Matthew Petach wrote:
> Hi Masataka,
Hi,
> One quick question. If every host is granted a range of public port numbers on the static stateful NAT device, what happens when two customers need access to the same port number?
I mean the static outgoing port number, but your concern should be the well-known incoming port number, which is an issue not specific to "static stateful" NAT.
> Because there's no way in a DNS NS entry to specify a port number, if I need to run a DNS server behind this static NAT, I *have* to be given port 53 in my range; there's no other way to make DNS work.
And SMTP, as is explained in draft-ohta-e2e-nat-00:

    A server port number different from well-known ones may be specified through mechanisms to specify an address of the server, which is the case with URLs. However, port numbers for DNS and SMTP are, in general, implicitly assumed by DNS and are not changeable. Or, a NAT gateway may receive packets to certain ports and behave as an application gateway to end hosts, if request messages to the server contain information, such as domain names, which is the case with DNS, SMTP and HTTP, to demultiplex the request messages to end hosts. However, for an ISP operating the NAT gateway, it may be easier to operate independent servers at the default port for DNS, SMTP, HTTP and other applications for their customers than to operate application relays.

Though the draft is for E2ENAT, the situation is the same for any kind of NAT.
> This means that if I have two customers that each need to run a DNS server, I have to put them on separate static NAT boxes--because they can't both get access to port 53.
See above for other possibilities.
> This limits the effectiveness of a stateful static NAT box
For incoming ports, static stateful NAT is no worse than dynamic NAT. Both may be configured to map certain incoming ports to certain local ports and addresses, statically or dynamically with, say, UPnP. The point of static stateful NAT is, for outgoing ports, that it does not require logging.
> tl;dr -- "if only we'd thought of putting a port number field in the NS records in DNS back in 1983..."
And MX. As named has a "-p" option, I think some people were already aware of the uselessness of the option in 1983. But putting a port number field in at that time is overkill.

Masataka Ohta
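An added Python sketch (not code from either poster or from the draft) of the two mechanisms the thread discusses: deriving the customer from a public port that falls in a fixed per-customer range, so an abuse report naming "your IP, port N" needs no NAT log, and demultiplexing an incoming DNS query on port 53 by its QNAME to the customer who serves that zone. The base port, range size and zone-to-customer table are assumptions.

```python
import struct

BASE_PORT = 4096            # assumption: public ports below this stay reserved for well-known services
PORTS_PER_CUSTOMER = 1024   # assumption: size of each customer's fixed public port range


def customer_range(customer_id):
    """Fixed (static) public port range handed to a customer for outgoing connections."""
    lo = BASE_PORT + customer_id * PORTS_PER_CUSTOMER
    return lo, lo + PORTS_PER_CUSTOMER - 1


def customer_for_public_port(port):
    """Reverse lookup from a public port: the range alone identifies the customer, no per-flow log."""
    if port < BASE_PORT:
        return None  # well-known incoming port: cannot be attributed by range, must be demultiplexed
    return (port - BASE_PORT) // PORTS_PER_CUSTOMER


def dns_qname(packet):
    """Extract the first question's QNAME from a raw DNS query (questions carry no compression)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("query carries no question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower()


ZONE_OWNERS = {"example.net": 0, "example.org": 1}  # constructed: zone -> customer id


def customer_for_dns_query(packet):
    """Application-gateway demux: route a port-53 query to the customer owning the queried zone."""
    name = dns_qname(packet)
    for zone, cid in ZONE_OWNERS.items():
        if name == zone or name.endswith("." + zone):
            return cid
    return None


def build_query(name):
    """Constructed test input: a minimal DNS query for name, type A, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```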