[Fwd: Re: [AG-TECH] One-page summary of AG port usage -- please help us complete it]

Frank Sweetser fs at WPI.EDU
Wed Mar 1 11:02:18 CST 2006


On Mon, Feb 27, 2006 at 02:47:54PM -0600, Thomas D. Uram wrote:
> >What are the concerns of your admins?  Do they care at all about opening up
> >the multicast address range?  Why?  Would it be enough to be able to select
> >a bridge with a known port range that would work for any venue?
> >
> >I think the real problem is in bridging, where you're concerned with traffic
> >from real hosts.  But let's get input from some of those (Draconian) net
> >admins and build a practical solution. 

Sure, I'll ramble for a bit =)

There are two parts to this: the technical, and the political.

It looks to me like a venue is uniquely identified by an (address, port) tuple.
Since the multicast address range in use here is fairly small, the possibility
of a collision is mitigated by using a large port range.  Correct?

Looking at it from the view of a paranoid net admin, whenever a request comes
in, the more restrictive it is, the more likely it is to get granted.  Requests
for thousands of port ranges tend to be indicative of "shotgun"
troubleshooting, and significantly more likely to have unintended consequences.
The ability to narrow down a venue to a minimal number of required ports will
make it much more palatable to security admins, and most likely much more
compatible with security policies.

On the other hand, it is already a hard technical requirement for AG that
multicast must be wide open.  If other sufficient restrictions are in place
(port filtering, application layer filtering like a PacketShaper or TippingPoint)
point) then allowing multicast shouldn't open up any holes that weren't already
there for unicast.

What I would suggest, then, is to move the technical issue to one that is
politically easier to handle.  If the multicast range could be expanded by
using GLOP addressing, and the port range narrowed down, then the port range
document could be greatly simplified.  Obviously this wouldn't be the ideal in
all cases, especially if the site is already using some of their GLOP
addresses, but it would be nice to have a choice between "Use generic AG range"
or "Use your site's GLOP range".

Ideally, the venue server setup would even interface with a BGP looking glass
to automagically fill in the default multicast range with the appropriate range
for the machine's ASN.

Beyond that, I think the most useful tool for users in getting coordination
with net admins would be to expand the port range documentation to also include
an explanation/justification for any ports and address ranges it asks to be
opened, and also explain some of the security measures AG takes.  That way, a)
the user doesn't have to understand the information to explain it to the local
admins, and b) it is quite obvious that the AGTk itself is taking adequate
security measures to secure those resources.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
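The GLOP mapping Frank refers to (RFC 3180) is mechanical: the site's 16-bit ASN is split into its high and low bytes, which become the second and third octets of a 233.0.0.0/8 address, giving the site a dedicated /24 of multicast groups. The following is an added example, not code from the thread or from the AG toolkit, showing how a net admin could derive that /24 from an ASN, check a proposed venue list against it, flag (address, port) collisions between venues, and collapse the venue ports into the minimal set of ranges a firewall request would list. The ASN, venue names, groups and ports are constructed for illustration; the AG "generic" range is not assumed, since the thread does not state it.

```python
"""Added example (not from the original thread): derive a site's GLOP
multicast /24 from its 16-bit ASN (RFC 3180), check venues against it,
and summarise the ports a firewall request would need.  The ASN, venue
names, group addresses and ports below are constructed sample data."""
import ipaddress

GLOP_BASE = ipaddress.IPv4Network("233.0.0.0/8")  # RFC 3180 GLOP block


def glop_range(asn: int) -> ipaddress.IPv4Network:
    """Return the GLOP /24 for a 16-bit ASN: 233.<hi byte>.<lo byte>.0/24."""
    if not 0 < asn <= 0xFFFF:
        # RFC 3180 only defines GLOP for 2-byte ASNs; a 4-byte ASN has no block,
        # so a looking-glass lookup returning one must fall back to another range.
        raise ValueError(f"GLOP addressing is defined only for 16-bit ASNs, got {asn}")
    hi, lo = asn >> 8, asn & 0xFF
    return ipaddress.IPv4Network(f"233.{hi}.{lo}.0/24")


def asn_from_glop(addr: str) -> int:
    """Inverse mapping: recover the ASN that owns a GLOP group address."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in GLOP_BASE:
        raise ValueError(f"{addr} is not a GLOP address")
    octets = ip.packed
    return (octets[1] << 8) | octets[2]


def check_venues(asn: int, venues):
    """Classify each (name, group, port) venue as inside or outside the site's
    GLOP block and flag duplicate (group, port) tuples, since a venue is
    identified by that tuple and a duplicate means two venues collide."""
    block = glop_range(asn)
    seen = {}
    report = []
    for name, group, port in venues:
        key = (ipaddress.IPv4Address(group), port)
        report.append({
            "venue": name,
            "group": group,
            "port": port,
            "in_glop": key[0] in block,
            "collides_with": seen.get(key),  # None unless an earlier venue used the tuple
        })
        seen.setdefault(key, name)
    return report


def collapse_ports(ports):
    """Collapse a collection of ports into sorted contiguous (low, high) ranges,
    the minimal form a firewall change request would list."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


# Constructed sample data: a made-up ASN and four venues, one of which
# reuses another's (group, port) tuple and one of which sits outside GLOP.
SAMPLE_ASN = 5662  # 0x161E -> 233.22.30.0/24
SAMPLE_VENUES = [
    ("Lobby", "233.22.30.1", 50000),
    ("Room A", "233.22.30.2", 50001),
    ("Room B", "224.2.128.5", 50002),
    ("Stale copy", "233.22.30.1", 50000),
]

if __name__ == "__main__":
    print("GLOP block for AS%d: %s" % (SAMPLE_ASN, glop_range(SAMPLE_ASN)))
    for row in check_venues(SAMPLE_ASN, SAMPLE_VENUES):
        print(row)
    print("port ranges to request:", collapse_ports(v[2] for v in SAMPLE_VENUES))
```

Run stand-alone, the script prints the site's /24, one line per venue marking whether it lies inside that block and whether it collides with an earlier venue, and the contiguous port ranges the request would need. The ValueError on a 4-byte ASN is the case the "looking glass" idea has to handle explicitly, since such sites have no GLOP block to fall back to.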
