
H.323 NAT/firewall traversal – A chance for APAN? 19th APAN Meeting - PowerPoint PPT Presentation



  1. H.323 NAT/firewall traversal – A chance for APAN?
     19th APAN Meeting, BoF on H.323 networking in APAN, Bangkok, Thailand, January 2005
     K. Stoeckigt, kewin@acm.org

  2. Outline
     • A brief intro to GnuGK
       – What is it?
       – What does it do?
       – Some extra features
     • NAT/firewall traversal
       – The H.323 firewall problem
       – NAT traversal
     • A chance for APAN?
       – “Braindump” or a few ideas…
       – Peering with the rest of the world (GDS, etc.)

  3. The H.323 firewall problem
     • H.323 uses a few fixed ports, such as 1718, 1719 tcp
     • Other communication ports are DYNAMICALLY negotiated during the setup process
       – Used port range: 2^10 to 2^16 (1024 – 65535) udp
       – 4 to 8 ports used per call
       – This dynamic negotiation is the problem, aka the H.323 firewall problem: how do you open ports if you don’t know them?
     • Complexity of the media streams can cause problems as well
       – many different sub-protocols are used for several different data/control channels → today more or less just a minor glitch

  4. The H.323 firewall problem (cont’d)
     • The screenshot on the right-hand side shows a Viavideo in a call
       – 3 TCP streams
         • Control channels (H.225, H.245)
         • 1 fixed port: 1720
         • 2 dynamic ports: 1436, 1437
       – 5 UDP streams
         • 1 control channel
         • 4 data channels (a/v)
         • all ports dynamically assigned
           – 1435
           – 49154 to 49157

  5. The H.323 firewall problem (cont’d)
     • The big picture, or what happens if…
       – often the setup (tcp) will go through the firewall (black lines)
       – audio/video can be sent from inside → outside, but not vice versa
         • external H.323 endpoint gets audio and video
         • internal H.323 endpoint gets a black screen ☹

  6. The H.323 firewall problem (cont’d)
     • Is there a way to solve this problem?
       – Don’t use H.323 ☹
       – “OpenFirewalling” ☹
         • Open the firewall for all H.323 endpoints
       – Wait until someone rewrites the standard ☹
       – Use GnuGK ☺

  7. GnuGK
     • What is it?
       – A fully functional Gatekeeper
       – Available for free
       – Supports H.323 V.4 (depending on underlying libraries)
       – Besides the standard features each Gatekeeper has, such as bandwidth control, address translation, admission control, zone management, and call control signaling, GnuGK comes with a wide range of authentication methods and a full-featured media proxy

  8. GnuGK
     • Why should you use it?
       – It’s free ☺
       – It runs on a variety of OSes, like Unix/Linux, Windows and Macs
         • Precompiled binaries are available for several platforms
         • Some features are not (yet) available on Windows
       – Media proxy (→ this solves the H.323 firewall problem)
       – Several endpoint authentication methods
       – New services can be added by interacting with other tools
         • billing, etc.

  9. GnuGK
     • The proxy
       – The proxy is used to bypass firewalls
         • Only the gk/proxy IP address is allowed to bypass the firewall: the port ranges are opened only for this system, and not for all clients
       – The proxy transports (‘proxies’) all control/media streams (tcp/udp)
     • Data/stream flow
       – Endpoint → Proxy → Endpoint: for signaling streams (tcp)
       – Endpoint → Proxy → Endpoint: for media streams (udp)
       – Endpoints don’t know that the proxy is a proxy; they assume the proxy is the endpoint

  10. GnuGK
     • The proxy (cont’d)
       – the external H.323 endpoint ‘talks’ to the gatekeeper/proxy, which then forwards the streams to the internal H.323 endpoint, and vice versa
       – only the IP of the gatekeeper/proxy is allowed to bypass the firewall
       – both endpoints get audio/video
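An added example (not from the slides) that models the three firewall policies of slides 5, 6 and 9–10 against the stream list captured on slide 4. The endpoint and proxy addresses are constructed; the port numbers are the ones on slide 4.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Streams of the Viavideo call from slide 4 (protocol, destination port).
# 1720 is the fixed H.225 call-signalling port; every other port was
# negotiated dynamically during call setup.
VIAVIDEO_CALL = [("tcp", 1720), ("tcp", 1436), ("tcp", 1437),
                 ("udp", 1435), ("udp", 49154), ("udp", 49155),
                 ("udp", 49156), ("udp", 49157)]

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dst: str        # destination network the rule opens, e.g. "10.10.0.0/16"
    ports: range    # destination port range the rule opens

def allowed(rules, proto, dst_ip, dport):
    """True if some rule lets an inbound flow through to dst_ip:dport."""
    return any(r.proto == proto and dport in r.ports
               and ip_address(dst_ip) in ip_network(r.dst)
               for r in rules)

def first_blocked_stream(rules, dst_ip):
    """The first stream of the call the firewall drops, or None if all pass."""
    for proto, port in VIAVIDEO_CALL:
        if not allowed(rules, proto, dst_ip, port):
            return (proto, port)
    return None

# Constructed addresses: an internal endpoint (slide 14 uses 10.10.2.12)
# and a gatekeeper/proxy placed in the DMZ.
ENDPOINT, PROXY = "10.10.2.12", "192.0.2.10"

# Slide 5: only the fixed signalling port is open; setup passes, media does not.
FIXED_ONLY = [Rule("tcp", "10.10.0.0/16", range(1720, 1721))]
# Slide 6, "OpenFirewalling": the whole 2^10..2^16 range to every endpoint.
OPEN_ALL = [Rule(p, "10.10.0.0/16", range(1024, 65536)) for p in ("tcp", "udp")]
# Slides 9-10: the same range, but only towards the proxy's single address.
PROXY_ONLY = [Rule(p, PROXY + "/32", range(1024, 65536)) for p in ("tcp", "udp")]

if __name__ == "__main__":
    for name, rules in [("fixed port only", FIXED_ONLY),
                        ("open firewalling", OPEN_ALL),
                        ("proxy only", PROXY_ONLY)]:
        print(name, "- endpoint:", first_blocked_stream(rules, ENDPOINT),
              "proxy:", first_blocked_stream(rules, PROXY))
```

With the fixed-port policy the call setup passes and the first dynamic TCP channel is dropped, which is the black-screen case; with the proxy policy nothing reaches the endpoint directly and every stream reaches the proxy.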

  11. GnuGK
     • Is it secure?
       – All systems that have an internet connection can be hacked, hijacked, etc. NO SYSTEM IS 100% SECURE
       – Apart from that, yes it is, because
         • Videoconferencing systems and/or IP phones are still protected by the firewall, and they are only allowed to talk to the IP of the gatekeeper/proxy
         • The gatekeeper/proxy should be located in a DMZ
         • An example: H.323 systems using this scheme were not affected by the H.323 vulnerability reported in early 2004
       – Is it possible to make it even more secure? YES

  12. GnuGK
     • …add some more security
       – Add a second gatekeeper: one in the internal network, the other one in the external network, and open the firewall so that only the two IP addresses are allowed to talk to each other → other traffic is blocked

  13. GnuGK
     • Some extra features
       – Support for NATed endpoints/private networks
       – Load balancing via alternate GKs
       – Call queueing (using 3rd-party software)
       – Call forwarding
       – H.235
       – ToS bit forwarding
       – Accounting/billing (file, MySQL, RADIUS, …)
       – Call limitation for prefixes, IPs, subnets, etc.
       – Several authentication schemes
       – …

  14. NAT/firewall traversal
     • NAT – Network address translation
       • NAT is used if a company/institute does not have enough public IP addresses for their systems
       • Private address range
         – Common ranges
           » 192.168.xxx.xxx
           » 10.10.xxx.xxx
           » …
       • NAT translates a private IP address to a public IP address
         – 10.10.2.12 → 134.12.27.156
       – NAT and H.323 usually don’t work very well together, unless
         • you only connect to other systems on the same private network
         • you have a solution in place for solving the NAT problem
         • you use public IP addresses for the H.323 terminals/endpoints

  15. NAT/firewall traversal
     • The big picture of what happens if…
       – 10.10.2.12 (A) sends a setup request to B (130.201.17.26), which cannot resolve the IP
       – B wants to accept the call and sends a connect/alert to A
         • A is on a private network and therefore has no public (official) IP address → connection is not established
     THIS IS NOT A PARTICULAR PROBLEM OF H.323

  16. NAT/firewall traversal
     • GnuGK can handle NAT as well as bypass the firewall
     • How does it work / what is necessary?
       – The gatekeeper/proxy has two network interfaces, one to the public network, one to the private network
       – Full forwarding between the two interfaces is necessary
     • Uni Ljubljana (Slovenia) has a setup in place

  17. A chance for APAN?
     – Japan +81
     – Korea (South) +82
     – China +86
     – Taiwan +886
     – Hong Kong +852
     – India +91
     – Sri Lanka +94
     – Bangladesh +880
     – Thailand +66
     – Malaysia +60
     – Singapore +61
     – Philippines +63
     – Australia +61
     – New Zealand +64

  18. A chance for APAN?
     • Peering with the rest of the world
       – use of the GDS (Global Dialing Scheme)
         • This will connect you to hundreds of other sites around the world
           – 125+ zones
           – 10000+ endpoints
         • check http://videnet.unc.edu

  19. A chance for APAN?
     • Principles
       – International, but freedom of choice for the local situation
       – E.164/telephone-number integration
         • Numbers look like 0064 9 367 7100 32012
       – Implemented by present gatekeeper technology
       – Compatible with the existing network (ViDeNet)
       – Governed by ViDe’s Numerical Address Space Management (NASM) working group
     • Proposal
       – by SURFnet, UKERNA, HEAnet, UNC
       – Implemented by ViDeNet, Internet2 and NREN services and testbeds
     (derived from E. Verharen, 2005)

  20. A chance for APAN? [figure; only the number 541 survives from the slide]

  21. A chance for APAN?
     • Project proposal
       – Set up and install local gatekeepers at institutes/universities with help from me and AARNet (??)
       – If no country gatekeeper is in place, maybe AARNet would run the service for a while (or, if Stephen’s project 1 goes through, use this Linux box for temporarily hosting several country zones), or if more local zones become available, set up and install a country gatekeeper

  22. A chance for APAN?
     • Project proposal (cont’d)
       – It is simple with GnuGK
         [RasSrv::Neighbors]
         DECGK=194.95.240.3:1719;0049,49;
         AUCGK=138.1.1.1:1719;0061,61;
         NLCGK=1.2.3.4;0031,31;
         UKCGK=2.3.4.5;0044,44;
         …
       – It’s cheap
         • GnuGK is free, it runs on Linux (free)
         • You need a computer for about US$1000
       – Help will be provided
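An added example (not the project's own code) that parses the [RasSrv::Neighbors] section from slide 22 and resolves a dialed GDS number of the form shown on slide 19 to the neighbour gatekeeper with the longest matching prefix. The INI text repeats the slide's four entries; a missing port defaults to 1719 (the RAS port used by the other entries), and the parsing and defaulting rules are assumptions for this example.

```python
import re

# Constructed INI text in the GKID=ip[:port];prefix,prefix,...; syntax of slide 22.
NEIGHBORS_INI = """
[RasSrv::Neighbors]
DECGK=194.95.240.3:1719;0049,49;
AUCGK=138.1.1.1:1719;0061,61;
NLCGK=1.2.3.4;0031,31;
UKCGK=2.3.4.5;0044,44;
"""

def parse_neighbors(ini_text, section="[RasSrv::Neighbors]", default_port=1719):
    """Return {gkid: (host, port, [prefixes])} for the neighbours section."""
    neighbors, in_section = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank or comment line
            continue
        if line.startswith("["):                       # section header
            in_section = line == section
            continue
        if not in_section:
            continue
        gkid, value = line.split("=", 1)
        addr, prefixes, *_ = value.split(";")          # trailing ';' leaves an empty tail
        host, _, port = addr.partition(":")
        neighbors[gkid.strip()] = (host, int(port) if port else default_port,
                                   [p for p in prefixes.split(",") if p])
    return neighbors

def route(neighbors, dialed):
    """Pick (gkid, host, port) of the neighbour whose longest prefix matches the number."""
    digits = re.sub(r"\D", "", dialed)                 # GDS numbers are written with spaces
    best, best_len = None, 0
    for gkid, (host, port, prefixes) in neighbors.items():
        for prefix in prefixes:
            if digits.startswith(prefix) and len(prefix) > best_len:
                best, best_len = (gkid, host, port), len(prefix)
    return best                                        # None: no neighbour serves this zone

if __name__ == "__main__":
    table = parse_neighbors(NEIGHBORS_INI)
    for number in ("0049 30 12345 678", "0064 9 367 7100 32012"):
        print(number, "->", route(table, number))
```

The slide 19 number 0064 9 367 7100 32012 resolves to nothing here because no +64 neighbour is configured, which is exactly the gap a country gatekeeper for that zone would close.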

  23. A chance for APAN? YES. YOU SHOULD USE IT
