
Sun RPC ALG

Sun Microsystems Remote Procedure Call—also known as Open Network Computing Remote Procedure Call (ONC RPC)—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

J-series devices running JUNOS software support Sun RPC as a predefined service and permit or deny its traffic according to the security policy you configure. The Application Layer Gateway (ALG) lets J-series devices handle the dynamic transport address negotiation of Sun RPC and enforce security policy by program number. You can define a security policy to permit or deny all RPC requests, or to permit or deny requests by specific program number. The ALG also supports route and NAT mode for incoming and outgoing requests. The following Sun RPC topics are addressed in this section:

  Typical RPC Call Scenario
  Sun RPC Services
  Customizing Sun RPC Services

Typical RPC Call Scenario

When an application or a PC client calls a remote service, it needs to find the transport address of the service. In the case of TCP/UDP, the address is a port number. A typical procedure for this case is as follows:

  1. The client sends the GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, version number, and procedure number of the remote service it is attempting to call.
  2. The RPCBIND service replies with a port number.
  3. The client calls the remote service using the port number returned.
  4. The remote service replies to the client.

A client also can use the CALLIT message to call the remote service directly, without determining the port number of the service. In this case, the procedure is as follows:

  1. The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, version number, and procedure number of the remote service it is attempting to call.
  2. RPCBIND calls the service on behalf of the client.
  3. RPCBIND replies to the client if the call has been successful. The reply contains the call result and the service's port number.
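The GETPORT exchange from the first scenario is the traffic the ALG has to inspect: the port that later carries the service is only visible inside the RPCBIND reply. The following is an added example, not code from the Juniper documentation, that encodes and decodes that exchange in the wire format of RFC 1057 (RPC v2) and RFC 1833 (portmap v2) and then makes the decision an ALG makes from it: pair the reply with its call, and open the negotiated port only when the program number is one the policy permits. The transaction id, program numbers, and port values used in the sample run are constructed inputs.

```python
# Added example, not code from the Juniper page: the portmapper GETPORT
# exchange per RFC 1057 (RPC v2) and RFC 1833 (portmap v2), plus the
# program-number check an ALG applies before opening the negotiated port.
# Sample xid/program/port values in the __main__ block are constructed.
import struct

PMAP_PROG = 100000          # the portmapper/RPCBIND program number
PMAP_VERS = 2
PMAPPROC_GETPORT = 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED = 0
SUCCESS = 0
AUTH_NULL = 0               # opaque_auth flavor with an empty body


def _xdr_pad(n):
    """XDR rounds opaque bodies up to a multiple of 4 bytes."""
    return (n + 3) & ~3


def build_getport_call(xid, prog, vers, proto):
    """RPC CALL asking RPCBIND which port serves (prog, vers, proto)."""
    header = struct.pack("!IIIIII", xid, MSG_CALL, 2,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack("!II", AUTH_NULL, 0)       # credentials: flavor, body len
    verf = struct.pack("!II", AUTH_NULL, 0)       # verifier: flavor, body len
    args = struct.pack("!IIII", prog, vers, proto, 0)  # mapping; port ignored
    return header + cred + verf + args


def parse_getport_call(data):
    """(xid, prog, vers, proto) for a well-formed GETPORT call, else None."""
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, hprog, hvers, proc = struct.unpack("!IIIIII", data[:24])
    if (mtype, rpcvers, hprog, hvers, proc) != (
            MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    for _ in range(2):                            # skip cred and verf
        if len(data) < off + 8:
            return None
        _flavor, blen = struct.unpack("!II", data[off:off + 8])
        off += 8 + _xdr_pad(blen)
    if len(data) < off + 16:
        return None
    prog, vers, proto, _port = struct.unpack("!IIII", data[off:off + 16])
    return xid, prog, vers, proto


def build_getport_reply(xid, port):
    """Accepted, successful reply carrying the port RPCBIND assigned (0 = none)."""
    return struct.pack("!IIIIIII", xid, MSG_REPLY, MSG_ACCEPTED,
                       AUTH_NULL, 0, SUCCESS, port)


def parse_getport_reply(data):
    """(xid, port) for a successful reply naming a registered port, else None."""
    if len(data) < 20:
        return None
    xid, mtype, reply_stat, _vflavor, vlen = struct.unpack("!IIIII", data[:20])
    if mtype != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        return None
    off = 20 + _xdr_pad(vlen)                     # skip the verifier body
    if len(data) < off + 8:
        return None
    accept_stat, port = struct.unpack("!II", data[off:off + 8])
    if accept_stat != SUCCESS or port == 0:       # port 0 means "not registered"
        return None
    return xid, port


def alg_pinhole(call, reply, permitted_programs):
    """The ALG's decision: pair the reply with its call by xid, then open the
    negotiated (prog, proto, port) only if the program number is permitted
    by policy. Returns None when nothing should be opened."""
    c = parse_getport_call(call)
    r = parse_getport_reply(reply)
    if c is None or r is None or c[0] != r[0]:
        return None
    _xid, prog, _vers, proto = c
    if prog not in permitted_programs:
        return None
    return prog, proto, r[1]


if __name__ == "__main__":
    # Constructed sample exchange: a client asks for NFS (100003) v3 over TCP.
    call = build_getport_call(0x1234, 100003, 3, IPPROTO_TCP)
    reply = build_getport_reply(0x1234, 2049)
    print(alg_pinhole(call, reply, {100003, 100227}))   # (100003, 6, 2049)
```

The policy check is keyed on the program number carried in the call, not on the port in the reply, which is the reason a fixed-port policy cannot express "permit NFS" for Sun RPC: the port is whatever RPCBIND answers, and only the program number is stable.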

Sun RPC Services

Table 86 lists predefined Sun RPC services.

Table 86: Predefined Sun RPC Services

  Service
  junos-sun-rpc-portmap-tcp
  junos-sun-rpc-portmap
  junos-sun-rpc-portmap-udp

Customizing Sun RPC Services

Because Sun RPC services use dynamically negotiated ports, you cannot use regular fixed TCP/UDP ports to permit Sun RPC services in a security policy. Instead, you must specify a Sun RPC program number. For example, NFS uses two program numbers: 100003 and 100227. The corresponding TCP/UDP ports are dynamic. To permit the program numbers, you use a set applications application application-name term term-name rpc-program-number number statement for each number. The ALG maps the program numbers to the dynamically negotiated TCP/UDP ports and permits or denies the service based on the policy you configure.
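As an added configuration example (not taken from the Juniper documentation), the two NFS program numbers above defined as one custom application, each in its own term as the statement form above requires, and then referenced from a policy alongside the predefined portmapper service so that the GETPORT exchange itself is permitted. The zone names trust and untrust, the application name nfs-rpc, the term names, and the policy name are assumptions for the example.

```junos
# Added example; zone, application, term and policy names are assumed.
# One term per program number, following the statement form on this page.
set applications application nfs-rpc term t1 rpc-program-number 100003
set applications application nfs-rpc term t2 rpc-program-number 100227
# The portmapper traffic must be permitted too, or the client never learns the port.
set security policies from-zone trust to-zone untrust policy allow-nfs match source-address any
set security policies from-zone trust to-zone untrust policy allow-nfs match destination-address any
set security policies from-zone trust to-zone untrust policy allow-nfs match application junos-sun-rpc-portmap
set security policies from-zone trust to-zone untrust policy allow-nfs match application nfs-rpc
set security policies from-zone trust to-zone untrust policy allow-nfs then permit
```

Any RPC program number not listed in nfs-rpc is still denied by this policy even though the portmapper service is reachable, because the ALG only opens the negotiated port for program numbers the matched application names.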
