Thursday, April 5, 2018

GNU Gatekeeper 4.9 released

This version has new features and a few bug fixes. You can  download it from

Whats new ?

We have 2 new accounting modules: HtttpAcct and AMQPAcct that allow
you to send accounting events via HTTP GET or POST to a web service
or push them into a RabbitMQ queue.

There are also many new accounting placeholders that you can use with
any of the accounting modules and there is a new accounting event
'reject' to track calls rejected with ARJ that went unnoticed before.

The new RTP inactivity checking allows you to drop calls if there
wasn't any RTP activity for a defined amount of time.

GeoIP authentication has been significantly updated to support all
RAS and all Q.931 messages and to support the new Maxmind database
format (GeoIP2).

There were also a few bug fixes:
  • fix crash while handling RTP packets
  • fix disconnecting unregistered endpoints
  • fix crash in some Avaya endpoints when receiving GCF with a gatekeeperIdentifier
  • fix crash when using IPv6
  • fix handling of CloseLogicalChannel

Wednesday, March 21, 2018

What to do when your H.323 videoconferencing equipment reaches end-of-life ?

The big videoconferencing vendors (Polycom, Lifesize, Cisco etc.) only support their products for a limited time. After that they go „end-of-life“ and don't receive any more updates. That doesn't mean they don't work any longer. That H.323 standard how to do video conferences didn't change much in recent years, so there is no need for updates to accomodate other changes. But you there is a certain risk that they may have a security hole that doesn't get fixed any more.

Save money and stay independent

The vendors would prefer if you simply buy something new or subscribe to their proprietary “cloud service”. But to you this means spending money and a possible lock-in into their system versus just keeping systems going that run fine and owning the technology yourself with the independence that comes with it.

Move endpoints inside your firewall to private IPs

One important suggestion is to move end-of-life endpoints away from public IP addresses and to private IPs inside your firewall. Out of convenience many people used to operate their H.323 endpoints on public IPs, but nowadays its not much of a problem to use H.460 NAT traversal and move them to a safe place inside behind a GNU Gatekeeper.

If you have very old endpoints that don't support support H.460 NAT traversal, you can still do this. You just need a 2nd GNU Gatekeeper inside your firewall that tunnels the calls out to your external GNU Gatekeeper on the public IP. (Hey, its a free, you just need a 2nd server!)

Replace infrastructure devices with a GNU Gatekeeper

Some infrastructure devices (gatekeepers, gateways, proxies etc.) need to be on public IPs and thus there is a risk of exposing possible security holes to the open internet. Many of those can be replaced with a GNU Gatekeeper. Keep in mind it can be configured to do many different things that ordinary gatekeepers don't do.

Wednesday, January 17, 2018

GNU Gatekeeper 4.8 released

GNU Gatekeeper version 4.8 has been released

This version has many new features. You can download the new version from


New maintenance mode: When you need to take down your GnuGk server
(eg. for an OS update), you can switch GnuGk to maintenance mode where
it will only allow ongoing calls to finish and automatically redirects
all idle endpoints to an alternate GnuGk server.
The status port command is "MaintenanceMode <alternate IP>".

Detailed information about ongoing calls: You can now display lots of
information about each ongoing call (codecs, bandwidth used, IPs etc.).
The web interface has been extended to to show this information.

Easier installation on AWS and inside docker containers. You can now
let GnuGk automatically detect the public IP of your AWS server, even
from within a docker container. You can also automatically insert your
public/external IP into your trace file names to store logs from many
servers in the same directory.

Extended API: Call routing with external applications has been
expanded. You can now set the display names for participants and
desired reject codes on the status port. You can also access the
vendor information of all registered endpoints. The web interface has
been extended to provide this information, too.

HttpPasswordAuth has been greatly extended to fetch password
information from backend servers. We now use curl to support https
and you can add many new placeholders in your queries.

Extended screening and rewriting of display names and calling party

Important bug fixes: Multiplexed RTP is now much more robust and
password authentication to parent gatekeepers has been fixed. There
are also interop fixes for TCP keep-alives.

Please see the full change log below for more details.

Changes from 4.7 to 4.8
  • HttpPasswordAuth: support https and add new placeholders
  • PrintAllRegistrationsVerbose now also shows the endpoint vendor
  • new status port command: MaintenanceMode
  • new status port command: PrintCallInfo
  • allow placeholder %{gkip} and %{external-ip} in [LogFile] Filename=
  • fetch AWS public/elastic IP if ExternalIP=AWSPublicIP
  • new commandline switch: -e / --externalip
  • extend status port command RouteReject to set reject reason
  • extend status port commands RouteToAlias, RouteToGateway etc. to set display IE for calling and called
  • new switch: [LogFile] DeleteOnRotation=1 to delete the old logfile when rotating instead of renaming it
  • new switches: [RoutedMode] AppendToCallingPartyNumberIE= / PrependToCallingPartyNumberIE= to add any string before or after the calling party number IE when ScreenCallingPartyNumberIE=RegisteredAlias
  • when [RoutedMode] ScreenCallingPartyNumberIE= is set to RegisteredAlias, GnuGk sets calling party number IE to the registered alias (forced screening)
  • delete DisplayIE when [RoutedMode] ScreenDisplayIE=Delete
  • new switch [Endpoint] Authenicators=
  • new default: [RoutedMode] GnuGkTcpKeepAliveMethodH225=EmptyFacility
  • new default: [RoutedMode] H460KeepAliveMethodH225=EmptyFacility for Cisco interop
  • new setting "None" for keep-alive methods
  • BUGFIX(ProxyChannel.cxx) fix bugs in H.460.19 RTP multiplexing
  • BUGFIX(ProxyChannel.cxx) don't send H.460 keep-alive to non-H.460 party when calling H.460 party
  • BUGFIX(Routing.cxx) show called port in RouteRequests (as documented)
  • BUGFIX(GkClient.*) fix password authentication with parent
  • BUGFIX(Routing.cxx) remove semicolon and pipe chars from vendor string in RouteRequests
  • better handling of IPv6 GRQ without RAS address
  • BUGFIX(ProxyChannel.cxx) turn off encryption proxy if DH key is negotiated, but TCS doesn't contain any H.235 entries
  • BUGFIX(ProxyChannel.cxx) fix running in proxy mode on FreeBSD when one Home IP is set
  • BUGFIX(ProxyChannel.cxx) fix DisableSettingUDPSourceIP=1 for Windows, NetBSD, OpenBSD and Solaris
  • BUGFIX(yasocket.cxx) fix LARGE_FDSET for NetBSD, OpenBSD and Solaris

Tuesday, October 10, 2017

Please subscribe to the new mailinglist

The GNU Gatekeeper mailinglist is moving to a new hosting service and you have to re-subscribe to remain on the list and stay informed!

The list has rather litle volume, but you will get announcements of new versions and have a chance to ask question to the community.

Please (re-)subscribe at

If you have been on the old mailinglist, you may also have to update your email filtering rules since the name is changing from "openh323gk-users" to "gnugk-users" (finally!).

Sadly SourceForge is blocking my access to subscriber emails so I can not make this move automatic for existing subscribers. Sorry for the inconvenience!

Wednesday, October 4, 2017

Background: What is an RTP Bleed attack ?

now that hopefully everybody has updated to GnuGk 4.7 here is a little bit of background information on the latest security update:

RTP bleed is an attack that allows the attacker to redirect the RTP media stream (or parts of it) to his own IP without even having to manipulate any IP routing or being in a man-in-the-middle position. It also has good potential to mount a denial of service attack.

This vulnerability is not specific to GnuGk or H.323. It exists in a number of telephony products and RTP proxies. recently Asterisk was found to be vulnerable.

How is this attack possible ?

Originally H.323 announced all the ports that it intended to use inside the signaling and all was well. Then came firewalls and today most endpoints live on private IPs and have no idea what their public IP might be or which port the NAT router assigns then.

Thus H.323 introduced port detection in the form or H.460.19 which only works with registered endpoints and GnuGk extends that to unregistered endpoints with the IgnoreSignaledIPs=1 switch.

This works very well, but it means that GnuGk has to listen to RTP from any IP address and then send RTP for the other direction to what ever IP the sender appears to have. An attacker can now try to send its own RTP packets and trick GnuGk into believing they come from the call participants. And thats really easy, since RTP itself doesn't carry any form of authentication. When receiving such a malicious RTP packet at the right time, GnuGk
would thus send the media stream to the attacker.

The first step to reducing the attack surface is to stop allowing incoming RTP packets to change the send destination after the initial port detection is done. GnuGk has always done this for H.460.19, but not for unregistered calls until version 4.7.

Unfortunately this still leaves the possibility for an attacker to try to send RTP packets before the real call participants do. And since RTP is UDP, it can easily be sent with a spoofed source address to turn this into a hard do defend against denial of service attack.

Since H.323 doesn't make any requirements where RTP will come from, you can't defend against this remaining vulnerability without disrupting some valid configurations.

But is most cases RTP will come from the same IP or at least the same network where the signaling comes from. Thus GnuGk introduces a new switch in version 4.7 so you can tell GnuGk to only accept RTP from these IPs (RestrictRTPSources=Net). Thus an attacker would have to be inside the calling parties network to cause harm which is way more
difficult that to be just anywhere on the internet.

If you use a load balancer or routed mode gatekeepers distributed over multiple networks, you need to take more elaborate steps to secure your network, but the vast majority of users should be able to secure their configurations with RestrictRTPSources=Net. Since we violate the H.323 standard a bit here, the switch is off by default and you will
need to set it explicitly.

I hope this clarifies the issue and explains why you should update and secure your configuration!

Thursday, September 21, 2017

GNU Gatekeeper 4.7 (security update)

This version is purely a security update and has no new features. All users are encouraged to update, especially if you use port detection (IgnoreSignaledIPs=1) you should update ASAP.

It has been discovered that GnuGk is vulnerable in some configurations for RTP bleed attacks ( By updating to version 4.7 only the first packets in each media stream influence the media destination.

To further secure your configuration, you can set


to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.

You can download the new version from

Please see the full change log below.

Changes from 4.6 to 4.7
  • fixes for RTP Bleed
  • new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP from the call signal IPs or the respective class C network
  • new switch [Proxy] LegacyPortDetection=1 to keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks
  • BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using RedirectCallsToGkIP
  • BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
  • new command line option: now you can use -S instead of --strict (needed on BSD systems)

Monday, September 4, 2017

GNU Gatekeeper 4.6 is out

I'm happy to announce that GNU Gatekeeper version 4.6 has just been

This version has a few new features as well as bug fixes.

New features:
  • least used routing: distribute calls evenly between gateways or MCUs (new switch [RasSrv::ARQFeatures] LeastUsedRouting=1)
  • ability to log to the Unix syslog instead of the trace file (new switch [LogFile] TraceToSyslog=1)
  • new authentication module TwoAliasAuth this is not very safe, but you can use it with endpoints that do not support any password transmission
  • new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth  for the calls generated by the GnuGk status port API
  • new status port command: UnregisterEP <ep-id>
  • a number of switches to fine tune TCP keepalives
  • new switch to remove load balancers from the call path ([RoutedMode] RedirectCallsToGkIP=1)

Bug fixes:
  • fixed TCP keepalive for H.460 calls (important!)
  • fixes to port detection for unregistered calls
  • audio fix when GnuGk adds encryption to calls
  • many smaller fixes

You can download the new version from

Please see the full change log below.

Changes from 4.5 to 4.6

  • new switch: [RoutedMode] RedirectCallsToGkIP=1
  • new switches: [RoutedMode] H460KeepAliveMethodH225=, H460KeepAliveMethodH245=, GnuGkTcpKeepAliveMethodH225=, GnuGkTcpKeepAliveMethodH245=
  • BUGFIX(ProxyChannel.cxx) TCP keep-alives for H.460.18 calls weren't always  enabled correctly
  • don't open a status port listener if [Gatekeeper::Main] StatusPort=0
  • BUGFIX(Toolkit.cxx) remove trailing chars before checking for DefaultDomain
  • add callID to H.245 trace messages for easier debugging
  • BUGFIX(ProxyChannel.cxx) forward ReleaseComplete from remaining party while doing call reroute
  • BUGFIX(ProxyChannel.cxx) drop un-en/decryptable RTP packets at end of call  when adding encryption
  • new status port command: UnregisterEP <ep-id>
  • BUGFIX(RasSrv.cxx) remove IPv6 addresses before processing RRQs when IPv6 is not enabled
  • send Facility message as as non-H.460.18 keep-alive for H.225
  • send non-standard H.245 userIndication as non-H.460.18 keep-alive for H.245
  • new switch [RoutedMode] DisableGnuGkH245TcpKeepAlive=1
  • new switch [LogFile] TraceToSyslog=1 to send trace output to syslog (Unix only)
  • BUGFIX(ProxyChannel.cxx) fix port detection for re-opened channels with IgnoreSignaledIPs=1
  • new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth for the call
  • new switch [RasSrv::ARQFeatures] LeastUsedRouting=1 to select the least used gateway
  • new authentication module TwoAliasAuth