PS> Port for PSI - Static vs Dynamic issues

McDonald, Ira imcdonald at sharplabs.com
Fri Oct 11 14:26:04 EDT 2002


Hi,

Per my action item from Tuesday's PSI Telecon:

PSI interfaces SHOULD have a static port (IANA-registered by vendor 'PWG')
that is always the PSI listen port.  

PSI interfaces SHOULD NOT use dynamic ports (even by protocol agreement 
during PSI WSDL sessions), because:


1)  Firewalls and NAT (Network Address Translator) systems assume that
    all protocols allowed to pass (traverse the domain boundary) use
    static IANA-registered ports (permission rules are normally based
    on a specific application protocol over a specific numbered port).
    Firewalls/NATs often implement ALGs (Application Layer Gateways)
    that enforce fine-grained permission rules.  But the premise is
    always that the protocol on a given port is INVARIANT, and is 
    determined by the port number (FTP proxies are fundamentally
    dangerous, for this reason).

    Dynamic ports completely defeat ALGs and firewall permissions
    (thus destroying the 'security perimeter' of the firewall).

    (There are a series of horrible exceptions in ALGs around HTTP 
    port 80, due to other 'hidden' application protocols - PSI should
    not go there...)


2)  Boundary routers (between enterprise and public networks) and
    core routers (within the Internet backbone) manage quality of
    service and packet delivery by 'aggregating' destinations
    (host/port pairs) for routing decisions.  

    Dynamic ports completely defeat traffic 'aggregation' (because
    the router has no way to know that the alternate port traffic
    is associated with the original static port traffic).

    Routers also block all ports that are not specifically
    authorized to cross a domain boundary (in one direction or
    the other - not necessarily both) in their permission rules.
    Dynamic ports simply won't work in the general case.

Hope this helps.

Cheers,
- Ira McDonald
  High North Inc
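The argument in point 1 above, as an added illustration that is not part of the original post: a toy model of a port-based firewall whose permission rules are keyed on (protocol, port), plus an FTP-style ALG that opens "pinholes" for ports named in-band. The port numbers, addresses and the control-message syntax are constructed placeholders (the post names no registered PSI port number).

```python
# Added example (not from the post): port-based permission rules vs. in-band dynamic ports.
# PSI_STATIC_PORT, the addresses and the "CONTINUE-ON-PORT" message are constructed.
import re
from dataclasses import dataclass

PSI_STATIC_PORT = 5555  # constructed placeholder for a PWG-registered PSI port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # application protocol the gateway believes this port carries


class PortFirewall:
    """Permission rules keyed on (protocol, port): the protocol on a port is invariant."""

    def __init__(self, rules):
        self.rules = set(rules)   # static, IANA-style (protocol, port) permissions
        self.pinholes = set()     # (dst, dport) pairs opened by the ALG

    def permits(self, flow):
        if (flow.proto, flow.dport) in self.rules:
            return True
        return (flow.dst, flow.dport) in self.pinholes

    def alg_inspect(self, control_msg, dst):
        """FTP-style ALG: trust an in-band 'continue on port N' and open that port.
        Whatever port the peer names becomes reachable, which is why the post
        calls this approach fundamentally dangerous."""
        m = re.fullmatch(r"CONTINUE-ON-PORT (\d+)", control_msg)  # constructed syntax
        if m:
            self.pinholes.add((dst, int(m.group(1))))


def demo():
    """Returns (static port permitted, dynamic port before ALG, dynamic port after ALG)."""
    fw = PortFirewall({("psi", PSI_STATIC_PORT)})
    static = Flow("10.0.0.5", "192.0.2.10", PSI_STATIC_PORT, "psi")
    dynamic = Flow("10.0.0.5", "192.0.2.10", 49152, "psi")
    before = fw.permits(dynamic)                        # plain rules: dropped
    fw.alg_inspect("CONTINUE-ON-PORT 49152", "192.0.2.10")
    after = fw.permits(dynamic)                         # only an ALG lets it through
    return fw.permits(static), before, after


if __name__ == "__main__":
    print(demo())  # → (True, False, True)
```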
