[OpenAFS] AFS over NAT

Derek Atkins warlord@MIT.EDU
07 Aug 2002 09:40:26 -0400


Leif Johansson <leifj@it.su.se> writes:

> Or you give your AFS-NAT enough keys to decrypt-modify-encrypt the RPCs.

I do not expect my Cisco, Linksys, or Apple Airport NAT gateway to
ever support this functionality, nor would I trust it with my AFS key!

> >The right approach is to not use NAT...  Or use ipv6 (not that AFS
> >supports that, yet, but getting AFS to support ipv6 is probably a more
> >useful use of your time than creating a NAT filter that can't work).
> >
> I believe most applications on the internet should find a way to work both
> with NATs and ipv6. There will probably be lots of NATs around long after
> ipv6 is widely deployed!

Perhaps.  We can certainly argue this point, but this is probably not
the right venue.  I hope we can agree that ipv6 support should take a
higher priority than (some) NAT support.  Getting the fileserver to
advertise a 'fake' address is relatively easy and I personally have no
objection, but I'd rather see people work on ipv6 support than a NAT
Gateway device/application.

> For instance: can you place replica fileservers behind a NAT used in
> front of a cluster while the "rest" of the cell sits outside?

You could, but clients may not necessarily choose the "correct" server
first.  Clients outside the NAT may choose the (inaccessible) server,
and clients behind the NAT may choose the servers outside the NAT.

Also, all clients (and all servers) need to be able to access all DB
servers (because you don't know which one will be the sync site).

>         MVH leifj

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available