April 26, 2005

Skype NAT Traversal Mystery No More

Many people have claimed that one of the attractive aspects of Skype is that “it just works” behind almost all kinds of NATs and firewalls. It was revealed more than a year ago that the scheme Skype uses is a standard UDP hole punching scheme and that it is no different from what others do using the “dreaded” Session Border Controllers. This was later confirmed by a more scholarly article. Notwithstanding this, the majority of articles treated it as if Skype uses a secret technique. For example, as late as last month Bill Campbell insisted that since Skype has not revealed their method and since Skype claims that the supernodes do not consume more than 5 kbps, relay nodes are not used. Now Skype has released an official booklet where they describe their NAT traversal scheme, which is none other than UDP hole punching (pages 3 and 4). Now that it is settled, let me repeat an implication that could affect Skype.

It is well known that if the NAT/firewall is not symmetric, then one can optimize and eliminate the relay node after the initial exchange. I am sure Skype uses this and that is how it reduces the load on the supernodes and the relay nodes. But if the NAT/firewall is symmetric, then a relay node must be present in the direction of the traffic terminating at that NAT/firewall, for the duration of the session. This increases the amount of bandwidth consumed by the relay node. Since many claim that they just leave a Skype session on forever, and given the fact that Skype does not do voice activity detection (to maintain the NAT/FW binding), eventually Skype users will devise ways to avoid becoming a relay node. Of course, a simple way is to place the Skype client behind a symmetric NAT. If this trend catches on, then Skype has to deploy their own relay nodes, breaking their cost structure. By the way, Skype’s plan to embed clients in the home routers is one way to counter this possibility.

Posted by aswath at April 26, 2005 01:53 AM
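The difference between the two NAT types discussed in the post can be seen in a toy model. This is an added example, not Skype's code or anything from the booklet; the `Nat` class, the `punch` function, the addresses and the port-restricted filtering rule are all assumptions made for illustration.

```python
from itertools import count

SERVER = ("203.0.113.10", 3478)  # constructed rendezvous (supernode) address


class Nat:
    """Toy NAT (assumed model). 'cone' reuses one public port for every
    destination; 'symmetric' allocates a new public port per destination."""

    def __init__(self, public_ip, kind):
        self.ip, self.kind = public_ip, kind
        self._ports = count(40000)
        self.mapping = {}   # mapping key -> public port
        self.allowed = {}   # public port -> remote endpoints we have sent to

    def send(self, dst):
        """Internal host sends to dst; returns the public source endpoint."""
        key = dst if self.kind == "symmetric" else "any"
        if key not in self.mapping:
            self.mapping[key] = next(self._ports)
        port = self.mapping[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.ip, port)

    def accepts(self, src, dst_port):
        """Port-restricted filtering: inbound passes only if the internal
        host has already sent from dst_port to exactly this src endpoint."""
        return src in self.allowed.get(dst_port, set())


def punch(nat_a, nat_b):
    """Return True if A and B get a direct two-way UDP path, False if a
    relay must stay in the media path for the whole session."""
    # 1. Both peers register; the server records their public endpoints.
    seen_a = nat_a.send(SERVER)
    seen_b = nat_b.send(SERVER)
    # 2. Each peer sends to the endpoint the server reported for the other,
    #    which opens a hole in its own NAT.
    src_a = nat_a.send(seen_b)
    src_b = nat_b.send(seen_a)
    # 3. A packet gets in only if it arrives from the endpoint the hole was
    #    opened for. A symmetric NAT used a fresh port in step 2, so the
    #    endpoint learned via the server no longer matches.
    return nat_b.accepts(src_a, seen_b[1]) and nat_a.accepts(src_b, seen_a[1])


if __name__ == "__main__":
    for a, b in [("cone", "cone"), ("symmetric", "cone")]:
        ok = punch(Nat("198.51.100.1", a), Nat("192.0.2.1", b))
        print(f"{a} <-> {b}: {'direct path' if ok else 'relay required'}")
```
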

Comments

Well, there is one extra thing that it seems to do. If it can't get through with UDP, it switches to TCP, and it will do so on ports 80 and 443. Because of this it's the only VoIP app that gets through our firewall at the bank, which is extremely restrictive.

regards, robert

Posted by: robert at April 28, 2005 05:49 AM

Aswath, hi. First it seems you didn't read our patent right, now you can't read the document you yourself are advertising:
+++++++++
However, if both parties to the call are behind restrictive firewalls, then neither party will be able to reach the other directly. This requires the call to be relayed by a third parties who are reachable by both parties to the call. To do this, a small number of Skype users are selected as relay hosts by the Global Index. In this case, both the caller’s and the called party’s computers establish a direct link to these relay computers, as shown in Step 3 of Figure 1-1. Once these connections are established, the caller and called party can communicate because the relay computer will pass data packets between the two parties. One important factor to consider is that even when calls are relayed by third parties, the entire contents of the call, including any voice conversations, text messages or file transfers, are encrypted between the caller and the called party.
++++++++++++

Since most of today's firewalls are symmetrical - then here you go!

Posted by: Dmitry at April 29, 2005 08:31 PM

That’s funny! You just said that in the second section. So you do know how to read articles! It's the design of the blog that is to blame :)))
But isn't it what we said 7 months ago to everyone who wanted to listen? Skype has a problem of deployment when the 60%-40% paradigm changes in the opposite direction, and that's very soon. But our monitoring data indicates they are already deploying that sort of infrastructure. Now what is the difference between Skype and Mr. Bell?

Posted by: Dmitry at April 29, 2005 08:40 PM

Dmitry:

I am sorry I missed your statement from 7 months back. Can you please provide a reference? Thanks.

Posted by: Aswath at April 30, 2005 12:37 AM

On about every corner... Om Malik, for example. There was a special report on his blog about it back in Summer 04... (he said I am trashing Skype - it is not true, I am not at all, far from it actually) and dozens more. We even provided a sniffer packet analysis explaining how insecure it is for enterprises to use that type of FWT.

Posted by: Dmitry at April 30, 2005 09:10 AM



Copyright © 2003-2014 Moca Educational Products.