[cisco-voip] CUBE not requesting codec... call fails... need to force SDP in invite...

Nick Matthews matthnick at gmail.com
Wed Jan 25 14:39:32 EST 2012


While MGCP is active it doesn't apply.  And usually MGCP will be
active while internet/WAN connectivity is up.  If you had both
internet and MPLS circuits, and MGCP depended on the MPLS, and the
internet was unsecured (TCP/UDP 5060 open), and were before 15.1(2)T,
you would be vulnerable.

-nick

On Wed, Jan 25, 2012 at 2:33 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> We've got MGCP with SRST/H323 failover so I guess that vulnerability is
> there.
>
> The thought of moving to H323 over MGCP was also considered so we could do
> some call processing first.
>
> Thanks, Lelio
>
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
>                               - LFJ (with apologies to Mr. Popeil)
>
>
> ________________________________
> From: "Nick Matthews" <matthnick at gmail.com>
> To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
> Cc: "Jonathan Charles" <jonvoip at gmail.com>, "Cisco VOIP"
> <cisco-voip at puck.nether.net>
> Sent: Wednesday, January 25, 2012 2:25:50 PM
>
> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need to
> force SDP in invite...
>
> It's actually really hard to hijack MGCP via SIP.  You would need dial
> peers pointing toward CUCM, and CUCM would have to route via MGCP.
> MGCP takes control of that entire PRI and won't allow calls through
> unless they're sent by CUCM.
>
> Now H.323 is extremely easy.  If you set up a router with a public IP
> address not behind a firewall, and then put a PRI and some dial peers
> that allow international dialing with 9011T and you're on IOS before
> 15.1(2)T it's just a matter of time before you're sending calls to
> Cuba/Russia/Eastern Europe etc.
>
> -nick
>
> On Wed, Jan 25, 2012 at 10:49 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>> I also like the idea of having it separate so if we do still maintain MGCP
>> gateways, I'm assuming there would be some protection involved, i.e. SIP
>> hijacking of our MGCP gateways.
>>
>>
>> ________________________________
>> From: "Nick Matthews" <matthnick at gmail.com>
>> To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
>> Cc: "Jonathan Charles" <jonvoip at gmail.com>, "Cisco VOIP"
>> <cisco-voip at puck.nether.net>
>> Sent: Wednesday, January 25, 2012 10:28:03 AM
>>
>> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need to
>> force SDP in invite...
>>
>> It's just an ISR, so the deployment is up to you.  Usually depends on
>> the scale.  If it's a pilot, whatever you have around.  It's really
>> what else you want to manage on your side and if you'll get confused
>> with so many things on one router.  When you get higher towards the
>> CPU capacity of the box in sessions you'll want to have a mostly
>> dedicated box to prevent other things from hogging the CPU.  There
>> really isn't a best practice but many organizations decide to put it
>> on dedicated hardware to keep it simple.
>>
>> -nick
>>
>> On Wed, Jan 25, 2012 at 9:43 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>> Speaking of CUBE, just wondering what the common practice is for physical
>>> deployment. We have two routers which will eventually house our MGCP
>>> gateways in HQ and one router at each of our remote sites, again, MGCP.
>>>
>>> If I want to deploy CUBE, is it usually installed separately from the main
>>> campus router?
>>>
>>>
>>> ________________________________
>>> From: "Roger Wiklund" <roger.wiklund at gmail.com>
>>> To: "Jonathan Charles" <jonvoip at gmail.com>
>>> Cc: "Cisco VOIP" <cisco-voip at puck.nether.net>
>>> Sent: Wednesday, January 25, 2012 3:27:19 AM
>>> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need to
>>> force SDP in invite...
>>>
>>>
>>> On Wed, Jan 25, 2012 at 3:54 AM, Jonathan Charles <jonvoip at gmail.com>
>>> wrote:
>>>> Because, as far as I can tell, Cisco does not support SIP to SIP on the
>>>> CUBE... and it doesn't work.
>>>>
>>>> You need to be H.323 to the CUBE, then SIP to the provider.
>>>
>>> Hi,
>>>
>>> SIP-SIP is definitely the way to go, should be easier on the CPU to
>>> not have to convert between the two, and also easier to troubleshoot.
>>>
>>> I'm running SIP-SIP with DO-EO and RTP flow-around.
>>>
>>> I wrote some notes about it that may be useful (even if you are not
>>> running flow-around)
>>>
>>>
>>>
>>> http://wiklunds.wordpress.com/2012/01/02/sip-delayed-offer-to-early-offer-with-rtp-flow-around-support-in-cube-8-6/
>>>
>>> Regards
>>> Roger
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
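
The exposure conditions discussed in this thread (an IOS release before 15.1(2)T, an interface with no inbound filtering, a POTS dial peer matching 9011T, and MGCP control that lapses in fallback) can be checked from a gateway's saved output. The script below is an added example, not part of the original messages; the sample `show version` line and running-config are constructed, and the function names and finding strings are hypothetical.

```python
import re

# Constructed sample input (not from the thread); addresses are documentation ranges.
SHOW_VERSION = "Cisco IOS Software, Version 12.4(24)T, RELEASE SOFTWARE (fc1)"
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 description Internet
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/1
 description MPLS
 ip address 10.1.1.1 255.255.255.0
 ip access-group VOICE-IN in
!
dial-peer voice 9011 pots
 destination-pattern 9011T
 port 0/0/0:23
!
dial-peer voice 100 pots
 service mgcpapp
 port 0/1/0:23
!
"""

def release(show_version):
    """(major, minor, maintenance) from 'Version 15.1(2)T'; train letter ignored."""
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)", show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def blocks(config, header):
    """Yield (header line, stripped body lines) for each top-level config block."""
    for m in re.finditer(rf"^({header} .*)\n((?: .*\n)*)", config, re.M):
        yield m.group(1), [line.strip() for line in m.group(2).splitlines()]

def audit(show_version, config):
    findings = []
    rel = release(show_version)
    if rel is not None and rel < (15, 1, 2):
        findings.append("IOS release predates 15.1(2)T")
    for head, body in blocks(config, "interface"):
        has_ip = any(l.startswith("ip address") for l in body)
        # Coarse heuristic: an ACL being present does not prove 5060 is filtered.
        if has_ip and not any(re.match(r"ip access-group \S+ in$", l) for l in body):
            findings.append(f"{head}: no inbound ACL")
    for head, body in blocks(config, "dial-peer voice"):
        if head.endswith(" pots") and any(l.startswith("destination-pattern 9011") for l in body):
            findings.append(f"{head}: international pattern reaches the PSTN")
        if head.endswith(" pots") and "service mgcpapp" in body:
            findings.append(f"{head}: MGCP-controlled, exposed only while MGCP is down")
    return findings
```

Calling `audit(SHOW_VERSION, RUNNING_CONFIG)` returns the findings as a list of strings in config order; the release comparison is an approximation that treats every train of a given numeric release alike.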
