<h1>GNU Gatekeeper Blog</h1><p>News and thoughts on the GNU Gatekeeper, H.323, video conferencing and VoIP. Posts by Jan.</p>
<h1>New release of PTLib</h1><p>2024-02-26</p><p>I have just bundled up the changes and bug fixes of the past 2 years and released PTLib 2.10.9.6.</p><p>Most notable in this release is working IPv6 on *BSD, macOS and Solaris as well as support for newer compilers and many small platform fixes.</p><p>Since PTLib is the foundation for the <a href="https://www.gnugk.org/" target="_blank">GNU Gatekeeper</a> and many <a href="https://www.h323plus.org/" target="_blank">H323Plus</a> projects, all these improvements get propagated into those projects as well.</p><p>Changes:</p><ul><li>IPv6 support fixed for *BSD, macOS and Solaris</li><li>support for newer compilers, e.g. gcc 13 and VS2022</li><li>support for C++17</li><li>support for Win64 builds</li><li>support AIX as platform</li><li>small OpenBSD fixes</li><li>other small fixes</li></ul><p>Download from <a href="https://www.h323plus.org/source/" target="_blank">https://www.h323plus.org/source/</a></p>
<h1>GNU Gatekeeper 5.12 released</h1><p>2024-02-19</p><p>GNU Gatekeeper version 5.12 has been released.</p><p>Download: <a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a></p><p>This is a <b>bug fix release</b> with a few new features added.</p><p>Another important bug in the handling of the ExternalIP switch has been fixed, as well as Y2K38 issues.</p><p>This release also adds features:</p><ul><li>support for <b>Oracle databases</b></li><li>easier cloud deployment with IP detection via STUN</li><li>better load scaling by mixing proxied with direct mode endpoints in a single gatekeeper</li><li><b>Windows 64bit executables</b> built with VS2022</li></ul><p>Full list of changes:</p><ul><li>enable more runtime hardening flags from the OpenSSF recommendation 11/2023</li><li>fix bug with H.245 address when using ExternalIP= switch without H.460.18/.19</li><li>auto-detect public IP with ExternalIP=STUN and STUNServer=stun.example.com</li><li>compiler support for VS2022</li><li>new database driver for Oracle and new timestamp format 'Oracle'</li><li>new switch [EP::xxx] ForceDirectMode=1 to handle all calls from this endpoint in direct mode</li><li>BUGFIX(RasSrv.cxx, gkauth.cxx) make sure time_t is handled unsigned to avoid Y2K38 issue</li><li>BUGFIX(ProxyChannel.cxx) check for too small packets when acting as encryption proxy</li></ul>
<h1>GNU Gatekeeper 5.11 released</h1><p>2023-02-20</p><p>GNU Gatekeeper version 5.11 has been released.</p><p>Download: <a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a></p><p>This is a <b>bug fix release</b> with a few new features added.</p><p>An important bug in the handling of the ExternalIP switch has been fixed.</p><p>We also added a few features that make it easier to use GnuGk with Grafana and InfluxDB monitoring.</p><p>Changes and additions:</p><ul><li>remove non-working command line switch -e / --externalip, use the config file to set ExternalIP</li><li>new accounting variables %{registrations}, %{calls}, %{total-calls}, %{successful-calls}, %{allocated-bandwidth}</li><li>new switch [HttpAcct] Authorization= to send authorization headers to support InfluxDB</li><li>replace \r and \n in HttpAcct body with carriage return and line feed characters</li><li>new switch: [RasSrv::LRQFeatures] PreserveDestination=1 (helpful when calling Pexip servers)</li></ul>
<h1>GNU Gatekeeper 5.10 released</h1><p>2022-08-24</p><p>GNU Gatekeeper version 5.10 has been released.</p><p>Download: <a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a></p><p>This is a <b>bug fix release</b>.</p><p>Bugs fixed:</p><ul><li>fix a crash when handling the MasterSlaveDetermination message</li><li>fix the documentation of [RasSrv::LRQFeatures] NeighborTimeout and consistently treat the value as 10ths of a second in the program</li></ul>
<h1>GNU Gatekeeper 5.9 released</h1><p>2021-10-26</p><p>GNU Gatekeeper version 5.9 is out with a number of bug fixes and a few new features.</p><p>Download: <a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a></p><p>New features:</p><ul><li>new switches [Proxy] CachePortDetection=1 and CachePortDetectionDuration= to cache port detection packets for faster media connects when IgnoreSignaledIPs= is active</li><li>new switch: [EP::] ForceTerminalType=</li><li>new placeholder for port notifications: %t for port type</li><li>experimental: better error recovery if multiplexed RTP sending fails</li></ul><p>Please note that Radius support is disabled by default now. You can enable it with the --enable-radius switch when running configure.</p><p>Bug fixes:</p><ul><li>fix bug in port detection with AllowSignaledIPsFrom=</li><li>when a DNS name resolves to an IP without alias, remove the alias from the ACF completely (Cisco interop)</li><li>remove RTP session 0 from internal tables once the H.245 master has assigned a session ID</li><li>fix compilation of Avaya support</li><li>initialize cmsg struct to zero before using it</li><li>fix regression introduced with the MatchH239SessionsByIDOnly= switch</li></ul>
<h1>GNU Gatekeeper 5.8 released</h1><p>2021-07-22</p><p>GNU Gatekeeper version 5.8 has been released with a number of bug fixes and a few new features.</p><p>To stay updated on new releases, please also follow us on <a href="https://twitter.com/h323" target="_blank">Twitter</a>!</p><p>Improved interoperability with:</p><ul><li>EdgeProtect</li><li>Avaya</li></ul><p>New features:</p><ul><li>experimental support for Avaya's non-standard version of H.323 (./configure --enable-avaya) (thanks Konstantin Prokazov)</li><li>consider RFC 6598 shared address space (100.64.0.0/10) and Zeroconf (169.254.0.0/16) as private IPs</li><li>new switch [Proxy] AllowSignaledIPsFrom= to skip auto-detect for messages received directly from certain IPs when IgnoreSignaledIPs=1</li><li>new switch [Proxy] AllowAnyRTPSourcePortForH239From= to handle incorrect RTCP addresses in H.239 OLC (EdgeProtect interop)</li><li>new switch [RoutedMode] MatchH239SessionsByIDOnly= to never attempt to match an H.239 reverse channel by type, for improved interoperability with EdgeProtect</li><li>new switches to set the HTTP Content-Type header in HttpAcct, HttpPasswordAuth and Routing::Http</li><li>new switch [Routing::Http] JSONResponse=1 to send more flexible routing data in the HTML responses</li><li>many new status port shortcuts (see manual section for details)</li></ul><p>Bug fixes:</p><ul><li>fix H.460.18/.19 on multi-homed servers</li><li>fix race condition when handling H.460.19 multiplex IDs</li><li>fix media loop on half port-detected channel when media is very early</li><li>fix Net-SNMP query for total bandwidth</li><li>save RTCP address from OLC for port-detection</li><li>always check AllowSignaledIPs= before applying IgnoreSignaledAllH239IPs or IgnoreSignaledPrivateH239IPs</li><li>handle extensions and CSRC in RTP header with H.235 half-call media</li><li>better endpointIDs on Windows when compiling without OpenSSL</li></ul>
<h1>GNU Gatekeeper 5.7 released</h1><p>2021-03-04</p><p>GNU Gatekeeper version 5.7 has some important bug fixes, improves interoperability with other vendors and also has a few new features.</p><p>Several severe crashes and a few memory leaks have been fixed.</p><p>Improved interoperability with:</p><ul><li>Lifesize endpoints</li><li>Poly's Microsoft Teams gateway</li><li>Polycom RealPresence Capture Server</li></ul><p>New features:</p><ul><li>You get a warning in the GUI / on the status port if one of your endpoints has an incorrect time setting and thus password authentication fails. This makes troubleshooting a lot easier.</li><li>Invalid TPKT packets (e.g. due to network errors) now don't necessarily take down an otherwise healthy call. Use the new AbortOnInvalidTPKT=0 switch to enable this.</li><li>GnuGk will now also return unused memory to the OS periodically to make it available again to other applications on the same server.</li><li>You have a new %{Vendor} variable for SqlAuth RegQuerys and LuaAuth</li></ul><p>Full change log:</p><ul><li>BUGFIX(ProxyChannel.cxx) fix crash on non-standard H.245 Indication from Polycom RealPresence Capture Server</li><li>BUGFIX(ProxyChannel.cxx) fix possible crashes on non-standard generic information in OLCs</li><li>print warning message on status port when passwords get rejected due to wrong time</li><li>BUGFIX(httpacct.cxx) fix memory leak</li><li>BUGFIX(ProxyChannel.cxx) fix possible crash</li><li>BUGFIX(gk.cxx) avoid crash when terminating in the middle of program startup, set non-zero exit code so restarter notices error</li><li>return unused memory back to OS periodically</li><li>new switch: [RoutedMode] AbortOnInvalidTPKT=0 for more graceful handling of network errors</li><li>BUGFIX(gk.cxx) fix for running on Alpine Linux (needs updated PTLib, too)</li><li>don't start GnuGk if RTP multiplexing is configured, but we can't start the listener</li><li>new switch: [RoutedMode] MatchH239SessionsByType=0 to fix presentations with LifeSize endpoints over Poly's Microsoft Teams gateway</li><li>BUGFIX(ProxyChannel.cxx) make sure we don't set RTP address on multiplexed RTCP keepalive</li><li>BUGFIX(RasSrv.cxx) look at all tokens for H.235.TSSM</li><li>add %{Vendor} variable for SqlAuth RegQuery and LuaAuth</li></ul>
<h1>New releases of H323Plus and PTLib</h1><p>2021-02-02</p><p>H323Plus 1.27.2 and PTLib 2.10.9.4 have been released.</p><p>Changes in H323Plus:</p><ul><li>support for Alpine Linux for smaller container images</li><li>crash fixed on invalid RTCP packets</li><li>memory leaks fixed</li><li>GetCrytoMasterKey() restored that got lost in 1.27.1</li><li>better support for cross-compiling</li><li>various updates for newer compilers</li><li>some smaller bug fixes</li></ul><p><a href="https://www.h323plus.org/source/" target="_blank">https://www.h323plus.org/source/</a></p><p>Changes in PTLib:</p><ul><li>support for Alpine Linux</li><li>better support for cross-compiling</li><li>various smaller bug fixes</li></ul><p><a href="https://github.com/willamowius/ptlib/releases" target="_blank">https://github.com/willamowius/ptlib/releases</a></p>
<h1>H.323: IPv4 to IPv6 migration</h1><p>2021-01-19</p><p>Many networks are migrating from IPv4 to IPv6. What can you do if you still have H.323 endpoints that only support IPv4?</p><p>The GNU Gatekeeper can translate IPv4 into IPv6 calls and vice versa. You can use one GnuGk to IPv6-enable all of your existing IPv4 endpoints.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.gnugk.org/images/gnugk-ipv6-conversion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="800" height="226" src="https://www.gnugk.org/images/gnugk-ipv6-conversion.png" width="400" /></a></div><p>All you have to do is enable IPv6 in your configuration and GnuGk will automatically detect the connection type of your endpoints and convert the call.</p><p>All it takes is one switch in your config:</p><pre>[Gatekeeper::Main]
EnableIPv6=1</pre>
<h1>Using the GNU Gatekeeper to create TLS tunnels</h1><p>2021-01-13</p><p>Most H.323 vendors did not implement encrypting the signaling connection with TLS. They only encrypt the media (RTP). But you can use two GNU Gatekeepers to encrypt your call signaling even when your endpoints don't support this natively.</p><p>Suppose you have 2 locations and want to connect them securely over the public internet.
</p><p>
GnuGk can encrypt call signalling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption).</p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.gnugk.org/images/gnugk-tls-tunnel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="303" data-original-width="800" height="243" src="https://www.gnugk.org/images/gnugk-tls-tunnel.png" width="640" /></a></div><h2 style="text-align: left;">Configuration for GNU Gatekeeper 1 (prefix 01)</h2><pre>[Gatekeeper::Main]
[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1
[Proxy]
Enable=1
[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED
[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1
[Gatekeeper::Auth]
FileIPAuth=required;Setup
[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS
[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02
[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1</pre><h2 style="text-align: left;">Configuration for GNU Gatekeeper 2 (prefix 02)</h2><pre>[Gatekeeper::Main]
[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1
[Proxy]
Enable=1
[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED
[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1
[Gatekeeper::Auth]
FileIPAuth=required;Setup
[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS
[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01
[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1</pre><h2 style="text-align: left;">Other options</h2><p style="text-align: left;">You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will show metadata (who is calling whom) in clear text!</p><p style="text-align: left;">See the <a href="https://www.gnugk.org/gnugk-manual-12.html#ss12.11">GnuGk manual section on TLS</a> for more details and examples of how to generate the OpenSSL certificates.</p>
<h1>Using TCP Keepalive to Detect Network Errors</h1><p>2021-01-08</p><p>This is not only an H.323 topic, but since H.323 also uses TCP connections, it applies to H.323 as well:</p><p>To detect network errors and signaling connection problems, you can enable the TCP keepalive feature. It will increase the signaling bandwidth used, but as the bandwidth utilized by signaling channels is low by nature, the increase should not be significant. Moreover, you can control it using the keepalive timeout.
</p><p>
The problem is that most systems use a keepalive timeout of 7200 seconds, which means the system is notified about a dead connection only after 2 hours. You probably want this time to be shorter, like one minute or so. On each operating system, the adjustment is done in a different way.
</p><p>
After setting all parameters, it's recommended to check whether the feature works correctly: just make a test call and unplug a network cable at either side of the call. Then see if the call terminates after the configured timeout.
</p><h2>Linux systems</h2>
<p>Use sysctl -A to get a list of available kernel variables and grep this list for net.ipv4 settings (sysctl -A | grep net.ipv4). The following variables should exist:</p>
<ul><li>net.ipv4.tcp_keepalive_time: time of connection inactivity after which the first keepalive probe is sent</li><li>net.ipv4.tcp_keepalive_probes: number of keepalive probes retransmitted before the connection is considered broken</li><li>net.ipv4.tcp_keepalive_intvl: time interval between keepalive probes</li></ul>
<p>You can manipulate these settings using the following command:</p>
<pre>sysctl -w net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_probes=3 \
    net.ipv4.tcp_keepalive_intvl=10</pre>
<p>This sample command changes the TCP keepalive timeout to 60 seconds with 3 probes, 10 seconds apart. With this, your application will detect dead TCP connections after 90 seconds (60 + 10 + 10 + 10).</p>
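<p>The sysctl values above are system-wide defaults that only apply to sockets which have keepalive switched on. An application can also enable keepalive per socket and override the three timers for that socket alone, which is worth knowing when you cannot change the host settings or want a shorter timeout for signalling connections only. The following Python, added here as an example and not code from the post or from GnuGk, does that for a plain TCP socket with the values used above and computes the detection time they imply. It assumes the Linux option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT (macOS calls the idle timer TCP_KEEPALIVE, which is used as a fallback); the values it returns are read back from the kernel so you can confirm the settings actually took effect.</p>

```python
import socket


def dead_connection_timeout(idle: int, interval: int, probes: int) -> int:
    """Seconds until a silent peer is declared dead: the idle time before the
    first probe plus `probes` unanswered probes spaced `interval` apart.
    The post's Linux values give 60 + 3 * 10 = 90."""
    if min(idle, interval, probes) <= 0:
        raise ValueError("keepalive parameters must be positive")
    return idle + probes * interval


def freebsd_timeout_ms(keepidle_ms: int, keepintvl_ms: int, keepcnt: int = 8) -> int:
    """The FreeBSD formula from the post: keepidle + keepintvl * TCPTV_KEEPCNT
    (default 8); all values in milliseconds."""
    return keepidle_ms + keepintvl_ms * keepcnt


def enable_keepalive(sock: socket.socket, idle: int, interval: int, probes: int) -> dict:
    """Turn on SO_KEEPALIVE for one socket and, where the platform exposes
    them, override the three timers for that socket only. Returns what the
    kernel reports back via getsockopt, so the caller can verify the settings
    took effect instead of trusting that the call succeeded."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # BSD kernels return the option bit mask rather than 1; normalise to 0/1.
    applied = {"SO_KEEPALIVE": int(bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)))}

    # Linux option names (assumed); macOS names the idle timer TCP_KEEPALIVE.
    # Windows exposes the timers through ioctl(SIO_KEEPALIVE_VALS) instead,
    # which is why the post points to the registry there.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    timers = (
        ("idle", idle_opt, idle),
        ("interval", getattr(socket, "TCP_KEEPINTVL", None), interval),
        ("probes", getattr(socket, "TCP_KEEPCNT", None), probes),
    )
    for name, opt, value in timers:
        if opt is None:
            applied[name] = None  # not settable per socket here; the sysctl default applies
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def configure_signalling_socket(idle: int = 60, interval: int = 10, probes: int = 3) -> dict:
    """Create a TCP socket the way an H.323 call signalling client would and
    apply the post's Linux values (60 s idle, 3 probes, 10 s apart)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        applied = enable_keepalive(sock, idle, interval, probes)
    applied["expected_detection_seconds"] = dead_connection_timeout(idle, interval, probes)
    return applied


if __name__ == "__main__":
    for key, value in configure_signalling_socket().items():
        print(f"{key}: {value}")
```

<p>A None in the returned dictionary means the platform has no per-socket knob for that timer and the sysctl (or registry) value from the sections above is what the kernel will use; that is the case to check before relying on the 90 second figure in production.</p>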
<h2>FreeBSD and Mac OS X</h2>
<p>For the list of available TCP settings (FreeBSD 4.8 and up, and 5.4):</p>
<pre>sysctl -A | grep net.inet.tcp</pre>
<ul><li>net.inet.tcp.keepidle - Amount of time, in milliseconds, that the (TCP) connection must be idle before keepalive probes (if enabled) are sent.</li><li>net.inet.tcp.keepintvl - The interval, in milliseconds, between keepalive probes sent to remote machines. After TCPTV_KEEPCNT (default 8) probes are sent with no response, the (TCP) connection is dropped.</li><li>net.inet.tcp.always_keepalive - Assume that SO_KEEPALIVE is set on all TCP connections; the kernel will periodically send a packet to the remote host to verify the connection is still up.</li></ul>
<p>Therefore the formula to calculate the maximum TCP inactive connection time is the following (the result is in milliseconds):</p>
<pre>net.inet.tcp.keepidle + (net.inet.tcp.keepintvl x 8)</pre>
<p>Therefore, by setting</p>
<pre>net.inet.tcp.keepidle = 10000
net.inet.tcp.keepintvl = 5000
net.inet.tcp.always_keepalive = 1 (must always be 1)</pre>
<p>the system will disconnect a call when the TCP connection is dead for:</p>
<pre>10000 + (5000 x 8) = 50000 msec (50 sec)</pre>
<p>To make the system remember these settings at startup, you should add them to the /etc/sysctl.conf file.</p>
<h2>Solaris</h2>
<p>For the list of available TCP settings:</p>
<pre>ndd /dev/tcp \?</pre>
<p>Keepalive related variables:</p>
<ul><li>tcp_keepalive_interval - idle timeout</li></ul>
<p>Example:</p>
<pre>ndd -set /dev/tcp tcp_keepalive_interval 60000</pre>
<h2>Windows 2000 and Windows NT</h2>
<p>Search the Knowledge Base for article ID 120642: <a href="https://web.archive.org/web/20140904162603/http://support.microsoft.com/kb/120642/EN-US">http://support.microsoft.com/kb/120642/EN-US</a></p>
<p>Basically, you need to tweak some registry entries under</p>
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</pre>
<h1>GNU Gatekeeper 5.6 released</h1><p>2020-10-29</p><p>Today GNU Gatekeeper version 5.6 has been released.</p><p>Download: <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a></p><p>It contains an important bug fix to H.460.19 multiplexing and H.460.26 (media over TCP) when using GnuGk's internal call forwarding (ForwardOnFacility).</p><p>I have also added an interop tweak to be able to call video services that don't understand H.323 URL aliases (e.g. videobutler.nl). You can enable it with</p><pre>[Routing::SRV]
ConvertURLs=1</pre><p>Here is the full changelog:</p><ul><li>new switch: [Routing::SRV] ConvertURLs=1 to convert URL_IDs into H323_IDs</li><li>BUGFIX(ProxyChannel.cxx) fix RTP multiplexing and H.460.26 when ForwardOnFacility is used</li><li>BUGFIX(ProxyChannel.cxx) remove H.460.19 feature from Setup when using ForwardOnFacility=1</li><li>new switch: [Gatekeeper::Main] GrantAllBRQ=1 to accept any BRQ, even if the conferenceID is invalid</li></ul>
<h1>GNU Gatekeeper 5.5 released</h1><p>2020-06-30</p><p>I am happy to announce the release of GNU Gatekeeper 5.5.</p><p>This release has new features and bug fixes when you run clustered gatekeepers. It also improves the port detection feature and we have a complete and up to date Chinese documentation.</p><p>You can download it from <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a></p><p>New features:</p>
<ul>
<li>new feature GnuGkAssignedGatekeeper to push endpoints back to their intended home gatekeepers in the cluster, even if the endpoints don't support assigned gatekeepers</li>
<li>support new PBKDF2 password hashes for ssh logins to the status port</li>
<li>new switches to fine tune port detection for H.239 channels (IgnoreSignaledPublicH239IPsFrom=x and IgnoreSignaledAllH239IPs=1)</li>
<li>new Chinese manual</li>
</ul>
<p>Bug fixes:</p>
<ul>
<li>select correct source IP for neighbor pings</li>
<li>set altGKisPermanent=true when redirecting endpoints</li>
<li>fix RRJ to include alternates when RedirectGK=Endpoints limit is reached</li>
<li>fix reading of AllowSignaledIPs= switch</li>
<li>don't complain about [Neighbor::xxx] SendAliases switch when using --strict</li>
</ul>
<p>Enjoy!</p>
<h1>GNU Gatekeeper 5.4 released</h1><p>2020-01-07</p><p>I am happy to announce the release of GNU Gatekeeper 5.4.</p><p>You can download it from <a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a></p>
<p>New features:</p>
<ul>
<li>new accounting module to send accounting data to an MQTT server</li>
<li>support for redis as database (e.g. as backend for password storage)</li>
</ul>
<p>Bug fixes:</p>
<ul>
<li>important fix for H.245 tunneling translation with H.460.18 endpoints</li>
<li>fix for snmpwalk in PTLib-SNMP implementation</li>
<li>fix sending alternate gatekeeper list to endpoints with assigned gatekeeper</li>
<li>improved DRQ from child gatekeepers</li>
<li>fix TLS with neighbor gatekeeper</li>
</ul>
<p>Please also note that a bug has been found in PTLib that can cause a crash in any GnuGk version if you use the status port (manually or from an application). Please upgrade to PTLib 2.10.9.3!</p>
<h1>Howto block H.323 spam calls with fail2ban</h1><p>2019-08-12</p><p>When you run the <a href="https://www.gnugk.org/" target="_blank">GNU Gatekeeper</a>, you can block spam calls from the well known bots ("MERA RU", "SimpleOPAL" etc.), e.g. using a small LUA script in your config.</p>
<p>But that alone doesn't stop the load on the server, because often these bots keep on making calls.</p>
<p><a href="https://www.fail2ban.org/wiki/index.php/Main_Page" target="_blank">Fail2ban</a> to the rescue!</p>
<p>With this filter definition in /etc/fail2ban/filter.d/gnugk.conf you can check for rejected calls:</p>
<pre>[Definition]
failregex = Dropping call CRV=[0-9]+ from &lt;HOST&gt;:[0-9]+ due to Setup authentication failure
ignoreregex = </pre>
<p>And then you can add this jail definition to /etc/fail2ban/jail.local to block the IP:</p>
<pre>[gnugk]
enabled = true
logpath = /var/log/gnugk.log
filter = gnugk
bantime = 6000
maxretry = 2
action = iptables[name=GnuGk, port=1720, protocol=tcp]</pre>
Voila!<br />
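<p>Before letting the filter and jail above act on real traffic, it helps to see what they would ban. The following Python is a dry run added here as an example; it is not code from the post or from fail2ban. It applies the failregex to a constructed log excerpt (line format and addresses are invented for this example; only the "Dropping call ... Setup authentication failure" message comes from the post) and reproduces fail2ban's maxretry/findtime counting to list the hosts the jail would hand to its iptables action. The jail above sets maxretry = 2 and leaves findtime at fail2ban's default of 600 seconds, which is exactly what decides whether two slow-paced failures count.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The post's failregex with fail2ban's <HOST> tag expanded to a named group.
# fail2ban substitutes a pattern for IPv4/IPv6 addresses or hostnames;
# anything up to the port colon is enough for this dry run.
FAILREGEX = re.compile(
    r"Dropping call CRV=[0-9]+ from (?P<host>[^\s:]+):[0-9]+ due to Setup authentication failure"
)
# GnuGk trace lines start with a timestamp; this format is an assumption
# made for the example, as is the whole sample log below.
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

# Constructed log excerpt (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2019/08/12 12:01:03.120  2  RasSrv.cxx(123)  RAS  Registration from 192.168.1.20 accepted
2019/08/12 12:01:10.551  1  ProxyChannel.cxx(456)  Q931  Dropping call CRV=17 from 203.0.113.7:45012 due to Setup authentication failure
2019/08/12 12:01:11.003  1  ProxyChannel.cxx(456)  Q931  Dropping call CRV=18 from 203.0.113.7:45013 due to Setup authentication failure
2019/08/12 12:05:40.917  1  ProxyChannel.cxx(456)  Q931  Dropping call CRV=19 from 198.51.100.9:33040 due to Setup authentication failure
2019/08/12 13:20:00.000  1  ProxyChannel.cxx(456)  Q931  Dropping call CRV=20 from 198.51.100.9:33041 due to Setup authentication failure
"""


def failures(log_text: str):
    """Yield (timestamp, host) for every line the failregex matches, the
    same way fail2ban's filter feeds matches into the jail."""
    for line in log_text.splitlines():
        hit = FAILREGEX.search(line)
        stamp = TIMESTAMP.match(line)
        if hit and stamp:
            yield datetime.strptime(stamp.group(1), "%Y/%m/%d %H:%M:%S"), hit.group("host")


def hosts_to_ban(log_text: str, maxretry: int = 2, findtime: int = 600) -> list:
    """Apply the jail's counting rule: a host is banned once it has `maxretry`
    matches within any `findtime`-second window. Returns hosts in the order
    they would be banned."""
    window = defaultdict(list)
    banned = []
    for when, host in failures(log_text):
        # keep only the earlier matches that fall inside findtime of this one
        window[host] = [t for t in window[host] if when - t <= timedelta(seconds=findtime)]
        window[host].append(when)
        if len(window[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def ban_command(host: str, name: str = "GnuGk") -> str:
    """The shape of the rule fail2ban's iptables action inserts for a banned
    host: a per-jail chain f2b-<name>, which the action hooks to tcp/1720
    when the jail starts (action layout as of fail2ban 0.9)."""
    return f"iptables -I f2b-{name} 1 -s {host} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print(ban_command(host))
```

<p>With the sample above only 203.0.113.7 gets banned: its two rejected Setups are a second apart, while the two from 198.51.100.9 are more than an hour apart and never fall into one 600 second window. A bot that paces its calls slower than findtime/maxretry therefore slips through; raising findtime in the jail (as the second test call in this example does) is the knob for that.</p>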
<h1>GNU Gatekeeper 5.3 released</h1><p>2019-07-26</p><p>I have just released GNU Gatekeeper version 5.3.</p><p>You can download it from <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a></p><p>This release has a number of new features as well as some important bug fixes.</p><p>What's new?</p>
<ul>
<li>LRQ loop detection to optimize call flows between multiple neighbor gatekeepers. This new feature has the potential to significantly reduce the load on all gatekeepers and prevent "LRQ storms".</li>
<li>new routing policy to set call destinations by querying HTTP or REST servers, see [Routing::Http]</li>
<li>much improved support for SNMP </li>
<li>important bug fix for TLS encryption of signaling channels</li>
<li>important bug fixes for H.460.18 NAT traversal (for H.245 tunneling and for multi-homed servers)</li>
<li>performance optimization: this version can handle 5-10% more proxied calls on the same hardware </li>
<li>performance optimization: re-authenticate lightweight, additive registrations only when new aliases differ. This significantly reduces the load on password databases.</li>
</ul>
<p>Enjoy!</p><p>Full change log:</p><ul><li>BUGFIX(ProxyChannel.cxx) don't send H.245 address to tunneling H.460.18 endpoint, breaks call when H.245 multiplexing</li><li>performance optimization: 5% faster UDP handling</li><li>changed default: [SNMP] Implementation=PTlib</li><li>remove unfinished Windows-SNMP implementation, use PTLib-SNMP on Windows</li><li>support SET and GET-NEXT in PTLib-SNMP</li><li>support SNMP sysUpTime when running as standalone agent</li><li>BUGFIX(configure.in) LARGE_FDSET defaults to off</li><li>new SNMP OID 1.3.6.1.4.1.27938.11.1.9 to query total bandwidth allocated to ongoing calls</li><li>BUGFIX(ProxyChannel.cxx) fix hangup when making many TLS calls quickly one after another</li><li>BUGFIX(RasSrv.cxx) don't require H.460.22 parameters in ARQs</li><li>BUGFIX(ProxyChannel.cxx) fix TLS without LARGE_FDSET</li><li>BUGFIX(ProxyChannel.cxx) don't send H.460.22 priority field in SCI</li><li>BUGFIX(gkauth.cxx) free memory from cached and expired passwords</li><li>re-authenticate lightweight, additive registrations only when new aliases differ</li><li>remove switch [Proxy]DisableRTPQueueing, always disabled now</li><li>new routing policy: http with config section [Routing::Http]</li><li>BUGFIX(ProxyChannel.cxx) fix H.460.18 on multi-homed servers (SCI comes from the correct IP now)</li><li>new switch to disable SNMP traps [SNMP] EnableTraps=0</li><li>BUGFIX(ProxyChannel.cxx) don't throw SNMP trap on H.245 connection errors (causes crash under load with Net-SNMP)</li><li>BUGFIX(snmp.cxx) shutdown GnuGk when SNMP agent can't be started</li><li>BUGFIX(snmp.cxx) protect NetSNMP library calls with mutex</li><li>changed default: ForwardResponse now defaults to 1 in [RasSrv::LRQFeatures] and [Neighbor::...]</li><li>new feature: loop detection for LRQs [RasSrv::LRQFeatures] LoopDetection=1</li><li>BUGFIX(Neighbor.cxx) some settings in [RasSrv::LRQFeatures] were ignored if not set in [Neighbor::...]</li></ul>
<h1>Celebrating 20 Years of GnuGk</h1><p>2019-06-05</p><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyE6tqhmHp5CFDghH5-WqDFhIocDdfh2A4pwCpqJH0pKUzkuawc3-6A0B58GLux2gBwm8UmxmP0TTnMseFghjjF7J_UuARfr4UrUckBDs9P074iaUd_tcLUunEoO7pynYMlXWW3yYgamkO/s1600/20-years.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="20 years" border="0" data-original-height="160" data-original-width="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyE6tqhmHp5CFDghH5-WqDFhIocDdfh2A4pwCpqJH0pKUzkuawc3-6A0B58GLux2gBwm8UmxmP0TTnMseFghjjF7J_UuARfr4UrUckBDs9P074iaUd_tcLUunEoO7pynYMlXWW3yYgamkO/s1600/20-years.jpg" title="20 years of GnuGk" /></a></div>
<br />
20 years ago, in June 1999, I released the first version of the GNU Gatekeeper. Back then we still called it "OpenH323 Gatekeeper".<br />
<br />
The first version was very simple and only supported RAS and what we call 'direct mode' today, but it still seems useful to people and within a year it grew into a tool that people used in production.<br />
<br />
I quit my day job in 2003 to work full time on GnuGk and it has feed the family ever since. I am still amazed how well it works to give software away for free. How many people and companies contribute and give feedback and how many are willing to pay for support or new<br />
features.<br />
<br />
I want to thank everybody who used it, provided feedback, bug fixes and ideas to make it into the great software that it is today!<br />
<br />
We are not stopping here; the next release is already underway with many improvements and new features. Watch for it!<br />
<br />
Happy Birthday GnuGk!Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-53878501929085246682019-03-18T17:49:00.000+01:002019-03-18T17:49:53.517+01:00GNU Gatekeeper 5.2 releasedThis release has a rewritten networking implementation (aka<br />"large-fdset") that allows GnuGk to scale to higher numbers of calls<br />per server than previous versions.<br /><br />This new implementation replaces the old hack to extend the select()<br />system call by using poll(), which enables GnuGk to handle huge numbers<br />of sockets at the same time. The new implementation also works on<br />Windows, but has been tested mostly on the different Unix versions we<br />support.<br /><br />Please note that the relevant configure option when compiling GnuGk<br />source code has changed to <i>--enable-large-fdset</i>. There is no need to<br />specify a maximum number of sockets any more.<br /><br />This release also has a few bug fixes, e.g. for using LUA scripts with<br />shared libraries and for memory leaks in the error handling of H.235<br />password authentication.<br /><br /><br />What's new?<br /><ul>
<li>re-implement LARGE_FDSET using poll(), enable with configure option --enable-large-fdset</li>
<li>ExternalIP is automatically added to the default domains</li>
<li>support running LUA scripts that require dynamic libraries</li>
<li>change default for [TLS] CipherList= to allow elliptical curve ciphers</li>
<li>BUGFIX(gkauth.h) fix memory leak in H.235 password auth</li>
<li>BUGFIX(gkacct.cxx) set known, but unavailable accounting parameters to empty string</li>
<li>BUGFIX(ProxyChannel.cxx) fix setting UDP source IP on Windows when compiled for Vista or higher</li>
</ul>
<br />You can download it from <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a><br />Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-55533909742486675162019-01-04T17:13:00.001+01:002019-04-10T11:37:07.565+02:00GNU Gatekeeper 5.1 is outThe main new feature in this release is <b>H.245 multiplexing</b>.<br />
Together with the long supported RTP multiplexing it allows GnuGk to handle a large number of concurrent calls from H.460 endpoints using just 5 ports total.<br />
<br />
What's new?<br />
<ul>
<li>support for H.245 multiplexing with H.460.18: [RoutedMode] EnableH245Multiplexing=1, H245MultiplexPort=1722</li>
<li>improved interop with Lifesize Icon (H.235), Scopia VC240 (H.460.18) and Yealink Mobile (H.239 and H.460.19)</li>
<li>improved detection of neighbor gatekeeper availability</li>
<li>public IP detection for Google Cloud</li>
<li>new feature to let GnuGk send an event if port detection fails</li>
</ul>
<br />
Bug fixes:<br />
<br />
<ul>
<li>allow omitting Host= switch in Neighbor section for H.460.18 clients</li>
<li>fix sending of queued H.245 messages</li>
<li>update RAS port when NAT mapping for H.460.18 endpoint changes</li>
<li>fix H.245 tunneling translation with H.460.18 endpoints</li>
<li>always send genericIndication to traversal server gatekeeper</li>
<li>don't include 'bearer service changed' in keep-alive Notify</li>
<li>fix building Status and StatusInquiry keep-alives</li>
<li>fix check for librabbitmq</li>
<li>Solaris 11 compile fix</li>
<li>better OLC sessionType matching (fix for Yealink H.239)</li>
<li>fix handling aliases of type email_ID</li>
</ul>
You can download it from <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a><br />
<br />
Enjoy!<br />
<br />Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-22940557677774122472018-08-17T18:04:00.000+02:002018-08-17T18:07:15.754+02:00GNU Gatekeeper 5.0 releasedI'm happy to announce the release of GNU Gatekeeper version 5.0.<br />
<br />
This version has new features and a few bug fixes. You can download it from <a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a><br />
<br />
What's new?<br />
<br />
<ul>
<li>support for Azure and Alibaba Cloud in addition to AWS</li>
<li>performance optimizations, especially for multiplexed RTP and LUA</li>
<li>compatible with OpenSSL 1.1.x</li>
<li>switch to translate Facility transfers into gatekeeper TCS0 reroutes</li>
</ul>
<br />
There were also a number of bug fixes; please see <a href="https://github.com/willamowius/gnugk/blob/v5_0_STABLE/changes.txt" target="_blank">changes.txt</a> for<br />
details.<br />
<br />
Enjoy!Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-21074791913452827002018-04-05T11:31:00.002+02:002018-04-05T11:31:39.429+02:00GNU Gatekeeper 4.9 releasedThis version has new features and a few bug fixes. You can download it from<br /><a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a><br /><br />
<b>What's new?</b><br />
<br />We have 2 new accounting modules: HttpAcct and AMQPAcct, which allow<br />you to send accounting events via HTTP GET or POST to a web service<br />or push them into a RabbitMQ queue.<br /><br />There are also many new accounting placeholders that you can use with<br />any of the accounting modules, and there is a new accounting event<br />'reject' to track calls rejected with ARJ that went unnoticed before.<br /><br />The new RTP inactivity checking allows you to drop calls if there<br />wasn't any RTP activity for a defined amount of time.<br /><br />GeoIP authentication has been significantly updated to support all<br />RAS and all Q.931 messages and to support the new Maxmind database<br />format (GeoIP2).<br /><br />There were also a few bug fixes:<br />
<ul>
<li>fix crash while handling RTP packets</li>
<li>fix disconnecting unregistered endpoints</li>
<li>fix crash in some Avaya endpoints when receiving GCF with a gatekeeperIdentifier</li>
<li>fix crash when using IPv6</li>
<li>fix handling of CloseLogicalChannel </li>
</ul>
Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-44405211315454395252018-03-21T18:00:00.001+01:002018-03-21T18:00:43.848+01:00What to do when your H.323 videoconferencing equipment reaches end-of-life?
<br />
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
The big videoconferencing vendors (Polycom, Lifesize, Cisco etc.)
only support their products for a limited time. After that they go
"end-of-life" and don't receive any more updates. That doesn't
mean they stop working. The H.323
standard for video conferencing hasn't changed much in recent
years, so there is no need for updates to accommodate protocol changes. But there is a certain risk that
they have a security hole that doesn't get fixed any more.</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<h3 class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
Save money and stay independent</h3>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
The vendors would prefer that you simply buy something new or subscribe
to their proprietary "cloud service". But to you this means
spending money and possible lock-in to their system, versus just
keeping systems going that run fine and owning the technology yourself,
with the independence that comes with it.</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<h3 class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
Move endpoints inside your firewall to private IPs</h3>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
One important suggestion is to move end-of-life endpoints away from
public IP addresses to private IPs inside your firewall. Out of
convenience many people used to operate their H.323 endpoints on
public IPs, but nowadays it's not much of a problem to use H.460 NAT
traversal and move them to a safe place inside, behind a GNU
Gatekeeper.</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
If you have very old endpoints that don't support H.460 NAT
traversal, you can still do this. You just need a second GNU Gatekeeper
inside your firewall that tunnels the calls out to your external GNU
Gatekeeper on the public IP. (Hey, it's free, you just need a second
server!)</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<h3 class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
Replace infrastructure devices with a GNU Gatekeeper</h3>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
Some infrastructure devices (gatekeepers, gateways, proxies etc.)
need to be on public IPs and thus there is a risk of exposing
possible security holes to the open internet. Many of those can be
replaced with a GNU Gatekeeper. Keep in mind it can be configured to
do many different things that ordinary gatekeepers don't do.</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
<div class="western" lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br />
</div>
Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-73423645968297608902018-01-17T16:22:00.000+01:002018-01-17T16:22:52.846+01:00GNU Gatekeeper 4.8 releasedGNU Gatekeeper version 4.8 has been released<br />
<br />
This version has many new features. You can download the new version from<br /><a href="https://www.gnugk.org/h323download.html">https://www.gnugk.org/h323download.html</a><br /><br />Overview:<br /><br />New <b>maintenance mode</b>: When you need to take down your GnuGk server<br />(e.g. for an OS update), you can switch GnuGk to maintenance mode, where<br />it will only allow ongoing calls to finish and automatically redirects<br />all idle endpoints to an alternate GnuGk server.<br />The status port command is "MaintenanceMode &lt;alternate IP&gt;".<br /><br />Detailed information about <b>ongoing calls</b>: You can now display lots of<br />information about each ongoing call (codecs, bandwidth used, IPs etc.).<br />The web interface has been extended to show this information.<br />See https://www.gnugk.org/images/web7.jpg<br /><br />Easier installation on <b>AWS</b> and inside <b>docker</b> containers. You can now<br />let GnuGk automatically detect the public IP of your AWS server, even<br />from within a docker container. You can also automatically insert your<br />public/external IP into your trace file names to store logs from many<br />servers in the same directory.<br /><br /><b>Extended API</b>: Call routing with external applications has been<br />expanded. You can now set the display names for participants and<br />desired reject codes on the status port. You can also access the<br />vendor information of all registered endpoints. The web interface has<br />been extended to provide this information, too.<br /><br /><b>HttpPasswordAuth</b> has been greatly extended to fetch password<br />information from backend servers. We now use curl to support https<br />and you can add many new placeholders in your queries.<br /><br />Extended <b>screening</b> and rewriting of display names and calling party<br />names.<br /><br />Important <b>bug fixes</b>: Multiplexed RTP is now much more robust and<br />password authentication to parent gatekeepers has been fixed. 
There<br />are also interop fixes for TCP keep-alives.<br /><br /><br />Please see the full change log below for more details.<br /><br /><u>Changes from 4.7 to 4.8</u><br />
<ul>
<li>HttpPasswordAuth: support https and add new placeholders</li>
<li>PrintAllRegistrationsVerbose now also shows the endpoint vendor</li>
<li>new status port command: MaintenanceMode</li>
<li>new status port command: PrintCallInfo</li>
<li>allow placeholder %{gkip} and %{external-ip} in [LogFile] Filename=</li>
<li>fetch AWS public/elastic IP if ExternalIP=AWSPublicIP</li>
<li>new commandline switch: -e / --externalip</li>
<li>extend status port command RouteReject to set reject reason</li>
<li>extend status port commands RouteToAlias, RouteToGateway etc. to set display IE for calling and called</li>
<li>new switch: [LogFile] DeleteOnRotation=1 to delete the old logfile when rotating instead of renaming it</li>
<li>new switches: [RoutedMode] AppendToCallingPartyNumberIE= / PrependToCallingPartyNumberIE= to add any string before or after the calling party number IE when ScreenCallingPartyNumberIE=RegisteredAlias</li>
<li>when [RoutedMode] ScreenCallingPartyNumberIE= is set to RegisteredAlias, GnuGk sets calling party number IE to the registered alias (forced screening)</li>
<li>delete DisplayIE when [RoutedMode] ScreenDisplayIE=Delete</li>
<li>new switch [Endpoint] Authenticators=</li>
<li>new default: [RoutedMode] GnuGkTcpKeepAliveMethodH225=EmptyFacility</li>
<li>new default: [RoutedMode] H460KeepAliveMethodH225=EmptyFacility for Cisco interop</li>
<li>new setting "None" for keep-alive methods</li>
<li>BUGFIX(ProxyChannel.cxx) fix bugs in H.460.19 RTP multiplexing</li>
<li>BUGFIX(ProxyChannel.cxx) don't send H.460 keep-alive to non-H.460 party when calling H.460 party</li>
<li>BUGFIX(Routing.cxx) show called port in RouteRequests (as documented)</li>
<li>BUGFIX(GkClient.*) fix password authentication with parent</li>
<li>BUGFIX(Routing.cxx) remove semicolon and pipe chars from vendor string in RouteRequests</li>
<li>better handling of IPv6 GRQ without RAS address</li>
<li>BUGFIX(ProxyChannel.cxx) turn off encryption proxy if DH key is negotiated, but TCS doesn't contain any H.235 entries</li>
<li>BUGFIX(ProxyChannel.cxx) fix running in proxy mode on FreeBSD when one Home IP is set</li>
<li>BUGFIX(ProxyChannel.cxx) fix DisableSettingUDPSourceIP=1 for Windows, NetBSD, OpenBSD and Solaris</li>
<li>BUGFIX(yasocket.cxx) fix LARGE_FDSET for NetBSD, OpenBSD and Solaris</li>
</ul>
<br />Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-23529092080732626922017-10-04T14:14:00.002+02:002017-10-04T14:15:44.834+02:00Background: What is an RTP Bleed attack?Now that hopefully everybody has updated to <a href="http://blog.gnugk.org/2017/09/gnu-gatekeeper-4-7.html" target="_blank">GnuGk 4.7</a>, here is a little background information on the latest security update:<br />
<br />
<a href="https://rtpbleed.com/" rel="nofollow" target="_blank">RTP bleed</a> is an attack that allows the attacker to redirect the RTP media stream (or parts of it) to his own IP without having to manipulate any IP routing or be in a man-in-the-middle position. It can also be used to mount a denial-of-service attack.<br />
<br />
This vulnerability is not specific to GnuGk or H.323. It exists in a number of telephony products and RTP proxies. Recently <a href="https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed" rel="nofollow" target="_blank">Asterisk was found to be vulnerable</a>.<br />
<br />
How is this attack possible?<br />
<br />
Originally H.323 announced all the ports it intended to use inside the signaling and all was well. Then came firewalls, and today most endpoints live on private IPs and have no idea what their public IP might be or which port the NAT router assigns them.<br />
<br />
Thus H.323 introduced port detection in the form of H.460.19, which only works with registered endpoints, and GnuGk extends that to unregistered endpoints with the <a href="https://www.gnugk.org/gnugk-manual-5.html#ss5.2" target="_blank">IgnoreSignaledIPs=1</a> switch.<br />
<br />
This works very well, but it means that GnuGk has to listen for RTP from any IP address and then send RTP for the other direction to whatever IP the sender appears to have. An attacker can now try to send its own RTP packets and trick GnuGk into believing they come from the call participants. And that's really easy, since RTP itself doesn't carry any form of authentication. When receiving such a malicious RTP packet at the right time, GnuGk<br />
would thus send the media stream to the attacker.<br />
<br />
The first step to reducing the attack surface is to stop allowing incoming RTP packets to change the send destination after the initial port detection is done. GnuGk has always done this for H.460.19, but not for unregistered calls until version 4.7.<br />
<br />
Unfortunately this still leaves the possibility for an attacker to send RTP packets before the real call participants do. And since RTP is UDP, it can easily be sent with a spoofed source address, turning this into a hard-to-defend-against denial-of-service attack.<br />
<br />
Since H.323 doesn't place any requirements on where RTP will come from, you can't defend against this remaining vulnerability without disrupting some valid configurations.<br />
<br />
But in most cases RTP will come from the same IP, or at least the same network, that the signaling comes from. Thus GnuGk introduces a new switch in version 4.7 so you can tell GnuGk to only accept RTP from these IPs (<a href="https://www.gnugk.org/gnugk-manual-5.html#ss5.2" target="_blank">RestrictRTPSources=Net</a>). An attacker would then have to be inside the calling party's network to cause harm, which is way more<br />
difficult than being just anywhere on the internet.<br />
<br />
If you use a load balancer or routed mode gatekeepers distributed over multiple networks, you need to take more elaborate steps to secure your network, but the vast majority of users should be able to secure their configurations with RestrictRTPSources=Net. Since we violate the H.323 standard a bit here, the switch is off by default and you will<br />
need to set it explicitly.<br />
<br />
I hope this clarifies the issue and explains why you should update and secure your configuration!Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.comtag:blogger.com,1999:blog-3163071559093774092.post-67129917181302266332017-09-21T11:02:00.000+02:002017-09-21T11:02:24.295+02:00GNU Gatekeeper 4.7 (security update)This version is purely a security update and has no new features. All users are encouraged to update; especially if you use port detection (<span style="font-family: 'Courier New',Courier,monospace;">IgnoreSignaledIPs=1</span>), you should update ASAP.<br /><br />It has been discovered that GnuGk is vulnerable in some configurations to RTP bleed attacks (<a href="https://rtpbleed.com/" rel="nofollow" target="_blank">https://rtpbleed.com/</a>). After updating to version 4.7, only the first packets in each media stream influence the media destination.<br /><br />To further secure your configuration, you can set<br /><br /><span style="font-family: 'Courier New',Courier,monospace;">[Proxy]<br />RestrictRTPSources=Net</span><br /><br />to only accept RTP from the same class C network that the call signaling came from. Please beware that this may break a few valid calls where this condition isn't met.<br /><br />You can download the new version from<br /><a href="https://www.gnugk.org/h323download.html" target="_blank">https://www.gnugk.org/h323download.html</a><br /><br /><br />Please see the full change log below.<br /><br /><u>Changes from 4.6 to 4.7</u><br />
<ul>
<li>fixes for RTP Bleed</li>
<li>new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP from the call signal IPs or the respective class C network</li>
<li>new switch [Proxy] LegacyPortDetection=1 to keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks</li>
<li>BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using RedirectCallsToGkIP</li>
<li>BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs</li>
<li>new command line option: now you can use -S instead of --strict (needed on BSD systems)</li>
</ul>
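<br />The following Python model is an added illustration of the behaviour described in the RTP Bleed background post and in the 4.7 release note above; it is not GnuGk's own code (which is C++) and not an exact description of its internals. It shows, for one direction of a proxied media stream: the pre-4.7 behaviour where every incoming packet may re-point the return stream, the 4.7 fix where the destination is frozen after the initial port detection, the remaining race where a spoofed packet arriving first still wins, and how a RestrictRTPSources=Net style check (source must lie in the signaling IP's /24, i.e. the post's "class C" network, an IPv4 assumption here) closes that race for sources outside the signaling network. The class and function names, the `lock_after` parameter and the sample addresses (documentation ranges) are constructed for this example.<br />

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (IP, UDP port) that an RTP packet came from

# Constructed sample addresses (documentation ranges, not real hosts).
LEGIT = ("198.51.100.20", 5004)     # the real call participant; also the signaling IP
SAME_NET = ("198.51.100.77", 6000)  # media from another host in the signaling /24
OUTSIDER = ("203.0.113.9", 4000)    # packets from outside the signaling network


@dataclass
class RtpLeg:
    """One direction of a proxied RTP stream whose far-end address is learned
    from incoming packets (port detection). Hypothetical model, not GnuGk code."""
    signaling_ip: str                 # IP the call signaling (H.225/Q.931) came from
    restrict: str = "None"            # "None", "IP" or "Net", after [Proxy] RestrictRTPSources
    lock_after: Optional[int] = 1     # packets allowed to set the destination; None = never lock
    dest: Optional[Addr] = None       # where the return media stream will be sent
    accepted: int = 0
    dropped: int = 0

    def source_allowed(self, src_ip: str) -> bool:
        """RestrictRTPSources check: IP = exact signaling IP, Net = its /24 (IPv4 assumption)."""
        if self.restrict == "IP":
            return ipaddress.ip_address(src_ip) == ipaddress.ip_address(self.signaling_ip)
        if self.restrict == "Net":
            net = ipaddress.ip_network(f"{self.signaling_ip}/24", strict=False)
            return ipaddress.ip_address(src_ip) in net
        return True

    def on_packet(self, src: Addr) -> bool:
        """Handle one incoming RTP packet; returns True if it was accepted."""
        if not self.source_allowed(src[0]):
            self.dropped += 1
            return False
        # Port detection: only the first lock_after packets decide the destination.
        # With lock_after=None every packet re-points the stream (pre-4.7 behaviour).
        if self.lock_after is None or self.accepted < self.lock_after:
            self.dest = src
        self.accepted += 1
        return True


def run(leg: RtpLeg, packets) -> Tuple[Optional[Addr], int, int]:
    """Feed packets in order; return (learned destination, accepted, dropped)."""
    for p in packets:
        leg.on_packet(p)
    return leg.dest, leg.accepted, leg.dropped


def pre_4_7():
    """Every packet may change the destination: a late spoofed packet redirects the media."""
    return run(RtpLeg(LEGIT[0], lock_after=None), [LEGIT, LEGIT, OUTSIDER])


def locked_4_7():
    """Destination frozen after the first packet: a late packet no longer redirects media."""
    return run(RtpLeg(LEGIT[0], lock_after=1), [LEGIT, LEGIT, OUTSIDER])


def locked_4_7_race():
    """Remaining gap: a packet that arrives before the real participant still wins."""
    return run(RtpLeg(LEGIT[0], lock_after=1), [OUTSIDER, LEGIT])


def restricted_net():
    """RestrictRTPSources=Net drops sources outside the signaling /24, closing the race;
    a host inside that /24 is still accepted (the trade-off the post describes)."""
    return run(RtpLeg(LEGIT[0], restrict="Net", lock_after=1), [OUTSIDER, LEGIT, SAME_NET])


if __name__ == "__main__":
    for scenario in (pre_4_7, locked_4_7, locked_4_7_race, restricted_net):
        dest, acc, drop = scenario()
        print(f"{scenario.__name__:16} dest={dest} accepted={acc} dropped={drop}")
```

Running the block prints one line per scenario; only `pre_4_7` and `locked_4_7_race` end with the outsider's address as the media destination, which is exactly the residual risk the post says RestrictRTPSources=Net is meant to cover.<br />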
<br />Janhttp://www.blogger.com/profile/11726606189890617851noreply@blogger.com