Forwarding this personal response (with permission):
--- Begin Message ---
Draconian, huh?

In any case, from my point of view concerns are identification,
mitigation of risk, assurance, and accreditation.  Ports open to any
host create opportunity.  This opportunity can be used for good (such as
the Access Grid) or for the bad (vulnerability exploitation, leading to
system compromise etc.)  Port ranges more so, partly because there are
more of them, and partly because there is no secure guarantee the
*expected* application or service is indeed behind the open port.

For example, suppose an AG bridge host is also running services
involving Remote Procedure Calls (AFS, Kerberos, Microsoft services,
NFS, remote backup applications, etc.)  RPCs may create service ports
within a range intended for use by the Access Grid.  This has at least
two problems:

1) it could represent exposure of the host or denial of service
depending on how the access controls (e.g. a firewall) to that host were
implemented and what vulnerabilities were exposed in doing so.
2) it may cause an AG venue to fail because other dynamic applications
(such as the RPC in the example) had usurped a port the AG venue wanted.

I would think the right answer would be static port mapping per venue.
Either that, or make sure there are no other dynamic services running on
the host bridge and the end points of the bridge are trustworthy.

Cullen

        -----Original Message-----
        From: Roberts, Ian E
        Sent: Thursday, March 02, 2006 9:08 AM
        To: Tollbom, S Cullen
        Subject: FW: [AG-TECH] One-page summary of AG port usage -- please help us complete it


        Cullen, would you please take a few moments (you can use that
NVAC charge code) and reply to Tom Uram? He is asking for input on port
ranges for the future of the Access Grid. Thanks! ~ian

        ------ Forwarded Message
        From: "Thomas D. Uram" <[email protected]>
        Date: Tue, 14 Feb 2006 13:02:27 -0600
        To: "R. P. Channing [\"Rick\"] Rodgers" <[email protected]>
        Cc: <[email protected]>, <[email protected]>,
<[email protected]>
        Subject: Re: [AG-TECH] One-page summary of AG port usage -- please help us complete it

        I'm gonna try to take a practical line here.  First, some clarification:

        - By default, the VenueServer allocates multicast addresses dynamically as follows:
            address range:  224.2.128.0 - 224.2.255.254
            port range:  49152-65535

        - "Dynamic" in this case means that addresses are allocated when someone
            enters the venue, and are recycled when the last person leaves the venue.

        - "Static" (the opposite of Dynamic) means that addresses/ports are assigned
            to a venue by the admin, and do not change.

        - VenueServer admins can, through provided tools, configure the address
            range however they like.  There is currently no option for configuring the
            port range, but there probably should be.

        - The BridgeServer does provide a mechanism for configuring the port range
            used for bridges.  By default, it uses ports in the range 49152-65535.


        One thing we could do is significantly narrow the range of addresses and ports
        used by the VenueServer and BridgeServer by default.  This would make the
        default case easier for everyone to deal with.  It would also, unfortunately, open
        us up to more likely address redundancy across Venues.

        Whatever is done, it should clearly be subject to the user community.

        What are the concerns of your admins?
        Do they care at all about opening up the multicast address range?  Why?
        Would it be enough to be able to select a bridge with a known port range that
        would work for any venue?

        I think the real problem is in bridging, where you're concerned with traffic from
        real hosts.  But let's get input from some of those (Draconian) net admins and
        build a practical solution.

        Frank Sweetser, other net admins:  Are you listening?


        Tom Uram




        On 2/13/06 1:05 PM, R. P. Channing ["Rick"] Rodgers wrote:
        >> From: "Ivan R. Judson" <[email protected]>
        >> Subject: RE: [AG-TECH] One-page summary of AG port usage -- please help us
        >> complete it
        >> Date: Mon, 13 Feb 2006 11:41:32 -0600
        >>
        >>
        >> I think what you're hearing is unwillingness for anyone to commit to a wrong
        >> answer.
        >>
        >> From memory, the ports for vic, rat, and the rest of the tools are allocated
        >> by the venue server. It can be a static allocation configured by the
        >> provider or a dynamic allocation (I think the default).
        >
        > Perhaps my understanding is faulty, but I also believe that the default is
        > automated assignment by the server.  But that can not be entirely random --
        > the numbers must be drawn from a range of values appearing somewhere in the
        > code.  Having that range in a doc. is much better than having nothing,
        > which is what we have now.
        >
        > A subsequent posting from Zsolt Nagykaldi makes the point, which I emphatically
        > agree with, that port assignment is a crucial problem to solve if AG is truly
        > going to take off.  He suggests using fixed port numbers with a registry, which
        > is one solution (and by "fixed" I believe he means that required ports would
        > remain the same for a given venue over time).  Another might be to adapt or
        > create a protocol allowing the exchange of port numbers when entering a venue
        > (which would at least tell you what ports were required, even if they don't
        > happen to be open at the moment).  Another might be to devise a tunnelling
        > mechanism through a number of fixed ports which are permanently assigned for
        > that purpose, sort of a port-related sibling to the multicast-unicast bridging
        > that the AG can do now.  This would allow people working in tightly constrained
        > networks to use the AG, at the cost of some performance penalty.
        >
        > Whatever solution is ultimately pursued, dealing with the port issue is the
        > single most important technical issue I see right now with AG.  It
        > has certainly been delaying our deployment at the UCSSF medical center.
        > This document helps focus our attention on the problem, and I hope we can get
        > help completing it.  It needs to be accompanied by further instructions related
        > to port assignment (e.g., how they can be statically configured).
        >
        > Cheers, Rick Rodgers
        >
        >> Given this configurability, it's impossible to state exactly what ports the
        >> media tools will or won't use.
        >>
        >> Sorry for the complicated answer.
        >>
        >> --Ivan
        >>
        >>> -----Original Message-----
        >>> From: [email protected]
[mailto:[email protected]] On
        >>> Behalf Of R. P. Channing ["Rick"] Rodgers
        >>> Sent: Monday, February 13, 2006 11:36 AM
        >>> To: [email protected]; [email protected];
[email protected]
        >>> Cc: [email protected]; [email protected];
        >>> [email protected]
        >>> Subject: RE: [AG-TECH] One-page summary of AG port usage -- please help us
        >>> complete it
        >>>
        >>> Michael,
        >>>
        >>> Thanks, I agree that AG Central would be an excellent development resource
        >>> and then final home for our summary of AG port usage.  We certainly need
        >>> help completing it.  The biggest gap right now is port ranges for vic and
        >>> rat.
        >>> I just *know* that folks working with the code for these applications more
        >>> actively than we do could produce these numbers in a few minutes.
        >>>
        >>> In browsing around in the AG Central forums, it appears that they have only
        >>> received light traffic thus far, not that that should stop us from helping to
        >>> kick-start the community there.  It's not clear which forums would be optimal
        >>> for our purposes -- I suppose "AG Toolkit/General"?  So I'm taking your advice,
        >>> reattaching our two documents here, and also posting my original message to
        >>> "AG Toolkit/General" on the forum at http://agcentral.org as well.
        >>>
        >>> CORRECTION: just tried to do the above, and got completely wedged -- not
        >>> clear that I have permissions to post to the forum, even though I'm
        >>> registered.
        >>> Then my web client got completely stuck.  Will try again later, sigh...
        >>>
        >>> Cheers, Rick Rodgers
        >>>
        >>>> From: "Michael Daw" <[email protected]>
        >>>> Subject: RE: [AG-TECH] One-page summary of AG port usage -- please help us
        >>>> complete it
        >>>> Date: Mon, 13 Feb 2006 09:43:55 +0000
        >>>>
        >>>> Great work guys! This is going to be good.
        >>>>
        >>>> But, can I suggest using http://agcentral.org for this? If the document is
        >>>> discussed and refined in a forum, it will be easy to find.  Once it's
        >>>> ready, it can be posted to the help center. Because most of us still aren't
        >>>> completely used to using agcentral, you can always post frequently to ag-tech too
        >>>> with pointers.
        >>>>
        >>>>> -----Original Message-----
        >>>>> From: [email protected]
        >>>>> [mailto:[email protected]] On Behalf Of R. P.
        >>>>> Channing ["Rick"] Rodgers
        >>>>> Sent: 10 February 2006 20:21
        >>>>> To: [email protected]
        >>>>> Cc: [email protected]; [email protected];
        >>>>> [email protected]; [email protected]
        >>>>> Subject: [AG-TECH] One-page summary of AG port usage --
        >>>>> please help us complete it
        >>>>>
        >>>>> Dear AG Colleagues,
        >>>>>
        >>>>> I now realize that the work I started last December, trying to create a
        >>>>> one-page summary of AG port usage (based on the commendable document created by
        >>>>> Javier Gomez Alonso of the Access Grid Support Centre at the University
        >>>>> of Manchester) is not easily locatable in the list archives.  I resend it,
        >>>>> attached, along with the Excel version that David E. Bernholdt of ORNL kindly
        >>>>> created.  As I said earlier, all of these documents are missing some
        >>>>> key information, such as the port ranges used by vic and rat.  I send this out
        >>>>> again in the hope that another AG colleague will pick it up and complete it.
        >>>>> We all really need to have something like this, and I would hope that eventually
        >>>>> it would end up on the AG web site(s), and be maintained to reflect any
        >>>>> coding changes/additions made to AG software.
        >>>>>
        >>>>> Best Regards, Rick Rodgers
        >>>>>
        >>>>>
        >>>>> --------------------------------------------------------------------------------
        >>>>> R. P. C. Rodgers, M.D. * [email protected] * (301)435-3267 (voice, fax)
        >>>>> OHPCC, LHNCBC, U.S. National Library of Medicine, NIH
        >>>>> Bldg 38, Rm. B1N-30F2, 8600 Rockville Pike, Bethesda MD 20894 USA
        >>>>> http://lhc.nlm.nih.gov/staff/rodgers/rodgers.html
        >>>>>
        >>>>>
        >>>>>
        >>>
        >



        ------ End of Forwarded Message




--- End Message ---
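The two problems Cullen raises at the top of the thread (an RPC service landing a dynamic port inside the range the firewall opens for the bridge, and the bridge host therefore exposing something other than the bridge) and the dynamic-versus-static allocation Tom describes in the forwarded message, as an added example. This is Python written for this page, not AG Toolkit or BridgeServer code. It assumes a Linux bridge host whose listeners are listed with `ss -lunp`; the listener lines below are constructed sample input in that layout, the process names (BridgeServer, rpc.mountd, afsd) and ports are illustrative, and "two ports per venue" is an assumption made to keep the static-assignment function short.

```python
"""
Port-range audit for an Access Grid bridge host (added example for this page,
not AG Toolkit code).  It checks the two problems raised in the thread when a
firewall opens a UDP port range to any remote host:
  1. the host's ephemeral port range overlaps the opened bridge range, so an
     unrelated RPC service can be allocated a port inside it;
  2. a listener inside the opened range is not the expected bridge process.
It also shows the static per-venue alternative: fixed, non-overlapping ports
assigned from a (narrowed) range, and the exhaustion that a narrower default
range makes more likely.
"""
import re
from typing import NamedTuple, Optional


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


# Constructed sample in the layout of `ss -lunp` (Linux, run as root so the
# process column is populated).  Process names and ports are illustrative.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=612,fd=5))
UNCONN 0      0      0.0.0.0:2049        0.0.0.0:*         users:(("nfsd",pid=700,fd=3))
UNCONN 0      0      0.0.0.0:51204       0.0.0.0:*         users:(("rpc.mountd",pid=701,fd=7))
UNCONN 0      0      0.0.0.0:55000       0.0.0.0:*         users:(("BridgeServer",pid=900,fd=4))
UNCONN 0      0      0.0.0.0:55001       0.0.0.0:*         users:(("BridgeServer",pid=900,fd=5))
UNCONN 0      0      0.0.0.0:60123       0.0.0.0:*         users:(("afsd",pid=450,fd=9))
"""

# The IANA dynamic/private range, which is also the BridgeServer default quoted
# in the thread; Linux's default net.ipv4.ip_local_port_range is 32768-60999.
AG_BRIDGE_RANGE = (49152, 65535)
LINUX_EPHEMERAL = (32768, 60999)

SS_LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text: str) -> list:
    """Parse `ss -lunp`-style lines into Listener records (header lines skipped)."""
    out = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            out.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return out


def range_overlap(a, b) -> Optional[tuple]:
    """Inclusive overlap of two (lo, hi) port ranges, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def audit_listeners(listeners, opened, expected_process) -> list:
    """Listeners bound inside the firewall-opened range that are not the bridge.

    Anything returned here is reachable from every host the firewall rule
    admits, whether or not it was ever meant to be."""
    lo, hi = opened
    return [l for l in listeners
            if lo <= l.port <= hi and l.process != expected_process]


def assign_static_ports(venues, port_range, ports_per_venue=2) -> dict:
    """Fixed per-venue port assignment from a range.

    ports_per_venue=2 is an assumption (one RTP/RTCP pair per venue); real
    venues carry several streams.  Raises if the range cannot hold every
    venue, which is the redundancy problem a narrowed default runs into."""
    lo, hi = port_range
    capacity = (hi - lo + 1) // ports_per_venue
    if len(venues) > capacity:
        raise ValueError(f"range {lo}-{hi} holds {capacity} venues, "
                         f"{len(venues)} requested")
    return {v: tuple(lo + i * ports_per_venue + k for k in range(ports_per_venue))
            for i, v in enumerate(venues)}


if __name__ == "__main__":
    print("ephemeral/bridge overlap:", range_overlap(LINUX_EPHEMERAL, AG_BRIDGE_RANGE))
    for l in audit_listeners(parse_ss(SAMPLE_SS), AG_BRIDGE_RANGE, "BridgeServer"):
        print(f"unexpected listener in opened range: {l.process} on {l.addr}:{l.port}")
    print(assign_static_ports(["Lobby", "Room A"], (55000, 55003)))
```

On a real host, feed `ss -lunp` output to `parse_ss` instead of the sample. The overlap check is the cheap test to run first: if it is non-empty, the second problem is a matter of time, because any RPC service that binds an ephemeral port can land inside the opened range. Narrowing the bridge range and pinning the firewall rule to it (Cullen's static mapping) shrinks what is exposed, at the cost the thread notes of fewer venues fitting in the range.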
