Asymmetric routing and campus firewall

the problem

Despite Zhejiang University having a clear university-wide policy on domain registration, a Haining campus Information Technology Services (ITS) officer Z told me the campus has its own policy that refuses to follow due to 'security concern'. In other words, the Haining campus refuses to assist with University domain reverse proxy, such that any user who wants to have an Internet-accessible server will have to have its server located elsewhere. In my situation, it means an extra ¥2200/year cost to rent a VPS from ZJU main campus.

The actual scenario is, the Haining campus has internal connections with other ZJU campuses. In my situation, with the service still deployed on a local server, with a forwarded proxy from main campus VPS, any security breach would still happen locally, meaning the 'security concern' is nothing but a poorly made excuse.

Well, since the administrative board is not responsible for users in a typical Chinese-style organization, I will have to fix this issue by myself.

Interestingly, the reverse proxy can be actually configured from the main campus alone, and it should work without problem. So I circumvent the Haining campus ITS and registered a domain reverse proxy directly with the main campus.

The result is, strange. I noticed the server is indeed Internet accessible when applying for an HTTPS certificate, but local tests show that it can not be accessed from within China. In other words, it is accessible only from abroad.

the cause

I spent an entire afternoon trying to figure out why, and with hints from the main campus IT support and traceroute output, I finally discovered that the problem lies in asymmetric routing.

More detailly, all outgoing traffic from the Haining campus is redirected according to its destination. Traffic going abroad is going through the main campus exit, while others directly through the local campus exit. Now since the incoming traffic is all from the main campus entrance, this path is symmetrically routed, and the other one is not. The asymmetric routing will be blocked by the firewall due to DDOS attack prevention.

the fix

Now that I know the cause of the problem, the dillema arises that I still need Haining campus ITS's assistance to fix the issue. I need to make sure even those administrative roles like Z saw my request, they would not understand my true purpose. Considering Z's earlier response, she was either in an administrative position, or is really rookie in the network engineering field, both case I bet she would not want, or be designated to look into some issues too technical to understand.

A ticket is then sent to the Haining campus ITS to request all outgoing traffic of a specific ip to go through the main campus network gateway 'due to asymmetric routing' for 'research purpose, and to avoid incidental firewall block', together with some specified gateway ip I got from traceroute log. It turned out Z was not designated to the ticket.

Now that this is an existed routing, they accepted the reqest 'after requesting superior instruction'. Problem solved.

the bureaucracy

The is a typical bureaucracy 'there are policies and measures to counter' incident.

It turned out, I got lucky because incompetent officer like Z is indeed, incompetent. But this also means tragedy for all those who can not conceive a counter, and thus have to live with trash policies made by those incompetent officers.

On the other hand, trash policy actually works because not enough people know how to counter it, so the incompetent officer can remain in position.

To knowledge.