The term firewall has been completely diluted. If the same thing had happened to anti-virus software we'd be calling file extension based blockers anti-virus agents.
Now, Skype's technique is quite interesting and clearly well executed. But it underlines a fundamental problem with trying to glean protocol information from port numbers and SYN packets. Similarly you can "reverse" SSH connections to bypass incoming connection blockers on firewalls.
Besides, philosophically speaking, trying to allow one form of communication but not another is a losing battle. Any communication channel can be used for any purpose. People have been hiding small messages in bigger ones through steganography for a long time. As long as I have friendly server on the outside to reroute my traffic, there's very little you can actually do (Tor anyone?).
Don't even get me started on NATs. Those things make IPv6 look like god's gift to network engineers.
Friis and Zennstrøm have been using this technology for longer than Skype has existed, their previous venture, the filesharing application Kazaa, used this approach as well and they built Skype on top of the network technology they developed back in those days.
The article is about how it negotiates NAT using forged UDP packets. What is more interesting is how it actually gets past firewalls.
It exploits common default rules in firewalls. ie. to allow web surfing, a firewall will allow port 80, but most of the time it will allow both outbound and inbound 80, rather than just outbound. Skype will listen on a bunch of common ports (80, 25, 110, 443, etc.) and blast out connection requests, and then wait to see which port it actually receives a response on. It will also fall back on using UPnP to find a way through - a protocol that is often overlooked by network admins.
If you netstat while running skype, you will see it listening on a bunch of ports. It often prevents a local web server from starting up. The way it does this is a lot more interesting than the actual NAT punching - skype and kazaa will almost always find a way in and out of a network and they are a pain to block. Joost is also using the same tech stack.
"ie. to allow web surfing, a firewall will allow port 80, but most of the time it will allow both outbound and inbound 80"? outbound http traffic uses ephemeral ports, not 80.
Outbound firewall rules almost never limit the source port, 99.99% of them only limit the destination port. If party A can accept packets on port 80 then almost any client out there can connect to the service on that port. The point being made is that a lot of default firewall rules allow traffic to any port 80 destination and accept traffic from any source to the local port 80.
Now, Skype's technique is quite interesting and clearly well executed. But it underlines a fundamental problem with trying to glean protocol information from port numbers and SYN packets. Similarly you can "reverse" SSH connections to bypass incoming connection blockers on firewalls.
Besides, philosophically speaking, trying to allow one form of communication but not another is a losing battle. Any communication channel can be used for any purpose. People have been hiding small messages in bigger ones through steganography for a long time. As long as I have friendly server on the outside to reroute my traffic, there's very little you can actually do (Tor anyone?).
Don't even get me started on NATs. Those things make IPv6 look like god's gift to network engineers.