On Mar 23 2018, at 12:28 am, Jean-Francois Mezei <jfmezei_na...@vaxination.ca> wrote:
>
> Asking in a sanity check context.
>
> As you may have heard, Bell Canada has gathered a group called Fairplay
> Canada to force all ISPs in Canada to block web sites Fairplay has
> decided infringe on copyright. (ironically, Fairplay is copyright by
> Apple, and used without permission :-)
>
> Canada has hundreds of separate ISPs, each using a combination of one or
> more transit providers (and there are many that have POPs in Canada).
>
> (so the following question makes it relevant to the NA in NAnog).
> 1-
> Does anyone have "big picture" details on how China implements its
> website blocks?
>
> Is this implemented in major trunks that enter China from the outside
> world? Is there a government owned transit provider to whom any/all
> ISPs must connect (and thus that provider can implement the blocks), or
> are the blocks performed closer to the edges with ISPs in charge of
> implementing them ?
>
> I assume they are some blocked ports, and fake authoritative DNS zone
> files to redirect sites like bbc.co.uk to something else? Would DPI, on
> a national scale work to look at HTTP and HTTPS transactions to kill TCP
> sessions to IPs where the HTTP transaction has a banned word (such as
> "Host: www.bbc.co.uk"
>
The state owns China Unicom, China Telecom, and China Mobile, which is what everyone eventually connects into. PCCW is in Hong Kong and is not under the same scrutiny. A lot of your questions about the great firewall of China can be answered by reading: https://en.wikipedia.org/wiki/Great_Firewall
>
> 2-
> Bell Canada used to use DPI on 1gbps Ellacoya on its wireline Internet
> to detect and slow bittorrent flows down to dialup speeds. When it
> started to upgrade its core network to support FTTH in 2010, the upgrade
> of the BRAS routers to 10GBPS ports would have required Bell buy a
> totally new fleet of DPI boxes and keep buying whenever there were
> capacity upgrades. The math favoured increasing capacity instead of
> limiting use via DPI throttling, especially since traffic growth was
> with youtube and netflix, not bittorrent.
>
>
> fast forward 7-8 years to today: Is the deployment of dedicated DPI,
> capable of wire speed control of individual flows be economically
> feasible for wireline internet services? (DOCSIS and FTTH speeds).
>
> When Rogers and Comcast wanted to slow Netflix, underprovisioning links
> from the Netflix appliances/CDN is much cheaper than deploying DPI. Just
> curious if there is still an appetite for DPI for wireline ISPs that
> deploy at modern DOCSIS/FTTH speeds.
>
>
> Does the rapid move from HTTP to HTTPS render DPI for wire speed live
> control useless? ( I realise that blind collection of netflow data to
> be batch processed into billing systems to implement zero rating schemes
> is possible with normal routers and may not require dedicated DPI.
>
>
DPI will be useless, but that doesn't mean traffic patterns can be observed in other ways, resulting in QoS policies being applied at border routers.
> 3-
> In the case of the USA with ISPs slated to become AOL-like information
> providers, is there an expectation of widespread deployment of DPI
> equipment to "manage" the provision of information, or is the
> expectation that the ISPs will focus more on using netflow to impact the
> billing system and usage limits?
>
Netflow is not the only way to get usage stats, one can also measure the tx/rx bit differentiation at client facing interface with set intervals.
> 4-
> Or is DPI being deployed anyways to protect the networks from DDOS
> attacks, so adding website blocking would be possible?
>
I am not sure of any ISP using DPI on inbound to block traffic outbound.