VPN traffic profiling

Using a properly secured VPN, this should not be possible (unless they degrade VPN's in general, of course).

What SB is saying is that you can look at the shape of the VPN traffic and determine with some level of certainty that it's a voice stream, not an e-mail. The VoIP codecs use 20ms or 30ms frames. I'm sure a steady stream of such packets, even encrypted, is detectable. Seeing as the VoIP codecs are sensitive to loss or delay, it's pretty easy to muck up the calls without affecting any other incorrectly shaped traffic much.

Clearwire is very good at killing P2P, so I don't think your encrypted P2P theory is correct either.

But I don't think Vodafone would worry too much about VoIP over VPN in any event. That would be a very marginal threat to them. And tunnelling is not going to do the voice quality any favours plus we're talking NLOS wireless technology which is hardly an ideal backdrop for VoIP quality in the first place.

I know from having talked to senior Vodafone people that they're very worried about VoIP, for obvious reasons. This is why they've delayed flat rate data access for so long. Perhaps they've found a good traffic shaping solution now.

bk wrote:

From what you guys are saying, it seems I'm wrong and VPN wasn't designed to avoid this problem. I therefore consider VPN broken. This is very worrying as I know lots of big companies, banks and even militaries around the world use VPN.

A VPN is a concept so you can't really say they are broken, you could say they are a bad idea but since they are popular and prevalent that would also seem unlikely. You could say a VPN implementation was broken and there are probably some of those around.

As with everything in IT there are different kinds of VPNs, http://en.wikipedia.org/wiki/VPN, but in this discussion the main focus is on one that can provide data confidentiality to stop a traffic carrier from being able to detect a certain class of traffic. As mentioned previously in the thread no VPN worth it's salt is going to be feasible for a carrier to decrypt so this means the carrier will have to rely on using statistical or other means to identify traffic, this was also previously mentioned.

In my opinion using "other means" to identify traffic is not that easy (except for just blocking IP addresses but that could cause legal problems). Sure if you were in a lab monitoring traffic between two routers with Ethereal and some fancy analysis tools you could probably do it. If you're a carrier concerned about getting vast amounts of data across your network I suspect that the expense, expertise and even technology to do the same thing with large traffic volumes is going to make it a big headeache if it is even possible. As an aside the traffic profile of things like gaming, webcams, netmeeting etc. would all look very similar to VoIP so filtering one could block innocent traffic resulting in an increase in support calls which can be could be an even bigger cost. The technology is definitely there to filter high volume plaintext traffic and in fact it can be as easy as dropping undesireable SIP INVITE requests to stop a big portion of VoIP traffic but to do the same thing with encrypted traffic I'm not so sure.

If I had to choose between detecting and filtering certain types of traffic on a VPN or working out mechanisms to get the traffic through undetected I would choose the latter as being the easier task.

Aaron

brilliant stuff lads...makes great reading