[AG-TECH] Access Grid 3.0 beta1 available !

Andrew A Rowley Andrew.Rowley at manchester.ac.uk
Tue Jan 31 02:50:09 CST 2006


Hi,

Currently there is only ever one RAT instance but there is often more than one VIC instance, even on a node with one camera.  This will be fine using multicast, but will fail for the current unicast model if vic is made to bind to the same port for all instances.  This multiple-instance-in-unicast-mode is the current reason for sometimes seeing all the video streams muted in unicast mode.  If you "fix" this bug, you will find that you may also not be able to send multiple video feeds in unicast mode!

A better solution is for the AGTk to handle all the bridging regardless of the ports in use.  This could be done in a similar (same?) way as AG Connector - the AGTk gives vic and rat the multicast addresses and ports regardless of if it is in unicast or multicast mode, and regardless of the venue (e.g. 224.0.0.1).  In unicast mode, the AGTk client then forwards all traffic on this multicast address to the bridge.  In multicast mode, the AGTk forwards all traffic on this multicast address to the actual multicast address of the venue.

This also has the advantage that you now don't need to close and open vic and rat to change venue.  You just change which address the traffic is being forwarded from and to.  You also take away any other network problems from the tools, and put them into the toolkit.  This means that you could decide to use something other than UDP multicast, and it would still work fine.

Just an idea...  I have no time to code this myself at present, but I don't think it would be too hard to do...

Andrew :)

============================================
Access Grid Support Centre,
RSS Group,
Manchester Computing,
Kilburn Building,
University of Manchester,
Oxford Road,
Manchester, 
M13 9PL, 
UK
Tel: +44(0)161-275 0685
Email: Andrew.Rowley at manchester.ac.uk 

> -----Original Message-----
> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
> Behalf Of Thomas D. Uram
> Sent: 30 January 2006 22:08
> To: Nagykaldi, Zsolt F. (HSC)
> Cc: ag-tech at mcs.anl.gov
> Subject: Re: [AG-TECH] Access Grid 3.0 beta1 available !
> 
> The problem is that, while RAT uses the same source port as destination
> port which allows it to work through reflexive firewalls (those that open
> the source port based on the outgoing connection), VIC does not.  VIC
> instead uses an ephemeral port as the source port, which will not be
> opened according to a reflexive rule.
> 
> We received a patch from Chris Willing to make VIC first try to match the
> source port to the destination port, then use an ephemeral port if that
> fails.  The first part of the patch worked, but a second instance of this
> vic never started (on Windows, at least).  If someone would like to take
> up looking at that patch, I'd be happy to work with them to test it and
> get it into the core toolkit for the next release.  Details (and the
> patch) can be found in Bug 1228:
> 
> http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228
> 
> Tom
> 
> 
> 
> On 1/30/06 3:17 PM, Nagykaldi, Zsolt F. (HSC) wrote:
> >
> > 2 comments:
> >
> > 1) Win XP SP2 indeed self-configures the client machine firewall for the
> > AG Toolkit. The problem is that most Universities have a group policy to
> > overtake individual firewall control (usually they turn it off) when the
> > PC is connected to the local network. This renders local settings void
> > and only central settings count.
> > 2) Interestingly, RAT almost always works (apart from when clients have
> > "local" IPs assigned by PIX, where port forwarding or dedicated IP
> > address assignment help only), but VIC almost never works just by
> > installing the Toolkit behind regular firewalls. This tells me that in
> > the case of VIC, the connection is actually initiated by the server
> > (???) and since many networks specifically block INBOUND connections,
> > VIC can not receive incoming video, while RAT is fine (client initiates
> > connection??). This would explain why in many cases parties can talk and
> > may be visible on one side, but can not receive video on the other
> > (ominous "waiting for video..." message). I wonder whether something
> > could be done regarding this specific problem (i.e. can VIC work like
> > RAT in this regard).
> >
> > Zsolt
> >
> >
> > _ _ _
> >
> > Zsolt Nagykaldi, PhD
> > Research Associate, Clinical IT Specialist
> > University Of Oklahoma Health Sciences Center
> > Department Of Family And Preventive Medicine
> > Oklahoma Center For Family Medicine Research
> >
> > 900 NE 10th Street
> > Oklahoma City, OK 73104
> > Phone: (405) 271-8000 Ext.:1-32212
> > Fax:     (405) 271-1682
> >
> > ------------------------------------------------------------------------
> > *From:* Piers O'Hanlon [mailto:p.ohanlon at cs.ucl.ac.uk]
> > *Sent:* Mon 1/30/2006 12:21 PM
> > *To:* michael.daw at manchester.ac.uk
> > *Cc:* Nagykaldi, Zsolt F. (HSC); ag-tech; Socrates Varakliotis
> > *Subject:* Re: [AG-TECH] Access Grid 3.0 beta1 available !
> >
> > Hi Mike (and others),
> >
> >  > We discussed doing this as part of the SUMOVER project workshop in
> >  > November. This project is updating vic and rat at UCL, mainly for the
> >  > AG community. I can't remember where it was on the priority list,
> >  > though...
> >
> > I guess there's a couple of issues here - There's port selection, and
> > there's firewall config.
> > - As mentioned by others the media port ranges are controlled by the AG
> > server's config - these can be taken down to narrower ranges. There
> > shouldn't be too much of an issue with multicast venue address clashing
> > if the 233/8 GLOP addressing is used by the servers.
> >
> > - Secondly the firewall interaction then depends on which platform AG
> > client is running on - For those lucky folk running WinXP-SP2 I
> > understand that AG will automatically configure the windows firewall to
> > let AG traffic pass (could possibly explain lack of connectivity in one
> > previous email if things go wrong?). If you're not running Windows
> > Firewall then you're probably back to manual FW config. If you're
> > running Linux then you'll need to open some holes in your firewall
> > (iptables/ipchains etc) manually.
> >
> > I should mention that most of this is out of scope of the media tools
> > themselves as UDP port selection isn't generally done by the tools
> > themselves. The one caveat is that vic does normally allow the OS to
> > choose the source port when it sends video packets, though this doesn't
> > usually matter if the firewall is appropriately configured. If needs be
> > we could add an option to enable source port selection, or 'symmetric'
> > ports usage.
> >
> > Piers.
> >
> >  >
> >  > More information (though sparse!):
> >  > http://www.cs.ucl.ac.uk/research/sumover/
> >
> > It has been updated today with more info.
> >
> > Piers.
> >
> >  >
> >  > Perhaps one of the team could enlighten us...?!
> >  >
> >  >
> > ------------------------------------------------------------------------
> >  >     *From:* owner-ag-tech at mcs.anl.gov
> >  >     [mailto:owner-ag-tech at mcs.anl.gov] *On Behalf Of *Nagykaldi,
> >  >     Zsolt F. (HSC)
> >  >     *Sent:* 30 January 2006 15:19
> >  >     *To:* ag-tech
> >  >     *Subject:* RE: [AG-TECH] Access Grid 3.0 beta1 available !
> >  >
> >  >
> >  >     It seems that most practical problems during implementation come
> >  >     from firewall issues. Are you guys planning to (at least) narrow
> >  >     the UDP port range for VIC and RAT, or maybe (in my dreams) tunnel
> >  >     all audio/video traffic through a few number of ports that are
> >  >     usually open? I have been networking with a lot of people who are
> >  >     desperate to set up their nodes and they hit a brick wall every
> >  >     time it comes to push changes through their IT departments, who
> >  >     are freaking out about the idea of opening ports in such a wide
> >  >     range. More and more people would like to use the system via PIGs
> >  >     and not necessarily big institutional nodes that require weeks, if
> >  >     not months of negotiations and arm-twisting each time a new client
> >  >     is added at a new location. (The AG Connector would be really
> >  >     helpful, except it causes an ominous looping drop of all
> >  >     audio-video connections, as it has been reported before, and it is
> >  >     very unreliable). Extra features in v3.0 are nice, but I truly
> >  >     believe that the firewall/ports issue is the most significant
> >  >     barrier to wider adoption of the Toolkit.
> >  >
> >  >
> >  >     Zsolt
> >  >
> >  >     _ _ _
> >  >
> >  >     Zsolt Nagykaldi, PhD
> >  >     Research Associate, Clinical IT Specialist
> >  >     University Of Oklahoma Health Sciences Center
> >  >     Department Of Family And Preventive Medicine
> >  >     Oklahoma Center For Family Medicine Research
> >  >
> >  >     900 NE 10th Street
> >  >     Oklahoma City, OK 73104
> >  >     Phone: (405) 271-8000 Ext.:1-32212
> >  >     Fax:     (405) 271-1682
> >  >
> >
> >
> 
> 
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.14.23/243 - Release Date:
> 27/01/2006
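
The two behaviours discussed in this thread, as an added example that is not from any of the posters and is not the Bug 1228 patch: binding the UDP source port to the destination port with an ephemeral fallback, and a toy model of a reflexive firewall rule. All names (`open_media_socket`, `ReflexiveFirewall`, `simulate_instances`) are hypothetical, the venue port is a constructed stand-in, and everything runs on loopback.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: the demo never leaves the local host

def free_udp_port():
    """Pick a currently unused UDP port to stand in for the venue's video port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]

def open_media_socket(dest_port):
    """Try source port == destination port; fall back to an ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((LOOPBACK, dest_port))
        return s, True
    except OSError:          # port already taken, e.g. by an earlier instance
        s.bind((LOOPBACK, 0))
        return s, False

class ReflexiveFirewall:
    """Toy model: an outbound packet opens an inbound hole on its source port."""
    def __init__(self):
        self.holes = set()

    def outbound(self, src_port):
        self.holes.add(src_port)

    def allows_inbound(self, dst_port):
        return dst_port in self.holes

def simulate_instances(venue_port, count):
    """Start `count` senders; report (source port, symmetric?, venue traffic admitted?)."""
    socks, report = [], []
    try:
        for _ in range(count):
            s, symmetric = open_media_socket(venue_port)
            socks.append(s)
            src = s.getsockname()[1]
            fw = ReflexiveFirewall()      # judge each instance's traffic on its own
            fw.outbound(src)
            report.append((src, symmetric, fw.allows_inbound(venue_port)))
    finally:
        for s in socks:
            s.close()
    return report

if __name__ == "__main__":
    for row in simulate_instances(free_udp_port(), 2):
        print(row)
```

Only the first instance gets the symmetric port; a second instance on the same node falls back to an ephemeral source port, which the modelled reflexive rule does not open for traffic addressed to the venue port.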



