the system were highly
> | distributed.
>
> Perhaps they only need make an example of a few, and thus introduce an
> element of fear for everyone else.
I had always assumed that the Gt. Firewall, and especially the fake RST
element of it, existed precisely to let the geeks and weirdos stand out of the
naive traffic so they could be subjected to special treatment.

Similarly, this is the approach the Iranians seem to have taken after their
disputed election - although there isn't a telco monopoly, there's a wholesale
transit monopoly, and they just had the transit provider rate-limit everyone.
My understanding of this was that "normal" users would give up and do
something else, and only people who really wanted to reach the outside world
or each other - i.e. potential subversives - would keep trying. Therefore,
not only would the volume of traffic to DPI, proxy etc be lower, but the
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL
VPN, because that's what corporate traveller applications tend to use and
they'll therefore never cut it off. I mean, are you suggesting that the
assistant party secretary of Wuhan won't be able to log into CommunistSpace
(like Facebook with Chinese characteristics) while he's on the road?
Unthinkable!