<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">
    
    <channel>
    
    <title>US&#45;Securenet Forum</title>
    <link>http://www.us-securenet.com/forums/</link>
    <description>US&#45;Securenet Forum</description>
    <dc:language>en</dc:language>
    <dc:rights>Copyright 2011</dc:rights>
    <dc:date>2011-06-17T07:49:38-05:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <item>
      <title>Is Skype VOIP&#63; Can it be blocked&#63;</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/61/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/61/#When:07:49:38Z</guid>
      <description>&lt;p&gt;In earlier topics, we have looked at VOIP and how it works. Is Skype also VOIP?&lt;/p&gt;

&lt;p&gt;Well I can make this a short topic by giving the answer immediately: yes, it is, and no, it isn’t. Except that that is not an answer. OK, it has to be the long version then.&lt;/p&gt;

&lt;p&gt;The term VOIP in general stands for Voice Over IP. This basically means that voice data is carried over IP networks such as the Internet. Obviously in that sense Skype is VOIP&#8212;it allows you to call and speak to other people via the Internet. But on the other hand, VOIP is generally used to refer to implementations of the SIP protocol. And this is exactly what Skype does not do. It does not use the standard VOIP protocols, but relies on its own standards. The Skype software is closed&#45;source, so it is not possible to find out how the voice communication actually takes place.&lt;/p&gt;

&lt;p&gt;Is this bad? Well, yes and no, again. Of course any company developing software is free to choose if they do that under an open source or a closed source license. But the closed source heritage of Skype means that it is difficult to understand the protocol and make it work under special circumstances. As you may have guessed, the BGAN network is such a special circumstance&#8230;&lt;/p&gt;

&lt;p&gt;First of all, the cost of data traffic on BGAN is high. And there is no such thing as a fully unmetered, unlimited BGAN connection, contrary to your ADSL or cable at home. The closed source Skype application has been designed to grab as much bandwidth as it can, with a good goal: to make the call as clear (and the sound quality as high) as possible. But BGAN users generally do not want this as they pay per megabyte. It is almost impossible to tell Skype to use less bandwidth. This is one of the reasons that there are alternatives for use on satellite networks; Sea Secure is such an alternative.&lt;/p&gt;

&lt;p&gt;Secondly, the Skype application has been designed to try and find holes in firewalls where it can. Do you want your users to be unable to use Skype? Try to block it in your firewall&#8212;it cannot be done. Skype will find a hole and the application will work. Again, a good thing for Skype users in homes and offices worldwide, as they do not have to worry that they may not be reachable on Skype&#8212;but a bad thing for our average BGAN customer who wants to limit the traffic. This is the reason why US Securenet has recently launched and is currently testing with some customers a content&#45;filtering firewall: a firewall that actually looks into the data to find what application it is, and then allows or denies based on the kind of application, instead of on IP address or port number as we are used to. The firewalls do this by silently allowing Skype’s “hacking” to find firewall holes and actually offering it such a hole to use&#8212;and then, when the Skype application has accepted to use the connection, promptly closing it. True magic indeed!&lt;/p&gt;

&lt;p&gt;As you see, applications that we depend on in our office or at home may give us headaches when used in a BGAN environment. Keeps life challenging!&lt;/p&gt;

&lt;p&gt;Next time, we will take a deeper look into the technical architecture of Skype. We will see how it communicates between hosts and how the security is arranged. Without telling too much, it is interesting to know that when you happen to connect your computer to a network without NAT (so your computer has a public IP address) and you happen to have a reasonably fast connection, Skype may make your computer a &#8216;supernode&#8217; and use it to relay calls through it from people you don’t even know!
&lt;/p&gt;</description>
      <dc:date>2011-06-17T07:49:38-05:00</dc:date>
    </item>

    <item>
      <title>What is WiFi and how does it work&#63;</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/59/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/59/#When:07:05:21Z</guid>
      <description>&lt;p&gt;Chances are almost 100% that you are using WiFi—wireless ethernet. Not just on your laptop, but also on your phone, fridge, etc.!&lt;/p&gt;

&lt;p&gt;Well, fridge, maybe not yet. But it will not take long any more. In this and the next topic, we will look at how WiFi actually works—it is everywhere. And it is also called “WLAN” (Wireless Local Area Network) or more technically, the IEEE 802.11 standard.&lt;/p&gt;

&lt;p&gt;With a WiFi “access point”, a local area network or LAN can be made wireless. The access point provides a “bridge” between the wired network and the wireless devices on that network. A WiFi access point, or hotspot, can be a small indoor device that is simply connected to the existing, wired network, or it can be a bigger box with an external antenna, that can provide a larger coverage area.&lt;br /&gt;
In addition, it is also possible to use WiFi without an access point at all—any WiFi device can act as its own access point, to create a network between just two devices called an ad hoc network. This kind of wireless network is used in the controllers of game consoles, for instance; they use WiFi to connect to the ‘base’ of the console.&lt;/p&gt;

&lt;p&gt;As we are dealing with a wireless network, radio waves come into play, and planning of the frequencies used is required. This planning is different depending on the region or country that the WiFi device is in. All WiFi devices work in the 2.4 GHz band (which falls into the S&#45;band, while our satellite signals are usually in Ku, K or Ka band). A new WiFi standard is emerging that uses a 5 GHz frequency (which is C&#45;band) but this is not very widespread yet.&lt;/p&gt;

&lt;p&gt;In the US, from the 2.4 GHz band only channels 1&#45;11 can be used, in Europe it’s channels 1&#45;13, and in Japan channels 1&#45;14. From these channel numbers, only channel numbers that are five apart will be non&#45;overlapping; so if you use channel 1 in your house, your neighbor may have trouble using channel 3 or 4. In practice, it can be said that channels 1, 6 and 11 are certain to be non&#45;overlapping and are the only combination possible if you want three channels to operate on. This is why these channels are usually chosen automatically by your WiFi device.&lt;br /&gt;
The range of the 2.4 GHz signal with standard hardware is about 30 meters indoors, depending on the kind of structure (concrete of course blocks the radio waves). With directional antennas, a WiFi signal can travel multiple kilometers, but in France and Italy this is not allowed as there, a WiFi signal must stay inside the building.&lt;/p&gt;

&lt;p&gt;The overlapping of channels, and standard usage of channels 1, 6 and 11 means that the signal cannot travel as far as your access point ‘pushes’ the neighbor’s away. Finally: as we are talking about radio waves, care must be taken: all data is essentially ‘broadcast’ through the air and can be intercepted (read and/or modified) by anybody. This is an inherent insecurity of any wireless technology, including our satellite connections. Next week, we will look at encryption on WiFi, and see how we can secure the communications.
&lt;/p&gt;</description>
      <dc:date>2011-05-06T07:05:21-05:00</dc:date>
    </item>

    <item>
      <title>The AS path decides how we route traffic on the Internet</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/57/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/57/#When:11:19:14Z</guid>
      <description>&lt;p&gt;Very recently, a customer question was received
&lt;/p&gt;</description>
      <dc:date>2011-04-14T11:19:14-05:00</dc:date>
    </item>

    <item>
      <title>Circuit Switched or Packet Switched&#8212;what&#8217;s the difference&#63;</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/55/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/55/#When:03:40:12Z</guid>
      <description>&lt;p&gt;You will have heard the terms ‘circuit switched’ and ‘packet switched’ when dealing with BGAN. What are they?&lt;/p&gt;

&lt;p&gt;The terms ‘circuit switched’ and ‘packet switched’ refer to the way the connections are built. But in practice, it comes down to this: ‘circuit switched’ means voice, and ‘packet switched’ means data. &lt;br /&gt;
On circuit switched connections, there is a dedicated connection built between point A and point B. This connection is called a ‘circuit’. The circuit can only be used to exchange data between A and B, and A and B will have this connection for their private use as long as the connection is there. Also, the connection stays the same all the time—it does not change, it cannot go and follow a different route suddenly. The two systems, A and B, appear to be directly connected with an electrical wire. You will recognize this from the telephone; by dialing a number, you are requesting a circuit to be set up from your telephone to another phone. Once this has been done, your phone and the other phone are directly connected to each other using a wire, and it is just you two on the connection. Nobody else can use your line at the same time until you stop the call (and break the circuit).&lt;/p&gt;

&lt;p&gt;With packet switched, a lot of things are different. First of all, the data that you send will be chopped up into little pieces. These pieces are the packets. Each packet has a label containing the source and the destination of the packet, and based on that label, the packet is sent across the network. On a packet switched network, there are no permanent connections set up, and for each packet received, a router decides where to send it, based on the label. The route that a stream of packets follows may change during the transmission of the stream—let’s say you are transferring a file, and in the middle of the transfer a router fails and is replaced by another router—then the packets just start flowing through the backup router from the moment the failure occurred. From the description you will recognize that the Internet is a packet switched network.&lt;/p&gt;

&lt;p&gt;Now the fun starts when circuit switched networks and packet switched networks are mixed. The connections between routers of a packet switched network are usually circuit switched: for instance between our POPs in New York and Amsterdam we have two dedicated circuits that run only between New York and Amsterdam and cannot be used by other people at the same time. They are circuit switched. But the data we put across those (the service we build on them) is packet switched: our routers talk IP to each other and can send the packets via different routes; perhaps the packets of a single file transfer go along two different routes.&lt;/p&gt;

&lt;p&gt;Now as a thought experiment for the weekend: would it also be possible to set up a circuit switched connection across a packet switched network? Think about what would be needed, and don’t be shy to think in ‘virtual’ terms!
&lt;/p&gt;</description>
      <dc:date>2011-04-13T03:40:12-05:00</dc:date>
    </item>

    <item>
      <title>DNSSEC: The New, Secure Way Of Doing DNS</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/52/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/52/#When:06:54:58Z</guid>
      <description>&lt;p&gt;Apart from IPv6, another major Internet infrastructure change is going on right now. It’s called DNSSEC.&lt;/p&gt;

&lt;p&gt;After a few updates here about DNS, you know that it is a very important system on the Internet. Without it, you would have to remember IP addresses of all web sites you wanted to visit. And you would not be able to send any e&#45;mail to anyone because there would be no publication possible of what e&#45;mail server handles e&#45;mail for what domain. And that’s just the start. The interesting thing is that DNS was never designed with security in mind. DNSSEC has come to life to resolve this.&lt;/p&gt;

&lt;p&gt;With a DNS resolver, such as the servers we have at 195.3.164.19 and 195.3.164.35 (there will be another one next week on 195.3.164.84 by the way) it is very easy to insert “fake” data into it. With one of the most impressive technical terms, this is called “DNS Cache Poisoning”. What happens, is that in a DNS reply, you can put additional data, and a DNS server will then store that data happily.&lt;br /&gt;
This means that for instance, if I am a hacker, I can set up a “mean” DNS server for the domain hacker.com. Then I ask a DNS resolver about the IP address for &lt;a href=&quot;http://www.hacker.com&quot;&gt;http://www.hacker.com&lt;/a&gt;. My “mean” DNS server will answer: the IP address for &lt;a href=&quot;http://www.hacker.com&quot;&gt;http://www.hacker.com&lt;/a&gt; is 123.45.67.89, and by the way, the address for &lt;a href=&quot;http://www.bigbank.com&quot;&gt;http://www.bigbank.com&lt;/a&gt; is 12.34.56.78. The DNS resolver will happily accept the information about &lt;a href=&quot;http://www.bigbank.com&quot;&gt;http://www.bigbank.com&lt;/a&gt;, and when someone else happens to ask it about &lt;a href=&quot;http://www.bigbank.com&quot;&gt;http://www.bigbank.com&lt;/a&gt; later, it will return the wrong IP address based on my hacking&#8212;indeed ‘poisoning’ of the DNS. With this, I could possibly have someone go to a fake bank web site, instead of the real one, and steal all their money&#8230;!&lt;/p&gt;

&lt;p&gt;With DNSSEC, this kind of thing (which happens more often than you think) is not possible any more. Every zone (a file containing the DNS data for a certain domain) is signed with an encryption key. This encryption key is used by DNS servers to find out if the data is authentic. Only if the reply turns out to be indeed “true” is the data used by the resolver. Note well that although there is a digital signature, the data is not encrypted when it travels over the Internet&#8212;so the signature doesn’t make the data invisible. The signature is only there to provide confidence about the origin.&lt;/p&gt;

&lt;p&gt;A DNSSEC&#45;protected zone has a key in it that provides the possibility to prove that the zone’s data can be trusted. This key has a certain validity coming with it: it is not valid forever. Keeping track of how long a key is still valid is a major task. Apart from the keys that prove the validity of the zone as a whole, there is also a time given with every answer that certifies that the answer is valid for a certain time.&lt;/p&gt;

&lt;p&gt;In all, DNSSEC is important to the security of the Internet as a whole, but there are complications. Extra processing power is needed on the DNS servers, for one, and in our satellite environment the extra data that is needed to exchange keys and check the validity of data is not too attractive to our users either. All in the name of security!
&lt;/p&gt;</description>
      <dc:date>2011-04-01T06:54:58-05:00</dc:date>
    </item>

    <item>
      <title>VOIP: data flows on the network</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/50/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/50/#When:07:43:51Z</guid>
      <description>&lt;p&gt;In the previous topic we saw what VOIP is and how it can be used on our network. Now, some of the technical stuff.&lt;/p&gt;

&lt;p&gt;VOIP data using the SIP protocol consists of two parts: signalling and the actual data. Signalling takes care of the connection setup—it makes the phone ring when someone calls, it shows you the number of the person who calls, etc. The data is the sound of the actual voice of you and the person you are talking to.&lt;/p&gt;

&lt;p&gt;The signalling is text&#45;based and it looks quite a bit like HTTP—the way that web pages are served from a web server to your web browser. It can be using TCP (with error correction), UDP (faster, but without error correction) or SCTP (not widely used). The SIP text messages are usually exchanged on port 5060 and they can be of the type REGISTER (where a phone tells its IP address to the VOIP switch), INVITE (to set up a call between two phones), ACK (to confirm that messages have been exchanged reliably), CANCEL (to abort an earlier request), BYE (to stop a call) and OPTIONS (which more or less performs a “dummy” call, where no voice data is exchanged, but the call setup is tested). All these messages are exchanged in clear text. An encrypted VOIP port (5061) has been defined, but is not widely used.&lt;/p&gt;

&lt;p&gt;The data is sent using a codec (coder&#45;decoder). This is because an analog signal, such as voice, cannot travel directly over a digital medium, such as the Internet. The voice needs to be translated to a digital form. The codec does this translation from analog to digital and back. The way in which this translation is done, influences the sound quality and the amount of data used to transfer the sound. &lt;br /&gt;
A type of codec we see good results with on the network is G.729a. It was developed by a number of big telecommunications companies, including France Telecom and NTT (Japan). It uses a fixed bit rate of 8 kbit/sec and delivers very reasonable speech quality. There are codecs that use more data and deliver a higher sound quality, and of course there are also codecs that use less data, but then the sound will be very bad. In case of VOIP phones on desks, used within offices, a codec like G.722 delivers a far higher sound quality, but the data rate is so high that a customer using it on BGAN would be bankrupt in a day…&lt;/p&gt;

&lt;p&gt;What can we do to make VOIP usable? Well, it is important to make sure that packets arrive in the right order, and that there is no packet loss. In the case of packet re&#45;ordering or packet loss on the satellite segment, there is not much we can do. One possible piece of advice is to use streaming, but obviously this makes the call more expensive (possibly even more expensive than making the same call via the voice channel).
&lt;/p&gt;</description>
      <dc:date>2011-03-07T07:43:51-05:00</dc:date>
    </item>

    <item>
      <title>The End Game Has Started</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/48/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/48/#When:06:18:38Z</guid>
      <description>&lt;p&gt;On Thursday 3 February 2011, the last of the IPv4 address blocks were given to the RIRs by IANA.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Yes, I know you will have read about this subject before on this forum, but it remains important and interesting for the future—each step in the process of completely using up IPv4 will result in a new topic here…&lt;br /&gt;
Earlier, my prediction was that we would be at this point in March 2011, but the day has come a little sooner. At the end of January, APNIC requested two more /8 blocks from IANA because they could demonstrate that they needed them for further re&#45;distribution to their members (you will remember the structure of IANA holding all IP addresses, then the Regional Internet Registries or RIRs holding large /8 blocks, and then the Local Internet Registries such as US Securenet who get smaller address blocks from the RIRs).&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The assignment of these two blocks from IANA to APNIC meant that there were only five more /8 blocks free. As there are also five RIRs, the so&#45;called “End Game” was started: each RIR got one last /8 block for their members.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
They were distributed as follows:&lt;/p&gt;

&lt;p&gt;&#45; all addresses starting with 102 go to AfriNIC for Africa;&lt;br /&gt;
&#45; all addresses starting with 103 go to APNIC for the Asia/Pacific region;&lt;br /&gt;
&#45; all addresses starting with 104 go to ARIN for North America;&lt;br /&gt;
&#45; all addresses starting with 179 go to LACNIC for South America; and&lt;br /&gt;
&#45; all addresses starting with 185 go to the RIPE NCC for Europe, including the whole of Russia.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
This means that the ‘top of the tree,’ IANA, now has absolutely no public IPv4 addresses free any more. Any RIR running out of public IPv4 addresses cannot go to IANA any more for new ones. That means that each RIR will have to continue with what they have in distribution to their members (the LIRs, such as US Securenet). Each RIR will reserve a block of public IPv4 addresses for newcomers in the market after the beginning of 2012; these will be able to get a /24 (256 public IPv4 addresses) to build their network and offer services, but no more.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
As a regular reader of this forum, you will know that this runout of IPv4 may seem a challenge, but it is not like nothing has been done yet—for more than 10 years, people have been deploying IP version 6 already and convincing others to do likewise. All ways have been tried, including performance of a song at the RIPE55 meeting in Amsterdam in 2007, called “The Day The Routers Died”, exactly about this day. You can see and hear it at &lt;a href=&quot;http://www.youtube.com/watch?v=_y36fG2Oba0&quot;&gt;http://www.youtube.com/watch?v=_y36fG2Oba0&lt;/a&gt; .&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
What changes for you, our customers? Well, nothing right now. US Securenet has plenty of public IPv4 addresses still available. The Internet as a whole will also still work as it used to. And you can be sure US Securenet is working on getting IPv6 on the road!
&lt;/p&gt;</description>
      <dc:date>2011-02-18T06:18:38-05:00</dc:date>
    </item>

    <item>
      <title>VOIP: The History and Basics</title>
      <link>http://www.us&#45;securenet.com/forums/viewthread/47/</link>
      <guid>http://www.us-securenet.com/forums/viewthread/47/#When:06:17:19Z</guid>
      <description>&lt;p&gt;Some of our customers use VOIP to call via BGAN and we also use it in some offices. What is it?&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
At its core, VOIP (or VoIP) just means that a speech signal is transported over an IP network. This IP network can be an internal network (such as the office network) or the Internet. However, in casual usage of the term VOIP, it has become more or less synonymous with “cheap calling” as that is what VOIP has basically brought to the world.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
As early as the 1980s, IP networks were used to transport voice calls. Several programs were created to make calls, some of them even had voicemail. But they had one thing in common: if you used program A, you could only make calls to other users of program A, and not to users with programs B, C or D. So, somebody using Skype would only be able to call another person who uses Skype.&lt;br /&gt;
Of course this was not very workable. VOIP programs started to interface with the regular phone network (called POTS, which stands for Plain Old Telephone System, or PSTN, which stands for Public Shared Telephone Network). Using special computers called gateways that are connected to both the POTS network and the IP network, it is possible to make calls from one network to another.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The term “VOIP” just describes a concept; not the protocol used. The most used protocol these days is SIP: Session Initiation Protocol. Using SIP, on a SIP phone (hardware) or a softphone (software) you can make calls to other SIP phones around the world. Your phone number is tied to your username and password, so as long as your phone or computer has some form of Internet connectivity, you can be reached on the same number. SIP also has the capability of using something that resembles an e&#45;mail address as the phone number, but this does not see very widespread usage yet.&lt;br /&gt;
Operators of SIP exchanges can use the Internet to connect to each other. For instance, a SIP operator in The Netherlands could set up a connection (‘peering’) with a SIP operator in the USA to exchange SIP calls. A call made from the USA to The Netherlands would then travel over the Internet between the two SIP exchanges, and only the local part would have to go through the PSTN—suddenly making the call a local call instead of an international one, for one or both parties on the call, and possibly even totally free if both parties have a SIP phone connected to their local SIP exchange. This is how VOIP has brought cheap voice calls to the world.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Many companies are employing VOIP using the SIP protocol to lower their communication costs. Most telcos use SIP to deliver international calls, even without telling you. If the party you’re calling reports that they see a strange number in their display when you call, it is probably because the call runs over VOIP somewhere.&lt;br /&gt;
However VOIP is not always suitable for use by our customers as a method to lower the costs. The cost for data may be higher than the cost for the same call over the voice channel. Next time we’ll look at how we do VOIP on the US Securenet network.
&lt;/p&gt;</description>
      <dc:date>2011-02-18T06:17:19-05:00</dc:date>
    </item>


    
    </channel>
</rss>
