[OpenAFS-devel] Stop me before I NAT again...

Derrick J Brashear shadow@dementia.org
Tue, 30 Sep 2003 10:25:41 -0400 (EDT)


On Tue, 30 Sep 2003, Mitch Collinsworth wrote:

> In general this sounds like a great idea.  I'm not certain about the
> run-time configuration idea though.  Again, what about mobile clients
> that may pop up behind a NAT one time and on their own IP the next?
> I think we need to decide that either a) it's ok to make this change
> global for all clients, or b) it's not ok, only NAT-bound clients should
> do this, and therefore the client should somehow auto-discover if it's
> NAT-bound dynamically and adjust its behavior accordingly.  Then it will

I think b) is the right answer, but I'm unsure if there's any useful way
to discover we're NATd. I can't think of any that doesn't involve being
helped by new code in some remote agent.


> be safe to let users install the client w/o a sysadmin having to watch
> over their shoulder to make sure they don't screw up.  Or worse, if the
> wrong installation options being chosen means the clients can DOS the cell
> then it's only a matter of time before someone does this malitiously
> rather than accidentally...

Well, they can do it now.