DGW-13290 (IN-14782) - The SIP endpoint gateway does not always fail over to secondary server if the UDP connection is lost while a call is in progress.
DGW-13549 - An invalid NAT configuration can cause the loss of the network contact with the device.
DGW-13570 - Add two new ECDSA ciphers for TLS 1.2.
DGW-13652 (IN-14900) - The Sbc service is missing replacement expressions to retrieve the "From" and "To" SIP headers.
DGW-13668 (IN-14471) - Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.
DGW-13695 (IN-14918) - Option 77 cannot be removed from DHCP requests.
DGW-13701 - The EpServ.AutoCall and EpServ.DelayedHotline parameters are not accessible via TR-069.
DGW-13750 - Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.
DGW-13765 - Add TLS 1.3 support for the Conf, Cwmp and File services.
DGW-13785 - SRTP interoperability improvements for the Mipt service.
DGW-13818 (IN-14651) - Add a "bye delay" parameter to the "Call Transfer Handling" ruleset action of the Sbc service.
DGW-13830 - SRTP interoperability improvements for the Sbc service.
DGW-13844 - Improve interoperability of the Cwmp service for download requests.
DGW-13848 - The Cwmp service needs a method to execute CLI commands.
DGW-13870 (IN-14945) - An interop parameter is needed to add/remove the <Cwmp:ID> header in Cwmp Inform requests.
DGW-13883 - The SetParameterValuesFault node is missing from the SetParameterValues error response sent by the Cwmp service.
DGW-13887 - The Sbc service resumes SIP calls with the wrong connection address.
DGW-13933 (IN-15005) - Some RTP packets may cause the application to stop responding.
DGW-13963 - Protect DGW Web pages against Cross-Site Request Forgery attacks.
DGW-13969 - The crypto tag in the SDP answer may not match the SDP offer.
DGW-14049 - The SRTP header remains the same after a SIP hold/resume.
DGW-14063 - New parameter "Remove REFER from Allow Header" is needed.
DGW-14180 - The answer sent by the Sbc service to a SIP session refresh contains a new SDES crypto key instead of reusing the one previously advertised.
DGW-14183 - Permanent certificates are not present after a backup is restored.
DGW-14229 - CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).
DGW-14268 - The Sbc service does not handle the REPLACES header.
New Features
DGW-14268 - The Sbc service does not handle the REPLACES header.
The SBC ruleset action "Handle INVITE with Replaces header" was added.
DGW-14063 - New parameter "Remove REFER from Allow Header" is needed.
A new parameter "Remove REFER from Allow Header" was added to the ruleset action "Call transfer handling".
When this parameter is set, all responses and in-dialog SIP requests relayed by the SBC to the call agent peer have the REFER method filtered out of the "Allow" header.
DGW-13963 - Protect DGW Web pages against Cross-Site Request Forgery attacks.
The following strategies have now been implemented in the DGW Web pages to protect against Cross-Site Request Forgery (CSRF/XSRF) attacks:
The SameSite=Lax attribute is included in the cookie.
CSRF tokens were added to all form submissions (POST) and background AJAX requests (GET and POST).
The CSRF protection is always enabled.
DGW-13848 - The Cwmp service needs a method to execute CLI commands.
The CWMP parameter .Services.X_0090F8_Cwmp.CwmpEx.Command was added to execute a CLI command. The CWMP parameter .Services.X_0090F8_Cwmp.CwmpEx.LastResult was also added to display the result of the last executed CLI command.
DGW-13830 - SRTP interoperability improvements for the Sbc service.
When using SDES key exchange with the Sbc service, an incorrect usage of the SRTP cryptography caused the cryptographic context, which includes the rollover counter (ROC), to reset at inappropriate times. This does not affect the DTLS-SRTP key exchange.
A new "SRTP preferences" ruleset action was added to configure interoperability parameters.
This ruleset action allows the configuration of the following three parameters:
CryptoModeOnOffer
CryptoModeOnAnswer
CryptoContextBehavior
When this new ruleset action is not added, the default behavior of the Call Agents continues to be:
Both crypto modes (CryptoModeOnOffer/CryptoModeOnAnswer) are set to keep their crypto keys.
By default the crypto context behavior (CryptoContextBehavior) is now set to never reset the cryptographic context.
Important change: If this new default behavior causes audio decryption issues, set the CryptoContextBehavior parameter to "AlwaysReset".
DGW-13818 - Add a "bye delay" parameter to the "Call Transfer Handling" ruleset action of the Sbc service.
Incident Number: IN-14651
A new parameter was added to delay the SIP BYE issued by the Sbc service to disconnect the original call leg when handling the SIP REFER method. This new parameter should be used when more time is needed for the peer to issue the SIP BYE itself.
This new parameter only has an effect when the "Call Transfer Handling" action uses the "internal handling" method.
DGW-13785 - SRTP interoperability improvements for the Mipt service.
The Mipt.SessionUpdateCryptoMode parameter was removed and replaced by the following three parameters:
The default behavior of DGW with SRTP streams is not changed.
When an upgrade is performed, the configuration of the old Mipt.SessionUpdateCryptoMode parameter is taken into account and applied to the three new parameters using the following mapping:
Mipt.SessionUpdateCryptoMode | Regenerate | Keep
Mipt.CryptoModeWhenSendingOffer | RegenerateAlways | KeepAlways
Mipt.CryptoModeWhenSendingAnswer | RegenerateAlways | KeepAlways
Mipt.CryptoContextBehavior | ResetAlways | ResetAlways
Note: the CryptoModeWhenSendingOffer and CryptoModeWhenSendingAnswer parameters apply only to the SDES key management protocol. The CryptoContextBehavior parameter applies to both SDES and MIKEY.
DGW-13765 - Add TLS 1.3 support for the Conf, Cwmp and File services.
The Conf, Cwmp and File services now support TLS 1.3.
DGW-13701 - The EpServ.AutoCall and EpServ.DelayedHotline parameters are not accessible via TR-069.
The EpServ.AutoCall and EpServ.DelayedHotline parameters are now accessible via TR-069.
Added the following object trees to the TR-069 data model:
DGW-13668 - Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.
Incident Number: IN-14471
A new Web.HstsHeaderEnable parameter was added to enable the HTTP Strict-Transport-Security (HSTS) header, as described in RFC 6797.
When enabled, this feature prevents users from accessing the DGW Web pages using HTTP, and forces the browser to always communicate using HTTPS.
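An added example, not part of the release notes or of DGW: a small offline check of the two Web page protections described above, the HSTS header (DGW-13668, RFC 6797) and the SameSite cookie attribute (DGW-13963). The cookie name, the max-age value and both responses are constructed for illustration; the notes do not state the values the unit actually sends.

```python
def parse_headers(raw):
    """Split a raw HTTP response into (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_max_age(value):
    """Return max-age in seconds, or None if it is missing or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit_response(raw, over_tls):
    """Return findings for the HSTS header and the SameSite cookie attribute."""
    findings = []
    headers = parse_headers(raw)
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if over_tls and not hsts:
        findings.append("no Strict-Transport-Security header on HTTPS response")
    elif over_tls:
        age = hsts_max_age(hsts[0])              # RFC 6797: only the first field counts
        if age is None:
            findings.append("HSTS header has no valid max-age")
        elif age == 0:
            findings.append("max-age=0 tells the browser to drop the HSTS policy")
    elif hsts:
        findings.append("HSTS header on plain HTTP is ignored by browsers")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, *attrs = [part.strip() for part in value.split(";")]
        samesite = [a.split("=", 1)[1].lower() for a in attrs
                    if a.lower().startswith("samesite=")]
        if not samesite or samesite[0] == "none":
            findings.append("cookie %s lacks SameSite=Lax or Strict" % cookie.split("=")[0])
    return findings

# Constructed sample responses (not captured from a real unit).
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
        "Set-Cookie: session=constructed; Path=/; Secure; SameSite=Lax\r\n\r\n")
BAD = "HTTP/1.1 200 OK\r\nSet-Cookie: session=constructed; Path=/\r\n\r\n"
```

Because browsers honour the HSTS header only when it arrives over HTTPS, the first visit to the unit still has to be made with an https:// URL for the policy to take effect.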
DGW-13570 - Add two new ECDSA ciphers for TLS 1.2.
The support of ECDSA certificates for TLS 1.2 was improved.
Two new AES cipher suites from RFC 8422 were added:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Issues Fixed
DGW-14229 - CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).
An important security flaw was found in the OpenSSL library affecting DGW v46.1, v46.2, v47.0, and v47.1. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.
The OpenSSL library was fixed, addressing CVE-2021-3449.
DGW-14183 - Permanent certificates are not present after a backup is restored.
Permanent certificates are now present after a backup is restored.
DGW-14180 - The answer sent by the Sbc service to a SIP session refresh contains a new SDES crypto key instead of reusing the one previously advertised.
The problem occurred when the advertised a=crypto attribute changed its tag during the same SIP call.
a=crypto:<tag> <crypto-suite> <key-params>
The Sbc service will now reuse the same key-params instead of generating a new one.
DGW-14049 - The SRTP header remains the same after a SIP hold/resume.
When a SIP call was put on hold by the remote SIP peer, the outgoing SRTP header remained the same.
This behavior is now fixed. The outgoing SRTP header will now have its SSRC, sequence number, and timestamp randomized to different values.
DGW-13969 - The crypto tag in the SDP answer may not match the SDP offer.
When all the following conditions were met, the crypto tag of the SDP answer may have had a mismatch:
Secured SIP call with SDES key management;
Mipt.SessionUpdateCryptoMode parameter configured to Keep;
SIP Hold is sent by the remote peer and its crypto tag has a different value than in the previous SIP exchange;
The behavior is now fixed. The SDP answer will now have the matching crypto tag.
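An added example, not part of the release notes or of DGW: an interoperability check for the two SDES behaviours fixed in DGW-14180 and DGW-13969, run over SDP bodies taken from a SIP trace. It assumes one media stream per SDP; the helper names, the SDP bodies and the key material are constructed for illustration.

```python
import re

# a=crypto:<tag> <crypto-suite> <key-params>  (RFC 4568 SDES attribute)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)", re.MULTILINE)

def crypto_attrs(sdp):
    """Return {tag: (crypto_suite, key_params)} for each a=crypto line."""
    return {int(t): (s, k) for t, s, k in CRYPTO_RE.findall(sdp)}

def check_answer(offer, answer, previous_answer=None):
    """Return findings for one SDES offer/answer exchange (single media stream)."""
    offered, answered = crypto_attrs(offer), crypto_attrs(answer)
    if len(answered) != 1:
        return ["answer must carry exactly one a=crypto line, found %d" % len(answered)]
    findings = []
    tag, (suite, key) = next(iter(answered.items()))
    # DGW-13969: the tag in the answer must be one of the tags in this offer.
    if tag not in offered:
        findings.append("answer tag %d was not offered" % tag)
    elif offered[tag][0] != suite:
        findings.append("answer suite differs from the offered suite for tag %d" % tag)
    # DGW-14180: on a session refresh the key is compared regardless of tag,
    # because the peer may renumber its tags during the same call.
    if previous_answer is not None:
        previous_keys = {k for _, k in crypto_attrs(previous_answer).values()}
        if previous_keys and key not in previous_keys:
            findings.append("session refresh answer carries a new key")
    return findings

def sdp(tag, key):
    """Build a minimal constructed SDP body with one a=crypto line."""
    return ("v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
            "a=crypto:%d AES_CM_128_HMAC_SHA1_80 %s\r\n" % (tag, key))

# Constructed key-params, not real key material.
KEY_PEER = "inline:" + "A" * 40
KEY_UNIT = "inline:" + "B" * 40
KEY_NEW = "inline:" + "C" * 40
```

A refresh in which the peer moves from tag 1 to tag 2 passes only when the answer uses tag 2 and repeats the key-params of the earlier answer.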
DGW-13933 - Some RTP packets may cause the application to stop responding.
Incident Number: IN-15005
When using the DSP codec Bank2, some RTP packets could cause the DSP to stop responding.
Fixed the DSP configuration that caused the problem.
DGW-13887 - The Sbc service resumes SIP calls with the wrong connection address.
When handling a SIP REFER request to connect two SIP calls from two different signaling interfaces, the Sbc service would resume the SIP call with the wrong connection address. This led to one-way audio.
The Sbc service now generates the SDP with the correct connection address.
DGW-13883 - The SetParameterValuesFault node is missing from the SetParameterValues error response sent by the Cwmp service.
In various failure scenarios, the SetParameterValuesFault node was not present in the SetParameterValues error response of the Cwmp service.
The SetParameterValuesFault node is now present in the error response.
DGW-13870 - An interop parameter is needed to add/remove the <Cwmp:ID> header in Cwmp Inform requests.
Incident Number: IN-14945
Added an interop parameter Cwmp.InteropCwmpIdHeader to add or remove the <Cwmp:ID> header in the unit's Cwmp Inform requests sent to an ACS.
DGW-13844 - Improve interoperability of the Cwmp service for download requests.
The Cwmp service now supports receiving download requests with a NULL value as the TargetFileName XML element.
DGW-13750 - Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.
It is now possible to correctly limit Cwmp service HTTPS provisioning to only use TLS 1.2 with the parameter Cwmp.TransportHttpsTlsVersion.
DGW-13695 - Option 77 cannot be removed from DHCP requests.
Incident Number: IN-14918
Bni.DhcpClientUserClass now accepts an empty value.
When Bni.DhcpClientUserClass is empty, the DHCP request no longer contains a value for Option 77.
DGW-13652 - The Sbc service is missing replacement expressions to retrieve the "From" and "To" SIP headers.
Incident Number: IN-14900
New replacement expressions are now available to retrieve the "From", $fQ, and the "To", $tQ, SIP headers.
DGW-13549 - An invalid NAT configuration can cause the loss of the network contact with the device.
An invalid NAT configuration no longer causes the loss of the network contact with the device.
DGW-13290 - The SIP endpoint gateway does not always fail over to secondary server if the UDP connection is lost while a call is in progress.
Incident Number: IN-14782
Under a certain critical timing, when using UDP transport, if multiple SIP registration attempts were not answered by the primary server while there was an ongoing call, the SIP endpoint gateway did not fail over to the secondary server once the call ended.
The SIP endpoint gateway now correctly fails over to the secondary server.
Known Issues
There are no known issues.
Copyright Notice
Copyright 2021 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.