
Blocking least cost routing of packets for Skype

Skype architecture then and now:
We have two international offices conferencing over Skype, and occasionally the call quality is quite low. Skype routes packets peer-to-supernode-to-supernode-to-peer. This creates a path of least latency and fewest hops for packets to traverse between Skype peers. Since MSFT brought all the Skype SuperNodes under its control, the network architecture of Skype changed a bit: they control all the SuperNodes, so it is possible that the network can be more overtaxed than it was before, although I'm sure they will scale to accommodate the network. MSFT utilizes Akamai for Windows Update distribution, and I'm sure they also leverage their global data centers for Skype SuperNodes. There is still some direct peer-to-peer activity occurring with chat, voice, and video, and this is what we're going to block.

Skype client packet routing:
The Skype client uses an algorithm to determine how to route packets between peers. One consideration the client's algorithm seems to make is a heavy preference for routing packets over the least cost route, as determined externally to the Skype client. For instance, we have a VPN between two of our international offices, and the default gateway routers at these offices both have the subnet of the other office in their routing table. The Skype client must recognize that the peers are accessible directly via the least cost route (one hop), versus over the internet (more than one hop). So, if you are communicating with another Skype peer via a least cost route, say an IPsec VPN, then your encrypted Skype packets will traverse the VPN, IPsec overhead and all.

The packets must (not) flow:
The method I determined that would be best to handle this situation was to leverage the local Windows firewall on each peer to stop target packets from flowing. To direct the Skype client to use specific ports to connect to peers, you can configure a few registry keys:

To configure the client to utilize ports 80 and 443, set the following:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone /v ListenHTTPPorts /t REG_DWORD /d 0 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone /v ListenPort /t REG_DWORD /d 1 /f

Add firewall rules on both sides:
On Windows XP:

ipseccmd.exe -x -w reg -p "BlockSkype_80_443" -r "Block 80 and 443 to 192.168.100.10" -f 0:*=192.168.100.10/255.255.255.255:80:TCP 0:*=192.168.100.10/255.255.255.255:80:UDP 0:*=192.168.100.10/255.255.255.255:443:TCP 0:*=192.168.100.10/255.255.255.255:443:UDP

On Windows 7+:

netsh ipsec static add policy "BlockSkype_80_443" assign=yes
netsh ipsec static add filterlist "Skype Targets"
netsh ipsec static add filter filterlist="Skype Targets" srcaddr=me srcport=0 dstaddr=192.168.100.10 dstmask=32 dstport=80 protocol=UDP
netsh ipsec static add filter filterlist="Skype Targets" srcaddr=me srcport=0 dstaddr=192.168.100.10 dstmask=32 dstport=443 protocol=UDP
netsh ipsec static add filter filterlist="Skype Targets" srcaddr=me srcport=0 dstaddr=192.168.100.10 dstmask=32 dstport=80 protocol=TCP
netsh ipsec static add filter filterlist="Skype Targets" srcaddr=me srcport=0 dstaddr=192.168.100.10 dstmask=32 dstport=443 protocol=TCP
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add rule "Block 80 and 443 to 192.168.100.10" policy="BlockSkype_80_443" filterlist="Skype Targets" filteraction="Block"
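The IPsec filters above drop every process's traffic to 192.168.100.10 on 80/443, so a web service on that peer is cut off as well. As an added example (not from the original post), the same block expressed as program-scoped Windows Firewall rules on Windows 7+, so only Skype.exe's direct traffic to the peer subnets on those ports is dropped. The rule name, peer subnets and Skype install path are assumptions; run it elevated on both sides of the VPN.

```powershell
# Added example, not from the original post. Blocks only Skype.exe's direct
# 80/443 traffic to the VPN peer subnets with program-scoped Windows Firewall
# rules (netsh advfirewall, Windows 7 / Server 2008 R2 and later), so other
# services the peers expose on those ports stay reachable. Run elevated, on
# both sides of the VPN. Rule name, subnets and install path are assumptions.
$RuleName = "BlockSkype_80_443_Direct"
$SkypeExe = "C:\Program Files (x86)\Skype\Phone\Skype.exe"   # assumed install path
$PeerNets = @("192.168.100.0/24", "192.168.200.0/24")        # constructed peer subnets
$Ports    = "80,443"

function Add-SkypeBlock {
    $remote = $PeerNets -join ","    # netsh accepts a comma-separated remoteip list
    foreach ($proto in "TCP", "UDP") {
        # Outbound: our Skype.exe -> peer on 80/443 (the least cost path over the VPN)
        netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
            program="$SkypeExe" protocol=$proto remoteip=$remote remoteport=$Ports | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh add rule (out/$proto) failed" }
        # Inbound mirror: peer -> our Skype.exe listening on 80/443
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
            program="$SkypeExe" protocol=$proto remoteip=$remote localport=$Ports | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh add rule (in/$proto) failed" }
    }
}

function Test-SkypeBlock {
    # True when at least one rule with our name exists and shows "Action: Block"
    # (English netsh output assumed)
    $shown = netsh advfirewall firewall show rule name="$RuleName"
    return ($LASTEXITCODE -eq 0) -and [bool]($shown -match "^Action:\s+Block")
}

function Remove-SkypeBlock {
    # Deletes every rule carrying the name (all four created above)
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
}

Add-SkypeBlock
if (-not (Test-SkypeBlock)) { throw "Skype block rules were not applied" }
# Remove-SkypeBlock   # run this to undo the change
```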

Disable firewall policy:
On Windows XP:

ipseccmd.exe -y -w reg -p "BlockSkype_80_443"

On Windows 7+:

netsh ipsec static set policy "BlockSkype_80_443" assign=no

Remove firewall policy:
On Windows XP:

ipseccmd.exe -o -w reg -p "BlockSkype_80_443"

On Windows 7+:

netsh ipsec static delete rule "Block 80 and 443 to 192.168.100.10" policy="BlockSkype_80_443"
netsh ipsec static delete filterlist "Skype Targets"
netsh ipsec static delete policy "BlockSkype_80_443"
netsh ipsec static delete filteraction "Block"

Remove Skype client settings:

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone /v ListenHTTPPorts /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone /v ListenPort /f