[150239] in North American Network Operators' Group
Re: Common operational misconceptions
daemon@ATHENA.MIT.EDU (Andrew Jones)
Sun Feb 19 23:10:30 2012
Date: Mon, 20 Feb 2012 15:09:34 +1100
From: Andrew Jones <aj@jonesy.com.au>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <4F41AD3C.9070302@necom830.hpcl.titech.ac.jp>
Cc: nanog@nanog.org
On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
<mohta@necom830.hpcl.titech.ac.jp> wrote:
> draft-ohta-urlsrv-00.txt
>
> DNS SRV RRs of a domain implicitly specify servers and port numbers
> corresponding to the domain.
>
> By combining URLs and SRV RRs, no port numbers have to be specified
> explicitly in URLs, even if non-default port numbers are used, which
> makes URLs more concise for port based virtual and real hosting,
> where port based real hosting means that multiple servers sharing an
> IP address are distinguished by port numbers to give service for
> different URLs, which is the case for port forwarded servers behind
> NAT and servers with realm specific IP.
>
It seems to me that this will create all sorts of headaches for firewall
ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
example, the devices would need to inspect traffic on all ports and perform
DPI. This is not as much of a problem on the firewall protecting the
servers (you know what ports to inspect), but will require a lot more
processing power on the client-side NAT firewall.
Jonesy
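To make concrete what the quoted draft proposes and why the reply worries about middleboxes, here is an added example (not code from the NANOG post, from the draft, or from any project it mentions). It assumes the conventional RFC 2782 SRV naming of `_<scheme>._tcp.<domain>` for a URL's scheme and host, uses a constructed in-memory SRV zone in place of live DNS, and applies the RFC 2782 priority/weight selection. `ports_for_service` shows the firewall-side consequence: the set of ports on which a given service may appear is only knowable from DNS data, not from the URL or from a fixed well-known port.

```python
"""Resolve the effective host and port of a URL from SRV records.

Added example, not part of the NANOG post or of draft-ohta-urlsrv-00.
Assumptions: the SRV owner name is _<scheme>._tcp.<domain> (RFC 2782
naming); DNS is replaced by the constructed zone below.
"""
import random
from urllib.parse import urlsplit

# Constructed SRV data (not real DNS): owner name -> [(priority, weight, port, target)]
CONSTRUCTED_SRV_ZONE = {
    "_http._tcp.example.test.": [
        (10, 60, 8080, "nat-a.example.test."),   # port-forwarded server behind NAT
        (10, 40, 8081, "nat-a.example.test."),   # second server, same IP, other port
        (20, 0, 80, "backup.example.test."),     # lower-preference fallback
    ],
    "_https._tcp.example.test.": [
        (0, 0, 8443, "nat-a.example.test."),
    ],
}

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def srv_name(scheme: str, host: str, proto: str = "tcp") -> str:
    """Build the assumed SRV owner name for a URL scheme and host."""
    return f"_{scheme}._{proto}.{host.rstrip('.')}."


def order_srv(records, rng):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority, pick repeatedly at random with probability proportional to
    weight (weight-0 records are placed first so they are rarely chosen)."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            x = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if running >= x:
                    pick = rec
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def resolve_url(url: str, zone=CONSTRUCTED_SRV_ZONE, seed=None):
    """Return (host, port, via_srv) for a URL.

    An explicit port in the URL wins and SRV is not consulted. Otherwise the
    best SRV target supplies both host and port, so the URL can omit a
    non-default port. With no SRV record, fall back to the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.hostname, parts.port, False
    records = zone.get(srv_name(parts.scheme, parts.hostname), [])
    if not records:
        return parts.hostname, DEFAULT_PORTS[parts.scheme], False
    _prio, _weight, port, target = order_srv(records, random.Random(seed))[0]
    return target.rstrip("."), port, True


def ports_for_service(zone, service: str) -> set:
    """Ports a middlebox would have to treat as candidates for `service`:
    these come only from SRV data, not from the URL or a well-known port."""
    return {
        port
        for name, recs in zone.items()
        if name.startswith(f"_{service}._")
        for (_p, _w, port, _t) in recs
    }


if __name__ == "__main__":
    print(resolve_url("http://example.test/index.html", seed=1))
    print(resolve_url("https://example.test/"))
    print(resolve_url("http://example.test:9000/"))
    print(sorted(ports_for_service(CONSTRUCTED_SRV_ZONE, "http")))
```

`resolve_url` is what a client following the draft would do; `ports_for_service` is the inventory a firewall ALG would need before it could decide which flows to hand to a protocol-specific inspector, which is the inspection-cost point raised in the reply.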