Mailing List Archive: NANOG: users

ISP/VPN's to China?



chris at chrisserafin

Oct 21, 2009, 10:56 AM

Post #1 of 20 (925 views)
ISP/VPN's to China?

I have a client in the US looking to connect up an office in China and
I'm wondering what type of connections are available and whether IPSEC
VPNs can be established through the 'Great firewall of China'.

I talked to a China Telecom rep in the US who says that the network
congestion even within China makes VPNs difficult. From their website, I
see that the majority of the country is using xDSL, or 2MB dedicated lines.

Can anyone shed any light on this topic? Thanks!

chris [at] chrisserafin


fred at cisco

Oct 21, 2009, 11:16 AM

Post #2 of 20 (919 views)
Re: ISP/VPN's to China? [In reply to]

I travel to China at least once a year, often several times. I
generally visit major cities like Shanghai and Beijing, but have been
to a number of other cities. I generally use Cisco VPN (an IPsec VPN)
to Cisco DMZs in Tokyo or Hong Kong for business purposes. As with
hotels in other parts of the world, congestive interference depends a
lot on the hotel and what the person you're competing with is doing. I
can tell you a few horror stories if you're amused by them, but in
recent years things have been improving.

On Oct 21, 2009, at 10:56 AM, ChrisSerafin wrote:

> I have a client in the US looking to connect up an office in China
> and I'm wondering what type of connections are available and whether
> IPSEC VPNs can be established through the 'Great firewall of China'.
>
> I talked to a China Telecom rep in the US who says that the network
> congestion even within China makes VPNs difficult. From their website,
> I see that the majority of the country is using xDSL, or 2MB
> dedicated lines.
>
> Can anyone shed any light on this topic? Thanks!
>
> chris [at] chrisserafin
>


bbillon-ml at splio

Oct 21, 2009, 12:14 PM

Post #3 of 20 (917 views)
Re: ISP/VPN's to China? [In reply to]

Hi,

if you're talking about Mainland China in general (not Hong Kong
specifically), an IPSEC VPN may indeed not provide the desired level of service.
During the time I spent there, we opted for:
- CNC MPLS for 4 sites in China
- Equant MPLS between Beijing and other worldwide sites
- Then replaced at high price Equant by Verizon MPLS in order to connect
worldwide sites through Pacific links instead of Suez Canal
- Then replaced Verizon by higher bandwidth Equant MPLS because
Verizon's service was seriously bad. Not the link, but the service
around it.

At that time, Verizon used China Telecom as contractor, and I think
Equant used CNC. Not sure about that, though.

Between each site (Beijing to three others in China, and Beijing to
others worldwide), there was backup IPSEC VPN set up "just in case".
Fortunately we didn't have to use them, because they were down from time to
time and bandwidth was inconsistent.

"Great Firewall buddy" is not to blame this time.

ChrisSerafin wrote:
> I have a client in the US looking to connect up an office in China and
> I'm wondering what type of connections are available and whether IPSEC
> VPNs can be established through the 'Great firewall of China'.
>
> I talked to a China Telecom rep in the US who says that the network
> congestion even within China makes VPNs difficult. From their website, I
> see that the majority of the country is using xDSL, or 2MB dedicated
> lines.
>
> Can anyone shed any light on this topic? Thanks!
>
> chris [at] chrisserafin
>


tvest at eyeconomics

Oct 21, 2009, 12:56 PM

Post #4 of 20 (916 views)
Re: ISP/VPN's to China? [In reply to]

Very interesting rundown of current infrastructure options -- thanks!

On Oct 21, 2009, at 3:14 PM, Benjamin Billon wrote:

> Hi,
>
> if you're talking about Mainland China in general (not Hong Kong
> specifically), an IPSEC VPN may indeed not provide the desired level of
> service.
> During the time I spent there, we opted for:
> - CNC MPLS for 4 sites in China
> - Equant MPLS between Beijing and other worldwide sites
> - Then replaced at high price Equant by Verizon MPLS in order to
> connect worldwide sites through Pacific links instead of Suez Canal
> - Then replaced Verizon by higher bandwidth Equant MPLS because
> Verizon's service was seriously bad. Not the link, but the service
> around it.
>
> At that time, Verizon used China Telecom as contractor, and I think
> Equant used CNC. Not sure about that, though.

Verizon = CT: also consistent with my memory (and an easy guess since
there is no alternative)

Equant = CNC: Perhaps you mean China Unicom =)

TV

> Between each site (Beijing to three others in China, and Beijing to
> others worldwide), there was backup IPSEC VPN set up "just in case".
> Fortunately we didn't have to use them, because they were down from time
> to time and bandwidth was inconsistent.
>
> "Great Firewall buddy" is not to blame this time.
>
> ChrisSerafin wrote:
>> I have a client in the US looking to connect up an office in China
>> and I'm wondering what type of connections are available and whether
>> IPSEC VPNs can be established through the 'Great firewall of China'.
>>
>> I talked to a China Telecom rep in the US who says that the network
>> congestion even within China makes VPNs difficult. From their website,
>> I see that the majority of the country is using xDSL, or 2MB
>> dedicated lines.
>>
>> Can anyone shed any light on this topic? Thanks!
>>
>> chris [at] chrisserafin
>>
>


robert at tellurian

Oct 21, 2009, 4:27 PM

Post #5 of 20 (906 views)
Re: ISP/VPN's to China? [In reply to]

At 02:16 PM 10/21/2009, Fred Baker wrote:
>I travel to China at least once a year, often several times. I
>generally visit major cities like Shanghai and Beijing, but have been
>to a number of other cities. I generally use Cisco VPN (an IPsec VPN)
>to Cisco DMZs in Tokyo or Hong Kong for business purposes. As with
>hotels in other parts of the world, congestive interference depends a
>lot on the hotel and what the person you're competing with is doing. I
>can tell you a few horror stories if you're amused by them, but in
>recent years things have been improving.

I use the Cisco WebVPN (AnyConnect) client and I have yet to find a
place in China where it doesn't work perfectly - even in rural areas,
but not so rural that they don't have Internet access. However, if
you try to do many "normal" things outside of the VPN connection -
check certain news sites, log on to Facebook or watch a video on
YouTube, you won't be able to do so.

-Robert



Tellurian Networks - A Perot Systems Company
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


abalashov at evaristesys

Oct 21, 2009, 4:36 PM

Post #6 of 20 (904 views)
Re: ISP/VPN's to China? [In reply to]

OpenVPN is ideal. It functions purely over application-level UDP
transport (IP-IP) instead of using GRE/IPSec/other encapsulation
protocols that could potentially be blocked by a protocol filter on a
router. Route that traffic to a server outside of China and NAT it
out to the rest of the Internet.

The default port is UDP 1194, but can easily be changed.

Anyone who wants to block it risks blocking any applications that use
UDP in general, such as online games, Skype, etc.

It is precisely because the traffic has no signature distinguishable
from normal application traffic - aside from the fact that the payload
is encrypted - that it makes a good fit.

It's also open-source and free.

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671


fred at cisco

Oct 21, 2009, 4:59 PM

Post #7 of 20 (905 views)
Re: ISP/VPN's to China? [In reply to]

On Oct 21, 2009, at 4:36 PM, Alex Balashov wrote:

> It is precisely because the traffic has no signature distinguishable
> from normal application traffic

oh my goodness. You're behind on your reading...


abalashov at evaristesys

Oct 21, 2009, 5:00 PM

Post #8 of 20 (902 views)
Re: ISP/VPN's to China? [In reply to]

Fred Baker wrote:
>
> On Oct 21, 2009, at 4:36 PM, Alex Balashov wrote:
>
>> It is precisely because the traffic has no signature distinguishable
>> from normal application traffic
>
> oh my goodness. You're behind on your reading...

I didn't mean DPI. I meant in a way that can be inferred from the
headers themselves, and aside from the port number.

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671


adrian at creative

Oct 21, 2009, 6:27 PM

Post #9 of 20 (904 views)
Re: ISP/VPN's to China? [In reply to]

On Wed, Oct 21, 2009, Alex Balashov wrote:

> >oh my goodness. You're behind on your reading...
>
> I didn't mean DPI. I meant in a way that can be inferred from the
> headers themselves, and aside from the port number.

You don't think that statistical analysis of traffic patterns
of your UDP traffic wouldn't identify it as a likely tunnel? :)



Adrian


abalashov at evaristesys

Oct 21, 2009, 6:47 PM

Post #10 of 20 (907 views)
Re: ISP/VPN's to China? [In reply to]

I was not aware that tools or techniques to do this are widespread or
highly functional in a way that would get them adopted in an Internet
access control application of a national scope.

Tell me more?

--
Sent from mobile device

On Oct 21, 2009, at 9:27 PM, Adrian Chadd <adrian [at] creative>
wrote:

> On Wed, Oct 21, 2009, Alex Balashov wrote:
>
>>> oh my goodness. You're behind on your reading...
>>
>> I didn't mean DPI. I meant in a way that can be inferred from the
>> headers themselves, and aside from the port number.
>
> You don't think that statistical analysis of traffic patterns
> of your UDP traffic wouldn't identify it as a likely tunnel? :)
>
>
>
> Adrian
>


adrian at creative

Oct 21, 2009, 6:56 PM

Post #11 of 20 (908 views)
Re: ISP/VPN's to China? [In reply to]

On Wed, Oct 21, 2009, Alex Balashov wrote:
> I was not aware that tools or techniques to do this are widespread or
> highly functional in a way that would get them adopted in an Internet
> access control application of a national scope.
>
> Tell me more?

It's been a while since I tinkered with this for fun, but a quick abuse
of google gives one relatively useful starting paper:

http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf

Now, if you were getting multiple overlapping fingerprints inside a
UDP packet stream you may conclude that it is a VPN tunnel of some
sort.

Just randomly padding the tunnel with a few bytes either side will
probably just fuzz the classifier somewhat. Aggregating the packets
up into larger packets may fuzz the classification methods but it
certainly won't make the traffic look like "something else".
It'll likely still stick out as being "different". :)



Adrian
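The point Adrian makes above (a tunnel can be flagged from header-level statistics alone, and per-packet padding only "fuzzes" the classifier) as a runnable toy. This is an added example, not code from the thread or the method of the cited paper: it assumes a deliberately simplified fingerprint (a histogram over packet direction and size bucket, ignoring the timing and ordering features a real classifier would also use), a constructed distance threshold of 0.5, and constructed DNS-, VoIP- and tunnel-like flows. The intended use is a network owner checking their own monitoring logic, and the output is only a "looks like nothing we know" flag.

```python
"""Toy header-only flow classifier (added example; all traffic constructed)."""
import random
from collections import Counter

# Lower edges of size buckets in bytes (constructed). Coarse buckets absorb
# a few bytes of padding; the top bucket catches near-MTU packets.
BUCKETS = (0, 64, 128, 256, 512, 1024)


def bucket(size):
    """Index of the bucket a packet of `size` bytes falls into."""
    for i in range(len(BUCKETS) - 1, -1, -1):
        if size >= BUCKETS[i]:
            return i
    return 0


def fingerprint(flow):
    """Normalised histogram over (direction, size bucket).
    `flow` is a list of (direction, size) pairs, direction 'c' (client to
    server) or 's' (server to client). Only IP/UDP header facts are used."""
    counts = Counter((d, bucket(s)) for d, s in flow)
    return {k: v / len(flow) for k, v in counts.items()}


def distance(fp_a, fp_b):
    """Total variation distance: 0.0 = identical shape, 1.0 = disjoint."""
    keys = set(fp_a) | set(fp_b)
    return 0.5 * sum(abs(fp_a.get(k, 0.0) - fp_b.get(k, 0.0)) for k in keys)


def classify(flow, known, threshold=0.5):
    """Nearest known application, or 'unclassified' if nothing is within
    `threshold` (constructed cutoff). Returns (label, distance)."""
    fp = fingerprint(flow)
    best = min(known, key=lambda name: distance(fp, known[name]))
    d = distance(fp, known[best])
    return (best if d <= threshold else "unclassified", d)


# --- constructed traffic generators -----------------------------------------

def make_dns(pairs, rng):
    """Small query, larger response, strictly alternating."""
    flow = []
    for _ in range(pairs):
        flow.append(("c", rng.randint(40, 80)))
        flow.append(("s", rng.randint(90, 250)))
    return flow


def make_voip(pairs, rng):
    """Near-fixed-size frames in both directions, like a codec on a timer."""
    flow = []
    for _ in range(pairs):
        flow.append(("c", 160 + rng.randint(-4, 4)))
        flow.append(("s", 160 + rng.randint(-4, 4)))
    return flow


def make_tunnel(packets, rng):
    """Mixture of wrapped applications: random direction, sizes spread from
    small ACK-like packets to near-MTU bulk packets."""
    flow = []
    for _ in range(packets):
        r = rng.random()
        if r < 0.5:
            size = rng.randint(1300, 1450)
        elif r < 0.8:
            size = rng.randint(200, 900)
        else:
            size = rng.randint(60, 120)
        flow.append((rng.choice("cs"), size))
    return flow


def pad(flow, rng, max_pad=32):
    """Random per-packet padding, the countermeasure discussed above."""
    return [(d, s + rng.randint(0, max_pad)) for d, s in flow]


# Fingerprints "learned" from one batch of constructed flows ...
_train = random.Random(1)
KNOWN = {
    "dns": fingerprint(make_dns(100, _train)),
    "voip": fingerprint(make_voip(100, _train)),
}

# ... then classification of fresh, independently generated flows.
_test = random.Random(2)
DNS_FLOW = make_dns(100, _test)
VOIP_FLOW = make_voip(100, _test)
TUNNEL_FLOW = make_tunnel(200, _test)
PADDED_TUNNEL_FLOW = pad(TUNNEL_FLOW, _test)


def demo():
    """Classify each constructed flow; returns {name: (label, distance)}."""
    flows = (("dns", DNS_FLOW), ("voip", VOIP_FLOW),
             ("tunnel", TUNNEL_FLOW), ("padded tunnel", PADDED_TUNNEL_FLOW))
    return {name: classify(flow, KNOWN) for name, flow in flows}


if __name__ == "__main__":
    for name, (label, d) in demo().items():
        print(f"{name:14s} -> {label:13s} (distance {d:.2f})")
```

The two known applications are recognised because a second sample of the same traffic lands close to the learned histogram, while the tunnel's size mix is far from both, so it falls out as "unclassified". Padding shifts sizes by at most one bucket and leaves that verdict unchanged, which is exactly the "still sticks out as different" outcome described above.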


fred at cisco

Oct 21, 2009, 11:09 PM

Post #12 of 20 (901 views)
Re: ISP/VPN's to China? [In reply to]

They exist and for certain applications are pretty effective.

On Oct 21, 2009, at 6:47 PM, Alex Balashov wrote:

> I was not aware that tools or techniques to do this are widespread
> or highly functional in a way that would get them adopted in an
> Internet access control application of a national scope.
>
> Tell me more?
>
> --
> Sent from mobile device
>
> On Oct 21, 2009, at 9:27 PM, Adrian Chadd <adrian [at] creative>
> wrote:
>
>> On Wed, Oct 21, 2009, Alex Balashov wrote:
>>
>>>> oh my goodness. You're behind on your reading...
>>>
>>> I didn't mean DPI. I meant in a way that can be inferred from the
>>> headers themselves, and aside from the port number.
>>
>> You don't think that statistical analysis of traffic patterns
>> of your UDP traffic wouldn't identify it as a likely tunnel? :)
>>
>>
>>
>> Adrian
>>


schoen at loyalty

Oct 21, 2009, 11:59 PM

Post #13 of 20 (897 views)
Re: ISP/VPN's to China? [In reply to]

Adrian Chadd writes:

> On Wed, Oct 21, 2009, Alex Balashov wrote:
> > I was not aware that tools or techniques to do this are widespread or
> > highly functional in a way that would get them adopted in an Internet
> > access control application of a national scope.
> >
> > Tell me more?
>
> It's been a while since I tinkered with this for fun, but a quick abuse
> of google gives one relatively useful starting paper:
>
> http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf

A lot of research papers on what is or isn't possible in traffic
analysis are linked from

http://freehaven.net/anonbib/topic.html#Traffic_20analysis

This bibliography is updated periodically. It's a pretty big, complex
topic, and the open literature could use lots more publications.

--
Seth David Schoen <schoen [at] loyalty> | Qué empresa fácil no pensar en
http://www.loyalty.org/~schoen/ | un tigre, reflexioné.
http://vitanuova.loyalty.org/ | -- Borges, El Zahir


chris at eng

Oct 22, 2009, 2:19 AM

Post #14 of 20 (895 views)
Re: ISP/VPN's to China? [In reply to]

On Wed, 21 Oct 2009, Alex Balashov wrote:

| I was not aware that tools or techniques to do this are widespread or highly
| functional in a way that would get them adopted in an Internet access control
| application of a national scope.

Doesn't necessarily have to be hugely accurate. The authorities could
simply identify a few likely suspect tunnels, then knock-on-doors and ask
you to explain what the traffic in question is...


abalashov at evaristesys

Oct 22, 2009, 2:38 AM

Post #15 of 20 (888 views)
Re: ISP/VPN's to China? [In reply to]

Chris Edwards wrote:

> Doesn't necessarily have to be hugely accurate. The authorities could
> simply identify a few likely suspect tunnels, then knock-on-doors and ask
> you to explain what the traffic in question is...

Understood. I guess the angle I was going more for was: Is this
actually practical to do in a country with almost as many Internet
users as the US has people?

I had always assumed that broad policies and ACLs work in China, but
most forms of DPI and traffic pattern analysis aren't practical simply
for computational feasibility reasons. Not unless the system were
highly distributed.

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671


chris at eng

Oct 22, 2009, 4:38 AM

Post #16 of 20 (891 views)
Re: ISP/VPN's to China? [In reply to]

On Thu, 22 Oct 2009, Alex Balashov wrote:

| Understood. I guess the angle I was going more for was: Is this actually
| practical to do in a country with almost as many Internet users as the US has
| people?
|
| I had always assumed that broad policies and ACLs work in China, but most
| forms of DPI and traffic pattern analysis aren't practical simply for
| computational feasibility reasons. Not unless the system were highly
| distributed.

Perhaps they only need make an example of a few, and thus introduce an
element of fear for everyone else.


a.harrowell at gmail

Oct 22, 2009, 5:14 AM

Post #17 of 20 (891 views)
Re: ISP/VPN's to China? [In reply to]

On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
> On Thu, 22 Oct 2009, Alex Balashov wrote:
> | Understood. I guess the angle I was going more for was: Is this
> | actually practical to do in a country with almost as many Internet users
> | as the US has people?
> |
> | I had always assumed that broad policies and ACLs work in China, but most
> | forms of DPI and traffic pattern analysis aren't practical simply for
> | computational feasibility reasons. Not unless the system were highly
> | distributed.
>
> Perhaps they only need make an example of a few, and thus introduce an
> element of fear for everyone else.

I had always assumed that the Gt. Firewall, and especially the fake RST
element of it, existed precisely to let the geeks and weirdos stand out of the
naive traffic so they could be subjected to special treatment.

Similarly, this is the approach the Iranians seem to have taken after their
disputed election - although there isn't a telco monopoly, there's a wholesale
transit monopoly, and they just had the transit provider rate-limit everyone.
My understanding of this was that "normal" users would give up and do
something else, and only people who really wanted to reach the outside world
or each other - i.e. potential subversives - would keep trying. Therefore,
not only would the volume of traffic to DPI, proxy etc be lower, but the
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL
VPN, because that's what corporate traveller applications tend to use and
they'll therefore never cut it off. I mean, are you suggesting that the
assistant party secretary of Wuhan won't be able to log into CommunistSpace
(like Facebook with Chinese characteristics) while he's on the road?
Unthinkable!


tvest at eyeconomics

Oct 22, 2009, 5:33 AM

Post #18 of 20 (896 views)
Re: ISP/VPN's to China? [In reply to]

On Oct 22, 2009, at 7:38 AM, Chris Edwards wrote:

> On Thu, 22 Oct 2009, Alex Balashov wrote:
>
> | Understood. I guess the angle I was going more for was: Is this actually
> | practical to do in a country with almost as many Internet users as the US has
> | people?
> |
> | I had always assumed that broad policies and ACLs work in China, but most
> | forms of DPI and traffic pattern analysis aren't practical simply for
> | computational feasibility reasons. Not unless the system were highly
> | distributed.
>
> Perhaps they only need make an example of a few, and thus introduce an
> element of fear for everyone else.

Not "a few," but rather quite a lot, albeit only infrequently, and at
unpredictable intervals, with a very high inclusion/exclusion error
rate -- an artifact of the absence of a clear and easily demonstrable line
between compliance/non-compliance (which is itself an artifact of the
内部 [internally published only] nature of many of the related rules).

http://www.usc.cuhk.edu.hk/wk_wzdetails.asp?id=2791
www.usc.cuhk.edu.hk/webmanager/wkfiles/2791_1_paper.pdf

TV


tvest at eyeconomics

Oct 22, 2009, 5:54 AM

Post #19 of 20 (892 views)
Re: ISP/VPN's to China? [In reply to]

On Oct 22, 2009, at 8:14 AM, Alexander Harrowell wrote:

> On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
>> On Thu, 22 Oct 2009, Alex Balashov wrote:
>> | Understood. I guess the angle I was going more for was: Is this
>> | actually practical to do in a country with almost as many Internet users
>> | as the US has people?
>> |
>> | I had always assumed that broad policies and ACLs work in China, but most
>> | forms of DPI and traffic pattern analysis aren't practical simply for
>> | computational feasibility reasons. Not unless the system were highly
>> | distributed.
>>
>> Perhaps they only need make an example of a few, and thus introduce an
>> element of fear for everyone else.
>
> I had always assumed that the Gt. Firewall, and especially the fake RST
> element of it, existed precisely to let the geeks and weirdos stand out of the
> naive traffic so they could be subjected to special treatment.
>
> Similarly, this is the approach the Iranians seem to have taken after their
> disputed election - although there isn't a telco monopoly, there's a wholesale
> transit monopoly, and they just had the transit provider rate-limit everyone.
> My understanding of this was that "normal" users would give up and do
> something else, and only people who really wanted to reach the outside world
> or each other - i.e. potential subversives - would keep trying. Therefore,
> not only would the volume of traffic to DPI, proxy etc be lower, but the
> concentration of suspect traffic in it would be higher.
>
> From this point of view, I suppose there's some value in using an IPSec or SSL
> VPN, because that's what corporate traveller applications tend to use and
> they'll therefore never cut it off. I mean, are you suggesting that the
> assistant party secretary of Wuhan won't be able to log into CommunistSpace
> (like Facebook with Chinese characteristics) while he's on the road?
> Unthinkable!

Generally speaking, the definition of "corporate traveller
applications" in such cases ==
"Whatever anyone tries to do from the following specific address
ranges, which are known to be accessible exclusively inside certain
international hotels, exclusively to users who are willing to pay the
equivalent of 1-2 weeks of avg. local income for the privilege."

TV


wavetossed at googlemail

Oct 27, 2009, 5:05 AM

Post #20 of 20 (806 views)
Re: ISP/VPN's to China? [In reply to]

> I have a client in the US looking to connect up an office in China and I'm
> wondering what type of connections are available and whether IPSEC VPNs can be
> established through the 'Great firewall of China'.

If you want an IP-MPLS VPN, BT has PoPs in Beijing, Guangzhou,
Shanghai and Hong Kong.
Check the web for more details and contact info:
<http://globalservices.bt.com/globalLocation.do?method=VIEW&country=cn>

You won't run into any problems running IPSEC over the MPLS network if
you still feel the need for encryption. You can also get Internet
access over the VPN and that access is from a gateway outside the
Great Firewall.

I imagine we are not the only global network offering such
connectivity in China.

--Michael Dillon
