Tuesday, October 26, 2021

GNU Gatekeeper 5.9 released

GNU Gatekeeper version 5.9 is out with a number of bug fixes and a few new features.

Download: https://www.gnugk.org/h323download.html

New features:

  • new switches [Proxy] CachePortDetection=1 and CachePortDetectionDuration= to cache port detection packets for faster media connects when IgnoreSignaledIPs= is active
  • new switch: [EP::] ForceTerminalType=
  • new placeholder for port notifications: %t for port type
  • experimental: better error recovery if multiplexed RTP sending fails

Please note that Radius support is disabled by default now. You can enable it with the --enable-radius switch when running configure.

Bug fixes:

  • fix bug in port detection with AllowSignaledIPsFrom=
  • when DNS name resolves to IP without alias, remove alias from ACF completely (Cisco interop)
  • remove RTP session 0 from internal tables once H.245 master has assigned a session ID
  • fix compilation of Avaya support
  • initialize cmsg struct to zero before use
  • fix regression introduced with MatchH239SessionsByIDOnly= switch


Thursday, July 22, 2021

GNU Gatekeeper 5.8 released

GNU Gatekeeper version 5.8 has been released with a number of bug fixes and a few new features.

To stay updated on new releases, please also follow us on Twitter!

Improved interoperability with:

  • EdgeProtect
  • Avaya

New features:

  • experimental support for Avaya's non-standard version of H.323 (./configure --enable-avaya) (thanks Konstantin Prokazov)
  • consider RFC 6598 shared network space (100.64.0.0/10) and Zeroconf (169.254.0.0/16) as private IPs
  • new switch [Proxy] AllowSignaledIPsFrom= to skip auto-detect for messages received directly from certain IPs when IgnoreSignaledIPs=1
  • new switch [Proxy] AllowAnyRTPSourcePortForH239From= to handle incorrect RTCP addresses in H.239 OLC (EdgeProtect interop)
  • new switch [RoutedMode] MatchH239SessionsByIDOnly= to never attempt to match an H.239 reverse channel by type, for improved interoperability with EdgeProtect
  • new switches to set the HTTP Content-Type header in HttpAcct, HttpPasswordAuth and Routing::Http
  • new switch [Routing::Http] JSONResponse=1 to send more flexible routing data in the HTTP responses
  • many new status port shortcuts (see manual section for details)

Bug fixes:

  • fix H.460.18/.19 on multi-homed servers
  • fix race condition when handling H.460.19 multiplex IDs
  • fix media loop on half port-detected channel when media is very early
  • fix Net-SNMP query for total bandwidth
  • save RTCP address from OLC for port-detection
  • always check AllowSignaledIPs= before applying IgnoreSignaledAllH239IPs or IgnoreSignaledPrivateH239IPs
  • handle extensions and CSRC in RTP header with H.235 half-call media
  • better endpointIDs on Windows when compiling without OpenSSL


Thursday, March 4, 2021

GNU Gatekeeper 5.7 released

GNU Gatekeeper version 5.7 has some important bug fixes, improves interoperability
with other vendors and also has a few new features.

Several severe crashes and a few memory leaks have been fixed.

Improved interoperability with:

  • Lifesize endpoints
  • Poly's Microsoft Teams gateway
  • Polycom RealPresence Capture Server


New features:

  • You get a warning in the GUI / on the status port if one of your endpoints has an incorrect time setting and password authentication therefore fails. This makes troubleshooting a lot easier.
  • Invalid TPKT packets (e.g. due to network errors) no longer necessarily take down an otherwise healthy call. Enable this with the new AbortOnInvalidTPKT=0 switch.
  • GnuGk will now also return unused memory to the OS periodically to make it available again to other applications on the same server.
  • You have a new %{Vendor} variable for SqlAuth RegQuery and LuaAuth

Full change log:

- BUGFIX(ProxyChannel.cxx) fix crash on non-standard H.245 Indication from
  Polycom RealPresence Capture Server
- BUGFIX(ProxyChannel.cxx) fix possible crashes on non-standard generic information in OLCs
- print warning message on status port when passwords get rejected due to wrong time
- BUGFIX(httpacct.cxx) fix memory leak
- BUGFIX(ProxyChannel.cxx) fix possible crash
- BUGFIX(gk.cxx) avoid crash when terminating in the middle of program startup,
  set non-zero exit code so restarter notices error
- return unused memory back to OS periodically
- new switch: [RoutedMode] AbortOnInvalidTPKT=0 for more graceful handling of network errors
- BUGFIX(gk.cxx) fix for running on Alpine Linux (needs updated PTLib, too)
- don't start GnuGk if RTP multiplexing is configured, but we can't start the listener
- new switch: [RoutedMode] MatchH239SessionsByType=0 to fix presentations with
  LifeSize endpoints over Poly's Microsoft Teams gateway
- BUGFIX(ProxyChannel.cxx) make sure we don't set RTP address on multiplexed RTCP keepalive
- BUGFIX(RasSrv.cxx) look at all tokens for H.235.TSSM
- add %{Vendor} variable for SqlAuth RegQuery and LuaAuth

Tuesday, February 2, 2021

New releases of H323Plus and PTLib

H323Plus 1.27.2 and PTLib 2.10.9.4 have been released.

Changes in H323Plus:

- support for Alpine Linux for smaller container images
- crash fixed on invalid RTCP packets
- memory leaks fixed
- GetCrytoMasterKey() restored that got lost in 1.27.1
- better support for cross-compiling
- various updates for newer compilers
- some smaller bug fixes

https://www.h323plus.org/source/

Changes in PTLib:

- support for Alpine Linux
- better support for cross-compiling
- various smaller bug fixes

https://github.com/willamowius/ptlib/releases

Tuesday, January 19, 2021

H.323: IPv4 to IPv6 migration

Many networks are migrating from IPv4 to IPv6. What can you do if you still have H.323 endpoints that only support IPv4?

The GNU Gatekeeper can translate IPv4 calls into IPv6 calls and vice versa.
You can use one GnuGk to IPv6-enable all of your existing IPv4 endpoints.

All you have to do is enable IPv6 in your configuration and GnuGk will automatically
detect the connection type of your endpoints and convert the call.

All it takes is one switch in your config:

[Gatekeeper::Main]
EnableIPv6=1


Wednesday, January 13, 2021

Using the GNU Gatekeeper to create TLS tunnels

Most H.323 vendors did not implement encrypting the signaling connection with TLS. They only encrypt the media (RTP). But you can use two GNU Gatekeepers to encrypt your call signaling even when your endpoints don't support this natively.

Suppose you have two locations and want to connect them securely over the public internet.

GnuGk can encrypt call signaling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption).


Configuration for GNU Gatekeeper 1 (prefix 01)

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1


Configuration for GNU Gatekeeper 2 (prefix 02)

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1


Other options

You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will show metadata (who is calling whom) in clear text!

See the GnuGk manual section on TLS for more details and examples of how to generate the OpenSSL certificates.


Friday, January 8, 2021

Using TCP Keepalive to Detect Network Errors

This is not only an H.323 topic, but since H.323 also uses TCP connections, it applies to H.323 as well:

To detect network errors and signaling connection problems, you can enable the TCP keepalive feature. It will increase the bandwidth used by signaling, but as the bandwidth utilized by signaling channels is low by nature, the increase should not be significant. Moreover, you can control it using the keepalive timeout.

The problem is that most systems use a keepalive timeout of 7200 seconds, which means the system is notified about a dead connection only after 2 hours. You probably want this time to be shorter, like one minute or so. On each operating system, the adjustment is done in a different way.

After setting all parameters, it is recommended to check whether the feature works correctly: just make a test call and unplug a network cable at either side of the call. Then see if the call terminates after the configured timeout.

Linux systems

Use sysctl -A to get a list of available kernel variables
and grep this list for net.ipv4 settings (sysctl -A | grep net.ipv4).
The following variables should exist:
net.ipv4.tcp_keepalive_time:   time of connection inactivity after which
                               the first keep alive request is sent
net.ipv4.tcp_keepalive_probes: number of keep alive requests retransmitted
                               before the connection is considered broken
net.ipv4.tcp_keepalive_intvl:  time interval between keep alive probes

You can change these settings using the following command:

sysctl -w net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_probes=3 \
    net.ipv4.tcp_keepalive_intvl=10

This sample command changes TCP keepalive timeout to 60 seconds with 3 probes,
10 seconds gap between each. With this, your application will detect dead TCP
connections after 90 seconds (60 + 10 + 10 + 10).

FreeBSD and MacOS X

For the list of available TCP settings (FreeBSD 4.8 and up, and 5.4):

sysctl -A | grep net.inet.tcp

net.inet.tcp.keepidle - Amount of time, in milliseconds, that the (TCP) 
connection must be idle before keepalive probes (if enabled) are sent.

net.inet.tcp.keepintvl - The interval, in milliseconds, between
keepalive probes sent to remote machines. After TCPTV_KEEPCNT (default
8) probes are sent with no response, the (TCP) connection is dropped.

net.inet.tcp.always_keepalive - Assume that SO_KEEPALIVE is set on all
TCP connections; the kernel will periodically send a packet to the
remote host to verify the connection is still up.

Therefore the formula to calculate the maximum time a TCP connection can be
inactive is the following:

net.inet.tcp.keepidle + (net.inet.tcp.keepintvl x 8)

The result is in milliseconds.

Therefore, by setting
net.inet.tcp.keepidle = 10000
net.inet.tcp.keepintvl = 5000
net.inet.tcp.always_keepalive = 1 (must always be 1)

the system will disconnect a call when the TCP connection has been dead for:
10000 + (5000 x 8) = 50000 msec (50 sec)

To make the system remember these settings after a reboot, add them
to the /etc/sysctl.conf file.
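As an added example (not part of the original post), here is a small Python helper that parses `sysctl -A` output in both the Linux (`key = value`) and FreeBSD/macOS (`key: value`) formats and computes the dead-connection detection time using the two formulas from the Linux and FreeBSD sections above; the sample sysctl output is constructed, not captured from a real host.

```python
import re

# Keepalive kernel variables named in the post for Linux.
LINUX_KEYS = ("net.ipv4.tcp_keepalive_time",
              "net.ipv4.tcp_keepalive_probes",
              "net.ipv4.tcp_keepalive_intvl")

# Linux prints "key = value"; FreeBSD and macOS print "key: value".
_LINE = re.compile(r"^\s*([\w.]+)\s*[=:]\s*(\d+)\s*$")

def parse_sysctl(text):
    """Turn `sysctl -A` style output into {name: int}; non-numeric lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def linux_dead_after_seconds(settings):
    """Seconds until a silent peer is declared dead: idle time, then one interval per probe.
    Linux applies this only to sockets that set SO_KEEPALIVE; there is no always-on switch."""
    idle, probes, intvl = (settings[k] for k in LINUX_KEYS)
    return idle + probes * intvl

def freebsd_dead_after_ms(settings, probe_count=8):
    """Milliseconds until disconnect: keepidle + keepintvl * TCPTV_KEEPCNT (default 8).
    Refuses to report a value unless always_keepalive is 1, as the post requires."""
    if settings.get("net.inet.tcp.always_keepalive") != 1:
        raise ValueError("net.inet.tcp.always_keepalive must be 1")
    return settings["net.inet.tcp.keepidle"] + settings["net.inet.tcp.keepintvl"] * probe_count

# Constructed sample output (not captured from a real host), using the post's example values.
LINUX_SAMPLE = """\
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_syncookies = 1
"""
FREEBSD_SAMPLE = """\
net.inet.tcp.keepidle: 10000
net.inet.tcp.keepintvl: 5000
net.inet.tcp.always_keepalive: 1
"""

if __name__ == "__main__":
    print(linux_dead_after_seconds(parse_sysctl(LINUX_SAMPLE)), "s")    # 90 s
    print(freebsd_dead_after_ms(parse_sysctl(FREEBSD_SAMPLE)), "ms")  # 50000 ms
```

Feed it the real output of `sysctl -A | grep net.ipv4` or `sysctl -A | grep net.inet.tcp` to see how long a dead call would linger before the kernel tears the connection down.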

Solaris

For the list of available TCP settings:

ndd /dev/tcp \?

Keepalive-related variables:
- tcp_keepalive_interval - idle timeout

Example:
ndd -set /dev/tcp tcp_keepalive_interval 60000

Windows 2000 and Windows NT

Search Knowledge Base for article ID 120642:
http://support.microsoft.com/kb/120642/EN-US

Basically, you need to tweak some registry entries under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters