Method to provide a facility for a user to reserve range of dynamic ports for a logical set of business applications installed in the same operating system environment
Publication Date: 2010-Sep-21
The IP.com Prior Art Database
Computer network applications, network/OS configuration and the protocols used for communication are well known in the information industry. One client/server network application implementation assigns specific port numbers for connecting a client system to a particular resource available on the server. The port number assigned to the server by the OS is called the server port, and the client connects to that server via a client port. A port number is a way to identify the specific process to which an Internet or other network message is to be forwarded when the message arrives at the server. Within the commonly used Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), a port number is a 16-bit integer included in the header appended to a data unit. This port number is passed logically between the client and server transport layers and physically between the transport layer and the Internet Protocol (IP) layer. Some OS services or processes have conventionally assigned permanent port numbers; these are known as predefined port numbers. In other cases, port numbers are assigned temporarily (for the duration of the request and its completion) by the operating system from a range of assignable port numbers; these are called ephemeral port numbers or dynamic ports.

Since ephemeral ports are dynamic, many resources/application processes compete for the same port in a dynamically assigned port environment, especially processes that use RPC (remote procedure calls) with dynamic binding (dynamic ports). Sometimes there is a port conflict between RPC application processes, since each wants to come up on the same port due to business application needs (the client wants to connect to the process at the same port).

Background: Customers came to us with a problem: they want a provision in IBM TXSeries to specify a range of ports to be used.
Currently the product has no provision to specify a range of ports to be used by TXSeries RPC clients, servers, gateway servers and other client applications together as one logical set. A range of ports can only be specified for the server, and that is restricted to one product. If any other product is installed on the same system, the same problem arises for the customer.

The customer's requirements are to:
- configure a range of ports for the application processes used by their business applications;
- restrict use of that range of ports to a particular set of applications;
- avoid intrusion by having a better view of port security, through monitoring the ports used by a logical set of business applications;
- avoid port conflicts among the various sets of applications running on the system.

We provided a workaround as specified in the "Existing Solution" section below. We found that the workaround is not a complete solution for the customer's real requirement, and that it will produce more conflicts if other applications that do not use the workaround come into the picture. Hence we propose this solution.

Problems Addressed:

1. No method exists to avoid port conflicts among a logical group of business applications used for particular business needs. Currently, at least the important middleware systems that use RPC as their communication protocol, or any other communication protocol using dynamic ports, do not provide a mechanism to assign a range of ports to a particular group of applications. The same system might have different instances of applications, of different RPC implementations, and other applications that also use ports. Since these applications use dynamic ports, there are always port clashes between certain product instances. For example, a certain RPC process has been assigned a well-known port by the OS. The moment the process goes down, the OS assigns the port to any other process that comes up and executes bind at the same time.
Since it is a well-known port, the original process that used it cannot come up on the same port it used earlier, which leads to a conflict.

2. No method exists for the system administrator to configure a range of ports to provide security for a logical group of business applications. For example, a system administrator deploys a business application that uses at least 10 sets of applications running on different ports. There is currently no way to make those business applications run on a range of ports defined by the system administrator. Even now, custom-made applications manage with the workaround of a trial-and-error method to bind to a specific range of ports, which is an expensive option in terms of performance.

3. No OS APIs exist to group a set of business applications under a service name and assign ports to them from a range of ports configured by the system administrator.

Existing implemented solutions in the IBM products:

There are two workarounds customers currently use to avoid these port conflict issues.

1. Customers define a range of ports to the product; the product binds to the ports and returns the port that is not already taken by another process. Basically, the application specifies that 1000-2000 is the range within which ports are to be used, and the process, when it binds, checks one by one which port is free within that range and picks up a port not already used by another OS process. For that, the product has to execute the bind call up to 999 times.

2. Customers define the range of ports for a process in an external port management product such as Tivoli Work Scheduler (TWS). The external product also stores the information, checks for a port in the range and assigns it to the process. Though an external tool manages the ports, it retrieves a port from the operating system in the same bind-based way, so the same performance overhead in assigning ports is still there.

3. What does the operating system provide now?
Currently a user can reserve ports for particular services in /etc/services. Still, a range of ports cannot be reserved, and it is not guaranteed that the same service will get those ports next time.

Proposal:

The idea is to provide a facility for a user to reserve a range of dynamic ports for a particular set of business applications. The idea provides a system and method for controlling access to a range of TCP/UDP ports based on the combined needs of a set of business applications. The invention allows a system administrator to reserve ports and ensure that a port will only be used by a set of business application processes. A set of business application processes means a combined set of processes from application products. The invention provides a means to improve security based on logical grouping of business applications: applications that require privilege only in order to bind to a range of reserved ports no longer need it, since the need for privilege is eliminated where privilege is not required. By granting exclusive ownership of a range of ports to a user application or group of applications, the system removes the need for applications to hold privilege solely for the purpose of binding to the port. Unauthorized applications remain prohibited from binding to the range of ports, thereby maintaining the security of the system. Though the proposal mainly focuses on reserving a range of ports for dynamic allocation for a set of business applications, the algorithm specified also includes static port allocation because of business needs.
Here are the implementation steps for the idea.
1. Define a service name for a logical group of applications in the operating system configuration file.
Create a new configuration file, or add to the current /etc/services file, to give the system administrator the ability to define a service name and associate a range of ports with that business service name. This business service name will be used by the logical group of applications that access ports.
In /etc/services or any other configuration file, specify the range of ports with a service name tag:
1001 TCP LSN1
1002 TCP LSN2
Dynamic [1000-3000] TCP/UDP UserID
2. Data tables to be maintained by the operating system

Port Configuration table
   Range of ports for dynamic allocation
   Static

The Port Configuration table will be created and filled by the OS on system startup/reboot. Any dynamic changes to the table will be made when the portrefresh command is issued, as given in step 4.

The Port Configuration table will have the following structure members:
   4. Range of ports allowed
Kernel Port Allocation table
   Free list of ports
   Type of port [TCP/UDP]

The Kernel Port Allocation table will be created and filled by the OS kernel on system startup/reboot. It will read the services file and record the static ports already allocated from the configuration. Its structure members are:
   Pid - process id of the process
   Port Free List - list of free ports
   Type of Port - TCP/UDP
   ProcessName - name of the process that allocated the port
Other than the API given in step 3, the already existing general bind() API will also be changed to update the Kernel Port Allocation table, as given in the flowchart in step 4.
3. API (Application Programming Interface) for an application to provide the service name while binding
a. Introduction of a new API, an extension of bind that accepts a service name. This name can be passed to bind. For example, the applications which the system administrator categorises come under the service name EBANKING, with ports ranging from 1000 to 3000. This gives a security view for monitoring the ports on which applications run.
b. Changes to the existing bind() to update the Kernel Port Allocation table for every port allocation request. See step 4 for the algorithm in the form of a flow chart.
_Allocated - port number currently allocated to the process
   struct sockaddr *local_address,
   char *PortType )
Applications can either set an environment variable to get the service name and fill it in the application.
Here socket_descriptor is the descriptor returned by the socket function; local_address is the socket structure; the next parameter is the length of the socket structure; servicename is the name of the logical grouping of application se...
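The tables and the extended bind of steps 1 to 3, as an added example that is not part of the original disclosure: a user-space Python model that loads a constructed service-name configuration in the syntax above (with the EBANKING range from step 3), keeps static and dynamic reservations as the Port Configuration table, records allocations as the Kernel Port Allocation table, and refuses a bind from a process whose service name does not own the port. The class and method names (PortTables, bind_with_service, owner, release) are assumptions, not the disclosure's API.

```python
import re
# Constructed config in the disclosure's /etc/services-style syntax (step 1):
#   "<port> <proto> <service>" or "Dynamic [<low>-<high>] <proto>[/<proto>] <service>"
CONFIG = """
1001 TCP LSN1
1002 TCP LSN2
Dynamic [1000-3000] TCP/UDP EBANKING
"""
class PortTables:
    """Port Configuration table and Kernel Port Allocation table (step 2), modelled in user space."""
    def __init__(self, config):
        self.static = {}  # (port, proto) -> service owning a static port
        self.ranges = {}  # service -> (low, high, {protos}) reserved dynamic range
        self.alloc = {}   # (port, proto) -> (pid, process name): the allocation table
        for line in config.strip().splitlines():
            m = re.match(r"Dynamic \[(\d+)-(\d+)\] (\S+) (\S+)", line)
            if m:
                low, high, protos, svc = m.groups()
                self.ranges[svc] = (int(low), int(high), set(protos.split("/")))
            else:
                port, proto, svc = line.split()
                self.static[(int(port), proto)] = svc
    def owner(self, port, proto):  # service the config reserves this port for, else None
        if (port, proto) in self.static:
            return self.static[(port, proto)]
        for svc, (low, high, protos) in self.ranges.items():
            if low <= port <= high and proto in protos:
                return svc
        return None
    def bind_with_service(self, pid, pname, port, proto, service):
        """Extended bind() (step 3): port 0 = first free port of the service's range."""
        if port == 0:
            if service not in self.ranges or proto not in self.ranges[service][2]:
                raise PermissionError(f"no dynamic range reserved for {service}/{proto}")
            low, high, _ = self.ranges[service]  # static ports inside the range stay excluded
            free = [p for p in range(low, high + 1)
                    if (p, proto) not in self.static and (p, proto) not in self.alloc]
            if not free:
                raise OSError(f"reserved range for {service} exhausted")
            port = free[0]
        elif self.owner(port, proto) not in (None, service):
            raise PermissionError(f"port {port}/{proto} is reserved for {self.owner(port, proto)}")
        elif (port, proto) in self.alloc:
            raise OSError(f"port {port}/{proto} already in use")
        self.alloc[(port, proto)] = (pid, pname)  # record pid/name as the kernel table does
        return port
    def release(self, pid):  # process exit: its ports return to the free list
        for key in [k for k, v in self.alloc.items() if v[0] == pid]:
            del self.alloc[key]
```

A port outside every reserved range (5000 in the test below) stays bindable by any service, which is the unchanged behaviour for unreserved ports.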