Referring to my previous post (http://goo.gl/wqxvL) on why individuals and businesses should use Voice Over IP services, there has been talk that the telco’s along with the regulators may be considering blocking VOIP services such as skype, googletalk, or other SIP providers.
Sure, from dhiraagu’s and wataniya’s point of view they have “invested so much” in the infrastructure and services that it is losing so much money from voip which effectively bypasses their systems. While I have no figures on how big a component international calls are for them I’m guessing it would be a significant portion of the pie.
But as an internet services subscriber it enrages me that it the current less than the best service that we have might further be crippled by corporate profit maximization. I understand fully it’s hearsay at the moment but why not have a think about what we would do would it were true?
Come to think of it.. it may be in dhiraagu’s interest to block VOIP but what has ROL got to lose? They don’t provide an alternative competing service. This might be a good time to ROL to jump in and say, ‘hey we don’t block voip’ come register with us….
Fig 1 – Basic Voip diagram… internet or other data network is used to transfer voice to a final destination that may be IP or standard telephones.
Assuming it is true, that the telco’s are considering blocking or limiting VOIP services. How would they go about doing it.. from a technical standpoint? A few come to mind…
1. Host Blocking: I guess the easiest in the bunch.. if a service provider has a specific hosts which sets up the call and is easily identifiable or static eg: if SIP registrar address is always ‘sip.voipservice.com’ then the ISP can block this URL and related IP from any communication… Solution: while this may work for service providers who use a specific IP or host all the time it is beatable… refer to ‘when all else fails’ below….
2. Port Blocking: Some VOIP services default to specific ports which are easily identifiable as VOIP service. So the ISP can be relatively confident that if a communication is happening on a certain port that it is probably VOIP (eg SIP defaults to 5060). Not very hard to do. Fortunately not very hard to get around a block either Solution: most service providers such as SIP providers do provide alternate ports on request if you tell them your default port has been blocked. They will tell you to connect on port 5123 instead of 5060 for example. Some voip clients now have special settings which allow you to use port 80 (which will never be blocked by the ISP as it is the same port used for normal web browsing)
3. DNS modification: if the ISP controls the DNS servers they can modify the DNS records (unlikely they will do so but a possibility) to point to somewhere else than your VOIP provider. Eg: if you ask dhiraagu DNS Server where sip.voipservice.com is it can tell you in a modified query that it is for example “127.0.0.1” which would mean your computer. This would result in you not being able to communicate with the actual service provider server. Solution use the IP instead of the URL or switch to a more reliable DNS. Opendns and google public DNS comes to mind.
4. Protocol Blocking: some voip protocols behave in a predictable and defined way, packets they send can be identified, tagged and blocked by the ISP. For example SIP protocol. Generally this can be a good thing as QoS can be setup to give higher priority as it is a latency sensitive service. The same thing can be used against the protocol to block or de-prioritize traffic. Solution encryption. Services such as skype are notoriously hard to block as it is encrypted. Secure SIP can be used for SIP services, and refer to ‘when all else fails’ below….
5. Throttling: while not technically blocking a connection… an ISP may choose to restrict (sometimes to the point of being unusable) a certain host or type of traffic in this case VIOP to a very low speed. This would result in extremely slow and unusable stream which one might hope would discourage the users from using the service and I guess sometimes users end up blaming it on the VOIP provider instead of the ISP who throttles the traffic. Because in such cases other browsing would appear to be properly functional while VOIP services seem crappy. Solution refer to ‘when all else fails’ below….
I’m sure there are tons more ways to block it but if there’s a way to block it I’m sure there’s a way to get around it..
Note on skype: the way skype works with super-nodes, clients and servers, the distributed methodology and the encrypted communications using ports 80 and 443 which are generally always open by the ISP means it is really hard to block. hard being the operative word.. but with deep packet inspection firewalls… and even in skype there is a centralized login/authentication server it seems… it won’t be impossible to block
When All else fails
If nothing else seems to work there are probable solution has been around for a long time. Two solutions comes to mind
Proxy servers: let’s assume for example voipservice.com has been blocked. The ISP’s servers will detect all connections made to this domain and not allow any traffic to be communicated to the domain which will result in service being blocked. Proxy servers work around this by acting as a middle man in between you and voipservice.com. Which means the ISP will no longer be able to tell if you are talking to voipservice.com. it will only see you talking to proxyserver.com for example. So unless proxyserver.com is also blocked you can get around the block. Thankfully there are way more proxies around paid and free than which can realistically be blocked by any ISP. Illustrative example below.
Above: without a proxy ISP can block your connectivity to voipserver.com
Above : with proxy server ISP sees you trying to connect to Proxyserver which is not blocked and they cannot see you trying to connect to voipserver.com through the proxy server. The connection will be allowed.
The proxy method isn’t foolproof as a sophisticated firewall on the ISP side can identify at a deeper level that you are in fact communicating with voipserver.com but if you use a secure voip protocol the ISP sees the data as random garbage and cannot identify it as VOIP.
Full (at least past your ISP) Encryption: Encrypting your whole connection… making sure ISP’s cannot see what you are transmitting or receiving at all… once you get this up and running theoretically the ISP will have NO way of knowing what you are transmitting or receiving, data or voice or video or whatever else… as far as the ISP can see its all a huge jumbled mess… a number of ways to achieve this
VPN’s and encrypted tunnels: there are a number of free and paid VPN service providers out there.. they provide a way to encrypt the connection from your house to their servers with industrial strength and not so industrial strength encryption anything from pptp to ipsec to openvpn.
There are also services like TOR (The onion router) and Gtunnel amongst others which creates an encrypted connections off your computer to a network of computers which works as effectively as a VPN but provides the additional benefit of dynamically routing your data which makes it hard to trace back to you. or to even see a proper pattern... check out https://www.torproject.org/about/overview.html.en
i might also have a look at http://www.boundip.com/ but i can't speak for it as i haven't used it yet...
ISP's cannot look into a properly encrypted VPN connection. thereby enabling you to bypass any controls they have placed on normal traffic. which allows connectivity to VOIP server.
the downside of using VPN's or Proxies is that unless you have a good vpn or proxy server the added latency due to to the routing and encryption via an additional point might make the quality of the calls a bit worse than it would be if it were a direct connection. but i guess if it comes to that beggars can't be choosers as they say :D..
but on the bright side.. a good VPN will get you past almost any restrictions the ISP has placed on you.. (erm.. blocked websites, security from prying eyes.... etc) ahem....
anyhow i think i've gone on way longer than i wanted to.... its a bit more technical then i wanted it to be but i just wanted to outline the basic workings.... if i've made a mistake or if anyone wants to add something pls do let me know by leaving a comment or dropping me an email. i'll try to attend to it asap.
as i've mentioned before the whole VOIP blocking thing is for now at least theoretical... if it does eventually happen i'd be sure to provide some guidance as far as i can... cheers!
------
reading material :
http://disi.unitn.it/locigno/didattica/AdNet/10-11/05-3_VoIP-Skype_H.pdf
https://www.torproject.org/about/overview.html.en
http://gardennetworks.org/products
http://www.boundip.com/
