Re: [fw-wiz] NAPT - NAT Port selection

From: Harald Welte (laforge_at_netfilter.org)
Date: 08/24/04

    To: ravivsn@www.rocsys.com
    Date: Tue, 24 Aug 2004 11:54:19 +0200
    On Fri, Aug 20, 2004 at 09:05:37AM +0530, ravivsn@www.rocsys.com wrote:

    > Internally, among developers, we discussed this issue and we came out with
    > one suggestion - Reusage of NAT port in multiple sessions, as long as
    > at least one of 5 tuples is different - Since source IP is same (public IP
    > address), destination IP or destination port has to be different.

    Yes, this is what every Linux 2.4.x and Linux 2.6.x based system does
    (Linux 2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/)).

    > I solicit your feedback on this.
    > - Is it good for NAPT device to use same NAT port for different
    > sessions, if they are going to different destination (based on
    > Destination IP and Port)? Do you see any problems associated with
    > this apart one mentioned above?

    It is questionable whether it is 'good'. I (as one of the netfilter
    authors) think it is good as in
            - tries to preserve port numbers as much as possible and not
              make applications relying on port number persistency break
            - minimum use of resources (i.e. more than 64k sessions).

    However, there is a group working on a NAT Behaviour draft within the
    IETF that discourages this (they call it 'port overloading'), since it
    creates less deterministic behaviour.

    > - Any experiences?

    No problems whatsoever. Please keep in mind the number of Linux
    installations, especially in embedded devices sold as WLAN and DSL
    'Routers'.

    > Thanks in advance
    > Ravi

    -- 
    - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
    ============================================================================
      "Fragmentation is like classful addressing -- an interesting early
       architectural error that shows how much experimentation was going
       on while IP was being designed."                    -- Paul Vixie
    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
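The port-selection policy discussed above, as an added illustration that is not code from netfilter or from either poster: a toy NAPT table (public IP, inside hosts and flows are constructed sample values) that compares port overloading, i.e. reusing a public port as long as the translated 5-tuple stays unique, with one-session-per-port allocation, and shows why replies must then be matched on the remote endpoint as well.

```python
from dataclasses import dataclass, field

Endpoint = tuple[str, int]  # (ip, port)

@dataclass
class Napt:
    """Toy NAPT table, assumed for illustration (not netfilter's implementation).
    A session is the inside 4-tuple (src_ip, src_port, dst_ip, dst_port); the
    public source IP is shared by every session."""
    public_ip: str
    overload: bool            # True: one public port may serve several destinations
    sessions: dict = field(default_factory=dict)  # inside 4-tuple -> public port
    used: dict = field(default_factory=dict)      # public port -> {destination}
    reverse: dict = field(default_factory=dict)   # (public port, dest) -> inside endpoint

    def _free(self, port: int, dest: Endpoint) -> bool:
        if self.overload:
            # overloading: only the translated 5-tuple has to be unique
            return dest not in self.used.get(port, set())
        return port not in self.used  # strict: at most one session per public port

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """Return the public port for an outgoing packet, allocating if needed."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        dest = (dst_ip, dst_port)
        # prefer preserving the original source port, then search the dynamic range
        for port in [src_port] + [p for p in range(1024, 65536) if p != src_port]:
            if self._free(port, dest):
                self.used.setdefault(port, set()).add(dest)
                self.sessions[key] = port
                self.reverse[(port, dest)] = (src_ip, src_port)
                return port
        raise RuntimeError("public port space exhausted")

    def inbound(self, remote_ip: str, remote_port: int, public_port: int):
        """Inside endpoint for a reply, or None when no session matches. Because
        the remote endpoint is part of the key, a packet from an unrelated host
        to the same public port does not match any session."""
        return self.reverse.get((public_port, (remote_ip, remote_port)))

def demo():
    # constructed sample: three inside hosts, all using source port 5000
    flows = [("10.0.0.1", 5000, "198.51.100.10", 80),
             ("10.0.0.2", 5000, "198.51.100.20", 80),
             ("10.0.0.3", 5000, "198.51.100.10", 80)]
    overloaded, strict = Napt("203.0.113.1", True), Napt("203.0.113.1", False)
    return ([overloaded.outbound(*f) for f in flows],   # [5000, 5000, 1024]
            [strict.outbound(*f) for f in flows],       # [5000, 1024, 1025]
            overloaded.inbound("198.51.100.20", 80, 5000),  # ('10.0.0.2', 5000)
            overloaded.inbound("192.0.2.99", 80, 5000))     # None
```

The third flow shows the determinism point: under overloading, the port host 10.0.0.3 receives depends on which destinations other hosts already use through port 5000.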