H.235 password authentication
Until now, GnuGk only supported MD5 password tokens well. The passwordonly secured RRQ and ARQ messages in the direction from the endpoint to
the gatekeeper and MD5 is considered a pretty weak algorithm. MD5
tokens are widely supported by vendors and are usually called "H.235",
but strictly speaking they aren't part of any ITU spec.
The new implementation in GnuGk closely follows the H.235.1
specification. It secures all RAS (RRQ, ARQ, BRQ, DRQ etc.) and all
Q.931 (Setup, Alerting etc.) messages. It also secures both directions,
so the gatekeeper can check every message if it is really from the
endpoint and also the endpoint can make sure its really talking to its
gatekeeper.
The interpretation of H.235.1 varies between vendors (or their
implementation is just buggy, your call). Thats why GnuGk defaults to
rather strict checks, but has configuration switches ([H235] config
section) to enable interoperability with vendor implementations.
During development I ran tests with AudioCodes, Polycom, Inovaphone and
H323Plus endpoints.
For example if you are using a AudioCodes gateway, you should set
[Gatekeeper::Auth]
SimplePasswordAuth=required;RRQ,ARQ,DRQ,RAI,Setup,Alerting,Connect,ReleaseComplete,Facility
[H235]
UseEndpointIdentifier=1
RequireH2351GeneralID=0
FullQ931Checking=1
You can even tighten security with CheckID=1 in [SimplePasswordAuth].
Per endpoint codec filtering
Suppose you have this MCU, that works fine when endpoints use H.263,but a lot of calls using H.264 fail. Now you can simply disable H.264
in your GnuGk config, even if that MCU doesn't give you that option:
[RoutedMode]
H245Routed=1
[EP::MyMCU]
DisabledCodecs=genericVideoCapability
Now that MCU can't negotiate H.264 any more and all calls will use
H.263. All other endpoint can still use all codecs.
Or suppose you have a Radvision MCU that is rather strict about using
symmetric codecs. Many endpoints don't handle symmetric codec
requirements correctly, but it often helps to simply disable H.239 if
you aren't using it away:
[EP::RadvisionMCU]
DisabledCodecs=extendedVideoCapability;genericControlCapability
If all your endpoints follow all the specs, you'll probably never need
this feature. Unfortunately not all do and thats when this feature
comes in handy.
IPv6 and IPv4-IPv6 conversion
Actually this is not a new feature in GnuGk 4.0, but 4.0 brings somesignificant bug fixes and improvements.
We all know IPv6 will come some day, but hasn't so far, because some
equipment still works better with IPv4 or some network doesn't support
it, yet etc.
With GnuGk, you don't have to convert your network to IPv6, you can
simply add it as another option and GnuGk will convert between IPv4 and
IPv6 whenever necessary. So you can keep all your legacy endpoints that
only support IPv4 and still have them reach other endpoints that work
on IPv6.
I would suggest you give IPv6 a try in your network now, before things
get very urgent and must be done in a rush.
The config part in GnuGk is rather easy:
[Gatekeeper::Main]
EnableIPv6=1
In all places where you can put an IPv4 address, you can also place an
IPv6 address.
BTW: If you want to see your IPv6 H.323 calls in Wireshark, you need a
new version. I worked with the Wireshark developers to get the
disection fixed. That patch will probably be in 2.0.0rc1.
