Matthew Petach wrote:

> Hi Masataka,

Hi,

> One quick question.  If every host is granted a range of public port
> numbers on the static stateful NAT device, what happens when
> two customers need access to the same port number?

I mean static outgoing port numbers, but your concern
should be well-known incoming port numbers, which is
an issue not specific to "static stateful" NAT.
> Because there's no way in a DNS NS entry to specify a
> port number, if I need to run a DNS server behind this
> static NAT, I *have* to be given port 53 in my range;
> there's no other way to make DNS work.

And SMTP, as is explained in draft-ohta-e2e-nat-00:

   A server port number different from well known ones may be specified
   through mechanisms to specify an address of the server, which is the
   case of URLs. However, port numbers for DNS and SMTP are, in general,
   implicitly assumed by DNS and are not changeable.


   Or, a NAT gateway may receive packets to certain ports and behave as
   an application gateway to end hosts, if request messages to the
   server contain information, such as domain names, which is the case
   with DNS, SMTP and HTTP, to demultiplex the request messages to end
   hosts.  However, for an ISP operating the NAT gateway, it may be
   easier to operate independent servers at default port for DNS, SMTP,
   HTTP and other applications for their customers than operating
   application relays.

Though the draft is for E2ENAT, the situation is the same
for any kind of NAT.

> This means that if I have two customers that each need to run a
> DNS server, I have to put them on separate static
> NAT boxes--because they can't both get access to
> port 53.

See above for other possibilities.

> This limits the effectiveness of a stateful static NAT
> box

For incoming ports, static stateful NAT is no worse than
dynamic NAT. Both may be configured to map certain
incoming ports to certain local ports and addresses,
statically or dynamically with, say, UPnP.

The point of static stateful NAT is that, for outgoing
ports, it does not require logging.

> tl;dr -- "if only we'd thought of putting a port number field
> in the NS records in DNS back in 1983..."

And, MX.

As named has a "-p" option, I think some people were already
aware of the uselessness of the option in 1983. But putting
a port number field in at that time would have been overkill.

                                        Masataka Ohta

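As an added example (not code from this thread, nor from draft-ohta-e2e-nat-00), the following Python sketches the two mechanisms the exchange above is about: a static stateful NAT that grants each customer a fixed range of public ports, so that any public port can be attributed to a customer from the allocation alone without a per-connection log, and the draft's alternative of one application gateway on public port 53 that demultiplexes DNS queries by the queried name. It also shows the collision Matthew raises: port 53 lies in exactly one customer's range, so a second customer cannot be given it. The public address (an RFC 5737 documentation address), the range size, the customer and zone names and the sample DNS query are all constructed for illustration.

```python
"""Static stateful NAT with per-customer public port ranges, and an
application gateway that demultiplexes DNS by the queried name.
Added example, not code from the thread or draft-ohta-e2e-nat-00; the
addresses, range size, names and sample query are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.10"   # RFC 5737 documentation address (constructed)
RANGE_SIZE = 4096            # assumed size of each customer's port range
# Constructed DNS query for www.b.example, type A, class IN (RFC 1035 format).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x01b\x07example\x00\x00\x01\x00\x01")


@dataclass
class StaticNAT:
    public_ip: str
    customers: Dict[str, range] = field(default_factory=dict)
    # Per-flow state translates packets; attribute() never consults it.
    flows: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    used: Set[int] = field(default_factory=set)
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def add_customer(self, name: str, first_port: int) -> range:
        """Grant a customer a fixed, non-overlapping range of public ports."""
        r = range(first_port, first_port + RANGE_SIZE)
        for other in self.customers.values():
            if r.start < other.stop and other.start < r.stop:
                raise ValueError(f"{name}: {r} overlaps {other}")
        self.customers[name] = r
        return r

    def attribute(self, public_port: int) -> Optional[str]:
        """Who used this public port?  Answered from the allocation alone."""
        return next((n for n, r in self.customers.items() if public_port in r), None)

    def translate_outbound(self, customer: str, src: Tuple[str, int]) -> Tuple[str, int]:
        """Pick a free public port from the customer's own range."""
        if src not in self.flows:
            free = (p for p in self.customers[customer]
                    if p not in self.used and p not in self.inbound)
            port = next(free, None)
            if port is None:
                raise RuntimeError(f"{customer}: port range exhausted")
            self.used.add(port)
            self.flows[src] = (self.public_ip, port)
        return self.flows[src]

    def bind_inbound(self, customer: str, public_port: int, dst: Tuple[str, int]) -> None:
        """Static inbound map.  A well-known port such as 53 lies in exactly
        one customer's range, so a second customer cannot be given it."""
        if public_port not in self.customers[customer]:
            raise ValueError(f"{customer}: port {public_port} is not in its range")
        if public_port in self.inbound or public_port in self.used:
            raise ValueError(f"port {public_port} is already in use")
        self.inbound[public_port] = dst


def dns_qname(packet: bytes) -> str:
    """QNAME of the first question (queries use no compression pointers)."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while packet[i] != 0:
        n = packet[i]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


class DnsRelay:
    """The draft's alternative: one listener on public port 53 that forwards
    each query to the customer serving the longest matching zone."""

    def __init__(self) -> None:
        self.zones: Dict[str, Tuple[str, int]] = {}

    def serve(self, zone: str, dst: Tuple[str, int]) -> None:
        self.zones[zone.lower().strip(".")] = dst

    def route(self, packet: bytes) -> Optional[Tuple[str, int]]:
        name = dns_qname(packet).lower()
        while name:
            if name in self.zones:
                return self.zones[name]
            name = name.partition(".")[2]   # drop the leftmost label
        return None


def demo():
    nat = StaticNAT(PUBLIC_IP)
    nat.add_customer("cust-a", 0)      # ports 0-4095: 25 and 53 belong to A
    nat.add_customer("cust-b", 4096)   # ports 4096-8191
    public = nat.translate_outbound("cust-b", ("10.0.1.7", 40000))
    owner = nat.attribute(public[1])   # "cust-b", from the allocation alone
    nat.bind_inbound("cust-a", 53, ("10.0.0.53", 53))
    try:
        nat.bind_inbound("cust-b", 53, ("10.0.1.53", 53))
        second = "bound"
    except ValueError as exc:
        second = str(exc)
    relay = DnsRelay()
    relay.serve("a.example", ("10.0.0.53", 53))
    relay.serve("b.example", ("10.0.1.53", 53))
    return public, owner, second, relay.route(SAMPLE_QUERY)
```

Running `demo()` shows the three points side by side: the outbound flow from customer B gets public port 4096 and `attribute(4096)` names B without any flow log; customer A can take port 53 but B's attempt fails because 53 is outside B's range; and the relay on port 53 still delivers a query for `www.b.example` to B's server by matching the zone, which is the demultiplexing the draft describes for DNS, SMTP and HTTP.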