China & Cisco



Wired reports the latest on the Cisco-China-gate and mention ONI:

A report from the OpenNet Initiative watchdog group last April singled out Cisco for allegedly enabling the Chinese government’s notorious “Great Firewall,” a filtering system that prevents Chinese netizens from visiting websites that criticize the government.

Cisco’s routers, the report noted, form the backbone of China’s internet access, and include the power to identify and filter packets based on keyword matches — a tool typically used for fighting viruses and denial-of-service attacks that also makes internet censorship easier for repressive governments.

Rebecca has also been covering this story and has a detailed account of her conversation with a Cisco Rep generating, as noted, a lot of debate and criticism.

I think that there are two issues here, related for sure, but likely somewhat seperate: filtering and monitoring. We know that filtering is occuring on multiple levels and monitoring would follow that same pattern. Like filtering, the location at which the monitoring is taking place affects the usabilty of the data collected. It also affects the processing and response capability.

Take for example this account of a reporters experience in a Shanghai Internet cafe:

Each incoming user must give a name and address, then hand over identification to a clerk. Closed-circuit TV cameras monitor from overhead. Every computer terminal is loaded with software to track all activity. If a user heads toward a prohibited Web site, cafe employees know right away.

”A blinking light goes off,” said Lin Fusheng, owner of the sprawling Shigong Network cafe, off Shanghai’s main pedestrian walkway.

The software also alerts authorities at a Shanghai municipal security post across town, and inspectors eventually may drop in to check on the infractions.

Regardless of whether a light actually blinks (I’m a skeptic) domestic firms in China have developed Internet filtering software — many of these companies have specific products for Internet cafe’s. The behaviour described above fits nicely with descriptions of Net110 (here and here). It is quite clear that the cafe owners (and adminstrators for the same software designed for schools, libraries, businesses etc..) can monitor users and that the results can be sent, automatically, to the cyber police. This level of access is ideal for monitoring and filtering with the ISP level being the next best. The further upstream it goes, the harder it is.

As the article suggests, in reaction to such infraction the cyber police “eventually may drop in”. It is not a rapid reaction force. (The cyber police also solicit reports/tips from the public.)

Unlike products such as Net110, which are official approved by the cyber police and are connected to their infrastructure, its unclear how Cisco’s backbone routers would be used in this way. For filtering its quite simple — the routers are updated with filtering rules. These routers could also log IP’s that trigger the filtering behaviour; these could be stored somewhere but they would not contain all ones email and surfing etc… just that a specific IP address (which could be traced to a location/account) triggered the filtering rule. This would not be a rapid response situation, even less so that cafe level reporting.

With data interception — the type required to monitor and collect web traffic, email traffic etc… (btw, even if collected encrypted traffic could not be read) — the best location is as close to the target as possible. That is, if you are a target for some reason already, then it will be easier to set up a tap and monitor you. This is where I believe the Cisco technology described here comes into play. If police are using such equipment to monitor a suspect they would deploy taps at the ISP level (or as close to the suspect as possible) and intercept and collect the suspects Internet traffic, much like law enforement officials do all over the world.

The thing is, this type of data collection does not scale well. And it does not happen after the fact.

China has 103,000,000 Internet users and 82,617 Mbit/s international bandwidth. At maximum capacity that would be roughly 10 gigabytes per second, or 600 gigabytes per minute, or 35 terabytes an hour, or 840 terrabytes per day. The ” largest data warehouse on record” was 92.7 terrabytes (this was in 2002 so it is likely larger by now, but you get the picture). Now, to store 3 months worth of data and process that data to check a particular users traffic would be quite a chore, if not impossible.

Post a comment.