Dantz Retrospect, Piton multicast, security, and XP SP2


John Faughnan

Dantz appears to take an interesting approach to client identification
with Dantz Professional 6.0 for Windows, a package I use to back up my
XP, 2K and OS X clients at home. [1]

Retrospect clients apparently communicate their IP addresses to Dantz
(224.1.0.38) over port 497. Dantz stores this IP address. The
Retrospect server then requests addresses and uses that data to locate
its clients. They call this the Piton naming service and the protocol
is proprietary. (Dantz sells a higher-cost license that allows other
means of client discovery; it is not a part of the default
configuration.)

This raises some obvious questions. They're so obvious I'm sure some
readers here can point me to the answers fairly quickly; they must
have been raised long ago.

1. If this IP address were to become unavailable (denial of service,
network issues, Dantz goes bankrupt) would all Dantz backup systems
stop working?

2. Many sysadmins are averse to sharing internal IP addresses,
opening firewall ports, etc. How are their concerns addressed?

thanks!

john

meta: jfaughnan, jgfaughnan, security, OS X, XP, Win2K, Windows,
Dantz, Retrospect, backup

[1] http://www.dantz.com/en/support/kbase.dtml?id=27474
 

Barry Margolin

> Dantz appears to take an interesting approach to client identification
> with Dantz Professional 6.0 for Windows, a package I use to back up my
> XP, 2K and OS X clients at home. [1]
>
> Retrospect clients apparently communicate their IP addresses to Dantz
> (224.1.0.38) over port 497. Dantz stores this IP address. The
> Retrospect server then requests addresses and uses that data to locate
> its clients. They call this the Piton naming service and the protocol
> is proprietary. (Dantz sells a higher-cost license that allows other
> means of client discovery; it is not a part of the default
> configuration.)
>
> This raises some obvious questions. They're so obvious I'm sure some
> readers here can point me to the answers fairly quickly; they must
> have been raised long ago.
>
> 1. If this IP address were to become unavailable (denial of service,
> network issues, Dantz goes bankrupt) would all Dantz backup systems
> stop working?

That IP address is a multicast address. Since most ISPs don't pass
multicast traffic over their backbones, it's clearly not intended to go
to Dantz's own servers. It's presumably a multicast address that your
local Retrospect server listens on. This avoids you having to configure
a server address in every client machine -- they send to this address,
and it automatically gets to the appropriate machine on your LAN.

> 2. Many sysadmins are averse to sharing internal IP addresses,
> opening firewall ports, etc. How are their concerns addressed?

It doesn't need to go through the firewall.
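Added example for this thread (written here; it is not Retrospect's or Dantz's code): a minimal model of the LAN-scoped discovery exchange Barry describes. The group and port are the IANA values quoted in the thread. Everything else is an assumption: the probe and reply bytes are constructed placeholders, because the real Piton format is proprietary, and which side joins the group and which side sends is modelled as "querier multicasts, members answer by unicast", following the Dantz KB text quoted further down the thread (the server sends to the group to locate its clients).

```python
"""Sketch of a LAN-scoped multicast discovery exchange of the kind the
thread describes.  Example code written for this thread, not Dantz's or
Retrospect's: the group and port are the IANA values the thread quotes,
the payload bytes are a constructed placeholder (the Piton format is
proprietary), and which side joins the group is an assumption."""
import socket
import sys

PITON_GROUP = "224.1.0.38"   # IANA-assigned multicast group quoted in the thread
PITON_PORT = 497             # IANA-assigned "dantz" port quoted in the thread

# CONSTRUCTED placeholder bytes; the real Piton request/reply are not reproduced.
PROBE_PAYLOAD = b"EXAMPLE-DISCOVERY-PROBE"
REPLY_PAYLOAD = b"EXAMPLE-DISCOVERY-REPLY"


def membership_request(group, interface="0.0.0.0"):
    """Build the 8-byte ip_mreq handed to IP_ADD_MEMBERSHIP.

    Joining the group is what makes a host accept datagrams sent to
    224.1.0.38 (and answer a ping of that address on the LAN).  An
    interface of 0.0.0.0 lets the kernel choose the interface.
    """
    return socket.inet_aton(group) + socket.inet_aton(interface)


def make_sender(ttl=1):
    """UDP socket whose multicast datagrams carry the given IP TTL.

    With ttl=1 the first router on the path decrements it to zero and
    discards the datagram, so the query stays on the local link no matter
    how the router treats multicast.  The Linux kernel default is also 1;
    setting it makes the scoping explicit and auditable.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return sock


def configured_ttl(sock):
    """Read back the multicast TTL the kernel will stamp on outgoing datagrams."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def make_receiver(group=PITON_GROUP, port=PITON_PORT):
    """Bind the group port and join the group (port 497 needs root to bind)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                    membership_request(group))
    return sock


def answer_probes(sock):
    """Reply by unicast to every probe, so the querier learns this host's address."""
    while True:
        data, peer = sock.recvfrom(2048)
        if data == PROBE_PAYLOAD:
            sock.sendto(REPLY_PAYLOAD, peer)


def discover(timeout=2.0):
    """Multicast one probe with TTL 1 and collect the unicast answers."""
    sock = make_sender(ttl=1)
    sock.settimeout(timeout)
    sock.sendto(PROBE_PAYLOAD, (PITON_GROUP, PITON_PORT))
    found = []
    try:
        while True:
            data, peer = sock.recvfrom(2048)
            if data == REPLY_PAYLOAD:
                found.append(peer[0])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    if sys.argv[1:] == ["listen"]:
        answer_probes(make_receiver())      # run on the host to be discovered
    else:
        print("members answering on this link:", discover())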
 

John Faughnan

> That IP address is a multicast address. Since most ISPs don't pass
> multicast traffic over their backbones, it's clearly not intended to go
> to Dantz's own servers. It's presumably a multicast address that your
> local Retrospect server listens on. This avoids you having to configure
> a server address in every client machine -- they send to this address,
> and it automatically gets to the appropriate machine on your LAN.

A little knowledge is a dangerous thing. The little knowledge being
mine, of course. I pinged 224.1.0.38 and it resolved to the internal
address of my iBook!

Thanks for helping me see the light. By way of compensation, some
notes for those who may come later.

Dantz's explanation is not too helpful.

"Address 224.1.0.38 does not refer to any node on your network. It is
our Class D multicast address, assigned to Dantz by the Internet
Assigned Numbers Authority and listed in their registration database
at:
http://www.isi.edu/in-notes/iana/assignments/multicast-addresses
Sending a packet to a multicast address is how Retrospect locates its
clients using our Piton Name Service.
IANA's assignment of port 497 to Dantz is listed on their site at:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
There should be no traffic on the Internet using port 497 that's not
using Retrospect."

The multicast address list has moved from the one Dantz gave. It's
now:

http://www.iana.org/assignments/multicast-addresses

and the Dantz address is on the list.

There I read:

"The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive,
is reserved for the use of routing protocols and other low-level
topology discovery or maintenance protocols, such as gateway discovery
and group membership reporting. Multicast routers should not forward
any multicast datagram with destination addresses in this range,
regardless of its TTL."

So, as you implied, a well-behaved router doesn't forward a datagram
with an address like this -- regardless of the TTL.

Likewise http://www.iana.org/assignments/port-numbers lists "497/tcp
dantz", and there I read:

"Ports are used in the TCP [RFC793] to name the ends of logical
connections which carry long term conversations. For the purpose of
providing services to unknown callers, a service contact port is
defined. This list specifies the port used by the server process as
its contact port. The contact port is sometimes called the
"well-known port"."

Multicasting is a topic beyond the old TCP/IP books in my home, on the
net ...

For a very technical discussion (by my standards) see:

http://www.cse.ohio-state.edu/~jain/cis788-97/ftp/ip_multicast/index.htm

and for a less technical discussion see:

http://gaia.cs.umass.edu/kurose/network/mcast/mcast.htm

--
Thanks again for clearing this up!

john

meta: jfaughnan, jgfaughnan, multicast, igmp, networking, firewall,
security
 

Barry Margolin

> A little knowledge is a dangerous thing. The little knowledge being
> mine, of course. I pinged 224.1.0.38 and it resolved to the internal
> address of my iBook!
>
> Thanks for helping me see the light. By way of compensation, some
> notes for those who may come later.
>
> Dantz's explanation is not too helpful.
>
> "Address 224.1.0.38 does not refer to any node on your network. It is

What they mean is that it's not an IP address assigned specifically to a
device on your network. It's a multicast address that all Retrospect
servers adopt when they're running.
> our Class D multicast address, assigned to Dantz by the Internet
> Assigned Numbers Authority and listed in their registration database
> at:
> http://www.isi.edu/in-notes/iana/assignments/multicast-addresses
> Sending a packet to a multicast address is how Retrospect locates its
> clients using our Piton Name Service.
> IANA's assignment of port 497 to Dantz is listed on their site at:
> http://www.isi.edu/in-notes/iana/assignments/port-numbers
> There should be no traffic on the Internet using port 497 that's not
> using Retrospect."
>
> The multicast address list has moved from the one Dantz gave. It's
> now:
>
> http://www.iana.org/assignments/multicast-addresses
>
> and the Dantz address is on the list.
>
> There I read:
>
> "The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive,
> is reserved for the use of routing protocols and other low-level
> topology discovery or maintenance protocols, such as gateway discovery
> and group membership reporting. Multicast routers should not forward
> any multicast datagram with destination addresses in this range,
> regardless of its TTL."
>
> So, as you implied, a well-behaved router doesn't forward a datagram
> with an address like this -- regardless of the TTL.

The Dantz address isn't in that range. However, unless you've
specifically arranged with your ISP for multicast routing on their
backbone, your Internet router won't forward it because it doesn't know
where to send it to.

And I expect that Retrospect sets the TTL to 1 to prevent their traffic
from being routed anyway (or maybe they set it to a low number, to
support enterprises with internal routing, and the Retrospect server on
a different subnet from the clients).

> Multicasting is a topic beyond the old TCP/IP books in my home, on the
> net ...

There's a decent discussion of it in the TCP/IP Guide
<http://www.tcpipguide.com/free/>.
 

John Faughnan

Barry Margolin said:
> What they mean is that it's not an IP address assigned specifically to a
> device on your network. It's a multicast address that all Retrospect
> servers adopt when they're running.

Yes, I see that now. The Dantz explanation reads like it was written
by someone with a good technical understanding -- not necessarily
someone writing for relative novices.

> The Dantz address isn't in that range. However, unless you've
> specifically arranged with your ISP for multicast routing on their
> backbone, your Internet router won't forward it because it doesn't know
> where to send it to.
>
> And I expect that Retrospect sets the TTL to 1 to prevent their traffic
> from being routed anyway (or maybe they set it to a low number, to
> support enterprises with internal routing, and the Retrospect server on
> a different subnet from the clients).

With your hints it was easy to find this reference.

http://www.sgr.nada.kth.se/mac/docs/retrospect_ttl.html.en saying they
use a TTL of 1.

So they use a multicast IP address, but the packets will either die on
my AirPort router, or at my ISP's router. They mention "port 497"
packets on the Internet -- would that fit with an enterprise doing
backup across the Internet? The enterprise would configure their
router to pass that packet to another router they owned across the
internet?

> There's a decent discussion of it in the TCP/IP Guide
> <http://www.tcpipguide.com/free/>.

Super! Esp. http://www.tcpipguide.com/free/t_IPMulticasting.htm. I'm
surprised this doesn't show higher in Google.

This discussion will be a handy reference for me and others going
forward -- thanks be to google for indexing usenet.

john
meta: jfaughnan, jgfaughnan, dantz, backup, multicasting, TTL, TCP/IP,
tutorial, reference, IGMP
 

Barry Margolin

> With your hints it was easy to find this reference.
>
> http://www.sgr.nada.kth.se/mac/docs/retrospect_ttl.html.en saying they
> use a TTL of 1.
>
> So they use a multicast IP address, but the packets will either die on
> my AirPort router, or at my ISP's router. They mention "port 497"
> packets on the Internet -- would that fit with an enterprise doing
> backup across the Internet? The enterprise would configure their
> router to pass that packet to another router they owned across the
> internet?

Port numbers are used to identify applications and client processes;
their use of port 497 is analogous to the way HTTP uses port 80 and DNS
uses port 53.

Since the packets have TTL of 1, they don't ever go through routers, so
there's no need to configure the routers to pass this port.
 
