Skype Thoughts: P2P, tiered networks, or security risk?
Colleague Ted Wallingford posted some thoughts last Friday that have taken me a while to digest and muddle through. His post, Could P2P end 2tier before it even starts?, shares Ted's reaction to a piece by another colleague, Bob Frankston, titled Skype as the Future of the Connectivity.
I admit that I'd read Bob's article when he first posted it a couple of weeks back. Read it, but not fully absorbed it. At that point, I had anticipated maybe getting to the Freedom2Connect conference that just concluded in DC. Bob and I were sort of headed to the same dinner. If I'd made it, I really wanted to talk through his thoughts with him.
Let me share the conclusions Ted and Bob seem to have reached first, then I'll share my own thoughts.
Ted says:
But what if we were to start tunnelling data THROUGH Skype endpoints? Not just a VPN, mind you--Skype endpoints are entirely mobile and use a peer-to-peer routing scheme that operates at the application layer. So data tunneled through them isn't subject to the same logistical restrictions as that which is tunneled through a VPN. Plus, unlike a VPN, Skype's protocol is very sticky to block. Sounds like a great way around this whole two-tier Internet messery. Of course, the analogy is sort of like driving a ten ton truck in the fast lane. Once you get the truck in that fast lane, how do you make it go FAST?
Bob's write-up presents several key thoughts, and he points to http://www.secdev.org/conf/skype_BHEU06.handout.pdf for people looking to figure out or understand how Skype works. This work by Philippe Biondi and Fabrice Desclaux has gotten quite a bit of attention since Black Hat Europe in March. If it's an area of interest for you, I encourage you to read it over.
Bob's thoughts triggered Ted's, so let me share a couple of excerpts using bullets just to separate the distinct thoughts:
- This edge approach can also allow the Internet itself to be simplified since the IP address can be used to facilitate routing rather than being overly constrained by having to also serve the role of stable (and dynamic) identifier. Since the identifiers are stable you don't need a mechanism like the DNS to provide stability. Unlike the DNS, the Skype directory is a directory though it also maps identifiers into handles to facilitate rendezvous.
- If the applications themselves are able to participate in finding dynamic paths we can start to move beyond the current Internet's single omniscient backbone that interconnects local LANs. The applications would find a path through a network consisting of way stations. Unlike a router a way station can be a visible transit point or an invisible one.
- The Skype approach doesn't solve all problems of edge relationships. For example, how do you know the JohnSmith you are trying to reach is the one you think it is? Of course you have the same problem in the real world in recognizing friend vs foe so we must tolerate surprises.
So where's the problem? What's the dilemma? I put my corporate enterprise hat on and I see major security risk. I see risk that's very hard to mitigate. I see danger for P2P access into my corporate network from users who have no clue how to manage enterprise security. I see breach, and I see it as a nasty mess.
Don't misunderstand me. I think Bob and Ted made some hugely valuable observations. These are two brilliant minds who've grasped a key nugget of important information. Do not discount their words or ideas. I know I don't.
What it raises for me is a series of questions that I can't answer alone. I don't think the questions are uniquely mine, but perhaps seeing both sides makes them loom larger for me.
- How do we enterprise security managers manage Skype?
- How do we enterprise security managers protect our networks when P2P technologies put the security of the network in the hands of our weakest user?
- How do we do our jobs?
For us VoIP practitioners, developers, implementers and proponents, how do we socialize and aid the integration of P2P technologies into enterprise business? As long as P2P arrives as a "back door" rather than being embraced as a tool that does not increase risk, we will never see it accepted in the enterprise...for good reason. P2P technologies pose a dangerous risk today. They expose the soft underbelly of enterprise network security to the weakest link in security - people.
Those of us who see the value and understand the benefits of P2P as it evolves into some next generation tool need to partner closely with network security industry professionals and leaders to build an approach that brings peer-to-peer out of the darkness of questionable use and into the realm of sound business practice.
Tags: VoIP, VoIP Security, Skype, Peer-to-Peer, P2P