Will China start blocking SD-WAN traffic…today?

More than a decade ago, I launched the forerunner to SD-WAN Experts, MPLS Experts, on a project to China. Back then finding out telecom services in another country, let alone another continent, seemed like a mission impossible. China was among the most difficult.

Much has changed in our industry. MPLS has given way to SD-WAN, but some things remain the same. We still need global connectivity and China continues to remain a mystery. My story about China blocking VPN traffic – and potentially SD-WAN traffic – caused quite a stir in the industry, in large part because, like so many things when dealing with China, concrete information remains scarce (particularly for non-native speakers).

To recap: According to a notice China Telecom send to one of my customers, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic.

“I’ve also seen similar notices from China Telecom circulated on social media,” Yuan Yang, the Beijing correspondent for the Financial Times, wrote to me in an email.  Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.  

Now, we know that China policy blocks some traffic. That’s not new. In June of 2017, several sources reported that China would be blocking consumer VPN traffic. There would be crackdowns on accessing the Internet beyond the Great Firewall – the world’s most sophisticated state-censorship operation, which employs at least 2 million online censors.

What’s new here are the specifics. China Telecom will be blocking traffic from commercial users starting today. What exactly is a commercial user? What’s the scope of the regulation?

The focus on “commercial users” is particularly important. There are some who’ve suggested that the notice is only targeting external use —  companies who sell internet-based services. The Chinese regs (thank you Google Translate) discuss how Internet information service providers (which are different from Internet service providers) must register or else be blocked by their ISPs.

The notice I found is effective January 1, 2018. Close to, but not quite the February 1 deadline. (I’m hardly a Chinese telecom lawyer and am the first to admit that my reading of this regulation might be wrong.)

Yang suspects the same. “The Shanghai Telecom notice you forwarded me lightly suggests the same, since it asks companies to provide their ICP license – only internet companies would usually consider applying for an ICP license. But it’s not conclusive as to who it’s addressed at,” she says.

If indeed only “Internet companies” are being targeted – and by that we mean companies selling goods and services to online customers – then IT managers may be able to breathe a sigh of relief. I’m still uncertain how many companies who don’t sell anything online, but if the description is accurate, at least as far as SD-WAN systems are concerned, IT operations should remain unaffected in most cases.

SD-WAN appliances are typically used within companies, which would put them outside of regulatory scope. That’s good, since they rely on Internet access to some degree, blocking 443 (and certainly port 80 and 8080) would most likely disrupt many SD-WAN solutions.

Even hybrid WANs that mix MPLS and Internet could be impacted, at least indirectly.  They’ll work fine for those applications running across the private data service, but will be disrupted when failing over to the Internet or sending traffic across the encrypted Internet tunnel as the primary traffic driver. If the regulations do not target internal use, though, then SD-WANs site-to-site VPNs run by companies should not face a problem.

Sounds good, right? But here’s the rub: my customer isn’t an “internet” company. It’s also not unique in receiving such as notice. “I have also heard of non-internet companies that have been affected,” wrote Yang.

As it turns out there are cases when “non-internet” companies have registered their VPNs. As I was finishing up on this blog, Yang wrote back with the following:

“I spoke to a western multinational in Beijing (a professional services firm not an internet/tech-related company) who had successfully registered their company-internal VPN with the authorities a couple of years ago, when the regulations over VPNs first came out. The registration process was NOT the same as the ICP licensing process. So, it is possible to register your company-internal VPN.”

A bit lost? You’re not alone. “I have spoken to tech lawyers in Beijing who have also said their clients are confused.”  So am I, to be honest.

And there’s more. Is the regulation only blocking those ports within China or will traffic exiting China on those ports also be subject to the regulations? Difficult to say. One way around the issue would seem to use private data service, such as a leased line or MPLS circuit. China Telecom (not surprisingly) offers such a service.

But that’s hardly a solution. MPLS services are expensive, cumbersome to deploy, and the Chinese government still has the right to inspect your traffic.  The whole point for SD-WAN is to move away from private data services not adopt them. Besides, it’ll probably take you longer to get your MPLS circuit deployed than it will to find out the scope of the regulation.

In my last article, I recommended you check with your provider. I still think that’s sound advice. And sit tight for now before racing off for a technology decision that might constrain you going forward.

The mystery should start clearing up very soon.