Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

An Analysis of the Skype Protocol

Posted by michael on Thu Jan 20, 2005 12:50 PM
from the past-the-firewall-nothing-but-net dept.
Communications Encryption Security Software The Internet
zib writes "Ever felt a need to peek under the hood of your Skype client? This paper (PDF) explains all the details. Among other issues, it focuses on the NAT capabilities of Skype and audio compression."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

An Analysis of the Skype Protocol 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Supernodes? (Score:3, Interesting)

    by gaber1187 (681071) * on Thursday January 20 2005, @12:51PM (#11421541)
    Interesting paper.

    What is the deal with supernodes, isn't there a peer to peer protocol that doesn't revolve around supernodes? I don't like the idea of somebody setting up a high-bandwidth machine and routing enough packets to get the entire phone call I'm making and then in their spare time decrypting my phone call.

    We need a a VoIP method that uses bit torrent and duplicates what you are saying many times, which wastes bandwidth but makes up for the slowness factor. And even still, we need a bit torrent less reliant on supernodes... could a VoIP network function on a P2P network meant to work without supernodes?

    Somebody know more details about what the difficulties are in making a P2P network without supernodes? (Assuming there are lots of people on the network).

    Privacy issues?

    • I don't like the idea of somebody setting up a high-bandwidth machine and routing enough packets to get the entire phone call I'm making and then in their spare time decrypting my phone call.

      Well, I can't read the paper, because I don't have a pdf reader available, but I think they've done the crypto-stuff good enough, so that it's almost impossible to decrypt.
      What is the point of decrypting something if it takes >100.000 years?

    • Re:Supernodes? (Score:2, Funny)

      by Anonymous Coward
      You're going to need a pretty super node to decrypt 256-bit AES.

    • isn't there a peer to peer protocol that doesn't revolve around supernodes?

      Several. Freenet [freenetproject.org] doesn't require supernodes, it is entirely decentralised, the same is true of Dijjer [dijjer.org]. Generally, a P2P application can use a Distributed Hashtable [wikipedia.org] to find information without relying on a centralised server (neither Freenet nor Dijjer use a DHT, although their approach is vaguely similar).

    • I don't think that your phone call data goes through the supernode. From what I understand, the supernode is used to facilitate the connection between two clients which are behind NAT or a firewall. After the supernode hooks you up, it is a direct connection between the two clients, without the supernode involved.

      • In a scenario with two Skype(tm) clients behind NAT firewall/router/whatever that blocks UDP (ie. only allows TCP) I'd really like to hear how you set up a direct connection between the two clients.

        At the very least; In the connection setup the third-party (ie supernode) has to open a server socket that both clients connect to using client sockets. The supernode then forwards information between the two.

        Now what type of magic is used to hook up a direct connection between the two clients ? TCP connecti

        • Re:Supernodes? (Score:3, Informative)

          by drew (2081)
          i've seen someone experimenting with this before. it's actually not too difficult to do once you have two computers that are both trying to set up the connection. how to alert the second computer that the first wants to initiate a connection is the challenge. in this case the supernode seems to be responsible for that aspect.

          basically each computer attempts to initiate a connection to the other computer on a port that has been agreed to in advance. the first computer to attempt will fail, due to the fi
          • however, his firewall will now be expecting return traffic originating from the port that his computer attempted to connect to. therefore, the second connection attempt, from the other computer, will succeed

            Interesting, but I wouldn't expect this technique to defeat anything else than trivial "personal firewalls". Any NAT between the two computers would alter the calling ports and break your assumptions.

            Has anyone actually tried this ?

        • Not necessarily. There exist ways to get through a double NAT environment. We developed one such system for an engineering thesis; for documentation on another see the "STUN" RFC

    • Re:Supernodes? (Score:5, Informative)

      by kuwan (443684) on Thursday January 20 2005, @01:06PM (#11421747) Homepage
      What is the deal with supernodes, isn't there a peer to peer protocol that doesn't revolve around supernodes?

      Because this type of tiered network is what works and scales well to thousands and millions of clients. The original Gnutella protocol was designed not to use "supernodes" or a tiered network structure and it was a miserable failure. The bandwidth and large latency required for all of the clients to communicate with each other (especially ones using 56K modems) easily overcame the usefulness of the network. The current Gnutella protocol now uses a tiered (layered) network where clients can become supernodes and this version actually works with tens to hundreds of thousands of people connected.

      When creating a large, scalable network this type of protocol is what has been proven to work.

      --
      Join the Pyramid - Free Mini Mac [freeminimacs.com]
      • Man, I know it... I used the original gnutella, and man it was soooooo slowwwww... I agree... I think what somebody else said above is possibly correct that the nodes are only used to make the connections, once data starts flowing, it all goes through the normal ip routes...
      • Supernodes aren't the only way, though. I like the concept of a Kademlia-style network. If you have a definitive routing order, you don't have the problem with requests looping back and staying within a small group of peers like they did on Gnutella. That, more than anything, was its fundamental flaw. To try and overcome this, you have to increase the number of hops; this, combined with the latency, is disastrous.

        I've proposed a modification of the basic concept to the kenosis group; we'll have to see

    • Re:Supernodes? (Score:5, Informative)

      by jd (1658) <[moc.oohay] [ta] [kapimi]> on Thursday January 20 2005, @01:15PM (#11421844) Homepage Journal
      The problen with loading the network up is that you increase the latency (spare packets have to be processed enough to know to drop them) and you increase the packet loss overall (because if everyone does this, packet collisions will increase exponentially).


      There are other solutions which'll do essentially what you want. One option is to have connections rotate round-robin style, rather than by bandwidth. That way, if you can go by 5 paths, each path gets 1/5th of the traffic, making it much harder for evesdroppers.


      A second option is to use kernel or userland IPSec, so that all connections are secure. IPSec is pretty solid and it is doubtful anyone would be able to break into such traffic.


      Supernodes are just a load-balancing mechanism. Not a very good one, because it's a two-state system, but it works. Networks have developed routing and QoS protocols to handle exactly the kind of information P2P is approximating with the supernode scheme. It would seem to make much more sense to use mechanisms people have worked on for much longer to get right.

      • The problem is that QoS-aware protocols are not universally deployed, so you can't count on them. Additionally most of the router-based QoS protocols suck. Adding "smarts" to the network infrastructure goes against the original Internet design principles, which dicatated that the network should be as dumb as possible and add the smarts to the end hosts.
    • Yes you could build one without supernodes, but this is a bad approach. To build the best P2P network you need to build the best overlay network (a logical network that operates on top of the physical one). The best way to do this is to assign nodes addresses based on their resource availability, primarily we're concerned with processing power and bandwidth and, depending on the application, latency to other nodes. If you properly address all nodes things turn out great. You can then use distributed rou
    • "Somebody know more details about what the difficulties are in making a P2P network without supernodes?"

      It's not difficult, but the issue is scalability. To have a P2P network scale, you have to have some efficient network structure for shunting data around. Efficient is a relative term; robustness might be the goal here with supernodes.

      For implementations of distributed hash tables, bandwidth certainly isn't the main concern, so those are logically constructed generally without any concept of a supernode

  • How future proof is this? (Score:3, Insightful)

    by Samir Gupta (623651) on Thursday January 20 2005, @12:56PM (#11421601) Homepage
    I believe the NAT traversal is done by routing via super-nodes which are not behind a NAT or firewall. Is this a valid assumption for the future? In other words, what if every host is behind a NAT or firewall -- it seems that way, given the increased security conciousness of hardware and software makers, that sometime in the near future, firewalling will be the norm and default, not the exception?

  • Bad start (Score:5, Informative)

    by Sanity (1431) on Thursday January 20 2005, @12:58PM (#11421633) Homepage Journal
    Skype is a peer-to-peer VoIP client developed by KaZaa...
    KaZaa isn't a company, it is a piece of software. Skype was developed by the same guys that were behind the KaZaa software, but not (to the best of my knowledge) by the company that now owns KaZaa.

  • Skype Banned (Score:5, Interesting)

    by Realistic_Dragon (655151) on Thursday January 20 2005, @12:59PM (#11421655) Homepage
    Do you really want to be running Skype or let it onto your network? At my university Skype has been banned. Here is the reasoning:

    Skype Peer to Peer Telephony software is now also prohibited. Skype is a
    free application that facilitates free telephone calls through the use of
    an internet connection.

    Calls made using the system are directed through 'Supernodes', which can be
    ordinary PC's with Skype installed. Machines on fast and well connected
    Internet feeds like the $Network are likely to automatically become
    'Supernodes' and forward a considerable amount of traffic.

    This allows Skype to route other peoples Voice over IP calls using your
    machine and the university internet connection. This is in breach of the
    Acceptable Use Policy and could potentially put the university's network
    and core business at risk.

    Finally, the Skype End User License Agreement (EULA) grants Skype permission
    to install and use 3rd party software on computers running Skype. This could
    include an array of spyware and adware that is likely to threaten the
    privacy of anyone installing this software.

    • Re:Skype Banned (Score:5, Informative)

      by JJahn (657100) on Thursday January 20 2005, @01:14PM (#11421831)
      I checked out Skype's EULA as found on their website.

      The only thing relating to third party software that I found was this:

      2.4 Third Parties. You acknowledge and agree that the Skype Software may be incorporated into, and may incorporate itself, software and other technology owned and controlled by third parties. Skype emphasizes that it will only incorporate such third party software or technology for the purpose of (a) adding new or additional functionality or (b) improving the technical performance of the Skype Software. Any such third party software or technology that is incorporated in the Skype Software falls under the scope of this Agreement. Any and all other third party software or technology that may be distributed together with the Skype Software will be subject to you explicitly accepting a license agreement with that third party. You acknowledge and agree that you will not enter into a contractual relationship with Skype or its Affiliates regarding such third party software or technology and you will look solely to the applicable third party and not to Skype or its Affiliates to enforce any of your rights.

      Basically, you have to explicitly accept a license agreement with the third party. They say nothing in here about installing and using 3rd party software on your computer without your consent.

    • This is in breach of the Acceptable Use Policy and could potentially put the university's network and core business at risk.

      Okay, I understand the whole AUP piece. I understand that it could be a problem for the network.

      What I'm not sure I understand, is how a simple program could "put the University's core business at risk". If that is a publically funded University, I really object to that statement (it's not a business, a public service. It's nice if it's self funding, but the objective it not

      • A univerity's other core business is performing research in various fields of knowledge, many of this research requires internet/network connections.
        Skype could concievably interfere with the relability and speed of these connections
    • Yeah, but you don't understand what network topology means if you think peers' nodes will be used to relay data.

      Generally speaking, end users are at the very bottom of a long hierarchy of ISPs and pipes. For example: UUNET -> AT&T -> Your local ISP -> You. As such, generally speaking, you are a leaf on a very large tree that may span several classes of IP networks. If a peer were to be used as a super node, it would mean that the data send from A to C would travel like this: A -> ISP -

      • Re:Skype Banned (Score:4, Informative)

        by WolfWithoutAClause (162946) on Thursday January 20 2005, @01:31PM (#11422037) Homepage
        It makes no sense

        Um, actually RTFA.

        In most cases the voice packets go direct leaf node to leaf node.

        However if both are behind NAT firewalls then they can't directly talk to each other, and the Skype protocol seems to pick another Skype users machine (picked by some scheme that probably isn't publically described anywhere) and route the packets through them.

        There's no security problem with doing this (the packets are end-end encrypted), it just takes longer and is more likely to congest, and it takes up bandwidth at the extra users network.

        Really, IMNHO, NAT is a real menace. I'm really looking forward to IPv6 which doesn't have all this garbage; should be here by 2100 I reckon.

      • Yes, it would be nice if you didn't have to go down into the leaves, however, UUNET does not have Skype installed. Nor does the telco or your ISP. Only Skype users have the skype supernode software installed and so only they can act as supernodes.

        This is horribly inefficient, however it is only used if you are behind a firewall or NAT and don't have have the necissary ports open. If you (or the person you are talking to) is on a publically routable IP address then Skype will just make a direct P2P connecti
        • This is teh best explanation of this I can see. I was not aware of the Supernode issue. BUT I can see where this would be a hassle. I wonder if one can change the firewall to only allow outbound coms on the skype ports. That way you would not be useable as a supernode. Also, it seems, to me, that they should make that as a setting in Skype to NOT allow yourself to be a supernode. That should only be allowable if you don't have to use supernodes (ie your ports are open properly).
    • a troll a day keeps the insanity away.. ?

      • Not when you're constructing a P2P overlay which reduces the amount of duplicated packets sent.

        When multicasting data, you reduce the number of packets sent by building a distribution tree between nodes, which either all users share, or have one rooted at each source in the conference. There are many, many ways of doing this, but the end-result is the same. This tree is on the overlay level -- the routers have no knowledge of it. To forward packets across the overlay, they have to be pulled up to the appli
  • Skype stores its buddy information in teh Windows Registry. Buddy list is digitally singed and encrypted.....

    Strange, I have it installed on my linux machine... and it doesn't have a windows registry... guess I dont have the capability of storing a buddy list.

  • Worst thing about Skype. . . (Score:4, Interesting)

    by aarku (151823) on Thursday January 20 2005, @01:17PM (#11421879) Journal
    The program can automatically elevate itself to a Supernode and start chewing bandwidth. Not only that, but it alerts your friendly University system administrator that you may be "sharing copyrighted materials with Kazaa" and you have them frowning at them (and randomly shutting off your port because they believe you have been "hacked") Just use a different free Internet Telephony application.

    • Re:Worst thing about Skype. . . (Score:4, Informative)

      by alirano (793558) on Thursday January 20 2005, @02:01PM (#11422483)
      You can easily avoid becoming a Supernode by not permitting incoming connections to the port Skype has opened for itself. The downside to this is that your calls will now be routed to another supernode, but if you're paying for bandwidth, there may be no way around that. You can still place and receive calls, and the added latency is not worth mentioning in most cases.

      If you run Skype on Linux or Mac OS X, it is reduced to using high ports anyway, so it's easy to block. An example iptables command line would be

      iptables -A INPUT -p tcp --dport 1024: --syn -j DROP
      (Caveat: Check your local servers, use passive FTP, modify this if you actually want to use P2P, etc.)

  • Non-Windows stuff (Score:5, Informative)

    by JohnQPublic (158027) on Thursday January 20 2005, @01:19PM (#11421905)
    FYI, if you want to look at the "registry" info for Skype on Linux, it's in $HOME/.Skype/shared.xml.

  • Don't knock it. (Score:4, Interesting)

    by Facekhan (445017) on Thursday January 20 2005, @01:20PM (#11421914)
    Proprietary or not, it works and its easy to use. Skype does a lot of things differently than SIP. 256 bit AES encryption is strong enough to protect your data well into the near future.

    It uses very little bandwidth and those Universities who are banning the software are just kneejerking to a new technology, just showing how far from the academic mission of research and experimentation most colleges have gone. Even more telling is how most Colleges charge exorbitant fees for local and long distance phone calls from student dorm phones. Why would they want to allow a technology onto their network that will mean less money going into their pockets.

    As to the bandwidth issues, I think they greatly exaggerate the bandwidth use of a Skype supernode in order to justify their kneejerk reaction to any new technology on their network that does not come with a 3 year agreement with Dell and Microsoft.
    • I've seen one Skype supernode in action and was pretty impressed by the bandwidth it was using. It was getting more than 15000 connections an hour, coming close to saturating its 100 mbps pipe. Which is kind of okay if you're paying a flat rate for access, but if you're paying by volume, I suggest that you take measures to avoid becoming a supernode. It's easy enough to do so. (On Linux, just block the high ports you're not using yourself. On OS X, activate that firewall.)
      • I hear this argument all the time and I have heard it when I worked on a .edu network. I always say the same thing. The students pay for internet access in their housing fees and technology fees. It is not something the school provides for free. The mission of the school's network is for academic and research use which includes the free exchange of ideas outside of the classroom and with those outside of the University. So if a University provides a communications medium for which the students pay for as th
      • No in a public university it IS your network. My thing is you should have 2 internet connections through 2 different ISP's. One which BUSINESS happens on and another for the student machines. That way data going in and out of the main administrative and firewalled and vlanned to hell network would not be impacted by student activities and the students can be almost free. You'd still want somethings banned, but most ports should be open (IE, ban NETBIOS and other traffic that some of the worms use).
      • As to the bandwidth costing money. Traditional VOIP does not use very much bandwidth and neither does Skype. It uses less than the client of a multiplayer game. What VOIP does require though is fast, consistent delivery of packets. I have a suspicion that one of the issues that College network administrators are concerned about is that VOIP will expose how inefficient and poorly managed many .edu networks are mostly by virtue of the fact that the higher ups in the .edu tech departments are always people who
      • Are you learning anything by using Skype? No. Is it advancing research? No.

        I use Skype all the time to practice and learn foreign languages, and to collaborate with people located in different regions of the world. I would definately say there are many educational applications for Skype, and banning this software from a network is most probably due to a lack of understanding.

  • Any more docs like this? (Score:3, Funny)

    by PetoskeyGuy (648788) on Thursday January 20 2005, @01:32PM (#11422057)
    NAT tranversal is great, and Skype is nice an solid. We're adding this to our next product. Does anyone know where I could find more documents like this?

  • 200 Mhz (Score:2, Insightful)

    by fist (178568)
    Did anyone else notice that their test machines were 200 Mhz Pentiums running Windows 2000.

    I bet they couldn't only see 5kbytes of traffic because that's all those poor machines could pump out!
  • They don't have 'em in now but the EULA's allow this going forward.

    These are the same guys who wrote Kazaa which installed 3rd party software which basically stole money from mom & pop websites in affiliate networks.
  • Every gateway may have different timeouts for NAT UDP port binding, right?
    The PDF doesn't explain how it's done, but it's rather simple, and is explained in the STUN RFC:
    1. Open a socket, and tell the server, hi, i'm here, reply to the same address you received this message from, and tell me what that address is (let's call this address REF_ADDRESS_A).
    2. Sleep for some time...
    3. Open a second socket, and say, hi, i'm here, reply to the same address you received this message from AND to the old address(REF_A
    • They all run at least SIP. But with them, there is very little reason to try to work on a peer to peer connection since 95% of their traffic is going to terminate over the PSTN, not to another IP phone.

      But, even with that, there is a feature in SIP called "REINVITE" in which two SIP endpoints can renegotiate their media stream paths to send their audio directly to each other and only send call progress messages to the original server (for billing purposes, mainly). Reinvite really only works well if both
      • I do think your wrong about it being tripe and useless. Skype will will succeed, and be around for quite a while.

        Simply because it is so damn easy to use, It has clients for Windows, Mac OS X and Linux, and all you need is the ID of anyone you want to call. No screwing around.

        I ain't no fan boy, but after using SIP and Skype, I know which the majority of users are going to find easier to use.

        Also check out http://www.ilbcfreeware.org/ [ilbcfreeware.org] for the codec.
        • Agreed. I'll believe in SIP when I see a free client for it that's anywhere near as good as Skype. Skype is the only "just works" cross-platform voip solution I've ever seen. Hell, even MSN voicechat is unusable on older versions of Windows since only new versions of windows support the newer versinos of MSN that have NAT traversal.
      • However, what most VoIP solutions seem to lack is the idea that you can install them and 'phone' an IP address. You still need a number, it still traverses over POTS for the most part, and it usually costs. Skype just works over existing networks, and whilst I'm no fan of locking people into one solution Skype does actually work.
      • I "discovered" Skype, discovered that it was Linux friendly, and tested it sufficiently to find that it was quite adequate to meet my minimal requirements. So, I asked our technical guru to install it in the office where all the machines also use linux and have a look. I work from home, and since we spend a lot of time on the phone I figured we had the potential to save some money.

        He muttered that he'd get around to it sometime, so next time I was in the office I installed it myself, and using the USB VOIP

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.