l***y  Posts: 791 | 1
imho blocking skype is easy for enterprise, but not easy for ISP. skype uses udp extensively, with a stun-like protocol. so ISPs will have a problem. for enterprise, outgoing traffic will be blocked anyway, and http/web access is proxied. so as long as your web proxy (such as bluecoat) blocks non-http traffic going over port 80/443, skype will not work. (contrary to what lots of popular magazines say)

z**r  Posts: 17771 | 2
One good thing is, more and more traffic management boxes can easily block that p2p traffic based on the traffic pattern instead of packet header

m**t  Posts: 1292 | 3
good detail in the paper. I guess to block skype, blocking its login server connection should do since that is centralized.
[Quoting z**r's post]
: One good thing is, more and more traffic management boxes can easily block
: that p2p traffic based on the traffic pattern instead of packet header

l***y  Posts: 791 | 4
got a link for the columbia paper?
my ethereal cap shows the skype client sending to a bunch of IPs via udp the moment it started, and it does wait for the first to respond before it sends the next one. so, i'm guessing it has some super-node hard-coded in the installer/app, but there is a functionality to update the list of super-nodes, based on feedback.
btw, to become a super-node you'll have to satisfy some criteria. i don't think a pc behind NAT or firewall can ever become a super-node. tha
[Quoting z**r's post]
: One good thing is, more and more traffic management boxes can easily block
: that p2p traffic based on the traffic pattern instead of packet header

z**r  Posts: 17771 | 5
I think the UDP traffic you saw is the STUN detecting traffic? the link is, arxiv.org/pdf/cs.NI/0412017
[Quoting l***y's post]
: got a link for the columbia paper?
: my ethereal cap shows the skype client sending to a bunch of IPs via udp the
: moment it started, and it does wait for the first to respond before it sends
: the next one. so, i'm guessing it has some super-node hard-coded in the
: installer/app, but there is a functionality to update the list of super-nodes,
: based on feedback.
: btw, to become a super-node you'll have to satisfy some criteria. i don't
: think a pc behind NAT or firewall can ever become a super-node. tha

z**r  Posts: 17771 | 6
Not all enterprises use proxies
[Quoting l***y's post]
: imho blocking skype is easy for enterprise, but not easy for ISP. skype uses
: udp extensively, with a stun-like protocol. so ISPs will have a problem. for
: enterprise, outgoing traffic will be blocked anyway, and http/web access is
: proxied. so as long as your web proxy (such as bluecoat) blocks non-http
: traffic going over port 80/443, skype will not work. (contrary to what lots of
: popular magazines say)

m**t  Posts: 1292 | 7
interesting, are you saying Skype runs over TCP port 80? or even worse if it is 443 encrypted, i guess it is very difficult to tell? However how does Skype do the call control/signaling? Isn't skype using at least a signaling server?
[Quoting l***y's post]
: imho blocking skype is easy for enterprise, but not easy for ISP. skype uses
: udp extensively, with a stun-like protocol. so ISPs will have a problem. for
: enterprise, outgoing traffic will be blocked anyway, and http/web access is
: proxied. so as long as your web proxy (such as bluecoat) blocks non-http
: traffic going over port 80/443, skype will not work. (contrary to what lots of
: popular magazines say)

z**r  Posts: 17771 | 8
skype p2p engine randomly selects the port number upon installation in addition to 80/443. And it encrypts the data using AES.
skype uses STUN and TURN to determine the type of NAT and firewall it's behind, so it works pretty well in this situation.
However, if the gateway is a proxy, I am not clear about how STUN and TURN can work with the proxy.
Normally the reason to block skype is about the security, skype cannot prevent itself becoming a Super Node, that's why a lot of ppl don't like it
[Quoting l***y's post]
: got a link for the columbia paper?
: my ethereal cap shows the skype client sending to a bunch of IPs via udp the
: moment it started, and it does wait for the first to respond before it sends
: the next one. so, i'm guessing it has some super-node hard-coded in the
: installer/app, but there is a functionality to update the list of super-nodes,
: based on feedback.
: btw, to become a super-node you'll have to satisfy some criteria. i don't
: think a pc behind NAT or firewall can ever become a super-node. tha

l***y  Posts: 791 | 9
call control is encrypted. and it can use port 80/443 for that. however, it's not riding http and it's not TLS. our enterprise proxy actually drops them on the floor.
[Quoting m**t's post]
: interesting, are you saying Skype runs over TCP port 80? or even worse if it
: is 443 encrypted, i guess it is very difficult to tell? However how does Skype do
: the call control/signaling? Isn't skype using at least a signaling server?
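
The check described in posts 1 and 9, a gateway that admits only well-formed HTTP on port 80 and a TLS ClientHello on port 443 and drops everything else, can be sketched as follows. This is an added example, not part of the thread and not any vendor's proxy logic; the function names and sample bytes are constructed for illustration.

```python
import re

# HTTP/1.x request line; CONNECT is what an explicit proxy sees for tunnels.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
# Protocol each permitted destination port must carry; any other port is denied.
EXPECTED = {80: "http", 443: "tls"}


def classify(first_bytes: bytes) -> str:
    """Label the first client bytes of a TCP connection: 'http', 'tls' or 'other'."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length (at most 2^14), then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        record_len = int.from_bytes(first_bytes[3:5], "big")
        if 0 < record_len <= 2**14 and first_bytes[5] == 0x01:
            return "tls"
    return "other"


def allow(dst_port: int, first_bytes: bytes) -> bool:
    """Default deny: pass only if the port is permitted and carries its protocol."""
    expected = EXPECTED.get(dst_port)
    return expected is not None and classify(first_bytes) == expected


# Constructed samples (not captured traffic).
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("16030100c8010000c40303") + bytes(32)
OPAQUE_SAMPLE = bytes.fromhex("8f3a61c2d407e95b1c70aa19")  # encrypted-looking payload

if __name__ == "__main__":
    for port, data in [(80, HTTP_SAMPLE), (443, TLS_SAMPLE),
                       (80, OPAQUE_SAMPLE), (443, OPAQUE_SAMPLE)]:
        print(port, classify(data), "allow" if allow(port, data) else "drop")
```

A production proxy parses the full protocol rather than only the first bytes; this shows the conformance decision itself.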

z**r  Posts: 17771 | 10
One good thing is, more and more traffic management boxes can easily block that p2p traffic based on the traffic pattern instead of packet header
[Quoting z**r's post]
: skype p2p engine randomly selects the port number upon installation in
: addition to 80/443. And it encrypts the data using AES.
: skype uses STUN and TURN to determine the type of NAT and firewall it's behind,
: so it works pretty well in this situation.
: However, if the gateway is a proxy, I am not clear about how STUN and TURN can
: work with the proxy.
: Normally the reason to block skype is about the security, skype cannot prevent
: itself becoming a Super Node, that's why a lot of ppl don't like it

m**t  Posts: 1292 | 11
Reading into skype's homepage http://www.skype.com/products/explained.html
It is very vague. i am not a P2P expert, don't understand how the initial directory or "super nodes" get located/published for a skype user to start up
[Quoting z**r's post]
: One good thing is, more and more traffic management boxes can easily block
: that p2p traffic based on the traffic pattern instead of packet header