Firewall Wizards mailing list archives

Re: NAPT - NAT Port selection


From: Harald Welte <laforge () netfilter org>
Date: Tue, 24 Aug 2004 11:54:19 +0200

On Fri, Aug 20, 2004 at 09:05:37AM +0530, ravivsn () www rocsys com wrote:

Internally, among developers, we discussed this issue and we came out with
one suggestion - Reuse of a NAT port in multiple sessions, as long as
at least one of the 5 tuples is different - Since the source IP is the same (public IP
address), the destination IP or destination port has to be different.

yes, this is what every linux 2.4.x and linux 2.6.x based system does
(linux-2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/))

I solicit your feedback on this.
     -  Is it good for a NAPT device to use the same NAT port for different
sessions, if they are going to different destinations (based on
Destination IP and Port)?  Do you see any problems associated with
this apart from the one mentioned above?

It is questionable whether it is 'good'.  I (as one of the netfilter
authors) think it is good as in
        - tries to preserve port numbers as much as possible and not
          make applications relying on port number persistency break
        - minimum use of resources (i.e. more than 64k sessions).

However, there is a group working on a NAT Behaviour draft within the
IETF that discourages this (they call it 'port overloading'), since it
creates less deterministic behaviour.

     - Any experiences?

no problems whatsoever.  Please keep in mind the number of linux
installations, especially in embedded devices sold as WLAN and DSL
'Routers'.

Thanks in advance
Ravi

-- 
- Harald Welte <laforge () netfilter org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
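As an added illustration of the port-selection policy discussed above (my own sketch, not netfilter code), the model below allocates external ports with port preservation first and can run either with 'port overloading' (the same public port reused when the remote endpoint differs) or strictly one session per port. All addresses and the Napt/demo names are constructed for the example; the inbound-matching rule is a modelling assumption, not a description of any particular implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """Toy NAPT port-selection table (constructed example, not netfilter's code).
    overload=True lets sessions share a public port if their remote endpoint differs."""
    ext_ip: str
    overload: bool
    lo: int = 1024
    hi: int = 65535
    table: dict = field(default_factory=dict)   # internal 5-tuple -> external port
    used: set = field(default_factory=set)      # external-side keys already taken

    def _key(self, port, dst_ip, dst_port):
        # Overloading tells sessions apart by remote endpoint; strict mode by port alone.
        return (port, dst_ip, dst_port) if self.overload else port

    def allocate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """External port for an outbound session: keep the source port if possible."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow in self.table:
            return self.table[flow]
        for port in (src_port, *range(self.lo, self.hi + 1)):
            k = self._key(port, dst_ip, dst_port)
            if k not in self.used:
                self.used.add(k)
                self.table[flow] = port
                return port
        raise RuntimeError("external port pool exhausted")

    def match_inbound(self, proto, from_ip, from_port, ext_port):
        """Internal (ip, port) for a packet arriving on ext_port, or None.
        Assumption: a shared port is only usable if the remote endpoint matches."""
        for (p, src_ip, src_port, dst_ip, dst_port), eport in self.table.items():
            if p != proto or eport != ext_port:
                continue
            if not self.overload or (dst_ip, dst_port) == (from_ip, from_port):
                return (src_ip, src_port)
        return None

def demo(overload):
    """Two hosts, both source port 5000, toward different DNS servers (constructed addresses)."""
    nat = Napt("203.0.113.1", overload)
    a = nat.allocate("udp", "10.0.0.2", 5000, "198.51.100.7", 53)
    b = nat.allocate("udp", "10.0.0.3", 5000, "198.51.100.9", 53)
    known = nat.match_inbound("udp", "198.51.100.7", 53, a)   # the server host A spoke to
    other = nat.match_inbound("udp", "192.0.2.5", 53, a)      # a third party, no session
    return a, b, known, other
```

With overloading both hosts keep port 5000 and the NAT must see the remote endpoint to demultiplex, which is the 'less deterministic' behaviour the IETF draft objects to; without it the second host is moved to another port, but that port then identifies the session on its own.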
