An Analysis of the Skype Protocol
zib writes "Ever felt a need to peek under the hood of your Skype client? This paper (PDF) explains all the details. Among other issues, it focuses on the NAT capabilities of Skype and audio compression."
What is the deal with supernodes, isn't there a peer to peer protocol that doesn't revolve around supernodes? I don't like the idea of somebody setting up a high-bandwidth machine and routing enough packets to get the entire phone call I'm making and then in their spare time decrypting my phone call.
We need a VoIP method that uses bit torrent and duplicates what you are saying many times, which wastes bandwidth but makes up for the slowness factor. And even still, we need a bit torrent less reliant on supernodes... could a VoIP network function on a P2P network meant to work without supernodes?
Somebody know more details about what the difficulties are in making a P2P network without supernodes? (Assuming there are lots of people on the network).
Privacy issues?
So does Skype do things any differently than the other VOIP providers?
Does this info also apply to Vonage? Broadvoice? Callvantage?
Or do they all have their own proprietary protocols?
I believe the NAT traversal is done by routing via super-nodes which are not behind a NAT or firewall. Is this a valid assumption for the future? In other words, what if every host is behind a NAT or firewall -- it seems that way, given the increased security consciousness of hardware and software makers, that sometime in the near future, firewalling will be the norm and default, not the exception?
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
You can get in on the existing conversation about this paper Here
Do you really want to be running Skype or let it onto your network? At my university Skype has been banned. Here is the reasoning:
Skype Peer to Peer Telephony software is now also prohibited. Skype is a
free application that facilitates free telephone calls through the use of
an internet connection.
Calls made using the system are directed through 'Supernodes', which can be
ordinary PC's with Skype installed. Machines on fast and well connected
Internet feeds like the $Network are likely to automatically become
'Supernodes' and forward a considerable amount of traffic.
This allows Skype to route other people's Voice over IP calls using your
machine and the university internet connection. This is in breach of the
Acceptable Use Policy and could potentially put the university's network
and core business at risk.
Finally, the Skype End User License Agreement (EULA) grants Skype permission
to install and use 3rd party software on computers running Skype. This could
include an array of spyware and adware that is likely to threaten the
privacy of anyone installing this software.
Beep beep.
Strange, I have it installed on my linux machine... and it doesn't have a windows registry... guess I don't have the capability of storing a buddy list.
~/.sig: No such file or directory
let me put a boot in ya sorry ass to hasten your departure
Protocol analysis? I'll analyze that linking to a PDF will give us a chance to analyze a slashdotting.
The real litigious bastards...
Where is the cell phone that utilizes this technology to replace international satellite phones? I noticed Skype needs 2kb u/d for "reasonable quality"... BTW - How can we be sure this would be used for Good and not Evil?
Keep up the great work in the fight for freedom. Crush your liberal enemies.
Okay, I understand the whole AUP piece. I understand that it could be a problem for the network.
What I'm not sure I understand, is how a simple program could "put the University's core business at risk". If that is a publicly funded University, I really object to that statement (it's not a business, a public service. It's nice if it's self funding, but the objective is not to turn a profit), if it's a private University I suppose it is in fact a business. I really don't see how this will in any way interfere with teaching students and collecting fees. While I suppose the degradation of internet service and the raising of ISP charges would affect the bottom line, it surely doesn't affect the ability of the faculty to interact with students.
Kirby
What the f*** is this bullshiat doing on Slashdot?
The program can automatically elevate itself to a Supernode and start chewing bandwidth. Not only that, but it alerts your friendly University system administrator that you may be "sharing copyrighted materials with Kazaa" and you have them frowning at them (and randomly shutting off your port because they believe you have been "hacked") Just use a different free Internet Telephony application.
Wouldn't a series of router hops generally be the most direct route?
FYI, if you want to look at the "registry" info for Skype on Linux, it's in $HOME/.Skype/shared.xml.
Proprietary or not, it works and it's easy to use. Skype does a lot of things differently than SIP. 256 bit AES encryption is strong enough to protect your data well into the near future.
It uses very little bandwidth and those Universities who are banning the software are just kneejerking to a new technology, just showing how far from the academic mission of research and experimentation most colleges have gone. Even more telling is how most Colleges charge exorbitant fees for local and long distance phone calls from student dorm phones. Why would they want to allow a technology onto their network that will mean less money going into their pockets.
As to the bandwidth issues, I think they greatly exaggerate the bandwidth use of a Skype supernode in order to justify their kneejerk reaction to any new technology on their network that does not come with a 3 year agreement with Dell and Microsoft.
Tada:
Google's HTML version
NAT traversal is great, and Skype is nice and solid. We're adding this to our next product. Does anyone know where I could find more documents like this?
Did anyone else notice that their test machines were 200 MHz Pentiums running Windows 2000?
I bet they could only see 5kbytes of traffic because that's all those poor machines could pump out!
Any organization that wants to "manage" their network infrastructure will make policy decisions about what is and isn't an acceptable use.
Bandwidth costs money, period, and you have to prioritize if you have a fixed budget. For Universities, the goals are research and education. That's what the network is there for. Are you learning anything by using Skype? No. Is it advancing research? No.
It's not YOUR network, get over it.
They don't have 'em in now but the EULA's allow this going forward.
These are the same guys who wrote Kazaa which installed 3rd party software which basically stole money from mom & pop websites in affiliate networks.
2 years and no mod points. Join reddit. Because openness is good.
Every gateway may have different timeouts for NAT UDP port binding, right?
The PDF doesn't explain how it's done, but it's rather simple, and is explained in the STUN RFC:
1. Open a socket, and tell the server, hi, i'm here, reply to the same address you received this message from, and tell me what that address is (let's call this address REF_ADDRESS_A).
2. Sleep for some time...
3. Open a second socket, and say, hi, i'm here, reply to the same address you received this message from AND to the old address(REF_ADDRESS_A)
If the first opened socket receives the message as well, this means the binding is still valid.
Increase the timeout and try again.
Otherwise, decrease the timeout and try again.
Eventually, it finds the right timeout for the binding.
Having said that, a proper app should really run this routine periodically, because network elements may change.
I love burekas in the morning
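The timeout search described in the comment above, as an added example that is not part of the original thread or of Skype's client: it runs the three steps against a simulated NAT instead of real sockets. `SimulatedNat`, its idle-expiry model, the port numbers and the 1 to 600 second search bounds are assumptions made for illustration.

```python
import itertools

class SimulatedNat:
    """Toy NAT (assumed model): a UDP mapping dies after `lifetime` idle seconds."""
    def __init__(self, lifetime):
        self.lifetime, self.clock = lifetime, 0
        self.bindings = {}            # internal port -> (public port, last outbound time)
        self.public_ports = itertools.count(40000)

    def send(self, internal_port):
        """Outbound packet: create or refresh the mapping and return the public
        port the server would echo back (REF_ADDRESS_A in the comment above)."""
        entry = self.bindings.get(internal_port)
        expired = entry is None or self.clock - entry[1] > self.lifetime
        public = next(self.public_ports) if expired else entry[0]
        self.bindings[internal_port] = (public, self.clock)
        return public

    def deliver(self, public_port):
        """Inbound packet from the server: internal port reached, or None if expired."""
        for internal, (public, last) in self.bindings.items():
            if public == public_port and self.clock - last <= self.lifetime:
                return internal
        return None

def binding_survives(nat, idle, ports):
    first, second = next(ports), next(ports)   # fresh sockets for every probe
    ref_address_a = nat.send(first)            # step 1: learn our mapped address
    nat.clock += idle                          # step 2: stay silent for `idle` seconds
    nat.send(second)                           # step 3: second socket asks for a reply to A
    return nat.deliver(ref_address_a) == first # did the first socket hear the reply?

def discover_lifetime(nat, low=1, high=600):
    """Binary search for the longest idle time (seconds) whose mapping still works.
    Returns (lifetime, probes); lifetime is None if the mapping expires before `low`."""
    ports, probes = itertools.count(5000), 1
    if not binding_survives(nat, low, ports):
        return None, probes
    while high - low > 1:
        idle = (low + high) // 2
        probes += 1
        if binding_survives(nat, idle, ports):
            low = idle      # binding still valid: try a longer silence
        else:
            high = idle     # binding gone: try a shorter one
    return low, probes

if __name__ == "__main__":
    print(discover_lifetime(SimulatedNat(lifetime=120)))
```

A result equal to `high - 1` only means the mapping outlives the search range. A client would send keepalives well inside the discovered value and repeat the probe periodically, as the comment says.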
Day-pass is required to read.
http://www.salon.com/opinion/feature/2005/01/20/inaugural_satire/index.html
Thanks to distributed hash tables, it is possible to build scalable flat P2P networks.
Supernodes (aka relays) are required as the last resort to get through bad NATs/firewalls.
... is that people don't factor in that computers increase in speed by almost a factor of 2 each 18 months or so. So basically, that's like removing 1 bit from your encryption key every 18 months. Factor that in, and you begin to see cracking time numbers orders of magnitude smaller than before.
So basically, public key encryption should still only be used for things that are time sensitive that no one will care about in 5 years. If that's not the case, then you should think about using extremely large keys, like 4000bit, or use quantum encryption.
There is no such thing as absolute security/secrecy.
I "discovered" Skype, discovered that it was Linux friendly, and tested it sufficiently to find that it was quite adequate to meet my minimal requirements. So, I asked our technical guru to install it in the office where all the machines also use linux and have a look. I work from home, and since we spend a lot of time on the phone I figured we had the potential to save some money.
He muttered that he'd get around to it sometime, so next time I was in the office I installed it myself, and using the USB VOIP handset he had bought about a year ago for this precise purpose we had a little testing session and found it very useable (we also found out that with our wireless lan my laptop could become the most expensive portable phone ever).
So, next day, at home, I go to call him up and find his skype username offline. I mail him and ask him to log back on, to which he replies that he's not going to, he's experimenting with a SIP based solution, and since that's the protocol Skype must use anyway (no amount of argument to the contrary got through) he could set up an improved solution.
We experimented for a week with an Asterisk server and KPhone. It sucked. He bought winmodems to get us external phone access on the system, faffed about for a while, and guess what, many months on, we're still using the phone network and running up the bills.
Now, I'm not arguing that an open source self-managed SIP solution is not the superior option, it almost certainly is. But Skype JUST WORKS.
Oh, yeah, does anyone know the correct pronunciation of Skype? It reads in my head as SKIPE, but a friend of mine insists it's correctly pronounced SKIPPY.
"The dew has clearly fallen with a particularly sickening thud this morning"
I am not saying that they have or will do this. I object to the open-endedness of the agreement. I'm all for free, ubiquitous communication, but I would like to have a vague idea of what will be done to my PC in the process.
Basically, any software that they want to incorporate into Skype they can add without your additional consent. This provision does not explicitly allow them to add software automatically though. That's in Article 2.5 below... If they want to later distribute Skype with Super Duper Toolbar that they don't deem to be part of 2.4(a) or (b) then you will see an agreement for Skype and an agreement for Super Duper Toolbar. You agree that you won't sue Skype when they bundle Super Duper Toolbar, privacy laws change, and you want to sue someone for tracking your activities online and associating it with your name and address in order to sell you [insert performance enhancing substance here.] This is where they reserve the right to change what's on your computer at any time. I don't understand why people enter into this type of agreement for a non-essential product with a company that they have no control over. This concludes your IANAL lesson today. Thanks for joining us.
I would like to see a Skype Asterisk extension.
http://voip-info.org/tiki-index.php?page=bounty%20skype
That would be the real killer POTs killer app.
Can any reverse engineering pro give a hand ?
Skype (http://www.skype.com) or FWD (http://www.freeworlddialup.com/)?
Is this enough reverse engineering that we can code a Skype/SIP protocol gateway component for an Asterisk server? I'm just referring to all the popular VoIP systems like Vonage as "SIP". The important question is can the Skype protocol network be piggybacked to terminate calls initiated by SIP clients like KPhone or Linphone?
--
make install -not war
read about it here: VoIPHigh-SKYPEoverSatelliteDec132004
In related news, The Soros Foundations recently commissioned a study of Skype's security features with an eye towards using the software in civil society sectors. An interesting read: http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/
Nice link. This is a quote from the article: "A CIA nightmare Conversation over SKYPE and RBGAN is at present considered impossible to eavesdrop. Thus it is a very cheap way to get a high-level security for military and business purposes, but the same is unfortunately also true for terrorists and criminals. SKYPE uses AES 256-bit encryption which is impossible to crack with present computer technology. The encryption keys are unique for each transfer and not stored by SKYPE. But beware if you are using SKYPE to call a normal landline or a cell phone - that phone can of course be tapped by others. " Hmmmm, I knew I smelled Trouble!
So what is the difference between BitWise (http://www.bitwisechat.com/) and Skype, apart from the fact that BW is a direct-connect chat/voice application and Skype has the potential to node your comp? Does it have the same problems? Is it lame that with BitWise you have to open a port or two?
Speaking of which, has anyone written a howto for SIP on Linux? I spent ages trying to get it working, and in the end, succeeded (the results are here: http://richardneill.org/voip.html ), but my setup has since broken and I don't know why. I also can't get it working properly from behind NAT.
Skype is not the only voip provider. Some of them actually support standards (sip? iax?). Asterisk supports those.
Don't thank God, thank a doctor!
http://shit.slashdot.org/article.pl?sid=05/01/20/1653217
Skype uses end-to-end cryptography on all calls, up to 2048-bit RSA for the public key exchange and 256-bit AES thereafter.
Skype offers probably the highest strength seamless encryption around.
NAT is a real menace
Yes, but true peer to peer is still possible in many
cases with a little help from a routable 3rd party -
Meet the mediated peer-to-peer a.k.a. hamachi
3.243F6A8885A308D313
You know you can just change the expiration date on the day pass cookie and the day pass will never expire?
It's probably illegal, or something, but it's still funny.
Maybe so, but Skype is the only voip provider that has a free softphone that Just Works cross-platform.
And offers an API.
-I like my women like I like my tea: green-
SN should really stand for "sucker node" ... 90% of these are going to be machines without a firewall, the owners of which are clueless (like, say, my grandma), that are being suckered into forwarding everyone else's traffic.
anyone remember reading this (why was it modded flamebait?) and this a couple of days ago?
Step 5: ???
Step 6: Realize you'll never Profit from this utter Offtopic crap.
You can hold down the "B" button for continuous firing.