[OpenAFS-devel] nat mode

Roland Kuhn rkuhn@e18.physik.tu-muenchen.de
Thu, 16 Feb 2006 10:53:45 +0100



Hi Jeff!

On 15 Feb 2006, at 16:12, Jeffrey Altman wrote:

> Derek Atkins wrote:
>> Quoting Jeffrey Altman <jaltman@secure-endpoints.com>:
>> True, but a) that assumes multiple clients behind a NAT (which isn't always
>> the case), and b) server support to track by port was added a while ago,
>> even if there are still bugs in it.
>
> The port tracking code was broken enough that it might as well have not
> been there.  Once the connection dropped the server would always attempt
> to contact the client on port 7001 regardless of what port was used.
>
> If you had more than one client behind a NAT, only one of the clients
> would ever get callback breaks.
>
> I haven't thought through all of the ramifications of decreasing the
> time between pings for a large number of clients.  To be honest, I
> don't want to.  My head hurts enough already.
>
It seems like this UDP-based NAT has a lot more problems than I was
aware of. If the firewall were to do NAT based on the RX connections
instead, would that work? What I have in mind is a scheme where a
(potentially large) number of clients are behind a firewall which
looks to a server like a single client with very many open RX
connections, all on port 7001. Are there limitations? Does anybody
know of an RX-aware connection tracking code?

Ciao,
                     Roland

--
TU Muenchen, Physik-Department E18, James-Franck-Str., 85748 Garching
Telefon 089/289-12575; Telefax 089/289-12570
--
CERN office: 892-1-D23 phone: +41 22 7676540 mobile: +41 76 487 4482
--
UNIX was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things.
	-Doug Gwyn
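The port-tracking failure Jeff describes, as an added simulation (not code from this thread or from OpenAFS): several clients behind one port-preserving NAT all send from UDP 7001; a server that sends the callback break to the public port it observed reaches every client, while one that always sends to 7001 reaches only the client whose mapping happens to own that port. The addresses, the high-port range and the NAT model are constructed assumptions.

```python
from dataclasses import dataclass, field

CACHE_MANAGER_PORT = 7001  # UDP port the AFS cache manager listens on


@dataclass
class Nat:
    """Minimal port-preserving NAT: public_port -> (private_ip, private_port)."""
    next_high_port: int = 40000  # constructed range for colliding ports
    table: dict = field(default_factory=dict)

    def outbound(self, priv_ip, priv_port):
        """Return the public port used for this private endpoint, mapping it if new."""
        for pub_port, inside in self.table.items():
            if inside == (priv_ip, priv_port):
                return pub_port
        # Keep the private port if nobody else holds it; otherwise allocate a high port.
        if priv_port in self.table:
            pub_port, self.next_high_port = self.next_high_port, self.next_high_port + 1
        else:
            pub_port = priv_port
        self.table[pub_port] = (priv_ip, priv_port)
        return pub_port

    def inbound(self, pub_port):
        """Private endpoint owning pub_port, or None if the packet is dropped."""
        return self.table.get(pub_port)


def callback_breaks(nat, clients, track_ports):
    """Return the set of private client IPs that receive a callback break.

    Every client speaks to the server from source port 7001 (constructed setup).
    track_ports=True : server sends the break to the port it saw the client use.
    track_ports=False: server always sends to 7001 (the behaviour Jeff describes).
    """
    observed_ports = [nat.outbound(ip, CACHE_MANAGER_PORT) for ip in clients]
    reached = set()
    for pub_port in observed_ports:
        dest = pub_port if track_ports else CACHE_MANAGER_PORT
        inside = nat.inbound(dest)
        if inside is not None:
            reached.add(inside[0])
    return reached


if __name__ == "__main__":
    lan = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed private addresses
    print("hard-coded 7001:", callback_breaks(Nat(), lan, track_ports=False))
    print("tracked port:   ", callback_breaks(Nat(), lan, track_ports=True))
```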