Skype - how not to be a supernode

As I have discussed before there are issues with running Skype on the University Network. The main issue is the the supernode traffic, remove the supernode issue and Skype is acceptable. So this is where the ability to ‘turn off’ the supernode function in Skype v3.x is a good thing, the problem is that the ‘how to’ is buried in the network admin documentation.
(Thanks to Brian for the heads-up about this setting)

How can we prevent our network from hosting supernodes?

Skype uses peer-to-peer communications in order to allow users to find one another. Consequently, a small percentage of our users will hold a record reflecting the online presence of other users. When one user holds a record concerning the presence of other users, the former is called a “supernode”, or directory node.

Even though the traffic sent to supernodes is negligible, some institutions are interested in preventing users on their network from becoming supernodes and, thereby, answering directory enquiries for other users.

There are several ways to prevent Skype from becoming a supernode:

• Beginning with Skype 3.0, an explicit switch is provided in the registry settings to allow the disabling of supernode functionality.
• Any computer hosted on a network that is behind a network address translation (NAT) device or restrictive firewall will disable supernode functionality.
• Skype clients behind an HTTP or SOCKS5 proxy will not serve as supernodes.

Enterprises typically opt for using the registry setting technique for turning off supernode functionality, simply because it is very straightforward to deploy a Windows GPO that contains the appropriate registry key setting. However, universities often find this more problematic because the computers may not be owned or operated by the host institution, making it difficult or impossible to ensure that registry keys are set properly.

In these cases, it may be more useful to set up a SOCKS5 proxy. Skype can be configured to use a SOCKS5 proxy, regardless of whether the client finds itself on a network with a public IP address or on one with a private IP address.

While the use of a SOCKS5 proxy still requires manual intervention by the user, the use of a proxy allows the economical “shaping” of Skype traffic. It has the additional positive side-effect of reducing supernodes on the network, reducing false-positive intrusion prevention system alarms and allowing for accurate measurement of Skype usage on the proxied network. — Skype [4]

From the Guide for network admins – Skype 3.0 Beta [5] we find the actual registry key where this is set;

HKEY_LOCAL_MACHINE\Software\Policies\Skype\Phone, DisableSupernode, REG_DWORD = {0,1}

0 = supernode enabled
1 = supernode disabled

In a REG file this is;
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
"DisableSupernode"=dword:00000001


Now this solves our supernode issue.

We also recommend that the business version of Skype is used for our environment.

Business friendly features
* Includes Windows Installer (commonly known as MSI).
* Increased security for business users.
* Easy deployment to multiple machines in your company.
* More control for IT administrators.

Now for a solution for our Mac OSX clients … ?

[1] Skype End User License Agreement [Skype]
[2] How to be or not to be a skype supernode? (2006-Oct-14) [VOIP IP Telephony]
[3] skype supernode, Skype and Firewalls, updated information (2007-Jul-25) [VOIP IP Telephony]
[4] Universities section [Skype]
[5] Guide for network admins – Skype 3.0 Beta (PDF) [Skype]
[6] Skype Configuration and Security [University of Waterloo]

About these ads