Discussion:
callbacks in TAO
(too old to reply)
graham
2011-09-14 10:12:37 UTC
Permalink
Hi,

Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?

cheers

Graham
Rob Ratcliff
2011-09-14 14:05:10 UTC
Permalink
I'm not sure about specifying a range, but how about using bi-directional IIOP? That way your outgoing connection will be reused.

With a quick search, I saw this:
http://groups.yahoo.com/group/tao-users/message/19267
Post by graham
Hi,
Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?
cheers
Graham
Rob Ratcliff
2011-09-14 14:11:21 UTC
Permalink
You also might repost this to:
comp.soft-sys.ace

Its a more active list and has lots of experts on ACE/TAO.
Post by graham
Hi,
Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?
cheers
Graham
graham
2011-09-14 14:54:27 UTC
Permalink
Post by Rob Ratcliff
comp.soft-sys.ace
Its a more active list and has lots of experts on ACE/TAO.
Post by graham
Hi,
Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?
cheers
Graham
Thanks for the replies. I'll post to ACE/TAO group as well. They
cannot use bidirectional iiop cos they use the port/connection as part
of their security identification. It has to be available otherwise
everybody would have firewall issues.

Thanks anyways,

G
graham
2011-09-15 07:51:56 UTC
Permalink
Graham,
Post by graham
Post by graham
Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?
Thanks for the replies. I'll post to ACE/TAO group as well. They
cannot use bidirectional iiop cos they use the port/connection as part
of their security identification. It has to be available otherwise
everybody would have firewall issues.
Can you elaborate more on the security identification scheme?
I looked up the various options in the TAO user guide and noticed that TAO does support a port range option with the ORBEndpoint
myserver -ORBEndpoint iiop://host:5000/portspan=10 (ports 5000-5009)
but I don't know if that constrains callback objects. I would hope so.
-ORBEndpoint is deprecated, so see the new -ORBListenEndpoints option as well.
If you figure it out, please post the solution back to the list! :-)
Rob
Hi rob,

Its legacy code thats in place for the authentication. They have
kerberos in place but in parallel they monitor/use the callbacks port
to determine whos connected and since when. I'll have to ask on the
ace/tao users forum. I'll post you the code when I get it up and
running (assuming I do of course :)

I better switch from -ORBEndpoint to -ORBListenEndpoints ASAP.
Didn't know that was deprecated.

cheers and have a nice day

Graham
Phil Mesnier
2011-09-17 15:58:34 UTC
Permalink
Post by graham
Graham,
Post by graham
Post by graham
Is it possible to specify a specific or range of ports to be used by a
callback object exported from a server. The callback is going back to
the client and it *must* use a fixed/range of ports in order to pass
thru the firewall. I'm using the latest version of TAO/ACE. Is there a
demo that does this?
Thanks for the replies. I'll post to ACE/TAO group as well. They
cannot use bidirectional iiop cos they use the port/connection as part
of their security identification. It has to be available otherwise
everybody would have firewall issues.
Can you elaborate more on the security identification scheme?
I looked up the various options in the TAO user guide and noticed that TAO does support a port range option with the ORBEndpoint
myserver -ORBEndpoint iiop://host:5000/portspan=10 (ports 5000-5009)
but I don't know if that constrains callback objects. I would hope so.
-ORBEndpoint is deprecated, so see the new -ORBListenEndpoints option as well.
If you figure it out, please post the solution back to the list! :-)
Rob
Hi rob,
Its legacy code thats in place for the authentication. They have
kerberos in place but in parallel they monitor/use the callbacks port
to determine whos connected and since when. I'll have to ask on the
ace/tao users forum. I'll post you the code when I get it up and
running (assuming I do of course :)
I better switch from -ORBEndpoint to -ORBListenEndpoints ASAP.
Didn't know that was deprecated.
It's not deprecated, just not portable. The two options invoke the same
code, its just that TAO had -ORBEndpoint before the spec defined
-ORBListenEndpoints. I don't think there is any need to strip out the
old option.

Regarding your problem at hand, TAO does not have a way to bind a client
side address to a port, which is what it sounds like you want to do.
Generally, client-side port binding is considered a bad thing to do,
particularly if the server side is also binding to specific ports.
However, there is nothing technically preventing it, so if you would
like to fund some research one of the commercial support providers to
research it, perhaps a solution could be found.

Best regards,
Phil
--
Phil Mesnier
Principal Software Engineer and Partner, http://www.ociweb.com
Object Computing, Inc. +01.314.579.0066 x225
Rob Ratcliff
2011-09-18 06:21:01 UTC
Permalink
It's not deprecated, just not portable. The two options invoke the same code, its just that TAO had -ORBEndpoint before the spec
defined -ORBListenEndpoints. I don't think there is any need to strip out the old option.
The TAO Developer's Guide mentioned that it was deprecated and to start using -ORBListenEndpoints instead even though they take the
same list of arguments. (Looks like the spec just
Regarding your problem at hand, TAO does not have a way to bind a client side address to a port, which is what it sounds like you
want to do. Generally, client-side port binding is considered a bad thing to do, particularly if the server side is also binding to
specific ports. However, there is nothing technically preventing it, so if you would like to fund some research one of the
commercial support providers to research it, perhaps a solution could be found.
I asked one of the guys working on TAO and he mentioned that the -ORBListenEndpoints constrains the ORB to use the given port range
even for callback objects. Graham, have you tried just specifying the port range on the client side ORB? Phil are you sure that this
option doesn't constrain the port range of the callback object?

Regarding client-side port binding, if you're not doing bidirectional IIOP where the outgoing connection can be reused for incoming
requests, I would think it would be almost required to be able to restrict the client-side ports to some port or range of ports in
order to be able to configure the firewall to allow these incoming connections on given ports. Why is it considered a "bad thing to
do"?

Issues like these are why CORBA didn't flourish on the internet early on, the firewall problem wasn"t treated more seriously, not to
mention that the JRE's version of CORBA didn't support bidirectional IIOP. Now we're stuck with HTTP/Comet polling solutions, which
have pluses and minuses.

Rob
Rob Ratcliff
2011-09-18 06:25:22 UTC
Permalink
Post by Rob Ratcliff
It's not deprecated, just not portable. The two options invoke the same code, its just that TAO had -ORBEndpoint before the spec
defined -ORBListenEndpoints. I don't think there is any need to strip out the old option.
The TAO Developer's Guide mentioned that it was deprecated and to start using -ORBListenEndpoints instead even though they take the
same list of arguments. (Looks like the spec just
Whoops, didn't finish my sentence....

Looks like the 3.0.2 spec just specifies that there is an option called -ORBListenEndpoints and doesnt specify the arguments or
their syntax:

4.5.1.2 Server Endpoint
The server endpoint information is passed into ORB_init by an argument of the form
-ORBListenEndpoints <endpoints>
The format of the <endpoints> argument is proprietary. All that is required by this
specification is that each time ORB_init is called with the same value for this
argument, the resulting ORB will listen for requests on the same set of endpoints, so
that persistent object references for the ORB will continue to function correctly.
Phil Mesnier
2011-09-18 19:20:31 UTC
Permalink
Post by Rob Ratcliff
It's not deprecated, just not portable. The two options invoke the same code, its just that TAO had -ORBEndpoint before the spec
defined -ORBListenEndpoints. I don't think there is any need to strip out the old option.
The TAO Developer's Guide mentioned that it was deprecated and to start using -ORBListenEndpoints instead even though they take the
same list of arguments. (Looks like the spec just
Right. Portable options are favored over TAO-specific ones. But really
this is a side topic.
Post by Rob Ratcliff
Regarding your problem at hand, TAO does not have a way to bind a client side address to a port, which is what it sounds like you
want to do. Generally, client-side port binding is considered a bad thing to do, particularly if the server side is also binding to
specific ports. However, there is nothing technically preventing it, so if you would like to fund some research one of the
commercial support providers to research it, perhaps a solution could be found.
I asked one of the guys working on TAO and he mentioned that the -ORBListenEndpoints constrains the ORB to use the given port range
even for callback objects. Graham, have you tried just specifying the port range on the client side ORB? Phil are you sure that this
option doesn't constrain the port range of the callback object?
The only endpoint constraint that can be configured is that of
server-side binding. By default, TAO will let the system select an
ephemeral port on all interfaces. the -ORB[listen]endpoint[s] option
allows you to constrain the interface IP address, the TCP port, or both.
The portspan option can be used tell the server to select any port
from a narrow band, which allows a collection of servers to share a
limited group of addresses. None of this affects the client side.

With Bidir IIOP, the client side, outside the firewall say, still uses
an ephemeral port. It will also open a listen socket following the above
rules, but this socket is only used to supply an endpoint to the
callback objects profile. Part of the Bidir connection negotiation is
the client supplies the callback address as an alias. So the client may
have a listen socket open on address "CHost:45021" and the server is
listening on "SHost:12345." The client side of its connection to the
server might be on "CHost:50055" establishing a connection:

CHost:50055 <----> SHost:12345

This might be transport ID 100 to the server. The client will send a
Bidir service context to the server on some request message carrying the
alias "CHost:45021" whi server will then associate with transport ID
100. Effectively mapping the above connection to

CHost 45021 <-----> SHost:12345

Thus when the client sends the IOR for its callback object to the
server, and the server invokes on it, the server will find transport 100
in its cache since the IOR will include CHost:45021.

So if Graham's authentication requirement is that the endpoint the
callback goes to, (eg CHost:45021) be well-known, then he's golden.
However, if the scheme requires that the endpoint he connects from (eg
CHost:50055) is the well-known address, then an enhancement is necessary.
Post by Rob Ratcliff
Regarding client-side port binding, if you're not doing bidirectional IIOP where the outgoing connection can be reused for incoming
requests, I would think it would be almost required to be able to restrict the client-side ports to some port or range of ports in
order to be able to configure the firewall to allow these incoming connections on given ports. Why is it considered a "bad thing to
do"?
I'm not quite following the logic in the first request. Most firewalls
do not restrict access by inbound port number. If they did, configuring
a web browser would be a lot more complicated. They typically restrict
the port to which a connection is requested.

Why client side binding is considered bad, I suggest you review the
definition of a TCP connection, the TCP state machine, and the typical
behavior during socket closure. Since I'm sitting on my couch far away
from my Stevens vol 1. I'll give you a poor paraphrase...

A TCP connection is defined by the 4-tuple of (active host, active port,
passive host, passive port). There may only be one connection at a time
with any given combination. Frequently the passive port is some
well-known value. Since the hosts are constant, that means only the
active port can vary. If you bind the connector to a specific port, that
means no other process can use that port number to connect to the same
server host:port.

My point about the state machine is that TCP connections can continue to
exist for some time (could be minutes) after one side or the other shuts
down. Lets say your client application terminates while it still has the
connection open. The connection will end up taking time going through
fin wait 1, fin wait 2, and close wait before being reusable.

Finally, TAO is liable to open multiple client connections to the same
server. For example a multithreaded client wants to send two requests at
the same time, the second thread will open a new connection if the
existing connection is busy. Of course this behavior is configurable,
but it would be absolutely overridden if the client had to bind to an
already used port.
Post by Rob Ratcliff
Issues like these are why CORBA didn't flourish on the internet early on, the firewall problem wasn"t treated more seriously, not to
mention that the JRE's version of CORBA didn't support bidirectional IIOP. Now we're stuck with HTTP/Comet polling solutions, which
have pluses and minuses.
No, CORBA didn't flourish because MS didn't back it. And MS didn't back
it because it was an open standard. The firewall issue and the
definition of bidir was addressed fairly quickly, but CORBA wasn't
invented as an Internet infrastructure to begin with. Unfortunately it
has been overtaken by events, and so that's why firewall tunneling
hasn't been given the full treatment it requires. At one point, there
was a push to make a new "CORBA/i" specification which was to collect
the particular details for using CORBA in a broad Internet distribution.
However I've never seen anything beyond the initial announcement for that.

The JRE version of CORBA in general is pathetic, which is why JacORB and
other Java ORBs are so useful.

Best regards,
Phil
--
Phil Mesnier
Principal Software Engineer and Partner, http://www.ociweb.com
Object Computing, Inc. +01.314.579.0066 x225
Rob Ratcliff
2011-09-18 22:33:23 UTC
Permalink
Phil,

Thanks for the nice explanation on inner workings of bidirectional IIOP. (I've been meaning to buy a copy of Stevens' books as well.)
Post by Rob Ratcliff
Regarding client-side port binding, if you're not doing bidirectional IIOP where the outgoing connection can be reused for incoming
requests, I would think it would be almost required to be able to restrict the client-side ports to some port or range of ports in
order to be able to configure the firewall to allow these incoming connections on given ports. Why is it considered a "bad thing to
do"?
I'm not quite following the logic in the first request. Most firewalls do not restrict access by inbound port number. If they did,
configuring a web browser would be a lot more complicated. They typically restrict the port to which a connection is requested.
Just to clarify, when I mentioned inbound it is the server attempting to connect to the client's socket not vice-a-verse. I believe
most firewalls will allow you to poke a hole in it by port number and then redirect the request to some internal server with a given
port and internal IP address.
Why client side binding is considered bad...
My point about the state machine is that TCP connections can continue to exist for some time (could be minutes) after one side or
the other shuts down. Lets say your client application terminates while it still has the connection open. The connection will end up
taking time going through fin wait 1, fin wait 2, and close wait before being reusable.
The client also has to notice a server dropping or network going bad. The only way I know of to actively detect stale connections is
to actively "ping" the connection. If the server needs to actively "ping" the client to ensure that it hasn't dropped.
Finally, TAO is liable to open multiple client connections to the same server. For example a multithreaded client wants to send two
requests at the same time, the second thread will open a new connection if the existing connection is busy. Of course this behavior
is configurable, but it would be absolutely overridden if the client had to bind to an already used port.
I think many times the client is some type of GUI that wants to receive asynchronous updates from the server via a single callback
object. I have created clients with multiple callback objects using other proprietary protocols where the client used multiple
client-to-server connection as its callback connection, but I would hope that bidirectional IIOP would work in this case...never
tried that.


<off-topic>
The long HTTP poll approach that today's "Comet" applications use with HTTP + Ajax has one advantage that if the connection goes bad
(network glitch say), the server state has to be setup for the client to reconnect and continue on. That may encourage more robust
logic. It suffers though from server timeouts forcing the client to reconnect and browser connection limits. Can you think of other
pluses and minuses?
No, CORBA didn't flourish because MS didn't back it. And MS didn't back it because it was an open standard. The firewall issue and
the definition of bidir was addressed fairly quickly, but CORBA wasn't invented as an Internet infrastructure to begin with.
Unfortunately it has been overtaken by events, and so that's why firewall tunneling hasn't been given the full treatment it
requires. At one point, there was a push to make a new "CORBA/i" specification which was to collect the particular details for using
CORBA in a broad Internet distribution. However I've never seen anything beyond the initial announcement for that.
I think CORBA is still about the most mature and feature-complete multi-lingual messaging layer out there. Google Protocol Buffers
and the like don't address the full solution like CORBA has. (CORBA could use a refresh on the Java bindings though or a more
flexible bindings scheme similar to JAXB and JAXWS.)
The JRE version of CORBA in general is pathetic, which is why JacORB and other Java ORBs are so useful.
Yes, it would be nice if the JDK just adopted JacORB as the Java ORB. Then bidirectional IIOP would be fully supported as well as
all the other nice features and robustness.

Perhaps with the modularization of the JRE in Java 8, it will be easier to replace the default ORB.

</off-topic>

Thanks,

Rob
Phil Mesnier
2011-09-19 12:01:24 UTC
Permalink
Hi Rob,
Post by Rob Ratcliff
Phil,
Thanks for the nice explanation on inner workings of bidirectional IIOP. (I've been meaning to buy a copy of Stevens' books as well.)
You're welcome!
Post by Rob Ratcliff
Just to clarify, when I mentioned inbound it is the server attempting to connect to the client's socket not vice-a-verse. I believe
most firewalls will allow you to poke a hole in it by port number and then redirect the request to some internal server with a given
port and internal IP address.
OK, That's a typical NAT firewall configuration. In this case the
-ORBListenEndpoints command line argument is useful on the client side.
In fact, there is an additional option, hostname_in_ior=<alias> that
allow you to put some arbitrary host address in the published IOR. So
lets say your server is running on some machine 10.20.30.40, and you
have a firewall configured as mytunnel.company.com, you can use

-ORBListenEndpoint iiop://:12345/hostname_in_ior=mytunnel.company.com

to have the published IOR contain mytunnel.company.com:12345 as the
endpoint. Of course the restriction is that the NAT port and the actual
port must be the same.
Post by Rob Ratcliff
I think many times the client is some type of GUI that wants to receive asynchronous updates from the server via a single callback
object. I have created clients with multiple callback objects using other proprietary protocols where the client used multiple
client-to-server connection as its callback connection, but I would hope that bidirectional IIOP would work in this case...never
tried that.
I think this is the primary reason why bidir IIOP was created. A lot of
times firewalls are configured to prevent connections _to_ arbitrary
external ports, although they usually allow connections _from_ arbitrary
external ports. Typically outgoing connections are limited to just ports
for HTTP, FTP, and selected others.

So with bidir, and the usecase you cite, a client can connect to a
specific port on the server's NAT firewall, which forwards the
connection to the actual server. Then with bidir, requests can flow in
both directions.
Post by Rob Ratcliff
<off-topic>
The long HTTP poll approach that today's "Comet" applications use with HTTP + Ajax has one advantage that if the connection goes bad
(network glitch say), the server state has to be setup for the client to reconnect and continue on. That may encourage more robust
logic. It suffers though from server timeouts forcing the client to reconnect and browser connection limits. Can you think of other
pluses and minuses?
I'm not familiar with Comet (there is a C ORB that Redhat used to
maintain called Comet) but you may be interested to know that TAO has an
HTTP-based protocol called HTIOP. This protocol makes use of HTTP gets
and posts to tunnel through protocol-restricting proxies such as Squid.
The protocol is asynchronous, in that servers "inside" a proxy defended
enclave will retain connection status so that an "outside" client can
reconnect. Check out $TAO_ROOT/orbsvcs/tests/HTIOP to see some examples
of use.

Best regards,
Phil
--
Phil Mesnier
Principal Software Engineer and Partner, http://www.ociweb.com
Object Computing, Inc. +01.314.579.0066 x225
Continue reading on narkive:
Loading...