Port assignment

=**Issue:** What port assignments will be acceptable across the Nationwide Health Information Network Exchange?=


**Sponsor(s):** The VA (Tony Mallia), Tom Davidson (SSA)


**Problem Statement:** Within the VA's internal IT security management group, implementing an outbound TCP/IP connection is governed by two associated policies and processes: an abbreviated process and a comprehensive process. All **outbound** connections require the comprehensive approval process for both the end-point IP address/common name and the port number **if and only if** the port number is non-standard. If the outbound end-point port number is a standard port (or a port number pre-approved through the comprehensive process), the VA can use its abbreviated approval and deployment process, which has a substantially shorter timeline. These processes are needed because VA policy permits connections only **from** a specific source IP address and port number **to** a specific destination IP address and port number (often called a firewall "pinhole").

On the **inbound** side, the VA uses only port 443 for secure (2-way TLS) Nationwide Health Information Network web services.

The comprehensive VA port number approval process turnaround time is measured in weeks and months.

As a result, if a UDDI end point is changed in the Nationwide Health Information Network Exchange's services registry, the VA will be unable to communicate with the new end point until its internal process completes, unless it receives enough advance notice of the change to run its internal change management process before the UDDI end point is changed.

The SSA has a somewhat different environment. For the SSA, port 443 is reserved for other purposes, so it cannot enforce 2-way TLS on 443 and therefore cannot use that port for the Nationwide Health Information Network Exchange. The SSA has stated that it cannot use a different common name/IP address with 443 to enforce 2-way TLS, due to the scarcity of IP addresses.


**Impact:** 1) The VA cannot quickly respond to port changes in the Nationwide Health Information Network Exchange UDDI Service Registry, resulting in a service outage, and 2) the VA and SSA are unable to establish a Nationwide Health Information Network Exchange connection with each other.


**Status:** The Nationwide Health Information Network Exchange Spec Factory's Security and Privacy Workgroup is __currently initiating the formal proposal approval process for the proposed solution__, documented immediately below. The IANA has been asked to register Nationwide Health Information Network Exchange specific port numbers, but it has refused.


**Proposed Solution:** Support exactly three port numbers for all Nationwide Health Information Network Exchange transactions: 443 plus two other port numbers, as documented below. Once selected, all three port numbers will be documented in the Nationwide Health Information Network Exchange's Messaging Platform specification. The updated Messaging Platform specification will then enter the normal Nationwide Health Information Network Exchange specification approval process.

**Proposed Specification Text:**

Normative: In the absence of Nationwide Health Information Network policy to the contrary, Nationwide Health Information Network Exchange members MUST support at least one of the specified Internet TCP/IP port numbers for all Nationwide Health Information Network Exchange inbound connections. Nationwide Health Information Network Exchange Members MUST support all three specified port numbers for Nationwide Health Information Network Exchange outbound connections. The specified port numbers are port 443 (designated as the "primary port"), port 4437 (designated as the "secondary port"), and port 14430 (designated as the "tertiary port").

Non-normative: The secondary and tertiary ports listed in the above paragraph were selected because of their apparent availability. Specifically, no official or unofficial use of these ports, by legitimate applications or by security threats, is known at this time. More detailed, and potentially more up-to-date, information on this topic may be found on the Nationwide Health Information Network Exchange Wiki at http://nhin-exchange.wikispaces.com/Port+Assignment.
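As an added example (not text from this wiki page and not code from any Nationwide Health Information Network Exchange software), the following Python encodes the normative inbound/outbound rule above, the abbreviated-versus-comprehensive approval split from the problem statement, and the IANA port ranges quoted later on this page, then applies them to a constructed UDDI registry snapshot; all hostnames, pinholes and service names are placeholders.

```python
from dataclasses import dataclass
# The three ports named in the proposed normative text above.
PRIMARY, SECONDARY, TERTIARY = 443, 4437, 14430
EXCHANGE_PORTS = frozenset({PRIMARY, SECONDARY, TERTIARY})

def iana_range(port: int) -> str:
    """Classify a TCP port by the IANA ranges quoted on this page."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def inbound_conformant(listening_ports) -> bool:
    """Inbound rule: a member MUST listen on at least one specified port."""
    return not EXCHANGE_PORTS.isdisjoint(listening_ports)

def outbound_conformant(reachable_ports) -> bool:
    """Outbound rule: a member MUST be able to reach all three ports."""
    return EXCHANGE_PORTS <= set(reachable_ports)

@dataclass(frozen=True)
class Endpoint:
    host: str  # IP address or common name of the remote gateway
    port: int

def approval_path(endpoint: Endpoint, preapproved_ports) -> str:
    """Comprehensive process iff the port is non-standard (not pre-approved),
    otherwise the abbreviated process, as the problem statement describes."""
    return "abbreviated" if endpoint.port in preapproved_ports else "comprehensive"

def services_at_risk(registry, pinholes, preapproved_ports):
    """Services whose current UDDI endpoint has no approved outbound pinhole,
    mapped to the approval path the member would need to open one."""
    return {name: approval_path(ep, preapproved_ports)
            for name, ep in registry.items()
            if (ep.host, ep.port) not in pinholes}

# Constructed sample data: hostnames are placeholders, not real gateways.
PREAPPROVED = EXCHANGE_PORTS  # this member pre-approved all three ports
PINHOLES = {("gw.example.test", 443)}  # pinholes already deployed
REGISTRY = {
    "svc-a": Endpoint("gw.example.test", 443),    # unchanged
    "svc-b": Endpoint("gw.example.test", 4437),   # moved to the secondary port
    "svc-c": Endpoint("gw2.example.test", 8443),  # non-standard port
}
```

Running `services_at_risk(REGISTRY, PINHOLES, PREAPPROVED)` reports svc-b as reachable after the abbreviated process and svc-c as blocked until the comprehensive process completes, which is the outage described under Impact.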

Please see the outstanding issues, alternate solutions considered, and next steps below.


**Outstanding Issues:**
 * 1) Do other organizations have this issue, or related issues that require or restrict the port numbers that can be used for their Nationwide Health Information Network Exchange services? Answer: Apparently not.
 * 2) Can we assume that Nationwide Health Information Network deployments use a TCP/IP multiplexer where all Nationwide Health Information Network gateway services listen on a single public IP address/common name and a single port number? Or will we need to expose multiple ports, one per listening service? Answer: The current consensus is that a single port number will suffice and all services listening on that port will be routed to via a multiplexer.
 * 3) Determine which port (besides 443) should be used as the Nationwide Health Information Network Exchange secondary port. Answer: To be determined. IANA automatically assigns port numbers.
 * 4) Determine which ports are commonly blocked by firewalls due to attacks. Answer: Eric H. has requested a list from his organization's firewall admin.


**Possible Resolution (Brainstorming):**

|| **Approach Number (in no particular order)** || **Brief Description** || **Detailed Description** || **Pros** || **Cons** || **Ranking** ||
|| 1 || No change to the Nationwide Health Information Network-E specs or operational procedures || This would effectively push the problem to the Nationwide Health Information Network Exchange members and require that they have internal processes supporting changes to the service location end points at any time. || - No Nationwide Health Information Network Exchange specification changes || - Burdens Exchange members; - Doesn't resolve root issues || Low ||
|| 2 || Specify port numbers in the Nationwide Health Information Network-E Messaging Platform Spec || Alter Nationwide Health Information Network specs to explicitly (statically) assign allowable port numbers for each service. || - May allow the VA and other Exchange members to gain pre-approval for specific inbound/outbound port numbers || - Doesn't allow UDDI port reassignment; - May not be possible for all Exchange members to support || High ||
|| 3 || Specify a range of port numbers || Alter Nationwide Health Information Network specs to explicitly list a sequential range of allowable port numbers. The ports would not be explicitly associated with specific services, allowing a degree of flexibility. || - May allow the VA and other Exchange members to gain pre-approval for specific inbound/outbound port numbers || - May not be possible for all Exchange members to support; - Only one port number may be needed for all Nationwide Health Information Network services (due to a multiplexer) || Low ||
|| 4 || Request official IANA port assignment || If the Nationwide Health Information Network specifies ports, port ranges or groups, then it may be advisable to request that the ports be listed by the official body (IANA) as assigned for Nationwide Health Information Network services use. || - May allow the VA and other Exchange members to gain pre-approval for specific inbound/outbound port numbers; - Would make future port conflicts less likely || - Would give an attacker a much more specific target || High ||
|| 5 || Specify a group of allowable port numbers || A non-sequential range of ports could be selected for use. This is similar to option 3 above, but the ports could be from various areas of the allowed list of ports. || - May allow the VA and other Exchange members to gain pre-approval for specific inbound/outbound port numbers; - High likelihood of ability to support by an Exchange member || - Slightly harder to administer; - Only one port number is needed for all Nationwide Health Information Network services (due to a multiplexer) || Low ||
|| 6 || Use 443 || Require the exclusive use of 443 for all Nationwide Health Information Network Exchange traffic. || - Already assigned by IANA for this purpose || - Not an option for some due to internal policies || High ||
|| 7 || Combination of 443 + TBD other IANA assigned ports || Would allow for some flexibility, plus some pre-planning when 443 is not an option. || - Best of all approaches || - Minor change to the Messaging Platform Spec || Current consensus preferred option ||


**What Port(s) Should We Request from IANA:**
 * 1) We should support 443 for Nationwide Health Information Network use, but not as an exclusive option.
 * 2) A suggestion was made to use a port above 1023 to avoid problems with firewalls and running as a privileged process.
 * 3) David R. will research the difference between IANA's "well known" and "registered" port ranges (0-1023 vs. 1024-49151). Tom D. will research the difference between IANA "system" and "user" ports.
 * 4) What ports are blocked due to common attacks?


**Next Steps:**
 * 1) Document today's discussion and circulate to the Sec and Priv WG for feedback. (Done.)
 * 2) Provide the potentially revised document to the entire Spec Factory via Jackie K. (In process.)
 * 3) Finish research as noted above.
 * 4) Get Sec and Privacy WG and Spec Factory agreement on the official secondary port to be used for Nationwide Health Information Network Exchange traffic.
 * 5) Initiate the process of obtaining official port assignment from IANA.
 * 6) Revise the messaging platform spec with requested/supported ports.
 * 7) Begin the change process for the revised spec.


**From the IANA site:**

PORT NUMBERS

(last updated 2010-07-07)

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

DCCP Well Known ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9.

The Registered Ports are those from 1024 through 49151.

DCCP Registered ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9.

The Dynamic and/or Private Ports are those from 49152 through 65535.

To request a port assignment from IANA: []

Port assignment registration process: The registration procedure is defined in [RFC4340], Section 19.9 []

Empirically determined list of "in use" ports: []

IANA port assignment document: http://www.iana.org/assignments/port-numbers
**Contributors To This Page:**

Bill Busey, Tom Davidson, Tony Mallia, Mark Hamilton, Jackie Key, John Moehrke, David Roberts, Sandy Stewart, Pam Waters, Nick Venarno, Eric Heflin (Nationwide Health Information Network Spec Factory, Security and Privacy Subteam Lead)

**Annotated References:**