Common operational misconceptions
aj at jonesy.com.au
Mon Feb 20 04:09:34 UTC 2012
On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
<mohta at necom830.hpcl.titech.ac.jp> wrote:
> DNS SRV RRs of a domain implicitly specify servers and port numbers
> corresponding to the domain.
> By combining URLs and SRV RRs, no port numbers have to be specified
> explicitly in URLs, even if non-default port numbers are used, which
> makes URLs more concise for port-based virtual and real hosting,
> where port-based real hosting means that multiple servers sharing an
> IP address are distinguished by port numbers to give service for
> different URLs, which is the case for port-forwarded servers behind
> NAT and servers with realm-specific IP.
It seems to me that this will create all sorts of headaches for firewall
ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
example, the devices would need to inspect traffic on all ports and perform
DPI. This is not as much of a problem on the firewall protecting the
servers (you know what ports to inspect), but will require a lot more
processing power on the client-side NAT firewall.
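An added example (not code from the thread) of the SRV mechanism Ohta describes: a client derives the owner name _<scheme>._tcp.<host> from a port-less URL and takes the target host and port from SRV records, choosing among them by RFC 2782 priority and weight. The domain names, ports and RRset below are constructed so the example runs offline instead of querying DNS.

```python
"""SRV-based port discovery for a URL that carries no explicit port (added example)."""
import random
from urllib.parse import urlsplit

# Constructed SRV RRset for _http._tcp.example.com: (priority, weight, port, target).
# Two equal-priority servers behind one address on different ports, plus a backup.
SRV_RRSET = {
    "_http._tcp.example.com.": [
        (10, 60, 8080, "a.example.com."),
        (10, 40, 8081, "b.example.com."),
        (20, 0, 80, "backup.example.com."),
    ],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def srv_name(url):
    """Derive the SRV owner name _<scheme>._tcp.<host>. from a URL without a port."""
    parts = urlsplit(url)
    if parts.port is not None:
        raise ValueError("URL already carries an explicit port")
    return "_%s._tcp.%s." % (parts.scheme, parts.hostname.rstrip("."))


def select_target(records, rng=random):
    """RFC 2782 selection: lowest priority wins; within it, weighted random choice."""
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in candidates)
    if total == 0:  # all weights zero: any candidate is acceptable
        return candidates[0]
    pick = rng.randint(1, total)
    running = 0
    for rec in candidates:
        running += rec[1]
        if pick <= running:
            return rec


def resolve_endpoint(url, rrset=SRV_RRSET, rng=random):
    """Return (host, port) for the URL via SRV; fall back to the scheme's default port."""
    records = rrset.get(srv_name(url))
    if not records:
        parts = urlsplit(url)
        return parts.hostname, DEFAULT_PORTS.get(parts.scheme)
    _, _, port, target = select_target(records, rng)
    return target.rstrip("."), port
```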