Like many websites, particularly those in the media sector, the French TV site M6 Replay is only accessible from domestic connections. If you access it from inside France you’ll have no problem at all, but if you are in a different country and try to access M6 Replay you’ll be blocked from most of the video streams.
These sites often block access or filter their content for a variety of reasons. Much of it is to do with copyright: their programmes are only licensed for a specific country or region. Other reasons usually come down to maximising profit by selling broadcasting rights separately to other organisations or media companies. If you access a media site in any country you’ll normally find that the functionality is restricted primarily to its home market.
The methods for enforcing these restrictions are, however, usually very similar and involve determining the location of the connection. This is normally done by taking the IP address of the incoming connection and looking up its country of origin. The country can be determined from vast databases which map all registered IP addresses to their corresponding countries, so a connection arriving from a Canadian IP address would be mapped to Canada, and so on.
This is the standard method for controlling, filtering and restricting access, often known as geotargeting or geoblocking. It means that in order to bypass these blocks and gain access to these sites irrespective of your actual location you need to gain some control over your IP address. Unfortunately it’s not actually possible to change your address, as this is allocated directly by the ISP through which you connect to the internet. These addresses are always tied to a specific country, so you’ll get an address based on the country you’re connecting from.
There is a method, though, which can unlock any website irrespective of your location. Here’s a demonstration:
As you can see, the way to bypass these checks is to hide your real IP address by using an intermediate server to route the connection. So to access the M6 Replay site from outside France you need to relay your connection through a French proxy server.
As long as the server is configured properly, the website will only see the IP address of the proxy server and not that of the actual client. Developments in this area have included the use of VPNs (Virtual Private Networks), which are even more difficult to detect than proxies. Furthermore the VPN connection is encrypted, so it’s more secure than using a simple proxy server.
There are many ways to configure how TCP/IP operates on specific networks. Some of these parameters are rarely used, but when you’re running fast Gigabit networks with a wide variety of network hardware and infrastructure some options are extremely useful. One of those is the window scale option, which can be used to modify the definition of the TCP window from its default of 16 bits.
For example, in some environments it may be appropriate to increase the size of the TCP window to 32 bits. What actually happens is that instead of changing the size of the header field to allow the larger window, the header still holds a 16-bit value. However, an option allows a scaling factor to be applied to that value, which allows TCP to maintain the actual 32-bit window size internally.
The scaling option can only appear in the SYN segment of the transaction, which means that the scaling value is by definition fixed in both directions once the connection is established. For window scaling to be enabled, both ends of the connection must include the option in their SYN segments. It should be noted, though, that the shift count can be different in each direction.
There are methods for allowing suitable communication between different levels of hardware. For example, the initiator can send a non-zero scale factor, and the scaling is cancelled if a window scale option is not received in the return SYN. This behaviour is specified in the relevant RFC, which states that TCP must accept these options in any segment. This covers all sorts of connections; remember these can span wide areas, imagine a US IP address connecting to a Netflix server on super fast hardware. However, it should also be noted that TCP will always ignore any option that it doesn’t understand.
For illustration, suppose the window scale option is being used with a shift count of X for sending and Y for receiving. This means that every 16-bit window advertised by the other end is left-shifted by Y bits to obtain the real advertised window. And every time a window advertisement is sent, we take the real 32-bit window size and right-shift it by X bits to obtain the 16-bit value that goes in the TCP header.
The shift count is chosen automatically by TCP, based on the size of the receive buffer, which is set locally and cannot be controlled by the other side of the connection.
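The shift arithmetic and the SYN-only negotiation described above, worked through in code. This is an added example and not code from the original post; the option kind (3), its 3-byte layout and the 14-bit cap on the shift count come from RFC 1323/RFC 7323, while the peer SYN bytes are constructed for the demonstration.

```python
"""Worked example of the TCP window scale option (RFC 1323, now RFC 7323).

Added illustration, not code from the original post.  It covers the three
things the text describes: the option is carried in the SYN, the shift
count can differ per direction (and is cancelled if the peer's SYN omits
the option), and the 16-bit header value is shifted left on receive and
right on send.
"""
import struct

WSCALE_KIND = 3        # option kind of the window scale option
WSCALE_MAX_SHIFT = 14  # RFC 7323 caps the shift so the scaled window stays below 2**30


def encode_wscale_option(shift: int) -> bytes:
    """Build the 3-byte option (kind, length, shift) placed in a SYN segment."""
    if not 0 <= shift <= WSCALE_MAX_SHIFT:
        raise ValueError("shift count must be between 0 and 14")
    return struct.pack("!BBB", WSCALE_KIND, 3, shift)


def parse_tcp_options(options: bytes) -> dict:
    """Walk a TCP options field and return {kind: value bytes}.

    Kinds we do not know are skipped by their length byte, which is the
    'ignore any option it doesn't understand' behaviour mentioned above.
    """
    found = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation, a single padding byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found[kind] = options[i + 2:i + length]
        i += length
    return found


def negotiate_shifts(local_shift: int, peer_syn_options: bytes) -> tuple:
    """Return (send_shift, recv_shift) after the SYN exchange.

    We sent local_shift in our own SYN.  If the peer's SYN (or SYN-ACK) does
    not carry the option, scaling is cancelled and both shifts become 0.
    """
    opts = parse_tcp_options(peer_syn_options)
    if WSCALE_KIND not in opts:
        return (0, 0)
    value = opts[WSCALE_KIND]
    if len(value) != 1:
        raise ValueError("window scale option must carry exactly one byte")
    peer_shift = min(value[0], WSCALE_MAX_SHIFT)   # larger shifts are clamped
    return (local_shift, peer_shift)


def real_window(header_window: int, recv_shift: int) -> int:
    """16-bit window from the peer's header -> real window (left shift by Y)."""
    return header_window << recv_shift


def header_window(local_window: int, send_shift: int) -> int:
    """Real 32-bit local window -> 16-bit header value (right shift by X)."""
    return min(local_window >> send_shift, 0xFFFF)


if __name__ == "__main__":
    # Constructed peer SYN options: MSS 1460, NOP padding, window scale shift 10.
    peer_syn = b"\x02\x04\x05\xb4\x01" + encode_wscale_option(10)
    send_shift, recv_shift = negotiate_shifts(7, peer_syn)
    print("shifts (send X, recv Y):", send_shift, recv_shift)
    print("header 0xFFFF means a real window of", real_window(0xFFFF, recv_shift))
    print("a 1 MiB local window goes in the header as", header_window(1 << 20, send_shift))
```

The clamp in `negotiate_shifts` matters for robustness: a peer can put any byte in the option, and treating a value above 14 as 14 (rather than shifting by it) is what the RFC asks for and keeps the arithmetic inside 32 bits.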
LAN, in networking terms, stands for Local Area Network and refers to a shared communication system to which many computers and other devices are attached. The distinction between this and other networks is that a LAN is limited to a local area.
The first recorded use of LANs was in the 1970s, where they grew from the very first basic networking setups. These consisted of two devices connected by a single network wire, much like a child’s string-and-paper-cup model designed to mimic the telephone. Computer scientists started to ask why limit it to two devices when the same cable could theoretically connect many. There were complications though, and possibly the most basic was finding a mechanism that ensured multiple devices didn’t use the cable at the same time.
The methods used to ensure that use of the cable is shared properly are called ‘medium access controls’, for self-explanatory reasons. There are a variety of these, ranging up to allowing workstations to announce their communications to a central device which controls access and allocates bandwidth as required. In some senses this is similar to the way an individual may buy UK proxy access in order to route their connection privately whilst hiding their own IP address.
Although LANs are normally restricted to a small geographical area, there are different topologies. The simplest, and originally the most common, are the linear bus and the star configuration. The linear bus involves a cable laid throughout a building from one workstation to another, whereas the star configuration has each workstation attached by its own cable to a central location or hub. There are pros and cons to each configuration, and in fact with the most popular networking medium, Ethernet, you can use either topology.
A Local Area Network is actually a connectionless networking configuration. That definition is important: it means that once a device is ready to transmit data it simply releases the data onto the cable and ‘hopes’ that it reaches its destination. In this basic setup there is no initial process to ensure that the data reaches its recipient, nor is there any check to see whether it has been received.
When data is transmitted across the LAN it is packaged into ‘frames’ before being dispatched. At the hardware level each frame is transmitted as a bit stream across the wire. Every device connected to the network will listen to the transmission, although only the intended recipient will actually receive the data. Normally this is the case, but it is possible to transmit to a multicast address, which specifies that all devices on the LAN should receive the data. Higher-level protocols package the data further into datagrams; examples are IP and IPX.
There is no doubt that TCP/IP has transformed our computer networks and played a pivotal role in the expansion of the World Wide Web; however, it is far from perfect. RSVP is an Internet protocol designed to alleviate some of the issues with TCP/IP, particularly regarding delivering data on time and in the right order. This has always been one of TCP/IP’s biggest shortcomings: IP’s ‘best effort’ delivery service has no guarantees, whereas TCP, which is connection-oriented, does guarantee delivery but gives no assurances on the time it takes.
Guaranteed on-time delivery is essential in many modern applications, particularly over the internet, and especially those involving voice and video. Indeed most websites involve large amounts of video and voice data which require fast, reliable and timely delivery whenever possible. Anyone who has tried streaming or downloading from an application like the BBC iPlayer, like this for example, will know how frustrating slow speeds and missing data packets can be.
The issues are well known, and RSVP is an attempt to provide a suitable quality of service for video and voice delivery, particularly across the internet and other large TCP/IP based networks. RSVP works by reserving bandwidth across router-connected networks. It does this by asking each router to keep some of its bandwidth allocated to a particular traffic flow. In some senses it is an attempt to add some of the quality-of-service features of ATM to TCP/IP in order to meet the changing requirements of modern networks.
RSVP is one of the first attempts to introduce quality of service to TCP/IP, but many vendors are looking at introducing other options too. Most of them, like RSVP, focus on reserving bandwidth; however, this isn’t always ideal. The obvious issue is that if you reserve network capacity for a specific traffic flow or connection then the amount available is reduced for all other users and applications. Some of this has been mitigated by the increase in capacity of both corporate networks and individual users’ connections to the internet.
RSVP works by establishing and maintaining bandwidth reservations on a specific network, so it’s not normally a WAN or wide-area solution. The protocol works from router to router, setting up a reservation from each end of the system. It is primarily a signalling protocol, not a routing protocol. If a specific router along the connection cannot provide the requested bandwidth then RSVP will look for an alternative route. Obviously this only works if the routers have RSVP enabled, which many currently do to support this process. Applications can also use this feature by making similar requests.
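A small model of the per-router reservation idea from the paragraphs above, added here as an example; it is not code from the original post and it is not RSVP's actual Path/Resv message format. It shows the two points the text makes: capacity reserved for one flow is taken away from everything else on that router, and when a router on the preferred path refuses the request the reservation is rolled back and the next candidate path is tried. Router names, capacities and the route table are constructed.

```python
"""Added example, not from the original post and not RSVP's wire protocol:
a simplified model of hop-by-hop bandwidth reservation across routers.
"""


class Router:
    def __init__(self, name: str, capacity_mbps: float):
        self.name = name
        self.capacity = capacity_mbps
        self.reservations = {}        # flow id -> Mbps held for that flow

    def available(self) -> float:
        """Capacity left for everyone else (best-effort traffic)."""
        return self.capacity - sum(self.reservations.values())

    def admit(self, flow_id: str, mbps: float) -> bool:
        """Admission control: hold the bandwidth only if it is really free."""
        if self.available() < mbps:
            return False
        self.reservations[flow_id] = mbps
        return True


class Network:
    def __init__(self, routers, routes):
        self.routers = {r.name: r for r in routers}
        self.routes = routes          # (src, dst) -> list of candidate paths, preferred first

    def reserve(self, src: str, dst: str, flow_id: str, mbps: float):
        """Signal the reservation router by router; on refusal roll back and try the next path."""
        for path in self.routes[(src, dst)]:
            admitted = []
            for name in path:
                if self.routers[name].admit(flow_id, mbps):
                    admitted.append(name)
                else:
                    for done in admitted:           # undo the partial reservation
                        del self.routers[done].reservations[flow_id]
                    break
            else:                                   # every hop admitted the flow
                return list(path)
        return None

    def release(self, flow_id: str) -> None:
        """Tear down a reservation so the capacity returns to the shared pool."""
        for r in self.routers.values():
            r.reservations.pop(flow_id, None)

    def available(self, name: str) -> float:
        return self.routers[name].available()


def demo_network() -> Network:
    """Constructed topology: C is a slow router on the preferred path A-C-D."""
    routers = [Router("A", 10), Router("B", 10), Router("C", 4), Router("D", 10)]
    routes = {("A", "D"): [["A", "C", "D"], ["A", "B", "D"]]}
    return Network(routers, routes)


if __name__ == "__main__":
    net = demo_network()
    print(net.reserve("A", "D", "video-1", 5))   # C cannot admit 5 Mbps, so A-B-D is used
    print(net.reserve("A", "D", "video-2", 5))
    print(net.reserve("A", "D", "voice-1", 3))   # A is now fully reserved
    net.release("video-1")
    print("left on A after release:", net.available("A"))
```

The third request is refused outright even though every router still has spare raw capacity for best-effort traffic in a real network; that is the cost the text describes, reserved bandwidth is unavailable to everyone else for as long as the reservation stands, which is why `release` matters as much as `reserve`.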
Any computer that has network connectivity usually offers services to users, both remotely and locally. Typically the computer offers these by running a number of locally hosted services. In a TCP/IP network, the services are usually made available via ports on the local computer. When a computer connects to access a particular service, an end-to-end connection is normally established and a socket is set up at each end of the connection. In simple terms you can think of the socket as a telephone at each end of a line and the port as a specific telephone number.
Most common services are found at a predetermined port number; in fact the port number can act as an identifier of the service. It’s important to remember that although these port number assignments are normally followed, there is no strict enforcement of them. Although it is likely that an FTP server is listening on port 21, there is no actual guarantee that this is true. These predetermined port assignments are commonly followed though, and following them is usually considered best practice. In some senses it makes network management functions much simpler than if non-standard ports are used, which makes identifying roles and services harder.
For instance, most people would expect a service running on port 80 to be an HTTP server, although there is nothing to stop some other service using it.
Republished from archive of Thomas Riemer’s Port Numbers page
The Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. While the IANA can not control uses of these ports it does register or list uses of these ports as a convenience to the community.
To the extent possible, these same port assignments are used with the UDP [RFC768].
afs3-callback 7001/tcp callbacks to cache managers
afs3-callback 7001/udp callbacks to cache managers
afs3-prserver 7002/tcp users & groups database
afs3-prserver 7002/udp users & groups database
afs3-vlserver 7003/tcp volume location database
afs3-vlserver 7003/udp volume location database
afs3-kaserver 7004/tcp AFS/Kerberos authentication service
afs3-kaserver 7004/udp AFS/Kerberos authentication service
afs3-volser 7005/tcp volume management server
afs3-volser 7005/udp volume management server
afs3-errors 7006/tcp error interpretation service
afs3-errors 7006/udp error interpretation service
afs3-bos 7007/tcp basic overseer process
afs3-bos 7007/udp basic overseer process
afs3-update 7008/tcp server-to-server updater
afs3-update 7008/udp server-to-server updater
afs3-rmtsys 7009/tcp remote cache manager service
afs3-rmtsys 7009/udp remote cache manager service
ups-onlinet 7010/tcp onlinet uninterruptible power supplies
ups-onlinet 7010/udp onlinet uninterruptible power supplies
font-service 7100/tcp X Font Service
font-service 7100/udp X Font Service
fodms 7200/tcp FODMS FLIP
fodms 7200/udp FODMS FLIP
sd 9876/tcp Session Director
sd 9876/udp Session Director
biimenu 18000/tcp Beckman Instruments, Inc.
biimenu 18000/udp Beckman Instruments, Inc.
dbbrowse 47557/tcp Databeam Corporation
dbbrowse 47557/udp Databeam Corporation
[RFC768] Postel, J., “User Datagram Protocol”, STD 6, RFC 768, USC/Information Sciences Institute, August 1980.
[RFC793] Postel, J., ed., “Transmission Control Protocol – DARPA Internet Program Protocol Specification”, STD 7, RFC 793, USC/Information Sciences Institute, September 1981.
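A parser for the services-style list above, and the check that follows from the point made earlier that a registered name is a convention rather than a guarantee. This is an added example, not code from the original post or from IANA: the listener inventory, the host names and the "expected process" hints are constructed, and the audit does nothing more than pair each listening socket with its registered name and flag the two cases an operator should look at.

```python
"""Added example, not from the original post: parse a port registry written
as 'name port/proto description' lines and use it to annotate a constructed
inventory of listening sockets.
"""

PORT_TABLE = """\
afs3-callback 7001/tcp callbacks to cache managers
afs3-prserver 7002/tcp users & groups database
afs3-vlserver 7003/tcp volume location database
font-service 7100/tcp X Font Service
sd 9876/udp Session Director
"""


def parse_port_table(text: str) -> dict:
    """Return {(port, proto): (name, description)}; malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        if not port.isdigit():
            continue
        description = parts[2] if len(parts) == 3 else ""
        table[(int(port), proto.lower())] = (parts[0], description)
    return table


def registered_name(table: dict, port: int, proto: str):
    """The registered service name for a port, or None if nothing is registered."""
    entry = table.get((port, proto.lower()))
    return entry[0] if entry else None


# Constructed listener inventory: (host, port, proto, process reported by the host).
INVENTORY = [
    ("srv1", 7001, "tcp", "fileserver"),
    ("srv1", 7100, "tcp", "xfs"),
    ("srv2", 7002, "tcp", "nc"),
    ("srv2", 4444, "tcp", "nc"),
]

# Constructed hints: process names we consider normal behind a registered name.
EXPECTED_PROCESS = {
    "afs3-callback": {"fileserver"},
    "afs3-prserver": {"ptserver"},
    "font-service": {"xfs"},
}


def audit(table: dict, inventory, expected=EXPECTED_PROCESS) -> list:
    """One finding per listener, with a verdict the operator can act on.

    'unregistered port' means nobody claims the port, so the process has to be
    identified by hand; a mismatch means the port name and the process behind it
    disagree, which is exactly the 'no guarantee' case the text warns about.
    """
    findings = []
    for host, port, proto, process in inventory:
        name = registered_name(table, port, proto)
        if name is None:
            verdict = "unregistered port"
        elif name in expected and process not in expected[name]:
            verdict = "registered as %s but served by %s" % (name, process)
        else:
            verdict = "ok"
        findings.append({"host": host, "port": port, "proto": proto,
                         "process": process, "registered": name, "verdict": verdict})
    return findings


def needs_review(findings) -> list:
    return [f for f in findings if f["verdict"] != "ok"]


if __name__ == "__main__":
    for f in audit(parse_port_table(PORT_TABLE), INVENTORY):
        print(f["host"], f["port"], f["proto"], f["registered"], "->", f["verdict"])
```

The registry lookup alone would never have flagged `srv2:7002`; it is the comparison with what is actually listening that does, which is the practical consequence of port assignments being unenforced.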
There are actually quite a lot of reverse proxy servers in use throughout large corporate networks, serving a variety of purposes. However, there are two distinct roles for which they are commonly used:
replicating content to geographically dispersed areas
replicating content for load balancing
It’s a function that is not always considered for proxies; however, content distribution is a logical function for any proxy server. In fact a reverse proxy can even be used to establish multiple replicas of a single master server in diverse locations. Take for example a multinational company with offices in countries all over the world.
It would be difficult for a single server holding company-wide data like templates, policies and procedures to serve the entire company, yet it is imperative that the integrity of every ‘copy’ is maintained. Reverse proxies could be set up at each branch with a slightly different address, perhaps including the location in the name. These reverse proxies would pull their data from the master, ensuring they were all identical.
This is quite an efficient use of the proxy, reducing bandwidth requirements across the network. However, the reverse proxies must be configured to pull changes from the master very frequently in order to ensure any changes are replicated quickly. In fact it would usually be safer for the master server to push changes to the reverse proxies in order to ensure this.
The configuration can be completed by updating specific DNS entries in each zone. This would mean that www.master.com could be resolved from all of the physical locations, and a location-specific name such as london.master.com could be resolved to point at the master server instead.
As mentioned, the main issue is ensuring that changes are replicated efficiently and accurately. In fact replication is perhaps a little too advanced a term, as really the proxies are merely caching information and updating it. So when the master server’s content is modified, it would push out the changes to any of the proxies that are online: messages would be sent to the UK online proxy here, then to the Asian proxy and so on.
The other main use is of course load balancing for something like a heavily loaded web server. Any request received from a client is distributed across the multiple reverse proxies using methods like DNS round robin. This ensures that requests are spread out evenly and that no single reverse proxy becomes overloaded. This often happened when static lists were used in rotation, as the same proxy servers would receive requests too frequently.
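A toy model of both reverse proxy roles described in this post, added as an example; it is not code from the original post. It assumes a master that pushes each change together with a SHA-256 digest so a replica can refuse a copy that does not match (the integrity requirement above), a replica that was offline for a push and has to find out what it missed, and a round-robin picker that skips replicas which are down. Replica names, paths and content are constructed.

```python
"""Added example, not from the original post: master-to-replica push with a
digest check, resynchronisation of a replica that missed a push, and a
round-robin picker over the replicas that are online.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Replica:
    def __init__(self, name: str):
        self.name = name
        self.online = True
        self.cache = {}               # path -> bytes

    def receive(self, path: str, data: bytes, expected_digest: str) -> None:
        """Accept a pushed copy only if it hashes to what the master announced."""
        if digest(data) != expected_digest:
            raise ValueError("%s: digest mismatch for %s, copy refused" % (self.name, path))
        self.cache[path] = data

    def stale_paths(self, master) -> list:
        """Paths where this replica's copy is missing or differs from the master's."""
        return [p for p, d in master.content.items()
                if p not in self.cache or digest(self.cache[p]) != digest(d)]

    def resync(self, master) -> list:
        """Pull whatever was missed while offline; returns the paths refreshed."""
        missed = self.stale_paths(master)
        for p in missed:
            self.receive(p, master.content[p], digest(master.content[p]))
        return missed


class Master:
    def __init__(self, replicas):
        self.content = {}
        self.replicas = list(replicas)

    def publish(self, path: str, data: bytes) -> list:
        """Store new content and push it to every replica that is online."""
        self.content[path] = data
        d = digest(data)
        pushed = []
        for r in self.replicas:
            if r.online:
                r.receive(path, data, d)
                pushed.append(r.name)
        return pushed


class RoundRobin:
    """Hand out replicas in turn, skipping any that are offline."""

    def __init__(self, replicas):
        self.replicas = list(replicas)
        self.next = 0

    def pick(self) -> Replica:
        for _ in range(len(self.replicas)):
            r = self.replicas[self.next % len(self.replicas)]
            self.next += 1
            if r.online:
                return r
        raise RuntimeError("no replica online")


if __name__ == "__main__":
    london, singapore = Replica("london"), Replica("singapore")
    master = Master([london, singapore])
    print(master.publish("/policies/security.txt", b"version 1"))
    singapore.online = False
    print(master.publish("/templates/letter.doc", b"version 1"))   # only london gets it
    singapore.online = True
    print(singapore.stale_paths(master), singapore.resync(master))
    rr = RoundRobin([london, singapore])
    print([rr.pick().name for _ in range(4)])
```

The digest travelling with the push is what turns "the proxies pull from the master" into a copy whose integrity can be checked rather than assumed; in a real deployment the digest would be signed or fetched over an authenticated channel, since a digest sent alongside tampered content by the same party proves nothing.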
John Severn often sneaks off work to travel somewhere hot. After all, he just needs to change his IP address to the United Kingdom and no one will notice his emails are coming from the Costa del Sol, next to a pool.
For years people have used VPNs for all sorts of reasons, but their origin lies quite simply in the security they provide. International companies will normally insist that their employees use a VPN when connecting remotely back to company servers over the internet. It makes sense; otherwise important information and credentials would be entrusted to the owners of a coffee shop’s wifi or the administrator of your local Premier Lodge or hotel chain.
The concept is simple: create an encrypted tunnel which ensures that all the data which would normally be passed in clear text is instead encrypted and unreadable. Of course, this security means that as well as being safe from computer criminals and identity thieves it’s also secure from intelligence services and state-controlled snoopers. It should come as no surprise that anyone who opposes free speech generally hates VPNs and the protection they give.
So when we hear stories about different organisations and companies, from Netflix to the Chinese Government, trying to block VPNs, what are they doing? Well, it depends. Obviously the situation that leads to thousands of reports of a BBC iPlayer VPN not working is going to be slightly different from the Chinese throwing billions at the Great Firewall of China. However, the general techniques are basically the same, as even a small company wants to achieve the same thing.
One of the most common options is to block the ports used by these services. Most VPN tunnelling protocols operate on standard ports, e.g. PPTP or L2TP. They need to establish these connections to transfer and receive data; without them the service won’t function. Other methods include identifying and blocking specific IP addresses or ranges which are being used by VPN services. It is these two methods that are mostly used by the big media companies like Hulu and the BBC.
These methods can be time consuming though; it’s possible to switch address, and some services allow you to configure alternative ports too. The Chinese Government, as you would expect, have gone one step further and use more sophisticated techniques like deep packet inspection. This involves looking at the data itself to identify whether a VPN is being used to transport it. For example, if you are unable to read any of the data because none of it is in clear text, then there is a likelihood that it is being encrypted. Of course, there are other methods which encrypt data, like SSL, so you need to be careful that you don’t block other traffic; it’s a risk that the Chinese would probably be happy to take, however.
Even these methods are not foolproof, and VPN companies can scramble things like the metadata to make identifying the use of a VPN even harder. It is worth noting that many people in China still use VPNs routinely, and so if the huge resources available to the Chinese state can’t block their use, we should be OK to have a BBC VPN like this for the foreseeable future.
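The "none of it is in clear text, so it is probably encrypted" heuristic from the deep packet inspection paragraph, as an added example that is not code from the original post, implemented as a Shannon entropy check on packet payloads. It also demonstrates the false positive the text warns about: a TLS record carrying ordinary HTTPS scores just as high as a VPN tunnel, so a network operator using this check alone cannot tell the two apart. All payloads are constructed; the "ciphertext" is a SHA-256 chain standing in for real encrypted bytes, and the threshold is an assumed value.

```python
"""Added example, not from the original post: an entropy heuristic for
'does this payload look encrypted?', with the TLS false positive shown.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 6.5     # assumed cut-off in bits per byte; text sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a constant stream, at most 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the byte distribution is too flat to be text, headers or most media."""
    return shannon_entropy(payload) >= threshold


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (no real key or cipher involved)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads.
PLAIN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")
TUNNEL_LIKE = pseudo_random(512)
# A TLS application-data record: type 0x17, version 3.3, 2-byte length, then ciphertext.
TLS_RECORD = b"\x17\x03\x03" + (512).to_bytes(2, "big") + pseudo_random(512, b"tls")


def classify(samples: dict) -> dict:
    """Map each sample name to whether the heuristic flags it as encrypted."""
    return {name: looks_encrypted(p) for name, p in samples.items()}


if __name__ == "__main__":
    samples = {"plain HTTP": PLAIN_HTTP, "tunnel-like": TUNNEL_LIKE, "TLS record": TLS_RECORD}
    for name, payload in samples.items():
        print(f"{name:12s} entropy {shannon_entropy(payload):.2f} flagged={looks_encrypted(payload)}")
```

The output shows the problem in one line: both the tunnel and the TLS record are flagged, so a rule that drops "anything with entropy above 6.5" also drops every HTTPS session. Real inspection engines therefore combine entropy with protocol parsing (recognising the TLS record header, for instance) before deciding anything, and even then the text's observation stands that a tunnel can be dressed up to look like something else.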