On 06/15/2009 06:58:33 AM, Claudio Jeker wrote:
On Sun, Jun 14, 2009 at 11:28:31PM -0500, Karl O. Pinc wrote:
> Hi,
>
> It occurs to me that multipath routing
> (http://www.openbsd.org/faq/faq6.html#Multipath)
> might not play nicely with ftp-proxy on a firewall
> because passive ftp sessions could multiplex the
> data and control connections via different ISPs.
> My assumption here is that if you're using
> multipath routing and 2 ISPs then your NATting,
> so the ftp server on the Internet would see
> the control connection from one ISP and the
> data connection from another, leading to failure.
>
> Is this a correct analysis or am I missing something?
>

This could only happen if you created such a freak setup that only a few
people manage to setup. The multipath code uses a hash over src and
destination IP to decide which link it will take. So it should be
almost impossible to get a mixup of ftp sessions to the same host.

Thanks.  I was confused about 2 things:  The RFC referenced in the
multipath FAQ refers only to flows, and it was not clear whether
the hash that determined path was only over source
and destination IP or also included the source
and destination port.  2nd, I somehow missed the NAT-ting of the
passive data connection to the ftp-proxy source address (doh).
You cleared these up for me.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
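An added illustration of the point made in the reply above (example code written for this page, not code from the thread or from OpenBSD): a per-destination flow hash over source and destination IP sends every connection between the same two hosts over the same uplink, so the control and data connections of one passive FTP session cannot be split across ISPs. For contrast it also tries a per-connection hash that mixes in the ports, which can split them. The two link names, the SHA-256 stand-in for the kernel's hash function, and the client/server addresses are all constructed assumptions.

```python
"""Flow-hash path selection for a passive FTP session (constructed example).

Assumptions: two uplinks named isp-a/isp-b, SHA-256 as a stand-in for the
kernel's multipath hash, and addresses from the RFC 5737 documentation ranges.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
LINKS: List[str] = ["isp-a", "isp-b"]  # constructed: the two ISPs of the thread


def _digest(key: str) -> int:
    # SHA-256 stands in for the real hash; only its distribution matters here.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")


def key_src_dst(flow: Flow) -> int:
    """Key over source and destination IP only (the scheme the reply describes)."""
    src, dst, _, _ = flow
    return _digest(f"{src}>{dst}")


def key_five_tuple(flow: Flow) -> int:
    """Key that also mixes in the ports: a per-connection hash, for contrast."""
    src, dst, sport, dport = flow
    return _digest(f"{src}:{sport}>{dst}:{dport}")


def pick_link(flow: Flow, keyfn: Callable[[Flow], int],
              links: List[str] = LINKS) -> str:
    """Equal-cost choice: reduce the flow key modulo the number of uplinks."""
    return links[keyfn(flow) % len(links)]


def passive_ftp_session(client: str, server: str, data_port: int,
                        ctl_sport: int = 40001,
                        data_sport: int = 40002) -> Dict[str, Flow]:
    """Constructed passive FTP session: the control connection goes to port 21,
    the data connection to the port the server announced in its PASV reply.
    Both connections originate at the client side, as in passive mode."""
    return {
        "control": (client, server, ctl_sport, 21),
        "data": (client, server, data_sport, data_port),
    }


def session_is_consistent(session: Dict[str, Flow],
                          keyfn: Callable[[Flow], int]) -> bool:
    """True when every connection of the session leaves over the same link."""
    return len({pick_link(flow, keyfn) for flow in session.values()}) == 1


def find_split(keyfn: Callable[[Flow], int], client: str = "10.0.0.5",
               server: str = "203.0.113.10",
               tries: int = 256) -> Optional[Dict[str, Flow]]:
    """Walk a range of PASV data ports looking for a session the given scheme
    would spread across two links. Returns the first such session, or None."""
    for data_port in range(50000, 50000 + tries):
        session = passive_ftp_session(client, server, data_port,
                                      data_sport=40000 + data_port % 1000)
        if not session_is_consistent(session, keyfn):
            return session
    return None


if __name__ == "__main__":
    session = passive_ftp_session("10.0.0.5", "203.0.113.10", 50123)
    for name, flow in session.items():
        print(f"src/dst hash  {name:7s} -> {pick_link(flow, key_src_dst)}")
        print(f"5-tuple hash  {name:7s} -> {pick_link(flow, key_five_tuple)}")
    print("src/dst scheme can split a session:",
          find_split(key_src_dst) is not None)
    print("5-tuple scheme can split a session:",
          find_split(key_five_tuple) is not None)
```

With the source/destination-only key the search never finds a split, because both connections share the same key regardless of ports; with the five-tuple key a split turns up almost immediately, which is the failure the original question worried about.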
