On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
draft-ohta-urlsrv-00.txt
DNS SRV RRs of a domain implicitly specify servers and port numbers corresponding to the domain.
By combining URLs and SRV RRs, no port numbers have to be specified explicitly in URLs, even if non-default port numbers are used, which makes URLs more concise for port based virtual and real hosting, where port based real hosting means that multiple servers sharing an IP address are distinguished by port numbers to give service for different URLs, which is the case for port forwarded servers behind NAT and servers with realm specific IP.
It seems to me that this will create all sorts of headaches for firewall ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for example, the devices would need to inspect traffic on all ports and perform DPI. This is not as much of a problem on the firewall protecting the servers (you know what ports to inspect), but will require a lot more processing power on the client-side NAT firewall.

Jonesy
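To make both points concrete, here is an added example (not code from the draft or from either poster): it resolves a URL through SRV records the way the draft describes, using RFC 2782 priority/weight selection, and then lists the non-default ports that a firewall or ALG keyed on the scheme's well-known port would have to inspect as well. The DNS answers are a constructed in-memory table with placeholder names (`example.net`, `a.example.net`, and so on); a real client would get them from a resolver, and TCP is assumed for every scheme shown.

```python
"""SRV-based URL resolution (RFC 2782 style) and the ports it exposes.

Added example, not from draft-ohta-urlsrv-00 or the mailing-list thread.
DNS answers come from a constructed in-memory zone, not a live resolver.
"""
import random
from dataclasses import dataclass
from urllib.parse import urlsplit

# Scheme -> well-known port. With SRV, a URL without an explicit port no
# longer tells you which port the client will actually use.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone; owner names follow RFC 2782: _<service>._<proto>.<name>.
ZONE = {
    "_http._tcp.example.net.": [
        SRV(10, 60, 8080, "a.example.net."),    # port-forwarded host behind NAT
        SRV(10, 40, 8081, "b.example.net."),    # second host on the same address
        SRV(20, 0, 80, "backup.example.net."),  # only used if priority 10 fails
    ],
    "_ftp._tcp.example.net.": [SRV(0, 0, 2121, "ftp.example.net.")],
    # RFC 2782: a single RR with target "." means the service is not offered.
    "_http._tcp.nohttp.example.net.": [SRV(0, 0, 0, ".")],
}


def srv_owner(scheme: str, host: str) -> str:
    """Owner name to query for a scheme (TCP assumed for these schemes)."""
    return f"_{scheme}._tcp.{host.rstrip('.')}."


def select_srv(rrset, choose=None):
    """Pick one record RFC 2782 style: lowest priority, then weighted random.

    `choose(total)` must return an int in [0, total]; it is injectable so the
    selection can be made deterministic in tests.
    """
    if not rrset:
        return None
    if choose is None:
        choose = lambda total: random.randint(0, total)
    lowest = min(rr.priority for rr in rrset)
    # Weight-0 records go first in the running sum, as the RFC specifies.
    group = sorted((rr for rr in rrset if rr.priority == lowest),
                   key=lambda rr: rr.weight != 0)
    total = sum(rr.weight for rr in group)
    if total == 0:
        return group[0]
    pick = choose(total)
    running = 0
    for rr in group:
        running += rr.weight
        if running >= pick:
            return rr
    return group[-1]


def resolve_url(url: str, zone=ZONE, choose=None):
    """Return (host, port) a client would connect to for `url`, or None.

    An explicit port in the URL wins; otherwise the SRV RRset decides;
    with no SRV RRset the scheme's default port is used as today.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme, parts.hostname
    if parts.port is not None:
        return host, parts.port
    rrset = zone.get(srv_owner(scheme, host))
    if rrset is None:
        return host, DEFAULT_PORTS[scheme]
    rr = select_srv(rrset, choose)
    if rr.target == ".":
        return None  # service explicitly not available
    return rr.target.rstrip("."), rr.port


def nondefault_ports(scheme: str, zone=ZONE):
    """Ports advertised via SRV for `scheme` other than its well-known port.

    A firewall or ALG that only watches DEFAULT_PORTS[scheme] would have to
    inspect every one of these as well to see the same traffic.
    """
    ports = set()
    for owner, rrset in zone.items():
        if owner.startswith(f"_{scheme}._tcp."):
            ports.update(rr.port for rr in rrset if rr.target != ".")
    ports.discard(DEFAULT_PORTS[scheme])
    return sorted(ports)


if __name__ == "__main__":
    for u in ("http://example.net/", "ftp://example.net/",
              "http://nohttp.example.net/", "http://example.net:9000/"):
        print(u, "->", resolve_url(u))
    print("http ports an ALG on port 80 would miss:", nondefault_ports("http"))
    print("ftp ports an ALG on port 21 would miss:", nondefault_ports("ftp"))
```

Running it shows that `http://example.net/` lands on port 8080 or 8081 depending on the weighted pick, and `ftp://example.net/` on 2121, while the URLs themselves carry no port at all; `nondefault_ports` is the list a port-keyed inspection device would need to be told about, which is exactly the extra work the reply above is worried about on the client side.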