Firewall Wizards mailing list archives

NAPT - NAT Port selection


From: <ravivsn () www rocsys com>
Date: Fri, 20 Aug 2004 09:05:37 +0530 (IST)

Hi,
NAPT devices allow internal machines with private IP addresses to access the
Internet using one or more public IP addresses.

We are vendors of security devices that have an NAPT feature, and we allow
up to 63K TCP connections from internal machines at any time. The 63K limit
comes from the number of unique source ports that can be assigned as NAT
ports.

Our customer, which is a small ISP, wanted to use these devices. This ISP
gives private IP addresses to its customers and, using NAPT, provides Internet
access to them. The ISP has a limited number of public IP addresses and wants
us to increase the number of TCP connections for each public IP address from
63K to a very high number.

Internally, among developers, we discussed this issue and came up with one
suggestion: reuse of a NAT port in multiple sessions, as long as at least one
of the 5-tuple fields is different. Since the source IP is the same (the public
IP address), the destination IP or destination port has to be different.

It means that, on the Internet side, it is possible to have the following
(example):
 Source_IP     Destination_IP   Protocol   Source_Port   Destination_Port
 66.10.5.10    70.1.2.5         TCP        2000          80
 66.10.5.10    70.1.5.6         TCP        2000          80



One of our engineers points out that port forwarders on the receiving end
might be assuming that, for a given source IP, the source port would always
be different. His point is that if both 70.1.2.5 and 70.1.5.6 belong to the
same web hosting server, and a port forwarder forwards traffic from these two
IP addresses to the same internal server, then the internal server might drop
one connection.


Some of us feel that this would be a very rare condition and, if it happens,
port forwarders are intelligent enough to detect it, forward the connection to
the next server, and gracefully shut down the second connection.

I solicit your feedback on this.
     - Is it good for an NAPT device to use the same NAT port for different
sessions if they are going to different destinations (based on destination
IP and port)? Do you see any problems associated with this apart from the
one mentioned above?
     - Any experiences?

Thanks in advance
Ravi



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
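The two allocation policies the post contrasts, and the receiving-side collision the engineer describes, as a runnable model. This is an added example, not code from the post or from any vendor's device; the public IP and the two destination addresses are the ones in the post's table, while the round-robin allocator, the port range 1024-65535, the internal addresses, the ISP workload and the forwarder map are all constructed for the example.

```python
"""Model of NAPT source-port allocation: the classic one-session-per-port
policy beside the destination-aware reuse proposed in the post, plus the
receiving-side port-forwarder collision the post worries about.
Addresses, port range and workload are constructed for this example."""
from collections import defaultdict

PORT_MIN, PORT_MAX = 1024, 65535
PORT_COUNT = PORT_MAX - PORT_MIN + 1     # 64512 NAT ports per public IP


class PortExhausted(Exception):
    """No NAT port satisfies the uniqueness rule for this session."""


class Napt:
    """NAPT binding table for one public IP.

    reuse_per_destination=False: each NAT port carries one session, so a
    public IP supports at most PORT_COUNT concurrent sessions.
    reuse_per_destination=True: the post's proposal; a NAT port may be shared
    by sessions whose (destination IP, destination port) differ, so only the
    external 5-tuple has to be unique.
    """

    def __init__(self, public_ip, reuse_per_destination):
        self.public_ip = public_ip
        self.reuse = reuse_per_destination
        # external (proto, nat_port, dst_ip, dst_port) -> internal (src_ip, src_port)
        self.bindings = {}
        self.port_refs = defaultdict(int)    # nat_port -> sessions using it
        self.cursor = PORT_MIN               # round-robin allocator (assumed)

    def _available(self, proto, port, dst_ip, dst_port):
        if self.reuse:
            return (proto, port, dst_ip, dst_port) not in self.bindings
        return self.port_refs[port] == 0

    def _candidates(self, src_port):
        # Try to preserve the client's own port, then walk the whole range once.
        if PORT_MIN <= src_port <= PORT_MAX:
            yield src_port
        for _ in range(PORT_COUNT):
            port = self.cursor
            self.cursor = PORT_MIN if port == PORT_MAX else port + 1
            yield port

    def open(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Bind a new outbound session and return the NAT port chosen."""
        for port in self._candidates(src_port):
            if self._available(proto, port, dst_ip, dst_port):
                self.bindings[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
                self.port_refs[port] += 1
                return port
        raise PortExhausted(f"{self.public_ip}: no NAT port for {dst_ip}:{dst_port}")

    def close(self, proto, nat_port, dst_ip, dst_port):
        del self.bindings[(proto, nat_port, dst_ip, dst_port)]
        self.port_refs[nat_port] -= 1

    def inbound(self, proto, nat_port, remote_ip, remote_port):
        """Reverse translation for a packet arriving from the Internet. With
        port reuse the lookup must include the remote endpoint; the NAT port
        alone no longer identifies a session."""
        return self.bindings.get((proto, nat_port, remote_ip, remote_port))


def capacity(reuse_per_destination, clients=2000, servers=40):
    """Constructed ISP workload: every client holds one TCP connection to
    each of `servers` web servers (80000 sessions). Returns how many fit
    behind a single public IP under the given policy."""
    nat = Napt("66.10.5.10", reuse_per_destination)
    opened = 0
    for c in range(clients):
        for s in range(servers):
            try:
                nat.open("tcp", f"10.{c >> 8}.{c & 255}.1", 49152 + s,
                         f"70.1.2.{s + 1}", 80)
            except PortExhausted:
                return opened
            opened += 1
    return opened


def forwarder_collisions(sessions, forward_map):
    """Receiving side from the post: a port forwarder DNATs several public
    (ip, port) pairs to one internal server while keeping the client's source
    address and port. Returns the tuples the internal server sees more than
    once, i.e. sessions it cannot tell apart."""
    seen = defaultdict(list)
    for proto, src_ip, nat_port, dst_ip, dst_port in sessions:
        backend = forward_map.get((dst_ip, dst_port), (dst_ip, dst_port))
        seen[(proto, src_ip, nat_port) + backend].append((dst_ip, dst_port))
    return {k: v for k, v in seen.items() if len(v) > 1}


# The two rows of the post's table, and a constructed forwarder that sends
# both public addresses to the same internal host.
POST_SESSIONS = [("tcp", "66.10.5.10", 2000, "70.1.2.5", 80),
                 ("tcp", "66.10.5.10", 2000, "70.1.5.6", 80)]
FORWARD_MAP = {("70.1.2.5", 80): ("192.168.0.10", 80),
               ("70.1.5.6", 80): ("192.168.0.10", 80)}

if __name__ == "__main__":
    print("one session per port :", capacity(False), "sessions per public IP")
    print("reuse per destination:", capacity(True), "sessions per public IP")
    for key, dests in forwarder_collisions(POST_SESSIONS, FORWARD_MAP).items():
        print("internal server sees duplicate tuple", key, "from", dests)
```

The strict policy caps out at exactly one session per NAT port, while the reuse policy carries the whole 80000-session workload on one address. The price shows up in `inbound`: once a port is shared, every reverse lookup, and every state-table operation on the NAT itself (timeouts, RST handling, logging), has to key on the full external 5-tuple rather than on the NAT port. `forwarder_collisions` reproduces the engineer's scenario: a forwarder that preserves the client's source address and port hands the internal server two sessions with identical tuples. A forwarder that also source-NATs to its own address, choosing a fresh port per session, would present distinct tuples and avoid the clash, but that is behaviour on the remote side that the ISP's NAPT cannot assume.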
