A new Chinese policy to be implemented next week will have profound implications for businesses that rely on VPN or SD-WAN Internet access within China.
According to a China Telecom announcement obtained from SD-WAN experts, the Chinese government will require Chinese commercial operators to block TCP ports 80, 8080 and 443 by January 11, 2018. Port 80 is, of course, the commonly used TCP port to transfer HTTP traffic; 8080 and 443 are used to move HTTPS traffic. Commercial ISP customers interested in retaining access to these ports must register or apply to re-open the port through their local ISP.
The measure, which was first reported by Bloomberg in July, is expected to be implemented by February 2018. This is the first time a specific date has been given for the action.
Millions of Internet users have relied on virtual private networks (VPNs) to bypass the Chinese censorship system, dubbed China’s Great Wall of Fire. In the past, VPNs have worked intermittently but have always been blocked, forcing users to switch to another VPN. The new regulations will prevent VPN access to unregistered services.
The effort to fight Internet access over the Great Wall, the most sophisticated state censorship in the world, employs at least 2 million electronic sensors. But this news shows that the world’s second-largest economy is struggling to balance authoritarianism with its business ambitions. A harsh new cyber law also came into force in June. In July, China Telecom, the nation’s largest internet service provider, sent a letter to corporate customers saying that in the future VPNs could connect only to a company’s headquarters abroad.
This means that hybrid WANs, for example, will work well for applications running through the private data service but will be disrupted when they fail over to the Internet or send traffic through an encrypted tunnel over the Internet as the primary transport. Many SD-WANs and VPNs in China currently take advantage of the low cost of Internet access within China, using a smaller number of MPLS circuits to reach data centres outside the country. These channels will fail to pass traffic on January 10 unless the business registers with local ISPs.
Of the SD-WAN service providers most likely to be affected by these changes, Aryaka comes to mind. SD-WAN providers supply devices that depend on the underlying transport. If they use the Internet, they will be blocked. If they use MPLS, they will not be affected.
There’s been a great deal of chatter, and confusion, surrounding this news, which appears to reference China’s impending legislation to ban VPNs from the country (originally slated to take effect in February 2018). A closer look at the details, however, reveals the article may not be talking about VPNs at all. Here is our take on the news:
- The most likely theory is that the Chinese government is forcing anyone operating a website in China to register with the government. Domestic Chinese VPN operators were required to register with the government back in October. Extending this requirement to websites seems a logical expansion of the Chinese government’s efforts to further control the Internet within China. If this is the case, the news is not related to VPNs and applies only to local companies operating websites within China. Foreign VPN providers and foreign websites would not be affected.
- The second possibility is that China is blocking these outbound ports to limit access to websites outside of China, effectively blocking access to any non-China website. The Chinese have historically blocked access to specific websites, such as Google, and a move to block access to all foreign websites would cause major disruption. This scenario seems less likely.