[OpenAFS] AFS-Client behind masquerading firewall

[Mitch Collinsworth]

On 4 Jan 2001, Derek Atkins wrote:

> Just keep in mind that AFS
> was not designed with NAT in mind (NAT is an abomination).  The fact
> that it works across NAT is just luck.  AFS barely copes when your own
> IP address changes, but at least the AFS client KNOWS when this change
> happens.  The client cannot know when the NAT-box changes IP Address.

I agree that NAT is not the greatest thing to come down the road, but
it's already here.  The battle to prevent it was lost a long time ago.
It's going to be with us for a while and there are lots of people for
whom it's going to be a fact of life.  Some of them are even going to
turn out to be important to your or my or someone else's livelihood
here and it would be better for most of us if we figured out a way to
make it work.  I'd like to see us take this sort of thing as a
challenge to improve the software rather than write off the whole idea.

Ok, the client can't know when the NAT-box changes IP.  But certainly
the server can notice a new IP is talking to it.  And if we add a
method for client authentication that's not based on IP then surely we
can weather the NAT-box IP change without losing our marbles.  What
would it take to implement something like this?  Didn't Transarc
recently add support for multi-homed clients?  Isn't there something
from that work that can be leveraged here?

-Mitch