Hmm - just introduce some jitter into your network, and add random delay to the short packets - and no VoIP in your company -:). Other way - block ALL outbound connections (including DNS and HTTPS) and require using proxy, or better do not allow external IP addresses. -:) (I should not be very optimistic about this).

----- Original Message -----
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
To: "Irwin Lazar" <ilazar@burtongroup.com>
Cc: "Joe Shen" <joe_hznm@yahoo.com.sg>; "NANOG" <nanog@merit.edu>
Sent: Thursday, November 11, 2004 9:01 AM
Subject: Re: How to Blocking VoIP ( H.323) ?

On Thu, 11 Nov 2004, Irwin Lazar wrote:
The following resources may be helpful for H.323:
IP Ports and Protocols used by H.323 Devices http://www.teamsolutions.co.uk/tsfirewall.html
The Problems and Pitfalls of Getting H.323 Safely Through Firewalls http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html
There is probably some traction to be had in reviewing other folks' attempts at this very thing as well. Check out Panama, for instance: their incumbent carrier (C&W as I recall) forced the federal regulators to ban VOIP through all ISPs in Panama; this turned out to be quite unworkable even in the short term. I believe a few other folks have attempted similar regulations with similar success rates :(
VOIP, like IM, runs, or can be run, across several ports/protocols with and without consistency in even the individual applications. For many things like this, if they are required via legislation in your local area, you might have better luck scoping the regulation's expectations, then using some metrics to show success/failure and WHY those metrics are the way they are.
In the end though: "Good luck!" (Also, reference Ito-Jun's message from the IAB about wide-scale filtering policies and their effects on the end-to-end nature of the Internet as a whole).