Skype VoIP Software & Service Reviewed

securitas writes "The Atlantic Monthly's James Fallows reviews Skype VoIP software and the SkypeOut paid Internet telephony service in today's New York Times. Fallows almost raves about the software and service, writing, 'Skype, a made-up term that rhymes with "tripe," is the most popular and sexiest application of VoIP'. But he acknowledges that 'There is one huge drawback: Skype works best from a fully connected computer, which runs counter to the whole trend of ever more mobile communication.' Fallows interviewed Skype's CEO Niklas Zennstrom, who discussed company plans for 'partnerships with manufacturers of cellphones and personal digital assistants,' to address Skype's mobile limitations - it's currently restricted to Pocket PC. Fallows concludes with a provocative thought about Internet telephony when he writes, 'there are also questions about whether this new form of instant access could become as oppressively intrusive as e-mail often seems.' (Mirror at Taipei Times). Slashdot previously covered reviews of VoIP services Vonage, Packet8 and VoicePulse and profiled Skype."

Skype will kill itself

[anti-NAT]

From an email I just sent to somebody. I could be wrong about the NAT issue, I looked into it about 3 or 4 months ago.

NAT screws up point to point protocols, in particular when both participating end-points are behind NAT boxes. Skype gets around that by bouncing the phone call off of a third "peer" that has a public IP address.

There are a number of drawbacks with this "solution" to NAT problems

(a) your phone call, between NATted peers A and B, relies on a third party C with a public IP address. If C fails, the phone call fails, even though peers A and B still have connectivity, and there may (still) be a direct network path between peers A and B.

(b) C bears a cost of carrying this phone call, yet never receives any benefits. Traffic goes from A to C to B and from B to C to A. C ends up paying (in either $ terms, or reduced bandwidth availablity), yet C isn't part of the converstation. A and B, due to being behind NAT, can never recipricate the role they were provided with by C. In fact, it might appear that A, B and C are peers, but A and B are not. _peer_ means an equal. A and B are not equals when it comes to the value they contribute to the network, so they aren't peers of C. Wind the clock forward a few years, and if NAT deployment continues, these "peer to peer" networks will have more and more "As and Bs", and less and less "Cs". The Cs will continue to have to bare an increased costs without receiving any benefits. That is a disincentive for the Cs to continue to exist. Cs will turn NAT on so they don't suffer any more. Eventually there won't be any Cs. IOW, NAT is going to eventually destroy the Skype "peer to peer" VoIP network... or maybe Skype is relying on that, and eventually will provide a paid "Cs" service. Hmm, that's a nice conspiracy theory.

(c) Even if Skype implements encryption protocols, unless adequate measures are taken (eg, trading _independently verified_ public keys), man-in-the-middle type attacks are possible. Of course, that is possible on the Internet anyway, even with a true "peer to peer" or two party protocol. However, it does require access to the "infrastructure" of the Internet, eg routers, firewals etc, and this access is relatively rare. Bare in mind that both public / private key protocols like RSA, and other key exchange protocols, like Diffie-Hellman, are naturally vulnerable to MITM attacks, which is why the parties have to be independantly verified, outside of the key exchange protocols themselves.

The Skype "anti-NAT" solution actually architects in a "man-in-the-middle" ie. C in the example above. If people don't independantly and properly verify _public keys_, and they usually won't, because it is complicated, and hard to understand what value it adds (which are typical of most security eg, most people don't pick good passwords), all the "Cs" are in ideal positions to listen in on phone calls. Just wait till a proof of concept is announced on Bugtraq, and then see how many script kiddies start disabling NAT so they can listen in on Skype phone calls.

(d) And then there is the whole "proprietory product / customer lock-in problem". Why else would Skype create their own proprietory VoIP solution, when perfectly good ones existed that were open standards, developed via the IETF ?

Making a Firewall-busting VPN

[lkcl]

the principle of skype's [pieyer-teuuuw-pieeeyer] connectivity is this:

1) make a random outgoing connection to 50 or more other machines (not behind firewalls)

2) route incoming traffic BACK down one of those random connections

3) during a call, check whether one of the other random connections has better connectivity, and if so, switch to it.

this is the sort of functionality that needs to be available in open source VPN software.

reason: SIP is pathetic in comparison to Skype.
98% of users don't give a flying fuck about NAT and firewalls (or updates. or anti-virus software. or anti-spam software).

also it's literally impossible for telecoms to cut Skype's VoIP traffic out of the internet to disrupt them from taking money from AT&T, France Telecom, BT etc. by contrast, blocking the SIP port "oops it's so hard to keep good VoIP software running these days"