[AG-TECH] Static Unicast Ports

Todd Zimmerman toddz at sfu.ca
Fri Jun 8 14:46:55 CDT 2007


Within WestGrid, we have a need to have static unicast ports for venues so that firewall
administrators can limit the ports required to be opened for AG usage.  Assigning static multicast
ports is easy; however, assigning static unicast ports is not.

I thought I'd post to the list the small hacks I've implemented to achieve static unicast ports on
our Venueserver/Bridgeservers.

For background, WestGrid utilizes static multicast addresses from the Netera Alliance glop space
(233.59.192.x) which we have authorization to use.  We also use a port numbering convention that
utilizes ports in the range of 60500 - 60800 for these multicast addresses/venues.  For static
unicast ports, we use a 'multicast port - 10000' convention - so our unicast range is 50500 -
50800.

For AG3 bridging, we still want to offer the bridge to users not using the WestGrid Venueserver - so
I start the bridge giving a range of usable ports outside of our statically used range
(55000-57000).  I then added a check in /usr/bin/Bridge to statically assign WestGrid venues while
leaving non-WestGrid venues to be assigned within the range assigned above.

Disclaimer - I am not a doctor nor do I play one on TV.  I'm not sure if there are any side effects
to using this hack - so don't blame me if something breaks ;-)  To use this hack you'll need access
to a multicast glop space and you need to make sure your static port range will not collide with
your non-static port range since all checks are bypassed.

This is the code I added at line 59 of /usr/bin/Bridge - just after the 'uaddr =
SystemConfig.instance().GetHostname()' line:


uport = None
if mnl["host"].startswith( "233.59.192" ):
   uport = mnl["port"] - 10000

Then changed lines 64/65 from:

retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"], mport=mnl["port"],
mttl=mnl["ttl"], uaddr=uaddr,uport=None)

to

retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"], mport=mnl["port"],
mttl=mnl["ttl"], uaddr=uaddr,uport=uport)


For AG2.4, the hack was easier since we were only bridging our own Venueserver - so we didn't have to
worry about setting up bridges outside of our range.  I added the following at line 560 (just after
'uport = 0' in __AddBridge):

uport = streamDesc.location.port - 10000

I then commented out the subsequent lines 561-571 (the port allocation part) since we no longer need
to allocate ports.

I've attached diffs for anyone interested.  These hacks are just that - hacks and I wouldn't
recommend using them; however I know other people are in the same circumstance as WestGrid and need
to limit port usage for security administrators.  If anyone has any thoughts or ideas on how best to
implement these in a better/more practical and configurable way I'd be interested to hear (I suppose
we could add a static bridge section to the bridge config file etc.) and perhaps I could look at
coding something up for inclusion in the main source.

Cheers,

Todd
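The following is an added illustration of the port convention described in the post, not code from the post or from the AccessGrid Bridge itself: it derives the static unicast port from the multicast address and port, falls back to a dynamic pool for venues outside the glop space, and performs the collision check between the static and dynamic ranges that the hack itself bypasses. The prefix, port ranges and offset are the values given in the post; the Allocator class is a hypothetical stand-in for the bridge's own allocator.

```python
import ipaddress

# Constructed values taken from the post: the WestGrid glop prefix, the
# multicast port convention, the -10000 offset, and the dynamic pool the
# bridge is started with for non-WestGrid venues.
STATIC_PREFIX = ipaddress.ip_network("233.59.192.0/24")
MCAST_RANGE = range(60500, 60801)      # 60500-60800 inclusive
STATIC_OFFSET = 10000                  # unicast = multicast - 10000
DYNAMIC_RANGE = range(55000, 57001)    # 55000-57000 inclusive


def static_unicast_port(maddr, mport, prefix=STATIC_PREFIX, offset=STATIC_OFFSET):
    """Return the static unicast port for a venue in the glop prefix, else None.

    A real prefix match is used instead of a string startswith() test so that
    an address such as 233.59.19.2 is not mistaken for 233.59.192.x."""
    if ipaddress.ip_address(maddr) not in prefix:
        return None
    uport = mport - offset
    if not 1 <= uport <= 65535:
        raise ValueError(f"derived unicast port {uport} is out of range")
    return uport


def derived_static_range(mcast_range=MCAST_RANGE, offset=STATIC_OFFSET):
    """The unicast port range implied by the multicast range and the offset."""
    return range(mcast_range.start - offset, mcast_range.stop - offset)


def overlap(a, b):
    """Ports shared by two ranges; empty when they do not collide."""
    return range(max(a.start, b.start), min(a.stop, b.stop))


class Allocator:
    """Hypothetical stand-in for the bridge's dynamic allocator: refuses to
    start if the static range collides with the dynamic pool, hands out
    dynamic ports in order, and rejects any port already assigned."""

    def __init__(self, dynamic=DYNAMIC_RANGE, mcast=MCAST_RANGE):
        if len(overlap(derived_static_range(mcast), dynamic)):
            raise ValueError("static unicast range collides with dynamic pool")
        self._free = list(dynamic)
        self.used = set()

    def assign(self, maddr, mport):
        """Static port for venues in the glop space, dynamic port otherwise."""
        uport = static_unicast_port(maddr, mport)
        if uport is None:
            uport = self._free.pop(0)
        if uport in self.used:
            raise ValueError(f"unicast port {uport} already assigned")
        self.used.add(uport)
        return uport
```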