l*y
1
imho blocking skype is easy for enterprise, but not easy for ISP. skype uses
udp extensively, with a stun-like protocol. so ISPs will have a problem. for
enterprise, outgoing traffic will be blocked anyway, and http/web access is
proxied. so as long as your web proxy (such as bluecoat) blocks non-http
traffic going over port 80/443, skype will not work. (contrary to what lots of
popular magazines say)
z*r
2
One good thing is, more and more traffic management boxes can easily block
this p2p traffic based on the traffic pattern instead of the packet header

m*t
3
good detail in the paper. I guess to block skype, blocking its login server
connection should do since that is centralized.

【z**r wrote:】
: One good thing is, more and more traffic management boxes can easily block
: this p2p traffic based on the traffic pattern instead of the packet header

l*y
4
got a link for the columbia paper?
my ethereal cap shows the skype client sending to a bunch of IPs via udp the
moment it started, and it does wait for the first to respond before it sends
the next one. so, i'm guessing it has some super-nodes hard-coded in the
installer/app, but there is a functionality to update the list of super-nodes,
based on feedback.
btw, to become a super-node you'll have to satisfy some criteria. i don't
think a pc behind NAT or firewall can ever become a super-node. tha

【z**r wrote:】
: One good thing is, more and more traffic management boxes can easily block
: this p2p traffic based on the traffic pattern instead of the packet header

z*r
5
I think the UDP traffic you saw is the STUN detecting traffic? the link is,
arxiv.org/pdf/cs.NI/0412017

【l***y wrote:】
: got a link for the columbia paper?
: my ethereal cap shows the skype client sending to a bunch of IPs via udp the
: moment it started, and it does wait for the first to respond before it sends
: the next one. so, i'm guessing it has some super-nodes hard-coded in the
: installer/app, but there is a functionality to update the list of super-nodes,
: based on feedback.
: btw, to become a super-node you'll have to satisfy some criteria. i don't
: think a pc behind NAT or firewall can ever become a super-node. tha

z*r
6
Not all enterprises use proxies

【l***y wrote:】
: imho blocking skype is easy for enterprise, but not easy for ISP. skype uses
: udp extensively, with a stun-like protocol. so ISPs will have a problem. for
: enterprise, outgoing traffic will be blocked anyway, and http/web access is
: proxied. so as long as your web proxy (such as bluecoat) blocks non-http
: traffic going over port 80/443, skype will not work. (contrary to what lots of
: popular magazines say)

m*t
7
interesting, are you saying Skype runs over TCP port 80? or even worse if it
is 443 encrypted, i guess it is very difficult to tell? However, how does Skype do
the call control/signaling? Isn't skype using at least a signaling server?

【l***y wrote:】
: imho blocking skype is easy for enterprise, but not easy for ISP. skype uses
: udp extensively, with a stun-like protocol. so ISPs will have a problem. for
: enterprise, outgoing traffic will be blocked anyway, and http/web access is
: proxied. so as long as your web proxy (such as bluecoat) blocks non-http
: traffic going over port 80/443, skype will not work. (contrary to what lots of
: popular magazines say)

z*r
8
skype p2p engine randomly selects the port number upon installation in
addition to 80/443. And it encrypts the data using AES.
skype uses STUN and TURN to determine the type of NAT and firewall it's behind,
so it works pretty well in this situation.
However, if the gateway is a proxy, I am not clear about how STUN and TURN can
work with the proxy.
Normally the reason to block skype is about the security, skype cannot prevent
itself from becoming a Super Node, that's why a lot of ppl don't like it

【l***y wrote:】
: got a link for the columbia paper?
: my ethereal cap shows the skype client sending to a bunch of IPs via udp the
: moment it started, and it does wait for the first to respond before it sends
: the next one. so, i'm guessing it has some super-nodes hard-coded in the
: installer/app, but there is a functionality to update the list of super-nodes,
: based on feedback.
: btw, to become a super-node you'll have to satisfy some criteria. i don't
: think a pc behind NAT or firewall can ever become a super-node. tha

l*y
9
call control is encrypted. and it can use port 80/443 for that. however, it's
not riding http and it's not TLS. our enterprise proxy actually drops them on
the floor.

【m**t wrote:】
: interesting, are you saying Skype runs over TCP port 80? or even worse if it
: is 443 encrypted, i guess it is very difficult to tell? However, how does Skype do
: the call control/signaling? Isn't skype using at least a signaling server?
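
The check described in posts 1 and 9 (drop traffic on 80/443 that is neither HTTP nor TLS), sketched as an added example that is not part of the original thread. It assumes the inspection point sees the first bytes a client sends and keys the expected protocol on the destination port; all function names and sample payloads are constructed for illustration.

```python
# Added example: classify the first bytes a client sends on port 80/443.
# Sample payloads are constructed for illustration, not captured traffic.

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")


def looks_like_http(data: bytes) -> bool:
    """True if data begins with a well-formed HTTP/1.x request line."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    return (len(parts) == 3
            and parts[0] in HTTP_METHODS
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS record carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (content_type == 0x16           # handshake record
            and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 16384
            and data[5] == 0x01)           # handshake type: ClientHello


def classify(data: bytes) -> str:
    if looks_like_http(data):
        return "http"
    if looks_like_tls_client_hello(data):
        return "tls"
    return "other"


def proxy_verdict(port: int, data: bytes) -> str:
    """Drop anything on 80 that is not HTTP, or on 443 that is not TLS."""
    expected = {80: "http", 443: "tls"}.get(port)
    return "allow" if expected and classify(data) == expected else "drop"


# Constructed samples: an HTTP request, a ClientHello prefix, opaque bytes.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("160301002a010000260303") + bytes(36)
OPAQUE_SAMPLE = bytes.fromhex("8f3a c41e 77d0 02b9 5be6 19aa 40f3 c2d7")
```

An encrypted stream that carries neither an HTTP request line nor a TLS record header classifies as "other" and is dropped on both ports, whatever its payload.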

z*r
10
One good thing is, more and more traffic management boxes can easily block
this p2p traffic based on the traffic pattern instead of the packet header

【z**r wrote:】
: skype p2p engine randomly selects the port number upon installation in
: addition to 80/443. And it encrypts the data using AES.
: skype uses STUN and TURN to determine the type of NAT and firewall it's behind,
: so it works pretty well in this situation.
: However, if the gateway is a proxy, I am not clear about how STUN and TURN can
: work with the proxy.
: Normally the reason to block skype is about the security, skype cannot prevent
: itself from becoming a Super Node, that's why a lot of ppl don't like it

m*t
11
Reading into skype's homepage http://www.skype.com/products/explained.html
It is very vague. i am not a P2P expert, don't understand how the initial
directory or "super nodes" get located/published for a skype user to start up

【z**r wrote:】
: One good thing is, more and more traffic management boxes can easily block
: this p2p traffic based on the traffic pattern instead of the packet header
