Common operational misconceptions

Andrew Jones aj at jonesy.com.au
Sun Feb 19 22:09:34 CST 2012


On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
<mohta at necom830.hpcl.titech.ac.jp> wrote:
>    draft-ohta-urlsrv-00.txt
> 
>    DNS SRV RRs of a domain implicitly specify servers and port numbers
>    corresponding to the domain.
> 
>    By combining URLs and SRV RRs, no port numbers have to be specified
>    explicitly in URLs, even if non-default port numbers are used, which
>    makes URLs more concise for port based virtual and real hosting,
>    where port based real hosting means that multiple servers sharing an
>    IP address are distinguished by port numbers to give service for
>    different URLs, which is the case for port forwarded servers behind
>    NAT and servers with realm specific IP.
> 

It seems to me that this will create all sorts of headaches for firewall
ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
example, the devices would need to inspect traffic on all ports and perform
DPI. This is not as much of a problem on the firewall protecting the
servers (you know what ports to inspect), but will require a lot more
processing power on the client-side NAT firewall.

Jonesy
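To make the two halves of this exchange concrete, the following is an added example (not code from the thread, the draft, or any NANOG participant) showing what an SRV-based URL resolver does and why a middlebox cannot know the service port from the URL alone. It assumes the standard RFC 2782 owner-name form `_service._proto.domain.` with the URL scheme used as the service label and TCP as the protocol; the draft may define the mapping differently. The zone data is constructed for the example, and a seeded `random.Random` stands in for the resolver's weighted choice.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR (RFC 2782): priority, weight, port, target."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone for this example; names and ports are made up.
# The http service is spread over two hosts on non-default ports with a
# lower-priority fallback on port 80; ftp lives on a forwarded port 2121.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_http._tcp.example.test.": [
        SrvRecord(10, 60, 8080, "web1.example.test."),
        SrvRecord(10, 40, 8081, "web2.example.test."),
        SrvRecord(20, 0, 80, "backup.example.test."),
    ],
    "_ftp._tcp.example.test.": [
        SrvRecord(0, 0, 2121, "ftp.example.test."),
    ],
}


def srv_owner_name(url: str) -> Optional[str]:
    """Return the SRV owner name for a URL, or None if the URL already
    carries an explicit port (then no SRV lookup is needed).
    Assumption: scheme == SRV service label and the protocol is TCP."""
    parts = urlsplit(url)
    if parts.port is not None:
        return None
    if not parts.hostname:
        raise ValueError("URL has no host component")
    return f"_{parts.scheme}._tcp.{parts.hostname.rstrip('.')}."


def select_target(records: List[SrvRecord], rng: random.Random) -> Optional[Tuple[str, int]]:
    """RFC 2782 selection: only the lowest-priority group is eligible; within
    it, zero-weight records are ordered first and one record is chosen by
    walking a running sum of weights against a random draw in [0, total]."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = sorted((r for r in records if r.priority == lowest),
                   key=lambda r: r.weight != 0)  # weight 0 first
    if all(r.target == "." for r in group):
        return None  # target "." means the service is explicitly absent
    total = sum(r.weight for r in group)
    draw = rng.randint(0, total)
    running = 0
    for r in group:
        running += r.weight
        if running >= draw:
            return (r.target, r.port)
    return (group[-1].target, group[-1].port)  # unreachable in practice


def resolve_url(url: str, zone: Dict[str, List[SrvRecord]], rng: random.Random) -> Optional[Tuple[str, int]]:
    """Turn a URL with no port into (host, port) via the zone's SRV RRs.
    A URL with an explicit port is returned as written."""
    name = srv_owner_name(url)
    if name is None:
        parts = urlsplit(url)
        return (parts.hostname, parts.port)
    return select_target(zone.get(name, []), rng)


def service_ports(zone: Dict[str, List[SrvRecord]], owner_name: str) -> List[int]:
    """Every port the SRV RRset can steer clients to. This is the set a
    firewall or ALG would have to learn from DNS (or discover by inspecting
    all ports) because the URL itself no longer names the port."""
    return sorted({r.port for r in zone.get(owner_name, [])})


if __name__ == "__main__":
    rng = random.Random(7)
    print(resolve_url("http://example.test/index.html", SAMPLE_ZONE, rng))
    print(resolve_url("ftp://example.test/pub/", SAMPLE_ZONE, rng))
    print(service_ports(SAMPLE_ZONE, "_http._tcp.example.test."))
```

The `service_ports` result is the practical point of the reply above: with the port carried in DNS rather than in the URL, a client-side firewall that only watches well-known ports (21/tcp for the FTP ALG, say) sees nothing, and has to either resolve the same SRV RRsets its clients do or inspect every port.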



More information about the NANOG mailing list