Upload
ita
View
44
Download
0
Embed Size (px)
DESCRIPTION
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol. Salman Baset and Henning Schulzrinne April 27, 2006. Agenda. What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions - PowerPoint PPT Presentation
Citation preview
An Analysis of the Skype Peer-An Analysis of the Skype Peer-to-Peer Internet Telephony to-Peer Internet Telephony ProtocolProtocol
Salman Baset and Henning SchulzrinneApril 27, 2006
2
AgendaAgenda What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions Skype, MSN, Yahoo and Google Talk Skype super nodes
3
What is Skype?What is Skype? Peer-to-peer, pc-to-pc, pc-to-phone, phone-to-pc
VoIP and IM client Developed by people who created KaZaa SkypeOut (pc-to-phone)
SkypeOut terms of service: governed by the laws of Luxembourg
SkypeIn (phone-to-pc), voicemail Supported OS: Windows, Linux, MacOS, PocketPC A p2p illusion
Login server Buddy-list server Servers for SkypeOut and SkypeIn Anonymous call minutes statistic gathering
4
What problems does it What problems does it solve?solve?
NAT and firewall traversal Nielsen September 2005 ratings
61.3% of US home internet users use broadband(http://www.nielsen-netratings.com/pr/pr_050928.pdf)
‘Most’ users have some kind of NAT
Phone-to-pc calling, SkypeIn Configuration-less connectivity
5
The Skype NetworkThe Skype NetworkSkype login
server
Message exchangewith the login serverduring login
ordinary host (SC)
super node (SN)
neighbor relationships in the Skype network
6
The Skype Network (contd…)The Skype Network (contd…) Ordinary host (OH)
A Skype client Super nodes (SN)
A Skype client Has public IP address, ‘sufficient’ bandwidth, CPU
and memory Login server
Stores Skype id’s, passwords, and buddy lists Used at login for authentication Version 1.4.0.84: 212.72.49.141 and
195.215.8.141
7
Skype ComponentsSkype Components Ports
No default listening port Randomly chooses a port (P1) on installation Opens TCP and UDP listener sockets at P1 Opens TCP listener sockets at port 80
(HTTP) and port 443 (HTTPS)
8
Skype Components (contd…)Skype Components (contd…) Host cache (HC)
IP address and port number of online Skype nodes (SNs)
Maximum size: 200 entries Liang, Kumar and Ross. Understanding KaZaA
200 entries for ordinary nodes (ON) Login server IP address and port number HC Windows location
C:\Documents and Settings\All Users\Application Data\Skype
9
Skype HCSkype HC
10
Skype Components Skype Components (Contd…)(Contd…) Codecs (GlobalIPSound)
Wide band codecs (50-8,000 Hz) iLBC (packet size: 20 and 30 ms bitrate: 15.2 kbps and 13.3
kbps) iSAC (packet size: 30-60 ms bitrate: 10-32 kbps) G.729 for SkypeOut?
Buddy list Stored in ‘config.xml’ file
C:\Documents and Settings\<XP user>\Application Data\Skype\<skype user id>
<CentralStorage> <LastBackoff>0</LastBackoff> <LastFailure>0</LastFailure> <LastSync>1120325519</LastSync> <NeedSync>0</NeedSync> <SyncSet> <u> <skypebuddy1>f384d3a0:1</skypebuddy1> <skypebuddy2>7d1dafc4:1</skypebuddy2>
11
AgendaAgenda What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions Skype, MSN, Yahoo and Google Talk Skype super nodes
12
Experimental SetupExperimental Setup We have NOT reverse engineered Skype executable
but it can be done (Biondi and Desclaux) Skype version: Linux v1.2, Windows v1.4.0.84 Experiments performed between June-July and
Nov-Dec 2005 Tools Used
Ethereal (for packet capture) NetPeeker (for tuning per process bandwidth) NCH Tone generator (for generating tones of various
frequencies) APIMonitor (for monitoring the system calls) LD_PRELOAD: Linux shared library and system call
interception Skype fails to run with ltrace and strace
13
Overloaded strcpy() functionOverloaded strcpy() functionchar* strcpy(char* dest, const char* src) {
void *handle = NULL;double (*mystrcpy)(char* dest, const char* src);long temp;
handle = dlopen("/lib/libc.so.6", RTLD_LAZY);mystrcpy = dlsym(handle, "strcpy");temp = (*mystrcpy)(dest, src);dlclose(handle);
return dest;}
14
Experimental Setup Experimental Setup (Contd…)(Contd…)
INTERNET
A (public IP) B (public IP)
INTERNET
A (private IP) B (public IP)port-restricted NAT
INTERNET
A (private IP address) B (private IP address)port-restricted NAT
UDP-blocking firewallport-restricted NAT
UDP-blocking firewall
Public
NAT
Firewall
15
Port-restricted NATPort-restricted NAT
NAT HostIP_private
Public HostIP_public
NAT
IP_private:P1:IP_public:Port1
IP_private:P1:IP_public:Port2
16
Skype FunctionsSkype Functions Startup Login User search Call establishment Media transfer Keep-alive NAT and firewall traversal Conferencing
17
Skype Functions: STARTUPSkype Functions: STARTUP
First time startup GET /ui/0/97/en/installed HTTP/1.1
Normal startup GET /ui/0/97/en/getlatestversion?ver=0.97.0.6 HTTP/1.1
18
Skype Functions: LOGINSkype Functions: LOGIN Establishes a TCP connection with SN Authenticates with the login server and gets a certified public
key Bootstrap super nodes Hard-coded in Skype
IP address:port Reverse lookup result Authority section
66.235.180.9:33033 sss1.skype.net ns1.hopone.net
66.235.181.9:33033 No PTR result ns1.hopone.net
212.72.49.143:33033 No PTR result ns07.customer.eu.level3.net
195.215.8.145:33033 No PTR result ns3.DK.net
64.246.49.60:33033 rs-64-246-49-60.ev1.net ns2.ev1.net
64.246.49.61:33033 rs-64-246-49-61.ev1.net ns2.ev1.net
64.246.48.23:33033 ev1s-64-246-48-23.ev1servers.net
ns1.ev1.net
19
Skype Functions: LOGINSkype Functions: LOGIN
Send UDP packets to seven bootstrap SNs at
port 33033
Response within 6 seconds
TCP connection attempts with seven bootstrap SN IP addresses and port 33033
No
Connected
Success
Yes
No
Start
Wait for 6 seconds
Yes
20
Skype Functions: LOGINSkype Functions: LOGIN Public, NAT
Establishes a TCP connection with the SN Authenticates with the login server Announces arrival on the network
(controlled flooding?) Determines NAT type?
Firewall Establishes a TCP connection with the SN Authenticates with the login server
21
UDPUDP
195.215.8.145:33033 (Bootstrap node)41B64B
TCPTCP
SN: (IP address not shown for privacy reasons)
357B4032B
TCPTCP
5B (1)5B (2)
TCPTCP
413B (3)222B (4)
TCP:SYN195.215.8.141:33033 (login server)
SC
SC
SC
TCP:ACK
UDPUDP
18B18B
SC
Skype Functions: LOGINSkype Functions: LOGIN
16 3 1 0 0
17 3 1 0 0
16 3 1 0 0 . . . .
17 3 1 0 0 len . . . .
SSL: client_key_exchange
SSL: version
22
Skype Functions: USER Skype Functions: USER SEARCHSEARCH From the Skype website
Guaranteed to find a user it exists and logged in the last 72 hours
Search results are cached at intermediate nodes Unable to trace messages beyond SN Cannot force a node to become a SN
Host cache is used for connection establishment and not for SN selection
User does not exist. How does search terminate? Skype contacts login server for failed searches
SN searches for a user behind UDP-restricted firewall Same wildcard (sal*) search query from two different
machines initiated at the same time gives different results
23
Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Call signaling always carried over TCP and goes e2e Calls to non buddies=search+call Initial exchange checks for blocked users Public-public call
Caller SC establishes a TCP connection with callee SC Public-NAT
Caller SC is behind port-restricted NAT Caller---->Skype node (SN?) ----> Callee TCP connection established between caller, callee, and more
than one Skype nodes Unknown: How a node is selected to route calls from caller to
callee? Perhaps determined at login
Firewall-firewall call Same as public-NAT but no in-UDP packets
24
Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Caller is behind port-restricted NAT and callee has a public IP
addressUDPUDP
Caller (NAT)271B221B
TCPTCP
Caller SN184B
1269B
Voice packet size is between 70 and 100 bytes.
TCPTCP
Caller Other265B77B
TCPTCP
Caller Callee1554B1176B
Callee
UDPUDP
Caller748B
3287B
Other
Caller
Media: UDP
Callee
(6)(6)
(5)(7)
(20)(20)
(12)(6)
(9)(8)
No of messages
25
Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Caller and callee are behind port-restricted NAT and UDP-
blocking firewall
TCPTCP
Caller (NAT+firewall) SN713B
3464B
Relay
Media:TCPCaller
Media:TCPRelay Callee
TCPCaller N1, N2, N3
TCPTCP
Callee
TCP
19B19B
19B19B
Caller and callee on the average exchange 3 msg/s over TCP with N1, N2 and N3 after call has been established.
TCPTCP
Caller124B45B
Callee (NAT+firewall)TCPTCP
51B117B
(7)(8)
(4)(4)
(4)(3)
26
Skype Functions: SummarySkype Functions: Summary
Public NAT Firewall
Login 10 KB 11 KB 7 KB
Search 1-2 KB 1-2 KB 5-7 KB
Call establishment
6 KB 8 KB 8 KB
Public NAT Firewall
Login 3-7 seconds
3-7 seconds 30-35 seconds
Search 3-4 seconds
5-6 seconds 10-15 seconds
27
Skype Functions: MEDIA Skype Functions: MEDIA TRANSFERTRANSFER
Public-public
NAT-public Firewall-firewall
Packet size 40-120 bytes 40-110 bytes
30-90 bytes
Stream bw 5 kilobytes/s 5 kilobytes/s 5.5 kilobytes/s
Transport UDP UDP TCP
10/100 Mbps Ethernet iSAC codec was used (adaptive bit-rate)
28
Skype Functions: MEDIA Skype Functions: MEDIA TRANSFERTRANSFER No silence suppression Silence packets are used to
play background noise at the peer maintain UDP NAT binding avoid drop in the TCP congestion window
Putting a call on hold 1 packet/3 seconds to call-peer or Skype node same reasons as above
Codec frequency range 50-8,000 Hz (total bw of 3 kilobytes/s)
Reasonable call quality at (4 kilobytes/s)
29
Skype Functions: KEEP ALIVESkype Functions: KEEP ALIVE
Refresh message over TCP to SN every 120 seconds
Refresh message size: 2 bytes
30
Skype Functions: Skype Functions: CONFERENCINGCONFERENCING A, B, and C have public IP addresses
1: B-A Call
A: 1.6 GHz Pentium4, 512 MB RAM
B: 3 GHz Pentium4, 1 GB
C: 3 GHz Pentium4, 1 GB
31
Skype Functions: Skype Functions: CONFERENCINGCONFERENCING
A: 1.6 GHz Pentium4, 512 MB RAM
B: 3 GHz Pentium4, 1 GB
A, B, and C have public IP addresses
1: B-A Call
2: B-C Call
C: 3 GHz Pentium4, 1 GB
32
Skype Functions: Skype Functions: CONFERENCINGCONFERENCING A, B, and C have public IP addresses
1: B-A Call
2: B-C Call
B decides to initiate a conference
A: 1.6 GHz Pentium4, 512 MB RAM
B: 3 GHz Pentium4, 1 GB
C: 3 GHz Pentium4, 1 GB
33
Skype Functions: Skype Functions: CONFERENCINGCONFERENCING A, B, and C have public IP addresses
B
C A+B
A+C
A: 1.6 GHz Pentium4, 512 MB RAM
B: 3 GHz Pentium4, 1 GB
C: 3 GHz Pentium4, 1 GB
34
Skype, MSN, Yahoo and TalkSkype, MSN, Yahoo and TalkApplication version
Memory usage before call (caller, callee)
Memory usage after call (caller, callee)
Process priority before call
Process priority during call
Mouth-to-ear latency
Skype
1.4.0.84 19 MB, 19 MB
21 MB, 27 MB
Normal High 96ms
MSN 7.5 25 MB, 22 MB
34 MB, 31 MB
Normal Normal 184ms
Yahoo
7.0 beta 38 MB, 34 MB
43 MB, 42 MB
Normal Normal 152ms
GTalk 1.0.0.80 9 MB, 9 MB 13 MB, 13 MB
Normal Normal 109ms
35
Mouth-to-ear latency setupMouth-to-ear latency setup
36
Mouth-to-ear latencyMouth-to-ear latency
37
Skype Super NodesSkype Super Nodes Skype super node: A node with which a
Skype establishes a TCP connection at login 8,153 successful login attempts over four
days 35% hostnames had a .edu suffix
102 universities 894 unique super nodes Unique SN IP distribution:
US 83.7%, Asia 8.9%, Europe 7.1% Top 20 nodes received 43.8% of the total
connections Top 100 nodes: 70.5%
38
Skype Super NodesSkype Super Nodes
Unique SNs per day
Cumulative unique SNs
Common SNs between previous and current day
Day1 224 224
Day2 371 553 42
Day3 202 699 98
Day4 246 898 103
39
Skype Super Node MapSkype Super Node Map
40
ConclusionConclusion Selfish application
Uses best CPU and bandwidth resources Evades blocking Change application priority to ‘High’ after call establishment No application configuration to prevent machine from
becoming a super node. Possible by limiting per-process bandwidth
Code obfuscation, runtime decryption Login server and super nodes, not strictly peer-to-peer STUN and TURN equivalent functionality Combination of hashing and controlled flooding Multiple paths for ‘in-time’ switching incase of failures Search falls back to login server
41
Questions?Questions?