nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Common operational misconceptions

From: Andrew Jones <aj () jonesy com au>
Date: Mon, 20 Feb 2012 15:09:34 +1100
On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
<mohta () necom830 hpcl titech ac jp> wrote:

   draft-ohta-urlsrv-00.txt

   DNS SRV RRs of a domain implicitly specify servers and port numbers
   corresponding to the domain.

   By combining URLs and SRV RRs, no port numbers have to be specified
   explicitly in URLs, even if non-default port numbers are used, which
   makes URLs more concise for port based virtual and real hosting,
   where port based real hosting means that multiple servers sharing an
   IP address are distinguished by port numbers to give service for
   different URLs, which is the case for port forwarded servers behind
   NAT and servers with realm specific IP.



It seems to me that this will create all sorts of headaches for firewall
ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
example, the devices would need to inspect traffic on all ports and perform
DPI. This is not as much of a problem on the firewall protecting the
servers (you know what ports to inspect), but will require a lot more
processing power on the client-side NAT firewall.

Jonesy
Previous By Date Next
Previous By Thread Next

Current thread: