by walrus01 2084 days ago
While all of the above is correct, it doesn't stop the GFW from implementing per-flow-based DPI that drops traffic, or throttles it to a throughput that is so slow as to be unusable, based on detection of consistent encrypted flows between an IP that is outside of China and one domestically within China.

The one thing TLS 1.3 with ESNI is not is hard to detect. It's a consistent traffic pattern if you throw a sufficient amount of CPU and RAM resources at doing DPI on each and every user's flows.

In an ordinary non-censored ISP environment the ratio at which you export netflow data to a collector adjacent to the router is quite low. And not a great deal of CPU and RAM resources are put into doing detailed analysis of it, other than for basic things like figuring out who you should be peering with that you aren't peering with already, and identifying percentages of traffic patterns (e.g. at 10pm every night we see this much traffic from our on-net locally hosted Netflix cache boxes going towards the residential GPON customers).

If you are a Chinese entity with access to the router-design people at Huawei and ZTE, and sufficient motivation to do so, there's no reason why you couldn't crank up the ratio greatly and (on a middle mile and per POP basis) export netflow by a dedicated 100Gbps link to a set of directly-adjacent high performance x86-64 servers, running custom flow analysis and DPI inspection software.

1 comments

They're already doing massive flow sampling at the GFW complexes today. They can police down to individual flows if they want to. They scale wide by distributing out traffic based upon src or dst IP.
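The flow analysis both comments describe (sampled netflow records scaled back up by the export ratio, aggregated per source/destination pair, and sharded across analysis boxes by IP) is the same per-flow aggregation a network security team uses to spot a long-lived encrypted session to a single external host. The block below is an added example, not code from either commenter; the flow records, sampling ratio, thresholds and worker count are all constructed.

```python
"""Per-flow aggregation over sampled NetFlow-style records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
import zlib

SAMPLING_RATIO = 1000  # assumed 1:1000 packet sampling on the exporting router


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    pkts: int     # sampled packets seen
    octets: int   # sampled bytes seen
    start: int    # epoch seconds
    end: int


# Constructed sampled records: one long-lived TLS session plus short web hits.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 443, 40, 52_000, 1000, 1600),
    Flow("10.0.0.5", "203.0.113.9", 443, 38, 49_000, 1600, 2200),
    Flow("10.0.0.5", "203.0.113.9", 443, 41, 53_500, 2200, 2800),
    Flow("10.0.0.7", "198.51.100.2", 443, 2, 1_500, 1100, 1102),
    Flow("10.0.0.7", "198.51.100.3", 80, 1, 600, 1200, 1200),
]


def aggregate(flows):
    """Merge sampled flows per (src, dst, dport), scaling bytes by the sampling ratio."""
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for f in flows:
        a = agg[(f.src, f.dst, f.dport)]
        a["flows"] += 1
        a["bytes"] += f.octets * SAMPLING_RATIO
        a["first"] = f.start if a["first"] is None else min(a["first"], f.start)
        a["last"] = f.end if a["last"] is None else max(a["last"], f.end)
    return dict(agg)


def sustained_encrypted(agg, min_seconds=900, min_bytes=50_000_000):
    """Pairs whose TCP/443 traffic spans at least min_seconds and min_bytes (estimated)."""
    return sorted(k for k, a in agg.items()
                  if k[2] == 443 and a["last"] - a["first"] >= min_seconds
                  and a["bytes"] >= min_bytes)


def shard(ip, workers):
    """Stable worker index for an IP, so every flow for one address lands on one box."""
    return zlib.crc32(ip.encode()) % workers
```

Three sampled records for 10.0.0.5 to 203.0.113.9 scale up to roughly 154 MB over a 30-minute span and are flagged, while the short browsing flows are not.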