The MVS Group

Is Skype VOIP? Can it be blocked?

2011-06-17T07:48:34-05:00

In earlier topics, we have looked at VOIP and how it works. Is Skype also VOIP?

Well I can make this a short topic by giving the answer immediately: yes, it is, and no, it isn’t. Except that that is not an answer. OK, it has to be the long version then.

The term VOIP in general stands for Voice Over IP. This basically means that voice data is carried over IP networks such as the Internet. Obviously in that sense Skype is VOIP—it allows to you call and speak to other people via the Internet. But on the other hand, VOIP is generally used to refer to implementations of the SIP protocol. And this is exactly what Skype does not do. It does not use the standard VOIP protocols, but relies on their own standards. The Skype software is closed-source, so it is not possible to find out how the voice communication actually takes place.

Is this bad? Well, yes and no, again. Of course any company developing software is free to choose if they do that under an open source or a closed source license. But the closed source heritage of Skype means that it is difficult to understand the protocol and make it work under special circumstances. As you may have guessed, the BGAN network is such a special circumstance…

First of all, the cost of data traffic on BGAN is high. And there is no such thing as a fully unmetered, unlimited BGAN connection, contrary to your ADSL or cable at home. The closed source Skype application has been designed to grab as much bandwidth as it can, with a good goal: to make the call as clear (and the sound quality as high) as possible. But BGAN users generally do not want this as they pay per megabyte. It is almost impossible to tell Skype to use less bandwidth. This is one of the reasons that there are alternatives for use on satellite networks; Sea Secure is such an alternative.

Secondly, the Skype application has been designed to try and find holes in firewalls where it can. Do you want your users to be unable to use Skype? Try to block it in your firewall—it cannot be done. Skype will find a hole and the application will work. Again, a good thing for Skype users in homes and offices worldwide, as they do not have to worry that they may not be reachable on Skype—but a bad thing for our average BGAN customer who wants to limit the traffic. This is the reason why MVS has recently launched and is currently testing with some customers a content-filtering firewall: a firewall that actually looks into the data to find what application it is, and then allows or denies based on the kind of application, instead of on IP address or port number as we are used. The firewalls do this by silently allowing Skype’s “hacking” to find firewall holes and actually offering it such a hole to use—and then, when the Skype application has accepted to use the connection, promptly close it. True magic indeed!

As you see, applications that we depend on in our office or at home, may give us headaches when used in a BGAN environment. Keeps life challenging!

Next time, we will take a deeper look into the technical architecture of Skype. We will see how it communicates between hosts and how the security is arranged. Without telling too much, it is interesting to know that when you happen to connect your computer to a network without NAT (so your computer has a public IP address) and you happen to have a reasonably fast connection, Skype may make your computer a ‘supernode’ and use it to relay calls through it from people you don’t even know!

What is WiFi and how does it work?

2011-05-06T07:02:59-05:00

Chances are almost 100% that you are using WiFi—wireless ethernet. Not just on your laptop, but also on your phone, fridge, etc.!

Well, fridge, maybe not yet. But it will not take long any more. In this and the next topic, we will look at how WiFi actually works—it is everywhere. And it is also called “WLAN” (Wireless Local Area Network) or more technically, the IEEE 802.11 standard.

With a WiFi “access point”, a local area network or LAN can be made wireless. The access point provides a “bridge” between the wired network and the wireless devices on that network. A WiFi access point, or hotspot, can be a small indoor device that is simply connected to the existing, wired network, or it can be a bigger box with an external antenna, that can provide a larger coverage area.
In addition, it is also possible to use WiFi without access point at all—any WiFi device can act as its own access point, to create a network between just two devices called an ad hoc network. This kind of wireless network is used in the controller of game consoles, for instance; they use WiFi to connect to the ‘base’ of the console.

As we are dealing with a wireless network, radio waves come into play, and planning of the frequencies used is required. This planning is different depending on the region or country that the WiFi device is in. All WiFi devices work in the 2.4 GHz band (which falls into the S-band, while our satellite signals are usually in Ku, K or Ka band). A new WiFi standard is emerging that uses a 5 GHz frequency (which is C-band) but this is not very widespread yet.

In the US, from the 2.4 GHz band only channels 1-11 can be used, in Europe it’s channels 1-13, and in Japan channels 1-14. From these channel numbers, only channel numbers that are five apart will be non-overlapping; so if you use channel 1 in your house, your neighbor may have trouble using channel 3 or 4. In practice, it can be said that channels 1, 6 and 11 are certain to be non-overlapping and are the only combination possible if you want three channels to operate on. This is why these channels are usually chosen automatically by your WiFi device.
The range of the 2.4 GHz signal with standard hardware is about 30 meters indoors, depending on the kind of structure (concrete of course blocks the radio waves). With directional antennas, a WiFi signal can travel multiple kilometers, but in France and Italy this is not allowed as there, a WiFi signal must stay inside the building.

The overlapping of channels, and standard usage of channels 1, 6 and 11 means that the signal cannot travel as far as your access point ‘pushes’ the neighbor’s away. Finally: as we are talking about radio waves, care must be taken: all data is essentially ‘broadcast’ through the air and can be intercepted (read and/or modified) by anybody. This is an inherent insecurity of any wireless technology, including our satellite connections. Next week, we will look at encryption on WiFi, and see how we can secure the communications.

The AS path decides where we route traffic on the Internet

2011-04-14T10:57:18-05:00

Very recently, a customer question was received saying that a certain IP address was not reachable. What can we do?

In earlier topics, we have seen how the routing protocol BGP makes sure that all networks in the world can talk to each other. This is done by “announcing” a “prefix” to other ISPs. In our case, we announce for instance the prefix 94.229.0.0/21 (i.e. all IP addresses between 94.229.0.0 and 94.229.15.255) to two other ISPs: Telia Sonera and Peer1. On this announcement, an AS number is used. AS stands for “Autonomous System”, in other words, a network that can stand on its own and has a unique routing policy. Our AS number is 41458, so it is said that we “announce the prefix 94.229.0.0/21 from AS 41458”.

Upon receiving a prefix from another ISP, an ISP puts their own AS number in front when telling yet other ISPs about the prefix. For instance, we announce our prefix to Telia Sonera (AS 1299) and Peer1 (AS 13768). These two other ISPs take care of all our Internet connectivity for us. They do that, by announcing our prefix to yet other ISPs, with their own AS number in front. So when Telia Sonera tells, for instance, Level(3) about our prefix, they do so by saying “1299 41458”. This is called the AS path: the number of networks that traffic has to pass to get to the destination. (Note: this is not the same as the number of routers that you see in a traceroute! A network shown in an AS path can be as short as a single router, or as long as a few dozen when seen in a traceroute.)

Now what is important to realize is that the length of the AS path decides which route is best. Our core routers in the POPs look at the AS paths they learn, and the shortest route—i.e. the one with the smallest number of ASs in it—is preferred. Let’s say that Telia Sonera announces to us the prefix 10.199.0.0/16 with an AS path of 1299 65001, and Peer1 announces to us the same prefix with an AS path of 13768 3549 65001, then our routers will prefer to send the traffic to Telia Sonera because they “teach” us the shortest path.

The AS path as seen by our routers can be an interesting troubleshooting tool. In many cases, a traceroute to a certain IP address will not work, but the AS path as displayed by the routers will show what networks the traffic should traverse. It is then a matter of aligning the traceroute with the known AS path, and it is a bit easier to say in whose network the trouble might be.

A final thing to keep in mind: much communication on the Internet is bi-directional, meaning that it does not just go from A to B, but there is also traffic from B to A at the same time. It could very well be that under normal circumstances, traffic travels from A to B via a different path than the traffic from B to A. This is not a problem, but something to take into account when troubleshooting. When asking a customer for a traceroute from A to B to make a problem clear, be sure to also ask for a traceroute from B to A and the full picture will be much easier to see!

As the concept of AS paths and announcing prefixes to each other shows, a company can have complete and full Internet connectivity by connecting to one or two random ISPs and announcing their prefixes. There is not one big “core network” that every ISP has to connect to—far from it, the Internet consists of interconnections between ISPs of all shapes and sizes, and they all exchange traffic, without a “backbone”.

One of the coolest things to see about this is the Opte project, see: http://www.opte.org/maps/ . They create maps that show the paths between two IP addresses. Very artistic!

Circuit Switched or Packet Switched—what’s the difference?

2011-04-08T09:23:47-05:00

You will have heard the terms ‘circuit switched’ and ‘packet switched’ when dealing with BGAN. What are they?

The terms ‘circuit switched’ and ‘packet switched’ refer to the way the connections are built. But in practice, what it turns out to be is: ‘circuit switched means voice, and packet switched means data.
On circuit switched connections, there is a dedicated connection built between point A and point B. This connection is called a ‘circuit’. The circuit can only be used to exchange data between A and B, and A and B will have this connection for their private use as long as the connection is there. Also, the connection stays the same all the time—it does not change, it cannot go and follow a different route suddenly. The two systems, A and B, appear to be directly connected with an electrical wire. You will recognize this from the telephone; by dialing a number, you are requesting a circuit to be set up from your telephone to another phone. Once this has been done, your phone and the other phone are directly connected to each other using a wire, and it is just you two on the connection. Nobody else can use your line at the same time until you stop the call (and break the circuit).

With packet switched, a lot of things are different. First of all, the data that you send will be chopped up in little pieces. These pieces are the packets. Each packet has a label containing the source and the destination of the packet, and based on that label, the packet is sent across the network. On a packet switched network, there are no permanent connections set up, and for each packet received, a router decides where to send it, based on the label. The route that a stream of packets follows may change during the transmission of the stream—let’s say you are transferring a file, and in the middle of the transfer a router fails and is replaced by another router—then the packets just start flowing through the backup router from the moment the failure occurred. From the description you will recognize that the Internet is a packet switched network.

Now the fun starts when circuit switched networks and packet switched networks are mixed. The connections between routers of a packet switched network, are usually circuit switched: for instance between our POPs in New York and Amsterdam we have two dedicated circuits that run only from New York and Amsterdam and cannot be used by other people at the same time. They are circuit switched. But the data we put across those (the service we build on them) is packet switched: our routers talk IP to each other and can send the packets via different routes, perhaps the packets of a single file transfer go along two different routes.

Now as a thought experiment for the weekend: would it also be possible to set up a circuit switched connection across a packet switched network? Think about what would be needed, and don’t be shy to think in ‘virtual’ terms

DNSSEC: The New, Secure Way Of Doing DNS

2011-04-01T06:53:41-05:00

Apart from IPv6, another major Internet infrastructure change is going on right now. It’s called DNSSEC.

After a few updates here about DNS, you know that it is a very important system on the Internet. Without it, you would have to remember IP addresses of all web sites you wanted to visit. And you would not be able to send any e-mail to anyone because there would be no publication possible of what e-mail server handles e-mail for what domain. And that’s just the start. The interesting thing is that DNS was never designed with security in mind. DNSSEC has come to life to resolve this.

With a DNS resolver, such as the servers we have at 195.3.164.19 and 195.3.164.35 (there will be another one next week on 195.3.164.84 by the way) it is very easy to insert “fake” data into it. With one of the most impressive technical terms, this is called “DNS Cache Poisoning”. What happens, is that in a DNS reply, you can put additional data, and a DNS server will then store that data happily.
This means that for instance, if I am a hacker, I can set up a “mean” DNS server for the domain hacker.com. Then I ask a DNS resolver about the IP address for http://www.hacker.com. My “mean” DNS server will answer: the IP address for http://www.hacker.com is 123.45.67.89, and by the way, the address for http://www.bigbank.com is 12.34.56.78. The DNS resolver will happily accept the information about http://www.bigbank.com, and when someone else happens to ask it about http://www.bigbank.com later, it will return the wrong IP address based on my hacking—indeed ‘poisoning’ of the DNS. With this, I could possibly have someone go to a fake bank web site, instead of the real one, and steal all their money…!

With DNSSEC, this kind of thing (which happens more often than you think) is not possible any more. Every zone (a file containing the DNS data for a certain domain) is signed with an encryption key. This encryption key is used by DNS servers to find out if the data is authentic. Only if it turns out that the reply is indeed “true”, the data is used by the resolver. Note well that although there is a digital signature, the data is not encrypted when it travels over the Internet—so the signature doesn’t make the data invisible. The signature is only there to provide confidentiality about the origin.

A DNSSEC-protected zone has a key in it that provide the possibility to prove that the zone’s data can be trusted. This key has a certain validity coming with it: it is not valid forever. Keeping track of how long a key is still valid, is a major task. Apart from the keys that prove the validity of the zone as a whole, there is also a time given with every answer that certifies that the answer is valid for a certain time.

In all, DNSSEC is important to the security of the Internet as a whole, but there are complications. Extra processing power is needed on the DNS servers, for one, and in our satellite environment the extra data that is needed to exchange keys and check the validity of data is not too attractive to our users either. But it’s all in the name of security!

VOIP: data flows on the network

2011-03-07T07:43:04-05:00

In the previous topic we saw what VOIP is and how it can be used on our network. Now, some of the technical stuff.

VOIP data using the SIP protocol consists of two parts: signalling and the actual data. Signalling takes care of the connection setup—it makes the phone ring when someone calls, it shows you the number of the person who calls, etc. The data is the sound of the actual voice of you and the person you are talking to.

The signalling is text-based and it looks quite a bit like HTTP—the way that web pages are served from a web server to your web browser. It can be using TCP (with error correction), UDP (faster, but without error correction) or SCTP (not widely used). The SIP text messages are usually exchanged on port 5060 and they can be of the type REGISTER (where a phone tells its IP address to the VOIP switch), INVITE (to set up a call between two phones), ACK (to confirm that messages have been exchanged reliably), CANCEL (to abort an earlier request), BYE (to stop a call) and OPTIONS (which more or less performs a “dummy” call, where no voice data is exchanged, but the call setup is tested). All these messages are exchanged in clear text. An encrypted VOIP port (5061) has been defined, but is not widely used.

The data is sent using a codec (coder-decoder). This is because an analog signal, such as voice, cannot travel directly over a digital medium, such as the Internet. The voice needs to be translated to a digital form. The codec does this translation from analog to digital and back. The way in which this translation is done, influences the sound quality and the amount of data used to transfer the sound.
A type of codec we see good results with on the network is G.729a. It was developed by a number of big telecommunications companies, including France Telecom and NTT (Japan). It uses a fixed bit rate of 8 kbit/sec and delivers very reasonable speech quality. There are codecs that use more data and deliver a higher sound quality, and of course there are also codecs that use less data, but then the sound will be very bad. In case of VOIP phones on desks, used within offices, a codec like G.722 delivers a far higher sound quality, but the data rate is so high that a customer using it on BGAN would be bankrupt in a day…

What can we do to make VOIP usable? Well, it is important to make sure that packets arrive in the right order, and that there is no packet loss. In the case of packet re-ordering or packet loss on the satellite segment, there is not much we can do. A possible advice could be to use streaming, but obviously this makes the call more expensive (possible even more expensive than making the same call via the voice channel).

VOIP: The History and Basics

2011-02-17T09:37:51-05:00

Some of our customers use VOIP to call via BGAN and we also use it in some offices. What is it?

In the basis, VOIP (or VoIP) just means that a speech signal is transported over an IP network. This IP network can be an internal network (such as the office network) or the Internet. However in casual usage of the term VOIP, it has become more or less synonymous with “cheap calling” as that is what VOIP has basically brought to the world.

As early as in the 1980s, using an IP network to transport voice calls was done. Several programs were created to make calls, some of them even had voicemail. But they had one thing in common: if you used program A, you could only make calls to other users of program A, and not to users with programs B, C or D. So, somebody using Skype would only be able to call another person who uses Skype.
Of course this was not very workable. VOIP programs started to interface with the regular phone network (called POTS, which stands for Plain Old Telephone System, or PSTN, which stands for Public Shared Telephone Network). Using special computers called gateways that are connected to both the POTS network and the IP network, it is possible to make calls from one network to another.

The term “VOIP” just describes a concept; not the protocol used. The most used protocol these days is SIP: Session Initiation Protocol. Using SIP, on a SIP phone (hardware) or a softphone (software) you can make calls to other SIP phones around the world. Your phone number is tied to your username and password, so as long as your phone or computer has some form of Internet connectivity, you can be reached on the same number. SIP also has the capability of using something that resembles an e-mail address as the phone number, but this does not see very widespread usage yet.
Operators of SIP exchanges can use the Internet to connect to each other. For instance, a SIP operator in The Netherlands could set up a connection (‘peering’) with a SIP operator in the USA to exchange SIP calls. A call made from the USA to The Netherlands would then travel over the Internet between the two SIP exchanges, and only the local part would have to go through the PSTN—suddenly making the call a local call instead of an international one, for one or both parties on the call, and possibly even totally free if both parties have a SIP phone connected to their local SIP exchange. This is how VOIP has brought cheap voice calls to the world.

Many companies are employing VOIP using the SIP protocol to lower their communication costs. Most telcos use SIP to deliver international calls, even without telling you. If the party you’re calling reports that they see a strange number in their display when you call, it is probably because the call runs over VOIP somewhere.
However VOIP is not always suitable for use by our customers as a method to lower the costs. The cost for data may be higher than the cost for the same call over the voice channel. Next time we’ll look at how we do VOIP on the MVS network.

APN: The Access Point Name in a 3G Network

2011-02-16T03:06:55-05:00

As a user of BGAN, you will have heard the key term “APN”. What is it?

An easy explanation is “an APN is a list of attributes that a customer needs to log into the network”. That is true, but the technical background is a little more complicated.

The APN—Access Point Name—is something unique to a 3G network. It identifies the IP network that a customer wants to connect to. When a customer has their terminal ready for use, you know that they have a choice where to log in; that could be on the Inmarsat shared APN (bgan.inmarsat.com) for instance, or on an MVS APN (mvs.bgan.inmarsat.com). Both will result in different network properties for the customer; on bgan.inmarsat.com there are only public IP addresses and no firewall, while on mvs.bgan.inmarsat.com the customer can also have private IP addresses and firewall rules. The BGAN network is the same—it transports the data—but the APN defines where the data is going, which could be to any DP connected to the BGAN.

Inside the GGSN, the APN also has a number of other settings. On the Inmarsat GGSNs for instance, it is also defined what the RADIUS servers are for our customers. If somebody tries to attach to the mvs.bgan.inmarsat.com APN, the GGSN knows that it should ask our RADIUS servers if this user is allowed to connect.

Sometimes, the customer is not actually connected to the APN they requested. This is the case in forced routing. On login, the location of the customer is also transmitted to the Inmarsat network, and it decides based on that location whether the customer is in a force routed area. For instance when a customer is in Australia, and the customer selects mvs.bgan.inmarsat.com, the network actually connects the user to the Australian force routed APN. This is done without the user’s knowledge. Everything for such a force routed APN is the same as for the regular APN—except that the traffic comes out in a different place of the GGSN to go to Australia first before going to the DP network.

The End Game Has Started

2011-02-16T03:00:10-05:00

On Thursday 3 February 2011, the last of the IPv4 address blocks were given to the RIRs by IANA.

Yes, I know you will have read about this subject before on this forum, but it remains important and interesting for the future—each step in the process of completely using up IPv4 will result in a new topic here…
Earlier, my prediction was that we would be at this point in March 2011, but the day has come a little sooner. At the end of January, APNIC requested two more /8 blocks from IANA because they could demonstrate that they needed them for further re-distribution to their members (you will remember the structure of IANA holding all IP addresses, then the Regional Internet Registries or RIRs holding large /8 blocks, and then the Local Internet Registries such as MVS who get smaller address blocks from the RIRs).

The assignment of these two blocks from IANA to APNIC meant that there were only five more /8 blocks free. As there are also five RIRs, the so-called “End Game” was started: each RIR got one last /8 block for their members.

They were distributed as follows:

- all addresses starting with 102 go to AfriNIC for Africa;
- all addresses starting with 103 go to APNIC for the Asia/Pacific region;
- all addresses starting with 104 go to ARIN for North America;
- all addresses starting with 179 go to LACNIC for South America; and
- all addresses starting with 185 go to the RIPE NCC for Europe, including the whole of Russia.

This means that the ‘top of the tree,’ IANA, now has absolutely no public IPv4 addresses free any more. Any RIR running out of public IPv4 addresses cannot go to IANA any more for new ones. That means that each RIR will have to continue with what they have in distribution to their members (the LIRs, such as MVS). Each RIR will reserve a block of public IPv4 addresses for newcomers in the market after the beginning of 2012; these will be able to get a /24 (256 public IPv4 addresses) to build their network and offer services, but no more.

As a regular reader of this forum, you will know that this runout of IPv4 may seem a challenge, but it is not like nothing has been done yet—for more than 10 years, people have been deploying IP version 6 already and convincing others to do likewise. All ways have been tried, including performance of a song at the RIPE55 meeting in Amsterdam in 2007, called “The Day The Routers Died”, exactly about this day. You can see and hear it at http://www.youtube.com/watch?v=_y36fG2Oba0 .

What changes for you, our customers? Well, nothing right now. MVS has plenty of public IPv4 addresses still available. The Internet as a whole will also still work as it used to. And you can be sure MVS is working on getting IPv6 on the road!

Packet loss: how to see what you don’t see

2011-02-15T09:48:17-05:00

Users of the network may sometimes describe a problem in terms that they’re seeing ‘packet loss’. What is it?

Data travels over the Internet in packets. Each packet has a header (let’s say: the envelope) which contains the sender and destination address, and content (let’s say the actual letter inside the envelope). As we have seen before, routers transport these packets across the Internet by looking only at the header, and firewalls can block these packets by looking at the header. For TCP communications, he header does not just contain the source and destination address though—there is more.

TCP stands for “Transmission Control Protocol”. It is one of the communication protocols in use on IP networks, and is used for e-mail, web pages, FTP etc. TCP uses the three-way handshake that we have seen before (which makes sure that your computer can talk to a server) but one of the other things it does is that it numbers all packets. This number is in the header of each packet. The reason is that sometimes packets may get re-ordered: they do not arrive in the same order as they were sent. Your computer will then have to put the data back together in the right order. As you can understand, the packet number also helps in finding out if all packets have arrived: the packet number should rise with each packet sent.

Now there are circumstances in which not all packets may arrive. This is called ‘packet loss’. Thanks to the TCP packet number, the computers can see that not all packets have arrived. The receiver can then request from the sender to send some packets again. When this is done, it is called ‘re-transmission’. Thanks to re-transmission, all information arrives eventually—but as you can see, the re-transmission takes time, and that means a lower transfer speed. In general, if there is packet loss, you will notice it because you do not achieve the normal, full speed. Packet loss may for instance occur if the network is overloaded—people send more data to it than it can handle. It may also occur because of packet corruption (e.g. ‘a loose wire’ somewhere) but I have not seen that in the last ten years.
For UDP (used for example for Voice over IP) there is no such scheme. Packets that are lost, are just lost. There is no error recovery. For VoIP, that is on purpose: it doesn’t really matter if one or two packets disappear, the voice will be intelligible still. Should VoIP use TCP communications and it would see packet loss, the retransmissions would lead to huge and unworkable delays, and the phone call would be useless.

As you see, packet loss can be a tricky issue. As it stands now, the MVS network is grossly overdimensioned and can easily handle all data that our customers and ourselves throw at it—so I would be amazed if there was any packet loss anywhere owing to a capacity issue on MVS side. There will be another topic on how to measure this!