ITU-T H 235 9-2005 H 323 security Security gateway support for H 323 (Study Group 16)《H 323 安全框架 H 323安全网关支持 研究组16》.pdf

1、 International Telecommunication Union ITU-T H.235.9TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2005) SERIES H: AUDIOVISUAL AND MULTIMEDIA SYSTEMSInfrastructure of audiovisual services Systems aspects H.323 security: Security gateway support for H.323 ITU-T Recommendation H.235.9 ITU-T H-SER

2、IES RECOMMENDATIONS AUDIOVISUAL AND MULTIMEDIA SYSTEMS CHARACTERISTICS OF VISUAL TELEPHONE SYSTEMS H.100H.199 INFRASTRUCTURE OF AUDIOVISUAL SERVICES General H.200H.219 Transmission multiplexing and synchronization H.220H.229 Systems aspects H.230H.239 Communication procedures H.240H.259 Coding of mo

3、ving video H.260H.279 Related systems aspects H.280H.299 Systems and terminal equipment for audiovisual services H.300H.349 Directory services architecture for audiovisual and multimedia services H.350H.359 Quality of service architecture for audiovisual and multimedia services H.360H.369 Supplement

4、ary services for multimedia H.450H.499 MOBILITY AND COLLABORATION PROCEDURES Overview of Mobility and Collaboration, definitions, protocols and procedures H.500H.509 Mobility for H-Series multimedia systems and services H.510H.519 Mobile multimedia collaboration applications and services H.520H.529

5、Security for mobile multimedia systems and services H.530H.539 Security for mobile multimedia collaboration applications and services H.540H.549 Mobility interworking procedures H.550H.559 Mobile multimedia collaboration inter-working procedures H.560H.569 BROADBAND AND TRIPLE-PLAY MULTIMEDIA SERVIC

6、ES Broadband multimedia services over VDSL H.610H.619 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. H.235.9 (09/2005) i ITU-T Recommendation H.235.9 H.323 security: Security gateway support for H.323 Summary This Recommendation defines a method for the discovery

7、of Security Gateways in the signalling path between communicating H.323 entities, and for sharing of security information between a gatekeeper and the SGs in order to preserve signalling integrity and privacy. Source ITU-T Recommendation H.235.9 was approved on 13 September 2005 by ITU-T Study Group

8、 16 (2005-2008) under the ITU-T Recommendation A.8 procedure. Keywords Gateway, security, signalling. ii ITU-T Rec. H.235.9 (09/2005) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standa

9、rdization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), whi

10、ch meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within I

11、TU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendati

12、on is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “mus

13、t“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation ma

14、y involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of thi

15、s Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent data

16、base. ITU 2006 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. H.235.9 (09/2005) iii CONTENTS Page 1 Scope 1 2 References. 1 2.1 Normative references 1 2.2 Informative references 1 3 Definitions 1 4

17、Abbreviations 2 5 Conventions 2 6 Basic operation . 4 6.1 Endpoint gatekeeper discovery. 4 6.2 Endpoint authentication key distribution 5 6.3 Address manipulation. 6 7 Signalling details 7 8 SG configuration considerations. 8 8.1 SG registration 8 8.2 Authentication credentials 9 9 Security consider

18、ations. 9 10 Applicability . 10 11 Object Identifier 10 iv ITU-T Rec. H.235.9 (09/2005) Introduction The use of Firewalls and/or Network Address Translation devices to provide traffic security between network regions under different administrative controls creates problems for telephony signalling p

19、rotocols that must exchange network addresses for signalling and media exchange. ITU-T Rec. H.235.5 introduces a framework by which an endpoint and its gatekeeper, or two gatekeepers, can use the initial RAS messages to negotiate a set of strong-shared secrets between them, and use those secrets to

20、encrypt selected parts of subsequent RAS and call signalling messages and to authenticate those messages. The method applies to gatekeeper-routed signalling only. Similar methods and security profiles are defined by ITU-T Recs H.235.1, H.235.2 and H.235.3. This security can come into conflict with A

21、pplication Level Gateways (ALGs) which interconnect network realms and manipulate the signalling and media transport addresses carried in the H.225.0 RAS and/or call signalling messages. Such changes in the message will cause the message authentication check to fail at the destination. This Recommen

22、dation describes a simple means by which the gatekeeper may be informed of the ALGs in a signalling path, and may share the negotiated signalling authentication key with those ALGs. This will permit the ALGs to manipulate non-private data, particularly transport addresses, in the signalling messages

23、, and then authenticate the result before passing the modified messages onward. Such devices are referred to as Security Gateways (SGs) in the subsequent text. This technique retains the end-to-end privacy of any encrypted elements in the signalling. ITU-T Rec. H.235.9 (09/2005) 1 ITU-T Recommendati

24、on H.235.9 H.323 security: Security gateway support for H.323 1 Scope This Recommendation is usable by any gatekeeper and endpoint using the H.225.0 RAS protocols, with one or more intervening Security Gateways with the prescribed behaviour. 2 References 2.1 Normative references The following ITU-T

25、Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation a

26、re therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as

27、 a stand-alone document, the status of a Recommendation. ITU-T Recommendation H.225.0 (2003), Call signalling protocols and media stream packetization for packet-based multimedia communication systems. ITU-T Recommendation H.235.0 (2005), H.323 security: Framework for security in H-series (H.323 and

28、 other H.245-based) multimedia systems. ITU-T Recommendation H.235.1 (2005), H.323 security: Baseline security profile. ITU-T Recommendation H.235.2 (2005), H.323 security: Signature security profile. ITU-T Recommendation H.235.3 (2005), H.323 security: Hybrid security profile. ITU-T Recommendation

29、H.235.5 (2005), H.323 security: Framework for secure authentication in RAS using weak shared secrets. ITU-T Recommendation H.245 (2005), Control protocol for multimedia communication. ITU-T Recommendation H.323 (2003), Packet-based multimedia communications systems. 2.2 Informative references IETF R

30、FC 2246 (1999), The TLS Protocol Version 1.0. IETF RFC 3546 (2003), Transport Layer Security (TLS) Extensions. IETF RFC 2401 (1998), Security Architecture for the Internet Protocol. 3 Definitions This Recommendation defines the following terms: 3.1 application level gateway: A protocol-aware device

31、that interconnects two or more network regions which is able to interpret and modify the application level protocols to provide transport address translations and other functions. An ALG may provide transport level NAT and firewall functions internally, or may control them externally. 3.2 local addr

32、ess: A transport address within a local address realm. 2 ITU-T Rec. H.235.9 (09/2005) 3.3 media gateway: A device which interconnects two or more network realms and which can be controlled by another device (e.g., an SG) to provide controlled media flows between realms. The MG is effectively a progr

33、ammable NAT/firewall operating at the transport layer and below. 3.4 network address translation: The operation of mapping network transport addresses from one network realm to another. 3.5 pinhole: A flow path through an SG (or a media gateway under its control) by which packets or messages are per

34、mitted to move from one realm to another. A pinhole is typically characterized by four transport addresses (the realm A source address, the SG realm A address, the SG realm B address, and the realm B destination address), and other characteristics such as transport protocol and directionality. The s

35、ource address may be unspecified, e.g., for a listen port. 3.6 realm: A network region which shares a common network address space; by presumption, different realms use incompatible, conflicting, or private address spaces. 3.7 security gateway: A device installed between two or more IP network regio

36、ns in order to perform security functions such as the validation or restriction of packet flows and the mapping of transport addresses between network regions. For this Recommendation, it is assumed that the Security Gateway is an ALG knowledgeable of H.323 signalling protocols. 4 Abbreviations This

37、 Recommendation uses the following abbreviations: ALG Application Level Gateway GCF GatekeeperConfirm GK Gatekeeper GRJ GatekeeperReject LCF LocationConfirm LRQ LocationRequest MG Media Gateway NAT Network Address Translation OID Object Identifier RAS Registration, Admission and Status SG Security G

38、ateway UDP User Datagram Protocol 5 Conventions This Recommendation defines various object identifiers (OIDs) for signalling security capabilities, procedures or security algorithms. These OIDs relate to a hierarchical tree of assigned values that may origin from external sources or are part of the

39、ITU-T maintained OID tree. Those OIDs that are specifically related to ITU-T Rec. H.235 have the following appearance in the text: “OID“ = itu-t (0) recommendation (0) h (8) 235 version (0) V N where V symbolically represents a single decimal digit denoting the corresponding version of ITU-T Rec. H.

40、235; e.g., 1, 2, 3 or 4. N symbolically represents a decimal number uniquely identifying the instance of the OID and thus, the procedure, algorithm or security capability. Thus, the ASN.1 encoded OID consists of a sequence of numbers. For convenience, a textual mnemonic shorthand string notation for

41、 each OID is used in the text such as “OID“. A mapping is ITU-T Rec. H.235.9 (09/2005) 3 given that relates each OID string with the ASN.1 sequence of numbers. Implementations conforming to ITU-T Rec. H.235 shall use only the ASN.1 encoded numbers Basic Assumptions This Recommendation considers an I

42、P network model in which multiple network regions, called realms, are interconnected by devices called Security Gateways (SGs) which are H.323 protocol aware, and which are designed to control information flows between the network realms they interconnect. The SGs are expected to examine signalling

43、messages flowing between realms, insure their validity, and extract transport address information being exchanged, and use that transport information to construct appropriate flow paths between the realms, and to modify the transport addresses as appropriate for the realm to which the message is for

44、warded. The SGs must insure the signalling paths flow through themselves, of course, but they may control another device to support any media flows that are established. The control protocol between the SG and the “media gateway“ is not specified by this Recommendation. In order to make the services

45、 of a gatekeeper in one realm available to endpoints or gatekeepers in another realm, an SG may provide a gatekeeper discovery address in each realm it serves in which there is no known gatekeeper. The SG would then forward any discovery message received on one of those addresses on toward the actua

46、l gatekeeper after performing any necessary processing of the H.323 message. An example configuration is illustrated in Figure 1, which shows a gatekeeper serving endpoints in multiple network realms. In effect, the Security Gateways must represent the gatekeeper in each of the realms they serve (ex

47、cept, of course, the realm in which the gatekeeper resides, e.g., realm A for gatekeeper A in the diagram). SG B provides discovery addresses for both gatekeepers in the figure, thus it provides a gatekeeper-to-gatekeeper path for LRQ/LCF signalling. Note also that an SG need not provide access to e

48、very gatekeeper in every realm. For example, in Figure 1, SG A might be configured to supply a discovery address in realm B only for gatekeeper A. It is assumed that each gatekeeper knows a unique name for each SG in the system, and that the gatekeeper and each SG also share a cryptographically stro

49、ng secret that may be used to communicate securely between them. The manner in which these identities, and the corresponding keys, are negotiated or exchanged is discussed below, but is not the main subject of this Recommendation. The shared secrets should be unique per SG/gatekeeper pair. It is assumed that the SGs will modify the RAS and call signalling addresses exchanged to insure that the RAS and call signalling traffic passes through them. 4 ITU-T Rec. H.235.9 (09/2005) Figure 1/H.235.9 Security gateway configuration In addition, the mean