Re: SECURITY Digest - 25 Oct 2006 (Policy around IP Phones, Skype)

[Cal Frye <cjf () CALFRYE COM>]

 Jeff Uebele ventured to comment, at 10/26/06 8:25 AM:
> Cal,
>
> I have recently removed Skype classes from our P2P folder on the
> PacketShaper in an effort to appease students and faculty that use this
> software. However, I am now seeing these users become SuperNodes with a
> large number of flows, particularly SkypeCommand.
>
> I am curious how you "limit the number of connections a Skype user can
> create and consume." I have previously experimented with flow limits (back
> in version 6.x) but found it created more problems than it solved.
>
> Are you using "policy flowlimit?" If so, what are your settings for maximum
> client-fpm and server-fpm for the classes SkypeCommand and SkypeData?
>
> Thanks for any advice you can provide.

We have most of our ResNet traffic in dynamic partitions. Ahead of that,
however, there are two large classes, one to squelch, the other to assist.
Skype is in the latter. The Telephony class as a group has a 0-1.5Mb/s
partition. Within that, along with Ventrilo, H.323, etc, I have two skype
classes, SkypeCommand has a priority 5 policy, and SkypeData which has a 48k
Rate policy at priority 5.

Truthfully, I think it's the limited partition and the individual rate limits
that keep it in check. I've not seen the Telephony partition reach it's limit
very frequently, and we've had no complaints. I realize, now that you make me
look at the configuration again, our focus was on making it workable, not
explicitly confining it. I misspoke about the absolute limitation of
supernodes; I can't claim there are none. Should we have a time where Skype
dominates the Telephony class, I would try dynamic partitioning by IP, I
think, to keep most folks communicating in there.

Rather than tinker with the default flowlimits, I'm gradually gaining
experience with adaptive response and intend to place the really busy clients
in a penalty box.

For reference, we have 2800 students, and we all share a DS3. Hope this helps.
I copy the list again, since I have to eat some of my words here...
--
-- Cal Frye, Network Administrator, Oberlin College
    www.ouuf.org,  www.calfrye.com,  www.pitalabs.com


"Irreverence is another person's disrespect to your god; there isn't any word
that tells what your disrespect to his god is."