AG Port issues (was Re: [AG-TECH] Access Grid 3.0 beta1 available !)

Brian Corrie bcorrie at
Tue Jan 31 14:21:55 CST 2006

Oh yes, I should add that our multicast IPs come from our own GLOP 
range, so they will not conflict with other multicast IP numbers used by 
other organizations (Argonne, NCSA, etc).


Brian Corrie wrote:

> Hello all,
> We (WestGrid) have fought this battle as well. We run our own venue 
> server and have set all of the ports on it manually so that they fall 
> within a very restricted range. We have documented this in the following 
> document. This is our attempt to help people get over this problem. Not 
> 100% satisfactory, and not as extensive as Javier's in terms of other 
> tools, but at least it is well defined for the problem apps (vic/rat)...
> In addition, it helps to soothe the network folks if you can tell them 
> what IPs to open specific ports to. You may have to open up the 
> multicast range (we don't do multicast across campus), but unicast UDP 
> ports can be limited to those bridges that you typically use. That is, 
> we open the unicast UDP port range to only specific IP numbers. These 
> are the Argonne, NCSA, and WestGrid bridges (and others as required). 
> This way, if UDP connections don't come from one of the known machines 
> the packets are tossed...
> We are fortunate in that although our networking folks are pretty strict 
>  they are also willing to listen and will open ports. It does take some 
> convincing...
> My $0.02 worth...
> Brian
> R. P. Channing ["Rick"] Rodgers wrote:
>> All of these points are well made.  I certainly subscribe to the "one 
>> port, one
>> service" line of thought, but the underlying problem remains, that to 
>> actually
>> deploy AG in most locations today, one has to deal with network 
>> administrators
>> and the policies they are required to implement (and it's pointless to
>> villify either), and we can not even hand these administrators a 
>> simple printed
>> list of ports to open.
>> I made a stab at this some weeks back, starting with the document created
>> by Javier Gomez Alonso of Manchester (see
>> David E. Bernholdt of Oak Ridge National Laboratory then recast my 
>> ASCII table in the form of a Excel spreadsheet, which I attach, as I 
>> can not find my
>> ASCII original now.  There are glaring holes for rat anc vic, among 
>> others.
>> We really, really, *really* need to create such a list, minimizing the 
>> number
>> of ports as far as is possible, consistent with clean engineering and 
>> adequate
>> functionality.  Or, better yet, have three such lists with varying 
>> numbers
>> of ports that are required to be opened, based on the level of 
>> functionality
>> required.  In any event, the list would have to be kept in synchrony 
>> with the
>> development of AG.  Having such a list is going to be an important as 
>> having
>> AG software, if we want the community to grow.
>> Best Regards, Rick Rodgers
>>> From: Colin Perkins <csp at>
>>> Subject: Re: [AG-TECH] Access Grid 3.0 beta1 available !
>>> Date: Tue, 31 Jan 2006 16:51:31 +0000
>>> To: "Ivan R.Judson" <judson at>
>>> On 31 Jan 2006, at 16:28, Ivan R. Judson wrote:
>>>> I think the interesting question from a user perspective is:
>>>> Would you rather open one port and we tunnel all traffic through it  
>>>> (and
>>>> you'll never know about all the types or kinds of traffic) or make  
>>>> it easy
>>>> to have one tunnel per type of data/connection that's easier to  
>>>> open/close
>>>> and audit based on actual use?
>>>> I *think* the future is in the latter, because you can easily see a
>>>> manageable system being built that allows programmatic (with  
>>>> authentication
>>>> obviously) access for dynamically opening and closing tunnels based on
>>>> specific "contracts" about usage, data, src/destination, duration,  
>>>> etc.
>>> And, if you have well defined (narrow) port ranges for each media,  
>>> makes it easy to firewall off specific media, or to assign varying  
>>> QoS for each media.
>>>> I can't see any good way to justify "opaque aggregate tunnels" that  
>>>> hide the
>>>> fact a break-in occurred in a mess of other data.
>>> Indeed.
>>> Colin
>> -------------------------------------------------------------------------------- 
>> R. P. C. Rodgers, M.D. * rodgers at * (301)435-3267 (voice, fax)
>> OHPCC, LHNCBC, U.S. National Library of Medicine, NIH
>> Bldg 38, Rm. B1N-30F2, 8600 Rockville Pike, Bethesda MD 20894 USA

More information about the ag-tech mailing list