[OpenAFS-devel] Re: fileserver -> client NAT ping

Andrew Deason adeason@sinenomine.net
Wed, 14 Aug 2013 13:53:31 -0500


On Wed, 14 Aug 2013 14:39:51 -0400
Jeffrey Altman <jaltman@your-file-system.com> wrote:

> > So can we send it to only NAT clients? We can't detect NATed clients
> > with perfect accuracy, but I think we can make a guess, with little
> > chance for false positives, since we have the alleged local IPs for
> > the client from TellMeAboutYourself.
> 
> Given that the TellMeAboutYourself addresses cannot be trusted and
> there are still many file servers out in the wild that do trust them
> and block try to send packets to them, I want the clients to stop
> sending addresses entirely.

That's fine; in fact, that's even better. Newer clients don't need this
reverse NAT ping; if we make newer clients not respond with TMAY
addresses, then the proposed heuristic will not turn on reverse NAT ping
for them.

> I believe that end users that are having trouble with NATs should
> upgrade their clients.

For many of them, this isn't their problem, so I don't see much pressure
for them to upgrade or even realize that this is happening. The people
that notice are those that are generating the callback breaks, or the
server operators. Currently those generating the callback breaks can't
do anything about this, and the best the server operator can do is play
firewall whack-a-mole, which is a losing battle. That's why I think
doing something about this on the server side is valuable.

-- 
Andrew Deason
adeason@sinenomine.net
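The NAT-detection heuristic sketched in this exchange, as an added example that is not OpenAFS code (the ClientRecord type and the function names are assumptions): a client is guessed to be behind a NAT only when it reported TellMeAboutYourself addresses and none of them matches the address the fileserver actually observes, and the reverse NAT ping, if any, is always sent to the observed address rather than to a client-supplied one.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    """Server-side view of one client (constructed for this example)."""
    observed_addr: str                                # source address the fileserver sees
    tmay_addrs: list = field(default_factory=list)    # addresses the client claimed in TMAY


def looks_natted(rec: ClientRecord) -> bool:
    """Guess whether the client sits behind a NAT.

    True only when the client claimed addresses and none of them equals the
    address the server observes. A client that reports no addresses (as
    newer clients are proposed to do) never triggers the guess, and a
    malformed address list is treated as "don't know" rather than "NAT".
    """
    if not rec.tmay_addrs:
        return False
    try:
        observed = ipaddress.ip_address(rec.observed_addr)
        claimed = {ipaddress.ip_address(a) for a in rec.tmay_addrs}
    except ValueError:
        return False
    return observed not in claimed


def nat_ping_target(rec: ClientRecord):
    """Destination for the reverse NAT ping, or None if none should be sent.

    The TMAY addresses feed only the guess above; the packet goes to the
    observed peer address, so untrusted client-supplied addresses are never
    used as a destination.
    """
    return rec.observed_addr if looks_natted(rec) else None
```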