[OpenAFS] AFS-Client behind masquerading firewall

Derek Atkins warlord@MIT.EDU
04 Jan 2001 21:49:59 -0500

Mitch Collinsworth <mitch@ccmr.cornell.edu> writes:

> I agree that NAT is not the greatest thing to come down the road, but
> it's already here.  The battle to prevent it was lost a long time ago.
> It's going to be with us for a while and there are lots of people for
> whom it's going to be a fact of life.  Some of them are even going to
> turn out to be important to your or my or someone else's livelihood
> here and it would be better for most of us if we figured out a way to
> make it work.  I'd like to see us take this sort of thing as a
> challenge to improve the software rather than write off the whole idea.

The problem is that OpenAFS _must_ remain wire-compatible with
Transarc/IBM AFS.  This implies that we can't just go change the wire
protocol or how it behaves.

> Ok, the client can't know when the NAT-box changes IP.  But certainly
> the server can notice a new IP is talking to it.  And if we add a
> method for client authentication that's not based on IP then surely we
> can weather the NAT-box IP change without losing our marbles.  What
> would it take to implement something like this?  Didn't Transarc
> recently add support for multi-homed clients?  Isn't there something
> from that work that can be leveraged here?

Yes, the server can notice a new IP.  But do the NAT mappings still
work?  Does the server respond to the same port numbers?

> -Mitch


       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available