H.323 NAT/firewall traversal: A chance for APAN?
19th APAN Meeting, BoF on H.323 networking in APAN, Bangkok, Thailand, January 2005
- K. Stoeckigt, kewin@acm.org
Outline
- A brief intro to GnuGK
  – What is it?
  – What does it do?
  – Some extra features
- NAT/firewall traversal
  – The H.323 firewall problem
  – NAT traversal
- A chance for APAN?
  – “Braindump”, or a few ideas…
  – Peering with the rest of the world (GDS, etc.)
The H.323 firewall problem
- H.323 uses a few fixed ports, such as 1718, 1719 tcp
- Other communication ports are DYNAMICALLY negotiated during the setup process
  – Used port range: 2^10 to 2^16 (1024 – 65535) udp
  – 4 to 8 ports used per call
  – This dynamic negotiation is the problem, aka the H.323 firewall problem: how do you open ports if you don’t know them?
- The complexity of the media streams can cause problems as well
  – Many different sub-protocols are used for several different data/control channels → today more or less just a minor glitch
The H.323 firewall problem (cont’)
- The screenshot on the right-hand side shows a Viavideo in a call
  – 3 TCP streams
    - Control channels (H.225, H.245)
    - 1 fixed port: 1720
    - 2 dynamic ports: 1436, 1437
  – 5 UDP streams
    - 1 control channel
    - 4 data channels (a/v)
    - All ports dynamic: 1435, 49154 to 49157
The H.323 firewall problem (cont’)
- The big picture, or what happens if…
  – Often the setup (tcp) will go through the firewall (black lines)
  – Audio/video can be sent from inside → outside, but not vice versa
    - The external H.323 endpoint gets audio and video
    - The internal H.323 endpoint gets a black screen
The H.323 firewall problem (cont’)
- Is there a way to solve this problem?
  – Don’t use H.323
  – “OpenFirewalling”
    - Open the firewall for all H.323 endpoints
  – Wait until someone rewrites the standard
  – Use GnuGK ☺
GnuGK
- What is it?
  – A fully functional gatekeeper
  – Available for free
  – Supports H.323 v4 (depending on the underlying libraries)
  – Besides the standard features every gatekeeper has, such as bandwidth control, address translation, admission control, zone management and call control signalling, GnuGK comes with a wide range of authentication methods and a full-featured media proxy
GnuGK
- Why should you use it?
  – It’s free ☺
  – It runs on a variety of OSes, like Unix/Linux, Windows and Macs
    - Precompiled binaries are available for several platforms
    - Some features are not (yet) available on Windows
  – Media proxy (→ this solves the H.323 firewall problem)
  – Several endpoint authentication methods
  – New services can be added by interacting with other tools
    - Billing, etc.
GnuGK
- The proxy
  – The proxy is used to bypass firewalls
    - Only the gk/proxy IP address is allowed to bypass the firewall: the port ranges are opened only for this system, and not for all clients
  – The proxy transports (‘proxies’) all control/media streams (tcp/udp)
- Data/stream flow
  – Endpoint → Proxy → Endpoint: for signalling streams (tcp)
  – Endpoint → Proxy → Endpoint: for media streams (udp)
  – Endpoints don’t know that the proxy is a proxy; they assume the proxy is the endpoint
GnuGK
- The proxy (cont’)
  – The external H.323 endpoint ‘talks’ to the gatekeeper/proxy, which then forwards the streams to the internal H.323 endpoint, and vice versa
  – Only the IP of the gatekeeper/proxy is allowed to bypass the firewall
  – Both endpoints get audio/video
GnuGK
- Is it secure?
  – All systems that have an internet connection can be hacked, hijacked, etc. NO SYSTEM IS 100% SECURE
  – Apart from that, yes it is, because
    - Videoconferencing systems and/or IP phones are still protected by the firewall, and they are only allowed to talk to the IP of the gatekeeper/proxy
    - The gatekeeper/proxy should be located in a DMZ
    - An example: H.323 systems using this scheme were not affected by the H.323 vulnerability reported in early 2004
  – Is it possible to make it even more secure? YES
GnuGK
- …add some more security
  – Add a second gatekeeper: one in the internal network, the other one in the external network, and open the firewall so that only the two IP addresses are allowed to talk to each other → all other traffic is blocked
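The difference between “OpenFirewalling” and the proxy scheme described on the proxy slides, as an added example that is not part of the talk or of GnuGK: a small Python model of the two inbound rule sets (1720/tcp plus the 1024–65535 dynamic range from the slides), where the proxy address, the outside host and the internal media port are constructed values.

```python
"""Added example (not from the talk or GnuGK): a small model of the two firewall
policies the slides contrast, "OpenFirewalling" (whole H.323 port range open to
any host) and the GnuGK proxy scheme (same ports opened only for the proxy's IP).
All addresses are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

H225_SETUP_TCP = (1720, 1720)   # fixed call-signalling port (from the slides)
DYNAMIC = (1024, 65535)         # negotiated H.245 (tcp) and media (udp) range
PROXY_IP = ip_address("134.12.27.156")   # constructed: gatekeeper/proxy in the DMZ
STRANGER = ip_address("198.51.100.7")    # constructed: arbitrary internet host

@dataclass(frozen=True)
class Rule:
    src: object        # ip_network, or None for "any source"
    proto: str         # "tcp" or "udp"
    ports: tuple       # inclusive destination port range (low, high)

    def matches(self, src, proto, dport):
        return ((self.src is None or src in self.src)
                and proto == self.proto
                and self.ports[0] <= dport <= self.ports[1])

def allowed(rules, src, proto, dport):
    """Inbound packet to the internal network passes iff some rule matches."""
    return any(r.matches(src, proto, dport) for r in rules)

def h323_rules(src):
    """Open the H.323 ports for one source network, or for everyone if src is None."""
    return [Rule(src, "tcp", H225_SETUP_TCP),
            Rule(src, "tcp", DYNAMIC),
            Rule(src, "udp", DYNAMIC)]

# "OpenFirewalling": open the firewall for all H.323 endpoints, i.e. for anyone
OPEN_FIREWALLING = h323_rules(None)
# Proxy scheme: only the gatekeeper/proxy IP may cross the firewall
PROXY_SCHEME = h323_rules(ip_network(f"{PROXY_IP}/32"))

def exposure(rules, dport=49154):
    """Who can reach an internal endpoint's negotiated media port (49154/udp as on the slides)?"""
    return {"proxy": allowed(rules, PROXY_IP, "udp", dport),
            "stranger": allowed(rules, STRANGER, "udp", dport)}

if __name__ == "__main__":
    print("OpenFirewalling:", exposure(OPEN_FIREWALLING))  # proxy and stranger both True
    print("Proxy scheme:   ", exposure(PROXY_SCHEME))      # proxy True, stranger False
```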
GnuGK
- Some extra features
  – Support for NATed endpoints/private networks
  – Load balancing via alternate GKs
  – Call queueing (using 3rd-party software)
  – Call forwarding
  – H.235
  – ToS bit forwarding
  – Accounting/billing (file, MySQL, RADIUS, …)
  – Call limitation for prefixes, IPs, subnets, etc.
  – Several authentication schemes
  – …
NAT/firewall traversal
- NAT
  – Network address translation
    - NAT is used if a company/institute does not have enough public IP addresses for its systems
    - Private address range
  – Common ranges
    » 192.168.xxx.xxx
    » 10.10.xxx.xxx
    » …
  – NAT translates a private IP address to a public IP address
    - 10.10.2.12 → 134.12.27.156
  – NAT and H.323 usually don’t work very well together, unless
    - you only connect to other systems on the same private network
    - you have a solution in place for solving the NAT problem
    - you use public IP addresses for the H.323 terminals/endpoints
NAT/firewall traversal
- The big picture of what happens if…
  – 10.10.2.12 (A) sends a setup request to B (130.201.17.26); B can not resolve the IP of A
  – B wants to accept the call and sends a connect/alert to A
    - A is on a private network and therefore has no public (official) IP address
  → Connection is not established. THIS IS NOT A PARTICULAR PROBLEM OF H.323
NAT/firewall traversal
- GnuGK can handle NAT as well as bypass the firewall
- How does it work / what is necessary?
  – The gatekeeper/proxy has two network interfaces, one to the public network, one to the private network
  – Full forwarding between the two interfaces is necessary
    - Uni Ljubljana (Slovenia) has a setup in place
A chance for APAN?
- +64 New Zealand
- +61 Australia
- +63 Philippines
- +61 Singapore
- +60 Malaysia
- +66 Thailand
- +880 Bangladesh
- +94 Sri Lanka
- +91 India
- +852 Hong Kong
- +886 Taiwan
- +86 China
- +82 Korea (South)
- +81 Japan
A chance for APAN?
- Peering with the rest of the world
  – Use of the GDS (Global Dialing Scheme)
    - This will connect you to hundreds of other sites around the world
  – 125+ zones
  – 10000+ endpoints
    - Check http://videnet.unc.edu
A chance for APAN?
- Principles
  – International, but freedom of choice for the local situation
  – E.164/telephone number integration
    - Numbers look like 0064 9 367 7100 32012
  – Implemented by present gatekeeper technology
  – Compatible with the existing network (ViDeNet)
  – Governed by ViDe’s Numerical Address Space Management (NASM) working group
- Proposal
  – By SURFnet, UKERNA, HEAnet, UNC
  – Implemented by ViDeNet, Internet2 and NREN services and testbeds
Derived from E. Verharen, 2005
A chance for APAN?
- Project proposal
  – Set up and install local gatekeepers at institutes/universities with help from me and AARNet (??)
  – If no country gatekeeper is in place, maybe AARNet would run the service for a while (or, if Stephen’s project 1 goes through, use this Linux box for temporarily hosting several country zones); or, if more local zones become available, set up and install a country gatekeeper
A chance for APAN?
- Project proposal (cont’)
  – It is simple with GnuGK
  – It’s cheap
    - GnuGK is free, it runs on Linux (free)
    - You need a computer for about US$1000
  – Help will be provided
- Neighbour configuration example:
    [RasSrv::Neighbors]
    DECGK=194.95.240.3:1719;0049,49;
    AUCGK=138.1.1.1:1719;0061,61;
    NLCGK=1.2.3.4;0031,31;
    UKCGK=2.3.4.5;0044,44;
    …
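One way to read a [RasSrv::Neighbors] fragment in the form shown above and route a GDS number of the form shown on the principles slide to the responsible neighbour gatekeeper, as an added Python example that is not the talk’s or GnuGK’s own code; the addresses and prefixes are those on the slide, while longest-prefix matching and the 1719 default port for entries without a port are assumptions.

```python
"""Added example (not from the talk or GnuGK): parse a [RasSrv::Neighbors]
fragment in the form the slide shows and route a dialled GDS/E.164 number to
the neighbour gatekeeper whose prefix matches. Assumed, not taken from the
slide: longest-prefix wins, and an address without a port uses 1719."""
import re

# The fragment as written on the slide; the trailing "..." entry is left out
NEIGHBORS_CFG = """
[RasSrv::Neighbors]
DECGK=194.95.240.3:1719;0049,49;
AUCGK=138.1.1.1:1719;0061,61;
NLCGK=1.2.3.4;0031,31;
UKCGK=2.3.4.5;0044,44;
"""

def parse_neighbors(text, default_port=1719):
    """Return {name: (host, port, [prefixes])} for the [RasSrv::Neighbors] section."""
    neighbors, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_section = (line == "[RasSrv::Neighbors]")
            continue
        if not in_section or "=" not in line:
            continue
        name, _, rest = line.partition("=")
        fields = rest.split(";")                 # "host[:port]" ; "prefix,prefix" ; ...
        host, _, port = fields[0].partition(":")
        prefixes = [p for p in fields[1].split(",") if p] if len(fields) > 1 else []
        neighbors[name.strip()] = (host, int(port) if port else default_port, prefixes)
    return neighbors

def route(neighbors, dialled):
    """Pick the neighbour whose longest prefix matches the dialled digits.
    Returns (name, prefix, host, port) or None when no neighbour is responsible."""
    digits = re.sub(r"\D", "", dialled)          # "0064 9 367 ..." -> "00649367..."
    best = None
    for name, (host, port, prefixes) in neighbors.items():
        for prefix in prefixes:
            if digits.startswith(prefix) and (best is None or len(prefix) > len(best[1])):
                best = (name, prefix, host, port)
    return best

if __name__ == "__main__":
    table = parse_neighbors(NEIGHBORS_CFG)
    print(route(table, "0049 30 1234 5678"))      # DECGK via the 0049 prefix
    print(route(table, "0064 9 367 7100 32012"))  # None: no +64 neighbour in the fragment
```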
A chance for APAN?
- YES. YOU SHOULD USE IT