Friday, January 29, 2016

Getting H.323 through Firewalls and NAT by using the free GNU Gatekeeper

The H.323 protocol places IP numbers inside the signaling messages and establishes multiple TCP and UDP connections for a single call. You can't even be sure beforehand of the direction in which some of these connections are established. This makes it harder to get
H.323 through a NAT than other protocols.

To get through firewalls and NATs, the GNU Gatekeeper supports a lot of different traversal methods and protocols. The combination of H.460.18 and H.460.19 (usually called "H.460 NAT traversal" for short) is by far the most common NAT traversal protocol and is supported by virtually all H.323 endpoints today.

The best approach is to place a GNU Gatekeeper on a public IP address in front of your firewall and enable H.460.18 NAT traversal. You don't have to open any inbound port - just allow outgoing connections in your firewall, which is usually the default anyway.

If not all of your endpoints support H.460.18 or if you have a lot of internal calls, you can place a 2nd GnuGk inside your firewall and let it tunnel calls out for all internal endpoints combined. This called a "traversal zone". See Chapter 10 in the GNU Gatekeeper manual how to configure the outside GnuGk as traversal server and the GnuGk inside the firewall as traversal client.

A simple, one gatekeeper configuration for NAT traversal looks like this:

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
EnableH46018=1

[Proxy]
Enable=1
ProxyAlways=1


Register all your endpoints with the gatekeeper, whether they are inside or outside the firewall, and you should be able to make calls in and out.

Thursday, December 3, 2015

GNU Gatekeeper 4.0 available

I am pleased to announce the release of GNU Gatekeeper 4.0.

It is now available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

GnuGk 4.0 includes many new features as well as some important bug
fixes, but remains fully compatible with your previous configuration
files.

Whats new ?
  • rewrite of the H.235 password authentication - much better interoperability and much more secure (it is high time to get ride of MD5 based authentication!)
  • IP authentication for all RAS and Q.931 messages
  • important IPv6 updates and fixes
  • support for TCS0 call transfers ("reroute") that can be initiated from applications
  • better NAT traversal support for unregistered endpoints
  • better blocking of spam calls using SQLAuth
  • per endpoint codec filtering
  • DisplayIE rewriting
  • more secure handling of status port passwords (only hash stored)
  • important fix for ODBC database driver
  • CalledPartyNumber IE rewriting for better Polycom interoperability
  • bug fixes

Some of the new 4.0 features are discussed in more detail this post:
http://blog.gnugk.org/2015/11/gnu-gatekeeper-40-features.html


Changes from 3.9 to 4.0
  • [...PasswordAuth] CheckID switch is now deprecated, use [H235] CheckSendersID instead
  • provide vendor informations from ARQ or Setup as %{Vendor} in SQLAuth CallQuery
  • prepend timestamp to events in status port backlog
  • BUGFIX(Routing.cxx) remove newlines from vendor string before sending out  RouteRequest to virtual queue
  • BUGFIX(gksql_odbc.cxx) fix DSN initialization when having multiple DSNs at the same time
  • new switch: [RoutedMode] UpdateCalledPartyToH225Destination=1 to always rewrite the CalledPartyNumberIE in Setup to the first E.164 of the H.225 destinationAddress
  • BUGFIX(ProxyChannel.cxx) fix crash on shutdown
  • new settings for [RoutedMode] ScreenDisplayIE=: 'Calling', 'Called', 'CallingCalled' to set the DisplayIE to the (rewritten) caller ID
  • new switch: [RoutedMode] AppendToDisplayIE= to add a string to the DisplayIE when ScreenDisplayIE= is on
  • changed default: H.460.18 keep-alive in traversal zone between neighbors now defaults to 19 sec (was 29)
  • new switch: [RoutedMode] H46018KeepAliveInterval=
  • BUGFIX(ProxyChannel.cxx) better port detection for H.239 when IgnoreSignaledPrivateH239IPs=1
  • BUGFIX(gkacct.cxx) %{caller-port} and %{called-port} now default to "0" instead of the empty string when not available (eg. in direct mode) to avoid SQL errors when they are stored in a numeric column
  • BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
  • BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and Windows
  • dump file descriptor usage on USR2 signal (Linux only)
  • new switch [RoutedMode] DisableFastStart=1
  • support for H.235.1, incl. setting and checking tokens in all RAS and Q.931 messages
  • extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931 messages
  • store only PBKDF2 hash for [GkStatus::Auth] password in config, not a recoverable password
  • BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
  • new switch [EP::] DisabledCodecs=
  • much improved TCS0 3rd-party call transfer using 'Reroute' command on status port
  • BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing and a dynamic routing policy sets it
  • BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with more than 64 capability entries in TCS
  • new switch [Proxy] AllowSignaledIPs= to skip to skip auto-detect for network when IgnoreSignaledIPs=1

Friday, November 20, 2015

Wireshark 2 is out - including H.323 over IPv6 decoding

Wireshark 2 has been released. It includes decoding of H.323 over IPv6 wich didn't work properly in all previous version.

Wireshark 2 has a new UI that takes a moment to get used to, but also includes a version with the 'lecacy' UI if you need to get things donme in a hurry and can't fuss with the new UI right now.

Sunday, November 1, 2015

New GNU Gatekeeper 4.0 Features

GnuGk 4.0 is in Beta now. Please give it a try!
http://www.gnugk.org/gnugk-4.0-beta.html


H.235 password authentication

Until now, GnuGk only supported MD5 password tokens well. The password
only secured RRQ and ARQ messages in the direction from the endpoint to
the gatekeeper and MD5 is considered a pretty weak algorithm. MD5
tokens are widely supported by vendors and are usually called "H.235",
but strictly speaking they aren't part of any ITU spec.

The new implementation in GnuGk closely follows the H.235.1
specification. It secures all RAS (RRQ, ARQ, BRQ, DRQ etc.) and all
Q.931 (Setup, Alerting etc.) messages. It also secures both directions,
so the gatekeeper can check every message if it is really from the
endpoint and also the endpoint can make sure its really talking to its
gatekeeper.

The interpretation of H.235.1 varies between vendors (or their
implementation is just buggy, your call). Thats why GnuGk defaults to
rather strict checks, but has configuration switches ([H235] config
section) to enable interoperability with vendor implementations.

During development I ran tests with AudioCodes, Polycom, Inovaphone and
H323Plus endpoints.

For example if you are using a AudioCodes gateway, you should set

[Gatekeeper::Auth]
SimplePasswordAuth=required;RRQ,ARQ,DRQ,RAI,Setup,Alerting,Connect,ReleaseComplete,Facility

[H235]
UseEndpointIdentifier=1
RequireH2351GeneralID=0
FullQ931Checking=1

You can even tighten security with CheckID=1 in [SimplePasswordAuth].


Per endpoint codec filtering

Suppose you have this MCU, that works fine when endpoints use H.263,
but a lot of calls using H.264 fail. Now you can simply disable H.264
in your GnuGk config, even if that MCU doesn't give you that option:

[RoutedMode]
H245Routed=1

[EP::MyMCU]
DisabledCodecs=genericVideoCapability

Now that MCU can't negotiate H.264 any more and all calls will use
H.263. All other endpoint can still use all codecs.

Or suppose you have a Radvision MCU that is rather strict about using
symmetric codecs. Many endpoints don't handle symmetric codec
requirements correctly, but it often helps to simply disable H.239 if
you aren't using it away:

[EP::RadvisionMCU]
DisabledCodecs=extendedVideoCapability;genericControlCapability

If all your endpoints follow all the specs, you'll probably never need
this feature. Unfortunately not all do and thats when this feature
comes in handy.

IPv6 and IPv4-IPv6 conversion

Actually this is not a new feature in GnuGk 4.0, but 4.0 brings some
significant bug fixes and improvements.

We all know IPv6 will come some day, but hasn't so far, because some
equipment still works better with IPv4 or some network doesn't support
it, yet etc.

With GnuGk, you don't have to convert your network to IPv6, you can
simply add it as another option and GnuGk will convert between IPv4 and
IPv6 whenever necessary. So you can keep all your legacy endpoints that
only support IPv4 and still have them reach other endpoints that work
on IPv6.

I would suggest you give IPv6 a try in your network now, before things
get very urgent and must be done in a rush.

The config part in GnuGk is rather easy:

[Gatekeeper::Main]
EnableIPv6=1

In all places where you can put an IPv4 address, you can also place an
IPv6 address.

BTW: If you want to see your IPv6 H.323 calls in Wireshark, you need a
new version. I worked with the Wireshark developers to get the
disection fixed. That patch will probably be in 2.0.0rc1.

Thursday, October 8, 2015

GnuGk 4.0 Beta available

The beta version for the upcoming 4.0 version is now available:

http://www.gnugk.org/gnugk-4.0-beta.html

Most important new features:
  • much improved H.235 password authentication
  • IPv6 updates and fixes
  • support for TCS0 3rd-party call transfer (reroute) for applications
  • disable codecs per endpoint
  • bug fixes

Especially if you use password authentication, it is important that you
try the new version, so we can fix any issues before the release!

The purpose of this beta release is to get feedback. If you find
anything that needs fixing, please let us know!


Full change log:

- BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
- BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and
  Windows
- dump file descriptor usage on USR2 signal (Linux only)
- new switch [RoutedMode] DisableFastStart=1
- support for H.235.1, incl. setting and checking tokens in all RAS and
  Q.931 messages
- extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931
  messages
- store only PBKDF2 hash for [GkStatus::Auth] password in config, not a
  recoverable password
- BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
- new switch [EP::] DisabledCodecs=
- much improved TCS0 call transfer using 'Reroute' command on status
  port
- BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing
  and a dynamic routing policy sets it
- BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with
  more than 64 capability entries in TCS
- new switch [Proxy] AllowSignaledIPs= to skip to skip auto-detect for
  network when IgnoreSignaledIPs=1 (experimental)

Friday, July 10, 2015

GNU Gatekeeper 3.9 released

I am pleased to announce a new release of the GNU Gatekeeper,
version 3.9, now available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.


Whats new in GnuGk 3.9 ?

  • bug fixes, including a crash and hanging status port on Windows servers
  • a new IP/port detection algorithm for endpoints behind NAT that works  well even with unregistered (!) endpoint
  • neighbor pings to speed up call routing if your neighbors are frequently down
  • geo-blocking: with the GeoIPAuth policy, you can allow or block calls based on the location of the IP
  • status port event back log: When you connect to the status port to diagnose an issue, the relevant events are already gone. With this new feature you can tell GnuGk to save the last n events and show them later on. This way you can take a look at eg. the last 100 failed registrations etc.
  • QoS DiffServ marking for RAS, H.225 and H.245 messages (based on patch provided by Vidyo) Now you can set the DiffServ class for signaling messages. Previously you could only mark RTP packets.
  • support for H.235.TSSM: H.235 needs time synchronization between gatekeeper and endpoints and the proposed H.235.TSSM standard provides a means for endpoints to detect that they are not in sync with the gatekeeper and apply a time offset.

Wednesday, April 8, 2015

Please tell us what you think !

I have prepared a short survey to learn more about how you all use the GNU
Gatekeeper, which features you use, what might be missing etc.

Please take a moment to provide some feedback for the future direction
of the GnuGk project:

http://www.gnugk.org/survey-2015.html

Thanks!