[OpenAFS-devel] Rx over TCP to solve some NAT & Firewall issues?

Jim Rees rees@umich.edu
Thu, 20 Nov 2003 07:33:53 -0500


I think rx over tcp is the way to go.  In addition to the nat benefits, you
also get all the latest congestion control tweaks.  I think nfs has shown
that this can work well.  In fact nfs v4 will only run over tcp.

The usual suggestion is to open ports 7000-7009 and increase udp timeouts.
10-minute timeouts should be plenty; that's how often the cache manager
pings active servers.  The usual el-cheapo nat has 30-60 second timeouts,
and that's too short.

The problem is that the client often has no control over the nat.

My own laptop is set up with two important anti-nat features.  One is that
it uses a small mtu, I think currently it's 576.  Sending frags through a
nat is suicide.  The other feature is that it pings the servers once a
minute.  I've had no trouble with this setup, and have run several of these
at the local coffee shop simultaneously.  There is some server bug that gets
in the way (see my message of a few days ago) but the client is in good
shape.

My laptop also has an important mobility feature.  When I disconnect from a
network I close down all rx connections first.  That's partly so the cache
manager won't get confused when I reconnect elsewhere, and partly to be nice
to other clients that might want to write to files I have callbacks on.

The problem is how to selectively turn these features on.  You don't want
them all the time.  One idea is to turn them on if the client has a Marsnet
address, but this doesn't work for firewalls, and what if your server is on
Mars too?  Another idea is to turn them on if rx connections keep getting
lost, but this requires lengthy and annoying timeouts.  I think a manual
switch is the most reasonable way to do it, although that has problems too
(how do you document it?).
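The two NAT failure modes the message relies on (a UDP mapping that expires between cache-manager pings, so the server's unsolicited callback break never reaches the client, and IP fragments that a port-based NAT cannot match) can be worked through with a small model. The following is an added example for this thread, not OpenAFS code and not Jim Rees's configuration. The 20-byte IPv4 header, 8-byte UDP header and the 1444-byte sample Rx payload are assumptions for the model; the 600-second cache-manager ping, the 60-second laptop ping, the 30-60 second cheap-NAT timeout and the 576-byte MTU are the figures from the message.

```python
"""Model of NAT mapping expiry and IP fragmentation for an Rx-over-UDP client.

Added example for the OpenAFS-devel thread; not OpenAFS code.  Header sizes
and the sample Rx payload length are assumptions, labelled below.
"""

# Figures taken from the message.
CACHE_MANAGER_PING = 600      # seconds between cache manager pings to active servers
LAPTOP_PING = 60              # the once-a-minute ping used on the author's laptop
CHEAP_NAT_TIMEOUTS = (30, 60) # typical consumer NAT UDP mapping timeouts
SMALL_MTU = 576               # MTU the author's laptop is set to

# Assumptions for the fragmentation model (not from the message).
IP_HEADER = 20                # IPv4 header without options
UDP_HEADER = 8
SAMPLE_RX_PAYLOAD = 1444      # assumed size of a full Rx packet as UDP payload


def mapping_alive(t, ping_interval, nat_timeout):
    """Return True if the NAT still holds the client's UDP mapping at time t.

    The client sends a ping at t=0 and every ping_interval seconds after
    that; each outbound ping refreshes the mapping, which the NAT drops
    nat_timeout seconds after the most recent one.  An inbound packet
    from the fileserver (e.g. a callback break) at time t gets through
    only while the mapping is alive.
    """
    since_last_ping = t % ping_interval
    return since_last_ping <= nat_timeout


def undeliverable_callbacks(ping_interval, nat_timeout, break_times):
    """Callback breaks (server -> client, unsolicited) that the NAT drops.

    The general rule follows from mapping_alive: every break is delivered
    iff ping_interval <= nat_timeout, which is why a 10-minute ping needs
    a 10-minute NAT timeout, or the ping has to get more frequent.
    """
    return [t for t in break_times
            if not mapping_alive(t, ping_interval, nat_timeout)]


def ip_fragments(udp_payload_len, mtu):
    """Number of IPv4 fragments a UDP datagram becomes on a link with this MTU.

    Only the first fragment carries the UDP header, so a NAT that matches
    on ports can translate only that one; the rest are typically dropped,
    which is the reason for running with a small MTU behind a NAT.
    """
    datagram = UDP_HEADER + udp_payload_len
    room = mtu - IP_HEADER
    if datagram <= room:
        return 1
    per_fragment = room // 8 * 8      # fragment data must be a multiple of 8
    return -(-datagram // per_fragment)  # ceiling division


if __name__ == "__main__":
    # Constructed sample: callback breaks the server tries to send over an hour.
    breaks = [90, 630, 1200, 1261, 2500, 3599]
    for nat_timeout in CHEAP_NAT_TIMEOUTS + (600,):
        for ping in (CACHE_MANAGER_PING, LAPTOP_PING):
            lost = undeliverable_callbacks(ping, nat_timeout, breaks)
            print(f"ping every {ping:3d}s, NAT timeout {nat_timeout:3d}s: "
                  f"{len(lost)} of {len(breaks)} callback breaks lost {lost}")
    for mtu in (1500, SMALL_MTU):
        print(f"MTU {mtu}: a {SAMPLE_RX_PAYLOAD}-byte Rx payload becomes "
              f"{ip_fragments(SAMPLE_RX_PAYLOAD, mtu)} IP fragment(s)")
```

With the message's numbers the model shows the two halves of the argument: a 600-second cache-manager ping behind a 60-second NAT loses every callback break that arrives more than a minute after the last ping, while a 60-second ping (or a NAT timeout raised to 600 seconds) loses none. Lowering the MTU to 576 does not remove fragmentation of a full-size Rx packet on its own; the benefit comes from the Rx peers negotiating a packet size that fits the smaller MTU, so the datagrams that actually go out are unfragmented.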