Hi,
Per my action item from Tuesday's PSI Telecon:
PSI interfaces SHOULD have a static port (IANA-registered by vendor 'PWG')
that is always the PSI listen port.
PSI interfaces SHOULD NOT use dynamic ports (even by protocol agreement
during PSI WSDL sessions), because:
1) Firewalls and NAT (Network Address Translator) systems assume that
all protocols allowed to pass (traverse the domain boundary) use
static IANA-registered ports (permission rules are normally based
on a specific application protocol over a specific numbered port).
Firewalls/NATs often implement ALGs (Application Layer Gateways)
that enforce fine-grained permission rules. But the premise is
always that the protocol on a given port is INVARIANT, and is
determined by the port number (FTP proxies are fundamentally
dangerous, for this reason).
Dynamic ports completely defeat ALGs and firewall permissions
(thus destroying the 'security perimeter' of the firewall).
(There are a series of horrible exceptions in ALGs around HTTP
port 80, due to other 'hidden' application protocols - PSI should
not go there...)
2) Boundary routers (between enterprise and public networks) and
core routers (within the Internet backbone) manage quality of
service and packet delivery by 'aggregating' destinations
(host/port pairs) for routing decisions.
Dynamic ports completely defeat traffic 'aggregation' (because
the router has no way to know that the alternate port traffic
is associated with the original static port traffic).
Routers also block all ports that are not specifically
authorized to cross a domain boundary (in one direction or
the other - not necessarily both) in their permission rules.
Dynamic ports simply won't work in the general case.
Hope this helps.
Cheers,
- Ira McDonald
High North Inc
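An added illustration, not part of Ira's mail, of the port-keyed permission model he describes in point 1: a toy stateless boundary filter in Python whose rules are keyed on direction, transport protocol and destination port, plus an ALG table that pins one application protocol to each permitted port. PSI_PORT, the rule set and the sample session flows are constructed placeholders (the mail does not name a registered port number); the point it shows is that a connection on a dynamically negotiated port has no rule to match, and a different application protocol on the static port is rejected by the ALG.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# PLACEHOLDER: the mail asks for an IANA-registered static PSI port but
# gives no number; any fixed value works for the model.
PSI_PORT = 9999


@dataclass(frozen=True)
class Rule:
    """One firewall permission: a transport protocol on a numbered port, one direction."""
    direction: str   # "inbound" (public -> enterprise) or "outbound"
    proto: str       # transport protocol, "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """A connection attempt as the boundary device sees it."""
    direction: str
    proto: str
    dst_port: int
    app_proto: str   # application protocol the ALG identifies in the payload


# Permission rules are static and port-keyed, as in the mail: only the
# registered PSI port (both directions) and outbound HTTPS may traverse.
RULES: Set[Rule] = {
    Rule("inbound", "tcp", PSI_PORT),
    Rule("outbound", "tcp", PSI_PORT),
    Rule("outbound", "tcp", 443),
}

# ALG premise: the application protocol on a given port is invariant and
# determined by the port number.
ALG_EXPECTS: Dict[int, str] = {PSI_PORT: "PSI", 443: "HTTPS"}


def filter_decision(flow: Flow,
                    rules: Set[Rule] = RULES,
                    alg: Dict[int, str] = ALG_EXPECTS) -> str:
    """Return 'accept' or a 'drop: ...' reason for a single flow."""
    # Step 1: the permission rule is looked up purely by (direction, proto, port).
    if Rule(flow.direction, flow.proto, flow.dst_port) not in rules:
        return f"drop: no permission rule for {flow.proto}/{flow.dst_port}"
    # Step 2: the ALG checks that the payload really is the protocol bound to that port.
    expected = alg.get(flow.dst_port)
    if expected is not None and expected != flow.app_proto:
        return f"drop: ALG expects {expected} on port {flow.dst_port}, saw {flow.app_proto}"
    return "accept"


def session_outcome(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every flow of a session independently: the filter is stateless,
    so it has no way to tie a negotiated port back to the static one."""
    return [(f, filter_decision(f)) for f in flows]


# Constructed sample session: the first connection uses the static port, the
# second (hypothetically) uses a dynamic port 52000 agreed inside the session,
# the third carries a different application protocol on the PSI port.
SAMPLE_SESSION = [
    Flow("inbound", "tcp", PSI_PORT, "PSI"),   # static port: permitted
    Flow("inbound", "tcp", 52000, "PSI"),      # negotiated port: no rule exists
    Flow("inbound", "tcp", PSI_PORT, "HTTP"),  # wrong protocol on the PSI port
]

if __name__ == "__main__":
    for flow, verdict in session_outcome(SAMPLE_SESSION):
        print(f"{flow.direction:8} {flow.proto}/{flow.dst_port:<5} "
              f"{flow.app_proto:5} -> {verdict}")
```

Running the block prints one verdict per flow: the static-port PSI connection is accepted, the connection on the negotiated port is dropped for lack of a rule, and HTTP on the PSI port is dropped by the ALG. A stateful ALG that parses the negotiation (the FTP case the mail calls dangerous) would be the only way to open the second port, which is exactly the mechanism the mail argues PSI should not rely on.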
This archive was generated by hypermail 2b29 : Fri Oct 11 2002 - 14:27:59 EDT