Inter-Domain Gatekeeper Security Enhancement
This document describes the Inter-Domain Gatekeeper Security Enhancement, including information about the benefits of the feature, supported platforms, related documents, and so on.
The Inter-Domain Gatekeeper Security Enhancement provides a means of authenticating and authorizing H.323 calls between the administrative domains of Internet Telephony Service Providers (ITSPs).
An interzone ClearToken (IZCT) is generated in the originating gatekeeper when a location request (LRQ) is initiated, or when an admission confirmation (ACF) is about to be sent for an intrazone call within an ITSP's administrative domain. As the LRQ traverses the routing path, each gatekeeper that forwards it updates the IZCT's zone fields with its own ID: a gatekeeper that receives the LRQ from within its own domain replaces the source zone, and a gatekeeper that receives it from a foreign domain sets the destination zone. This identifies the point at which the IZCT passes into another ITSP's domain. The terminating gatekeeper hashes the IZCT with the IZCT password and returns it in the location confirmation (LCF); the originating gatekeeper then passes it to the originating gateway in the ACF. The originating gateway carries the IZCT to the terminating gateway in the H.225 SETUP message, and the terminating gateway forwards it to the terminating gatekeeper in the admission request (ARQ) answerCall field, where it is validated.
Within the IZCT format, the following information is required:
•srcCarrierID —Source carrier identification
•dstCarrierID — Destination carrier identification
•intCarrierID — Intermediate carrier identification
•srcZone — Source zone
•dstZone — Destination zone
Figure 1 shows a simple inter-ITSP diagram of the IZCT flow.
Figure 1 Inter-ITSP Diagram of the Inter-Domain Gatekeeper Security Enhancement Flow
1. The originating gateway sends an ARQ message with an interface description as a nonstandard field to originating gatekeeper 1 (OGK1). The interface description is treated as a source carrier identifier.
2. Upon receiving the ARQ, OGK1 creates an IZCT with the following:
–srcCarrierID— source carrier identification, received from the ARQ
–dstCarrierID—destination carrier identification, received from the CSR
–intCarrierID—intermediate carrier identification, received from the CSR
–srcZone—source zone name or a cluster name if the GK is member of a cluster
–dstZone—destination zone is set to null
–interZoneType—interzone type is set to INTRA_DOMAIN_CISCO
The IZCT is sent in an LRQ to OGK2.
3. OGK2 determines that the LRQ did not come from a foreign domain, replaces the IZCT's srcZone with its own ID (or cluster name, if the gatekeeper is a member of a cluster), and forwards the LRQ with the updated IZCT to terminating gatekeeper 2 (TGK2).
4. TGK2 determines that the LRQ came from a foreign domain, updates the IZCT's dstZone with its own ID (or cluster name, if the GK is member of a cluster) and the interZoneType as INTER_DOMAIN_CISCO, and passes the updated IZCT to TGK1. TGK2 treats the zone from which an LRQ is received as foreign-domain zone in either of the following two scenarios:
a. The TGK2's remote zone list does not contain the zone from which an LRQ is received.
b. The TGK2's remote zone list contains the zone from which an LRQ is received and the zone is marked with a foreign-domain flag. For details on how to mark a zone as foreign-domain, refer to the "Configuration Tasks" section.
5. TGK1 updates the IZCT's dstCarrierID to Carrier E, which is determined by the routing process; generates a hash with the IZCT's password; and sends an LCF with the updated IZCT in it. If TGK1 is a clustered GK, then the IZCT password is identical across the cluster.
6. TGK2 forwards the LCF to OGK2.
7. OGK2 forwards the LCF to OGK1.
8. OGK1 extracts the IZCT from the LCF and sends it in an ACF to the OGW.
9. The OGW sends the IZCT to the TGW in the H.225 SETUP message.
10. The TGW passes the IZCT to the TGK1 in an ARQ answerCall.
11. TGK1 authenticates the IZCT successfully, because TGK1 generated the hash in the IZCT and recomputes it with the same IZCT password.
Note In the case of an inter-ITSP call, border zones (in the above example, OGK2 and TGK2) are identified as the srcZone and dstZone of the IZCT that is returned in the ACF to the OGW. If the call is intra-ITSP, leaf zones are identified as the srcZone and dstZone of the IZCT that is returned in the ACF to the OGW.
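The eleven steps above, as an added Python simulation that is not Cisco code and not part of the original document. Zone names are taken from the configuration examples later on this page. The carrier IDs other than Carrier E, the token field encoding, and the use of HMAC-SHA256 keyed with the IZCT password are assumptions: the page does not specify the real wire format or hash algorithm. mark_foreign=False shows what happens when the foreign-domain flag is omitted on TGK2 (the token never becomes INTER_DOMAIN_CISCO), and tamper models a token whose fields were altered after TGK1 hashed it.

```python
"""Hop-by-hop IZCT flow for an inter-ITSP call (steps 1 to 11 above).

Added example, not Cisco code. Zone names come from this page's configuration
examples. ASSUMPTIONS: carrier IDs other than Carrier E, the '|'-joined field
encoding, and HMAC-SHA256 keyed with the IZCT password; the page does not give
the real encoding or hash algorithm.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field, replace
from typing import Optional

INTRA_DOMAIN_CISCO = "INTRA_DOMAIN_CISCO"
INTER_DOMAIN_CISCO = "INTER_DOMAIN_CISCO"


@dataclass
class RemoteZone:
    name: str
    foreign_domain: bool = False  # the 'foreign-domain' keyword on 'zone remote'


@dataclass
class IZCT:
    srcCarrierID: str
    dstCarrierID: str
    intCarrierID: str
    srcZone: str
    dstZone: Optional[str] = None
    interZoneType: str = INTRA_DOMAIN_CISCO
    digest: Optional[bytes] = None

    def hashed_fields(self) -> bytes:
        # Canonical byte string covered by the hash (assumed encoding).
        return "|".join([self.srcCarrierID, self.dstCarrierID, self.intCarrierID,
                         self.srcZone, self.dstZone or "", self.interZoneType]).encode()


@dataclass
class Gatekeeper:
    zone: str
    izct_password: bytes
    remote_zones: dict[str, RemoteZone] = field(default_factory=dict)

    def is_foreign(self, from_zone: str) -> bool:
        # Step 4a: zone not in the remote zone list; 4b: listed with foreign-domain.
        rz = self.remote_zones.get(from_zone)
        return rz is None or rz.foreign_domain

    def originate(self, src_carrier: str, dst_carrier: str, int_carrier: str) -> IZCT:
        # Step 2: OGK1 builds the token; dstZone null, type INTRA_DOMAIN_CISCO.
        return IZCT(src_carrier, dst_carrier, int_carrier, srcZone=self.zone)

    def forward_lrq(self, tok: IZCT, from_zone: str) -> IZCT:
        # Step 3 (same domain): restamp srcZone. Step 4 (foreign): set dstZone
        # and mark the token INTER_DOMAIN_CISCO.
        if self.is_foreign(from_zone):
            return replace(tok, dstZone=self.zone, interZoneType=INTER_DOMAIN_CISCO)
        return replace(tok, srcZone=self.zone)

    def terminate_lrq(self, tok: IZCT, routed_dst_carrier: str) -> IZCT:
        # Step 5: TGK1 sets the routed dstCarrierID, then hashes with the IZCT password.
        tok = replace(tok, dstCarrierID=routed_dst_carrier)
        tok.digest = hmac.new(self.izct_password, tok.hashed_fields(), hashlib.sha256).digest()
        return tok

    def validate_arq(self, tok: IZCT) -> bool:
        # Step 11: TGK1 recomputes the hash over the token from ARQ answerCall.
        if tok.digest is None:
            return False
        expected = hmac.new(self.izct_password, tok.hashed_fields(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tok.digest)


def run_call(password: bytes = b"cisco", mark_foreign: bool = True,
             tamper: Optional[dict] = None) -> tuple[IZCT, bool]:
    """OGW -> OGK1 -> OGK2 -> TGK2 -> TGK1, then back via LCF/ACF/SETUP/ARQ."""
    ogk1 = Gatekeeper("39_gatekeeper", password, {"34_dirgk": RemoteZone("34_dirgk")})
    ogk2 = Gatekeeper("34_dirgk", password, {"39_gatekeeper": RemoteZone("39_gatekeeper"),
                                              "35_dirgk": RemoteZone("35_dirgk")})
    tgk2 = Gatekeeper("35_dirgk", password, {"40_gatekeeper": RemoteZone("40_gatekeeper"),
                                              "34_dirgk": RemoteZone("34_dirgk", mark_foreign)})
    tgk1 = Gatekeeper("40_gatekeeper", password, {"35_dirgk": RemoteZone("35_dirgk")})

    tok = ogk1.originate("CarrierA", "CarrierB", "CarrierC")   # steps 1-2 (constructed IDs)
    tok = ogk2.forward_lrq(tok, from_zone=ogk1.zone)            # step 3
    tok = tgk2.forward_lrq(tok, from_zone=ogk2.zone)            # step 4
    tok = tgk1.terminate_lrq(tok, "CarrierE")                   # step 5
    # Steps 6-10: LCF back to OGK1, ACF to OGW, H.225 SETUP to TGW, ARQ answerCall
    # to TGK1. The token is carried opaque; 'tamper' models a change in transit.
    if tamper:
        tok = replace(tok, **tamper)
    return tok, tgk1.validate_arq(tok)                          # step 11


if __name__ == "__main__":
    token, ok = run_call()
    print(token.srcZone, token.dstZone, token.interZoneType, token.dstCarrierID, ok)
```

Note that only TGK1 can validate the token, because the hash is keyed with TGK1's IZCT password and nothing else in the path checks it; this is why the Note above says the border zones, not the leaf zones, end up in srcZone and dstZone for an inter-ITSP call.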
Benefits
•Provides security for wholesale providers by supporting authentication and authorization of Internet telephony calls between ITSP domains.
•Provides the security functionality necessary for billing and settlement.
Related Features and Technologies
•Settlements for Packet Voice, Phase 2
Cisco customer documentation:
•Settlements for Packet Voice, Phase 2
•Cisco IOS Voice, Video, and Fax Configuration Guide, Release 12.2
•Voice Features for Cisco 3600 Series Routers
•Configuring H.323 VoIP Gateway for Cisco Access Platforms
•Configuring H.323 VoIP Gatekeeper for Cisco Access Platforms
•Configuring Interactive Voice Response for Cisco Access Platforms
•Certification Authority Interoperability
•Cisco IOS Security Configuration Guide
•Cisco IP Security and Encryption Overview
•Token Card and Cisco Secure Authentication Support
•The SSL Protocol Version 3.0 as amended SSL 3.0 Errata of August 26, 1996
These platforms support Gatekeeper functionality for this feature:
•Cisco 3600 series (includes the 3620, 3640, and 3660)
These platforms support Gateway functionality for this feature:
•Cisco 3600 series
•Cisco AS5300 (gateway functionality only)
•Cisco AS5850 (gateway functionality only)
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to email@example.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
No new or modified standards are supported by this feature.
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
No new or modified RFCs are supported by this feature.
See the following section for configuration tasks for the Inter-Domain Gatekeeper Security Enhancement.
•Configuring the Domain Zones and IZCT Password (Required)
Configuring the Domain Zones and IZCT Password
The main tasks are marking foreign and local domain zones and setting up an IZCT password for use in all the zones. To configure the domain zones and IZCT password, perform the following steps beginning in global configuration mode.
Verifying that the IZCT Is Enabled
To verify that IZCT generation is enabled, use the show running-config (show run) command. The following example shows a gatekeeper configuration in which an IZCT password is set and the remote zone 34_dirgk is marked foreign-domain:

gatekeeper
 zone local 35_dirgk cisco.com 172.18.198.196
 zone remote 40_gatekeeper cisco.com 172.18.198.91 1719
 zone remote 34_dirgk cisco.com 172.18.198.197 1719 foreign-domain
 zone prefix 40_gatekeeper 408*
 zone prefix 34_dirgk *
 security izct password ABCDEF
 lrq forward-queries
 no shutdown

The IZCT password is stored and displayed in clear text, so treat the running configuration as sensitive.
This section provides the following configuration examples:
All of the configuration examples are for the set-up diagram shown in Figure 2. One IZCT password is enabled for all of the gatekeepers.
Figure 2 Set-Up Diagram for the Example Configuration
Originating Gatekeeper 1 Example
config terminal
gatekeeper
 zone local 39_gatekeeper cisco.com 172.18.198.92
 zone remote 34_dirgk cisco.com 172.18.198.197 1719
 zone prefix 39_gatekeeper 919*
 zone prefix 34_dirgk *
 security izct password cisco
 gw-type-prefix 1#* default-technology
 no shutdown
Terminating Gatekeeper 1 Example
config terminal
gatekeeper
 zone local 40_gatekeeper cisco.com 172.18.198.91
 zone remote 35_dirgk cisco.com 172.18.198.196 1719
 zone prefix 40_gatekeeper 408*
 zone prefix 35_dirgk *
 security izct password cisco
 gw-type-prefix 1#* default-technology
 no shutdown
Originating Gatekeeper 2 Example
config terminal
gatekeeper
 zone local 34_dirgk cisco.com 172.18.198.197
 zone remote 39_gatekeeper cisco.com 172.18.198.92 1719
 zone remote 35_dirgk cisco.com 172.18.198.196 1719
 zone prefix 39_gatekeeper 919*
 zone prefix 35_dirgk *
 security izct password cisco
 lrq forward-queries
 no shutdown
Terminating Gatekeeper 2 Example
config terminal
gatekeeper
 zone local 35_dirgk cisco.com 172.18.198.196
 zone remote 40_gatekeeper cisco.com 172.18.198.91 1719
 zone remote 34_dirgk cisco.com 172.18.198.197 1719 foreign-domain
 zone prefix 40_gatekeeper 408*
 zone prefix 34_dirgk *
 security izct password cisco
 lrq forward-queries
 no shutdown
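An added configuration audit, written for this page and not a Cisco tool, that parses the IZCT-relevant lines of the four gatekeeper configurations above (reproduced inline as the sample input, with the zone prefix lines omitted) and reports the checks a practitioner would run before relying on inter-domain IZCT validation: every gatekeeper carries security izct password, gatekeepers that must share a password do, and foreign-domain marking is symmetric across the ITSP boundary. Run against the page's own examples it reports one finding: 35_dirgk marks 34_dirgk as foreign-domain but 34_dirgk does not mark 35_dirgk, which matches the one-directional call flow of Figure 1 but means an LRQ arriving at 34_dirgk from 35_dirgk would be handled as intra-domain (step 3) rather than inter-domain (step 4).

```python
"""Audit of IZCT-related gatekeeper configuration.

Added example, not a Cisco tool. Parses the 'gatekeeper' section of IOS
configurations (the four examples from this page, reproduced inline as the
sample input, prefix lines omitted) and checks: 'security izct password' on
every gatekeeper, one password where peers must share it, and symmetric
'foreign-domain' marking across an ITSP boundary.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Sample input: the gatekeeper configurations from this page's examples.
CONFIGS = {
    "OGK1": """gatekeeper
 zone local 39_gatekeeper cisco.com 172.18.198.92
 zone remote 34_dirgk cisco.com 172.18.198.197 1719
 security izct password cisco
 gw-type-prefix 1#* default-technology
 no shutdown""",
    "TGK1": """gatekeeper
 zone local 40_gatekeeper cisco.com 172.18.198.91
 zone remote 35_dirgk cisco.com 172.18.198.196 1719
 security izct password cisco
 gw-type-prefix 1#* default-technology
 no shutdown""",
    "OGK2": """gatekeeper
 zone local 34_dirgk cisco.com 172.18.198.197
 zone remote 39_gatekeeper cisco.com 172.18.198.92 1719
 zone remote 35_dirgk cisco.com 172.18.198.196 1719
 security izct password cisco
 lrq forward-queries
 no shutdown""",
    "TGK2": """gatekeeper
 zone local 35_dirgk cisco.com 172.18.198.196
 zone remote 40_gatekeeper cisco.com 172.18.198.91 1719
 zone remote 34_dirgk cisco.com 172.18.198.197 1719 foreign-domain
 security izct password cisco
 lrq forward-queries
 no shutdown""",
}


@dataclass
class GKConfig:
    local_zone: str = ""
    izct_password: Optional[str] = None
    remote_zones: dict[str, bool] = field(default_factory=dict)  # zone -> foreign-domain set
    forwards_lrq: bool = False


def parse_gatekeeper(config: str) -> GKConfig:
    """Extract the IZCT-relevant lines of a 'gatekeeper' section."""
    gk = GKConfig()
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["zone", "local"]:
            gk.local_zone = t[2]
        elif t[:2] == ["zone", "remote"]:
            # zone remote name domain ip [port] [cost c [priority p]] [foreign-domain]
            gk.remote_zones[t[2]] = "foreign-domain" in t[5:]
        elif t[:3] == ["security", "izct", "password"]:
            gk.izct_password = t[3]
        elif t[:2] == ["lrq", "forward-queries"]:
            gk.forwards_lrq = True
    return gk


def audit(configs: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    gks = {name: parse_gatekeeper(c) for name, c in configs.items()}
    by_zone = {g.local_zone: g for g in gks.values()}
    findings: list[str] = []
    for name, g in gks.items():
        if g.izct_password is None:
            findings.append(f"{name}: no 'security izct password'; it neither generates nor validates IZCTs")
    if len({g.izct_password for g in gks.values() if g.izct_password}) > 1:
        findings.append("IZCT password differs between gatekeepers; all members of a cluster must share it")
    # foreign-domain has to be set on both sides of the boundary, otherwise LRQs arriving
    # from the unmarked side are handled as intra-domain (step 3), not inter-domain (step 4).
    for g in gks.values():
        for rz, foreign in g.remote_zones.items():
            peer = by_zone.get(rz)
            if foreign and peer is not None and not peer.remote_zones.get(g.local_zone, False):
                findings.append(f"{g.local_zone} marks {rz} foreign-domain but {rz} does not mark "
                                f"{g.local_zone}; LRQs from {rz} to {g.local_zone} stay INTRA_DOMAIN_CISCO")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```

The parser deliberately keys on token positions rather than regular expressions so that the optional port, cost and priority arguments of zone remote do not disturb detection of the trailing foreign-domain keyword.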
This feature introduces one new command and two modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
security izct password
To enable generation of the interzone ClearToken (IZCT) and set the password with which it is hashed, use the security izct password gatekeeper configuration command. To disable IZCT generation, use the no form of this command.
security izct password password
no security izct password password
No default behavior or values.
After the security izct password command is issued, a technology prefix must be configured on the gatekeepers for the gateways (gw-type-prefix, as in the configuration examples). The gatekeeper must also be enabled to forward Location Requests (LRQs) that contain E.164 addresses matching zone prefixes controlled by remote gatekeepers (lrq forward-queries).
Note All the gatekeepers in a cluster should have the same izct password.
The following example shows how to enable an IZCT password:
Router(config-gk)# security izct password cisco
zone cluster remote
To define a remote grouping of gatekeepers, use the zone cluster remote gatekeeper configuration command. To remove the cluster definition, use the no form of this command.
zone cluster remote cluster-name [cost cost-value [priority priority-value]] [foreign-domain]
no zone cluster remote cluster-name
No default behavior or values.
Use this command to define a set of remote gatekeepers that act as alternates to each other and form a cluster. The local gatekeeper sends LRQs to the members of the cluster in round-robin fashion. The foreign-domain keyword marks the cluster as belonging to another ITSP's administrative domain, so that LRQs received from its members are treated as inter-domain for IZCT purposes (see step 4 of the IZCT flow).
The following example shows how to define a remote grouping of gatekeepers:Router(config-gk)# zone cluster remote AsiaCluster cost 70 priority 10
To statically specify a remote zone if domain name service (DNS) is unavailable or undesirable, use the zone remote command in gatekeeper configuration mode. To remove the remote zone, use the no form of this command.
zone remote other-gatekeeper-name other-domain-name other-gatekeeper-ip-address [port-number][cost cost-value [priority priority-value]] [foreign-domain]
no zone remote other-gatekeeper-name other-domain-name other-gatekeeper-ip-address [port-number][cost cost-value [priority priority-value]] [foreign-domain]
No remote zone is defined. DNS locates the remote zone.
Not all gatekeepers have to be in DNS. For those that are not, use the zone remote command so that the local gatekeeper knows how to reach them. You may also wish to improve call response time slightly for frequently accessed zones: if the zone remote command is configured for a particular zone, no DNS lookup is needed. The foreign-domain keyword marks the remote zone as belonging to another ITSP's administrative domain; LRQs received from a zone so marked, or from a zone that is not in the remote zone list at all, are treated as inter-domain for IZCT purposes (see step 4 of the IZCT flow).
The maximum number of zones defined on a gatekeeper varies depending on the mode, the call model, or both. For example, a directory gatekeeper may be responsible only for forwarding LRQs and not handle any local registrations and calls, and the call model might be E.164 addressed calls instead of H.323-ID addressed calls.
For a directory gatekeeper that does not handle local registrations and calls, the number of remote zones defined should not exceed 10,000. An additional 4 MB of memory is required to store this maximum number of remote zones.
For a gatekeeper that handles local registrations and only E.164 addressed calls, the number of remote zones defined should not exceed 2000.
For a gatekeeper that handles H.323-ID calls, the number of remote zones defined should not exceed 2000.
When there are several "remote zones" configured, they can be ranked by cost and priority value. A zone with a lower cost value and a higher priority value is given preference over others.
The following example shows how to configure the cost and priority for the gatekeeper GK10 serving zone 1:Router(config-gk)# zone remote GK10 Zone1 188.8.131.52 cost 20 priority 5
other-gatekeeper-name—Name of the remote gatekeeper or zone. This is usually the fully domain-qualified host name of the gatekeeper.
ACF—RAS message sent as an admission confirmation.
answerCall—Field of an ARQ that indicates the ARQ is sent by the terminating gateway for an incoming call; the TGW passes the IZCT to the TGK in this field.
ARQ—RAS message sent as an admission request.
ClearToken—Token that provides data in a clear text format.
domain—A portion of the naming hierarchy tree that refers to general groupings of networks based on organization-type or geography.
ITSP—Internet Telephony Service Provider
IZCT—Interzone ClearToken
H.323—An International Telecommunication Union (ITU-T) standard that describes packet-based video, audio, and data conferencing. H.323 is an umbrella standard that describes the architecture of the conferencing system and refers to a set of other standards (H.245, H.225.0, and Q.931) to describe its actual protocol.
LCF—RAS message sent as a location confirmation.
LRQ—RAS message sent as a location request.
gatekeeper—A gatekeeper maintains a registry of devices in the multimedia network. The devices register with the gatekeeper at startup, and request admission to a call from the gatekeeper.
The gatekeeper is an H.323 entity that provides address translation and controls access to the network for H.323 terminals and gateways. The gatekeeper may provide other services to the H.323 terminals and gateways, such as bandwidth management and locating gateways.
gatekeeper cluster—A group of alternate gatekeepers.
gateway—A gateway allows H.323 terminals to communicate with non-H.323 terminals by converting protocols. A gateway is the point at which a circuit-switched call is encoded and repackaged into IP packets. An H.323 gateway is an endpoint that provides real-time, two-way communications between H.323 terminals on the network and other ITU-T terminals in the WAN, or to another H.323 gateway.
GK—Gatekeeper (see gatekeeper)
OGK—Originating gatekeeper where the packet is issued (see also gatekeeper).
OGW—Originating gateway, see gateway
OSP—Open Settlement Protocol
RAS—Registration, admission, and status protocol. This is the protocol that is used between endpoints and the gatekeeper to perform management functions. The RAS signaling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
TGK—Terminating gatekeeper, see gatekeeper
TGW—Terminating gateway, see gateway
token—In H.323 RAS signaling, a data element carried within a message to convey authentication or authorization information. The IZCT is one such token.
zone—A collection of components, such as terminals and gateways, managed by a single gatekeeper.