[English translation] A route propagation–based access control method for large-scale networks (Journal on Communications 2003) #434

Open
wkrp opened this issue Dec 10, 2024 · 3 comments

wkrp commented Dec 10, 2024

This reading group thread is a bit special. It is a translation of an old research paper from Chinese to English. Like #251, #275, and #282, this paper is written from the point of view of implementing censorship, rather than defeating it. The difference is that those other papers were originally published in English, while this one was published in Chinese. This paper is historically significant, as we will discuss, and it has not been available to read in English before now.


A route propagation–based access control method for large-scale networks
刘刚 (Liu Gang), 云晓春 (Yun Xiaochun), 方滨兴 (Fang Binxing), 胡铭曾 (Hu Mingzeng)
Archived journal homepage
Original Chinese PDF ("一种基于路由扩散的大规模网络控管方法")
Online English HTML
English PDF

This is an early paper on the use of null routing, or blackhole routing, to enforce restrictions on access to IP addresses. To block an IP address, you could, for example, configure a firewall to drop packets that have a certain destination address. But a firewall is too slow, the authors say, for large-scale networks (tens or hundreds of Gbit/s). Instead, this paper says you should use the ordinary function of IP routers. To block an IP address, you override its normal routing and configure a special route that leads to a "blackhole server". Not only is this style of blocking fast, because routers are already optimized for high performance, but you can also use ordinary routing protocols such as BGP and OSPF as a management tool, configuring a route in one place and having it automatically propagated out to egress/ingress routers. The paper itself, as well as other contemporary reports, says that this technique was in use in China as early as 2002.

A "sample router" sr, in white, at the center of ISP0, is connected to a "sample server" ss and a "blackhole server" fs. "Egress/ingress routers" or1, or2, or3, or4, in black, connect to ISP1, ISP2, ISP3, ISP4. The sample router is connected to the egress/ingress routers either directly or via "propagation routers" kr, in gray. There are two links between sr and or4, to indicate redundancy.
Figure 1: Network architecture for route propagation–based network access control in an ISP

The core of the technique is outlined in Section 2.1 and Figure 1. The goal is to get special overriding routes installed at "egress/ingress routers" (or) at the border of the network. You start by attaching a new "control network" to the network you want to control. The control network contains a "sample server" (ss), which is where the network administrator sits and configures which IP addresses are to be blocked. The sample server sends commands to a "sample router" (sr), which is in contact with the other routers in the network over dynamic routing protocols. The sample router sets a static route for each IP address to be blocked, with a "next hop" that points to the IP address of a "blackhole server" (fs) adjacent to the sample router. From the sample router, the static routes are propagated outwards to the egress/ingress routers, passing through zero or more "propagation routers" (kr) on the way. The authors say that route propagation may use special dedicated lines, or may be over encrypted tunnels on public networks (virtual links).

A packet with a blocked destination IP address that reaches an egress/ingress router will be routed to the blackhole server. The blackhole server can simply ignore the packets it receives, or it may compile statistics, which can inform a future unblocking decision:

2)通过对黑洞服务器获取的数据进行统计和分析,按照一定的原则将结果反馈给样本服务器,帮助样本服务器决定对网络地址的施控或者解控,具有智能性的优点;

2) By compiling statistics on and analyzing the data obtained by the blackhole server and feeding the results back to the sample server according to certain principles, it helps the sample server decide to control or de-control the network address, so it has the advantage of intelligence;

Compare the network setup to the similar setup of "Implementation of an IP access control technology" from 2001. The sample router sr is there called the "configuration router" R0. The roles of both the sample server ss and the blackhole server fs are played by the "configuration host" H0. Instead of the configuration host sending commands to the configuration router, instructing it to install static routes, the configuration host simply claims an IP address as its own, which causes a static route to propagate automatically. (In effect, using RIP as the command interface.)

The choice of which dynamic routing protocol to use depends on how the network is set up. When the sample router is itself part of every AS that needs to be controlled (Figure 2), the authors recommend using OSPF. When the ASes to be controlled are separate from the AS containing the sample router (Figure 3), use BGP.

The blackhole routing technique only works for packets that originate inside the controlled networks. Those packets will be turned around and directed to the blackhole server. Packets from a blocked external IP address will still be delivered correctly to addresses inside the controlled network. This is nevertheless effective, of course, as most protocols require packet delivery in both directions.

The declared goal of the IP address blocking mechanism is to "prevent the spread of all kinds of harmful information on the network" and "stop the spread of cyber attacks or viruses". The authors emphasize a need for high performance and not affecting ordinary traffic. The final paragraph says the system is already in use, with tens of thousands of blocking rules:

本文所提出的方法在多个 ISP 的实践中表明,基于路由扩散的访问控制方法可以在大规模网络上实现控管,能配置高过上万条的访问控制规则,不影响核心路由器的高速数据交换,整个系统工作稳定。

The practice of several ISPs has shown that the route propagation–based access control method presented in this paper can implement access control for large-scale networks, and can configure up to tens of thousands of access control rules without affecting the high-speed data exchange between core routers, with the whole system working stably.
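As an added illustration (not code from the paper or from the original post), here is a toy Python model of the mechanism in Section 2.1: each router does longest-prefix matching over its RIB, the sample router sr installs /32 static routes whose next hop is the blackhole server fs, and a propagate() function stands in for OSPF/BGP redistribution to the egress/ingress routers. Router names follow Figure 1; all addresses are constructed. Because forwarding consults only the destination address, the model also shows the one-directional property noted above: inbound packets from a blocked address are still delivered.

```python
import ipaddress

class Router:
    """Minimal router: a RIB of prefix -> next-hop name, longest-prefix match."""
    def __init__(self, name):
        self.name = name
        self.rib = {}

    def add_route(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def next_hop(self, dst):
        # Forwarding consults only the destination address, never the source.
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.rib if addr in p]
        if not matches:
            return None
        return self.rib[max(matches, key=lambda p: p.prefixlen)]

def propagate(sr, routers):
    """Stand-in for OSPF/BGP redistribution: copy sr's /32 routes that point
    at the blackhole server to each egress/ingress router."""
    for prefix, nh in sr.rib.items():
        if prefix.prefixlen == 32 and nh == "fs":
            for r in routers:
                r.add_route(str(prefix), nh)

def build_isp(blocked):
    """Constructed topology: one sample router sr, four border routers or1..or4."""
    sr = Router("sr")
    border = [Router(f"or{i}") for i in range(1, 5)]
    for r in border:
        r.add_route("0.0.0.0/0", "upstream")   # default route toward the peer ISP
        r.add_route("10.0.0.0/8", "internal")  # constructed internal address space
    for ip in blocked:
        sr.add_route(f"{ip}/32", "fs")         # static route, next hop = blackhole server
    propagate(sr, border)
    return sr, border

def blocked_everywhere(border, ip):
    """Check that every border router now diverts ip to fs."""
    return all(r.next_hop(ip) == "fs" for r in border)

if __name__ == "__main__":
    sr, border = build_isp(["203.0.113.10"])   # constructed blocked address
    print(border[0].next_hop("203.0.113.10"))  # outbound packet to blocked address -> fs
    print(border[0].next_hop("10.1.2.3"))      # inbound reply from outside -> still delivered
```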

wkrp commented Dec 10, 2024

The paper is notable, in part, because of how it has been cited as a reference for the implementation of IP address blocking in China.

It is cited in "Splinternet Behind the Great Firewall of China" (2012):

According to a paper published by its designers, GFW relies on null routing (see figure 1) to block IP packets by blacklisting destination addresses.[16] By peering with the gateway routers of all Chinese ISPs, GFW injects routing information into BGP (Border Gateway Protocol) and hijacks all traffic to blocked websites—such as twitter.com. Although null routing can block only the outbound traffic from China and permits inbound traffic, it is enough to block a Web site because most current Internet communication can be established only with two-way interaction.

This is a lightweight censorship solution: the government (through GFW) maintains a centralized blacklist without much involvement from ISPs, and so without much risk of leakage; null routing adds only a tiny load to the gateway router of ISPs; and no dedicated devices are needed. IP blocking is easy to circumvent, however, by setting up a proxy outside of China or moving the Web site to another IP address. If the Web site changes its IP address and keeps its domain name unchanged, then the user will always access it—whatever IP address it uses.

It is also mentioned in "Finding contributors to Great Firewall by their papers" ("通过分析论文挖掘防火长城(GFW)的技术人员") from 2013, an attempt to map out the network of researchers contributing to the Great Firewall, starting from 方滨兴 (Fang Binxing):

检测到不良信息接下来就是网络管控和阻断技术,比如利用协议欺骗[14]、DNS污染[15]、路由控制[16]等,相比之下,这些论文的水平不高。

Once undesirable information is detected, the next step is network control and blocking techniques, such as protocol spoofing [14], DNS pollution [15], routing control [16], etc. By comparison, these papers are not of very high quality.

The paper (along with #435) was covered in the 2009 blog post 深入理解GFW:路由扩散技术 (Deeper Understanding of GFW: Route Propagation Techniques):

前面说了是“歪用”,正常的情况下静态路由是由管理员根据网络拓扑或是基于其他目的而给出的一条路由,这条路由最起码要是正确的,可以引导路由器把报文转发到正确的目的地。而GFW的路由扩散技术中使用的静态路由其实是一条错误的路由,而且是有意配置错误的。其目的就是为了把本来是发往某个IP地址的报文统统引导到一个“黑洞服务器”上,而不是把它们转发到正确目的地。这个黑洞服务器上可以什么也不做,这样报文就被无声无息地丢掉了。更多地,可以在服务器上对这些报文进行分析和统计,获取更多的信息,甚至可以做一个虚假的回应。

As I said before, it is "misused". Under normal circumstances, a static route is a route given by the administrator based on the network topology or for other purposes. This route should at least be correct, and it can guide the router to forward the message to the correct destination. The static route used in GFW's route propagation technique is actually a wrong route, and it is intentionally misconfigured. Its purpose is to direct all messages destined for a certain IP address to a "blackhole server" instead of forwarding them to the correct destination. The blackhole server can simply do nothing, so that the messages are dropped silently. Furthermore, the messages can be analyzed and counted on the server to obtain more information, or even used to make a false response.

wkrp commented Dec 10, 2024

Studies contemporary to this paper (2002) find strong evidence of exactly this style of blackhole routing being used to block IP addresses in China. They both identify the IP address of a blackhole server: 202.97.33.2.

The Project C (r. 1.0) report by Nart Villeneuve in 2002 presents evidence that is consistent with a routing-based blocking technique. It discovers a blackhole IP address 202.97.33.2. The address is responsive to port scans and looks like a Cisco device. (The use of Cisco equipment in China at the time is further supported by a citation, in the paper of this thread, of the book Advanced IP Routing in Cisco Networks.)

Figure 1 is a screenshot of a visual traceroute request from a server on CHINANET to the website of Human Rights Watch (www.hrw.org). The request originating in China is routed through various regional routers from CHINANET's Beijing province network but the request is finally blocked at the CHINANET backbone network.

Scans of the offending router, in this case p-1-0-0-r1-i-bjbj-1.cn.net (202.97.33.2), indicate that the router is manufactured by Cisco, an American company that does considerable business with China. An nmap scan shows that ports indicative of a Cisco router are open and connections to the open ports display a typical Cisco login prompt.

Port     State    Service
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
2001/tcp open     dc
4001/tcp open     unknown
6001/tcp open     X11:1
9001/tcp open     unknown

"The Great Firewall Revealed", also from 2002, finds the same blackhole IP address.

We tested this mechanism using test computers inside China, and used the standard networking utilities such as ping and traceroute (tracert on Windows) to trace the paths an IP packet would take from within China to various overseas websites. Our tests showed that an IP packet destined to various blocked websites would first go through a few area routers, then would be forwarded by some of these routers, and it would eventually be forwarded to the following international-level router,

p-0-0-0-r1-I-bjbj-1.cn.net (202.97.33.2)

at which all the IP packets would be dropped. This observation agrees with the results in [6]. On the other hand, for unblocked websites, an IP packet will take various paths, depending on the destination, first going through a few area-level routers, then one or two national-level routers, one international-level router, then hopping into the overseas network, and eventually arriving at these websites. These unblocked IP packets will not have a chance to go through the blocking router (202.97.33.2) at all.
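The measurement logic used by both 2002 reports, as an added example (not code from either report or from the original post): from a single vantage point, a hop that is the final hop for several destinations that never answer, and that never appears on the path to any destination that does answer, is a blackhole-router candidate. The traces below are constructed sample data; only the final-hop address 202.97.33.2 is taken from the reports quoted above, and the min_traces threshold is an assumption.

```python
from collections import Counter

# Constructed traceroute summaries: destination label -> (hops seen, destination reached?).
# The final hop of the unreachable traces reuses the address reported in the 2002 studies.
TRACES = {
    "blocked-a": (["10.0.0.1", "202.97.1.1", "202.97.33.2"], False),
    "blocked-b": (["10.0.0.1", "202.97.2.1", "202.97.33.2"], False),
    "open-a":    (["10.0.0.1", "202.97.1.1", "202.97.9.9", "198.51.100.1"], True),
    "open-b":    (["10.0.0.1", "202.97.2.1", "202.97.9.9", "192.0.2.7"], True),
    "timeout-c": (["10.0.0.1", "203.0.113.5"], False),  # ordinary path loss, not the blackhole
}

def blackhole_candidates(traces, min_traces=2):
    """Return hops that terminate at least min_traces unreachable traces and never
    appear on the path to a reachable destination (min_traces is an assumed threshold)."""
    last_hops = Counter()
    open_hops = set()
    for hops, reached in traces.values():
        if reached:
            open_hops.update(hops)      # any hop on a working path cannot be the blackhole
        elif hops:
            last_hops[hops[-1]] += 1    # where the unreachable trace died
    return sorted(h for h, n in last_hops.items()
                  if n >= min_traces and h not in open_hops)

def destinations_via(traces, hole):
    """Destinations whose unreachable trace ends at the given hop."""
    return sorted(d for d, (hops, reached) in traces.items()
                  if not reached and hops and hops[-1] == hole)

if __name__ == "__main__":
    for hole in blackhole_candidates(TRACES):
        print(hole, "terminates traces to", destinations_via(TRACES, hole))
```

A repeated final hop is only a candidate, since a failed upstream link produces the same pattern; the reports corroborated theirs by comparing against paths to unblocked sites from the same vantage point, which is what the open_hops exclusion encodes.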

wkrp commented Dec 10, 2024

Let's take a closer look at the authors.

刘刚 (Liu Gang) (b. 1975), according to the bio in the paper itself, was a PhD student at the Harbin Institute of Technology at the time the paper was written.

刘刚 (Liu Gang) (1975–), male, from Shenyang, Liaoning, Ph.D. student of Harbin Institute of Technology. His main research interest is cybersecurity.

云晓春 (Yun Xiaochun) (b. 1971) is a senior researcher. To judge by the email address on his homepage, he is now affiliated with Zhongguancun Laboratory. In 2016, as Deputy Director and Chief Engineer of CNCERT/CC, he was recognized as an outstanding talent by the Cyberspace Administration of China:

2007年起,云晓春同志作为总师坚持探索创新网络安全技术,主持研制了国家网络安全系列平台,使我国具备了国家级网络安全防御能力,并在历次国家重大活动的安全保障中发挥了不可替代的作用。

Since 2007, Comrade Yun Xiaochun, as the Chief Engineer, has persisted in exploring and innovating network security technologies. He led the development of the national network security platform series, enabling China to possess national-level cyber defense capabilities. His contributions have been irreplaceable in ensuring security during major national events.

He continues to do censorship-relevant research even to the present day, as evidenced by titles such as "Encrypted TLS Traffic Classification on Cloud Platforms" in his CV.

方滨兴 (Fang Binxing) (b. 1960) hardly needs an introduction. Known as the "Father of the Great Firewall", he was heavily involved in the early stages of Internet censorship in China and continues to be instrumental. He has many academic and industry affiliations, and even a research foundation under his name. Fang is a founder and Chief Scientist of Geedge Networks, covered in #369.

胡铭曾 (Hu Mingzeng) (b. 1935) is by far the most senior researcher on the paper. In 2003 he would have been 67 or 68 years old. Hu was a teacher and mentor to Fang Binxing at the Harbin Institute of Technology. In 2018, Fang wrote an article in which he says it was Hu that convinced him to return to HIT to be a teacher after getting a degree.

在硕士毕业前,卢主任和我的恩师胡铭曾教授又到清华大学找我,动员我回哈工大当老师。那时大学生包分配,因大学三年级时我家已搬迁到天津,所以我被分配到了天津大学,但那时已经说好回到哈工大任教,正好有位分配到黑龙江省的毕业生不愿回去,我们俩就对调了一下。

Before I finished my master's degree, Director Lu and my mentor Professor Hu Mingzeng came to Tsinghua University to find me again and urged me to return to the Harbin Institute of Technology as a teacher. At that time, university graduates were assigned jobs by the state. Because my family had moved to Tianjin during my third year of university, I was assigned to Tianjin University, but by then I had already agreed to return to HIT to teach. As it happened, a graduate who had been assigned to Heilongjiang Province did not want to go back, so the two of us swapped assignments.
