[English translation] A route propagation–based access control method for large-scale networks (Journal on Communications 2003) #434

@wkrp

This reading group thread is a bit special. It is a translation of an old research paper from Chinese to English. Like #251, #275, and #282, this paper is written from the point of view of implementing censorship, rather than defeating it. The difference is that those other papers were originally published in English, while this one was published in Chinese. This paper is historically significant, as we will discuss, and it has not been available to read in English before now.

一种基于路由扩散的大规模网络控管方法
A route propagation–based access control method for large-scale networks
刘刚 (Liu Gang), 云晓春 (Yun Xiaochun), 方滨兴 (Fang Binxing), 胡铭曾 (Hu Mingzeng)
Archived journal homepage
Original Chinese PDF
Online English HTML
English PDF

This is an early paper on the use of null routing, or blackhole routing, to enforce restrictions on access to IP addresses. To block an IP address, you could, for example, configure a firewall to drop packets that have a certain destination address. But a firewall is too slow, the authors say, for large-scale networks (tens or hundreds of Gbit/s). Instead, this paper says you should use the ordinary function of IP routers. To block an IP address, you override its normal routing and configure a special route that leads to a "blackhole server". Not only is this style of blocking fast, because routers are already optimized for high performance, you can use ordinary routing protocols such as BGP and OSPF as a management tool, configuring a route in one place and having it automatically propagated out to egress/ingress routers. The paper itself, as well as other contemporary reports, say that this technique was in use in China as early as 2002.

A "sample router" sr, in white, at the center of ISP0, is connected to a "sample server" ss and a "blackhole server" fs. "Egress/ingress routers" or1, or2, or3, or4, in black, connect to ISP1, ISP2, ISP3, ISP4. The sample router is connected to the egress/ingress routers either directly or via "propagation routers" kr, in gray. There are two links between sr and or4, to indicate redundancy.
Figure 1: Network architecture for route propagation–based network access control in an ISP

The core of the technique is outlined in Section 2.1 and Figure 1. The goal is to get special overriding routes installed at "egress/ingress routers" (or) at the border of the network. You start by attaching a new "control network" to the network you want to control. The control network contains a "sample server" (ss), which is where the network administrator sits and configures which IP addresses are to be blocked. The sample server sends commands to a "sample router" (sr), which is in contact with the other routers in the network over dynamic routing protocols. The sample router sets a static route for each IP address to be blocked, with a "next hop" that points to the IP address of a "blackhole server" (fs) adjacent to the sample router. From the sample router, the static routes are propagated outwards to the egress/ingress routers, passing through zero or more "propagation routers" (kr) on the way. The authors say that route propagation may use special dedicated lines, or may be over encrypted tunnels on public networks (virtual links).

A packet with a blocked destination IP address that reaches an egress/ingress router will be routed to the blackhole server. The blackhole server can simply ignore the packets it receives, or it may compile statistics, which can inform a future unblocking decision:

2)通过对黑洞服务器获取的数据进行统计和分析,按照一定的原则将结果反馈给样本服务器,帮助样本服务器决定对网络地址的施控或者解控,具有智能性的优点;

2) By compiling statistics on and analyzing the data obtained by the blackhole server and feeding the results back to the sample server according to certain principles, it helps the sample server decide to control or de-control the network address, so it has the advantage of intelligence;

Compare the network setup to the similar setup of "Implementation of an IP access control technology" from 2001. The sample router sr is there called the "configuration router" R0. The roles of both the sample server ss and the blackhole server fs are played by the "configuration host" H0. Instead of the configuration host sending commands to the configuration router, instructing it to install static routes, the configuration host simply claims an IP address as its own, which causes a static route to propagate automatically. (In effect, using RIP as the command interface.)

The choice of which dynamic routing protocol to use depends on how the network is set up. When the sample router is itself part of every AS that needs to be controlled (Figure 2), the authors recommend using OSPF. When the ASes to be controlled are separate from the AS containing the sample router (Figure 3), use BGP.

The blackhole routing technique only works for packets that originate inside the controlled networks. Those packets will be turned around and directed to the blackhole server. Packets from a blocked external IP address will still be delivered correctly to addresses inside the controlled network. This is nevertheless effective, of course, as most protocols require packet delivery in both directions.
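To make the mechanism of Sections 2.1 and Figure 1 concrete, here is a small Python model of it. This is an added illustration, not code from the paper or its authors: four routers exchange routes by flooding (a stand-in for the OSPF/BGP propagation the paper relies on) and forward by longest-prefix match. The sample router installs a /32 route for each blocked address whose next hop is the blackhole server; the route floods out to the egress/ingress routers, so an outbound packet for a blocked address is turned into the blackhole, which counts what it receives, while an inbound packet from that same address is still delivered, which is the one-directional property described above. Router names, the 10.0.0.0/8 "inside" space, the blackhole address and the blocked address are all constructed for the example.

```python
"""Toy model of route propagation-based blackhole filtering (added example,
not the paper's code). Routers flood route updates to their neighbors and
forward by longest-prefix match, as any IP router does."""
import ipaddress
from collections import Counter

BLACKHOLE = "10.0.0.66"  # constructed address of the blackhole server "fs"
IPv4Network = ipaddress.IPv4Network


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = {}      # IPv4Network -> next-hop label
        self.neighbors = []

    def lookup(self, dst):
        """Longest-prefix match: the most specific route wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self.routes[best] if best is not None else None

    def flood(self, net, next_hop, seen=None):
        """Install (or withdraw, when next_hop is None) a route and pass it on
        to every neighbor; each router processes a given update once."""
        seen = set() if seen is None else seen
        if self.name in seen:
            return
        seen.add(self.name)
        if next_hop is None:
            self.routes.pop(net, None)
        else:
            self.routes[net] = next_hop
        for n in self.neighbors:
            n.flood(net, next_hop, seen)


class BlackholeServer:
    """Sink that counts arrivals; the counts can inform an unblock decision."""
    def __init__(self):
        self.hits = Counter()

    def absorb(self, src, dst):
        self.hits[dst] += 1


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_isp():
    """Topology sr -- kr -- or1 and sr -- or2 (constructed). Every router has a
    default route out of the ISP and an internal route for 10.0.0.0/8."""
    sr, kr, or1, or2 = (Router(n) for n in ("sr", "kr", "or1", "or2"))
    link(sr, kr)
    link(kr, or1)
    link(sr, or2)
    for r in (sr, kr, or1, or2):
        r.routes[IPv4Network("0.0.0.0/0")] = "upstream"
        r.routes[IPv4Network("10.0.0.0/8")] = "internal"
    return sr, [or1, or2]


def block(sr, ip):
    """The sample server's command: a host route whose next hop is the blackhole."""
    sr.flood(IPv4Network(ip + "/32"), BLACKHOLE)


def unblock(sr, ip):
    """De-control: withdraw the host route everywhere."""
    sr.flood(IPv4Network(ip + "/32"), None)


def forward(router, fs, src, dst):
    """Forwarding decision at one router; returns the next-hop label and
    records packets that end up at the blackhole server."""
    nh = router.lookup(dst)
    if nh == BLACKHOLE:
        fs.absorb(src, dst)
    return nh


def demo():
    sr, egress = build_isp()
    fs = BlackholeServer()
    blocked = "203.0.113.5"           # constructed external address to block
    block(sr, blocked)
    out = {}
    # outbound from inside to the blocked address: turned into the blackhole
    out["outbound_blocked"] = forward(egress[0], fs, "10.1.2.3", blocked)
    # outbound to an unblocked address: leaves normally
    out["outbound_other"] = forward(egress[0], fs, "10.1.2.3", "198.51.100.7")
    # inbound from the blocked address: lookup is on the destination, so it is
    # delivered; the block bites only because the reply cannot get back out
    out["inbound_from_blocked"] = forward(egress[1], fs, blocked, "10.1.2.3")
    out["blackhole_hits"] = fs.hits[blocked]
    unblock(sr, blocked)
    out["after_unblock"] = forward(egress[0], fs, "10.1.2.3", blocked)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The flooding here is deliberately protocol-agnostic: whether the real deployment used OSPF inside one AS or BGP across several, the effect at the egress/ingress routers is the same, a /32 that wins longest-prefix match over the default route. Withdrawing the route restores normal forwarding without touching any firewall rule, which is why the authors could describe the routing protocol itself as the management tool.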

The declared goal of the IP address blocking mechanism is to "prevent the spread of all kinds of harmful information on the network" and "stop the spread of cyber attacks or viruses". The authors emphasize a need for high performance and not affecting ordinary traffic. The final paragraph says the system is already in use, with tens of thousands of blocking rules:

本文所提出的方法在多个 ISP 的实践中表明,基于路由扩散的访问控制方法可以在大规模网络上实现控管,能配置高过上万条的访问控制规则,不影响核心路由器的高速数据交换,整个系统工作稳定。

The practice of several ISPs has shown that the route propagation–based access control method presented in this paper can implement access control for large-scale networks, and can configure up to tens of thousands of access control rules without affecting the high-speed data exchange between core routers, with the whole system working stably.
