网关到网守 (H.235) 与网守到网守(IZCT) 安全故障排除指南
目录
简介
H.323网络有不同的配置和呼叫流。本文档讨论涉及网守的H.323网络的大多数安全问题。本文档总结了每种功能的工作方式以及如何对其进行故障排除,并对大多数调试进行了说明。本文档未介绍VoIP的整体安全性。
本文档包括以下功能:
-
域内网关到网守安全 — 此安全性基于H.235,其中H.323呼叫由网守进行身份验证、授权和路由。在网关尝试向其注册时网关不对其进行身份验证的意义上,网守被视为已知和受信任实体。
-
域间网守到网守安全 — 此安全功能包括使用InterZone Clear Token(IZCT)对互联网电话服务提供商(ITSP)的管理域之间的H.323呼叫进行身份验证和授权。 本文档仅涵盖终端网守在其位置确认(LCF)消息中发送令牌以验证应答呼叫准入请求(ARQ)的部分。 此功能中不包含位置请求(LRQ)验证。LRQ验证是为将来的Cisco IOS®软件版本安排的一项功能。
定义
| 缩写词 | 定义 |
|---|---|
| ARQ | 准入请求 — 从H.323终端向请求准入以建立呼叫的网守发送的注册、准入和状态协议(RAS)消息。 |
| ACF | 准入确认 — 从网守向终端发送的确认接受呼叫的RAS消息。 |
| ARJ | 准入拒绝 — 从网守到终端的拒绝准入请求的RAS消息。 |
| CAT | 思科访问令牌 — H.235清除令牌。 |
| CHAP | 质询握手身份验证协议 — 使用质询的身份验证协议。 |
| GCF | 网守确认 — 从网守发送到H.323终端的RAS消息,确认发现网守。 |
| GRQ | 网守请求 — 从H.323终端发送的用于发现网守的RAS消息。 |
| H.235 | ITU对H系列(H.323和其他基于H.245的)多媒体终端的安全和加密的建议。 |
| IZCT | InterZone Clear Token — 当LRQ启动或ACF即将在ITSP管理域内为区域内呼叫发送时,在始发网守中生成IZCT。 |
| LRQ | 位置请求 — 从网守发送到下一跳网守或呼叫段以跟踪和路由呼叫的RAS消息。 |
| RAS | 注册、准入和状态 — 允许网守对终端执行注册、准入和状态检查的协议。 |
| RCF | Registration Confirm — 从网守发送到终端的确认注册的RAS消息。 |
| RRJ | Registration Reject — 从网守发送的拒绝注册请求的RAS消息。 |
| RRQ | 注册请求 — 从终端发送到网守的RAS消息,请求向其注册。 |
| RIP | Request In Progress — 从网守向发送方发送的RAS消息,表示呼叫正在进行。 |
域内网关到网守安全
H.323是ITU的建议,用于解决在不安全网络上保护实时通信的问题。这涉及两个主要关注领域:身份验证和隐私。根据H.235,身份验证分为两种类型:
-
基于对称加密的身份验证,无需在通信实体之间预先联系。
-
基于拥有某些先前共享密钥(进一步称为基于订用)的能力,提供两种基于订用的身份验证形式:
-
密码
-
证书
-
令牌中传输的时间戳
时间戳用于防止重播攻击。因此,需要对时间(从中导出时间戳)进行双方均可接受的引用。 可接受的时间偏差量是本地实施的问题。
Cisco 如何实现 H.235 建议
思科使用类似挑战握手身份验证协议(CHAP)的身份验证方案作为其网关到其网守H.235实施的基础。这允许您利用身份验证、授权和记帐(AAA),使用现有功能执行实际身份验证。也意味着网守无需访问网关ID、用户帐户号、密码和PIN的数据库。该方案基于H.235第10.3.3节。该方案被描述为带散列的基于订阅的密码。
但是,此方法不使用H.225 cryptoToken,而是使用H.235 clearToken,其中字段已适当填充,以便与RADIUS配合使用。此令牌称为思科访问令牌(CAT)。 您始终可以在网守本地执行身份验证,而不是使用RADIUS服务器。
使用cryptoToken要求网守维护所有用户和网关的口令,或者以某种方式获取口令。这是因为cryptoToken的令牌字段已指定,因此身份验证实体需要密码来生成其自己的令牌,以便与收到的令牌进行比较。
思科网守完全忽略cryptoTokens。但是,VocalTek网守和支持H.235第10.3.3节的其他人使用cryptoTokens对网关进行身份验证。Cisco网守使用CAT对网关进行身份验证。由于网关不知道它与哪种类型的网守通信,因此它在RRQ中同时发送。GRQ中的authenticationCapability用于cryptoToken,并指示MD5散列是身份验证机制(尽管CAT也使用MD5)。
有关详细信息,请参阅Cisco H.323网关安全和记帐增强功能。
如何配置安全等级
-
终端或注册级安全
在网守上启用注册安全后,网关需要在所有重量级RRQ消息中包含CAT。在本例中,CAT包含对网关本身进行网守身份验证的信息。网守将消息格式化到RADIUS服务器,该服务器对令牌中包含的信息进行身份验证。它使用Access-Accept或Access-Reject回复网守。这反过来会以RCF或RRJ响应网关。
如果随后从成功验证的网关发出呼叫,则该网关在从网守接收到使用网关密码的ACF时生成新CAT。此CAT与注册期间生成的CAT相同,时间戳除外。它被置于传出SETUP消息中。目的网关从SETUP消息提取令牌并将其放入目的端ARQ。网守在发送目的端ACF之前使用RADIUS对始发网关进行身份验证。这可以防止知道网关地址的未经身份验证的终端使用它来规避安全方案并访问公共交换电话网络(PSTN)。
因此,在此级别中,不需要在始发ARQ中包含任何令牌。
从网守命令行界面(CLI)键入注册所需的[no]安全令牌,以配置网守。命令no选项导致网守不再检查RAS消息中的令牌。
从网关CLI键入[no] security password <PASSWORD>级别终端以配置网关。命令no选项导致网关不再为RAS消息生成令牌。
-
每呼叫级别安全
每个呼叫的安全建立在注册级安全的基础上。除了满足注册安全要求外,当在网守上启用每呼叫安全时,网关还需要在所有始发端ARQ消息中包括接入令牌。本例中的令牌包含标识网关用户到网守的信息。此信息通过网关上的交互式语音响应(IVR)脚本获取。这会提示用户在发出呼叫之前从键盘输入其用户ID和PIN。
始发ARQ中包含的CAT由RADIUS以与前面在终端或注册级别安全中描述的相同方式进行身份验证。在收到ACF后,网关使用其密码生成新的CAT,并在H.225 SETUP消息内将其发送到终端网关。
从网守CLI键入[no] security token required-for all,以配置网守。命令no选项导致网守不再检查RAS消息中的令牌。
从网关CLI键入[no] security password <PASSWORD> level per-call,以配置网关。命令no选项导致网关不再为RAS消息生成令牌。
-
所有级别安全
这允许网关在注册和呼叫所需的所有RAS消息中包含CAT。因此,它是上述两个级别的组合。使用此选项,ARQ消息中CAT的验证基于发出呼叫的用户的帐号和PIN。在所有其他RAS消息中发送的CAT的验证基于为网关配置的密码。因此,它类似于每呼叫级别。
从网守CLI键入[no] security token required-for all,以配置网守。命令no选项导致网守不再检查RAS消息中的令牌。
从网关CLI键入[no] security password <PASSWORD> level all以配置网关。命令no选项导致网关不再为RAS消息生成令牌。
没有 IVR 时在每呼叫级别上的 H.235 用法
H.235不能在没有IVR的每个呼叫级别上使用。如果没有IVR来收集帐户和PIN,网关需要发送ARQ而不带Clear Token(但带加密令牌)。 由于思科网守仅接受清除令牌,因此网守会拒绝呼叫,因此会拒绝安全。
此示例显示从未为IVR配置来收集帐户和PIN的始发网关(OGW)收集的h225 asn1调试。RRQ消息有清除令牌,但ARQ没有。ARJ消息将发回网关。
Mar 4 01:31:24.358: H235 OUTGOING ENCODE BUFFER::= 61 000100C0
2B955BEB 08003200 32003200 32000006 006F0067 00770000
Mar 4 01:31:24.358:
Mar 4 01:31:24.358: RAS OUTGOING PDU ::=
value RasMessage ::= registrationRequest :
{
requestSeqNum 29
protocolIdentifier { 0 0 8 2250 0 3 }
discoveryComplete FALSE
callSignalAddress
{
}
rasAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 57514
}
}
terminalType
{
mc FALSE
undefinedNode FALSE
}
gatekeeperIdentifier {"ogk1"}
endpointVendor
{
vendor
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
}
timeToLive 60
tokens
!--- Clear Token is included in the RRQ message.
{
{
tokenOID { 1 2 840 113548 10 1 2 1 }
timeStamp 731208684
challenge 'F57C3C65B59724B9A45C93F98CCF9E45'H
random 12
generalID {"ogw"}
}
}
cryptoTokens
{
cryptoEPPwdHash :
{
alias h323-ID : {"ogw"}
timeStamp 731208684
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "D7F85666AF3B881ADD876DD61C20D5D9"
}
}
}
keepAlive TRUE
endpointIdentifier {"81F5E24800000001"}
willSupplyUUIEs FALSE
maintainConnection TRUE
}
Mar 4 01:31:24.370: RAS OUTGOING ENCODE BUFFER::= 0E 40001C06 0008914A
00030000 0100AC10 0D0FE0AA 0003006F 0067006B 003100B5 00001212 EF000200
3B2F014D 000A2A86 4886F70C 0A010201 C02B955B EB10F57C 3C65B597 24B9A45C
93F98CCF 9E45010C 06006F00 67007700 002A0104 02006F00 670077C0 2B955BEB
082A8648 86F70D02 05008080 D7F85666 AF3B881A DD876DD6 1C20D5D9 0180211E
00380031 00460035 00450032 00340038 00300030 00300030 00300030 00300031
01000180
Mar 4 01:31:24.378: h323chan_dgram_send:Sent UDP msg. Bytes sent: 173 to
172.16.13.35:1719
Mar 4 01:31:24.378: RASLib::GW_RASSendRRQ:
3640-1#debug RRQ (seq# 29) sent to 172.16.13.35
Mar 4 01:31:24.462: h323chan_chn_process_read_socket
Mar 4 01:31:24.462: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data
Mar 4 01:31:24.462: h323chan_chn_process_read_socket: h323chan accepted/connected
Mar 4 01:31:24.462: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on so
ck[2]
Mar 4 01:31:24.466: RAS INCOMING ENCODE BUFFER::= 12 40001C06 0008914A
00030006 006F0067 006B0031 1E003800 31004600 35004500 32003400 38003000
30003000 30003000 30003000 310F8A01 0002003B 01000180
Mar 4 01:31:24.466:
Mar 4 01:31:24.466: RAS INCOMING PDU ::=
value RasMessage ::= registrationConfirm :
{
requestSeqNum 29
protocolIdentifier { 0 0 8 2250 0 3 }
callSignalAddress
{
}
gatekeeperIdentifier {"ogk1"}
endpointIdentifier {"81F5E24800000001"}
alternateGatekeeper
{
}
timeToLive 60
willRespondToIRR FALSE
maintainConnection TRUE
}
Mar 4 01:31:24.470: RCF (seq# 29) rcvd
Mar 4 01:32:00.220: H225 NONSTD OUTGOING PDU ::=
value ARQnonStandardInfo ::=
{
sourceAlias
{
}
sourceExtAlias
{
}
callingOctet3a 129
interfaceSpecificBillingId "ISDN-VOICE"
}
Mar 4 01:32:00.220: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 000008A0
01810B12 4953444E 2D564F49 4345
Mar 4 01:32:00.220:
Mar 4 01:32:00.220: H235 OUTGOING ENCODE BUFFER::= 61 000100C0
2B955C0F 08003200 32003200 32000006 006F0067 00770000
Mar 4 01:32:00.224:
Mar 4 01:32:00.224: RAS OUTGOING PDU ::=
value RasMessage ::= admissionRequest :
{
requestSeqNum 30
callType pointToPoint : NULL
callModel direct : NULL
endpointIdentifier {"81F5E24800000001"}
destinationInfo
{
e164 : "3653"
}
srcInfo
{
e164 : "5336",
h323-ID : {"ogw"}
}
bandWidth 1280
callReferenceValue 5
nonStandardData
{
nonStandardIdentifier h221NonStandard :
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
data '80000008A001810B124953444E2D564F494345'H
}
conferenceID 'E1575DA6175611CC8014A6051561649A'H
activeMC FALSE
answerCall FALSE
canMapAlias TRUE
callIdentifier
{
guid 'E1575DA6175611CC8015A6051561649A'H
}
cryptoTokens
!--- Only cryptoTokens are included, no clear ones.
{
cryptoEPPwdHash :
{
alias h323-ID : {"ogw"}
timeStamp 731208720
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "105475A4C0A833E7DE8E37AD3A8CDFF"
}
}
}
willSupplyUUIEs FALSE
}
Mar 4 01:32:00.236: RAS OUTGOING ENCODE BUFFER::= 27 88001D00 F0003800
31004600 35004500 32003400 38003000 30003000 30003000 30003000 31010180
69860201 80866940 02006F00 67007740 05000005 40B50000 12138000 0008A001
810B1249 53444E2D 564F4943 45E1575D A6175611 CC8014A6 05156164 9A056120
01801100 E1575DA6 175611CC 8015A605 1561649A 2A010402 006F0067 0077C02B
955C0F08 2A864886 F70D0205 00808010 5475A4C0 A833E7DE 8E370AD3 A8CDFF01 00
Mar 4 01:32:00.240: h323chan_dgram_send:Sent UDP msg. Bytes sent: 170 to
172.16.13.35:1719
Mar 4 01:32:00.240: RASLib::GW_RASSendARQ: ARQ (seq# 30) sent to 172.16.13.35
Mar 4 01:32:00.312: h323chan_chn_process_read_socket
Mar 4 01:32:00.312: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data
Mar 4 01:32:00.312: h323chan_chn_process_read_socket: fd (2) of type CONNECTED has data
Mar 4
3640-1#01:32:00.312: h323chan_chn_process_read_socket: h323chan accepted/connected
Mar 4 01:32:00.312: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on so
ck[2]
Mar 4 01:32:00.312: RAS INCOMING ENCODE BUFFER::= 2C 001D8001 00
Mar 4 01:32:00.312:
Mar 4 01:32:00.312: RAS INCOMING PDU ::=
value RasMessage ::= admissionReject :
!--- ARQ is rejected with a security denial reason.
{
requestSeqNum 30
rejectReason securityDenial : NULL
}
Mar 4 01:32:00.312: ARJ (seq# 30) rcvd
主要问题
您需要关注的主要问题包括:
-
网关和网守的配置
-
网守和RADIUS服务器上的RADIUS配置
-
网络时间协议(NTP) — 您必须在所有网关和网守上具有相同的时间。由于身份验证信息包含时间戳,因此必须同步所有Cisco H.323网关和网守(或执行身份验证的其他实体)。Cisco H.323网关必须使用NTP同步。
-
由于错误导致软件故障
不同级别的调试和呼叫流
由于所有级别的安全性都涵盖注册案例和每次呼叫案例,因此本练习将使用该级别的安全性来设置实验。注册部分和普通VoIP呼叫的呼叫流在此配置中说明。
注意:此处的配置不完整。调试输出之间会出现更多命令。它旨在显示如果您不检查所有内容(如配置、NTP和RADIUS),会发生什么问题。此外,网关在本地网守上进行身份验证,以便您能够查看为网关ID和密码设置的值。此配置被剪断,以便仅显示相关配置。
! interface Ethernet0/0 ip address 172.16.13.15 255.255.255.224 half-duplex h323-gateway voip interface h323-gateway voip id gka-1 ipaddr 172.16.13.35 1718 !--- The gatekeeper name is gka-1. h323-gateway voip h323-id gwa-1@cisco.com !--- The gateway H323-ID is gwa-1@cisco.com. h323-gateway voip tech-prefix 1# ! ! gateway ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 password ww logging synchronous end !--- No NTP is configured. !--- The snipped gatekeeper configuration is like this: ! aaa new-model aaa authentication login default local aaa authentication login h323 local aaa authorization exec default local aaa authorization exec h323 local aaa accounting connection h323 start-stop group radius ! username gwa-1 password 0 2222 username gwa-2 password 0 2222 ! gatekeeper zone local gka-1 cisco.com 172.16.13.35 security token required-for all !--- The gatekeeper is configured for the "All level security". no shutdown ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 password ww line vty 5 15 ! no scheduler max-task-time no scheduler allocate ntp master !--- This gatekeeper is set as an NTP master. ! end
以下调试在本示例中启用:
首先,网关向网守发送GRQ,网守向网关发送GCF。然后,网关发送RRQ并等待RCF或RRJ。
在上一配置中,网关未设置任何安全级别,因此其GRQ不提供令牌所需的authenticationCapability。但是,网守仍然发送回GCF,如以下输出所示:
*Mar 2 13:32:45.413: RAS INCOMING ENCODE BUFFER::= 00 A0000006
0008914A 000200AC 100D0FD2 C6088001 3C050401 00204002 00006700 6B006100
2D003102 400E0067 00770061 002D0031 00400063 00690073 0063006F 002E0063
006F006D 0080CC
*Mar 2 13:32:45.421:
*Mar 2 13:32:45.425: RAS INCOMING PDU ::=
value RasMessage ::= gatekeeperRequest :
{
requestSeqNum 1
protocolIdentifier { 0 0 8 2250 0 2 }
rasAddress ipAddress :
{
ip 'AC100D0F'H
port 53958
}
endpointType
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
gatekeeperIdentifier {"gka-1"}
endpointAlias
{
h323-ID : {"gwa-1@cisco.com"},
!--- The H.323-ID of the gateway is gwa-1@cisco.com.
e164 : "99"
}
}
*Mar 2 13:32:45.445: RAS OUTGOING PDU ::=
value RasMessage ::= gatekeeperConfirm :
{
requestSeqNum 1
protocolIdentifier { 0 0 8 2250 0 3 }
gatekeeperIdentifier {"gka-1"}
rasAddress ipAddress :
{
ip 'AC100D23'H
port 1719
}
}
!--- The gateway sends an RRQ message to the gatekeeper with the
!--- IP address sent in the GCF. This RRQ does not carry any Token information
!--- because security is not configured on the gateway.
*Mar 2 13:32:45.477: RAS INCOMING ENCODE BUFFER::= 0E C0000106 0008914A
00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020 40000240
0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00
80CC0800 67006B00 61002D00 3100B500 00120E8A 02003B01 000100
*Mar 2 13:32:45.489:
*Mar 2 13:32:45.493: RAS INCOMING PDU ::=
value RasMessage ::= registrationRequest :
{
requestSeqNum 2
protocolIdentifier { 0 0 8 2250 0 2 }
discoveryComplete TRUE
callSignalAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 1720
}
}
rasAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 53958
}
}
terminalType
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
terminalAlias
{
h323-ID : {"gwa-1@cisco.com"},
e164 : "99"
}
gatekeeperIdentifier {"gka-1"}
endpointVendor
{
vendor
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
}
timeToLive 60
keepAlive FALSE
willSupplyUUIEs FALSE
}
!--- Since the gateway does not include
!--- any tokens and the gatekeeper is set to authenticate
!--- all endpoints and calls, the gatekeeper rejects the gateway request.
!--- It sends an RRJ with the securityDenial reason.
*Mar 2 13:32:45.525: RAS OUTGOING PDU ::=
value RasMessage ::= registrationReject :
{
requestSeqNum 2
protocolIdentifier { 0 0 8 2250 0 3 }
rejectReason securityDenial : NULL
!--- Gatekeeper rejects the RRQ with security denial reason.
gatekeeperIdentifier {"gka-1"}
}
*Mar 2 13:32:45.529: RAS OUTGOING ENCODE BUFFER::= 14 80000106
0008914A 00038301 00080067 006B0061 002D0031
*Mar 2 13:32:45.533:
!--- Configure the security password 2222 level all command on the gateway.
!--- The configuration of the gateway appears like this:
!
gateway
security password 0356095954 level all
!--- The password is hashed.
!
!--- As soon as you make this change the gateway
!--- sends a new GRQ to the gatekeeper.
!--- You see the authenticationCapability and algorithmOIDs.
*Mar 2 13:33:15.551: RAS INCOMING ENCODE BUFFER::= 02 A0000206
0008914A 000200AC 100D0FD2 C6088001 3C050401 00204002 00006700 6B006100
2D003102 400E0067 00770061 002D0031 00400063 00690073 0063006F 002E0063
006F006D 0080CC0C 30020120 0A01082A 864886F7 0D0205
*Mar 2 13:33:15.563:
*Mar 2 13:33:15.567: RAS INCOMING PDU ::=
value RasMessage ::= gatekeeperRequest :
{
requestSeqNum 3
protocolIdentifier { 0 0 8 2250 0 2 }
rasAddress ipAddress :
{
ip 'AC100D0F'H
port 53958
}
endpointType
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
gatekeeperIdentifier {"gka-1"}
endpointAlias
{
h323-ID : {"gwa-1@cisco.com"},
e164 : "99"
}
authenticationCapability
{
pwdHash : NULL
}
algorithmOIDs
{
{ 1 2 840 113549 2 5 }
}
}
这解释了GRQ中的一些消息:
-
authenticationCapability — 此字段仅具有pwdHash值。它表示MD5散列是身份验证机制。
-
algorithmOIDs — 算法对象ID。在本例中,它带有值(1 2 840 113549 2 5),该值是消息摘要5散列的对象ID。
(1 2 840 113549 2 5)转换为iso(1)member-body(2)US(840)rsadsi(113549)digestAlgorithm(2)md5(5)。 因此,思科执行MD5密码散列。
Rsadsi代表RSA数据安全公司。RSA Data Security, Inc.的开放系统互联(OSI)对象标识符为1.2.840.113549(0x2a、0x86、0x48、0x86、0xf7、0x0d(十六进制),由美国国民党注册标准协会(ANSI)。
网守再次发送GCF作为上一条消息。然后,网关发送包含特定字段的RRQ,以描述其用于进行身份验证的令牌。本例中显示了发送的asn1 RRQ消息。
*Mar 2 13:33:15.635: RAS INCOMING ENCODE BUFFER::= 0E C0000306
0008914A 00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020
40000240 0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300
6F006D00 80CC0800 67006B00 61002D00 3100B500 00120EEA 02003B47 014D000A
2A864886 F70C0A01 0201C02B 92A53610 B9D84DAE 58F6CB4B 5EE5DFB6 B92DD281
01011E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00
6D000042 01040E00 67007700 61002D00 31004000 63006900 73006300 6F002E00
63006F00 6DC02B92 A536082A 864886F7 0D020500 80802B21 B94F3980 ED12116C
56B79F4B 4CDB0100 0100
*Mar 2 13:33:15.667:
*Mar 2 13:33:15.671: RAS INCOMING PDU ::=
value RasMessage ::= registrationRequest :
{
requestSeqNum 4
protocolIdentifier { 0 0 8 2250 0 2 }
discoveryComplete TRUE
callSignalAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 1720
}
}
rasAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 53958
}
}
terminalType
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
terminalAlias
{
h323-ID : {"gwa-1@cisco.com"},
e164 : "99"
}
gatekeeperIdentifier {"gka-1"}
endpointVendor
{
vendor
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
}
timeToLive 60
tokens
!--- Clear Token, or what is called CAT.
{
{
tokenOID { 1 2 840 113548 10 1 2 1 }
timeStamp 731030839
challenge 'B9D84DAE58F6CB4B5EE5DFB6B92DD281'H
random 1
generalID {"gwa-1@cisco.com"}
}
}
cryptoTokens
!--- CryptoToken field.
{
cryptoEPPwdHash :
{
alias h323-ID : {"gwa-1@cisco.com"}
timeStamp 731030839
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "2B21B94F3980ED12116C56B79F4B4CDB"
}
}
}
keepAlive FALSE
willSupplyUUIEs FALSE
}
在讨论响应之前,这里将解释上述RRQ消息中的一些相关字段。令牌有两种类型:清除令牌或CAT)和加密令牌。
如前所述,思科网守忽略加密令牌。但是,网关仍会发送这两种消息,因为它不知道它正在通话的网守类型。由于其他供应商可能使用加密令牌,因此网关会同时发送这两个令牌。
这解释了ClearToken语法。
-
tokenOID — 用于标识令牌的对象ID。
-
timeStamp — 网关的当前协调世界时(UTC)时间。自UTC 00:00 1/1/1970以来的秒数。
它用作隐含的CHAP质询,就像它最初来自网守一样。
-
challenge — 网关使用以下字段生成的16字节MD5消息摘要:
质询= [随机+ GW/用户密码+时间戳] MD5哈希
RADIUS执行此计算(因为它知道随机数、网关密码和CHAP质询)以确定质询应是什么:CHAP响应= [ CHAP ID +用户密码+ CHAP质询] MD5哈希
-
random - RADIUS用于标识此特定请求的一个字节值。
网关会为每个身份验证请求增加一个256的变量模块,以满足此RADIUS要求。
-
generalID — 网关H323-ID或基于安全级别和RAS消息类型的用户帐户号。
注意:所有这些字段都很重要。但是,对时间戳和generalID都给予了更多关注。在本例中,时间戳为731030839,generalID为gwa-1@cisco.com。
RRQ中的cryptoToken包含有关生成令牌的网关的信息。这包括网关ID(即网关上配置的H.323 ID)和网关密码。
此字段包含为H.225中指定的CryptoH323Token字段定义的一种cryptoToken类型。目前,仅支持的cryptoToken类型是cryptoEPPwdHash。
以下字段包含在cryptoEPPwdHash字段中:
-
alias — 网关别名,即网关的H.323 ID。
-
timestamp — 当前时间戳。
-
token — 消息摘要5(MD5)编码的PwdCertToken。此字段包含以下项目:
-
timestamp — 与cryptoEPPwdHash的时间戳相同。
-
password — 网关的密码。
-
generalID — 与cryptoEPPwdHash中包含的网关别名相同。
-
tokenID — 对象ID。
-
在本例中,查看来自网守的响应。
*Mar 2 13:33:15.723: RAS OUTGOING PDU ::=
value RasMessage ::= registrationReject :
{
requestSeqNum 4
protocolIdentifier { 0 0 8 2250 0 3 }
rejectReason securityDenial : NULL
!--- The gatekeeper rejects the RRQ with securityDenial reason.
gatekeeperIdentifier {"gka-1"}
}
*Mar 2 13:33:15.727: RAS OUTGOING ENCODE BUFFER::= 14 80000306 0008914A
00038301 00080067 006B0061 002D0031
*Mar 2 13:33:15.731:
RRQ被网守拒绝。原因是网关配置中未设置NTP。网守检查令牌的时间戳,以查看它是否在相对于其自身时间的可接受窗口内。当前,此窗口在网守的UTC时间前后为+/- 30秒。
此窗口外的令牌会导致网守丢弃此消息。这可以防止试图重新使用监听令牌的人发起重播攻击。实际上,所有网关和网守都需要使用NTP来避免这种时间偏差问题。网守发现令牌中的时间戳在其时间的可接受窗口内。因此,它不会与RADIUS进行验证。
然后,网关将配置为NTP,指向网守作为NTP主设备,以便网关和网守具有相同的时间。发生这种情况时,网关会发送新的RRQ,这次网守会用RRJ回复新的RRQ。
这些调试来自网守。调试运行以查看网守是否进入身份验证阶段。
Mar 2 13:57:41.313: RAS INCOMING ENCODE BUFFER::= 0E C0005906 0008914A
00028001 00AC100D 0F06B801 00AC100D 0FD2C608 80013C05 04010020 40000240
0E006700 77006100 2D003100 40006300 69007300 63006F00 2E006300 6F006D00
80CC0800 67006B00 61002D00 3100B500 00120EEA 02003B47 014D000A 2A864886
F70C0A01 0201C02B 9367D410 7DD4C637 B6DD4E34 0883A7E5 E12A2B78 012C1E00
67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00 6D000042
01040E00 67007700 61002D00 31004000 63006900 73006300 6F002E00 63006F00
6DC02B93 67D4082A 864886F7 0D020500 8080ED73 946B13E9 EAED6F4D FED13478
A6270100 0100
Mar 2 13:57:41.345:
Mar 2 13:57:41.349: RAS INCOMING PDU ::=
value RasMessage ::= registrationRequest :
{
requestSeqNum 90
protocolIdentifier { 0 0 8 2250 0 2 }
discoveryComplete TRUE
callSignalAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 1720
}
}
rasAddress
{
ipAddress :
{
ip 'AC100D0F'H
port 53958
}
}
terminalType
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
terminalAlias
{
h323-ID : {"gwa-1@cisco.com"},
e164 : "99"
}
gatekeeperIdentifier {"gka-1"}
endpointVendor
{
vendor
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
}
timeToLive 60
tokens
{
{
tokenOID { 1 2 840 113548 10 1 2 1 }
timeStamp 731080661
challenge '7DD4C637B6DD4E340883A7E5E12A2B78'H
random 44
generalID {"gwa-1@cisco.com"}
}
}
cryptoTokens
{
cryptoEPPwdHash :
{
alias h323-ID : {"gwa-1@cisco.com"}
timeStamp 731080661
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "ED73946B13E9EAED6F4DFED13478A627"
}
}
}
keepAlive FALSE
willSupplyUUIEs FALSE
}
Mar 2 13:57:41.401: AAA: parse name=<no string> idb type=-1 tty=-1
Mar 2 13:57:41.405: AAA/MEMORY: create_user (0x81416060) user='gwa-1@cisco.com'
ruser='NULL' ds0=0port='NULL' rem_addr='NULL' authen_type=CHAP
service=LOGIN priv=0 initial_task_id='0'
Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): port='' list='h323'
action=LOGIN service=LOGIN
Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): found list h323
Mar 2 13:57:41.405: AAA/AUTHEN/START (2845574558): Method=LOCAL
Mar 2 13:57:41.405: AAA/AUTHEN (2845574558): User not found, end of method list
Mar 2 13:57:41.405: AAA/AUTHEN (2845574558): status = FAIL
!--- Authentication fails. The user is not found on the list.
Mar 2 13:57:41.405: voip_chapstyle_auth: astruct.status = 2
Mar 2 13:57:41.405: AAA/MEMORY: free_user (0x81416060) user='gwa-1@cisco.com'
ruser='NULL' port='NULL' rem_addr='NULL' authen_type=CHAP service=LOGIN priv=0
Mar 2 13:57:41.409: RAS OUTGOING PDU ::=
value RasMessage ::= registrationReject :
{
requestSeqNum 90
protocolIdentifier { 0 0 8 2250 0 3 }
rejectReason securityDenial : NULL
gatekeeperIdentifier {"gka-1"}
}
配置NTP后,网守仍拒绝RRQ。但是,这次它将完成该网关的身份验证过程。网守拒绝RRQ,因为在RADIUS上的有效用户列表中找不到用户(此处为网关ID)。网关在网守配置中本地进行身份验证。在用户列表上,您会看到gwa-1。但是,这不是正确的用户,因为RRQ中的用户是gwa-1@cisco.com。
此外,一旦在网守上配置了username gwa-1@cisco.com password 0 2222命令,网守将确认RRQ并注册网关。
在本实验中,另一个网关(gwa-2)注册到同一网守(gka-1)。从gwa-1@cisco.com向gwa-2发出呼叫,以查看ARQ、ACF和设置消息的外观。
收集的这些调试来自始发网关和终端网关(gwa-2)。
其中包括一些调试消息的说明。
在从始发/终接网关打印调试之前,此文本将说明呼叫流:
-
当从PSTN接收SETUP消息时,网关向网守发送ARQ并从网守接收ACF。
-
当网关收到ACF时,网关使用网关密码、H323-ID别名和当前时间生成CAT。令牌被置于呼叫控制块(CCB)中。
-
当网关将SETUP消息发送到终端网关时,它从CCB检索访问令牌,并将其放在SETUP消息中clearToken的nonStandardParameter字段中。
-
终端网关从SETUP消息中删除令牌,将其从非StandardParameter转换为CAT,并将其置于ARQ中。
-
网守检查令牌的时间戳,以查看它是否在相对于其自身时间的可接受窗口内。当前,此窗口在网守的UTC时间前后为+/- 30秒。此窗口外的令牌会导致网守丢弃此消息。这会导致呼叫被拒绝。
-
如果令牌可接受,则网守将格式化RADIUS访问请求数据包,填写相应属性以验证CHAP质询,并将其发送到RADIUS服务器。
-
基于在服务器上已知网关别名的假设,服务器定位与此别名关联的密码,并使用别名、密码和来自网守的CHAP质询生成自己的CHAP响应。如果其CHAP响应与从网守接收的CHAP响应匹配,服务器会向网守发送“接入接受”数据包。如果它们不匹配,或者如果网关的别名不在服务器的数据库中,则服务器会向网守发回Access Reject数据包。
-
如果网守收到Access Accept(接入接受),则网关使用ACF响应;如果网守收到Access Reject(接入拒绝),则网守使用ARJ(原因代码安全拒绝)响应网关。如果网关收到ACF,则呼叫将连接。
此示例显示来自始发网关的调试。
注:此示例中不显示设置的h225 asn1调试,因为它与始发网关示例后的终端网关示例中所示相同。
Mar 2 19:39:07.376: cc_api_call_setup_ind (vdbPtr=0x6264AB2C,
callInfo={called=3653,called_oct3=0x81,calling=,calling_oct3=0x81,calling_oct3a=0x0,
calling_xlated=false,subscriber_type_str=RegularLine,fdest=1,peer_tag=5336,
prog_ind=3},callID=0x61DDC2A8)
Mar 2 19:39:07.376: cc_api_call_setup_ind type 13 , prot 0
Mar 2 19:39:07.376: cc_process_call_setup_ind (event=0x6231F0C4)
Mar 2 19:39:07.380: >>>>CCAPI handed cid 30 with tag 5336 to app "DEFAULT"
Mar 2 19:39:07.380: sess_appl: ev(24=CC_EV_CALL_SETUP_IND), cid(30), disp(0)
Mar 2 19:39:07.380: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(30), disp(0)
Mar 2 19:39:07.380: ssaCallSetupInd
Mar 2 19:39:07.380: ccCallSetContext (callID=0x1E, context=0x6215B5A0)
Mar 2 19:39:07.380: ssaCallSetupInd cid(30), st(SSA_CS_MAPPING),oldst(0),
ev(24)ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1
Mar 2 19:39:07.380: ssaCallSetupInd finalDest cllng(1#5336), clled(3653)
Mar 2 19:39:07.380: ssaCallSetupInd cid(30), st(SSA_CS_CALL_SETTING),oldst(0),
ev(24)dpMatchPeersMoreArg result= 0
Mar 2 19:39:07.380: ssaSetupPeer cid(30) peer list: tag(3653) called number (3653)
Mar 2 19:39:07.380: ssaSetupPeer cid(30), destPat(3653), matched(4), prefix(),
peer(62664554), peer->encapType (2)
Mar 2 19:39:07.380: ccCallProceeding (callID=0x1E, prog_ind=0x0)
Mar 2 19:39:07.380: ccCallSetupRequest (Inbound call = 0x1E, outbound peer =3653,
dest=, params=0x62327730 mode=0, *callID=0x62327A98, prog_ind = 3)
Mar 2 19:39:07.380: ccCallSetupRequest numbering_type 0x81
Mar 2 19:39:07.380: ccCallSetupRequest encapType 2 clid_restrict_disable 1
null_orig_clg 1 clid_transparent 0 callingNumber 1#5336
Mar 2 19:39:07.380: dest pattern 3653, called 3653, digit_strip 0
Mar 2 19:39:07.380: callingNumber=1#5336, calledNumber=3653, redirectNumber=
display_info= calling_oct3a=0
Mar 2 19:39:07.384: accountNumber=, finalDestFlag=1,
guid=6aef.3a87.165c.11cc.8040.d661.b74f.9390
Mar 2 19:39:07.384: peer_tag=3653
Mar 2 19:39:07.384: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=,
callParams={called=3653,called_oct3=0x81, calling=1#5336,calling_oct3=0x81,
calling_xlated=false, subscriber_type_str=RegularLine, fdest=1,
voice_peer_tag=3653},mode=0x0) vdbPtr type = 1
Mar 2 19:39:07.384: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=,
callParams={called=3653, called_oct3 0x81, calling=1#5336,calling_oct3
0x81, calling_xlated=false, fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-5)
Mar 2 19:39:07.384: ccSaveDialpeerTag (callID=0x1E, dialpeer_tag=0xE45)
Mar 2 19:39:07.384: ccCallSetContext (callID=0x1F, context=0x621545DC)
Mar 2 19:39:07.384: ccCallReportDigits (callID=0x1E, enable=0x0)
Mar 2 19:39:07.384: cc_api_call_report_digits_done (vdbPtr=0x6264AB2C,
callID=0x1E, disp=0)
Mar 2 19:39:07.384: sess_appl: ev(52=CC_EV_CALL_REPORT_DIGITS_DONE), cid(30),disp(0)
Mar 2 19:39:07.384: cid(30)st(SSA_CS_CALL_SETTING)ev(SSA_EV_CALL_REPORT_DIGITS_DONE)
oldst(SSA_CS_MAPPING)cfid(-1)csize(0)in(1)fDest(1)
Mar 2 19:39:07.384: -cid2(31)st2(SSA_CS_CALL_SETTING)oldst2(SSA_CS_MAPPING)
Mar 2 19:39:07.384: ssaReportDigitsDone cid(30) peer list: (empty)
Mar 2 19:39:07.384: ssaReportDigitsDone callid=30 Reporting disabled.
Mar 2 19:39:07.388: H225 NONSTD OUTGOING PDU ::=
value ARQnonStandardInfo ::=
{
sourceAlias
{
}
sourceExtAlias
{
}
interfaceSpecificBillingId "ISDN-VOICE"
}
Mar 2 19:39:07.388: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 00000820
0B124953 444E2D56 4F494345
Mar 2 19:39:07.388:
Mar 2 19:39:07.388: H235 OUTGOING ENCODE BUFFER::= 61 000100C0 2B93B7DA
08003200 32003200 3200001E 00670077 0061002D 00310040 00630069 00730063
006F002E 0063006F 006D0000
Mar 2 19:39:07.392:
Mar 2 19:39:07.392: RAS OUTGOING PDU ::=
value RasMessage ::= admissionRequest :
!--- The ARQ is sent to the gatekeeper.
{
requestSeqNum 549
callType pointToPoint : NULL
callModel direct : NULL
endpointIdentifier {"8155346000000001"}
destinationInfo
{
e164 : "2#3653"
}
srcInfo
{
e164 : "1#5336",
h323-ID : {"gwa-1@cisco.com"}
}
bandWidth 640
callReferenceValue 15
nonStandardData
{
nonStandardIdentifier h221NonStandard :
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
data '80000008200B124953444E2D564F494345'H
}
conferenceID '6AEF3A87165C11CC8040D661B74F9390'H
activeMC FALSE
answerCall FALSE
canMapAlias TRUE
callIdentifier
{
guid '6AEF3A87165C11CC8041D661B74F9390'H
}
tokens
!--- Token is included since there is an all level of security.
{
{
tokenOID { 1 2 840 113548 10 1 2 1 }
timeStamp 731101147
challenge '1CADDBA948A8291C1F134035C9613E3E'H
random 246
generalID {"gwa-1@cisco.com"}
}
}
cryptoTokens
{
cryptoEPPwdHash :
{
alias h323-ID : {"gwa-1@cisco.com"}
timeStamp 731101147
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "5760B7B4877335B7CD24BD24E4A2AA89"
}
}
}
willSupplyUUIEs FALSE
}
Mar 2 19:39:07.408: RAS OUTGOING ENCODE BUFFER::= 27 88022400 F0003800
31003500 35003300 34003600 30003000 30003000 30003000 30003000 31010280
50698602 02804086 69400E00 67007700 61002D00 31004000 63006900 73006300
6F002E00 63006F00 6D400280 000F40B5 00001211 80000008 200B1249 53444E2D
564F4943 456AEF3A 87165C11 CC8040D6 61B74F93 9004E320 01801100 6AEF3A87
165C11CC 8041D661 B74F9390 48014D00 0A2A8648 86F70C0A 010201C0 2B93B7DA
101CADDB A948A829 1C1F1340 35C9613E 3E0200F6 1E006700 77006100 2D003100
40006300 69007300 63006F00 2E006300 6F006D00 00420104 0E006700 77006100
2D003100 40006300 69007300 63006F00 2E006300 6F006DC0 2B93B7DA 082A8648
86F70D02 05008080 5760B7B4 877335B7 CD24BD24 E4A2AA89 0100
Mar 2 19:39:07.412: h323chan_dgram_send:Sent UDP msg. Bytes sent: 291 to
172.16.13.35:1719
Mar 2 19:39:07.416: RASLib::GW_RASSendARQ: ARQ (seq# 549) sent to 172.16.13.35
Mar 2 19:39:07.432: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719] on sock[1]
Mar 2 19:39:07.432: RAS INCOMING ENCODE BUFFER::= 2B 00022440 028000AC
100D1706 B800EF1A 00C00100 020000
Mar 2 19:39:07.432:
Mar 2 19:39:07.432: RAS INCOMING PDU ::=
value RasMessage ::= admissionConfirm :
!--- Received from the gatekeeper with no tokens.
{
requestSeqNum 549
bandWidth 640
callModel direct : NULL
destCallSignalAddress ipAddress :
{
ip 'AC100D17'H
port 1720
}
irrFrequency 240
willRespondToIRR FALSE
uuiesRequested
{
setup FALSE
callProceeding FALSE
connect FALSE
alerting FALSE
information FALSE
releaseComplete FALSE
facility FALSE
progress FALSE
empty FALSE
}
}
Mar 2 19:39:07.436: ACF (seq# 549) rcvd
此示例显示来自终端网关(TGW)的调试。 请注意,TGW自获得ACF后已设置第二个支路,并且呼叫已连接。
Mar 2 19:39:07.493: PDU DATA = 6147C2BC
value H323_UserInformation ::=
{
h323-uu-pdu
{
h323-message-body setup :
{
protocolIdentifier { 0 0 8 2250 0 2 }
sourceAddress
{
h323-ID : {"gwa-1@cisco.com"}
!--- Setup is sent from gwa-1@cisco.com gateway.
}
sourceInfo
{
gateway
{
protocol
{
voice :
{
supportedPrefixes
{
{
prefix e164 : "1#"
}
}
}
}
}
mc FALSE
undefinedNode FALSE
}
activeMC FALSE
conferenceID '6AEF3A87165C11CC8040D661B74F9390'H
conferenceGoal create : NULL
callType pointToPoint : NULL
sourceCallSignalAddress ipAddress :
{
ip 'AC100D0F'H
port 11032
}
callIdentifier
{
guid '6AEF3A87165C11CC8041D661B74F9390'H
}
tokens
!--- Setup includes the Clear Token (CAT).
{
{
tokenOID { 1 2 840 113548 10 1 2 1 }
timeStamp 731101147
challenge 'AFBAAFDF79446B9D8CE164DB8C111A87'H
random 247
generalID {"gwa-1@cisco.com"}
nonStandard
{
nonStandardIdentifier { 0 1 2 4 }
data '2B93B7DBAFBAAFDF79446B9D8CE164DB8C111A87...'H
}
}
}
fastStart
{
'0000000C6013800A04000100AC100D0F4673'H,
'400000060401004C6013801114000100AC100D0F...'H
}
mediaWaitForConnect FALSE
canOverlapSend FALSE
}
h245Tunneling TRUE
nonStandardControl
{
{
nonStandardIdentifier h221NonStandard :
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
data 'E001020001041504039090A31803A983811E0285...'H
}
}
}
}
RAW_BUFFER::=
E0 01020001 04150403 9090A318 03A98381 1E028583 70058133 36353302 80060004
00000003
Mar 2 19:39:07.509: PDU DATA = 6147F378
value H323_UU_NonStdInfo ::=
{
version 2
protoParam qsigNonStdInfo :
{
iei 4
rawMesg '04039090A31803A983811E028583700581333635...'H
}
progIndParam progIndIEinfo :
{
progIndIE '00000003'H
}
}
PDU DATA = 6147F378
value ARQnonStandardInfo ::=
{
sourceAlias
{
}
sourceExtAlias
{
}
}
RAW_BUFFER::=
00 0000
Mar 2 19:39:07.517: RAW_BUFFER::=
61 000100C0 2B93B7DA 08003200 32003200 3200000A 00670077 0061002D
00320000
Mar 2 19:39:07.517: PDU DATA = 6147C2BC
value RasMessage ::= admissionRequest :
!--- An answer ARQ is sent to the gatekeeper to authenticate the caller.
{
requestSeqNum 22
callType pointToPoint : NULL
callModel direct : NULL
endpointIdentifier {"81F5989C00000002"}
destinationInfo
{
e164 : "2#3653"
}
srcInfo
{
e164 : "1#5336"
}
srcCallSignalAddress ipAddress :
{
ip 'AC100D0F'H
port 11032
}
bandWidth 640
callReferenceValue 2
nonStandardData
{
nonStandardIdentifier h221NonStandard :
{
t35CountryCode 181
t35Extension 0
manufacturerCode 18
}
data '000000'H
}
conferenceID '6AEF3A87165C11CC8040D661B74F9390'H
activeMC FALSE
answerCall TRUE
canMapAlias FALSE
callIdentifier
{
guid '6AEF3A87165C11CC8041D661B74F9390'H
}
tokens
!--- CAT is included.
{
{
tokenOID { 0 4 0 1321 1 2 }
timeStamp 731101147
challenge 'AFBAAFDF79446B9D8CE164DB8C111A87'H
random 247
generalID {"gwa-1@cisco.com"}
}
}
cryptoTokens
{
cryptoEPPwdHash :
{
alias h323-ID : {"gwa-2"}
timeStamp 731101147
token
{
algorithmOID { 1 2 840 113549 2 5 }
paramS
{
}
hash "8479E7DE63AC17C6A46E9E19659568"
}
}
}
willSupplyUUIEs FALSE
}
RAW_BUFFER::=
27 98001500 F0003800 31004600 35003900 38003900 43003000 30003000 30003000
30003000 32010280 50698601 02804086 6900AC10 0D0F2B18 40028000 0240B500
00120300 00006AEF 3A87165C 11CC8040 D661B74F 939044E3 20010011 006AEF3A
87165C11 CC8041D6 61B74F93 9044014D 00060400 8A290102 C02B93B7 DA10AFBA
AFDF7944 6B9D8CE1 64DB8C11 1A870200 F71E0067 00770061 002D0031 00400063
00690073 0063006F 002E0063 006F006D 00002E01 04040067 00770061 002D0032
C02B93B7 DA082A86 4886F70D 02050080 808479E7 0DE63AC1 7C6A46E9 E1965905
680100
Mar 2 19:39:07.533: h323chan_dgram_send:Sent UDP msg. Bytes sent: 228
to 172.16.13.35:1719
Mar 2 19:39:07.533: RASLib::GW_RASSendARQ: ARQ (seq# 22) sent to 172.16.13.35
Mar 2 19:39:07.549: h323chan_dgram_recvdata:rcvd from [172.16.13.35:1719]
on sock[1]
RAW_BUFFER::=
2B 00001540 028000AC 100D1706 B800EF1A 00C00100 020000
Mar 2 19:39:07.549: PDU DATA = 6147C2BC
value RasMessage ::= admissionConfirm :
!--- ACF is received from the gatekeeper.
{
requestSeqNum 22
bandWidth 640
callModel direct : NULL
destCallSignalAddress ipAddress :
{
ip 'AC100D17'H
port 1720
}
irrFrequency 240
willRespondToIRR FALSE
uuiesRequested
{
setup FALSE
callProceeding FALSE
connect FALSE
alerting FALSE
information FALSE
releaseComplete FALSE
facility FALSE
progress FALSE
empty FALSE
}
}
Mar 2 19:39:07.553: ACF (seq# 22) rcvd
Mar 2 19:39:07.553: cc_api_call_setup_ind (vdbPtr=0x61BC92EC,
callInfo={called=2#3653,called_oct3=0x81,calling=1#5336,calling_oct3=0x81,
calling_oct3a=0x0,subscriber_type_str=Unknown, fdest=1 peer_tag=5336,
prog_ind=3},callID=0x6217CC64)
Mar 2 19:39:07.553: cc_api_call_setup_ind type 0 , prot 1
Mar 2 19:39:07.553: cc_api_call_setup_ind (vdbPtr=0x61BC92EC,
callInfo={called=2#3653, calling=1#5336, fdest=1 peer_tag=5336},
callID=0x6217CC64)
Mar 2 19:39:07.553: cc_process_call_setup_ind (event=0x61E1EAFC)
Mar 2 19:39:07.553: >>>>CCAPI handed cid 9 with tag 5336 to app "DEFAULT"
Mar 2 19:39:07.553: sess_appl: ev(25=CC_EV_CALL_SETUP_IND), cid(9), disp(0)
Mar 2 19:39:07.553: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(9), disp(0)
Mar 2 19:39:07.553: ssaCallSetupInd
Mar 2 19:39:07.553: ccCallSetContext (callID=0x9, context=0x62447A28)
Mar 2 19:39:07.553: ssaCallSetupInd cid(9), st(SSA_CS_MAPPING),oldst(0),
ev(25)ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1
Mar 2 19:39:07.553: ssaCallSetupInd finalDest cllng(1#5336), clled(2#3653)
Mar 2 19:39:07.553: ssaCallSetupInd cid(9), st(SSA_CS_CALL_SETTING),oldst(0),
ev(25)dpMatchPeersMoreArg result= 0
Mar 2 19:39:07.557: ssaSetupPeer cid(9) peer list: tag(3653)
called number (2#3653)
Mar 2 19:39:07.557: ssaSetupPeer cid(9), destPat(2#3653), matched(5),
prefix(21), peer(620F1EF0), peer->encapType (1)
Mar 2 19:39:07.557: ccCallProceeding (callID=0x9, prog_ind=0x0)
Mar 2 19:39:07.557: ccCallSetupRequest (Inbound call = 0x9, outbound peer
=3653, dest=, params=0x61E296C0 mode=0, *callID=0x61E299D0, prog_ind = 3)
Mar 2 19:39:07.557: ccCallSetupRequest numbering_type 0x81
Mar 2 19:39:07.557: dest pattern 2#3653, called 2#3653, digit_strip 1
Mar 2 19:39:07.557: callingNumber=1#5336, calledNumber=2#3653,
redirectNumber=display_info= calling_oct3a=0
Mar 2 19:39:07.557: accountNumber=, finalDestFlag=1,
guid=6aef.3a87.165c.11cc.8040.d661.b74f.9390
Mar 2 19:39:07.557: peer_tag=3653
Mar 2 19:39:07.557: ccIFCallSetupRequestPrivate: (vdbPtr=0x61E4473C, dest=,
callParams={called=2#3653,called_oct3=0x81, calling=1#5336,calling_oct3=0x81,
subscriber_type_str=Unknown, fdest=1, voice_peer_tag=3653},mode=0x0) vdbPtr
type = 6
Mar 2 19:39:07.557: ccIFCallSetupRequestPrivate: (vdbPtr=0x61E4473C, dest=,
callParams={called=2#3653, called_oct3 0x81, calling=1#5336,calling_oct3 0x81,
fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-4)
Mar 2 19:39:07.557: ccSaveDialpeerTag (callID=0x9, dialpeer_tag=
Mar 2 19:39:07.557: ccCallSetContext (callID=0xA, context=0x6244D9EC)
Mar 2 19:39:07.557: ccCallReportDigits (callID=0x9, enable=0x0)
网关 IOS 问题
在同一实验中,OGW上加载了IOS映像12.2(6a)。呼叫时,会注意到OGW仍根据其密码发送清除令牌,即使网关未配置为IVR收集帐户/PIN。此外,为所有级别配置的网守都接受该呼叫。这记录在Cisco Bug ID CSCdw43224(仅限注册客户)中。
带备选终点的安全性
如本文档前面所述,使用RAS/H.225消息中的clearTokens字段发送的访问令牌,可提供端到端呼叫安全。当启用这种安全性时,源网关将从ACF中的网守接收的访问令牌转发到H.225 SETUP消息中的目标H.323终端。然后,此目标H.323终端将SETUP消息中接收的访问令牌转发到其准入请求中的网守。通过这样,它使远程网守能够根据访问令牌的有效性来允许呼叫。访问令牌的内容取决于生成该令牌的实体。为了最小化安全漏洞并防止中间人攻击,网守可以在访问令牌中对目标特定信息进行编码。这意味着当在ACF中提供alternateEndpoints时,网守可以为指定的每个alternateEndpoint提供单独的访问令牌。
当首次尝试建立连接时,思科网关将在ACF的clearToken字段中收到的访问令牌发送到destCallSignalAddress字段中的地址。如果此尝试失败,并且思科网关继续尝试与备用终端建立连接,则使用alternateEndpoints列表中的关联访问令牌(如果可用)。如果在ACF中接收的alternateEndpoints列表不包括访问令牌,但ACF包括访问令牌,则思科网关在所有尝试连接备用终端时都包括此访问令牌。
OSP 令牌支持
目前,只有思科网关支持开放式结算协议(OSP)及其令牌。网守不支持。网关识别从结算服务器接收的OSP令牌,并将它们插入到Q.931设置消息到终端网关。
各端点或区域的不同安全级别
目前,您无法为每个终端或区域配置不同的安全级别。安全级别适用于该网守管理的所有区域。可以针对此问题打开功能请求。
域间网守到网守安全
域间网守到网守安全提供了按跳验证域内和域间网守到网守请求的能力。这意味着,如果网守决定向前转发LRQ,则目的网守会终止CAT并生成新的网守。如果网守检测到无效的LRQ签名,则会通过发送位置拒绝(LRJ)做出响应。
实施网守到网守安全
当LRQ被启动或ACF即将在区域内呼叫的情况下发送时,始发网守生成IZCT。此令牌通过其路由路径。在路径中,每个网守更新目标网守ID和/或源网守ID(如果需要),以反映区域信息。终端网守使用其密码生成令牌。此令牌在位置确认(LCF)消息中返回并传递给OGW。OGW在H.225 SETUP消息中包含此令牌。当TGW收到令牌时,它以ARQ answerCall转发,并由终端网守(TGK)验证,而无需RADIUS服务器。
身份验证类型基于ITU H.235中所述的带散列的密码。具体而言,加密方法是MD5带密码散列。
IZCT的目的是了解LRQ是否从外部域、从哪个区域以及从哪个运营商到达。它还用于从TGK向LCF中的OGW传递令牌。在IZCT格式中,需要以下信息:
-
srcCarrierID — 源载波标识
-
dstCarrierID — 目标载波标识
-
intCarrierID — 中间载波标识
-
srcZone — 源区域
-
dstZone — 目标区域
-
区域间类型
-
INTRA_DOMAIN_CISCO
-
域间思科
-
INTRA_DOMAIN_TERM_NOT_CISCO
-
INTER_DOMAIN_ORIG_NOT_CISCO
-
此功能运行正常,无需网关或载波敏感路由(CSR)服务器的载波ID。在这种情况下,有关运营商ID的字段为空。此处的示例不包括任何运营商ID。有关详细的呼叫流程、版本和平台支持以及配置,请参阅域间网守安全增强。
网守配置
IZCT功能要求在网守上进行此配置。
Router(gk-config)# [no] security izct password
密码需要6到8个字符。识别外部域中的区域,如下所示:
Router(config-gk)# zone remote other-gatekeeper-name other-domain-name other-gatekeeper-ip-address [port-number] [cost cost-value [priority priority-value]] [foreign-domain]
IZCT 呼叫流
此图显示IZCT流。
在此配置中,网关和网守的名称与IZCT呼叫流程图中使用的名称相同,但大小写更小。在配置后解释呼叫流,并说明调试说明。
为了解释IZCT功能和呼叫流,第一个示例没有网守安全的域内网关。之后,TGW无法生成IZCT,以便TGK1拒绝呼叫的示例。这是为了说明该功能按设计工作。所有这些设置均基于IZCT呼叫流程图中的拓扑。
示例 1:仅网守到网守安全的呼叫流
本示例显示所有网关和网守的相关配置。
| OGW配置 | TGW配置 |
|---|---|
! hostname ogw !controller E1 3/0 pri-group timeslots 1-2,16 ! interface Ethernet0/0 ip address 172.16.13.15 255.255.255.224 half-duplex h323-gateway voip interface h323-gateway voip id ogk1 ipaddr 172.16.13.35 1718 h323-gateway voip h323-id ogw h323-gateway voip tech-prefix 1# ! voice-port 3/0:15 ! dial-peer voice 5336 pots incoming called-number . destination-pattern 5336 direct-inward-dial port 3/0:15 prefix 21 ! dial-peer voice 3653 voip incoming called-number . destination-pattern 3653 session target ras dtmf-relay h245-alphanumeric codec g711ulaw ! gateway ! ntp clock-period 17178791 ntp server 172.16.13.35 end |
hostname tgw ! controller E1 0 clock source line primary ds0-group 0 timeslots 1-2 type r2-digital r2-compelled ! interface Ethernet0 ip address 172.16.13.23 255.255.255.224 h323-gateway voip interface h323-gateway voip id tgk1 ipaddr 172.16.13.41 1718 h323-gateway voip h323-id tgw h323-gateway voip tech-prefix 2# ! voice-port 0:0 compand-type a-law ! dial-peer voice 3653 pots application test1 incoming called-number . destination-pattern 3653 port 0:0 prefix 21 ! dial-peer voice 5336 voip incoming called-number . destination-pattern 5336 session target ras dtmf-relay h245-alphanumeric codec g711ulaw ! gateway ! ntp clock-period 17179814 ntp server 172.16.13.35 end |
| OGK1配置 | TGK1配置 |
|---|---|
! hostname ogk1 ! interface Ethernet0/0 ip address 172.16.13.35 255.255.255.224 half-duplex ! gatekeeper zone local ogk1 domainA.com 172.16.13.35 zone remote ogk2 domainA.com 172.16.13.14 1719 zone prefix ogk2 36* zone prefix ogk1 53* security izct password 111222 gw-type-prefix 1#* default- technology no shutdown ! ! no scheduler max-task-time no scheduler allocate ntp master ! end |
! hostname tgk1 ! interface Ethernet0/0 ip address 172.16.13.41 255.255.255.224 ip directed-broadcast half-duplex ! gatekeeper zone local tgk1 domainB.com 172.16.13.41 zone remote tgk2 domainB.com 172.16.13.16 1719 zone prefix tgk1 36* zone prefix tgk2 53* security izct password 111222 gw-type-prefix 2#* default- technology no shutdown ! ntp clock-period 17179797 ntp server 172.16.13.35 ! end |
| OGK2配置 | TGK2配置 |
|---|---|
! hostname ogk2 ! interface Ethernet0/0 ip address 172.16.13.14 255.255.255.224 full-duplex ! gatekeeper zone local ogk2 domainA.com zone remote ogk1 domainA.com 172.16.13.35 1719 zone remote tgk2 domainB.com 172.16.13.16 1719 foreign-domain zone prefix tgk2 36* zone prefix ogk1 53* security izct password 111222 lrq forward-queries no shutdown ! ntp clock-period 17208242 ntp server 172.16.13.35 ! end |
! hostname tgk2 ! interface Ethernet0/0 ip address 172.16.13.16 255.255.255.224 half-duplex ! gatekeeper zone local tgk2 domainB.com zone remote tgk1 domainB.com 172.16.13.41 1719 zone remote ogk2 domainA.com 172.16.13.14 1719 foreign-domain zone prefix tgk1 36* zone prefix ogk2 53* security izct password 111222 lrq forward-queries no shutdown ! ntp clock-period 17179209 ntp server 172.16.13.35 ! end |
带调试的呼叫流
这些示例使用调试来解释呼叫流。
-
运营商E上的用户呼叫运营商D上的用户。
Mar 4 15:31:19.989: cc_api_call_setup_ind (vdbPtr=0x6264ADF0, callInfo={called=3653, called_oct3=0x80,calling=4085272923,calling_oct3=0x21,calling_oct3a=0x80 calling_xlated=false,subscriber_type_str=RegularLine,fdest=1,peer_tag=5336, prog_ind=0},callID=0x6219F9F0) Mar 4 15:31:19.993: cc_api_call_setup_ind type 13 , prot 0 Mar 4 15:31:19.993: cc_process_call_setup_ind (event=0x6231A6B4) Mar 4 15:31:19.993: >>>>CCAPI handed cid 7 with tag 5336 to app "DEFAULT" Mar 4 15:31:19.993: sess_appl: ev(24=CC_EV_CALL_SETUP_IND), cid(7), disp(0) Mar 4 15:31:19.993: sess_appl: ev(SSA_EV_CALL_SETUP_IND), cid(7), disp(0) Mar 4 15:31:19.993: ssaCallSetupInd Mar 4 15:31:19.993: ccCallSetContext (callID=0x7, context=0x621533F0) Mar 4 15:31:19.997: ssaCallSetupInd cid(7), st(SSA_CS_MAPPING),oldst(0), ev(24) ev->e.evCallSetupInd.nCallInfo.finalDestFlag = 1 Mar 4 15:31:19.997: ssaCallSetupInd finalDest cllng(4085272923), clled(3653) Mar 4 15:31:19.997: ssaCallSetupInd cid(7), st(SSA_CS_CALL_SETTING),oldst(0), ev(24)dpMatchPeersMoreArg result= 0 Mar 4 15:31:19.997: ssaSetupPeer cid(7) peer list: tag(3653) called number (3653) Mar 4 15:31:19.997: ssaSetupPeer cid(7), destPat(3653), matched(4), prefix(), peer(626640B0), peer->encapType (2) Mar 4 15:31:19.997: ccCallProceeding (callID=0x7, prog_ind=0x0) Mar 4 15:31:19.997: ccCallSetupRequest (Inbound call = 0x7, outbound peer=3653, dest=, params=0x62327730 mode=0, *callID=0x62327A98, prog_ind = 0) Mar 4 15:31:19.997: ccCallSetupRequest numbering_type 0x80 Mar 4 15:31:19.997: ccCallSetupRequest encapType 2 clid_restrict_disable 1 null _orig_clg 0 clid_transparent 0 callingNumber 4085272923 Mar 4 15:31:19.997: dest pattern 3653, called 3653, digit_strip 0 Mar 4 15:31:19.997: callingNumber=4085272923, calledNumber=3653, redirectNumber = display_info= calling_oct3a=80 Mar 4 15:31:19.997: accountNumber=, finalDestFlag=1, guid=221b.686c.17cc.11cc.8010.a049.e052.4766 Mar 4 15:31:19.997: peer_tag=3653 Mar 4 15:31:19.997: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653,called_oct3=0x80, calling=4085272923,calling_oct3=0x21, calling_xlated=false, subscriber_type_str=RegularLine, fdest=1, voice_peer_tag=365 3},mode=0x0) vdbPtr type = 1 Mar 4 15:31:19.997: ccIFCallSetupRequestPrivate: (vdbPtr=0x621B2360, dest=, callParams={called=3653, called_oct3 0x80, calling=4085272923,calling_oct3 0x21, calling_xlated=false, fdest=1, voice_peer_tag=3653}, mode=0x0, xltrc=-5) Mar 4 15:31:20.001: ccSaveDialpeerTag (callID=0x7, dialpeer_tag=0xE45) Mar 4 15:31:20.001: ccCallSetContext (callID=0x8, context=0x6215388C) Mar 4 15:31:20.001: ccCallReportDigits (callID=0x7, enable=0x0) -
由于始发网关的拨号对等体(tag=3653)配置为RAS,因此它向OGK1发送ARQ。
Mar 4 15:31:20.001: H225 NONSTD OUTGOING PDU ::= value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } callingOctet3a 128 interfaceSpecificBillingId "ISDN-VOICE" } Mar 4 15:31:20.005: H225 NONSTD OUTGOING ENCODE BUFFER::= 80 000008A0 01800B12 4953444E 2D564F49 4345 Mar 4 15:31:20.005: Mar 4 15:31:20.005: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : !--- ARQ is sent out to ogk1. { requestSeqNum 1109 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"81567A4000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923", h323-ID : {"ogw"} } bandWidth 640 callReferenceValue 4 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008A001800B124953444E2D564F494345'H } conferenceID '221B686C17CC11CC8010A049E0524766'H activeMC FALSE answerCall FALSE canMapAlias TRUE callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } willSupplyUUIEs FALSE } Mar 4 15:31:20.013: RAS OUTGOING ENCODE BUFFER::= 27 88045400 F0003800 31003500 36003700 41003400 30003000 30003000 30003000 30003000 31010180 69860204 8073B85A 5C564002 006F0067 00774002 80000440 B5000012 13800000 08A00180 0B124953 444E2D56 4F494345 221B686C 17CC11CC 8010A049 E0524766 04E02001 80110022 1B686C17 CC11CC80 11A049E0 52476601 00 Mar 4 15:31:20.017: h323chan_dgram_send:Sent UDP msg. Bytes sent: 130 to 172.16.13.35:1719 Mar 4 15:31:20.017: RASLib::GW_RASSendARQ: ARQ (seq# 1109) sent to 172.16.13.35 -
当OGK1收到ARQ时,它确定目的地由远程区域OGK2提供服务。然后它确定需要IZCT(通过CLI:security izct password <pwd>)。OGK1在发送LRQ之前继续创建IZCT。然后,它将IZCT和LRQ发送到OGK2,并将RIP消息发回OGW。
Mar 4 15:31:19.927: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 6 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:19.935: H225 NONSTD OUTGOING ENCODE BUFFER::= 82 86B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:19.939: Mar 4 15:31:19.939: PDU ::= value IZCToken ::= !--- The gatekeeper creates and sends out the IZCT. { izctInterZoneType intraDomainCisco : NULL !--- The destination is in the same domain, it is intraDomainCisco type. izctSrcZone "ogk1" !--- The source zone is ogk1. ) Mar 4 15:31:19.943: ENCODE BUFFER::= 07 00C06F67 6B310473 72630464 73740469 6E74 Mar 4 15:31:19.947: Mar 4 15:31:19.947: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- LRQ is sent out to ogk2. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8286B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '0700C06F676B31047372630464737404696E74'H } } } } Mar 4 15:31:19.967: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288286 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C56400 2 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 802B0100 80092A 86 4886F70C 0A010009 2A864886 F70C0A01 00130700 C06F676B 31047372 63046473 74046 96E 74 Mar 4 15:31:19.983: Mar 4 15:31:19.987: IPSOCK_RAS_sendto: msg length 122 from 172.16.13.35:1719 to 172.16.13.14: 1719 Mar 4 15:31:19.987: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.14 Mar 4 15:31:19.987: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- RIP message is sent back to OGW. { requestSeqNum 1109 delay 9000 } Mar 4 15:31:19.991: RAS OUTGOING ENCODE BUFFER::= 80 05000454 2327 Mar 4 15:31:19.991: Mar 4 15:31:19.991: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.35:1719 to 172.16.13.15: 57076 Mar 4 15:31:19.991: RASLib::RASSendRIP: RIP (seq# 1109) sent to 172.16.13.15 -
当OGK2收到LRQ时,它会检查IZCT。从配置中,它发现LRQ也需要包含IZCT。然后,OGK2通过将izctSrcZone和izctDstZone更改为ogk2来创建新的IZCT,并将LRQ转发到TGK2。在将LRQ发送到TGK2后,它会向OGK1发回RIP消息。
如果网守是集群的一部分,则集群名称用于SrcZone或DstZone。
Mar 4 15:31:20.051: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- RIP message is sent back to OGK1. { requestSeqNum 2048 delay 6000 } Mar 4 15:31:20.055: RAS OUTGOING ENCODE BUFFER::= 80 050007FF 176F Mar 4 15:31:20.055: Mar 4 15:31:20.055: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.14:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.059: RASLib::RASSendRIP: RIP (seq# 2048) sent to 172.16.13.35 Mar 4 15:31:20.059: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 5 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:20.063: H225 NONSTD OUTGOING ENCODE BUFFER::= 82 06B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:20.072: Mar 4 15:31:20.072: PDU ::= value IZCToken ::= { izctInterZoneType intraDomainCisco : NULL !--- This is still intraDomain since message OGK1 is !--- not a foreign domain. izctSrcZone "ogk2" !--- ScrZone and DstZone become ogk2. izctDstZone "ogk2" } Mar 4 15:31:20.076: ENCODE BUFFER::= 47 00C06F67 6B32066F 676B3204 73726304 64737404 696E74 Mar 4 15:31:20.080: Mar 4 15:31:20.080: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- The LRQ is forwarded to TGK2. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8206B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '4700C06F676B32066F676B320473726304647374...'H } } } } Mar 4 15:31:20.104: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288206 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C564002 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 80300100 80092A86 4886F70C 0A010009 2A864886 F70C0A01 00184700 C06F676B 32066F67 6B320473 72630464 73740469 6E74 Mar 4 15:31:20.120: Mar 4 15:31:20.120: IPSOCK_RAS_sendto: msg length 127 from 172.16.13.14:1719 to 172.16.13.16: 1719 Mar 4 15:31:20.124: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.16 -
TGK2确定LRQ来自外域。它使用自己的ID和interZoneType更新IZCT的dstZone,并将其作为INTER_DOMAIN_CISCO。然后创建新的CAT,并将更新的IZCT和LRQ传递到TGK1。
TGK2将从其接收LRQ的区域视为以下两种情况之一的外域区域:
-
TGK2的远程区域列表不包含从中接收LRQ的区域。
-
TGK2的远程区域列表包含从中接收LRQ的区域。区域标有外域标志。
然后,它会向OGK1发回“请求中”消息。
Mar 4 15:31:20.286: RAS OUTGOING PDU ::= value RasMessage ::= requestInProgress : !--- The RIP message is sent back to !--- OGK1 since lrq-forward queries are configured on OGK2 and TGK2. { requestSeqNum 2048 delay 6000 } Mar 4 15:31:20.286: RAS OUTGOING ENCODE BUFFER::= 80 050007FF 176F Mar 4 15:31:20.286: Mar 4 15:31:20.286: IPSOCK_RAS_sendto: msg length 7 from 172.16.13.16:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.286: RASLib::RASSendRIP: RIP (seq# 2048) sent to 172.16.13.35 Mar 4 15:31:20.286: H225 NONSTD OUTGOING PDU ::= value LRQnonStandardInfo ::= { ttl 4 nonstd-callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } callingOctet3a 128 gatewaySrcInfo { e164 : "4085272923", h323-ID : {"ogw"} } } Mar 4 15:31:20.290: H225 NONSTD OUTGOING ENCODE BUFFER::= 81 86B01100 221B686C 17CC11CC 8011A049 E0524766 01801002 048073B8 5A5C5640 02006F00 670077 Mar 4 15:31:20.290: Mar 4 15:31:20.290: PDU ::= value IZCToken ::= !--- The IZCT information. { izctInterZoneType interDomainCisco : NULL !--- The zone type is interDomain since the OGK2 !--- in a foreign domain is configured in TGK2. izctSrcZone "ogk2" !--- SrcZone is still ogk2. izctDstZone "tgk2" !--- DstZone changed to tgk2. } Mar 4 15:31:20.294: ENCODE BUFFER::= 47 20C06F67 6B320674 676B3204 73726304 64737404 696E74 Mar 4 15:31:20.294: Mar 4 15:31:20.294: RAS OUTGOING PDU ::= value RasMessage ::= locationRequest : !--- LRQ is sent to TGK1. { requestSeqNum 2048 destinationInfo { e164 : "3653" } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '8186B01100221B686C17CC11CC8011A049E05247...'H } replyAddress ipAddress : { ip 'AC100D23'H port 1719 } sourceInfo { h323-ID : {"ogk1"} } canMapAlias TRUE tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '4720C06F676B320674676B320473726304647374...'H } } } } Mar 4 15:31:20.302: RAS OUTGOING ENCODE BUFFER::= 4A 8007FF01 01806986 40B50000 12288186 B0110022 1B686C17 CC11CC80 11A049E0 52476601 80100204 8073B85A 5C564002 006F0067 007700AC 100D2306 B70BA00B 01400300 6F006700 6B003101 80300100 80092A86 4886F70C 0A010009 2A864886 F70C0A01 00184720 C06F676B 32067467 6B320473 72630464 73740469 6E74 Mar 4 15:31:20.306: Mar 4 15:31:20.306: IPSOCK_RAS_sendto: msg length 127 from 172.16.13.16:1719 to 172.16.13.41: 1719 Mar 4 15:31:20.306: RASLib::RASSendLRQ: LRQ (seq# 2048) sent to 172.16.13.41 -
-
通常,TGK1会将IZCT的dstCarrierID更新到运营商E,由路由过程确定。但是,由于没有使用任何载波,您看不到这一点。TGK1使用IZCT的密码生成散列令牌。它向OGK1发送包含更新的IZCT的LCF。当TGK1稍后从OGW接收VoIP设置消息时,此izctHash用于验证TGW从TGW接收的应答呼叫ARQ。
Mar 4 15:31:20.351: PDU ::= value IZCToken ::= !--- IZCT with a hash is generated to be sent back to TGK2. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.355: ENCODE BUFFER::= 7F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E74 Mar 4 15:31:20.355: Mar 4 15:31:20.355: RAS OUTGOING PDU ::= value RasMessage ::= locationConfirm : !--- LCF is sent back to OGK1 since lrq-forward queries !--- are configured on OGK2 and TGK2. { requestSeqNum 2048 callSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } rasAddress ipAddress : { ip 'AC100D17'H port 55762 } nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '000140020074006700770600740067006B003101...'H } destinationType { gateway { protocol { voice : { supportedPrefixes { } } } } mc FALSE undefinedNode FALSE } tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } } Mar 4 15:31:20.367: RAS OUTGOING ENCODE BUFFER::= 4F 07FF00AC 100D1706 B800AC10 0D17D9D2 40B50000 122F0001 40020074 00670077 06007400 67006B00 31011001 40020074 00670077 00AC100D 1706B800 00000000 00000000 00104808 0880013C 05010000 48010080 092A8648 86F70C0A 0100092A 864886F7 0C0A0100 307F20C0 6F676B32 0674676B 32C02B96 20C70103 105A7D5E 18AA658A 6A4B4709 BA5ABEF2 B9047372 63046473 7404696E 74 Mar 4 15:31:20.371: Mar 4 15:31:20.371: IPSOCK_RAS_sendto: msg length 154 from 172.16.13.41:1719 to 172.16.13.35: 1719 Mar 4 15:31:20.371: RASLib::RASSendLCF: LCF (seq# 2048) sent to 172.16.13.35 -
OGK1从LCF提取IZCT,并将其以ACF的形式发送到OGW。
Mar 4 15:31:20.316: PDU ::= value IZCToken ::= !--- The extracted IZCT. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.324: ENCODE BUFFER::= 7F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E74 Mar 4 15:31:20.328: Mar 4 15:31:20.332: RAS OUTGOING PDU ::= value RasMessage ::= admissionConfirm : !--- ACF is sent back to OGW with the hashed IZCToken. { requestSeqNum 1109 bandWidth 640 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 tokens !--- The IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } } Mar 4 15:31:20.352: RAS OUTGOING ENCODE BUFFER::= 2B 00045440 028000AC 100D1706 B800EF1A 08C04801 0080092A 864886F7 0C0A0100 092A8648 86F70C0A 0100307F 20C06F67 6B320674 676B32C0 2B9620C7 0103105A 7D5E18AA 658A6A4B 4709BA5A BEF2B904 73726304 64737404 696E7401 00020000 Mar 4 15:31:20.364: Mar 4 15:31:20.364: IPSOCK_RAS_sendto: msg length 97 from 172.16.13.35:1719 to 172.16.13.15: 57076 Mar 4 15:31:20.368: RASLib::RASSendACF: ACF (seq# 1109) sent to 172.16.13.15 -
OGW在H.225 SETUP消息中将IZCT发送到TGW。
Mar 4 15:31:20.529: H225.0 OUTGOING PDU ::= value H323_UserInformation ::= { h323-uu-pdu { h323-message-body setup : !--- H.225 SETUP message is sent to TGW. { protocolIdentifier { 0 0 8 2250 0 2 } sourceAddress { h323-ID : {"ogw"} } sourceInfo { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } activeMC FALSE conferenceID '221B686C17CC11CC8010A049E0524766'H conferenceGoal create : NULL callType pointToPoint : NULL sourceCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11003 } callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } tokens !--- The hashed IZCT information is included in the setup message. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } fastStart { '0000000C6013800A04000100AC100D0F4125'H, '400000060401004C6013801114000100AC100D0F...'H } mediaWaitForConnect FALSE canOverlapSend FALSE } h245Tunneling TRUE nonStandardControl { { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '6001020001041F04038090A31803A983816C0C21...'H } } } } -
TGW以ARQ answerCall的方式将IZCT传递到TGK1。
Mar 4 15:31:20.613: Mar 4 15:31:20.613: RAS OUTGOING PDU ::= value RasMessage ::= admissionRequest : !--- ARQ answerCall type is sent to TGK1. { requestSeqNum 78 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"617D829000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923", h323-ID : {"ogw"} } srcCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11003 } bandWidth 1280 callReferenceValue 3 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008800180'H } conferenceID '221B686C17CC11CC8010A049E0524766'H activeMC FALSE answerCall TRUE canMapAlias TRUE callIdentifier { guid '221B686C17CC11CC8011A049E0524766'H } tokens !--- The hashed IZCToken information is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B9620C7010310...'H } } } willSupplyUUIEs FALSE } -
TGK1成功对目的IZCT进行身份验证。这是因为TGK1在IZCT中生成哈希值,并将ACF发回TGW。
Mar 4 15:31:20.635: Mar 4 15:31:20.635: PDU ::= value IZCToken ::= !--- The extracted IZCT from the ARQ to be validated. { izctInterZoneType interDomainCisco : NULL izctSrcZone "ogk2" izctDstZone "tgk2" izctTimestamp 731259080 izctRandom 3 izctHash '5A7D5E18AA658A6A4B4709BA5ABEF2B9'H } Mar 4 15:31:20.639: RAS OUTGOING PDU ::= value RasMessage ::= admissionConfirm : !--- After the IZCT is validated, ACF is sent back to TGW. { requestSeqNum 78 bandWidth 1280 callModel direct : NULL destCallSignalAddress ipAddress : { ip 'AC100D17'H port 1720 } irrFrequency 240 willRespondToIRR FALSE uuiesRequested { setup FALSE callProceeding FALSE connect FALSE alerting FALSE information FALSE releaseComplete FALSE facility FALSE progress FALSE empty FALSE } } -
TGW在收到ACF后建立向载波D的呼叫。
示例 2:呼叫失败,因为TGW无法从收到的设置消息中提取IZCT。
本示例基于与示例1相同的拓扑和配置。在本示例中,TGW的软件更改为不支持IZCT的版本。在这种情况下,TGW无法从设置消息中提取IZCT。这会导致TGK1拒绝呼叫,并且断开原因为安全拒绝。
此示例仅显示TGW上的设置消息、ARQ和ARJ,因为呼叫流与示例1相同。
Mar 4 19:50:32.346: PDU DATA = 6147C2BC value H323_UserInformation ::= { h323-uu-pdu { h323-message-body setup : !--- H.225 SETUP message is received with a token included. { protocolIdentifier { 0 0 8 2250 0 2 } sourceAddress { h323-ID : {"ogw"} } sourceInfo { gateway { protocol { voice : { supportedPrefixes { { prefix e164 : "1#" } } } } } mc FALSE undefinedNode FALSE } activeMC FALSE conferenceID '56CA67C817F011CC8014A049E0524766'H conferenceGoal create : NULL callType pointToPoint : NULL sourceCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11004 } callIdentifier { guid '56CA67C817F011CC8015A049E0524766'H } tokens !--- Hashed IZCT is included. { { tokenOID { 1 2 840 113548 10 1 0 } nonStandard { nonStandardIdentifier { 1 2 840 113548 10 1 0 } data '7F20C06F676B320674676B32C02B965D85010410...'H } } } fastStart { '0000000C6013800A04000100AC100D0F45D9'H, '400000060401004C6013801114000100AC100D0F...'H } mediaWaitForConnect FALSE canOverlapSend FALSE } h245Tunneling TRUE nonStandardControl { { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '6001020001041F04038090A31803A983816C0C21...'H } } } } RAW_BUFFER::= 60 01020001 041F0403 8090A318 03A98381 6C0C2180 34303835 32373239 32337005 80333635 33 Mar 4 19:50:32.362: PDU DATA = 6147F378 value H323_UU_NonStdInfo ::= { version 2 protoParam qsigNonStdInfo : { iei 4 rawMesg '04038090A31803A983816C0C2180343038353237...'H } } PDU DATA = 6147F378 value ARQnonStandardInfo ::= { sourceAlias { } sourceExtAlias { } callingOctet3a 128 } RAW_BUFFER::= 80 00000880 0180 Mar 4 19:50:32.366: PDU DATA = 6147C2BC value RasMessage ::= admissionRequest : !--- ARQ is sent out. There is no token in it. { requestSeqNum 23 callType pointToPoint : NULL callModel direct : NULL endpointIdentifier {"617D829000000001"} destinationInfo { e164 : "3653" } srcInfo { e164 : "4085272923" } srcCallSignalAddress ipAddress : { ip 'AC100D0F'H port 11004 } bandWidth 640 callReferenceValue 1 nonStandardData { nonStandardIdentifier h221NonStandard : { t35CountryCode 181 t35Extension 0 manufacturerCode 18 } data '80000008800180'H } conferenceID '56CA67C817F011CC8014A049E0524766'H activeMC FALSE answerCall TRUE canMapAlias FALSE callIdentifier { guid '56CA67C817F011CC8015A049E0524766'H } willSupplyUUIEs FALSE } RAW_BUFFER::= 27 98001600 F0003600 31003700 44003800 32003900 30003000 30003000 30003000 30003000 31010180 69860104 8073B85A 5C5600AC 100D0F2A FC400280 000140B5 00001207 80000008 80018056 CA67C817 F011CC80 14A049E0 52476644 E0200100 110056CA 67C817F0 11CC8015 A049E052 47660100 Mar 4 19:50:32.374: h323chan_dgram_send:Sent UDP msg. Bytes sent: 117 to 172.16.13.41:1719 Mar 4 19:50:32.374: RASLib::GW_RASSendARQ: ARQ (seq# 23) sent to 172.16.13.41 Mar 4 19:50:32.378: h323chan_dgram_recvdata:rcvd from [172.16.13.41:1719] on sock[1] RAW_BUFFER::= 2C 00168001 00 Mar 4 19:50:32.378: PDU DATA = 6147C2BC value RasMessage ::= admissionReject : !--- ARJ is received with a reason of security denial. { requestSeqNum 23 rejectReason securityDenial : NULL } Mar 4 19:50:32.378: ARJ (seq# 23) rcvd
反馈