Date: Fri, 25 Jul 2008 18:04:48 -0400
From: Andrew Sullivan <ajs@commandprompt.com>
To: pgsql-www@postgresql.org
Subject: Re: Insecure DNS servers on PG infrastructure
Message-ID: <20080725220448.GJ29775@commandprompt.com>
References: <26210.1216998123@sss.pgh.pa.us> <20080725154048.GE29775@commandprompt.com> <572.1217018672@sss.pgh.pa.us>
In-Reply-To: <572.1217018672@sss.pgh.pa.us>

On Fri, Jul 25, 2008 at 04:44:32PM -0400, Tom Lane wrote:
> I'm not convinced that that's true. If the router is trying to forward
> UDP messages arriving from several "inside" IP addresses using only one
> "outside" address, it has to deal with the possibility of collisions,
> ie two "inside" addresses using the same port number at about the same
> time.

This is true. They can't arrive at exactly the same time, though, which means that different strategies can be used. It's certainly true, however, that one of the strategies may well be to rewrite port numbers. In some sense, rewriting to the same port number makes things quite a bit worse for the router, because rather than just remembering "oh, port O1 was port I1 and port O2 was port I2", the router has to remember which {staticport,Iport} pair belongs with which inside address. So more state is needed. (Now everyone can be amazed at just how fast a hand can be made to wave. But this is the gist of the argument.)

> What I do know is that my own firewall hardware (a Netopia T1 router
> that's two or three years old) *was* rewriting UDP port numbers on
> requests from a machine that was sharing a NAT address with others.

It is a problem, for sure, and the OARC test is a big help. Yay OARC (full disclosure: my former employer is a major OARC sponsor).

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/
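The exchange above is about what a NAT does to the UDP source ports a DNS resolver randomises, and the OARC test it mentions checks exactly that from the outside. The following is an added example, not code from the thread or from any of the routers discussed: a toy NAT model with two port-selection strategies, a resolver behind it, and a crude version of the external randomness check. The class and function names (Nat, query_burst, looks_sequential, port_spread), the addresses and the burst of queries are all constructed for the example.

```python
import random
from statistics import pstdev


class Nat:
    """Toy UDP port-NAT with one outside address (hypothetical model).

    strategy = "preserve":   keep the inside port when it is free, otherwise
                             pick a random free port; the NAT must track which
                             inside host owns each outside port to detect the
                             collision Tom describes (that is the extra state).
    strategy = "sequential": hand out outside ports from a counter no matter
                             what inside port was used; simpler, but every
                             query then leaves with a predictable port.
    """

    def __init__(self, outside_ip, strategy, seed=1):
        if strategy not in ("preserve", "sequential"):
            raise ValueError("unknown strategy: %s" % strategy)
        self.outside_ip = outside_ip
        self.strategy = strategy
        self.bindings = {}   # (inside_ip, inside_port) -> outside_port
        self.owner = {}      # outside_port -> (inside_ip, inside_port)
        self.counter = 1024
        self.rng = random.Random(seed)

    def translate(self, inside_ip, inside_port):
        """Return the (outside_ip, outside_port) a datagram leaves with."""
        key = (inside_ip, inside_port)
        if key in self.bindings:                 # existing mapping, reuse it
            return self.outside_ip, self.bindings[key]
        if self.strategy == "sequential":
            while self.counter in self.owner:    # skip ports still bound
                self.counter = 1024 if self.counter >= 65535 else self.counter + 1
            port = self.counter
            self.counter = 1024 if self.counter >= 65535 else self.counter + 1
        else:
            port = inside_port
            while port in self.owner:            # another inside host has it
                port = self.rng.randrange(1024, 65536)
        self.bindings[key] = port
        self.owner[port] = key
        return self.outside_ip, port


def query_burst(nat, inside_ip, n, seed=2):
    """A resolver at inside_ip sends n queries, each from a fresh random
    source port (constructed input).  Returns (inside_port, outside_port)
    pairs; the second is what the authoritative server actually sees."""
    rng = random.Random(seed)
    pairs = []
    for sport in rng.sample(range(1024, 65536), n):
        _, oport = nat.translate(inside_ip, sport)
        pairs.append((sport, oport))
    return pairs


def looks_sequential(ports):
    """Crude stand-in for an external port test: if nearly every observed
    port is the previous one plus 1, an attacker can guess the next one."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return bool(steps) and sum(1 for s in steps if s == 1) >= 0.9 * len(steps)


def port_spread(ports):
    """Population standard deviation of the observed ports; a value near zero
    or in the tens means the resolver's randomisation did not survive the NAT."""
    return pstdev(ports)


if __name__ == "__main__":
    for strategy in ("preserve", "sequential"):
        nat = Nat("203.0.113.1", strategy)
        outside = [o for _, o in query_burst(nat, "10.0.0.5", 20)]
        print(strategy, "sequential=%s spread=%.0f" %
              (looks_sequential(outside), port_spread(outside)), outside[:5])
```

Run stand-alone, the "preserve" NAT passes the randomness check because a lone inside host keeps its own ports, and a second host that picks an already-bound port is moved to a random free one using the owner table; the "sequential" NAT fails it, since the resolver's random ports leave as 1024, 1025, 1026 and so on, which is the behaviour the external test is there to catch.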