[OpenAFS] AFS-Client behind masquerading firewall

aeneous@speakeasy.org aeneous@speakeasy.org
Thu, 04 Jan 2001 21:45:22 -0500

> Ok, the client can't know when the NAT-box changes IP.  But certainly
> the server can notice a new IP is talking to it.  And if we add a
> method for client authentication that's not based on IP then surely we
> can weather the NAT-box IP change without losing our marbles.  What
> would it take to implement something like this?  Didn't Transarc
> recently add support for multi-homed clients?  Isn't there something
> from that work that can be leveraged here?

Hm.  The server notices a new** IP address, and makes an InitCallbackState call.  The client discards all callbacks from that server.  So that clears things up just fine. 

The problem is that there is an interval between (1) the time the NAT box's IP address changes and (2) the time the CM decides it needs to call the server (possibly up to 10 minutes or more).  During that interval, changes by other clients, to files held by this CM, will generate callbacks to the old, and now "wrong" IP address.  

Nothing that you can do at either endpoint can detect an IP address change 
until some contact is made.  Therefore, we have only two choices:
A. ignore this race condition
B. implement something on the NAT box itself.

One cheap hack would be for the NAT box to keep track of the file server IP addresses used, and then, when its IP address changes, make InitCallBack calls.
It would work for the OP.  


** One small problem.  If the address isn't actually new, but one that had been in use by some other client until just recently, then we get screwed.  The fileserver won't make initcallbackstate calls in that case.  I'm not too happy with that scenario -- it's the sort of thing that causes weird cache inconsistencies that are impossible to debug.
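
The race described in the message above, and the address-reuse case from its footnote, as an added Python simulation that is not part of the original post and is not OpenAFS code. It assumes a file server that identifies clients by IP address only; the class names, file names and documentation-range addresses are constructed for illustration.

```python
# Simplified model, not OpenAFS code; class names and addresses are constructed.
class Net(dict):  # public IP -> cache manager currently reachable there
    def deliver(self, ip, msg, name=None):
        cm = self.get(ip)
        if cm:                          # a callback sent to a dead address is lost
            cm.on_callback(msg, name)

class FileServer:
    def __init__(self, net):
        self.net, self.version, self.promises, self.hosts = net, {}, {}, set()
    def _seen(self, ip):
        if ip not in self.hosts:        # unknown address: client must drop callbacks
            self.hosts.add(ip)
            self.net.deliver(ip, "InitCallbackState")
    def fetch(self, ip, name):
        self._seen(ip)
        self.promises.setdefault(name, set()).add(ip)
        return self.version.get(name, 0)
    def store(self, ip, name):
        self._seen(ip)
        self.version[name] = self.version.get(name, 0) + 1
        for holder in self.promises.pop(name, set()) - {ip}:
            self.net.deliver(holder, "BreakCallback", name)

class CacheManager:
    def __init__(self, server, ip):
        self.server, self.ip, self.cache = server, ip, {}
    def on_callback(self, msg, name):
        if msg == "InitCallbackState":
            self.cache.clear()          # drop every callback from this server
        self.cache.pop(name, None)      # BreakCallback: drop just this file
    def read(self, name):
        if name not in self.cache:      # no callback held, so ask the server
            self.cache[name] = self.server.fetch(self.ip, name)
        return self.cache[name]

def scenario(reused_ip, new_ip="198.51.100.2"):
    fs = FileServer(Net())
    a, b = CacheManager(fs, "198.51.100.1"), CacheManager(fs, "203.0.113.9")
    fs.net.update({a.ip: a, b.ip: b})
    a.read("f")                         # A caches f (version 0) under a callback
    if reused_ip:
        fs.hosts.add(new_ip)            # address was recently used by another client
    fs.net[new_ip] = fs.net.pop(a.ip)   # NAT box changes its address
    a.ip = new_ip
    fs.store(b.ip, "f")                 # B's write: break goes to the old IP, lost
    during = a.read("f")                # stale read inside the interval
    a.read("g")                         # first contact from the new address
    return during, a.read("f"), fs.version["f"]
```

`scenario()` returns what A read during the interval, what A read after its next server contact, and the server's actual version of the file.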