H.323網路具有不同型別的配置和呼叫流。本文討論涉及網守的H.323網路的大多數安全問題。本文總結了每個功能的運作方式以及如何對其進行疑難排解,並提供了大部份偵錯說明。本文檔沒有說明VoIP的總體安全性。
本檔案介紹以下功能:
域內網關到網守安全 — 此安全基於H.235,其中H.323呼叫由網守進行身份驗證、授權和路由。閘道管理員被視為已知且受信任的實體,其意義在於當閘道嘗試向其註冊時,閘道不會對其進行驗證。
網域間網守到網守安全 — 此安全包括使用InterZone Clear Token(IZCT)對網際網路電話服務提供商(ITSP)的管理域之間的H.323呼叫進行身份驗證和授權。 本文檔僅涵蓋終端網守在其位置確認(LCF)消息中傳送令牌以便對answerCall Admission Request(ARQ)進行身份驗證的部分。 此功能中不包括位置請求(LRQ)驗證。LRQ驗證是一項為未來的Cisco IOS®軟體版本而安排的功能。
定義
縮寫 | 定義 |
---|---|
ARQ | 准入請求 — 從H.323端點傳送到請求准入以建立呼叫的網守的註冊、准入和狀態協定(RAS)消息。 |
ACF | 許可確認 — 從網守傳送到終端的RAS消息,用於確認呼叫被接受。 |
ARJ | 准入拒絕(Admission Rejection) — 從網守到拒絕准入請求的終端的RAS消息。 |
貓 | 思科訪問令牌 — H.235清除令牌。 |
CHAP | Challenge Handshake Authentication Protocol — 在其中使用質詢的身份驗證協定。 |
GCF | Gatekeeper Confirm — 從網守傳送到H.323端點的RAS消息,用於確認網守發現。 |
GRQ | 網守請求 — 從H.323端點傳送的RAS消息以發現網守。 |
H.235 | ITU針對H系列(H.323和其他基於H.245)多媒體終端的安全性和加密的建議。 |
IZCT | InterZone Clear Token — 當在ITSP管理域內發起區域內LRQ或將要傳送區域內呼叫的ACF時,在源網守中生成IZCT。 |
LRQ | 位置請求 — 從網守傳送到下一跳網守或呼叫支路以跟蹤和路由呼叫的RAS消息。 |
RAS | Registration、Admission和Status — 允許網守執行終端的註冊、准入和狀態檢查的協定。 |
RCF | 註冊確認 — 從網守傳送到終端的RAS消息,用於確認註冊。 |
RRJ | 註冊拒絕 — 從拒絕註冊請求的網守傳送的RAS消息。 |
RRQ | 註冊請求 — 從端點傳送到請求向其註冊的網守的RAS消息。 |
RIP | Request In Progress — 從網守向傳送者傳送的RAS消息,表示呼叫正在進行。 |
H.323是ITU的一項建議,旨在解決通過不安全網路進行安全即時通訊的問題。這涉及兩個主要關切領域:身份驗證和隱私。根據H.235,有兩種型別的身份驗證:
基於對稱加密的身份驗證,在通訊實體之間不需要預先聯絡。
基於具有某些先前共用金鑰(進一步稱為基於訂閱)的能力,提供了兩種形式的基於訂閱的身份驗證:
密碼
憑證
時間戳用於防止重放攻擊。因此,它需要有一個互相可以接受的參考時間(從中匯出時間戳)。 可接受的時間偏差量取決於本地實現。
思科使用類似質詢握手身份驗證協定(CHAP)的身份驗證方案作為其網關到網守H.235實施的基礎。這允許您利用身份驗證、授權和記帳(AAA),使用現有功能執行實際身份驗證。這也意味著網守無需訪問包含網關ID、使用者帳戶號、密碼和PIN的資料庫。該方案基於H.235第10.3.3節,描述為基於訂閱的雜湊密碼。
但是,此方法不使用H.225 cryptoTokens,而是使用H.235 clearTokens,其欄位已正確填充以用於RADIUS。此權杖稱為思科存取權杖(CAT)。 您始終可以在網守本地執行身份驗證,而不是使用RADIUS伺服器。
使用cryptoTokens要求網守維護所有使用者和網關的口令,或用某種方法獲取口令。這是因為指定了cryptoToken的令牌欄位,以便身份驗證實體需要密碼來生成其自己的令牌,與收到的令牌進行比較。
Cisco網守完全忽略cryptoTokens。但是,VocalTek網守和支援H.235部分10.3.3的其他使用者使用cryptoTokens來驗證網關。思科閘道管理員使用CAT驗證閘道。由於閘道不知道其交談的閘道管理員型別,因此會同時在RRQ中傳送訊息。GRQ中的authenticationCapability用於cryptoToken,並指示MD5雜湊是身份驗證機制(儘管CAT也使用MD5)。
如需詳細資訊,請參閱Cisco H.323閘道安全和計費增強功能。
終端或註冊級安全
在網守上啟用註冊安全後,網關需要在所有重量級RRQ消息中包含CAT。在這種情況下,CAT包含將閘道本身驗證到閘道管理員的資訊。網守將消息格式化到RADIUS伺服器,RADIUS伺服器驗證令牌中包含的資訊。它會使用Access-Accept或Access-Reject回覆給網守。這反過來會使用RCF或RRJ響應網關。
如果隨後從成功認證網關發出呼叫,則網關使用網關密碼在接收到來自網守的ACF時生成新的CAT。此CAT與註冊期間生成的相同(時間戳除外)。它被置於傳出SETUP消息中。目的地網關從SETUP消息提取令牌並將其置於目的地端ARQ中。閘道管理員在傳送目的地端ACF之前,使用RADIUS驗證來源閘道。這可以防止知道網關地址的非認證終端使用它來規避安全方案並訪問公共交換電話網路(PSTN)。
因此,在此級別中,不需要在源ARQ中包括任何令牌。
從網守命令列介面(CLI)鍵入[no] security token required-for registration以配置網守。此命令的no選項會導致閘道管理員不再檢查RAS訊息中的權杖。
從網關CLI鍵入[no] security password <PASSWORD> level endpoint以配置網關。該命令的no選項會導致網關不再為RAS消息生成令牌。
每個呼叫級別的安全性
每個呼叫的安全性建立在註冊級別的安全性之上。除了滿足註冊安全要求外,當在網守上啟用每呼叫安全時,網關還需要在所有始發端ARQ消息中包括接入令牌。這種情況下,令牌包含向網守標識網關使用者的資訊。此資訊在網關上使用互動式語音應答(IVR)指令碼獲取。這提示使用者在發出呼叫之前從鍵盤輸入其使用者ID和PIN。
始發ARQ中包含的CAT由RADIUS以與先前終端或註冊級安全中所述的方法進行身份驗證。收到ACF後,網關使用其密碼生成新的CAT,並在H.225 SETUP消息中將其傳送到終端網關。
從網守CLI鍵入[no] security token required-for all,以配置網守。此命令的no選項會導致閘道管理員不再檢查RAS訊息中的權杖。
從網關CLI鍵入[no] security password <PASSWORD> level per-call以配置網關。該命令的no選項會導致網關不再為RAS消息生成令牌。
所有級別安全性
這樣,網關就可以在註冊和呼叫所需的所有RAS消息中包含CAT。因此,它是以上兩個級別的組合。通過此選項,ARQ消息中的CAT驗證基於呼叫使用者的帳號和PIN。驗證所有其他RAS消息中傳送的CAT取決於為網關配置的密碼。因此,它與每個呼叫的級別類似。
從網守CLI鍵入[no] security token required-for all,以配置網守。此命令的no選項會導致閘道管理員不再檢查RAS訊息中的權杖。
在網關CLI中鍵入[no] security password <PASSWORD> level all以配置網關。該命令的no選項會導致網關不再為RAS消息生成令牌。
H.235不能在沒有IVR的呼叫級別上使用。如果沒有IVR來收集帳戶和PIN,網關需要傳送不帶清除令牌的ARQ(但帶有加密令牌)。 由於思科網守僅接受清除令牌,因此該呼叫被網守拒絕,原因是拒絕安全。
此示例顯示從始發網關(OGW)收集的h225 asn1調試,該始發網關未配置為使用IVR收集帳戶和PIN。RRQ消息具有清除令牌,但ARQ沒有。將ARJ消息傳送回網關。
Mar 4 01:31:24.358: H235 OUTGOING ENCODE BUFFER::= 61 000100C0 2B955BEB 08003200 32003200 32000006 006F0067 00770000 Mar 4 01:31:24.358: Mar 4 01:31:24.358: RAS OUTGOING PDU ::= value RasMessage ::= registrationRequest : { requestSeqNum 29 protocolIdentifier { 0 0 8 2250 0 3 } discoveryComplete FALSE callSignalAddress { } rasAddress { ipAddress : { ip 'AC100D0F'H port 57514 } } terminalType { mc FALSE undefinedNode FALSE } gatekeeperIdentifier {"ogk1"} endpointVendor { vendor { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } } timeToLive 60 tokens !--- Clear Token is included in the RRQ message. { { tokenOID { 1 2 840 113548 10 1 2 1 } timeStamp 731208684 challenge 'F57C3C65B59724B9A45C93F98CCF9E45'H random 12 generalID {"ogw"} } } cryptoTokens { cryptoEPPwdHash : { alias h323-ID : {"ogw"} timeStamp 731208684 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "D7F85666AF3B881ADD876DD61C20D5D9" } } } keepAlive TRUE endpointIdentifier {"81F5E24800000001"} willSupplyUUIEs FALSE maintainConnection TRUE } Mar 4 01:31:24.370: RAS OUTGOING ENCODE BUFFER::= 0E 40001C06 0008914A 00030000 0100AC10 0D0FE0AA 0003006F 0067006B 003100B5 00001212 EF000200 3B2F014D 000A2A86 4886F70C 0A010201 C02B955B EB10F57C 3C65B597 24B9A45C 93F98CCF 9E45010C 06006F00 67007700 002A0104 02006F00 670077C0 2B955BEB 082A8648 86F70D02 05008080 D7F85666 AF3B881A DD876DD6 1C20D5D9 0180211E 00380031 00460035 00450032 00340038 00300030 00300030 00300030 00300031 01000180 Mar 4 01:31:24.378: h323chan_dgram_send:Sent UDP msg. Bytes sent: 173 to 172.16.13.35:1719 Mar 4 01:31:24.378: RASLib::GW_RASSendRRQ: 3640-1#debug RRQ (seq# 29) sent to 172.16.13.35 Mar 4 01:31:24.462: h323chan_chn_process_read_socket Mar 4 01:31:24.462: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data Mar 4 01:31:24.462: h323chan_chn_process_read_socket: h323chan accepted/connected Mar 4 01:31:24.462: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on so ck[2] Mar 4 01:31:24.466: RAS INCOMING ENCODE BUFFER::= 12 40001C06 0008914A 00030006 006F0067 006B0031 1E003800 31004600 35004500 32003400 38003000 30003000 30003000 30003000 310F8A01 0002003B 01000180 Mar 4 01:31:24.466: Mar 4 01:31:24.466: RAS INCOMING PDU ::= value RasMessage ::= registrationConfirm : { requestSeqNum 29 protocolIdentifier { 0 0 8 2250 0 3 } callSignalAddress { } gatekeeperIdentifier {"ogk1"} endpointIdentifier {"81F5E24800000001"} alternateGatekeeper { } timeToLive 60 willRespondToIRR FALSE maintainConnection TRUE } Mar 4 01:31:24.470: RCF (seq# 29) rcvd Mar 4 01:32:00.220: H225 NONSTD OUTGOING PDU ::= value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } callingOctet3a 129 interfaceSpecificBillingId "ISDN-VOICE" } Mar 4 01:32:00.220: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 000008A0 01810B12 4953444E 2D564F49 4345 Mar 4 01:32:00.220: Mar 4 01:32:00.220: H235 OUTGOING ENCODE BUFFER::= 61 000100C0 2B955C0F 08003200 32003200 32000006 006F0067 00770000 Mar 4 01:32:00.224: Mar 4 01:32:00.224: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : { requestSeqNum 30 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"81F5E24800000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "5336", h323-ID : {"ogw"} } bandWidth 1280 callReferenceValue 5 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008A001810B124953444E2D564F494345'H } conferenceID 'E1575DA6175611CC8014A6051561649A'H activeMC FALSE answerCall FALSE canMapAlias TRUE callIdentifier { guid 'E1575DA6175611CC8015A6051561649A'H } cryptoTokens !--- Only cryptoTokens are included, no clear ones. { cryptoEPPwdHash : { alias h323-ID : {"ogw"} timeStamp 731208720 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "105475A4C0A833E7DE8E37AD3A8CDFF" } } } willSupplyUUIEs FALSE } Mar 4 01:32:00.236: RAS OUTGOING ENCODE BUFFER::= 27 88001D00 F0003800 31004600 35004500 32003400 38003000 30003000 30003000 30003000 31010180 69860201 80866940 02006F00 67007740 05000005 40B50000 12138000 0008A001 810B1249 53444E2D 564F4943 45E1575D A6175611 CC8014A6 05156164 9A056120 01801100 E1575DA6 175611CC 8015A605 1561649A 2A010402 006F0067 0077C02B 955C0F08 2A864886 F70D0205 00808010 5475A4C0 A833E7DE 8E370AD3 A8CDFF01 00 Mar 4 01:32:00.240: h323chan_dgram_send:Sent UDP msg. Bytes sent: 170 to 172.16.13.35:1719 Mar 4 01:32:00.240: RASLib::GW_RASSendARQ: ARQ (seq# 30) sent to 172.16.13.35 Mar 4 01:32:00.312: h323chan_chn_process_read_socket Mar 4 01:32:00.312: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data Mar 4 01:32:00.312: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data Mar 4 3640-1#01:32:00.312: h323chan_chn_process_read_socket: h323chan accepted/connected Mar 4 01:32:00.312: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on so ck[2] Mar 4 01:32:00.312: RAS INCOMING ENCODE BUFFER::= 2C 001D8001 00 Mar 4 01:32:00.312: Mar 4 01:32:00.312: RAS INCOMING PDU ::= value RasMessage ::= admissionReject : !--- ARQ is rejected with a security denial reason. { requestSeqNum 30 rejectReason securityDenial : NULL } Mar 4 01:32:00.312: ARJ (seq# 30) rcvd
您需要關注的主要問題包括:
網關和網守的配置
網守和RADIUS伺服器上的RADIUS配置
網路時間協定(NTP) — 所有網關和網守必須具有相同時間。由於身份驗證資訊包括時間戳,因此必須同步所有Cisco H.323網關和網守(或執行身份驗證的其他實體)。必須使用NTP同步Cisco H.323網關。
錯誤引起的軟體故障
由於所有級別的安全保護都涵蓋註冊和每次呼叫的情況,因此本實驗設定了此練習的安全級別。註冊部分的呼叫流程和普通VoIP呼叫在此配置中說明。
注意:此處的配置不完整。debug輸出之間接有更多命令。它旨在顯示如果您不檢查所有內容(如配置、NTP和RADIUS),可能會發生什麼問題。此外,網關會在本地的網守上進行身份驗證,這樣您就可以看到為網關ID和口令設定了哪些值。將對此配置進行剪下,以便僅顯示相關配置。
! interface Ethernet0/0 ip address 172.16.13.15 255.255.255.224 half-duplex h323-gateway voip interface h323-gateway voip id gka-1 ipaddr 172.16.13.35 1718 !--- The gatekeeper name is gka-1. h323-gateway voip h323-id gwa-1@cisco.com !--- The gateway H323-ID is gwa-1@cisco.com. h323-gateway voip tech-prefix 1# ! ! gateway ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 password ww logging synchronous end !--- No NTP is configured. !--- The snipped gatekeeper configuration is like this: ! aaa new-model aaa authentication login default local aaa authentication login h323 local aaa authorization exec default local aaa authorization exec h323 local aaa accounting connection h323 start-stop group radius ! username gwa-1 password 0 2222 username gwa-2 password 0 2222 ! gatekeeper zone local gka-1 cisco.com 172.16.13.35 security token required-for all !--- The gatekeeper is configured for the "All level security". no shutdown ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 password ww line vty 5 15 ! no scheduler max-task-time no scheduler allocate ntp master !--- This gatekeeper is set as an NTP master. ! end
以下範例中開啟了偵錯:
首先發生的是網關向網守傳送GRQ,網守向網關傳送GCF。然後,網關傳送RRQ並等待RCF或RRJ。
在以前的配置中,網關未設定為任何安全級別,因此其GRQ不攜帶令牌所需的authenticationCapability。但是,網守仍會傳回GCF,如以下輸出所示:
*Mar 2 13:32:45.413: RAS INCOMING ENCODE BUFFER::= 00 A0000006 0008914A 000200AC 100D0FD2 C6088001 3C050401 00204002 00006700 6B006100 2D003102 400E0067 00770061 002D0031 00400063 00690073 0063006F 002E0063 006F006D 0080CC *Mar 2 13:32:45.421: *Mar 2 13:32:45.425: RAS INCOMING PDU ::= value RasMessage ::= gatekeeperRequest : { requestSeqNum 1 protocolIdentifier { 0 0 8 2250 0 2 } rasAddress ipAddress : { ip 'AC100D0F'H port 53958 } endpointType { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } gatekeeperIdentifier {"gka-1"} endpointAlias { h323-ID : {"gwa-1@cisco.com"}, !--- The H.323-ID of the gateway is gwa-1@cisco.com. e164 : "99" } } *Mar 2 13:32:45.445: RAS OUTGOING PDU ::= value RasMessage ::= gatekeeperConfirm : { requestSeqNum 1 protocolIdentifier { 0 0 8 2250 0 3 } gatekeeperIdentifier {"gka-1"} rasAddress ipAddress : { ip 'AC100D23'H port 1719 } } !--- The gateway sends an RRQ message to the gatekeeper with the !--- IP address sent in the GCF. This RRQ does not carry any Token information !--- because security is not configured on the gateway. *Mar 2 13:32:45.477: RAS INCOMING ENCODE BUFFER::= 0E C0000106 0008914A 00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020 40000240 0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00 80CC0800 67006B00 61002D00 3100B500 00120E8A 02003B01 000100 *Mar 2 13:32:45.489: *Mar 2 13:32:45.493: RAS INCOMING PDU ::= value RasMessage ::= registrationRequest : { requestSeqNum 2 protocolIdentifier { 0 0 8 2250 0 2 } discoveryComplete TRUE callSignalAddress { ipAddress : { ip 'AC100D0F'H port 1720 } } rasAddress { ipAddress : { ip 'AC100D0F'H port 53958 } } terminalType { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } terminalAlias { h323-ID : {"gwa-1@cisco.com"}, e164 : "99" } gatekeeperIdentifier {"gka-1"} endpointVendor { vendor { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } } timeToLive 60 keepAlive FALSE willSupplyUUIEs FALSE } !--- Since the gateway does not include !--- any tokens and the gatekeeper is set to authenticate !--- all endpoints and calls, the gatekeeper rejects the gateway request. !--- It sends an RRJ with the securityDenial reason. *Mar 2 13:32:45.525: RAS OUTGOING PDU ::= value RasMessage ::= registrationReject : { requestSeqNum 2 protocolIdentifier { 0 0 8 2250 0 3 } rejectReason securityDenial : NULL !--- Gatekeeper rejects the RRQ with security denial reason. gatekeeperIdentifier {"gka-1"} } *Mar 2 13:32:45.529: RAS OUTGOING ENCODE BUFFER::= 14 80000106 0008914A 00038301 00080067 006B0061 002D0031 *Mar 2 13:32:45.533: !--- Configure the security password 2222 level all command on the gateway. !--- The configuration of the gateway appears like this: ! gateway security password 0356095954 level all !--- The password is hashed. ! !--- As soon as you make this change the gateway !--- sends a new GRQ to the gatekeeper. !--- You see the authenticationCapability and algorithmOIDs. *Mar 2 13:33:15.551: RAS INCOMING ENCODE BUFFER::= 02 A0000206 0008914A 000200AC 100D0FD2 C6088001 3C050401 00204002 00006700 6B006100 2D003102 400E0067 00770061 002D0031 00400063 00690073 0063006F 002E0063 006F006D 0080CC0C 30020120 0A01082A 864886F7 0D0205 *Mar 2 13:33:15.563: *Mar 2 13:33:15.567: RAS INCOMING PDU ::= value RasMessage ::= gatekeeperRequest : { requestSeqNum 3 protocolIdentifier { 0 0 8 2250 0 2 } rasAddress ipAddress : { ip 'AC100D0F'H port 53958 } endpointType { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } gatekeeperIdentifier {"gka-1"} endpointAlias { h323-ID : {"gwa-1@cisco.com"}, e164 : "99" } authenticationCapability { pwdHash : NULL } algorithmOIDs { { 1 2 840 113549 2 5 } } }
以下內容解釋了GRQ中的某些消息:
authenticationCapability — 此欄位只有pwdHash值。它表示MD5雜湊是身份驗證機制。
algorithmOIDs — 演算法對象ID。在本例中,它帶有值(1 2 840 113549 2 5),該值是消息摘要5雜湊的對象ID。
(1 2 840 113549 2 5)轉換為iso(1)成員 — 主體(2)US(840)rsadsi(113549)digestAlgorithm(2)md5(5)。 因此Cisco會執行MD5密碼雜湊。
Rsadsi代表RSA data security Inc.。 RSA Data Security, Inc.的開放式系統互聯(OSI)對象識別符號為1.2.840.113549(0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,十六進位制),由美國國家標準協會(ANSI)註冊。
網守再次傳送GCF作為上一消息。然後閘道傳送包含特定欄位的RRQ,以說明其用來進行驗證的權杖。以下範例顯示傳送的asn1 RRQ訊息。
*Mar 2 13:33:15.635: RAS INCOMING ENCODE BUFFER::= 0E C0000306 0008914A 00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020 40000240 0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00 80CC0800 67006B00 61002D00 3100B500 00120EEA 02003B47 014D000A 2A864886 F70C0A01 0201C02B 92A53610 B9D84DAE 58F6CB4B 5EE5DFB6 B92DD281 01011E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6D000042 01040E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6DC02B92 A536082A 864886F7 0D020500 80802B21 B94F3980 ED12116C 56B79F4B 4CDB0100 0100 *Mar 2 13:33:15.667: *Mar 2 13:33:15.671: RAS INCOMING PDU ::= value RasMessage ::= registrationRequest : { requestSeqNum 4 protocolIdentifier { 0 0 8 2250 0 2 } discoveryComplete TRUE callSignalAddress { ipAddress : { ip 'AC100D0F'H port 1720 } } rasAddress { ipAddress : { ip 'AC100D0F'H port 53958 } } terminalType { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } terminalAlias { h323-ID : {"gwa-1@cisco.com"}, e164 : "99" } gatekeeperIdentifier {"gka-1"} endpointVendor { vendor { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } } timeToLive 60 tokens !--- Clear Token, or what is called CAT. { { tokenOID { 1 2 840 113548 10 1 2 1 } timeStamp 731030839 challenge 'B9D84DAE58F6CB4B5EE5DFB6B92DD281'H random 1 generalID {"gwa-1@cisco.com"} } } cryptoTokens !--- CryptoToken field. { cryptoEPPwdHash : { alias h323-ID : {"gwa-1@cisco.com"} timeStamp 731030839 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "2B21B94F3980ED12116C56B79F4B4CDB" } } } keepAlive FALSE willSupplyUUIEs FALSE }
在討論響應之前,此處將解釋上述RRQ消息中的某些相關欄位。令牌有兩種型別:清除權杖或CAT)以及密碼編譯權杖。
如前所述,思科閘道管理員會忽略密碼編譯權杖。但是,網關仍會同時傳送這兩個消息,因為它不知道它正在通話的網守型別。由於其他廠商可能使用密碼編譯權杖,因此閘道會傳送這兩種權杖。
以下說明了ClearToken語法。
tokenOID — 用於標識令牌的對象ID。
時間戳 — 網關的當前協調世界時(UTC)時間。自00:00 1/1/1970 UTC以來的秒數。
它用作隱含的CHAP質詢,就像它最初來自網守一樣。
challenge — 網關使用以下欄位生成的16位元組MD5消息摘要:
質詢= [ random + GW/使用者密碼+ timeStamp ] MD5雜湊
RADIUS會執行此計算(因為它知道隨機數、網關密碼和CHAP質詢)以確定質詢內容:CHAP響應= [ CHAP ID +使用者密碼+ CHAP質詢] MD5雜湊
random - RADIUS用於標識此特定請求的一個位元組值。
網關為每個身份驗證請求增加256的變數模組,以滿足此RADIUS要求。
generalID — 基於安全級別和RAS消息型別的網關H323-ID或使用者帳戶號。
注意:所有這些欄位都很重要。但是,對時間戳和generalID都給予了更多的注意。在這種情況下,時間戳為731030839,generalID為gwa-1@cisco.com。
RRQ中的cryptoToken包含有關生成令牌的網關的資訊。其中包括網關ID(在網關上配置的H.323 ID)和網關密碼。
此欄位包含為H.225中指定的CryptoH323Token欄位定義的cryptoToken型別之一。當前,唯一支援的cryptoToken型別是cryptoEPPwdHash。
以下欄位包含在cryptoEPPwdHash欄位中:
alias — 網關別名,是網關的H.323 ID。
timestamp — 當前時間戳。
token — 消息摘要5(MD5)編碼的PwdCertToken。此欄位包含以下專案:
timestamp — 與cryptoEPPwdHash的時間戳相同。
password — 網關的密碼。
generalID — 與cryptoEPPwdHash中包含的網關別名相同。
tokenID — 對象ID。
檢視此範例中閘道管理員的回應。
*Mar 2 13:33:15.723: RAS OUTGOING PDU ::= value RasMessage ::= registrationReject : { requestSeqNum 4 protocolIdentifier { 0 0 8 2250 0 3 } rejectReason securityDenial : NULL !--- The gatekeeper rejects the RRQ with securityDenial reason. gatekeeperIdentifier {"gka-1"} } *Mar 2 13:33:15.727: RAS OUTGOING ENCODE BUFFER::= 14 80000306 0008914A 00038301 00080067 006B0061 002D0031 *Mar 2 13:33:15.731:
RRQ被網守拒絕。這是因為網關的配置中沒有設定NTP。網守檢查令牌的時間戳,看它是否在與其自身時間相關的可接受視窗內。當前該視窗在網守的UTC時間前後為+/- 30秒。
此視窗外部的令牌導致網守丟棄此消息。這可以防止嘗試重新使用已監聽令牌的人員進行重播攻擊。在實踐中,所有網關和網守都需要使用NTP來避免此時間偏差問題。網守發現令牌中的時間戳在其時間的可接受視窗內。因此,它不會檢查RADIUS以驗證閘道。
然後網關被配置為將指向網守的NTP作為NTP主機,以便網關和網守具有相同的時間。發生此情況時,閘道會傳送新的RRQ,這次,閘道管理員會使用RRJ回復到新的RRQ。
這些調試來自網守。運行調試以檢視網守是否進入身份驗證階段。
Mar 2 13:57:41.313: RAS INCOMING ENCODE BUFFER::= 0E C0005906 0008914A 00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020 40000240 0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00 80CC0800 67006B00 61002D00 3100B500 00120EEA 02003B47 014D000A 2A864886 F70C0A01 0201C02B 9367D410 7DD4C637 B6DD4E34 0883A7E5 E12A2B78 012C1E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6D000042 01040E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6DC02B93 67D4082A 864886F7 0D020500 8080ED73 946B13E9 EAED6F4D FED13478 A6270100 0100 Mar 2 13:57:41.345: Mar 2 13:57:41.349: RAS INCOMING PDU ::= value RasMessage ::= registrationRequest : { requestSeqNum 90 protocolIdentifier { 0 0 8 2250 0 2 } discoveryComplete TRUE callSignalAddress { ipAddress : { ip 'AC100D0F'H port 1720 } } rasAddress { ipAddress : { ip 'AC100D0F'H port 53958 } } terminalType { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } terminalAlias { h323-ID : {"gwa-1@cisco.com"}, e164 : "99" } gatekeeperIdentifier {"gka-1"} endpointVendor { vendor { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } } timeToLive 60 tokens { { tokenOID { 1 2 840 113548 10 1 2 1 } timeStamp 731080661 challenge '7DD4C637B6DD4E340883A7E5E12A2B78'H random 44 generalID {"gwa-1@cisco.com"} } } cryptoTokens { cryptoEPPwdHash : { alias h323-ID : {"gwa-1@cisco.com"} timeStamp 731080661 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "ED73946B13E9EAED6F4DFED13478A627" } } } keepAlive FALSE willSupplyUUIEs FALSE } Mar 2 13:57:41.401: AAA: parse name=<no string> idb type=-1 tty=-1 Mar 2 13:57:41.405: AAA/MEMORY: create_user (0x81416060) user='gwa-1@cisco.com' ruser='NULL' ds0=0port='NULL' rem_addr='NULL' authen_type=CHAP service=LOGIN priv=0 initial_task_id='0' Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): port='' list='h323' action=LOGIN service=LOGIN Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): found list h323 Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): Method=LOCAL Mar 2 13:57:41.405: AAA/AUTHEN (2845574558): User not found, end of method list Mar 2 13:57:41.405: AAA/AUTHEN (2845574558): status = FAIL !--- Authentication fails. The user is not found on the list. Mar 2 13:57:41.405: voip_chapstyle_auth: astruct.status = 2 Mar 2 13:57:41.405: AAA/MEMORY: free_user (0x81416060) user='gwa-1@cisco.com' ruser='NULL' port='NULL' rem_addr='NULL' authen_type=CHAP service=LOGIN priv=0 Mar 2 13:57:41.409: RAS OUTGOING PDU ::= value RasMessage ::= registrationReject : { requestSeqNum 90 protocolIdentifier { 0 0 8 2250 0 3 } rejectReason securityDenial : NULL gatekeeperIdentifier {"gka-1"} }
配置NTP後,網守仍會拒絕RRQ。但是這一次,它將經過該網關的身份驗證過程。網守拒絕RRQ,因為在RADIUS上的有效使用者清單上找不到使用者(這裡是閘道ID)。在網守的配置中,網關在本地進行身份驗證。在使用者清單中看到gwa-1。但是,這不是正確的使用者,因為RRQ中的使用者是gwa-1@cisco.com。
此外,一旦在網守上配置了username gwa-1@cisco.com password 0 2222命令,網守將確認RRQ並註冊網關。
在本實驗中,另一個網關(gwa-2)註冊到同一個網守(gka-1)。從gwa-1@cisco.com到gwa-2進行呼叫,檢視ARQ、ACF和設定消息的外觀。
收集到的這些調試資訊來自源網關和終端網關(gwa-2)。
其中包括一些調試消息的解釋。
在從始發/終止網關列印調試之前,以下文本說明呼叫流程:
當從PSTN收到SETUP消息時,網關向網守傳送ARQ並從網守接收ACF。
當網關收到ACF時,網關使用網關密碼、H323-ID別名以及當前時間生成CAT。令牌被置於呼叫控制塊(CCB)中。
當網關向終端網關傳送SETUP消息時,它從CCB檢索訪問令牌並將其放在SETUP消息中的clearToken的nonStandardParameter欄位中。
終止網關從SETUP消息中刪除令牌,將其從非StandardParameter轉換為CAT,然後將其放入ARQ。
網守檢查令牌的時間戳,看它是否在與其自身時間相關的可接受視窗內。當前該視窗在網守的UTC時間前後為+/- 30秒。此視窗外部的令牌導致網守丟棄此消息。這將導致呼叫被拒絕。
如果令牌可接受,則網守格式化RADIUS訪問請求資料包,填寫適當的屬性以驗證CHAP質詢並將其傳送到RADIUS伺服器。
基於網關的別名在伺服器上為已知這一假設,伺服器會查詢與此別名關聯的密碼,並使用別名、密碼和來自網守的CHAP質詢生成自己的CHAP響應。如果其CHAP響應與從網守接收的響應匹配,伺服器將向網守傳送一個訪問接受資料包。如果它們不匹配,或者網關的別名不在伺服器的資料庫中,伺服器會將Access Reject資料包傳送回網守。
如果網關收到Access Accept,則網守通過ACF對網關做出響應;如果網關收到Access Reject,則網守通過ARJ做出響應,如果網關收到Access Reject,則其原因代碼為securityDenial。如果網關收到ACF,則呼叫已連線。
此範例顯示來自始發閘道的偵錯。
註:本示例中沒有設定的h225 asn1 debug,因為它與在源網關示例之後的終止網關示例中看到的相同。
Mar 2 19:39:07.376: cc_api_call_setup_ind (vdbPtr=0x6264AB2C, callInfo={called=3653,called_oct3=0x81,calling=,calling_oct3=0x81,calling_oct3a=0x0, calling_xlated=false,subscriber_type_str=RegularLine,fdest=1,peer_tag=5336, prog_ind=3},callID=0x61DDC2A8) Mar 2 19:39:07.376: cc_api_call_setup_ind type 13 , prot 0 Mar 2 19:39:07.376: cc_process_call_setup_ind (event=0x6231F0C4) Mar 2 19:39:07.380: >>>>CCAPI handed cid 30 with tag 5336 to app "DEFAULT" Mar 2 19:39:07.380: sess_appl: ev(24=CC_EV_CALL_SETUP_IND), cid(30), disp(0) Mar 2 19:39:07.380: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(30), disp(0) Mar 2 19:39:07.380: ssaCallSetupInd Mar 2 19:39:07.380: ccCallSetContext (callID=0x1E, context=0x6215B5A0) Mar 2 19:39:07.380: ssaCallSetupInd cid(30), st(SSA_CS_MAPPING),oldst(0), ev(24)ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1 Mar 2 19:39:07.380: ssaCallSetupInd finalDest cllng(1#5336), clled(3653) Mar 2 19:39:07.380: ssaCallSetupInd cid(30), st(SSA_CS_CALL_SETTING),oldst(0), ev(24)dpMatchPeersMoreArg result= 0 Mar 2 19:39:07.380: ssaSetupPeer cid(30) peer list: tag(3653) called number (3653) Mar 2 19:39:07.380: ssaSetupPeer cid(30), destPat(3653), matched(4), prefix(), peer(62664554), peer->encapType (2) Mar 2 19:39:07.380: ccCallProceeding (callID=0x1E, prog_ind=0x0) Mar 2 19:39:07.380: ccCallSetupRequest (Inbound call = 0x1E, outbound peer =3653, dest=, params=0x62327730 mode=0, *callID=0x62327A98, prog_ind = 3) Mar 2 19:39:07.380: ccCallSetupRequest numbering_type 0x81 Mar 2 19:39:07.380: ccCallSetupRequest encapType 2 clid_restrict_disable 1 null_orig_clg 1 clid_transparent 0 callingNumber 1#5336 Mar 2 19:39:07.380: dest pattern 3653, called 3653, digit_strip 0 Mar 2 19:39:07.380: callingNumber=1#5336, calledNumber=3653, redirectNumber= display_info= calling_oct3a=0 Mar 2 19:39:07.384: accountNumber=, finalDestFlag=1, guid=6aef.3a87.165c.11cc.8040.d661.b74f.9390 Mar 2 19:39:07.384: peer_tag=3653 Mar 2 19:39:07.384: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653,called_oct3=0x81, calling=1#5336,calling_oct3=0x81, calling_xlated=false, subscriber_type_str=RegularLine, fdest=1, voice_peer_tag=3653},mode=0x0) vdbPtr type = 1 Mar 2 19:39:07.384: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653, called_oct3 0x81, calling=1#5336,calling_oct3 0x81, calling_xlated=false, fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-5) Mar 2 19:39:07.384: ccSaveDialpeerTag (callID=0x1E, dialpeer_tag=0xE45) Mar 2 19:39:07.384: ccCallSetContext (callID=0x1F, context=0x621545DC) Mar 2 19:39:07.384: ccCallReportDigits (callID=0x1E, enable=0x0) Mar 2 19:39:07.384: cc_api_call_report_digits_done (vdbPtr=0x6264AB2C, callID=0x1E, disp=0) Mar 2 19:39:07.384: sess_appl: ev(52=CC_EV_CALL_REPORT_DIGITS_DONE), cid(30),disp(0) Mar 2 19:39:07.384: cid(30)st(SSA_CS_CALL_SETTING)ev(SSA_EV_CALL_REPORT_DIGITS_DONE) oldst(SSA_CS_MAPPING)cfid(-1)csize(0)in(1)fDest(1) Mar 2 19:39:07.384: -cid2(31)st2(SSA_CS_CALL_SETTING)oldst2(SSA_CS_MAPPING) Mar 2 19:39:07.384: ssaReportDigitsDone cid(30) peer list: (empty) Mar 2 19:39:07.384: ssaReportDigitsDone callid=30 Reporting disabled. Mar 2 19:39:07.388: H225 NONSTD OUTGOING PDU ::= value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } interfaceSpecificBillingId "ISDN-VOICE" } Mar 2 19:39:07.388: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 00000820 0B124953 444E2D56 4F494345 Mar 2 19:39:07.388: Mar 2 19:39:07.388: H235 OUTGOING ENCODE BUFFER::= 61 000100C0 2B93B7DA 08003200 32003200 3200001E 00670077 0061002D 00310040 00630069 00730063 006F002E 0063006F 006D0000 Mar 2 19:39:07.392: Mar 2 19:39:07.392: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : !--- The ARQ is sent to the gatekeeper. { requestSeqNum 549 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"8155346000000001"} destinationInfo { e164 : "2#3653" } srcInfo { e164 : "1#5336", h323-ID : {"gwa-1@cisco.com"} } bandWidth 640 callReferenceValue 15 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008200B124953444E2D564F494345'H } conferenceID '6AEF3A87165C11CC8040D661B74F9390'H activeMC FALSE answerCall FALSE canMapAlias TRUE callIdentifier { guid '6AEF3A87165C11CC8041D661B74F9390'H } tokens !--- Token is included since there is an all level of security. { { tokenOID { 1 2 840 113548 10 1 2 1 } timeStamp 731101147 challenge '1CADDBA948A8291C1F134035C9613E3E'H random 246 generalID {"gwa-1@cisco.com"} } } cryptoTokens { cryptoEPPwdHash : { alias h323-ID : {"gwa-1@cisco.com"} timeStamp 731101147 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "5760B7B4877335B7CD24BD24E4A2AA89" } } } willSupplyUUIEs FALSE } Mar 2 19:39:07.408: RAS OUTGOING ENCODE BUFFER::= 27 88022400 F0003800 31003500 35003300 34003600 30003000 30003000 30003000 30003000 31010280 50698602 02804086 69400E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6D400280 000F40B5 00001211 80000008 200B1249 53444E2D 564F4943 456AEF3A 87165C11 CC8040D6 61B74F93 9004E320 01801100 6AEF3A87 165C11CC 8041D661 B74F9390 48014D00 0A2A8648 86F70C0A 010201C0 2B93B7DA 101CADDB A948A829 1C1F1340 35C9613E 3E0200F6 1E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00 00420104 0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006DC0 2B93B7DA 082A8648 86F70D02 05008080 5760B7B4 877335B7 CD24BD24 E4A2AA89 0100 Mar 2 19:39:07.412: h323chan_dgram_send:Sent UDP msg. Bytes sent: 291 to 172.16.13.35:1719 Mar 2 19:39:07.416: RASLib::GW_RASSendARQ: ARQ (seq# 549) sent to 172.16.13.35 Mar 2 19:39:07.432: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on sock[1] Mar 2 19:39:07.432: RAS INCOMING ENCODE BUFFER::= 2B 00022440 028000AC 100D1706 B800EF1A 00C00100 020000 Mar 2 19:39:07.432: Mar 2 19:39:07.432: RAS INCOMING PDU ::= value RasMessage ::= admissionConfirm : !--- Received from the gatekeeper with no tokens. { requestSeqNum 549 bandWidth 640 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } } Mar 2 19:39:07.436: ACF (seq# 549) rcvd
此範例顯示來自終端閘道(TGW)的偵錯。 請注意,TGW在獲得ACF後已設定了第二支路,並且呼叫已連線。
Mar 2 19:39:07.493: PDU DATA = 6147C2BC value H323_UserInformation ::= { h323-uu-pdu { h323-message-body setup : { protocolIdentifier { 0 0 8 2250 0 2 } sourceAddress { h323-ID : {"gwa-1@cisco.com"} !--- Setup is sent from gwa-1@cisco.com gateway. } sourceInfo { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } activeMC FALSE conferenceID '6AEF3A87165C11CC8040D661B74F9390'H conferenceGoal create : NULL callType pointToPoint : NULL sourceCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11032 } callIdentifier { guid '6AEF3A87165C11CC8041D661B74F9390'H } tokens !--- Setup includes the Clear Token (CAT). { { tokenOID { 1 2 840 113548 10 1 2 1 } timeStamp 731101147 challenge 'AFBAAFDF79446B9D8CE164DB8C111A87'H random 247 generalID {"gwa-1@cisco.com"} nonStandard { nonStandardIdentifier { 0 1 2 4 } data '2B93B7DBAFBAAFDF79446B9D8CE164DB8C111A87...'H } } } fastStart { '0000000C6013800A04000100AC100D0F4673'H, '400000060401004C6013801114000100AC100D0F...'H } mediaWaitForConnect FALSE canOverlapSend FALSE } h245Tunneling TRUE nonStandardControl { { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data 'E001020001041504039090A31803A983811E0285...'H } } } } RAW_BUFFER::= E0 01020001 04150403 9090A318 03A98381 1E028583 70058133 36353302 80060004 00000003 Mar 2 19:39:07.509: PDU DATA = 6147F378 value H323_UU_NonStdInfo ::= { version 2 protoParam qsigNonStdInfo : { iei 4 rawMesg '04039090A31803A983811E028583700581333635...'H } progIndParam progIndIEinfo : { progIndIE '00000003'H } } PDU DATA = 6147F378 value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } } RAW_BUFFER::= 00 0000 Mar 2 19:39:07.517: RAW_BUFFER::= 61 000100C0 2B93B7DA 08003200 32003200 3200000A 00670077 0061002D 00320000 Mar 2 19:39:07.517: PDU DATA = 6147C2BC value RasMessage ::= admissionRequest : !--- An answer ARQ is sent to the gatekeeper to authenticate the caller. { requestSeqNum 22 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"81F5989C00000002"} destinationInfo { e164 : "2#3653" } srcInfo { e164 : "1#5336" } srcCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11032 } bandWidth 640 callReferenceValue 2 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '000000'H } conferenceID '6AEF3A87165C11CC8040D661B74F9390'H activeMC FALSE answerCall TRUE canMapAlias FALSE callIdentifier { guid '6AEF3A87165C11CC8041D661B74F9390'H } tokens !--- CAT is included. { { tokenOID { 0 4 0 1321 1 2 } timeStamp 731101147 challenge 'AFBAAFDF79446B9D8CE164DB8C111A87'H random 247 generalID {"gwa-1@cisco.com"} } } cryptoTokens { cryptoEPPwdHash : { alias h323-ID : {"gwa-2"} timeStamp 731101147 token { algorithmOID { 1 2 840 113549 2 5 } paramS { } hash "8479E7DE63AC17C6A46E9E19659568" } } } willSupplyUUIEs FALSE } RAW_BUFFER::= 27 98001500 F0003800 31004600 35003900 38003900 43003000 30003000 30003000 30003000 32010280 50698601 02804086 6900AC10 0D0F2B18 40028000 0240B500 00120300 00006AEF 3A87165C 11CC8040 D661B74F 939044E3 20010011 006AEF3A 87165C11 CC8041D6 61B74F93 9044014D 00060400 8A290102 C02B93B7 DA10AFBA AFDF7944 6B9D8CE1 64DB8C11 1A870200 F71E0067 00770061 002D0031 00400063 00690073 0063006F 002E0063 006F006D 00002E01 04040067 00770061 002D0032 C02B93B7 DA082A86 4886F70D 02050080 808479E7 0DE63AC1 7C6A46E9 E1965905 680100 Mar 2 19:39:07.533: h323chan_dgram_send:Sent UDP msg. Bytes sent: 228 to 172.16.13.35:1719 Mar 2 19:39:07.533: RASLib::GW_RASSendARQ: ARQ (seq# 22) sent to 172.16.13.35 Mar 2 19:39:07.549: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on sock[1] RAW_BUFFER::= 2B 00001540 028000AC 100D1706 B800EF1A 00C00100 020000 Mar 2 19:39:07.549: PDU DATA = 6147C2BC value RasMessage ::= admissionConfirm : !--- ACF is received from the gatekeeper. { requestSeqNum 22 bandWidth 640 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } } Mar 2 19:39:07.553: ACF (seq# 22) rcvd Mar 2 19:39:07.553: cc_api_call_setup_ind (vdbPtr=0x61BC92EC, callInfo={called=2#3653,called_oct3=0x81,calling=1#5336,calling_oct3=0x81, calling_oct3a=0x0,subscriber_type_str=Unknown, fdest=1 peer_tag=5336, prog_ind=3},callID=0x6217CC64) Mar 2 19:39:07.553: cc_api_call_setup_ind type 0 , prot 1 Mar 2 19:39:07.553: cc_api_call_setup_ind (vdbPtr=0x61BC92EC, callInfo={called=2#3653, calling=1#5336, fdest=1 peer_tag=5336}, callID=0x6217CC64) Mar 2 19:39:07.553: cc_process_call_setup_ind (event=0x61E1EAFC) Mar 2 19:39:07.553: >>>>CCAPI handed cid 9 with tag 5336 to app "DEFAULT" Mar 2 19:39:07.553: sess_appl: ev(25=CC_EV_CALL_SETUP_IND), cid(9), disp(0) Mar 2 19:39:07.553: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(9), disp(0) Mar 2 19:39:07.553: ssaCallSetupInd Mar 2 19:39:07.553: ccCallSetContext (callID=0x9, context=0x62447A28) Mar 2 19:39:07.553: ssaCallSetupInd cid(9), st(SSA_CS_MAPPING),oldst(0), ev(25)ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1 Mar 2 19:39:07.553: ssaCallSetupInd finalDest cllng(1#5336), clled(2#3653) Mar 2 19:39:07.553: ssaCallSetupInd cid(9), st(SSA_CS_CALL_SETTING),oldst(0), ev(25)dpMatchPeersMoreArg result= 0 Mar 2 19:39:07.557: ssaSetupPeer cid(9) peer list: tag(3653) called number (2#3653) Mar 2 19:39:07.557: ssaSetupPeer cid(9), destPat(2#3653), matched(5), prefix(21), peer(620F1EF0), peer->encapType (1) Mar 2 19:39:07.557: ccCallProceeding (callID=0x9, prog_ind=0x0) Mar 2 19:39:07.557: ccCallSetupRequest (Inbound call = 0x9, outbound peer =3653, dest=, params=0x61E296C0 mode=0, *callID=0x61E299D0, prog_ind = 3) Mar 2 19:39:07.557: ccCallSetupRequest numbering_type 0x81 Mar 2 19:39:07.557: dest pattern 2#3653, called 2#3653, digit_strip 1 Mar 2 19:39:07.557: callingNumber=1#5336, calledNumber=2#3653, redirectNumber=display_info= calling_oct3a=0 Mar 2 19:39:07.557: accountNumber=, finalDestFlag=1, guid=6aef.3a87.165c.11cc.8040.d661.b74f.9390 Mar 2 19:39:07.557: peer_tag=3653 Mar 2 19:39:07.557: ccIFCallSetupRequestPrivate: (vdbPtr=0x61E4473C, dest=, callParams={called=2#3653,called_oct3=0x81, calling=1#5336,calling_oct3=0x81, subscriber_type_str=Unknown, fdest=1, voice_peer_tag=3653},mode=0x0) vdbPtr type = 6 Mar 2 19:39:07.557: ccIFCallSetupRequestPrivate: (vdbPtr=0x61E4473C, dest=, callParams={called=2#3653, called_oct3 0x81, calling=1#5336,calling_oct3 0x81, fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-4) Mar 2 19:39:07.557: ccSaveDialpeerTag (callID=0x9, dialpeer_tag= Mar 2 19:39:07.557: ccCallSetContext (callID=0xA, context=0x6244D9EC) Mar 2 19:39:07.557: ccCallReportDigits (callID=0x9, enable=0x0)
在同一實驗中,IOS映像12.2(6a)載入到OGW上。進行呼叫時,會注意到OGW仍會根據其密碼傳送一個清除令牌,即使網關未配置用於IVR來收集帳戶/PIN。此外,為所有級別配置的網守也接受該呼叫。此錯誤已記錄在Cisco錯誤ID CSCdw4324(僅限註冊客戶)。
如本文檔前面所述,使用在RAS/H.225消息的clearTokens欄位中傳送的訪問令牌來提供端到端呼叫安全。當啟用這種安全時,源網關將從ACF中的網守接收的接入令牌轉發到H.225 SETUP消息中的目標H.323端點。然後,該目標H.323端點在其准入請求中將SETUP消息中收到的接入令牌轉發給網守。這樣,遠端網守就能夠根據訪問令牌的有效性來允許呼叫。訪問令牌的內容取決於生成它的實體。為了最小化安全漏洞並防範中間人攻擊,網守可以在接入令牌中對目標特定資訊進行編碼。這意味著,在ACF中提供alternateEndpoints時,網守可以為指定的每個alternateEndpoint提供單獨的訪問令牌。
當首次嘗試建立連線時,思科網關會傳送在ACF的clearToken欄位中收到的訪問令牌,該令牌的地址在destCallSignalAddress欄位中。如果此嘗試不成功,並且思科網關繼續嘗試與備用終結點連線,它將使用備用終結點清單中的關聯訪問令牌(如果可用)。如果ACF中接收的備用終端清單不包括訪問令牌,但ACF包括訪問令牌,則思科網關將在所有嘗試與備用終端連線時包括此訪問令牌。
目前,只有思科閘道支援開放結算通訊協定(OSP)及其權杖。網守上不支援。網關識別從結算伺服器接收的OSP令牌,並將它們插入到到終端網關的Q.931設定消息中。
目前,您無法為每個端點或區域配置不同級別的安全性。安全級別適用於該網守管理的所有區域。可以針對此類問題開啟功能請求。
網域間網守對網守的安全性提供了逐跳驗證網域內和網域間網守對網守請求的能力。這表示目的地閘道管理員會終止CAT,並在閘道管理員決定向前轉送LRQ時產生新的CAT。如果網守檢測到無效的LRQ簽名,則通過傳送位置拒絕(LRJ)進行響應。
發起網守在區域內呼叫的情況下啟動LRQ或即將傳送ACF時生成IZCT。此權杖會透過其路由路徑進行遍歷。如果必要,每個網守將更新目標網守ID和/或源網守ID,以反映區域資訊。終止閘道管理員產生具有其密碼的權杖。此令牌在位置確認(LCF)消息中傳回,並傳遞到OGW。OGW在H.225 SETUP消息中包含此令牌。當TGW收到權杖時,它將在ARQ answerCall中轉送並由終端閘道管理員(TGK)驗證,而不需要任何RADIUS伺服器。
身份驗證型別基於ITU H.235中描述的帶雜湊的密碼。具體來說,加密方法是帶雜湊口令的MD5。
IZCT的目的是知道LRQ是否來自外部域、來自哪個區域以及來自哪個運營商。它還用於從TGK向LCF中的OGW傳遞令牌。在IZCT格式中,需要提供以下資訊:
srcCarrierID — 源載波標識
dstCarrierID — 目標載波標識
intCarrierID — 中間載波標識
srcZone — 源區域
dstZone — 目標區域
interzone type
域內_CISCO
INTER_DOMAIN_CISCO
INTRA_DOMAIN_TERM_NOT_CISCO
INTER_DOMAIN_ORIG_NOT_CISCO
此功能無需從閘道或載波敏感路由(CSR)伺服器取得載波ID,即可正常運作。在這種情況下,有關運營商ID的欄位為空。此處的示例不包括任何運營商ID。有關詳細的呼叫流程、版本和平台支援以及配置,請參閱域間網守安全性增強。
IZCT功能需要在網守上進行此配置。
Router(gk-config)# [no] security izct password
密碼需要六到八個字元。確定下列區域位於外部域中:
Router(config-gk)# zone remote other-gatekeeper-name other-domain-name other-gatekeeper-ip-address [port-number] [cost cost-value [priority priority-value]] [foreign-domain]
此圖顯示IZCT流程。
在此配置中,網關和網守的名稱與IZCT呼叫流程圖中使用的名稱相同,但大小寫更低。在設定後會以偵錯說明來說明通話流程。
要解釋IZCT功能和呼叫流程,第一個示例沒有域內網關到網守安全。在此之後,TGW無法生成IZCT以使TGK1拒絕該呼叫的例子也隨之出現。這表示功能按設計的那樣運作。所有這些設定都基於IZCT呼叫流程圖中的拓撲。
範例 1:僅網守對網守安全的呼叫流
此示例顯示所有網關和網守的相關配置。
OGW配置 | TGW配置 |
---|---|
! hostname ogw !controller E1 3/0 pri-group timeslots 1-2,16 ! interface Ethernet0/0 ip address 172.16.13.15 255.255.255.224 half-duplex h323-gateway voip interface h323-gateway voip id ogk1 ipaddr 172.16.13.35 1718 h323-gateway voip h323-id ogw h323-gateway voip tech-prefix 1# ! voice-port 3/0:15 ! dial-peer voice 5336 pots incoming called-number . destination-pattern 5336 direct-inward-dial port 3/0:15 prefix 21 ! dial-peer voice 3653 voip incoming called-number . destination-pattern 3653 session target ras dtmf-relay h245-alphanumeric codec g711ulaw ! gateway ! ntp clock-period 17178791 ntp server 172.16.13.35 end |
hostname tgw ! controller E1 0 clock source line primary ds0-group 0 timeslots 1-2 type r2-digital r2-compelled ! interface Ethernet0 ip address 172.16.13.23 255.255.255.224 h323-gateway voip interface h323-gateway voip id tgk1 ipaddr 172.16.13.41 1718 h323-gateway voip h323-id tgw h323-gateway voip tech-prefix 2# ! voice-port 0:0 compand-type a-law ! dial-peer voice 3653 pots application test1 incoming called-number . destination-pattern 3653 port 0:0 prefix 21 ! dial-peer voice 5336 voip incoming called-number . destination-pattern 5336 session target ras dtmf-relay h245-alphanumeric codec g711ulaw ! gateway ! ntp clock-period 17179814 ntp server 172.16.13.35 end |
OGK1配置 | TGK1配置 |
---|---|
! hostname ogk1 ! interface Ethernet0/0 ip address 172.16.13.35 255.255.255.224 half-duplex ! gatekeeper zone local ogk1 domainA.com 172.16.13.35 zone remote ogk2 domainA.com 172.16.13.14 1719 zone prefix ogk2 36* zone prefix ogk1 53* security izct password 111222 gw-type-prefix 1#* default- technology no shutdown ! ! no scheduler max-task-time no scheduler allocate ntp master ! end |
! hostname tgk1 ! interface Ethernet0/0 ip address 172.16.13.41 255.255.255.224 ip directed-broadcast half-duplex ! gatekeeper zone local tgk1 domainB.com 172.16.13.41 zone remote tgk2 domainB.com 172.16.13.16 1719 zone prefix tgk1 36* zone prefix tgk2 53* security izct password 111222 gw-type-prefix 2#* default- technology no shutdown ! ntp clock-period 17179797 ntp server 172.16.13.35 ! end |
OGK2配置 | TGK2配置 |
---|---|
! hostname ogk2 ! interface Ethernet0/0 ip address 172.16.13.14 255.255.255.224 full-duplex ! gatekeeper zone local ogk2 domainA.com zone remote ogk1 domainA.com 172.16.13.35 1719 zone remote tgk2 domainB.com 172.16.13.16 1719 foreign-domain zone prefix tgk2 36* zone prefix ogk1 53* security izct password 111222 lrq forward-queries no shutdown ! ntp clock-period 17208242 ntp server 172.16.13.35 ! end |
! hostname tgk2 ! interface Ethernet0/0 ip address 172.16.13.16 255.255.255.224 half-duplex ! gatekeeper zone local tgk2 domainB.com zone remote tgk1 domainB.com 172.16.13.41 1719 zone remote ogk2 domainA.com 172.16.13.14 1719 foreign-domain zone prefix tgk1 36* zone prefix ogk2 53* security izct password 111222 lrq forward-queries no shutdown ! ntp clock-period 17179209 ntp server 172.16.13.35 ! end |
這些示例使用debug來解釋呼叫流。
運營商E上的使用者呼叫運營商D上的使用者。
Mar 4 15:31:19.989: cc_api_call_setup_ind (vdbPtr=0x6264ADF0, callInfo={called=3653, called_oct3=0x80,calling=4085272923,calling_oct3=0x21,calling_oct3a=0x80 calling_xlated=false,subscriber_type_str=RegularLine,fdest=1,peer_tag=5336, prog_ind=0},callID=0x6219F9F0) Mar 4 15:31:19.993: cc_api_call_setup_ind type 13 , prot 0 Mar 4 15:31:19.993: cc_process_call_setup_ind (event=0x6231A6B4) Mar 4 15:31:19.993: >>>>CCAPI handed cid 7 with tag 5336 to app "DEFAULT" Mar 4 15:31:19.993: sess_appl: ev(24=CC_EV_CALL_SETUP_IND), cid(7), disp(0) Mar 4 15:31:19.993: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(7), disp(0) Mar 4 15:31:19.993: ssaCallSetupInd Mar 4 15:31:19.993: ccCallSetContext (callID=0x7, context=0x621533F0) Mar 4 15:31:19.997: ssaCallSetupInd cid(7), st(SSA_CS_MAPPING),oldst(0), ev(24) ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1 Mar 4 15:31:19.997: ssaCallSetupInd finalDest cllng(4085272923), clled(3653) Mar 4 15:31:19.997: ssaCallSetupInd cid(7), st(SSA_CS_CALL_SETTING),oldst(0), ev(24)dpMatchPeersMoreArg result= 0 Mar 4 15:31:19.997: ssaSetupPeer cid(7) peer list: tag(3653) called number (3653) Mar 4 15:31:19.997: ssaSetupPeer cid(7), destPat(3653), matched(4), prefix(), peer(626640B0), peer->encapType (2) Mar 4 15:31:19.997: ccCallProceeding (callID=0x7, prog_ind=0x0) Mar 4 15:31:19.997: ccCallSetupRequest (Inbound call = 0x7, outbound peer=3653, dest=, params=0x62327730 mode=0, *callID=0x62327A98, prog_ind = 0) Mar 4 15:31:19.997: ccCallSetupRequest numbering_type 0x80 Mar 4 15:31:19.997: ccCallSetupRequest encapType 2 clid_restrict_disable 1 null _orig_clg 0 clid_transparent 0 callingNumber 4085272923 Mar 4 15:31:19.997: dest pattern 3653, called 3653, digit_strip 0 Mar 4 15:31:19.997: callingNumber=4085272923, calledNumber=3653, redirectNumber = display_info= calling_oct3a=80 Mar 4 15:31:19.997: accountNumber=, finalDestFlag=1, guid=221b.686c.17cc.11cc.8010.a049.e052.4766 Mar 4 15:31:19.997: peer_tag=3653 Mar 4 15:31:19.997: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653,called_oct3=0x80, calling=4085272923,calling_oct3=0x21, calling_xlated=false, subscriber_type_str=RegularLine, fdest=1, voice_peer_tag=365 3},mode=0x0) vdbPtr type = 1 Mar 4 15:31:19.997: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653, called_oct3 0x80, calling=4085272923,calling_oct3 0x21, calling_xlated=false, fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-5) Mar 4 15:31:20.001: ccSaveDialpeerTag (callID=0x7, dialpeer_tag=0xE45) Mar 4 15:31:20.001: ccCallSetContext (callID=0x8, context=0x6215388C) Mar 4 15:31:20.001: ccCallReportDigits (callID=0x7, enable=0x0)
由於始發網關的撥號對等體(標籤=3653)配置了RAS,因此它會向OGK1傳送ARQ。
Mar 4 15:31:20.001: H225 NONSTD OUTGOING PDU ::= value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } callingOctet3a 128 interfaceSpecificBillingId "ISDN-VOICE" } Mar 4 15:31:20.005: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 000008A0 01800B12 4953444E 2D564F49 4345 Mar 4 15:31:20.005: Mar 4 15:31:20.005: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : !--- ARQ is sent out to ogk1. { requestSeqNum 1109 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"81567A4000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923", h323-ID : {"ogw"} } bandWidth 640 callReferenceValue 4 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008A001800B124953444E2D564F494345'H } conferenceID '221B686C17CC11CC8010A049E0524766'H activeMC FALSE answerCall FALSE canMapAlias TRUE callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } willSupplyUUIEs FALSE } Mar 4 15:31:20.013: RAS OUTGOING ENCODE BUFFER::= 27 88045400 F0003800 31003500 36003700 41003400 30003000 30003000 30003000 30003000 31010180 69860204 8073B85A 5C564002 006F0067 00774002 80000440 B5000012 13800000 08A00180 0B124953 444E2D56 4F494345 221B686C 17CC11CC 8010A049 E0524766 04E02001 80110022 1B686C17 CC11CC80 11A049E0 52476601 00 Mar 4 15:31:20.017: h323chan_dgram_send:Sent UDP msg. Bytes sent: 130 to 172.16.13.35:1719 Mar 4 15:31:20.017: RASLib::GW_RASSendARQ: ARQ (seq# 1109) sent to 172.16.13.35
當OGK1收到ARQ時,它確定由遠端區域OGK2為目標提供服務。然後,它確定需要IZCT(通過CLI:security izct password <pwd>)。OGK1在傳送LRQ之前繼續建立IZCT。然後,它將IZCT和LRQ傳送到OGK2,並將RIP消息傳送回OGW。
Mar 4 15:31:19.927: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 6 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:19.935: H225 NONSTD OUTGOING ENCODE BUFFER::= 82 86B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:19.939: Mar 4 15:31:19.939: PDU ::= value IZCToken ::= !--- The gatekeeper creates and sends out the IZCT. { izctInterZoneType intraDomainCisco : NULL !--- The destination is in the same domain, it is intraDomainCisco type. izctSrcZone "ogk1" !--- The source zone is ogk1. ) Mar 4 15:31:19.943: ENCODE BUFFER::= 07 00C06F67 6B310473 72630464 73740469 6E74 Mar 4 15:31:19.947: Mar 4 15:31:19.947: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- LRQ is sent out to ogk2. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8286B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '0700C06F676B31047372630464737404696E74'H } } } } Mar 4 15:31:19.967: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288286 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C56400 2 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 802B0100 80092A 86 4886F70C 0A010009 2A864886 F70C0A01 00130700 C06F676B 31047372 63046473 74046 96E 74 Mar 4 15:31:19.983: Mar 4 15:31:19.987: IPSOCK_RAS_sendto: msg length 122 from 172.16.13.35:1719 to 172.16.13.14: 1719 Mar 4 15:31:19.987: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.14 Mar 4 15:31:19.987: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- RIP message is sent back to OGW. { requestSeqNum 1109 delay 9000 } Mar 4 15:31:19.991: RAS OUTGOING ENCODE BUFFER::= 80 05000454 2327 Mar 4 15:31:19.991: Mar 4 15:31:19.991: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.35:1719 to 172.16.13.15: 57076 Mar 4 15:31:19.991: RASLib::RASSendRIP: RIP (seq# 1109) sent to 172.16.13.15
OGK2收到LRQ時,會檢查IZCT。從配置中發現LRQ也需要包含IZCT。OGK2通過將izctSrcZone和izctDstZone更改為ogk2建立新的IZCT,並將LRQ轉發到TGK2。向TGK2傳送LRQ後,向OGK1傳送一條RIP消息。
如果網守是群集的一部分,則群集名稱用於SrcZone或DstZone。
Mar 4 15:31:20.051: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- RIP message is sent back to OGK1. { requestSeqNum 2048 delay 6000 } Mar 4 15:31:20.055: RAS OUTGOING ENCODE BUFFER::= 80 050007FF 176F Mar 4 15:31:20.055: Mar 4 15:31:20.055: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.14:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.059: RASLib::RASSendRIP: RIP (seq# 2048) sent to 172.16.13.35 Mar 4 15:31:20.059: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 5 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:20.063: H225 NONSTD OUTGOING ENCODE BUFFER::= 82 06B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:20.072: Mar 4 15:31:20.072: PDU ::= value IZCToken ::= { izctInterZoneType intraDomainCisco : NULL !--- This is still intraDomain since message OGK1 is !--- not a foreign domain. izctSrcZone "ogk2" !--- ScrZone and DstZone become ogk2. izctDstZone "ogk2" } Mar 4 15:31:20.076: ENCODE BUFFER::= 47 00C06F67 6B32066F 676B3204 73726304 64737404 696E74 Mar 4 15:31:20.080: Mar 4 15:31:20.080: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- The LRQ is forwarded to TGK2. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8206B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '4700C06F676B32066F676B320473726304647374...'H } } } } Mar 4 15:31:20.104: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288206 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C564002 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 80300100 80092A86 4886F70C 0A010009 2A864886 F70C0A01 00184700 C06F676B 32066F67 6B320473 72630464 73740469 6E74 Mar 4 15:31:20.120: Mar 4 15:31:20.120: IPSOCK_RAS_sendto: msg length 127 from 172.16.13.14:1719 to 172.16.13.16: 1719 Mar 4 15:31:20.124: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.16
TGK2確定LRQ來自外部域。它使用自己的ID和作為INTER_DOMAIN_CISCO的interZone更新IZCT的dstZone。然後建立一個新的CAT,並將更新的IZCT和LRQ傳遞到TGK1。
在以下兩種情況中,TGK2將從中接收LRQ的區域視為外域區域:
TGK2的遠端區域清單不包含從中接收LRQ的區域。
TGK2的遠端區域清單包含從中接收LRQ的區域。該區域標有外部域標誌。
然後向OGK1傳送請求正在處理消息。
Mar 4 15:31:20.286: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- The RIP message is sent back to !--- OGK1 since lrq-forward queries are configured on OGK2 and TGK2. { requestSeqNum 2048 delay 6000 } Mar 4 15:31:20.286: RAS OUTGOING ENCODE BUFFER::= 80 050007FF 176F Mar 4 15:31:20.286: Mar 4 15:31:20.286: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.16:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.286: RASLib::RASSendRIP: RIP (seq# 2048) sent to 172.16.13.35 Mar 4 15:31:20.286: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 4 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:20.290: H225 NONSTD OUTGOING ENCODE BUFFER::= 81 86B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:20.290: Mar 4 15:31:20.290: PDU ::= value IZCToken ::= !--- The IZCT information. { izctInterZoneType interDomainCisco : NULL !--- The zone type is interDomain since the OGK2 !--- in a foreign domain is configured in TGK2. izctSrcZone "ogk2" !--- SrcZone is still ogk2. izctDstZone "tgk2" !--- DstZone changed to tgk2. } Mar 4 15:31:20.294: ENCODE BUFFER::= 47 20C06F67 6B320674 676B3204 73726304 64737404 696E74 Mar 4 15:31:20.294: Mar 4 15:31:20.294: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- LRQ is sent to TGK1. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8186B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '4720C06F676B320674676B320473726304647374...'H } } } } Mar 4 15:31:20.302: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288186 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C564002 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 80300100 80092A86 4886F70C 0A010009 2A864886 F70C0A01 00184720 C06F676B 32067467 6B320473 72630464 73740469 6E74 Mar 4 15:31:20.306: Mar 4 15:31:20.306: IPSOCK_RAS_sendto: msg length 127 from 172.16.13.16:1719 to 172.16.13.41: 1719 Mar 4 15:31:20.306: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.41
通常TGK1會將IZCT的dstCarrierID更新為運營商E,後者由路由過程決定。但是,由於不使用承運人,因此您看不到這一點。TGK1使用IZCT的密碼生成雜湊令牌。它將包含更新的IZCT的LCF傳送到OGK1。此izctHash用於驗證TGK1在後者從OGW接收VoIP設定消息時從TGW接收的應答Call ARQ。
Mar 4 15:31:20.351: PDU ::= value IZCToken ::= !--- IZCT with a hash is generated to be sent back to TGK2. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.355: ENCODE BUFFER::= 7F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E74 Mar 4 15:31:20.355: Mar 4 15:31:20.355: RAS OUTGOING PDU ::= value RasMessage ::= locationConfirm : !--- LCF is sent back to OGK1 since lrq-forward queries !--- are configured on OGK2 and TGK2. { requestSeqNum 2048 callSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } rasAddress ipAddress : { ip 'AC100D17'H port 55762 } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '000140020074006700770600740067006B003101...'H } destinationType { gateway { protocol { voice : { supportedPrefixes { } } } } mc FALSE undefinedNode FALSE } tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } } Mar 4 15:31:20.367: RAS OUTGOING ENCODE BUFFER::= 4F 07FF00AC 100D1706 B800AC10 0D17D9D2 40B50000 122F0001 40020074 00670077 06007400 67006B00 31011001 40020074 00670077 00AC100D 1706B800 00000000 00000000 00104808 0880013C 05010000 48010080 092A8648 86F70C0A 0100092A 864886F7 0C0A0100 307F20C0 6F676B32 0674676B 32C02B96 20C70103 105A7D5E 18AA658A 6A4B4709 BA5ABEF2 B9047372 63046473 7404696E 74 Mar 4 15:31:20.371: Mar 4 15:31:20.371: IPSOCK_RAS_sendto: msg length 154 from 172.16.13.41:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.371: RASLib::RASSendLCF: LCF (seq# 2048) sent to 172.16.13.35
OGK1從LCF提取IZCT並將其作為ACF傳送到OGW。
Mar 4 15:31:20.316: PDU ::= value IZCToken ::= !--- The extracted IZCT. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.324: ENCODE BUFFER::= 7F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E74 Mar 4 15:31:20.328: Mar 4 15:31:20.332: RAS OUTGOING PDU ::= value RasMessage ::= admissionConfirm : !--- ACF is sent back to OGW with the hashed IZCToken. { requestSeqNum 1109 bandWidth 640 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } } Mar 4 15:31:20.352: RAS OUTGOING ENCODE BUFFER::= 2B 00045440 028000AC 100D1706 B800EF1A 08C04801 0080092A 864886F7 0C0A0100 092A8648 86F70C0A 0100307F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E7401 00020000 Mar 4 15:31:20.364: Mar 4 15:31:20.364: IPSOCK_RAS_sendto: msg length 97 from 172.16.13.35:1719 to 172.16.13.15: 57076 Mar 4 15:31:20.368: RASLib::RASSendACF: ACF (seq# 1109) sent to 172.16.13.15
OGW在H.225 SETUP消息中將IZCT傳送到TGW。
Mar 4 15:31:20.529: H225.0 OUTGOING PDU ::= value H323_UserInformation ::= { h323-uu-pdu { h323-message-body setup : !--- H.225 SETUP message is sent to TGW. { protocolIdentifier { 0 0 8 2250 0 2 } sourceAddress { h323-ID : {"ogw"} } sourceInfo { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } activeMC FALSE conferenceID '221B686C17CC11CC8010A049E0524766'H conferenceGoal create : NULL callType pointToPoint : NULL sourceCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11003 } callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } tokens !--- The hashed IZCT information is included in the setup message. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } fastStart { '0000000C6013800A04000100AC100D0F4125'H, '400000060401004C6013801114000100AC100D0F...'H } mediaWaitForConnect FALSE canOverlapSend FALSE } h245Tunneling TRUE nonStandardControl { { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '6001020001041F04038090A31803A983816C0C21...'H } } } }
TGW在ARQ answerCall中將IZCT傳遞到TGK1。
Mar 4 15:31:20.613: Mar 4 15:31:20.613: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : !--- ARQ answerCall type is sent to TGK1. { requestSeqNum 78 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"617D829000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923", h323-ID : {"ogw"} } srcCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11003 } bandWidth 1280 callReferenceValue 3 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008800180'H } conferenceID '221B686C17CC11CC8010A049E0524766'H activeMC FALSE answerCall TRUE canMapAlias TRUE callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } tokens !--- The hashed IZCToken information is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } willSupplyUUIEs FALSE }
TGK1成功驗證目標IZCT。這是因為TGK1在IZCT中生成雜湊值,然後將ACF傳送回TGW。
Mar 4 15:31:20.635: Mar 4 15:31:20.635: PDU ::= value IZCToken ::= !--- The extracted IZCT from the ARQ to be validated. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.639: RAS OUTGOING PDU ::= value RasMessage ::= admissionConfirm : !--- After the IZCT is validated, ACF is sent back to TGW. { requestSeqNum 78 bandWidth 1280 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } }
TGW在收到ACF之後建立對運營商D的呼叫。
範例 2:呼叫失敗,因為TGW無法從收到的設定消息提取IZCT。
此示例基於與示例1相同的拓撲和配置。在此示例中,TGW的軟體已更改為不支援IZCT的版本。在這種情況下,TGW無法從設定消息中提取IZCT。這會導致TGK1拒絕呼叫,而斷開原因則是安全拒絕。
此示例僅顯示TGW上的設定消息ARQ和ARJ,因為呼叫流與示例1相同。
Mar 4 19:50:32.346: PDU DATA = 6147C2BC value H323_UserInformation ::= { h323-uu-pdu { h323-message-body setup : !--- H.225 SETUP message is received with a token included. { protocolIdentifier { 0 0 8 2250 0 2 } sourceAddress { h323-ID : {"ogw"} } sourceInfo { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } activeMC FALSE conferenceID '56CA67C817F011CC8014A049E0524766'H conferenceGoal create : NULL callType pointToPoint : NULL sourceCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11004 } callIdentifier { guid '56CA67C817F011CC8015A049E0524766'H } tokens !--- Hashed IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B965D85010410...'H } } } fastStart { '0000000C6013800A04000100AC100D0F45D9'H, '400000060401004C6013801114000100AC100D0F...'H } mediaWaitForConnect FALSE canOverlapSend FALSE } h245Tunneling TRUE nonStandardControl { { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '6001020001041F04038090A31803A983816C0C21...'H } } } } RAW_BUFFER::= 60 01020001 041F0403 8090A318 03A98381 6C0C2180 34303835 32373239 32337005 80333635 33 Mar 4 19:50:32.362: PDU DATA = 6147F378 value H323_UU_NonStdInfo ::= { version 2 protoParam qsigNonStdInfo : { iei 4 rawMesg '04038090A31803A983816C0C2180343038353237...'H } } PDU DATA = 6147F378 value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } callingOctet3a 128 } RAW_BUFFER::= 80 00000880 0180 Mar 4 19:50:32.366: PDU DATA = 6147C2BC value RasMessage ::= admissionRequest : !--- ARQ is sent out. There is no token in it. { requestSeqNum 23 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"617D829000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923" } srcCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11004 } bandWidth 640 callReferenceValue 1 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008800180'H } conferenceID '56CA67C817F011CC8014A049E0524766'H activeMC FALSE answerCall TRUE canMapAlias FALSE callIdentifier { guid '56CA67C817F011CC8015A049E0524766'H } willSupplyUUIEs FALSE } RAW_BUFFER::= 27 98001600 F0003600 31003700 44003800 32003900 30003000 30003000 30003000 30003000 31010180 69860104 8073B85A 5C5600AC 100D0F2A FC400280 000140B5 00001207 80000008 80018056 CA67C817 F011CC80 14A049E0 52476644 E0200100 110056CA 67C817F0 11CC8015 A049E052 47660100 Mar 4 19:50:32.374: h323chan_dgram_send:Sent UDP msg. Bytes sent: 117 to 172.16.13.41:1719 Mar 4 19:50:32.374: RASLib::GW_RASSendARQ: ARQ (seq# 23) sent to 172.16.13.41 Mar 4 19:50:32.378: h323chan_dgram_recvdata:rcvd from [172.16.13.41:1719] on sock[1] RAW_BUFFER::= 2C 00168001 00 Mar 4 19:50:32.378: PDU DATA = 6147C2BC value RasMessage ::= admissionReject : !--- ARJ is received with a reason of security denial. { requestSeqNum 23 rejectReason securityDenial : NULL } Mar 4 19:50:32.378: ARJ (seq# 23) rcvd
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
22-Jan-2002 |
初始版本 |