On Fri, Apr 1, 2022 at 6:37 AM Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
If you make the stateful NATs static, that is, each
private address has a statically configured range of
public port numbers, it is extremely easy because no
logging is necessary for police grade audit trail
opacity.

Masataka Ohta
Hi Masataka,

One quick question. If every host is granted a range of public port numbers on the static stateful NAT device, what happens when two customers need access to the same port number?

Because there's no way in a DNS NS entry to specify a port number, if I need to run a DNS server behind this static NAT, I *have* to be given port 53 in my range; there's no other way to make DNS work. This means that if I have two customers that each need to run a DNS server, I have to put them on separate static NAT boxes--because they can't both get access to port 53.

This limits the effectiveness of a stateful static NAT box to the number of customers that need hard-wired port numbers to be mapped through; which, depending on your customer base, could end up being all of them, at which point you're back to square one, with every customer needing at least 1 IPv4 address dedicated to them on the NAT device.

Either that, or you simply tell your customers "so sorry you didn't get on the Internet soon enough; you're all second class citizens that can't run your own servers; if you need to do that, you can go pay Amazon to host your server needs."

And perhaps that's not as unreasonable as it first sounds; we may all start running IPv4-IPv6 application gateways on Amazon, so that IPv6-only networks can still interact with the IPv4-only internet, and Amazon will be the great glue that holds it all together.

tl;dr -- "if only we'd thought of putting a port number field in the NS records in DNS back in 1983..."
Matt
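As an added illustration (not part of the thread), a toy Python model of the static port-range NAT Masataka describes, showing both halves of the exchange: attributing a public (address, port) back to a customer needs no per-flow log, and a second customer who must own port 53 cannot share the first customer's public address. The customer names, the 1024-port slice size and the 203.0.113.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed parameters: each customer gets a fixed 1024-port slice of one
# public IPv4 address; well-known ports (e.g. 53) can be pinned to one customer.
RANGE_SIZE = 1024
LOW_PORT, HIGH_PORT = 1024, 65535


@dataclass
class PublicIP:
    addr: str
    ranges: dict = field(default_factory=dict)  # customer -> (first, last)
    pinned: dict = field(default_factory=dict)  # well-known port -> customer


class StaticNAT:
    def __init__(self, public_ips):
        self.ips = [PublicIP(a) for a in public_ips]

    def assign(self, customer, fixed_port=None):
        """Grant `customer` a static port range. If a fixed well-known port
        (e.g. 53 for DNS) is required, it must be free on the same public
        address; otherwise the customer spills over to the next address.
        Returns (public_addr, first_port, last_port), or None if exhausted."""
        for ip in self.ips:
            if fixed_port is not None and fixed_port in ip.pinned:
                continue  # another customer already owns that port here
            first = LOW_PORT + len(ip.ranges) * RANGE_SIZE
            last = first + RANGE_SIZE - 1
            if last > HIGH_PORT:
                continue  # this address has no free slice left
            ip.ranges[customer] = (first, last)
            if fixed_port is not None:
                ip.pinned[fixed_port] = customer
            return ip.addr, first, last
        return None

    def attribute(self, public_addr, port):
        """Audit-trail lookup with no connection log: the static table alone
        answers which customer was behind (public_addr, port)."""
        for ip in self.ips:
            if ip.addr != public_addr:
                continue
            if port in ip.pinned:
                return ip.pinned[port]
            for cust, (lo, hi) in ip.ranges.items():
                if lo <= port <= hi:
                    return cust
        return None
```

With two public addresses, the first DNS-hosting customer and an ordinary customer share 203.0.113.1, but the second DNS-hosting customer is forced onto 203.0.113.2, which is exactly the "one IPv4 address per server-running customer" limit Matt describes.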