public inbox for [email protected]
From: Andrew Sullivan <[email protected]>
To: [email protected]
Subject: Re: Insecure DNS servers on PG infrastructure
Date: Fri, 25 Jul 2008 18:04:48 -0400
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
On Fri, Jul 25, 2008 at 04:44:32PM -0400, Tom Lane wrote:
> I'm not convinced that that's true. If the router is trying to forward
> UDP messages arriving from several "inside" IP addresses using only one
> "outside" address, it has to deal with the possibility of collisions,
> ie two "inside" addresses using the same port number at about the same
> time.
This is true. They can't arrive at exactly the same time, though,
which means that different strategies can be used. It's certainly
true, however, that one of the strategies may well be to rewrite port
numbers.
In some sense, rewriting to the same port number makes things quite a
bit worse for the router, because rather than just remembering "oh,
port O1 was port I1 and port O2 was port I2", the router has to
remember which {staticport,Iport} pair belongs with which inside
address. So more state is needed. (Now everyone can be amazed at
just how fast a hand can be made to wave. But this is the gist of the
argument.)
> What I do know is that my own firewall hardware (a Netopia T1 router
> that's two or three years old) *was* rewriting UDP port numbers on
> requests from a machine that was sharing a NAT address with others.
It is a problem, for sure, and the OARC test is a big help. Yay
OARC (full disclosure: my former employer is a major OARC sponsor).
A
--
Andrew Sullivan
[email protected]
+1 503 667 4564 x104
http://www.commandprompt.com/
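The NAT behaviour discussed in this message, as an added example that is not code from the thread or from the PostgreSQL project: a toy model, in Python, of the two translation strategies Andrew and Tom describe (keep the inside port and only bump on collision, versus hand out outside ports sequentially) and an OARC-style check of how much source-port randomness survives on the outside. The sample traffic is constructed with a seeded RNG; the addresses (RFC 5737 documentation range), the port range and the 3000 stdev cut-off are this example's own assumptions, not OARC's thresholds.

```python
"""Toy model of a NAT device sitting in front of DNS resolvers.

Added example, not code from the thread. Addresses, port ranges and the
verdict threshold are this example's own assumptions.
"""
import random
import statistics


def random_inside_flows(n_hosts, queries_per_host, seed=1):
    """Constructed sample traffic: several inside hosts, each picking a
    fresh random ephemeral source port per query, as a patched resolver
    does. Addresses are from the RFC 5737 documentation range (assumption)."""
    rng = random.Random(seed)
    flows = []
    for h in range(n_hosts):
        inside_addr = "192.0.2.%d" % (h + 10)
        for _ in range(queries_per_host):
            flows.append((inside_addr, rng.randint(1024, 65535)))
    return flows


def nat_translate(flows, strategy, base_port=1024):
    """Return the outside source port for each flow plus the router's
    translation state {outside_port: (inside_addr, inside_port)}.

    'preserve'   keeps the inside port; a collision (another inside host
                 already holds that outside port) bumps to the next free port.
    'sequential' ignores the inside port and allocates outside ports in
                 order, which is the behaviour that undoes randomization.
    """
    table = {}
    outside_ports = []
    next_seq = base_port
    for addr, port in flows:
        if strategy == "sequential":
            out_port = next_seq
            next_seq = next_seq + 1 if next_seq < 65535 else base_port
        elif strategy == "preserve":
            out_port = port
            while out_port in table and table[out_port] != (addr, port):
                out_port = out_port + 1 if out_port < 65535 else 1024
        else:
            raise ValueError("unknown strategy: %s" % strategy)
        table[out_port] = (addr, port)
        outside_ports.append(out_port)
    return outside_ports, table


def port_spread(outside_ports):
    """What an outside observer (e.g. the OARC port test) can measure:
    the standard deviation of the source ports it sees. A resolver choosing
    uniformly from ~64k ports gives roughly 18,600; sequential allocation
    over n queries gives roughly n/3.5. The 3000 cut-off is an assumption
    for this example, not OARC's threshold."""
    sd = statistics.pstdev(outside_ports)
    return {"queries": len(outside_ports),
            "distinct": len(set(outside_ports)),
            "stdev": sd,
            "verdict": "GOOD" if sd >= 3000 else "POOR"}


if __name__ == "__main__":
    flows = random_inside_flows(3, 50)
    for strategy in ("preserve", "sequential"):
        ports, _ = nat_translate(flows, strategy)
        print(strategy, port_spread(ports))
```

Run it and the "preserve" strategy reports a spread close to what the inside resolvers actually chose, while "sequential" collapses 150 randomized queries into 150 consecutive ports that an off-path attacker can predict, regardless of how well the resolver behind the router was patched. Both strategies keep a table of the same size in this model; the point of the example is the outside view, which is all the OARC test (or an attacker) can see.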