“A new Chinese policy going into effect this week (11 Jan., 2018 – this Thursday) will have a profound impact on businesses relying on Internet VPN or SD-WAN access within China.”
According to a notice from China Telecom obtained by SD-WAN Experts, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic. Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.
The move, first reported by Bloomberg in July, was expected to be implemented by February 2018. This is the first time a specific date has been provided for the action.
Millions of Internet users relied on virtual private networks (VPNs) to circumvent the Chinese censorship system, dubbed the Great Firewall of China. In the past, VPNs have worked intermittently but were invariably blocked, forcing users to jump to another VPN. The new regulations will block VPN access to unregistered services.
Crackdowns on accessing the Internet beyond the Great Firewall are carried out by the world’s most sophisticated state-censorship operation, which employs at least 2 million online censors. But this news highlights how the world’s second largest economy is struggling to balance authoritarianism with its business leadership aspirations. In addition, a strict new cybersecurity law came into effect in June. In July, China Telecom, the nation’s biggest Internet service provider, sent a letter to corporate clients that said that in future, VPNs would only be allowed to connect to a company’s headquarters abroad.
For SD-WAN users, the regulations could have a significant impact. Site-to-site connectivity across MPLS or private line will be unaffected, but site-to-site VPNs will be affected if businesses do not register with their ISPs. This means hybrid WANs, for example, will work fine for those applications running across the private data service, but will be disrupted when failing over to the Internet or when sending traffic across the encrypted Internet tunnel as the primary traffic path. Many SD-WAN and meshed VPN installations in China today take advantage of the lower Internet costs within China, using fewer MPLS circuits to reach data centers outside of the country. These circuits will fail to pass traffic on January 10th unless the enterprise registers with its local ISPs.
Of the SD-WAN service providers most likely to be impacted by these changes, Aryaka comes to mind. SD-WAN providers generally provide appliances that rely on the provided transport. If they use the Internet, then they’ll be blocked. If they use MPLS, they won’t be impacted.