The recent surge in Internet VoIP carriers such as Skype, Vonage, and Net2phone, has fueled a political debate unforeseen as recently as five years ago. This controversy presents a new plot twist in the ever-unfolding soap opera of government deregulation and who has rights to the last mile of customer wire.

Traditional CLEC providers make most of their money from residential phone and DSL lines. Now they are seeing competition from non-traditional carriers running VoIP services on the very DSL lines funded by the traditional CLECs and cable providers. These third parties pipe phone service down their wires without a penny of revenue to the CLECs that provided that infrastructure.

If you are a savvy reader who keeps up to date with the trade mags, you are likely aware that this controversy has all the human voyeuristic interest normally reserved for tabloids. The players don't have names like Pitt and Hilton, but instead Skype, Qwest, Comcast and Vonage. You likely have seen various editorials and commentaries on two or more sides beating this subject to death.

For now, I am going to leave the debate alone. Let's just focus on the operational strategy: How to deal with specific traffic on a data line and how this can be applied to the special case of Skype.

As CTO of APconnections, a company that specializes in bandwidth control and traffic shaping, I am well informed on the subject of carriers blocking competitors' traffic on their data networks. I am often asked if we can come up with a solution to block (insert evil music here) “Skype” traffic. Skype and Vonage have become the scourge of ISP service providers who are looking to offer phone service for a fee bundled with their data services. The obvious conclusion for the owner of the data line is to just block these hobos altogether and be done with it.

While blocking most data traffic is easily accomplished, I must confess up front I have feigned a few efforts at blocking Skype only to retreat to fight another day after being soundly defeated. What follows is a short tutorial on traffic blocking, made simple for the casual reader of technology. After we cover the general case of traffic blocking we'll cover the special case of why blocking Skype traffic is a different animal.

Diving right into the mechanics of traffic shaping by application, the first lesson involves how to recognize traffic on a network. As you are likely aware, all traffic on the Internet travels around in what is called an IP packet. An IP packet can very simply be thought of as a string of characters moving from Computer A to Computer B. The string of characters is called the “payload,” much like the freight inside a railroad car. On the outside of this payload, or data, is the address where it is being sent. These two elements, the address and the payload, comprise the complete IP packet.

In the case of different applications on the Internet we would expect to see different kinds of payloads. For example, let's take the example of a skyscraper being transported from New York to Los Angeles. How could this be done by using a freight train? Common sense suggests that one would disassemble the office tower, stuff it into as many freight cars as it takes to transport it, and then when the train arrived in Los Angeles hopefully the workers on the other end would have the instructions on how to reassemble the tower.

Well, this analogy works with almost anything that is sent across the Internet, only the payload is some form of data, not a physical hunk of bricks, metal and wires. If we were sending a Word document as an e-mail attachment, guess what, the contents of the document would be disassembled into a bunch of IP packets and sent to the receiving e-mail client where it would be re-assembled. If I looked at the payload of each Internet packet in transit, I could actually see snippets of the document in each packet and could quite easily read the words as they went by.

This is the basis of traffic blocking: Look inside Internet packets and see if you can tell what they are. Conceptually, there is really nothing more to it.

Now moving beyond the simple case of sending a Word file, let's suppose that we are sending a phone call from user A to user B. How does that work in a traditional sense? Perhaps you have heard of SIP or H323 as common VoIP protocols. We need to make a small conceptual hop from the e-mail attachment example to a live phone call moving across the Internet, but I can assure you this is quite painless. When sending a live stream of voice data using the Internet you need to stuff pieces of the digitized phone call into a series of IP packets. Special equipment on the front end of the phone call digitizes the voice data and stuffs it into an IP packet, it is sent, and at the other side it's reassembled into comprehensible voice emulation.

It is possible for an appliance to monitor the data going across the lines, categorize it and display it. Digitized voice data is much different than a Word file in transport because digitized voice when displayed as ASCII characters looks like a mess of garbled goop. It is conspicuously random, so much so that there is no easily discernible pattern and you can forget about human readable words.

So how would one tell that the data going over an Internet connection is a voice call?

Before the invention of Skype, things were quite simple. One nice thing about all these standard VoIP solutions from Avaya, Toshiba, Cisco, and others is that you could see a very predictable human readable information exchange between two endpoints just prior to the actual phone call. This is what is commonly referred to as “call set up.” Before a voice phone call commenced it was common for the two phone systems to exchange data that mimicked a human conversation:

Computer A: “Hey buddy, I am about to send you a call.”

Computer B response: “Not now, I am busy.”

These call setup formalities are sent back and forth inside IP packets as very human readable text streams. Although perhaps it might not be as comprehensible as “Hey Buddy, I am about to call you,” it is often clear just by reading the text what is going on.

Meanwhile, there are various automated devices engineered by commercial companies that specialize in detecting all sorts of Internet traffic including voice. Some corporations purchase these devices intent on stopping streaming audio, or perhaps to give priority to Citrix traffic.

The list of types of things and reasons for detecting and giving special treatment to various data streams of traffic is endless, and would be an interesting subject in itself, but for now let's get back to detecting voice and the special case of Skype traffic.

Scenario 1: Direct End Point to End Point VoIP

If you recall, with voice calls, once the call is up and in progress, the data payload looks like garbled goop and that is not specifically identifiable as a call in progress. Thus, it is important to see the setup in action. The setup of the call between two IP phones is easily detectable. By remembering the IP addresses involved in the setup, you can safely assume that future traffic between the two IP addresses is a phone call and block traffic between the two.

Scenario 2: Centralized VoIP Source

The previous scenario assumes two IP end points talking to each other. Another version of VoIP phone service uses a VoIP PBX. In this scenario all phone calls emanate from a common PBX which has a well-known IP address, so it is just a matter of blocking any traffic to or from that IP address of the PBX if you want to stop voice traffic. Watching a network of this type will yield one common IP address that always seems to be sending common identifiable call setup messages to other IP addresses. Once you know this, you only need to remember the IP address of one party (the PBX) and you can take care of future calls.

Scenario 3: Centralized Broker

In a third scenario a centralized broker is used to set up phone calls. This would typically involve a form of PBX that arranges a contract between two VoIP phones to talk directly to one another. The centralized PBX is contacted by one of the parties wishing to make a call. It then contacts the destination party to arrange the call. During this brokered setup process one could see the setup communication of the broker within the IP packets. The conversation would go something like:

Computer A to broker: “Hi, I'd like to call my friend in Miami but all I have is his name. Can you arrange an IP call for me?”

Broker to Computer A: “Yes, just a second, I'll look him up.”

Broker to Computer B: “Hey Miami, a phone in Los Angeles would like to make a phone call . . .”

Well, you get the idea. The final phone call would again be a stream of garbled goop, but by listening to the context of the setup one could determine both IP addresses about to engage in a phone call and block the call plus future traffic between the two of them.

So now you know my entire library of knowledge and secrets about detecting VoIP traffic. It is time to move on to what I don't know about Skype.

Skype calls appear to talk point-to-point when a call is finally set up and active. This activity I can see by setting up Skype calls in my laboratory. Of course I know beforehand what the two endpoints are, and therefore I can see the Skype traffic whizzing by on my sniffer. However, when examining the stream I failed to see any human-discernible call setup, so without prior knowledge of a call being made, I could never be certain if what I was seeing was a Skype call.

Skype setup appears to take place with a common broker; however, the setup appears to have no intelligible human readable pattern. The setup portion of a Skype call appears as just garbled goop.

It appears that Skype uses a distributed topology where calls are set up from a number of various ever-changing brokers. If Skype used a common broker I could learn the IP address of that broker and hence I would know anybody talking to it is setting up a Skype call. But without a well-known common broker, there is no generic way I can look for contact to a broker.

To date, all my common tricks for determining VoIP traffic on the Internet have been thwarted by the Skype designers. I have no idea if this result was a deliberate attempt to thwart detection or just an unintended side effect of their design. Perhaps a reader with inside knowledge will step forward and answer this and other questions. For now I have plenty on my plate, so I'll leave the mystery of Skype detection to my contemporaries.
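
The three call-setup scenarios described in this article, as an added example (not code from the article or from APconnections): a small classifier that recognizes readable SIP setup text, remembers the endpoints, and then labels later opaque traffic between them as voice. It goes slightly beyond the text by reading the SDP `c=` media address, which is how the two phones are found when setup passes through a broker. The name `CallTracker`, the packets, the addresses and the Call-ID are all constructed for illustration.

```python
import re
from collections import defaultdict

# A SIP message opens with a readable request line or status line (RFC 3261).
SIP_START = re.compile(rb"(?:[A-Z]+ sips?:\S+ SIP/2\.0|SIP/2\.0 \d{3} [^\r\n]*)\r\n")
CALL_ID = re.compile(rb"^Call-ID:\s*(\S+)", re.M | re.I)
SDP_ADDR = re.compile(rb"^c=IN IP4 (\S+)", re.M)   # SDP media address (RFC 4566)

class CallTracker:
    """Hypothetical helper: learn endpoints from setup, then label opaque traffic."""
    def __init__(self):
        self.call_pairs = set()               # frozenset({ip, ip}) expected to carry voice
        self.setup_peers = defaultdict(set)   # ip -> peers it exchanged setup with
        self._offers = {}                     # Call-ID -> caller's media address

    def observe(self, src, dst, payload):
        """Classify one packet as 'setup', 'voice' or 'unknown'."""
        if SIP_START.match(payload):
            self.setup_peers[src].add(dst)
            self.setup_peers[dst].add(src)
            self._learn(src, payload)
            return "setup"
        return "voice" if frozenset((src, dst)) in self.call_pairs else "unknown"

    def _learn(self, src, payload):
        cid, sdp = CALL_ID.search(payload), SDP_ADDR.search(payload)
        key = cid.group(1) if cid else None
        addr = sdp.group(1).decode() if sdp else src   # no SDP: fall back to sender
        if key and payload.startswith(b"INVITE "):
            self._offers.setdefault(key, addr)          # keep the caller's first offer
        elif key in self._offers and payload.startswith(b"SIP/2.0 200"):
            self.call_pairs.add(frozenset((self._offers.pop(key), addr)))

    def likely_pbx(self, min_peers=3):
        """IP that exchanged setup with the most peers, if it has enough of them."""
        ip = max(self.setup_peers, key=lambda k: len(self.setup_peers[k]), default=None)
        return ip if ip and len(self.setup_peers[ip]) >= min_peers else None

def demo():
    """Constructed brokered call: phones a and b set up through broker p."""
    a, b, p = "192.0.2.10", "198.51.100.20", "203.0.113.5"
    def msg(start, media_ip):
        return f"{start}\r\nCall-ID: c1@example\r\n\r\nc=IN IP4 {media_ip}\r\n".encode()
    inv, ok, t = "INVITE sip:bob@example.com SIP/2.0", "SIP/2.0 200 OK", CallTracker()
    pkts = [(a, p, msg(inv, a)), (p, b, msg(inv, a)), (b, p, msg(ok, b)),
            (p, a, msg(ok, b)), (a, b, b"\x80\x00\x1f\x9c goop"), (a, p, b"\x17\x03 goop")]
    return [t.observe(*pkt) for pkt in pkts], t
```

When the setup itself is not readable, as the article reports for Skype, `SIP_START` never matches, no pair is learned, and every packet stays `unknown`.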