How to Block VoIP (H.323)?

Hi,

How could it be done to block VoIP at access router?

I've thought about using an ACL to block UDP port
1719, but this could be overcome by modifying the protocol
port number.

regards

Joe

TCP/1719 is part of the H.323 Gatekeeper default ports (which can be changed)

TCP/1720 is the H.225 call setup port, and I haven't heard of this being a
configurable port.

HTH,

Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist, CISSP
CCSI #21903
swm@emanon.com

I don't imagine that most VoIP is H.323 anymore.

The following resources may be helpful for H.323:

IP Ports and Protocols used by H.323 Devices
http://www.teamsolutions.co.uk/tsfirewall.html

The Problems and Pitfalls of Getting H.323 Safely Through Firewalls
http://www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html

SIP uses TCP port 5060 for signaling; however, voice data traffic is carried
on random high ports. Some SIP-based VoIP providers route voice data
traffic back to a proxy server (I believe Vonage functions in this way), so
it may be easier to restrict.

Skype requires outbound TCP access to either ports above 1024 or port 80,
and they also recommend outbound UDP access to ports above 1024 (as well as
in-bound replies), so good luck blocking it. :(

And then there is VoIP as part of IM services (e.g. Apple iChatAV, AOL IM,
or Yahoo Messenger), all of which function differently.

irwin

There is probably some traction to be had in reviewing other folks'
attempts at this very thing as well. Check out Panama, for instance: their
incumbent carrier (C&W as I recall) forced the federal regulators to ban
VoIP through all ISPs in Panama; this turned out to be quite unworkable
even in the short term. I believe a few other folks have attempted similar
regulations with similar success rates :(

VoIP, like IM, runs, or can be run, across several ports/protocols with and
without consistency even in the individual applications. For many things
like this, if they are required via legislation in your local area, you
might have better luck scoping the regulation's expectations, then using
some metrics to show success/failure and WHY those metrics are the way
they are.

In the end though: "Good luck!" (Also, reference Ito-Jun's message from
the IAB about wide scale filtering policies and their effects on the
end-to-end nature of the Internet as a whole).

Skype was designed to work through any firewall (except, of course, if you
block all outbound connections and require using an HTTP proxy) -:).

Hmm - just introduce some jitter into your network, and add random delay to
the short packets - and no VoIP in your company -:).

The other way: block ALL outbound connections (including DNS and HTTPS) and
require using a proxy, or, better, do not allow external IP addresses.

-:)
(I should not be very optimistic about this).

What business issue/problem are you trying to address by
blocking VoIP? Since there's so many different things out
there (H.323, Skype, the various IM software), a "proper"
solution probably depends on what you're actually trying
to accomplish. Consider:

1) Your problem is a wonky broken H.323 that dies when it
gets a connection from outside.

2) Your problem is "corporate insider uses VoIP to call a
competitor and leak trade secrets".

3) Your problem is "VoIP users bypassing billing for telephone calls".

All three will require different solutions, and there's probably
other scenarios as well.....

Alexei:

How exactly then would anyone implement this, without screwing up the
overall performance elements in the network? :)

To Joe Shen:

Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP
traffic other than freeing bandwidth and CPU churnings?

In the grand scheme of things, and in an evolutionary context certainly,
many apps are likely to be proposed in the future, and worse still (in the
eyes of many) - IMPLEMENTED, which will likely compel network owners and
operators to adjust organizational and infrastructure strategies to meet
objectives. As with the introduction of any service or app into the mix,
accommodating something means a REQUISITE adjustment in existing
operational practices.

But WRT VoIP, consider that by JUST ONE account, the IP telephony market
is expected to be a US$1.4 billion business by 2008 - up from $934 million
in 2002. This market is expected to experience an annual growth rate of
7.5% through 2008.

Again, what is the point... is it that you wish to block VoIP in order
to DELAY/BUY MORE TIME toward implementing organizational change
(slow-rolling, if you are going to be rolling at all), or is it to
prohibit without reservation any VoIP traffic over your netspace? Just
curious...

Best,
Robert.

What business issue/problem are you trying to address by
blocking VoIP?

an incumbent telco which also has the monopoly on ip might
want to prevent bypass. welcome to singapore, and remember
to try the chili crab.

randy

Me, I'm trying IPsec+SIP.

Joe might want to try NewPort Networks, who claim to be able to find,
remove, capture and otherwise prevent bypass using VoIP. I'll be interested
to see what they do with the above without breaking VPNs. No
recommendation, just read their blurb. They are at:
http://www.newport-networks.com/

Alex

Reference the Panamanian gov't's choice to protect legacy/incumbent carrier
business by blocking VoIP. No one said it was 'smart', just that it was
what the gov't wanted. Perhaps Joe lives in a similar situation?

Hi Chris:

Indeed... hegemonic tendencies/behaviour by telcos aside, I was
attempting to understand if there were 'some' ORGANIZATIONAL dyscrasias
that prohibited 'operationalizing' of VoIP. To be brief, I would humbly
submit that any malady in this area is worthy of greater exploration IF
ONLY to expedite and effectuate the alignment of org-to-org operational
instruments and their respective interfaces.

Best,
Robert.

After reading your kindly reply, I got the following
list for blocking VoIP at the edge router:

1. block traffic on ports 1719, 1720 (both tcp/udp),
   but this could not deal with those who modified
   the signaling port;

2. content filtering by using some special equipment,
   very expensive;

3. legislation by gov., well I don't think this could
   be a possible method;

4. ??? for IM with voice ability

5. change QoS level for marked packets
   (how could it be done with no QoS network, RED?)

Here are my further questions:

a) Could WRED be applied with the current network to VoIP
packets selectively? (I mean RTP packets carrying
unwanted VoIP)

b) Is there any way to catch equipment that modifies the
signaling port number?

c) any better way? any experience?

regards

Joe

--- Robert Mathews <mathews@hawaii.edu> wrote:

Robert Mathews writes:

If someone wants to be insane - allow him to do it; what's the problem? Is
this question coming from the Panamanian government? -:)

This is the internet - if I have a 10 Mbit connection and 100 msec latency, I can
use it for voice, no way to block me; if it is 19200 bits/second and 2 second
latency, I can not. That's all. Other methods can provide temporary relief
only.

> Date: Thu, 11 Nov 2004 09:38:00 -0800
> From: Alexei Roudnev <alex@relcom.net>
> To: Christopher L. Morrow <christopher.morrow@mci.com>,
> Irwin Lazar <ilazar@burtongroup.com>
> Cc: Joe Shen <joe_hznm@yahoo.com.sg>, NANOG <nanog@merit.edu>
> Subject: Re: How to Blocking VoIP ( H.323) ?
>
>
> Hmm - just introduce some jitter into your network, and add random delay to
> the short packets - and no VoIP in your company -:).

Alexei:

How exactly then would anyone implement this, without screwing up the
overall performance elements in the network? :)

Not too easy, but I can imagine a few algorithms doing it. Remember that VoIP
uses short packets, and you can always recognize ACK and TCP packets, which
should not be disrupted. Jitter does not slow down the network, except if it
interacts with RTT calculation in TCP/IP.
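Added example (not code from the thread or from any of its participants) illustrating the two points Joe's list and Alexei's reply make: a 1719/1720 port ACL is defeated by moving the signaling port, while the media stream keeps the short, evenly spaced packet shape that can be recognized on any port. The packet records, addresses and thresholds are constructed assumptions, not a real capture.

```python
from collections import defaultdict
from statistics import mean, median, pstdev


def g711_stream(src, sport, dst, dport, start, n):
    # Constructed G.711 stream: 20 ms packets of 160 B voice + 12 RTP + 8 UDP + 20 IP = 200 B
    return [(start + i * 0.020, "udp", src, sport, dst, dport, 200) for i in range(n)]


# Constructed packet records, not a real capture: (timestamp_s, proto, src, sport, dst, dport, ip_len)
SAMPLE = (
    # H.225 call setup on the default port: a port ACL catches this one
    [(0.000, "tcp", "10.1.1.5", 40001, "203.0.113.9", 1720, 120)]
    + g711_stream("10.1.1.5", 16384, "203.0.113.9", 16386, 0.5, 50)
    # second caller moved signaling to 8080, so the ACL misses it...
    + [(5.000, "tcp", "10.1.1.7", 40002, "198.51.100.4", 8080, 120)]
    # ...but the media still has the shape of an RTP voice stream
    + g711_stream("10.1.1.7", 20000, "198.51.100.4", 20002, 5.5, 50)
    # DNS: short UDP packets, but too few and irregular to look like voice
    + [(1.0, "udp", "10.1.1.5", 53001, "10.1.1.1", 53, 70),
       (3.7, "udp", "10.1.1.5", 53002, "10.1.1.1", 53, 82)]
    # bulk TCP download: evenly spaced but large, and not UDP
    + [(2.0 + i * 0.005, "tcp", "10.1.1.9", 45000, "192.0.2.8", 443, 1500) for i in range(50)]
)

# The port ACL discussed in the thread: 1719 (tcp/udp) and 1720 (tcp)
BLOCKED = {("tcp", 1719), ("udp", 1719), ("tcp", 1720)}


def acl_hits(packets, blocked=BLOCKED):
    """Return the packets a simple port-based deny would drop."""
    return [p for p in packets if (p[1], p[5]) in blocked]


def rtp_like_flows(packets, min_pkts=20, max_len=250, max_gap=0.040):
    """Flag UDP flows whose packets are short, near-constant in size and evenly
    spaced: the shape of an RTP voice stream, whatever ports it uses."""
    flows = defaultdict(list)
    for ts, proto, src, sport, dst, dport, ln in packets:
        if proto == "udp":
            flows[(src, sport, dst, dport)].append((ts, ln))
    flagged = []
    for key, pkts in flows.items():
        if len(pkts) < min_pkts:
            continue
        pkts.sort()
        lens = [ln for _, ln in pkts]
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        if mean(lens) <= max_len and pstdev(lens) < 10 and median(gaps) <= max_gap:
            flagged.append(key)
    return flagged
```

The size/spacing heuristic also matches other small, evenly spaced UDP streams (some games and tunnels), so on a real network it marks flows for review rather than serving as a drop rule on its own.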

Joe Shen wrote:

How could it be done to block VoIP at access router?

"I urge all my competitors to do this."

jc

If someone wants to be insane - allow him to do it; what's the problem? Is
this question coming from the Panamanian government? -:)

when you have to comply with some insane gov't ruling at penalty of
legal (possibly felony type actions) you will also squeal like the virtual
pig...

This is the internet - if I have a 10 Mbit connection and 100 msec latency, I can
use it for voice, no way to block me; if it is 19200 bits/second and 2 second
latency, I can not. That's all. Other methods can provide temporary relief
only.

True, this was the argument put forth to the folks at the time; they
still insisted on their backwards, telco-minded thinking... Fortunately
after a few months they saw the light and removed the requirement.

Joe might not be that lucky, or he might be able to show precedent to
others about why it's bad to try to block the voip.

How exactly then would anyone implement this, without screwing up the
overall performance elements in the network? :)

Ask PBI, they've got the first part down at least.

--matt@snark.net------------------------------------------<darwin><
              The only thing necessary for the triumph
              of evil is for good men to do nothing. - Edmund Burke