Re: [perfsonar-user] Communication behaviour of Monitoring PCs with bwctl


  • From: Roland Karch <>
  • To: "Niederberger, Ralph" <>
  • Cc: "''" <>, 'Frank Scheiner' <>
  • Subject: Re: [perfsonar-user] Communication behaviour of Monitoring PCs with bwctl
  • Date: Thu, 25 Mar 2010 09:25:18 +0100
  • Organization: DFN-Labor, Regionales RechenZentrum Erlangen (RRZE)

Hi Ralph,

Niederberger, Ralph wrote:
> Dear all,
>
> yesterday I did some tests with bwctl software.
>
> I am using
>
> - MonPC-A as host initiating measurements between MonPC-B and MonPC-C.
> - MonPC-B as Sendhost for iperf
> - MonPC-C as Recvhost for iperf
>
>
> Starting at MonPC-A the command
>
> /usr/local/bin/bwctl -s MonPC-B -c MonPC-C
>
> I see with wireshark on host MonPC-A connections from high ports to port
> 4823 at hosts MonPC-B and MonPC-C.
> So this is for initiating the measurement.
>
> On MonPC-B I see that MonPC-B and MonPC-C are starting communications on
> high ports on both sides.
> I assume they are exchanging parameters for the later iperf measurement?
> After this they are doing the iperf measurement using port 5001 on both
> sides.
>
> After the measurement has been done, the communications on the already
> existing connections to host MonPC-A are used again to provide the
> measurement output to this host. These communications use the high ports on
> MonPC-A and the port 4823 on hosts MonPC-B and MonPC-C again.
>
> So my questions:
>
> A.) Is this the normal behavior?

Yes. Regarding your earlier assumption, there is some documentation in
the man page of bwctld.conf, specifically the "peer_ports" section.

> B.) Can the communication be changed in the way that parameter exchanges
> between MonPC-B and MonPC-C use predefined well known ports and not arbitrary
> high ports?

See above, you can limit the ports used to a set range with the
parameter "peer_ports".

> If this is normal behavior this would imply that MonPC-B and MonPC-C have to
> trust each other. Opening of arbitrary ports between both hosts. From a
> security point of view this is very annoying.
>
> Furthermore this would imply that measurements between administratively
> separated domains, i.e. Multi Domain Monitoring would not be possible,
> without mutual trust relationships.
>
> Any comments, suggestions, feedback?

To tackle both of these issues perfectly, you would need a stateful
firewall that inspects the BWCTL data stream which contains the control
information exchanged and then that firewall would temporarily open only
the negotiated ports. It would be the equivalent of the handling of
active FTP which also needs the firewall to open up a second connection
on the fly. I'm not aware of any existing solutions for this however, so
I think you would need to spend some development effort on this.

Depending on your security needs, it might be sufficient however to
limit your configuration to a range of ten ports and to just open these
up to all possible peers.

And finally a "scope of the mailing list" remark: The ideal forum for
BWCTL-related questions would be the bwctl-users mailing list
<https://mail.internet2.edu/wws/info/bwctl-users> on the same server.

With best wishes,
Roland
--
Roland Karch, DFN-Labor
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales RechenZentrum Erlangen (RRZE)
Martensstraße 1, 91058 Erlangen, Germany
Tel. +49 9131 85-27806, -28800, Fax: +49 9131 302941
http://www-win.rrze.uni-erlangen.de/
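As an added example, not from this thread and not BWCTL project code: a small Python check that reads a bwctld.conf, confirms that peer_ports is pinned to a narrow range as Roland suggests, and lists the ports a firewall between the two test hosts then has to allow (control port 4823, the peer range, and iperf port 5001 from the thread). The "peer_ports low-high" line form and the sample config are constructed assumptions; confirm the exact syntax in the bwctld.conf man page.

```python
import re

# Ports observed in the thread: bwctld control connection and iperf data.
BWCTL_CONTROL_PORT = 4823
IPERF_PORT = 5001
MAX_PEER_RANGE = 10  # the "range of ten ports" suggested in the reply

# Constructed sample bwctld.conf fragment. The "key value" layout and the
# "low-high" form of peer_ports are assumptions; check your man page.
SAMPLE_CONF = """\
# bwctld.conf (constructed example)
facility local5
peer_ports 5002-5011
"""

def parse_conf(text):
    """Return {key: value} for the non-comment, non-empty lines of a bwctld.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def peer_port_range(conf):
    """Return (low, high) for peer_ports, or None when any ephemeral port may be used."""
    value = conf.get("peer_ports")
    if value is None:
        return None
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if not m:
        raise ValueError("unparseable peer_ports value: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if not (1 <= low <= high <= 65535):
        raise ValueError("peer_ports range out of order or out of bounds")
    return low, high

def required_ports(conf):
    """Sorted ports a firewall between the two test hosts must allow.
    Raises ValueError when peer_ports is unset or wider than MAX_PEER_RANGE,
    i.e. when the config would force opening arbitrary high ports."""
    rng = peer_port_range(conf)
    if rng is None:
        raise ValueError("peer_ports not set: bwctld will use arbitrary high ports")
    low, high = rng
    if high - low + 1 > MAX_PEER_RANGE:
        raise ValueError("peer_ports spans %d ports, limit is %d"
                         % (high - low + 1, MAX_PEER_RANGE))
    return sorted({BWCTL_CONTROL_PORT, IPERF_PORT, *range(low, high + 1)})
```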