Re: [fw-wiz] NAPT - NAT Port selection

From: Srini (srao_at_intotoinc.com)
Date: 08/20/04

    To: <ravivsn@www.rocsys.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 20 Aug 2004 09:45:46 -0700
    
    

    Hi Ravi,
         Your customer's requirement and your thought process are correct.
         Note that, for a given connection, the 5 tuples need to be different. So, your
         NAPT device can reuse the source port as long as the destination IP address
         or destination port is different. That is the only way firewall devices
         support multiple (more than 64K) sessions.

         Coming to port forwarders, what you mentioned is not a problem. I don't see
         that kind of deployment. Typically, the connections are forwarded either to
         new machines or to new ports. In the worst case, port forwarders need to ensure
         that the source port is different and may need to do SNAT on the source port, and that
         is what is typically done by many commercial load balancer products.

         Note that application firewalls running as proxies also need to make multiple
         connections (sometimes more than 64K), and many TCP/IP stacks (including
         Linux) support reuse of the source port as long as the 5 tuples are different.

         Also look at RFC 3022. For P2P applications to work, it does suggest using the
         same public IP address and port for a given internal host and port.

         In summary, I don't see any problem in reusing the source port as long as the 5 tuples
         which make up a connection are unique.

    Srini

    ----- Original Message -----
    From: <ravivsn@www.rocsys.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Cc: <ravivsn@rocsys.com>
    Sent: Thursday, August 19, 2004 8:35 PM
    Subject: [fw-wiz] NAPT - NAT Port selection

    > Hi,
    > NAPT devices allow internal machines with private IP addresses to access the
    > Internet using one or more public IP addresses.
    >
    > We are vendors of security devices which have a NAPT feature,
    > and we allow up to 63K TCP connections from internal machines at any
    > time. The 63K limit comes from the number of unique source ports that can be
    > assigned as NAT ports.
    >
    > Our customer, a small ISP, wants to use these devices. This
    > ISP gives private IP addresses to its customers and provides
    > Internet access to them using NAPT. The ISP has a limited number of public IP
    > addresses and wants us to increase the number of TCP connections per
    > public IP address from 63K to a very high number.
    >
    > Internally, among developers, we discussed this issue and came up with
    > one suggestion: reuse of a NAT port in multiple sessions, as long as
    > at least one of the 5 tuples is different. Since the source IP is the same (the public IP
    > address), the destination IP or destination port has to be different.
    >
    > It means that, on the Internet side, it is possible to have the following
    > (example):
    >
    > Source_IP   Destination_IP  Protocol  Source_Port  Destination_Port
    > 66.10.5.10  70.1.2.5        TCP       2000         80
    > 66.10.5.10  70.1.5.6        TCP       2000         80
    >
    > One of our engineers points out that port forwarders on the receiving end
    > might be assuming that, for a given source IP, the source port would always
    > be different. His point is that if both 70.1.2.5 and 70.1.5.6 belong to the
    > same web hosting server, and a port forwarder forwards traffic from
    > these two IP addresses to the same internal server, then the internal server
    > might drop one connection.
    >
    >
    > Some of us feel that this would be a very rare condition and, if it happens,
    > port forwarders are intelligent enough to detect it, forward the
    > connection to the next server, and gracefully shut down the second connection.
    >
    > I solicit your feedback on this.
    > - Is it good for a NAPT device to use the same NAT port for different
    > sessions if they are going to different destinations (based on
    > destination IP and port)? Do you see any problems associated with
    > this apart from the one mentioned above?
    > - Any experiences?
    >
    > Thanks in advance
    > Ravi
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

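The allocation rule both posters describe (a public port may be reused as long as the full 5-tuple is unique, which for one public IP means a different destination IP or port) is easy to get wrong when the mapping table is keyed only by the public port. The following is an added example, not code from this thread or from either poster's products: a toy NAPT table, with a hypothetical `NaptTable` class and a hypothetical 1024-65535 port pool, that keys uniqueness on the outside 5-tuple, prefers to keep the same public port for a given internal host and port in the spirit of RFC 3022, and demultiplexes return packets by remote endpoint. The public address and the two web-server addresses come from Ravi's example; the private hosts and the 198.18.0.0/15 destinations are constructed. It also shows the consequence that matters to the ISP: 70,000 flows on one public IP, all sharing a single public port, because every one of them goes to a different destination.

```python
# Added example (not from the thread): a toy NAPT translation table that
# allocates public-side source ports per destination, so a port is reused
# whenever the (proto, dst_ip, dst_port) part of the 5-tuple differs.
from itertools import chain
from typing import Dict, Optional, Set, Tuple

# Inside 5-tuple: (proto, private_ip, private_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]
# Outside lookup key: (proto, public_port, remote_ip, remote_port)
OutsideKey = Tuple[str, int, str, int]

PORT_MIN, PORT_MAX = 1024, 65535  # hypothetical NAT port pool


class NaptTable:
    """Hypothetical NAPT mapper; public_ip is the single shared public address."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.outbound: Dict[Flow, int] = {}             # inside flow -> public port
        self.inbound_map: Dict[OutsideKey, Flow] = {}   # outside key -> inside flow
        # RFC 3022 style preference: keep the same public port for a given
        # (proto, private_ip, private_port) whenever it does not collide.
        self.preferred: Dict[Tuple[str, str, int], int] = {}

    def translate(self, proto: str, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> int:
        """Return the public source port for this inside flow, allocating if new."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound:
            return self.outbound[flow]
        pref = self.preferred.get((proto, src_ip, src_port))
        first = [pref] if pref is not None else []
        # Uniqueness is checked against the full outside 5-tuple, so a port
        # already in use toward a *different* destination is free for this one.
        for port in chain(first, range(PORT_MIN, PORT_MAX + 1)):
            key: OutsideKey = (proto, port, dst_ip, dst_port)
            if key not in self.inbound_map:
                self.outbound[flow] = port
                self.inbound_map[key] = flow
                self.preferred.setdefault((proto, src_ip, src_port), port)
                return port
        # Only PORT_MAX - PORT_MIN + 1 concurrent flows can share one destination.
        raise RuntimeError(f"NAT port pool exhausted toward {dst_ip}:{dst_port}/{proto}")

    def lookup_inbound(self, proto: str, public_port: int,
                       remote_ip: str, remote_port: int) -> Optional[Flow]:
        """Demultiplex a return packet by its full outside 5-tuple."""
        return self.inbound_map.get((proto, public_port, remote_ip, remote_port))

    def session_count(self) -> int:
        return len(self.outbound)


def demo() -> dict:
    """Replay the thread's example, then push past the 64K 'limit'."""
    nat = NaptTable("66.10.5.10")  # public address from the original post
    # Constructed private hosts; the destinations are the ones in the post.
    a = nat.translate("tcp", "10.0.0.1", 40000, "70.1.2.5", 80)
    b = nat.translate("tcp", "10.0.0.2", 40000, "70.1.5.6", 80)  # same port, other dst
    c = nat.translate("tcp", "10.0.0.3", 40000, "70.1.2.5", 80)  # same dst -> new port
    d = nat.translate("tcp", "10.0.0.1", 40000, "70.1.5.6", 80)  # preferred port busy
    # Return packets: the remote endpoint disambiguates the shared public port.
    back_a = nat.lookup_inbound("tcp", a, "70.1.2.5", 80)
    back_b = nat.lookup_inbound("tcp", b, "70.1.5.6", 80)
    # 70,000 flows from distinct hosts to distinct destinations on one public IP.
    bulk_ports: Set[int] = set()
    for i in range(70_000):
        host = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        dest = f"198.{18 + (i >> 16)}.{(i >> 8) & 255}.{i & 255}"  # constructed, 198.18.0.0/15
        bulk_ports.add(nat.translate("tcp", host, 50000, dest, 80))
    return {"a": a, "b": b, "c": c, "d": d,
            "back_a": back_a, "back_b": back_b,
            "sessions": nat.session_count(), "bulk_ports": bulk_ports}


if __name__ == "__main__":
    r = demo()
    print(f"host A -> 70.1.2.5 uses public port {r['a']}; host B -> 70.1.5.6 reuses port {r['b']}")
    print(f"{r['sessions']} sessions on one public IP; bulk flows used ports {sorted(r['bulk_ports'])}")
```

The design choice worth noting is that `inbound_map` is keyed by the remote endpoint as well as the public port. A table keyed by public port alone is exactly the assumption the engineer in the original post worries about on the receiving side, and it is the same assumption the NAPT itself must drop to go beyond 64K sessions per address; the per-destination pool also makes the remaining limit explicit, since one destination IP and port can still only absorb `PORT_MAX - PORT_MIN + 1` concurrent flows from one public address.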

