A new Chinese policy going into effect next week, will have profound impact on businesses relying on Internet VPN or SD-WAN access within China.
According to a notice from China Telecom obtained by SD-WAN Experts, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic. Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.
The news, first reported by Bloomberg July, was expected to be implemented by February, 2018. This is the first time a specific date has been provided for the action.
Millions of Internet users relied on virtual private networks (VPNs) to circumvent the Chinese censorship system, dubbed the Great Firewall of China. In the past, VPNs have worked intermittently but were invariably blocked, forcing users to jump to another VPN. The new regulations will block VPN access to unregistered services.
Crackdowns on accessing the Internet beyond the Great Firewall — the world’s most sophisticated state-censorship operation, employs at least 2 million online censors. But this news highlights how the world’s second largest economy is struggling to balance authoritarianism with its business leadership aspirations. In addition, a strict new cybersecurity law came into effect in June. In July China Telecom, the nation’s biggest Internet service provider, sent a letter to corporate clients that said in future, VPNs would only be allowed to connect to a company’s headquarters abroad.
For SD-WAN users, the regulations could have significant impact. Site-to-site connectivity across MPLS or private line will be unaffected, but site-to-site VPNs will be affected, if businesses do not register with their ISPs. This means hybrid WANs, for example, will work fine for those applications running across the private data service, but will be disrupted when failing over to the Internet or sending traffic across the encrypted Internet tunnel as the primary traffic driver. There are many SD-WAN and meshed VPN installations in China today that leverage the lower internet costs within China, using a lesser number of MPLS circuits to reach data centers outside of the country. These circuits will fail to pass traffic on January 10th, unless the enterprise register with their local ISPs.
Of the SD-WAN service providers most likely to be impacted by these changes, Aryaka and Cato Networks come to mind. SD-WAN providers generally provide appliances that rely on the provided transport. If they use the Internet, then they’ll be blocked. If they use MPLS they won’t be impacted.
But Aryaka and Cato Networks provide the middle-mile, using their own backbones to move traffic into and out of China. Businesses connect to their PoPs in China using Internet for the last-mile. Aryaka also provides leased line, last-mile access through local carriers, as an option. If you’re using or considering Aryaka or Cato be sure that you are registered with your ISPs. But all SD-WAN providers will face the same impact on their customer networks, though they will not have the clear insight into tunnel failure due to this regulation, unless the customer is using a managed service provider.
Here’s a translation of the text from Chinese government describing the policy:
Electronics Co., Ltd.
Hello, Annex is not opened 80 8080 port fixed IP line list, if your company to use the 443 port, please January 2018 January 10 to complete the relevant filing, so as not to be closed 443 port, thank you.
China Telecom Xiamen FTA division of corporate customers
Tel: 0592-5512875 phone: 18059800252
Mailing Address: Lake Avenue 15, Building 102 telecommunications complex
Business please mail before the 25th of each month, thank you!
And the original Chinese:
As noted in Bloomberg:
“This seems to impact individuals” most immediately, said Jake Parker, Beijing-based vice president of the US-China Business Council. “VPNs are incredibly important for companies trying to access global services outside of China,” he said. “In the past, any effort to cut off internal corporate VPNs has been enough to make a company think about closing or reducing operations in China. It’s that big a deal,” he added.
The take-away from this story: if you have facilities in China, be sure you address this VPN registration issue, if it hasn’t been addressed already.
This article is published as part of the IDG Contributor Network. Want to Join?