An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

An Analysis of the Skype Peer-An Analysis of the Skype Peer-to-Peer Internet Telephony to-Peer Internet Telephony ProtocolProtocol

Salman Baset and Henning SchulzrinneApril 27, 2006

2

AgendaAgenda What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions Skype, MSN, Yahoo and Google Talk Skype super nodes

3

What is Skype?What is Skype? Peer-to-peer, pc-to-pc, pc-to-phone, phone-to-pc

VoIP and IM client Developed by people who created KaZaa SkypeOut (pc-to-phone)

SkypeOut terms of service: governed by the laws of Luxembourg

SkypeIn (phone-to-pc), voicemail Supported OS: Windows, Linux, MacOS, PocketPC A p2p illusion

Login server Buddy-list server Servers for SkypeOut and SkypeIn Anonymous call minutes statistic gathering

4

What problems does it What problems does it solve?solve?

NAT and firewall traversal Nielsen September 2005 ratings

61.3% of US home internet users use broadband(http://www.nielsen-netratings.com/pr/pr_050928.pdf)

‘Most’ users have some kind of NAT

Phone-to-pc calling, SkypeIn Configuration-less connectivity

5

The Skype NetworkThe Skype NetworkSkype login

server

Message exchangewith the login serverduring login

ordinary host (SC)

super node (SN)

neighbor relationships in the Skype network

6

The Skype Network (contd…)The Skype Network (contd…) Ordinary host (OH)

A Skype client Super nodes (SN)

A Skype client Has public IP address, ‘sufficient’ bandwidth, CPU

and memory Login server

Stores Skype id’s, passwords, and buddy lists Used at login for authentication Version 1.4.0.84: 212.72.49.141 and

195.215.8.141

7

Skype ComponentsSkype Components Ports

No default listening port Randomly chooses a port (P1) on installation Opens TCP and UDP listener sockets at P1 Opens TCP listener sockets at port 80

(HTTP) and port 443 (HTTPS)

8

Skype Components (contd…)Skype Components (contd…) Host cache (HC)

IP address and port number of online Skype nodes (SNs)

Maximum size: 200 entries Liang, Kumar and Ross. Understanding KaZaA

200 entries for ordinary nodes (ON) Login server IP address and port number HC Windows location

C:\Documents and Settings\All Users\Application Data\Skype

9

Skype HCSkype HC

10

Skype Components Skype Components (Contd…)(Contd…) Codecs (GlobalIPSound)

Wide band codecs (50-8,000 Hz) iLBC (packet size: 20 and 30 ms bitrate: 15.2 kbps and 13.3

kbps) iSAC (packet size: 30-60 ms bitrate: 10-32 kbps) G.729 for SkypeOut?

Buddy list Stored in ‘config.xml’ file

C:\Documents and Settings\<XP user>\Application Data\Skype\<skype user id>

<CentralStorage> <LastBackoff>0</LastBackoff> <LastFailure>0</LastFailure> <LastSync>1120325519</LastSync> <NeedSync>0</NeedSync> <SyncSet> <u> <skypebuddy1>f384d3a0:1</skypebuddy1> <skypebuddy2>7d1dafc4:1</skypebuddy2>

11

AgendaAgenda What is Skype? What problems does it solve? The Skype network The Skype software components Experimental setup The Skype functions Skype, MSN, Yahoo and Google Talk Skype super nodes

12

Experimental SetupExperimental Setup We have NOT reverse engineered Skype executable

but it can be done (Biondi and Desclaux) Skype version: Linux v1.2, Windows v1.4.0.84 Experiments performed between June-July and

Nov-Dec 2005 Tools Used

Ethereal (for packet capture) NetPeeker (for tuning per process bandwidth) NCH Tone generator (for generating tones of various

frequencies) APIMonitor (for monitoring the system calls) LD_PRELOAD: Linux shared library and system call

interception Skype fails to run with ltrace and strace

13

Overloaded strcpy() functionOverloaded strcpy() functionchar* strcpy(char* dest, const char* src) {

void *handle = NULL;double (*mystrcpy)(char* dest, const char* src);long temp;

handle = dlopen("/lib/libc.so.6", RTLD_LAZY);mystrcpy = dlsym(handle, "strcpy");temp = (*mystrcpy)(dest, src);dlclose(handle);

return dest;}

14

Experimental Setup Experimental Setup (Contd…)(Contd…)

INTERNET

A (public IP) B (public IP)

INTERNET

A (private IP) B (public IP)port-restricted NAT

INTERNET

A (private IP address) B (private IP address)port-restricted NAT

UDP-blocking firewallport-restricted NAT

UDP-blocking firewall

Public

NAT

Firewall

15

Port-restricted NATPort-restricted NAT

NAT HostIP_private

Public HostIP_public

NAT

IP_private:P1:IP_public:Port1

IP_private:P1:IP_public:Port2

16

Skype FunctionsSkype Functions Startup Login User search Call establishment Media transfer Keep-alive NAT and firewall traversal Conferencing

17

Skype Functions: STARTUPSkype Functions: STARTUP

First time startup GET /ui/0/97/en/installed HTTP/1.1

Normal startup GET /ui/0/97/en/getlatestversion?ver=0.97.0.6 HTTP/1.1

18

Skype Functions: LOGINSkype Functions: LOGIN Establishes a TCP connection with SN Authenticates with the login server and gets a certified public

key Bootstrap super nodes Hard-coded in Skype

IP address:port Reverse lookup result Authority section

66.235.180.9:33033 sss1.skype.net ns1.hopone.net

66.235.181.9:33033 No PTR result ns1.hopone.net

212.72.49.143:33033 No PTR result ns07.customer.eu.level3.net

195.215.8.145:33033 No PTR result ns3.DK.net

64.246.49.60:33033 rs-64-246-49-60.ev1.net ns2.ev1.net

64.246.49.61:33033 rs-64-246-49-61.ev1.net ns2.ev1.net

64.246.48.23:33033 ev1s-64-246-48-23.ev1servers.net

ns1.ev1.net

19

Skype Functions: LOGINSkype Functions: LOGIN

Send UDP packets to seven bootstrap SNs at

port 33033

Response within 6 seconds

TCP connection attempts with seven bootstrap SN IP addresses and port 33033

No

Connected

Success

Yes

No

Start

Wait for 6 seconds

Yes

20

Skype Functions: LOGINSkype Functions: LOGIN Public, NAT

Establishes a TCP connection with the SN Authenticates with the login server Announces arrival on the network

(controlled flooding?) Determines NAT type?

Firewall Establishes a TCP connection with the SN Authenticates with the login server

21

UDPUDP

195.215.8.145:33033 (Bootstrap node)41B64B

TCPTCP

SN: (IP address not shown for privacy reasons)

357B4032B

TCPTCP

5B (1)5B (2)

TCPTCP

413B (3)222B (4)

TCP:SYN195.215.8.141:33033 (login server)

SC

SC

SC

TCP:ACK

UDPUDP

18B18B

SC

Skype Functions: LOGINSkype Functions: LOGIN

16 3 1 0 0

17 3 1 0 0

16 3 1 0 0 . . . .

17 3 1 0 0 len . . . .

SSL: client_key_exchange

SSL: version

22

Skype Functions: USER Skype Functions: USER SEARCHSEARCH From the Skype website

Guaranteed to find a user it exists and logged in the last 72 hours

Search results are cached at intermediate nodes Unable to trace messages beyond SN Cannot force a node to become a SN

Host cache is used for connection establishment and not for SN selection

User does not exist. How does search terminate? Skype contacts login server for failed searches

SN searches for a user behind UDP-restricted firewall Same wildcard (sal*) search query from two different

machines initiated at the same time gives different results

23

Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Call signaling always carried over TCP and goes e2e Calls to non buddies=search+call Initial exchange checks for blocked users Public-public call

Caller SC establishes a TCP connection with callee SC Public-NAT

Caller SC is behind port-restricted NAT Caller---->Skype node (SN?) ----> Callee TCP connection established between caller, callee, and more

than one Skype nodes Unknown: How a node is selected to route calls from caller to

callee? Perhaps determined at login

Firewall-firewall call Same as public-NAT but no in-UDP packets

24

Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Caller is behind port-restricted NAT and callee has a public IP

addressUDPUDP

Caller (NAT)271B221B

TCPTCP

Caller SN184B

1269B

Voice packet size is between 70 and 100 bytes.

TCPTCP

Caller Other265B77B

TCPTCP

Caller Callee1554B1176B

Callee

UDPUDP

Caller748B

3287B

Other

Caller

Media: UDP

Callee

(6)(6)

(5)(7)

(20)(20)

(12)(6)

(9)(8)

No of messages

25

Skype Functions: CALL Skype Functions: CALL ESTABLISHMENTESTABLISHMENT Caller and callee are behind port-restricted NAT and UDP-

blocking firewall

TCPTCP

Caller (NAT+firewall) SN713B

3464B

Relay

Media:TCPCaller

Media:TCPRelay Callee

TCPCaller N1, N2, N3

TCPTCP

Callee

TCP

19B19B

19B19B

Caller and callee on the average exchange 3 msg/s over TCP with N1, N2 and N3 after call has been established.

TCPTCP

Caller124B45B

Callee (NAT+firewall)TCPTCP

51B117B

(7)(8)

(4)(4)

(4)(3)

26

Skype Functions: SummarySkype Functions: Summary

Public NAT Firewall

Login 10 KB 11 KB 7 KB

Search 1-2 KB 1-2 KB 5-7 KB

Call establishment

6 KB 8 KB 8 KB

Public NAT Firewall

Login 3-7 seconds

3-7 seconds 30-35 seconds

Search 3-4 seconds

5-6 seconds 10-15 seconds

27

Skype Functions: MEDIA Skype Functions: MEDIA TRANSFERTRANSFER

Public-public

NAT-public Firewall-firewall

Packet size 40-120 bytes 40-110 bytes

30-90 bytes

Stream bw 5 kilobytes/s 5 kilobytes/s 5.5 kilobytes/s

Transport UDP UDP TCP

10/100 Mbps Ethernet iSAC codec was used (adaptive bit-rate)

28

Skype Functions: MEDIA Skype Functions: MEDIA TRANSFERTRANSFER No silence suppression Silence packets are used to

play background noise at the peer maintain UDP NAT binding avoid drop in the TCP congestion window

Putting a call on hold 1 packet/3 seconds to call-peer or Skype node same reasons as above

Codec frequency range 50-8,000 Hz (total bw of 3 kilobytes/s)

Reasonable call quality at (4 kilobytes/s)

29

Skype Functions: KEEP ALIVESkype Functions: KEEP ALIVE

Refresh message over TCP to SN every 120 seconds

Refresh message size: 2 bytes

30

Skype Functions: Skype Functions: CONFERENCINGCONFERENCING A, B, and C have public IP addresses

1: B-A Call

A: 1.6 GHz Pentium4, 512 MB RAM

B: 3 GHz Pentium4, 1 GB

C: 3 GHz Pentium4, 1 GB

31

Skype Functions: Skype Functions: CONFERENCINGCONFERENCING



A, B, and C have public IP addresses

1: B-A Call

2: B-C Call


32


1: B-A Call

2: B-C Call

B decides to initiate a conference




33


B

C A+B

A+C




34

Skype, MSN, Yahoo and TalkSkype, MSN, Yahoo and TalkApplication version

Memory usage before call (caller, callee)

Memory usage after call (caller, callee)

Process priority before call

Process priority during call

Mouth-to-ear latency

Skype

1.4.0.84 19 MB, 19 MB

21 MB, 27 MB

Normal High 96ms

MSN 7.5 25 MB, 22 MB

34 MB, 31 MB

Normal Normal 184ms

Yahoo

7.0 beta 38 MB, 34 MB

43 MB, 42 MB

Normal Normal 152ms

GTalk 1.0.0.80 9 MB, 9 MB 13 MB, 13 MB

Normal Normal 109ms

35

Mouth-to-ear latency setupMouth-to-ear latency setup

36

Mouth-to-ear latencyMouth-to-ear latency

37

Skype Super NodesSkype Super Nodes Skype super node: A node with which a

Skype establishes a TCP connection at login 8,153 successful login attempts over four

days 35% hostnames had a .edu suffix

102 universities 894 unique super nodes Unique SN IP distribution:

US 83.7%, Asia 8.9%, Europe 7.1% Top 20 nodes received 43.8% of the total

connections Top 100 nodes: 70.5%

38

Skype Super NodesSkype Super Nodes

Unique SNs per day

Cumulative unique SNs

Common SNs between previous and current day

Day1 224 224

Day2 371 553 42

Day3 202 699 98

Day4 246 898 103

39

Skype Super Node MapSkype Super Node Map

40

ConclusionConclusion Selfish application

Uses best CPU and bandwidth resources Evades blocking Change application priority to ‘High’ after call establishment No application configuration to prevent machine from

becoming a super node. Possible by limiting per-process bandwidth

Code obfuscation, runtime decryption Login server and super nodes, not strictly peer-to-peer STUN and TURN equivalent functionality Combination of hashing and controlled flooding Multiple paths for ‘in-time’ switching incase of failures Search falls back to login server

41

Questions?Questions?