Tuesday, April 27, 2010

Is it Possible to Block Skype with DPI ?

My recent Skype-related posts ("Skype to EU Carriers: "The Network is not Yours" - here and "Skype Rising Usage - Best Example for the Net Neutrality Fight" - here) may lead the reader to think that blocking Skype is possible - using DPI technology.

Just add a DPI element (standalone or integrated in some other device) and it will detect Skype (and other Over-The-Top VoIP traffic which compete with the carrier voice revenues) and will block it per the pre-defined policies. Some operators will block it for everybody, some will allow it for some subscribers (line the Orange France case) and block for others.

However, blocking Skype (even if the traffic is accurately detected) is not that easy! A recent VoIP-VoIP.org blog entry from Art Reisman, CTO of APconnections ("Blocking Skype Won’t be Easy" - here) explains "the special case of why blocking Skype traffic is a different animal".

The main issue  is the continues fight - DPI vs. Skype. It is a never-ending engineering challenge. Once a reliable method for detecting and blocking Skype is discovered by DPI engineers - Skype engineers add a new way to bypass it. Since distributing a new client is an easy and quick process, detecting and blocking significant percent of Skype (90-95%), over a long period of time, is a huge challenge.

1 comment:

  1. Here's a helpful resource for blocking Skype and other social media apps on the enterprise network. It's a whitepaper called To Block or Not. Is that the question?”


    It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, SharePoint, etc.)