[OpenAFS] effects of NAT

Christof Hanke hanke@csc.fi
Wed, 26 Mar 2008 19:24:27 +0200 (EET)


On Wed, March 26, 2008 7:15 pm, David Bear wrote:
> I know there have been some outspoken voices on issues related to NAT.
>
>
> I think my rather simple question might have a complex answer... but the
> game is afoot. Our university is now talking about putting EVERYONE (end
> user computings) in a NAT'ed network.
>
> I am wondering what kinds of issues we should be aware of (or watching
> for) as it relates to AFS -- and possibly kerberos.
>
> I know this is very vague because we still have no idea if our kdc's and
> file servers will be placed within the nat'ed scopes or not -- but if we can
> affect the architecture to avoid issues with afs we need to know what
> those issues might be.
>
> Anyone have advice?

For now, it's really best to push for real IP-addresses for the servers.
There was a small discussion about mobile servers earlier on.
Given static server-IP-addresses, most of the requests are initiated from
the client.
The only thing I can think of is the callback from the fileserver to the
client. You need to make the lifetime of the NAT-entry long enough to
allow the fileserver to talk to the client. I think the actual time is
some 5 min.
The point here is that this may result in quasi-static NAT-entries (# of
fileservers x # of clients) in your NAT-box.
This number may be quite high.

HTH,

T/Christof