PeerToPeer p2p

back to http://scratchpad.wikia.com/wiki/Sasecurity

I have been using the wiana system for separating client bandwidth capabilities for a while now; however, the number of classifications will not be enough to complete the full design of the system. Is there any way to incorporate a station which will allow customised bandwidth control from each client, on a MAC-address-based control? I'd say a packet filter prioritizing HTTP, SMTP, POP and FTP over p2p would be a better approach towards customers.

In an ideal world, that's true. However, it's becoming increasingly difficult to define the traffic flows used by p2p apps.

At present, we use a combination approach of port ranges and deep-packet inspection to deal with p2p apps; this technique obviously has a limited lifespan as p2p protocols evolve. Picture a p2p app that communicates with its peers via https - there would be no way (by means of traffic inspection) to distinguish p2p traffic from legitimate https traffic (since it's encrypted and using a well-known port), thus thwarting any prioritisation schemes you have in mind.

If you wanted to do anything about this, you'd have to resort to analysing the volume of traffic and the destination IP addresses. IMO, this would lead to many false positives and negatives, leading to some "lucky" p2p users and some "unlucky" https users.

We've used the iptables approach in the past as a last resort. We run a free, open access community network that must be used in a community-minded manner for it to be of use to anyone. Bandwidth hoggers who have defeated our combination filters (by whatever means) are temporarily blocked from connecting by iptables; it's the only thing left to do!
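The two fallbacks the reply describes, the volume-plus-destination heuristic for p2p that hides on port 443 and the iptables block as a last resort, as an added example that is not part of the original thread and not the community network's own tooling. Everything in it is constructed: the MAC addresses, the IP ranges (RFC 5737 documentation blocks), the thresholds (20 distinct peers and 500 MB over HTTPS), and the function names. The per-client traffic is made up to show exactly the false positive and false negative the reply warns about; the iptables commands are returned as strings rather than executed, since applying them needs root and the `mac` match module on the gateway.

```python
"""Port-based classification, a fanout/volume heuristic for encrypted p2p,
and the iptables 'last resort'. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known ports the question wants prioritised over p2p (assumed mapping).
PRIORITY_PORTS = {80: "http", 443: "https", 25: "smtp", 110: "pop3", 21: "ftp"}


@dataclass(frozen=True)
class Flow:
    mac: str        # client hardware address, for MAC-based control as asked
    dst_ip: str
    dst_port: int
    nbytes: int


def classify_by_port(flow):
    """Stage 1: the port-range approach. A well-known port looks legitimate,
    which is precisely why p2p over 443 slips through."""
    return PRIORITY_PORTS.get(flow.dst_port, "unknown")


def suspect_p2p_over_https(flows, min_peers=20, min_bytes=500_000_000):
    """Stage 2: for traffic that port matching and DPI cannot see into (here,
    anything on 443) flag clients that talk to many distinct destinations and
    move a lot of data. Thresholds are assumptions; tune for your network."""
    per_mac = defaultdict(lambda: {"peers": set(), "nbytes": 0})
    for f in flows:
        if f.dst_port == 443:
            per_mac[f.mac]["peers"].add(f.dst_ip)
            per_mac[f.mac]["nbytes"] += f.nbytes
    return sorted(
        mac for mac, s in per_mac.items()
        if len(s["peers"]) >= min_peers and s["nbytes"] >= min_bytes
    )


def iptables_block_rules(macs, chain="FORWARD"):
    """Last resort: rules that drop forwarded traffic from the given MACs.
    Returned as command strings (applying them needs root and the mac match)."""
    return [f"iptables -I {chain} -m mac --mac-source {m} -j DROP" for m in macs]


def sample_flows():
    """Constructed traffic, not a capture. Four hypothetical clients."""
    flows = []
    # Client 1: p2p app tunnelling over 443 to 30 peers, 750 MB -> caught.
    for i in range(30):
        flows.append(Flow("02:00:00:00:00:01", f"203.0.113.{i + 1}", 443, 25_000_000))
    # Client 2: heavy but legitimate HTTPS spread across a CDN, 25 hosts,
    # 600 MB -> flagged as well: the "unlucky https user".
    for i in range(25):
        flows.append(Flow("02:00:00:00:00:02", f"198.51.100.{i + 1}", 443, 24_000_000))
    # Client 3: p2p over 443 to only 5 peers but 2 GB -> missed: the "lucky
    # p2p user", because the peer-count threshold is never reached.
    for i in range(5):
        flows.append(Flow("02:00:00:00:00:03", f"192.0.2.{i + 1}", 443, 400_000_000))
    # Client 4: ordinary web and mail, classified by port alone.
    flows.append(Flow("02:00:00:00:00:04", "192.0.2.50", 80, 5_000_000))
    flows.append(Flow("02:00:00:00:00:04", "192.0.2.51", 25, 100_000))
    return flows


def run_demo():
    """Walk the constructed flows through both stages and the block step."""
    flows = sample_flows()
    flagged = suspect_p2p_over_https(flows)
    return {"flagged": flagged, "rules": iptables_block_rules(flagged)}


if __name__ == "__main__":
    for line in run_demo()["rules"]:
        print(line)
```

Running it prints one DROP rule each for clients 1 and 2 and nothing for client 3, which is the reply's point in miniature: the heuristic has no way to tell a busy HTTPS user from a p2p app that speaks HTTPS, and a p2p app with few peers never trips it at all.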