Hi, How could it be done to block VoIP at access router? I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number. regards Joe __________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
Tcp/1719 is part of the H323 Gatekeeper default ports (which can be changed) Tcp/1720 is the H.225 call setup port, and I haven't heard of this being a configurable port. HTH, Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP Telephony Support Specialist, IP Telephony Design Specialist, CISSP CCSI #21903 swm@emanon.com -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Shen Sent: Thursday, November 11, 2004 6:40 AM To: NANGO Subject: How to Blocking VoIP ( H.323) ? Hi, How could it be done to block VoIP at access router? I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number. regards Joe __________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
I don't imainge that most voip is h.323 anymore. On Thu, 11 Nov 2004, Joe Shen wrote:
Hi,
How could it be done to block VoIP at access router?
I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number.
regards
Joe
__________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
The following resources may be helpful for H.323: IP Ports and Protocols used by H.323 Devices http://www.teamsolutions.co.uk/tsfirewall.html The Problems and Pitfalls of Getting H.323 Safely Through Firewalls http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html SIP uses TCP port 5060 for signaling, however voice data traffic is carried on random high ports. Some SIP-based VoIP providers route voice data traffic back to a proxy server (I believe Vonage functions in this way), so it may be easier to restrict. Skype requires outbound TCP access to either ports above 1024, or port 80, and they also recommend outbound UDP access to ports above 1024 (as well as in-bound replies), so good luck blocking it. :-( And then there is VoIP as part of IM services (e.g. Apple iChatAV, AOL IM, or Yahoo Messenger), all of which function differently. irwin
Hi,
How could it be done to block VoIP at access router?
I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number.
regards
Joe
__________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
On Thu, 11 Nov 2004, Irwin Lazar wrote:
The following resources may be helpful for H.323:
IP Ports and Protocols used by H.323 Devices http://www.teamsolutions.co.uk/tsfirewall.html
The Problems and Pitfalls of Getting H.323 Safely Through Firewalls http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html
there is probably some traction to be had in reviewing other folks' attempts at this very thing as well. Check out Panama, for instance, their incumbent carrier (C&W as I recall) forced the federal regulators to ban VOIP through all ISP's in Panama, this turned out to be quite unworkable even in the short term. I believe a few other folks have attempted similar regulations with similar success rates :( VOIP, like IM runs, or can be run, across several ports/protocols with and without consistency in even the individual applications. For many things like this, if they are required via legislation in your local area, you might have better luck scoping the regulation's expectations, then using some metrics to show success/failure and WHY those metrics are the way they are. In the end though: "Good luck!" (Also, reference Ito-Jun's message from the IAB about wide scale filtering policies and their effects on the end-to-end nature of the Internet as a whole).
Hmm - just introduce some jitter into your network, and add random delay to the short packets - and no VoIP in your company -:). Other way - block ALL outbound connections (including DNS and HTTPS) and require using proxy, or better do not allow external IP addresses. -:) (I should not be very optimistic about this). ----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com> To: "Irwin Lazar" <ilazar@burtongroup.com> Cc: "Joe Shen" <joe_hznm@yahoo.com.sg>; "NANOG" <nanog@merit.edu> Sent: Thursday, November 11, 2004 9:01 AM Subject: Re: How to Blocking VoIP ( H.323) ?
On Thu, 11 Nov 2004, Irwin Lazar wrote:
The following resources may be helpful for H.323:
IP Ports and Protocols used by H.323 Devices http://www.teamsolutions.co.uk/tsfirewall.html
The Problems and Pitfalls of Getting H.323 Safely Through Firewalls http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html
there is probably some traction to be had in reviewing other folks' attempts at this very thing as well. Check out Panama, for instance, their incumbent carrier (C&W as I recall) forced the federal regulators to ban VOIP through all ISP's in Panama, this turned out to be quite unworkable even in the short term. I believe a few other folks have attempted similar regulations with similar success rates :(
VOIP, like IM runs, or can be run, across several ports/protocols with and without consistency in even the individual applications. For many things like this, if they are required via legislation in your local area, you might have better luck scoping the regulation's expectations, then using some metrics to show success/failure and WHY those metrics are the way they are.
In the end though: "Good luck!" (Also, reference Ito-Jun's message from the IAB about wide scale filtering policies and their effects on the end-to-end nature of the Internet as a whole).
On Thu, 11 Nov 2004, Alexei Roudnev wrote:
Date: Thu, 11 Nov 2004 09:38:00 -0800 From: Alexei Roudnev <alex@relcom.net> To: Christopher L. Morrow <christopher.morrow@mci.com>, Irwin Lazar <ilazar@burtongroup.com> Cc: Joe Shen <joe_hznm@yahoo.com.sg>, NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
Hmm - just introduce some jitter into your network, and add random delay to the short packets - and no VoIP in your company -:).
Alexei: How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :) To Joe Shen: Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings? In the grand scheme of things, and in an evolutionary context certainly, many apps are likely to be proposed in the future, and worse still (in the eyes of many) - IMPLEMENTED, which will likely compel network owners and operators to adjust organizational and infrastructure strategies to meet objectives. As with the introduction of any service or app into the mix, accommodating something means a REQUISITE adjustment in existing operational practices. But WRT VoIP, Consider that by JUST ONE account, the IP telephony market is expected to be a US$1.4 billion business by 2008 - up from $934 million in 2002. This market is expected to experience a annual growth rate of 7.5% through 2008. Again, what is the point.. is it that you wish to block VoIP to in order to DELAY/BUY MORE TIME toward implementing organizational change (slow-rolling, if you are going to be rolling at all), or is it to prohibit without reservation, any VoIP traffic over your netspace? Just curious.. Best, Robert. -------
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
On Thu, 11 Nov 2004, Christopher L. Morrow wrote:
Date: Thu, 11 Nov 2004 19:49:10 +0000 (GMT) From: Christopher L. Morrow <christopher.morrow@mci.com> To: Robert Mathews <mathews@hawaii.edu> Cc: NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
Hi Chris: Indeed.... hegemonic tendencies/behaviour by telcos aside, I was attempting to understand if there were 'some' ORGANIZATIONAL dyscrasias that prohibited 'operationlizing' of VoIP. To be brief, I would humbly submit that any malady in this area is worthy of greater exploration IF ONLY to expedite and effectuate the alignment of org-to-org operational instruments and their respective interfaces. Best, Robert. -------
After reading your kindly reply, I got following list for blocking VoIP at edge router: 1. block traffic on port 1719, 1720 (both tcp/udp), but this could not deal with those who modified signaling port; 2. content filtering by using some special euqipment; , very expensive 3. legismation by gov., well I don't think this could be a method possible 4. ???? for IM with voice ability 5. change QoS level for marked packets, (how could it be done with no QoS network, RED ?) here goes my further question: a) Could WRED be applied with current network for VoIP packets selectively? ( I means RTP packets carrying unwanted VoIP ) b) Is there anyway to cache those equipment modifying signaling port number? c) any better way ? any experience? regards Joe --- Robert Mathews <mathews@hawaii.edu> wrote:
On Thu, 11 Nov 2004, Christopher L. Morrow wrote:
Date: Thu, 11 Nov 2004 19:49:10 +0000 (GMT) From: Christopher L. Morrow <christopher.morrow@mci.com> To: Robert Mathews <mathews@hawaii.edu> Cc: NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can
be gained by blocking VoIP
traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
Hi Chris:
Indeed.... hegemonic tendencies/behaviour by telcos aside, I was attempting to understand if there were 'some' ORGANIZATIONAL dyscrasias that prohibited 'operationlizing' of VoIP. To be brief, I would humbly submit that any malady in this area is worthy of greater exploration IF ONLY to expedite and effectuate the alignment of org-to-org operational instruments and their respective interfaces.
Best, Robert. -------
__________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
If someone want to be insane - allow him to do it; what's the problem? Is this question coming from Panamian government? -:) This is internet - if I have 10 Mbit connection and 100msec latency, I can use it for Voice, no way to block me; if it is 19200bits/second and 2 second latency, I can not. That's all. Other methods can provide temporary reliefe only. ----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com> To: "Robert Mathews" <mathews@hawaii.edu> Cc: "NANOG" <nanog@merit.edu> Sent: Thursday, November 11, 2004 11:49 AM Subject: Re: How to Blocking VoIP ( H.323) ?
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking
VoIP
traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
If someone want to be insane - allow him to do it; what's the problem? Is this question coming from Panamian government? -:)
when you have to comply with some insane gov't ruling at penalty of legal (possibly felony type actions) you will also squeal like the virtual pig...
This is internet - if I have 10 Mbit connection and 100msec latency, I can use it for Voice, no way to block me; if it is 19200bits/second and 2 second latency, I can not. That's all. Other methods can provide temporary reliefe only.
true, this was the arguement put forth to the folks at the time, they still insisted on their backwards, telco-minded thinking... Fortunately after a few months they saw the light and removed the requirement. Joe might not be that lucky, or he might be able to show precedent to others about why it's bad to try to block the voip.
----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com>
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
If someone want to be insane - allow him to do it; what's the problem?
Is
this question coming from Panamian government? -:)
when you have to comply with some insane gov't ruling at penalty of legal (possibly felony type actions) you will also squeal like the virtual pig... To comply with government, it is enough to SHOW blocking - block SIP and H323 standar ports. It is not your concern, if SkyPE can make a tricks.
But I believe, that to comply with anything in Panama you need just to give a $$$, not to set up acll lists.
This is internet - if I have 10 Mbit connection and 100msec latency, I
can
use it for Voice, no way to block me; if it is 19200bits/second and 2 second latency, I can not. That's all. Other methods can provide temporary reliefe only.
true, this was the arguement put forth to the folks at the time, they still insisted on their backwards, telco-minded thinking... Fortunately after a few months they saw the light and removed the requirement.
Joe might not be that lucky, or he might be able to show precedent to others about why it's bad to try to block the voip.
----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com>
On Thu, 11 Nov 2004, Robert Mathews wrote:
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings?
reference panamanian gov'ts choice to protect legacy/incumbant carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?
On Sat, 13 Nov 2004, Alexei Roudnev wrote:
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
If someone want to be insane - allow him to do it; what's the problem?
Is
this question coming from Panamian government? -:)
when you have to comply with some insane gov't ruling at penalty of legal (possibly felony type actions) you will also squeal like the virtual pig...
To comply with government, it is enough to SHOW blocking - block SIP and H323 standar ports. It is not your concern, if SkyPE can make a tricks.
actually you have to block it... after long conversations with them about how it's impossible to block you STILL have to block the traffic, then you hope they get the message when calls still go through and they audit your configurations.
But I believe, that to comply with anything in Panama you need just to give a $$$, not to set up acll lists.
as an american company we try (atleast the internet portion did/does) to uphold the law... bribery is probably even illegal in panama (not a lawyer so I'm not qualified to answer)
On Fri, 12 Nov 2004, Christopher L. Morrow wrote:
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
If someone want to be insane - allow him to do it; what's the problem? Is this question coming from Panamian government? -:)
when you have to comply with some insane gov't ruling at penalty of legal (possibly felony type actions) you will also squeal like the virtual pig...
This is internet - if I have 10 Mbit connection and 100msec latency, I can use it for Voice, no way to block me; if it is 19200bits/second and 2 second latency, I can not. That's all. Other methods can provide temporary reliefe only.
true, this was the arguement put forth to the folks at the time, they still insisted on their backwards, telco-minded thinking... Fortunately after a few months they saw the light and removed the requirement.
Joe might not be that lucky, or he might be able to show precedent to others about why it's bad to try to block the voip.
Chris: Kindly permit me to make one brief related comment regarding your observations. Broadly, whether it is social/economic/governmental policy **INSERT your favourite mandate here** [CALEA and such, to content censoring] that require carriers/providers to make operational adjustments, a catalogue of the ramifications, and in the large - the economic/performance impact [among other effects] on services and subscribers does deserve greater perlustration. Best, Robert. -------
Robert Mathews writes:
On Thu, 11 Nov 2004, Alexei Roudnev wrote:
Hmm - just introduce some jitter into your network, and add random delay to the short packets - and no VoIP in your company -:).
Alexei:
How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :)
Yeah, no jitter for HTTP please (otherwise users will complain when they tunnel their VoIP traffic over TCP port 80 :-). Note that Skype already uses TCP port 80 and 443, at least for control traffic. -- Simon.
On Thu, 11 Nov 2004, Alexei Roudnev wrote:
Date: Thu, 11 Nov 2004 09:38:00 -0800 From: Alexei Roudnev <alex@relcom.net> To: Christopher L. Morrow <christopher.morrow@mci.com>, Irwin Lazar <ilazar@burtongroup.com> Cc: Joe Shen <joe_hznm@yahoo.com.sg>, NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
Hmm - just introduce some jitter into your network, and add random delay
to
the short packets - and no VoIP in your company -:).
Alexei:
How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :) Not too easy, but I can imagine few alghoritms doing it. Remember that VoIP uses short packets, and you cam always recognize Ack and Tcp packets which should not be disrupted. Jitter does not slow down network, except if it interacts with RTT calculartion in TCP/IP.
To Joe Shen:
Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings?
In the grand scheme of things, and in an evolutionary context certainly, many apps are likely to be proposed in the future, and worse still (in the eyes of many) - IMPLEMENTED, which will likely compel network owners and operators to adjust organizational and infrastructure strategies to meet objectives. As with the introduction of any service or app into the mix, accommodating something means a REQUISITE adjustment in existing operational practices.
But WRT VoIP, Consider that by JUST ONE account, the IP telephony market is expected to be a US$1.4 billion business by 2008 - up from $934 million in 2002. This market is expected to experience a annual growth rate of 7.5% through 2008.
Again, what is the point.. is it that you wish to block VoIP to in order to DELAY/BUY MORE TIME toward implementing organizational change (slow-rolling, if you are going to be rolling at all), or is it to prohibit without reservation, any VoIP traffic over your netspace? Just curious..
Best, Robert. -------
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
Date: Fri, 12 Nov 2004 09:46:15 -0800 From: Alexei Roudnev <alex@relcom.net> To: Robert Mathews <mathews@hawaii.edu>, NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
Alexei:
How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :)
Not too easy, but I can imagine few alghoritms doing it. Remember that VoIP uses short packets, and you cam always recognize Ack and Tcp packets which should not be disrupted. Jitter does not slow down network, except if it interacts with RTT calculartion in TCP/IP.
Alexei: Apologize for the delay in getting a reply to you. Regarding your comment on jitter, FLATLY or more generally, if introducing jitter is likely to complicate operational matters elsewhere in the network [whether this complication manifests within one's own network or in another - to which one is inter-connected] I would be inclined to say this effects the overall performance... I did not mean to take more of your time on this. But, I wanted to merely clarify. Best, Robert. -------
I agree with Robert. But if you deal with some super tricked protocols (like SpyPE) and you really want to block VoIP (not show that you comply to regulations, but REALLY block it) - disruption looks as the only real opportunity. For any filterig, I can always create a protocol which will ignore your filters. ----- Original Message ----- From: "Robert Mathews" <mathews@hawaii.edu> To: "NANOG" <nanog@merit.edu> Sent: Saturday, November 13, 2004 11:12 AM Subject: Re: How to Blocking VoIP ( H.323) ?
On Fri, 12 Nov 2004, Alexei Roudnev wrote:
Date: Fri, 12 Nov 2004 09:46:15 -0800 From: Alexei Roudnev <alex@relcom.net> To: Robert Mathews <mathews@hawaii.edu>, NANOG <nanog@merit.edu> Subject: Re: How to Blocking VoIP ( H.323) ?
Alexei:
How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :)
Not too easy, but I can imagine few alghoritms doing it. Remember that
VoIP
uses short packets, and you cam always recognize Ack and Tcp packets which should not be disrupted. Jitter does not slow down network, except if it interacts with RTT calculartion in TCP/IP.
Alexei:
Apologize for the delay in getting a reply to you.
Regarding your comment on jitter, FLATLY or more generally, if introducing jitter is likely to complicate operational matters elsewhere in the network [whether this complication manifests within one's own network or in another - to which one is inter-connected] I would be inclined to say this effects the overall performance...
I did not mean to take more of your time on this. But, I wanted to merely clarify.
Best, Robert. -------
On (13/11/04 12:53), Alexei Roudnev wrote:
I agree with Robert. But if you deal with some super tricked protocols (like SpyPE) and you really want to block VoIP (not show that you comply to regulations, but REALLY block it) - disruption looks as the only real opportunity. For any filterig, I can always create a protocol which will ignore your filters.
no need to create a new protocol, just use an existing one to tunnel the traffic - gre/ip in ip/ipsec/ssl...if someone wants to bypass the filtering badly enough, it is trivial to do and they will likely be willing to put the beefier hardware in place to account for any extra processing overhead. i've also heard of satellite links being used to bypass the filtering...a cheap local phone (or six) can be kept hidden from the authorities for as long as the bribes are paid and/or it doesn't cut too deeply into the ptt's monopoly /joshua -- **** END NANOG CENSORSHIP **** FREE RAS **** FREE WILCO
joshua sahala [13/11/04 19:40 -0500]:
i've also heard of satellite links being used to bypass the filtering...a cheap local phone (or six) can be kept hidden from the authorities for as long as the bribes are paid and/or it doesn't cut too deeply into the ptt's monopoly
Goes on all the time .. just about every "call Asia cheap" phone card you find at ethnic grocery stores stateside uses one of these ... Another way to get cheaper international calls below - that's hitting the headlines in India. Not VOIP based though. Basically - terminating international calls in India, and then changing the CLI on the call to show the call as a local call, saving on settlement charges. BSNL operates most of the fixed line phones in India, and is a government owned telco. Reliance, besides being one of India's largest petrochemical companies, is also a facilities based CLEC, with a rather popular CDMA mobile phone service, and as they now own FLAG, they're an ISP as well ... Two articles should help ... http://sify.com/finance/equity/quarterly_results/fullstory.php?id=13594309 BSNL slaps notice on Reliance Infocomm Wednesday, 20 October , 2004, 14:36 Bharat Sanchar Nigam Limited (BSNL) has said that Reliance Infocomm has to pay more than Rs 120 crore for allegedly routing illegal telephone calls as local calls and slapped recovery notices to the private telecom operator. ''We have issued recovery notices to the company,'' BSNL CMD A K Sinha said. Talking to UNI, Sinha said the amount due would be more than Rs 120 crore. Sinha said Reliance had paid Rs 58 crore as an ''interim arrangement'' to the state-owned company. BSNL had issued the Ambani-owned company a deadline till October 14 to make the payment or face disconnection of points of interconnections (PoIs). Sinha said at 125 PoIs with Reliance, ILD calls were made to look as local or STD calls. Reliance has about 400 PoIs with BSNL. BSNL had alleged that Reliance had tampered with the calling line identification (CLI). He said the recoverable amount from Reliance could amount to over 120 crore, based on methodology in network interconnect agreements phone firms sign with one another so that Reliance subscribers, for instance, can talk to subscribers of other operators like Airtel or BSNL/MTNL and vice versa. These agreements entail payments to one another as IUC, and a payment to BSNL as ADC, paid by private telecom firms, cellular landline or ISD services. ISD operators have to pay Rs 4.25 per minute as ADC (access deficit charge) to BSNL for carrying calls on its nationwide STD network. For local and STD traffic, rates are less about 30 paise to Rs 1.10 a minute. Reliance, as an ISD operator, saves crores of rupees by passing off international calls as local or STD calls. While BSNL has been crying foul saying Reliance's move was a case of illegal termination of incoming ISD calls, Reliance officials maintain affair was no more than a commercial dispute between two operators and a matter of interpretation of rules. Reliance officials are believed to have taken stand that whole thing was a part of its ''home country direct service'', something on lines of a collect call operation. BSNL maintains that such a service requires a tripartite agreement, which should include it besides Reliance and foreign operator(s) and that has not been the case. As ILD operator, Reliance has a firm in US. Therefore, it has been able to bring all its international calls as ISD service provider to its three international gateways in the country, Chennai, Kolkata, Mumbai and from there on changing global CLI into local/STD number. A Reliance spokesperson said so far none of the services have been affected. ----------------- and the aftermath ... http://autofeed.msn.co.in/pandorav3/output/Technology/1aaed735-28d4-4b08-89f... Reliance gets stay on BSNL blackout Business Standard New Delhi, Nov 6: A Division Bench of the Delhi High Court has asked Bharat Sanchar Nigam Ltd (BSNL) to maintain status quo on the interconnect agreement with Reliance Infocomm. The matter will be taken up for hearing on November 30. The Division Bench, comprising Justice Vijender Jain and Justice Anil Kumar, also directed Reliance Infocomm to deposit Rs 40 crore with BSNL by Monday as an interim payment. [INR 40 crore - INR 400 million - ~ 9 million USD --srs] The Division Bench was hearing an appeal by Reliance Infocomm against Thursday's order by a single-judge Bench dismissing its petition seeking to stop disconnection by BSNL for violating the interconnect agreement between the two. It asked BSNL to file its reply to the private telecom operator's appeal and posted the matter for further hearing on November 30. The court also directed Reliance to file an affidavit confirming that it had stopped misrouting of international calls as local calls into the BSNL network. When contacted, BSNL Chairman and Managing Director AK Sinha Sinha said, "We will abide by the court order. We will examine the court judgment and then decide our next course of action." A BSNL official said Reliance continued with its misrouting even in October though it had given an undertaking saying it had stopped such activities from September 16, 2004. BSNL on Thursday disconnected some points of interconnections in Bangalore and Nasik. "This connection was due to some other dispute in payments," an official said. In its first media statement, Reliance today said, " We had filed an appeal before the Division Bench of Delhi High Court against the order of single judge refusing interim relief. The division bench of Delhi High Court has directed BSNL to maintain status-quo and directed Reliance to deposit a further amount of Rs 40 crores. The matter is sub-judice." The private operator had approached the court saying that BSNL should be restrained from disconnecting the points of interconnections as it would cause troubles for its 9 million subscribers. The single judge court had dismissed Reliance's petition saying the manner in which the private operator had conducted its business activities was in dishonest breach of interconnect agreement. Reliance had also appealed for the appointment of arbitrators by the two parties to settle the dues, which the court rejected. The private operator had said that the Home Country Direct service (HCDS) started by it in the US five months ago should be treated differently from the general international long distance calls. In case of ILD calls, the private operator has to pay BSNL Rs 4.25 a minute as access deficit charge for every call terminated in to the latter's network. Reliance said that the HCDS calls should attract the access deficit charge paid in case of a local call as per the interconnection agreement. It claimed HCD was in line with the prevailing international practice and also satisfied the norms set by the International Telecom Union (ITU). In its letter to BSNL, Reliance had proposed the appointment of former Chief Justice of India Justice SP Bharucha as the arbitrator on its behalf. The private operator had also claimed that the total relevant access deficit charges for the traffic terminated on BSNL network as well as other private operators, amounted to Rs 29 crore, which it had already paid to BSNL.
At 9:46 AM -0800 11/12/04, Alexei Roudnev wrote:
Not too easy, but I can imagine few alghoritms doing it. Remember that VoIP uses short packets, and you cam always recognize Ack and Tcp packets which should not be disrupted. Jitter does not slow down network, except if it interacts with RTT calculartion in TCP/IP.
Agreed; presuming you could find a friendly vendor to code such a feature and who has the reasonable hardware to support (as intentional jitter would make for amusing buffer activity on any high speed links). However, attempting to deploy such in the presence of any competitive market would likely result in widespread customer migration. A government or assured monopoly could deploy it, though, and then charge a premium for those who want it removed (i.e. "premium data service") which conveniently happens to match their current voice tariffs... /John
Below, please: s/such/VoIP filtering/ and it will be true. It do not depends of alghoritm you are using. Moreover, if you deploy such service, someone else can deploy VoIP which uses https tunnel to it, and you will not have any chances than to block total https traffic. It (such thing) can be more practical in corporate network (on gateway) or, yep, in case if third force (gov.) requires it and you really want to comply (not to show a compliance). But I just dropped an idea, not the whole solution.
However, attempting to deploy such in the presence of any competitive market would likely result in widespread customer migration. A government or assured monopoly could deploy it, though, and then charge a premium for those who want it removed (i.e. "premium data service") which conveniently happens to match their current voice tariffs...
/John
On Thu, 11 Nov 2004, Robert Mathews wrote: On Thu, 11 Nov 2004, Alexei Roudnev wrote:
Hmm - just introduce some jitter into your network, and add random delay to the short packets - and no VoIP in your company -:).
How exactly then would anyone implement this, without screwing-up the overall performance elements in the network? :) Ask PBI, they've got the first part down at least. --matt@snark.net------------------------------------------<darwin>< The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
SkyPE was designed to work thru any firewalls (except, of course, if you block all outbound connections and require using HTTP proxy) -:). ----- Original Message ----- From: "Irwin Lazar" <ilazar@burtongroup.com> To: "Joe Shen" <joe_hznm@yahoo.com.sg> Cc: "NANOG" <nanog@merit.edu> Sent: Thursday, November 11, 2004 8:16 AM Subject: Re: How to Blocking VoIP ( H.323) ?
The following resources may be helpful for H.323:
IP Ports and Protocols used by H.323 Devices http://www.teamsolutions.co.uk/tsfirewall.html
The Problems and Pitfalls of Getting H.323 Safely Through Firewalls http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html
SIP uses TCP port 5060 for signaling, however voice data traffic is
carried
on random high ports. Some SIP-based VoIP providers route voice data traffic back to a proxy server (I believe Vonage functions in this way), so it may be easier to restrict.
Skype requires outbound TCP access to either ports above 1024, or port 80, and they also recommend outbound UDP access to ports above 1024 (as well as in-bound replies), so good luck blocking it. :-(
And then there is VoIP as part of IM services (e.g. Apple iChatAV, AOL IM, or Yahoo Messenger), all of which function differently.
irwin
Hi,
How could it be done to block VoIP at access router?
I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number.
regards
Joe
__________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
--
--------------------------------------------------------------------------
Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
On Thu, 11 Nov 2004 19:40:29 +0800, Joe Shen said:
How could it be done to block VoIP at access router?
What business issue/problem are you trying to address by blocking VoIP? Since there's so many different things out there (H.323, Skype, the various IM software), a "proper" solution probably depends on what you're actually trying to accomplish. Consider: 1) Your problem is a wonky broken H.323 that dies when it gets a connection from outside. 2) Your problem is "corporate insider uses VoIP to call a competitor and leak trade secrets". 3) Your problem is "VoIP users bypassing billing for telephone calls". All three will require different solutions, and there's probably other scenarios as well.....
--On 11 November 2004 10:46 -0800 Randy Bush <randy@psg.com> wrote:
What business issue/problem are you trying to address by blocking VoIP?
an incumbent telco which also has the monopoly on ip might want to prevent bypass. welcome to singapore, and remember to try the chili crab.
Me I'm trying the IPsec+SIP. Joe might want to try NewPort Networks who claim to be able to find, remove, capture and otherwise prevent bypass using VoIP. I'll be interest to see what they do with the above without breaking VPNs. No recommendation, just read their blurb. They are at: http://www.newport-networks.com/ Alex
participants (16)
-
Alex Bligh -
Alexei Roudnev -
Christopher L. Morrow -
Irwin Lazar -
JC Dill -
Joe Shen -
Joel Jaeggli -
John Curran -
joshua sahala -
just me -
Randy Bush -
Robert Mathews -
Scott Morris -
Simon Leinen -
Suresh Ramasubramanian -
Valdis.Kletnieks@vt.edu