On Fri, Apr 1, 2022 at 6:37 AM Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
> If you make the stateful NATs static, that is, each
> private address has a statically configured range of
> public port numbers, it is extremely easy because no
> logging is necessary for police grade audit trail
> opacity.
>
> Masataka Ohta

Hi Masataka,

One quick question. If every host is granted a range of public port numbers on the static stateful NAT device, what happens when two customers need access to the same port number?

Because there's no way in a DNS NS entry to specify a port number, if I need to run a DNS server behind this static NAT, I *have* to be given port 53 in my range; there's no other way to make DNS work. This means that if I have two customers that each need to run a DNS server, I have to put them on separate static NAT boxes--because they can't both get access to port 53.

This limits the effectiveness of a stateful static NAT box to the number of customers that need hard-wired port numbers to be mapped through; which, depending on your customer base, could end up being all of them, at which point you're back to square one, with every customer needing at least 1 IPv4 address dedicated to them on the NAT device.

Either that, or you simply tell your customers "so sorry you didn't get on the Internet soon enough; you're all second class citizens that can't run your own servers; if you need to do that, you can go pay Amazon to host your server needs."

And perhaps that's not as unreasonable as it first sounds; we may all start running IPv4-IPv6 application gateways on Amazon, so that IPv6-only networks can still interact with the IPv4-only internet, and Amazon will be the great glue that holds it all together.

tl;dr -- "if only we'd thought of putting a port number field in the NS records in DNS back in 1983..."

Matt
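A small model of the static per-subscriber port-range NAT under discussion, added here as an illustration and not code from either poster. It assigns each private host a fixed block of ports on a shared public IPv4 address and shows the effect Matt describes: a subscriber that must be reachable on a fixed well-known port (DNS on 53) can only be placed on the block containing that port, so such subscribers cannot share an address. The block size of 1024 and the subscriber names are constructed assumptions.

```python
"""Static port-range NAT allocation model (constructed example)."""
from dataclasses import dataclass, field

PORT_SPACE = 65536   # ports 0-65535 available on one public IPv4 address


@dataclass
class Subscriber:
    name: str
    fixed_ports: frozenset = frozenset()   # ports it must own, e.g. {53} for DNS


@dataclass
class PublicAddress:
    assignments: dict = field(default_factory=dict)   # subscriber name -> port range

    def try_place(self, sub, block):
        """Give `sub` the first free block that contains all of its fixed ports."""
        used = {r.start for r in self.assignments.values()}
        for start in range(0, PORT_SPACE, block):
            if start in used:
                continue
            blk = range(start, start + block)
            # A fixed port can only be served from the one block that contains it,
            # so every subscriber needing port 53 competes for block 0.
            if all(p in blk for p in sub.fixed_ports):
                self.assignments[sub.name] = blk
                return True
        return False


def plan(subscribers, block=1024):
    """First-fit allocation; returns the list of public addresses required."""
    addrs = []
    for sub in subscribers:
        if len({p // block for p in sub.fixed_ports}) > 1:
            raise ValueError(f"{sub.name}: fixed ports span more than one block")
        if not any(a.try_place(sub, block) for a in addrs):
            fresh = PublicAddress()          # an empty address always has room
            fresh.try_place(sub, block)
            addrs.append(fresh)
    return addrs


if __name__ == "__main__":
    dns = [Subscriber(f"dns{i}", frozenset({53})) for i in range(3)]
    plain = [Subscriber(f"host{i}") for i in range(100)]
    print(len(plan(dns)), "addresses for 3 DNS subscribers")        # 3
    print(len(plan(plain)), "addresses for 100 plain subscribers")  # 2
```

With 1024-port blocks, block 0 covers every well-known port, so at most one subscriber per public address can run any service on a port below 1024.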