Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1
Release name: Ingate Firewall(R) 4.8.1
Ingate SIParator(R) 4.8.1
Release date: November 26, 2009
The new version and User Manuals can be found at:
http://www.ingate.com/Upgrades.php
This is a major release with many new features, bug fixes and security
fixes. We recommend that everybody upgrade.
* General change
*** "Firewall" and "SIParator" product operation is now user-selectable
through the web GUI, CLI and Start-Up Tool. Switching between
Firewall and SIParator is configured on the SIParator Type page in
the Web GUI, or through the Start-Up Tool. [Tracking ID: 3507]
* New SIP-related features
*** Embedded SIP Test Agent. Test calls are manually initiated or
scheduled for periodic tests. A call is considered successful if
200 OK is received and at least 4 media packets are sent and
received. [Tracking ID: 4125]
*** Embedded SIP Test Agent - Echo Server. An echo server listening to
a configured address answers all incoming calls and echoes back
the media. Hosts/networks allowed to access the Echo Server are
configurable. This feature is intended for usage with the embedded
Test Agent or any other test tool. [Tracking ID: 4129]
*** Estimated MOS values are calculated for RTP streams. A MOS value
(0-5) is estimated for each call and sent in the RADIUS STOP
ticket. The MOS values are estimated based on CODEC (type,
parameters) and packet loss (distribution taken into
account).
New RADIUS attributes:
- IG-Acct-Input-Last-Payload-Type    Number describing CODEC used
- IG-Acct-Output-Last-Payload-Type
- IG-Acct-Input-Reordered            No. of re-ordered RTP packets
- IG-Acct-Output-Reordered
- IG-Acct-Input-Comfort-Noise        Comfort Noise used (yes/no)
- IG-Acct-Output-Comfort-Noise
- IG-Acct-Input-Codec-Name           Name of CODEC used (e.g. PCMU)
- IG-Acct-Output-Codec-Name
- IG-Acct-Input-Jitter-Max           Maximum jitter during the call
- IG-Acct-Output-Jitter-Max
[Tracking ID: 4269]
*** Additional attributes in RADIUS accounting messages. The following
additional SIP headers in the initial SIP INVITE will be reported
by the Ingate:
- Remote-Party-Id
- P-Asserted-Identity
- Diversion
The value of the header field will be sent as "raw" unformatted data.
(In cases of several similar headers, the first will be reported.)
[Tracking ID: 4458]
*** Wildcard patterns can be used for domains in DNS override. Only
patterns starting with * are supported. [Tracking ID: 4226]
*** Rewriting FROM-header in the Dial-Plan. Rewrite of the From header
is enabled by adding a ";from=" parameter to the Forward To Reg
Expr field in the same way ";b2bua" can be used today.
The from parameter may contain references to Reg Expr sub-strings as
in "Forward To", except that the string may reference sub-strings of
both the "From Header" and the Request-URI Reg Exprs. Sub-strings of
the From header are referenced as $fx, x >= 0, and Request-URI
sub-strings as $rx, x >= 0.
The from parameter may also contain the following references "$()":
- ruri.user
- ruri.host
- to.user
- to.host
- from.user
- from.host
- ip.<iface>
Where <iface> is the name of a network interface, i.e. one of eth0,
eth1 etc.
Examples:
1) Replace From domain with IP of interface eth1:
from="$(from.user)@$(ip.eth1)"
2) Replace From domain with example.com:
from="$(from.user)@example.com"
[Tracking ID: 2765]
*** "Refer-To replacement domain" is used in attended transfers
too. This was a new feature in 4.7.0, which replaces the domain in
Refer-To headers of REFER requests for unattended transfers. In
4.8 this behaviour can be used in attended transfers too.
The Refer-To headers of REFER for attended transfers normally
contain the remote target of a dialog, which doesn't need this
setting. But some SIP devices use an AOR in the Refer-To header
for attended transfers. [Tracking ID: 4394]
*** Wildcard matching of TLS certificates according to RFC 2818.
Wildcard matching of subjectAltName and CN in TLS certificates is
now supported. [Tracking ID: 4224]
*** Fake support of "privacy" option tag. "privacy" is added as a
supported option tag, and as a result the SIP module will forward
requests containing "Proxy-Require: privacy". The headers
Remote-Party-ID and RPID-Privacy are forwarded by the proxy, but
otherwise ignored.
In the case of the B2BUA, both Proxy-Require and Remote-Party-ID
are removed (but RPID-Privacy is kept) before the requests are
forwarded. [Tracking ID: 4460]
*** INFOs with Content-Type application/media_control+xml are ignored
by the B2BUA and responses with 200 (OK) are sent. [Tracking ID:
4456]
*** 491 (Request Pending) responses to re-INVITEs are delayed on one
call leg if an outgoing re-INVITE has been sent on the other leg.
Instead of responding immediately, the Ingate will wait some time to
allow a pending request on the other leg to complete. [Tracking ID: 4384]
*** Improved interoperability between RFC 2543 and RFC 3264 peers
regarding on-hold. Ingate complies with RFC 3264 and answers an SDP
containing "inactive" with an SDP containing "inactive" even if the
other peer didn't include the "inactive" (RFC 2543). [Tracking
ID: 4390]
*** New re-INVITEs are now delayed until an ACK is received from
the previous re-INVITE. [Tracking ID: 4229]
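The name check behind the RFC 2818 wildcard entry above [Tracking ID: 4224], as an added Python illustration that is not Ingate code. It follows RFC 2818 section 3.1 (a wildcard matches one label or a fragment of it; dNSName entries take precedence over CN); accepting "*" only in the left-most label and requiring it to cover at least one character are stricter assumptions made here, and all host names are constructed.

```python
# Added illustration of RFC 2818 section 3.1 name checks; not Ingate code.
from typing import Optional, Sequence


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' covers a whole label or a fragment of it."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:      # assumption: reject multi-wildcard labels
        return False
    prefix, suffix = pattern.split("*")
    # Assumption: '*' must stand for at least one character.
    return (len(label) > len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate dNSName/CN pattern with the expected host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):            # '*' never spans a dot
        return False
    if any("*" in label for label in p[1:]):
        return False                # stricter than RFC 2818: left-most only
    return _label_matches(p[0], h[0]) and p[1:] == h[1:]


def cert_matches_host(hostname: str, san_dns: Sequence[str],
                      common_name: Optional[str]) -> bool:
    """dNSName entries, when present, are the identity; CN is only a fallback."""
    if san_dns:
        return any(dns_name_matches(name, hostname) for name in san_dns)
    return common_name is not None and dns_name_matches(common_name, hostname)


if __name__ == "__main__":
    # Constructed certificate names, checked against constructed host names.
    cases = [
        ("gw1.sip.example.com", ["*.sip.example.com"], None),
        ("a.gw1.sip.example.com", ["*.sip.example.com"], None),
        ("pbx.example.com", ["*.sip.example.com"], "pbx.example.com"),
        ("pbx.example.com", [], "*.example.com"),
    ]
    for host, san, cn in cases:
        print(f"{host:24} SAN={san} CN={cn} ->", cert_matches_host(host, san, cn))
```

The third case is the one to watch when auditing peers: a certificate whose CN matches the host is still rejected once it carries dNSName entries that do not.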
* Other new features
*** An SNMP trap is sent when time-limited licenses expire.
[Tracking ID: 4263]
* Fixed Security problems
*** Fixed two remotely exploitable bugs in the ASN.1 parser of
Openswan. This is CVE-2009-2185 and is fixed in Openswan 2.4.15.
[Tracking ID: 4356]
*** The Bonk attack (aka ping of death) was not satisfactorily
handled according to ICSA.
[Tracking ID: 4312]
*** Fixed man-in-the-middle vulnerability for SSL and TLS by
disabling renegotiations. This is CVE-2009-3555.
[Tracking ID: 4471]
* Fixed SIP-related bugs
*** The B2BUA unexpectedly changed the From URI when NAT:ing as an
alias address. [Tracking ID: 4252]
*** The SIP module failed to start if a static route was configured to
a network behind a router on a VLAN unless the physical ethernet
interface also was configured with an IP address. [Tracking ID:
4397]
*** Route header was not removed in retransmission of stateless ACK
(2xx) [Tracking ID: 4402]
* Fixed CLI-related bugs
*** The reboot-command uploaded via the GUI in a CLI file containing
"reboot --now" works as expected. [Tracking ID: 4465]
* Other
*** The Mediator mode for the Ingate SIParator(R) has been removed and
is no longer supported. [Tracking ID: 4228]