Border Agent / Firewall Ports

[milas]

I'm new to Thread/OT/OTBR, so apologies in advance for any misunderstandings.

While my goal here is to assist with packaging OTBR for NixOS, my questions are actually about open ports for the purpose of firewall configuration, so I won't ask anything Nix-specific:

• openthread-border-router: init at unstable-2024-10-18 NixOS/nixpkgs#332296

As I understand it, the Border Router will advertise its UDP service over mDNS, and so the system should accept UDP traffic to this port (i.e. need to allow through firewall). In code, this is controlled by OPENTHREAD_CONFIG_BORDER_AGENT_UDP_PORT, which is a compile time config defaulted to 0, i.e. a dynamically-assigned port. It doesn't appear to be possible to change/set this value at runtime currently. I think ultimately, it'd be nice to be able to otbr-agent --rest-port 8081 --border-agent-port 12345 so that I could pair it with a firewall rule for inbound udp/12345. Would PR(s) be welcome to enable that?

Additionally, there's a couple other services that listen on start for OTBR:

Bbr-----------: Start listening on port 61631
SrpServer-----: Start listening on port 53546

In code, BBR is hardcoded to 61631 and SRP is allowed the range 53545-53555 IIRC.

Should inbound UDP traffic also be allowed to these port [ranges]?

[abtink]

In code, this is controlled by OPENTHREAD_CONFIG_BORDER_AGENT_UDP_PORT, which is a compile-time config defaulted to 0, i.e., a dynamically-assigned port. It doesn't appear to be possible to change/set this value at runtime currently. 

@milas, this is all correct. It can be set using the BORDER_AGENT_UDP_PORT at build time. There is an API to get the UDP port: otBorderAgentGetUdpPort(). There is no API to set this at run time, but it can be added easily. 

However, I would suggest, if possible, checking otBorderAgentGetUdpPort() to learn the current port and then updating the firewall code dynamically.

One thing to note is that when ephemeral key mode is enabled/used (otBorderAgentSetEphemeralKey()), the Border Agent can use a new port number. The otBorderAgentSetEphemeralKey() API allows the port number to be specified (which is then used while ephemeral key mode is active), or zero can be passed for BA to pick one. Ideally, the ephemeral key mode should use a different port number than the one used with regular PSKc by BA. The API otBorderAgentSetEphemeralKeyCallback() can be used to register a callback to be notified of changes related to ephemeral key use.

[milas]

Thank you for the helpful and quick reply!

Thanks for the pointers to the APIs - that certainly makes sense in terms of integrating OT + ot-br-posix as library components.

From a practicality standpoint, when running otbr-agent as a binary, that's why it'd be convenient to pass it in via CLI flag similar to the REST API and web ports, which requires a runtime setter.

For ephemeral key mode, whoever is using the D-Bus API to trigger it should make sure they provide a known available/open port upfront if they have firewall restrictions or let OTBR pick - that current behavior makes sense. (Also - this is ePSKc for Thread 1.4, yes? Trying to make sure I do in fact have some idea what I'm talking about 😅)

[abtink]

Also - this is ePSKc for Thread 1.4, yes? Trying to make sure I do in fact have some idea what I'm talking about

Yes. This is ePSKc.