Does Skype invite viruses?
p2pnet.net News Feature:- Last week Faultline carried its thoughts and impressions from the VON (voice over networks) conference in London and focused on the difference between the instantaneous gratification of Skype for private individuals and the safe and efficient enterprise-wide VoIP implementations, reliant mostly on the SIP protocol.
In a subsequent exchange of emails with Faultline, Rohan Mahy, co-chair of the IETF SIP and SIPPING Working Groups, took issue with some of the things that Niklas Zennstrom of Skype and Kazaa fame said at the conference. Although enterprise VoIP isn’t a central technology to Faultline, it is a valid and radical cost pressure on telcos and an opportunity for various vendors.
Much of the irritation that Mahy showed at the VON conference relates to the Zennstrom view that SIP is a poor protocol because of its inability to handle firewall and NAT traversal. So in Mahy’s own words we thought we’d offer the other side of the argument. ‘There are very few people in the VoIP industry who understand firewall and NAT traversal well. Lots of people in the VoIP industry think that they have some technique which is new and good.
Unfortunately the parts that are new are rarely good and the parts that are good are usually not new. Explaining to these people what is technically broken with their proposals and why is an extremely time consuming process, and is repeated every time a handful of new companies start to go into the operational phase. As a result, the folks who understand these issues either go on a holy war each time a “new great NAT solution” crops up or just ignore the new folks quietly.
‘Implementers want a one-size-fits-all solution where one does not exist. I can describe significant limitations with every approach, but by implementing a handful of these tools and applying the best tool for the situation, you can do much better than just implementing one. When an implementer comes to me or Jonathan Rosenberg, or Jon Peterson and asks how to do NAT or Firewall traversal, most of them are frankly not willing to invest the attention and energy needed to implement real solutions to this problem for VoIP (not for SIP, but for VoIP).
I believe that Niklas [Zennstrom of Skype] is in this category. He is not willing to admit that his solution is completely broken by firewalls that try to block p2p music sharing, that the algorithms which give his product good sound quality can be implemented on any product, and that the supernode model not so occasionally results in very bizarre routing (example: a call within Europe going through Australia).
‘As with anybody who has technical problems with IETF protocols, I invite them to write a description of what problem they are trying to solve which they feel is not addressed by existing protocols and provide some motivation. Zennstrom has not provided any rigorous analysis or even detailed explanation of these alleged technical problems.
‘The traditional telecom folks want to reproduce an environment which is familiar to them. SIP does things differently, but many folks generally stop there and don’t try very hard to understand how to accomplish their goals ‘the-SIP-way’.
‘I believe that Zennstrom has a different motivation. He is providing a packaged service and I believe that he is afraid of the idea of open services and open protocols, because these things directly threaten his business model.’
Mahy thinks that eventually Skype will have to be connected to SIP, otherwise Skype users will be left unable to talk to the rest of the world.
‘Sure, he ‘could’ use something else, but that would be economic suicide. When asked how he would get PSTN numbers assigned he said he would use partners who are telecom operators to provide these. These providers are already using SIP or H.323 and have no economic incentive to ‘each’ build a native-Skype interface on the thin margins that Skype is hoping to garner from its customers.’
So Faultline asked why doesn’t Mahy write a connection to Skype, using the APIs that Skype is intending to publish, after all he has 13 million users?
‘He doesn’t have 13 million ‘active’ users, far from it, so it is really not worth my time. I would rather spend my energy writing a free client with more functionality that is fully open.’
So does Skype need to talk to SIP clients one day or can it just talk to the PSTN and then route back out to SIP clients?
‘That’s missing the point, don’t you think? Say a Skype user in India wants to communicate with me in California on a SIP network. He can make a basic call through 2 gateways with international toll charges.
It’s unlikely that I will see his correct caller ID, and dead certain that we can’t exchange IM, video, presence status, or do file transfers. A pair of implementations using SIP could do this for free over the public Internet.’
Talk then turned to the security that Zennstrom says exists in Skype that doesn’t exist in SIP. Mahy thinks the Skype approach is inviting viruses, Zennstrom says this is not possible. According to Zennstrom there is little danger of a call through Skype resulting in a route for a virus because the recipient is told there is a call for him and is asked to call out to meet it.
Mahy tells us that firewalls are rapidly appearing that deliberately block the use of peer-to-peer networks, including the one Skype sits on, because of security issues.
‘Once my machine is infected with a virus, that virus can do lots of rude things with the Skype API. The virus could call a PSTN toll or international service from my account and leave it up for days. The virus could spam call my entire buddy list a few times an hour. The virus could turn my computer into a remote-control microphone. These are the kinds of issues that IT administrators are concerned about. Also, many administrators want to block p2p to prevent liability from the RIAA and similar groups. With at least one product the side effect is no Skype.’
Peter White - Faultline, UK

June 22nd, 2004 at 3:20 pm
Sounds like Mr White is just jealous because Skype’s success is largely down to the fact that it does handle firewalls successfully, where other VoIP apps don’t.
Can he show us one other freely downloadable application that works out of the box like Skype does, and which doesn’t require any special configuration even when you are using it behind a firewall?
Of course he can’t, because there isn’t, and that is why Skype is so successful.
The last paragraph is particularly silly, it talks about all the terrible things a virus can do AFTER it has got on your machine. Well duh! Of course viruses can do lots of horrible things once you are infected, the question was whether Skype increases your vulnerability to viruses in the first place. The answer is that Microsoft Outlook is infinitely more dangerous than Skype when it comes to being infected by viruses.
June 22nd, 2004 at 4:36 pm
Sadly the Register doesn’t allow comments. So here’s the email I sent them.
Rohan makes some good points but he’s still got his head in the sand.
Skype “just works” and every SIP client and service I’ve used “just doesn’t work”. Until SIP and the SIP client industry understand that, Skype will continue to eat their market. So one day soon, the question will be “When is SIP going to link to the Skype network”, not the other way round.
With my technical hat on, I’m very interested in the technical issues surrounding NAT, Firewalls, directory routing, potential virus infection paths and so on. But as a private individual I just want the damn thing to work. I don’t want to have to involve a sysadmin, especially when the sysadmin is me. The great unwashed really couldn’t care less. If Skype works they’ll use it, until something better comes along.
June 22nd, 2004 at 9:58 pm
Peter.
I’d really like to see you do a review of Firefly Softphone.
www.freshtel.net
craig