Friday, November 20, 2015

Wireshark 2 is out - including H.323 over IPv6 decoding

Wireshark 2 has been released. It includes decoding of H.323 over IPv6 wich didn't work properly in all previous version.

Wireshark 2 has a new UI that takes a moment to get used to, but also includes a version with the 'lecacy' UI if you need to get things donme in a hurry and can't fuss with the new UI right now.

Sunday, November 1, 2015

New GNU Gatekeeper 4.0 Features

H.235 password authentication

Until now, GnuGk only supported MD5 password tokens well. The password
only secured RRQ and ARQ messages in the direction from the endpoint to
the gatekeeper and MD5 is considered a pretty weak algorithm. MD5
tokens are widely supported by vendors and are usually called "H.235",
but strictly speaking they aren't part of any ITU spec.

The new implementation in GnuGk closely follows the H.235.1
specification. It secures all RAS (RRQ, ARQ, BRQ, DRQ etc.) and all
Q.931 (Setup, Alerting etc.) messages. It also secures both directions,
so the gatekeeper can check every message if it is really from the
endpoint and also the endpoint can make sure its really talking to its
gatekeeper.

The interpretation of H.235.1 varies between vendors (or their
implementation is just buggy, your call). Thats why GnuGk defaults to
rather strict checks, but has configuration switches ([H235] config
section) to enable interoperability with vendor implementations.

During development I ran tests with AudioCodes, Polycom, Inovaphone and
H323Plus endpoints.

For example if you are using a AudioCodes gateway, you should set

[Gatekeeper::Auth]
SimplePasswordAuth=required;RRQ,ARQ,DRQ,RAI,Setup,Alerting,Connect,ReleaseComplete,Facility

[H235]
UseEndpointIdentifier=1
RequireH2351GeneralID=0
FullQ931Checking=1

You can even tighten security with CheckID=1 in [SimplePasswordAuth].


Per endpoint codec filtering

Suppose you have this MCU, that works fine when endpoints use H.263,
but a lot of calls using H.264 fail. Now you can simply disable H.264
in your GnuGk config, even if that MCU doesn't give you that option:

[RoutedMode]
H245Routed=1

[EP::MyMCU]
DisabledCodecs=genericVideoCapability

Now that MCU can't negotiate H.264 any more and all calls will use
H.263. All other endpoint can still use all codecs.

Or suppose you have a Radvision MCU that is rather strict about using
symmetric codecs. Many endpoints don't handle symmetric codec
requirements correctly, but it often helps to simply disable H.239 if
you aren't using it away:

[EP::RadvisionMCU]
DisabledCodecs=extendedVideoCapability;genericControlCapability

If all your endpoints follow all the specs, you'll probably never need
this feature. Unfortunately not all do and thats when this feature
comes in handy.

IPv6 and IPv4-IPv6 conversion

Actually this is not a new feature in GnuGk 4.0, but 4.0 brings some
significant bug fixes and improvements.

We all know IPv6 will come some day, but hasn't so far, because some
equipment still works better with IPv4 or some network doesn't support
it, yet etc.

With GnuGk, you don't have to convert your network to IPv6, you can
simply add it as another option and GnuGk will convert between IPv4 and
IPv6 whenever necessary. So you can keep all your legacy endpoints that
only support IPv4 and still have them reach other endpoints that work
on IPv6.

I would suggest you give IPv6 a try in your network now, before things
get very urgent and must be done in a rush.

The config part in GnuGk is rather easy:

[Gatekeeper::Main]
EnableIPv6=1

In all places where you can put an IPv4 address, you can also place an
IPv6 address.

BTW: If you want to see your IPv6 H.323 calls in Wireshark, you need a
new version. I worked with the Wireshark developers to get the
disection fixed. That patch will probably be in 2.0.0rc1.