An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

1
An Analysis of the Skype Peer-to-Peer Internet
Telephony Protocol

• Salman Baset and Henning Schulzrinne
• April 27, 2006

2
Agenda

• What is Skype?
• What problems does it solve?
• The Skype network
• The Skype software components
• Experimental setup
• The Skype functions
• Skype, MSN, Yahoo and Google Talk
• Skype super nodes

3
What is Skype?

• Peer-to-peer, pc-to-pc, pc-to-phone, phone-to-pc
  VoIP and IM client
• Developed by people who created KaZaa
• SkypeOut (pc-to-phone)
• SkypeOut terms of service governed by the laws
  of Luxembourg
• SkypeIn (phone-to-pc), voicemail
• Supported OS Windows, Linux, MacOS, PocketPC
• A p2p illusion
• Login server
• Buddy-list server
• Servers for SkypeOut and SkypeIn
• Anonymous call minutes statistic gathering

4
What problems does it solve?

• NAT and firewall traversal
• Nielsen September 2005 ratings
• 61.3 of US home internet users use broadband
• (http//www.nielsen-netratings.com/pr/pr_050928.p
  df)
• Most users have some kind of NAT
• Phone-to-pc calling, SkypeIn
• Configuration-less connectivity

5
The Skype Network
6
The Skype Network (contd)

• Ordinary host (OH)
• A Skype client
• Super nodes (SN)
• A Skype client
• Has public IP address, sufficient bandwidth,
  CPU and memory
• Login server
• Stores Skype ids, passwords, and buddy lists
• Used at login for authentication
• Version 1.4.0.84 212.72.49.141 and 195.215.8.141

7
Skype Components

• Ports
• No default listening port
• Randomly chooses a port (P1) on installation
• Opens TCP and UDP listener sockets at P1
• Opens TCP listener sockets at port 80 (HTTP) and
  port 443 (HTTPS)

8
Skype Components (contd)

• Host cache (HC)
• IP address and port number of online Skype nodes
  (SNs)
• Maximum size 200 entries
• Liang, Kumar and Ross. Understanding KaZaA
• 200 entries for ordinary nodes (ON)
• Login server IP address and port number
• HC Windows location
• C\Documents and Settings\All Users\Application
  Data\Skype

9
Skype HC
10
Skype Components (Contd)

• Codecs (GlobalIPSound)
• Wide band codecs (50-8,000 Hz)
• iLBC (packet size 20 and 30 ms bitrate 15.2
  kbps and 13.3 kbps)
• iSAC (packet size 30-60 ms bitrate 10-32 kbps)
• G.729 for SkypeOut?
• Buddy list
• Stored in config.xml file
• C\Documents and Settings\ltXP usergt\Application
  Data\Skype\ltskype user idgt
• ltCentralStoragegt ltLastBackoffgt0lt/LastBackoffgt
  ltLastFailuregt0lt/LastFailuregt
  ltLastSyncgt1120325519lt/LastSyncgt
  ltNeedSyncgt0lt/NeedSyncgt ltSyncSetgt ltugt
  ltskypebuddy1gtf384d3a01lt/skypebuddy1gt
  ltskypebuddy2gt7d1dafc41lt/skypebuddy2gt

11
Agenda

• What is Skype?
• What problems does it solve?
• The Skype network
• The Skype software components
• Experimental setup
• The Skype functions
• Skype, MSN, Yahoo and Google Talk
• Skype super nodes

12
Experimental Setup

• We have NOT reverse engineered Skype executable
  but it can be done (Biondi and Desclaux)
• Skype version Linux v1.2, Windows v1.4.0.84
• Experiments performed between June-July and
  Nov-Dec 2005
• Tools Used
• Ethereal (for packet capture)
• NetPeeker (for tuning per process bandwidth)
• NCH Tone generator (for generating tones of
  various frequencies)
• APIMonitor (for monitoring the system calls)
• LD_PRELOAD Linux shared library and system call
  interception
• Skype fails to run with ltrace and strace

13
Overloaded strcpy() function

• char strcpy(char dest, const char src)
• void handle NULL
• double (mystrcpy)(char dest, const char src)
• long temp
• handle dlopen("/lib/libc.so.6", RTLD_LAZY)
• mystrcpy dlsym(handle, "strcpy")
• temp (mystrcpy)(dest, src)
• dlclose(handle)
• return dest

14
Experimental Setup (Contd)
Public
NAT
Firewall
15
Port-restricted NAT
16
Skype Functions

• Startup
• Login
• User search
• Call establishment
• Media transfer
• Keep-alive
• NAT and firewall traversal
• Conferencing

17
Skype Functions STARTUP

• First time startup
• GET /ui/0/97/en/installed HTTP/1.1
• Normal startup
• GET /ui/0/97/en/getlatestversion?ver0.97.0.6
  HTTP/1.1

18
Skype Functions LOGIN

• Establishes a TCP connection with SN
• Authenticates with the login server and gets a
  certified public key
• Bootstrap super nodes
• Hard-coded in Skype

IP addressport Reverse lookup result Authority section
66.235.180.933033 sss1.skype.net ns1.hopone.net
66.235.181.933033 No PTR result ns1.hopone.net
212.72.49.14333033 No PTR result ns07.customer.eu.level3.net
195.215.8.14533033 No PTR result ns3.DK.net
64.246.49.6033033 rs-64-246-49-60.ev1.net ns2.ev1.net
64.246.49.6133033 rs-64-246-49-61.ev1.net ns2.ev1.net
64.246.48.2333033 ev1s-64-246-48-23.ev1servers.net ns1.ev1.net
19
Skype Functions LOGIN
20
Skype Functions LOGIN

• Public, NAT
• Establishes a TCP connection with the SN
• Authenticates with the login server
• Announces arrival on the network (controlled
  flooding?)
• Determines NAT type?
• Firewall
• Establishes a TCP connection with the SN
• Authenticates with the login server

21
Skype Functions LOGIN
SSL client_key_exchange
SSL version
16 3 1 0 0
17 3 1 0 0
16 3 1 0 0 . . . .
17 3 1 0 0 len . . . .
22
Skype Functions USER SEARCH

• From the Skype website
• Guaranteed to find a user it exists and logged in
  the last 72 hours
• Search results are cached at intermediate nodes
• Unable to trace messages beyond SN
• Cannot force a node to become a SN
• Host cache is used for connection establishment
  and not for SN selection
• User does not exist. How does search terminate?
• Skype contacts login server for failed searches
• SN searches for a user behind UDP-restricted
  firewall
• Same wildcard (sal) search query from two
  different machines initiated at the same time
  gives different results

23
Skype Functions CALL ESTABLISHMENT

• Call signaling always carried over TCP and goes
  e2e
• Calls to non buddiessearchcall
• Initial exchange checks for blocked users
• Public-public call
• Caller SC establishes a TCP connection with
  callee SC
• Public-NAT
• Caller SC is behind port-restricted NAT
• Caller----gtSkype node (SN?) ----gt Callee
• TCP connection established between caller,
  callee, and more than one Skype nodes
• Unknown How a node is selected to route calls
  from caller to callee?
• Perhaps determined at login
• Firewall-firewall call
• Same as public-NAT but no in-UDP packets

24
Skype Functions CALL ESTABLISHMENT

• Caller is behind port-restricted NAT and callee
  has a public IP address

25
Skype Functions CALL ESTABLISHMENT

• Caller and callee are behind port-restricted NAT
  and UDP-blocking firewall

26
Skype Functions Summary
Public NAT Firewall
Login 10 KB 11 KB 7 KB
Search 1-2 KB 1-2 KB 5-7 KB
Call establishment 6 KB 8 KB 8 KB
Public NAT Firewall
Login 3-7 seconds 3-7 seconds 30-35 seconds
Search 3-4 seconds 5-6 seconds 10-15 seconds
27
Skype Functions MEDIA TRANSFER

• 10/100 Mbps Ethernet
• iSAC codec was used (adaptive bit-rate)

Public-public NAT-public Firewall-firewall
Packet size 40-120 bytes 40-110 bytes 30-90 bytes
Stream bw 5 kilobytes/s 5 kilobytes/s 5.5 kilobytes/s
Transport UDP UDP TCP
28
Skype Functions MEDIA TRANSFER

• No silence suppression
• Silence packets are used to
• play background noise at the peer
• maintain UDP NAT binding
• avoid drop in the TCP congestion window
• Putting a call on hold
• 1 packet/3 seconds to call-peer or Skype node
• same reasons as above
• Codec frequency range
• 50-8,000 Hz (total bw of 3 kilobytes/s)
• Reasonable call quality at (4 kilobytes/s)

29
Skype Functions KEEP ALIVE

• Refresh message over TCP to SN every 120 seconds
• Refresh message size 2 bytes

30
Skype Functions CONFERENCING

• A, B, and C have public IP addresses

A 1.6 GHz Pentium4, 512 MB RAM
1 B-A Call
B 3 GHz Pentium4, 1 GB
C 3 GHz Pentium4, 1 GB
31
Skype Functions CONFERENCING

• A, B, and C have public IP addresses

A 1.6 GHz Pentium4, 512 MB RAM
1 B-A Call
B 3 GHz Pentium4, 1 GB
2 B-C Call
C 3 GHz Pentium4, 1 GB
32
Skype Functions CONFERENCING

• A, B, and C have public IP addresses

A 1.6 GHz Pentium4, 512 MB RAM
1 B-A Call
B 3 GHz Pentium4, 1 GB
B decides to initiate a conference
2 B-C Call
C 3 GHz Pentium4, 1 GB
33
Skype Functions CONFERENCING

• A, B, and C have public IP addresses

A 1.6 GHz Pentium4, 512 MB RAM
B
AC
C
AB
B 3 GHz Pentium4, 1 GB
C 3 GHz Pentium4, 1 GB
34
Skype, MSN, Yahoo and Talk
Application version Memory usage before call (caller, callee) Memory usage after call (caller, callee) Process priority before call Process priority during call Mouth-to-ear latency
Skype 1.4.0.84 19 MB, 19 MB 21 MB, 27 MB Normal High 96ms
MSN 7.5 25 MB, 22 MB 34 MB, 31 MB Normal Normal 184ms
Yahoo 7.0 beta 38 MB, 34 MB 43 MB, 42 MB Normal Normal 152ms
GTalk 1.0.0.80 9 MB, 9 MB 13 MB, 13 MB Normal Normal 109ms
35
Mouth-to-ear latency setup
36
Mouth-to-ear latency
37
Skype Super Nodes

• Skype super node A node with which a Skype
  establishes a TCP connection at login
• 8,153 successful login attempts over four days
• 35 hostnames had a .edu suffix
• 102 universities
• 894 unique super nodes
• Unique SN IP distribution
• US 83.7, Asia 8.9, Europe 7.1
• Top 20 nodes received 43.8 of the total
  connections
• Top 100 nodes 70.5

38
Skype Super Nodes
Unique SNs per day Cumulative unique SNs Common SNs between previous and current day
Day1 224 224
Day2 371 553 42
Day3 202 699 98
Day4 246 898 103
39
Skype Super Node Map
40
Conclusion

• Selfish application
• Uses best CPU and bandwidth resources
• Evades blocking
• Change application priority to High after call
  establishment
• No application configuration to prevent machine
  from becoming a super node. Possible by limiting
  per-process bandwidth
• Code obfuscation, runtime decryption
• Login server and super nodes, not strictly
  peer-to-peer
• STUN and TURN equivalent functionality
• Combination of hashing and controlled flooding
• Multiple paths for in-time switching incase of
  failures
• Search falls back to login server

41
Questions?