Educause Security Discussion mailing list archives
Re: SECURITY Digest - 25 Oct 2006 (Policy around IP Phones, Skype)
From: Cal Frye <cjf () CALFRYE COM>
Date: Thu, 26 Oct 2006 09:08:34 -0400
Jeff Uebele ventured to comment, at 10/26/06 8:25 AM:
Cal, I have recently removed Skype classes from our P2P folder on the PacketShaper in an effort to appease students and faculty that use this software. However, I am now seeing these users become SuperNodes with a large number of flows, particularly SkypeCommand. I am curious how you "limit the number of connections a Skype user can create and consume." I have previously experimented with flow limits (back in version 6.x) but found it created more problems than it solved. Are you using "policy flowlimit?" If so, what are your settings for maximum client-fpm and server-fpm for the classes SkypeCommand and SkypeData? Thanks for any advice you can provide.
We have most of our ResNet traffic in dynamic partitions. Ahead of that, however, there are two large classes, one to squelch, the other to assist. Skype is in the latter. The Telephony class as a group has a 0-1.5Mb/s partition. Within that, along with Ventrilo, H.323, etc., I have two Skype classes: SkypeCommand has a priority 5 policy, and SkypeData has a 48k Rate policy at priority 5. Truthfully, I think it's the limited partition and the individual rate limits that keep it in check. I've not seen the Telephony partition reach its limit very frequently, and we've had no complaints.

I realize, now that you make me look at the configuration again, our focus was on making it workable, not explicitly confining it. I misspoke about the absolute limitation of supernodes; I can't claim there are none.

Should we have a time where Skype dominates the Telephony class, I would try dynamic partitioning by IP, I think, to keep most folks communicating in there. Rather than tinker with the default flowlimits, I'm gradually gaining experience with adaptive response and intend to place the really busy clients in a penalty box.

For reference, we have 2800 students, and we all share a DS3.

Hope this helps. I copy the list again, since I have to eat some of my words here...

--
Cal Frye, Network Administrator, Oberlin College
www.ouuf.org, www.calfrye.com, www.pitalabs.com
"Irreverence is another person's disrespect to your god; there isn't any word that tells what your disrespect to his god is."