Re: Insecure DNS servers on PG infrastructure

On Fri, Jul 25, 2008 at 04:44:32PM -0400, Tom Lane wrote:

> I'm not convinced that that's true.  If the router is trying to forward
> UDP messages arriving from several "inside" IP addresses using only one
> "outside" address, it has to deal with the possibility of collisions,
> ie two "inside" addresses using the same port number at about the same
> time.  

This is true.  They can't arrive at exactly the same time, though,
which means that different strategies can be used.  It's certainly
true, however, that one of the strategies may well be to rewrite port
numbers.

In some sense, rewriting to the same port number makes things quite a
bit worse for the router, because rather than just remembering "oh,
port O1 was port I1 and port O2 was port I2", the router has to
remember which {staticport,Iport} pair belongs with which inside
address.  So more state is needed.  (Now everyone can be amazed at
just how fast a hand can be made to wave.  But this is the gist of the
argument.)

> What I do know is that my own firewall hardware (a Netopia T1 router
> that's two or three years old) *was* rewriting UDP port numbers on
> requests from a machine that was sharing a NAT address with others.

It is a problem, for sure, and the OARC test is a big help.  Yay
OARC (full disclosure: my former employer isa major OARC sponsor).

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/