Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port ranges should be limited to OS port limits #1772

Open
IvanDrag0 opened this issue Apr 24, 2023 · 5 comments
Open

Port ranges should be limited to OS port limits #1772

IvanDrag0 opened this issue Apr 24, 2023 · 5 comments
Labels
bug

Comments

@IvanDrag0
Copy link

Describe the bug

Currently, the OSCAL schema allows the user to add a network port range (part of the oscal-implementation-common) model. However, an OS (Windows and Linux) has a logical port range of 0-65535, while the schema allows for any number. The schema should be edited to bound the port range to what an OS can utilize.

Who is the bug affecting

Component and POAM writers. This "bug" is more of a sanity check than anything else.

What is affected by this bug

Metaschema, Modeling

How do we replicate this issue

Set the protocol port range to any number.

Expected behavior (i.e. solution)

The protocol port range should only allow whole numbers between 0 and 65535.

Other comments

No response

Revisions

No response
@IvanDrag0 IvanDrag0 added the bug label Apr 24, 2023
@GaryGapinski
Copy link

This is an apt observation.

I will add that the "obvious" reserved ports (see IANA Service Name and Transport Protocol Port Number Registry) should be excluded (namely, 0, 1023, 1024, 49151). I say "obvious" because other port reservations are dependent on transport type as well as historic IANA actions.

See also #1674.

@IvanDrag0
Copy link
Author

So does that mean that the current OSCAL schema already support this feature? Since #1674 has been merged.

Except port 0 (since it's a wildcard port), I don't think it would be a good idea to exclude known protocols since some systems could use those ports for something else (even though they shouldn't).

Also, I'm not sure if it's possible to do with a JSON/XML schema, but adding a check to make sure that multiple components dont have the same ports/port ranges, might be a good idea.

@GaryGapinski
Copy link

GaryGapinski commented Apr 24, 2023
edited
Loading

So does that mean that the current OSCAL schema already support this feature? Since #1674 has been merged.

As of pre-release v1.0.5 there are no [edit: additional] constraints — in the schema — on start and end.

Placing the constraints I mentioned is possible.

@GaryGapinski
Copy link

Also, I'm not sure if it's possible to do with a JSON/XML schema, but adding a check to make sure that multiple components dont have the same ports/port ranges, might be a good idea.

Such is not possible with a simple schema. It is possible using Schematron for XML.

Components may share port usage. For example, multiple components using the HTTPS protocol might all declare the use of port 443.

Worthy of note:component/protocol/port-range does not denote the nature (client or service) of the component.

@IvanDrag0
Copy link
Author

Worthy of note:component/protocol/port-range does not denote the nature (client or service) of the component.

This is actually a good point. With the current rise of web-based applications and interfaces, it might be a good idea to include a client/server tag and/or add network direction (ingress/egress/both).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
NIST OSCAL Work Board
Status: Further Analysis Needed
Milestone
No milestone
Development

No branches or pull requests
2 participants
@GaryGapinski @IvanDrag0