Understanding the RPC ALG

JUNOS software supports basic Remote Procedure Call Application Layer Gateway (RPC ALG) services. RPC is a protocol that allows an application running in one address space to access the resources of applications running in another address space as if the resources were local to the first address space. The RPC ALG is responsible for RPC packet processing.

The RPC ALG in JUNOS software supports the following services and features:

• Sun Microsystems RPC Open Network Computing (ONC)
• Microsoft RPC Distributed Computing Environment (DCE)
• Dynamic port negotiation
• Ability to allow and deny specific RPC services
• Static NAT and source NAT (with no port translation)
• RPC applications in security policies

Use the RPC ALG if you need RPC-based applications, such as NFS or Microsoft Outlook from the J-series device. The RPC ALG functionality is enabled by default.

The RPC ALG can be applied by using:

• ALG Default Application

  Use the default application set:

  • application-set junos-sun-rpc (for control sessions)
  • application-set junos-sun-rpc-portmap (for data sessions)

  In the policy, use the predefined application set for Control and Data Connections.

• Default Control Application

  Use the predefined control via junos-sun-rpc:

  • Create an application for Data USER_DEFINED_DATA. You can make a set of your own data (for example, my_rpc_application_set)and use it in the policy.
  • In the policy, use the predefined application set for Control and Customized Data Application.
    • junos-sun-rpc
    • USER_DEFINED_DATA
• Custom Control And Custom Data Application

  Use the customized application:

  • Create an application for Control USER_DEFINED_CONTROL and Data USER_DEFINED_DATA
  • In the policy, use the user-defined application set for Control and Customized Data Application:
    • USER_DEFINED_CONTROL
    • USER_DEFINED_DATA

This topic covers:

• Sun RPC ALG
• Microsoft RPC ALG
• Related Topics

Sun RPC ALG

Sun Microsystems Remote Procedure Call—also known as Open Network Computing Remote Procedure Call (ONC RPC)—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

J-series devices running JUNOS software support the Sun RPC as a predefined service and allow and deny traffic based on a security policy you configure. The Application Layer Gateway (ALG) provides the functionality for J-series devices to handle the dynamic transport address negotiation mechanism of the Sun RPC and to ensure program number-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific program number. The ALG also supports route and NAT mode for incoming and outgoing requests. The following SUN RPC topics are addressed in this section:

•  Typical RPC Call Scenario
•  Sun RPC Services
•  Customizing Sun RPC Services

Typical RPC Call Scenario

When an application or a PC client calls a remote service, it needs to find the transport address of the service. In the case of TCP/UDP, the address is a port number. A typical procedure for this case is as follows:

1. The client sends the GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, and version and procedure number of the remote service it is attempting to call.
2. The RPCBIND service replies with a port number.
3. The client calls the remote service using the port number returned.
4. The remote service replies to the client.

A client also can use the CALLIT message to call the remote service directly, without determining the port number of the service. In this case, the procedure is as follows:

1. The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, and the version and procedure number of the remote service it attempting to call.
2. RPCBIND calls the service for the client.
3. RCPBIND replies to the client if the call has been successful. The reply contains the call result and the services's port number.

Sun RPC Services

Table 86 lists predefined Sun RPC services.

Table 86: Predefined Sun RPC Services

Customizing Sun RPC Services

All Sun RPC applications can be customized by using a predefined application set. For example, an application can be customized to open the control session only and not allow any data sessions:

application-set junos-sun-rpc {

application junos-sun-rpc-tcp;

application junos-sun-rpc-udp;

}

In the following example, the predefined application set allows data sessions only. It will not work without the control session.

application-set junos-sun-rpc-portmap {

application junos-sun-rpc-portmap-tcp;

application junos-sun-rpc-portmap-udp;

}

To customize all Sun RPC applications with predefined application sets, use both application sets in the policy:

application-set [junos-sun-rpc junos-sun-rpc-portmap]

Note: Microsoft Remote Procedure Call (MS RPC) applications are customized in the same way as SUN RPC applications.

Microsoft RPC ALG

Microsoft Remote Procedure Call (MS RPC) is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC (see Sun RPC ALG), MS RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

J-series device running JUNOS software support MS RPC as a predefined service and allow and deny traffic based on a policy you configure. The ALG provides the functionality for J-series Services devices to handle the dynamic transport address negotiation mechanism of the MS RPC, and to ensure UUID-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific UUID number. The ALG also supports route and NAT mode for incoming and outgoing requests.

MS RPC Services in Security Policies

• 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
• 1453c42c-0fa6-11d2-a910-00c04f990f3b
• 10f24e8e-0fa6-11d2-a910-00c04f990f3b
• 1544f5e0-613c-11d1-93df-00c04fd7bd09

The corresponding TCP/UDP ports are dynamic. To permit them, you use a set applications application-name term term-name uuid hex-number statement for each number. The ALG maps the program numbers into dynamically negotiated TCP/UDP ports based on these four UUIDs and permits or denies the service based on a policy you configure.

Predefined Microsoft RPC Services

Table 87 lists predefined Microsoft services, parameters associated with each service, and a brief description of each service. Parameters include Universal Unique Identifiers (UUIDs) and TCP/UDP source and destination ports. A UUID is a 128-bit unique number generated from a hardware address, a timestamp, and seed values.

Table 87: Predefined Microsoft RPC Services

Related Topics

• Understanding the SIP ALG
• Understanding the SCCP ALG
• Understanding the MGCP ALG
• Disabling and Enabling RPC ALG
• Verifying the RPC ALG Tables