Date:      Mon, 20 May 1996 17:10:43 -0700
From:      bmah@cs.berkeley.edu (Bruce A. Mah)
To:        "Gary Palmer" <gpalmer@freebsd.org>
Cc:        Tony Kimball <alk@think.com>, bmah@cs.berkeley.edu, questions@freebsd.org
Subject:   Re: ip masquerading 
Message-ID:  <199605210010.RAA11094@premise.CS.Berkeley.EDU>
In-Reply-To: Your message of "Mon, 20 May 1996 23:34:58 BST." <22593.832631698@palmer.demon.co.uk> 

"Gary Palmer" writes:
> Tony Kimball wrote in message ID
> <199605201848.NAA16883@compound.Think.COM>:

[snip]

> >    1.  It introduces hard state in the gateway machine.  If the gateway 
> >    goes down and comes back up, you lose all the connections through it.  
> >    Note that some other approaches such as application-specific gateways 
> >    have this problem too.
> 
> > To my knowledge no solution is proposed which does not.  I think
> > that an RFC on the subject is needed, frankly, to update
> > requirements in a manner which removes the need for gateway state.
> > This point is an argument against solving the problem, not against
> > solving it by masquerade.
> 
> No thank you. TCP is inherently non-stateless (heck, it has a state
> machine as part of its basic operation). Putting in non-stateless
> hacks will just really screw things up. Do you know why Sun's NFS is
> so poor performance wise? One reason (among many) - the server cannot
> keep any state information about the clients...

I'm going to use "stateful" == "non-stateless", to eliminate a double 
negative.  :-)  Making gateways stateful goes against one of the basic 
design principles of the Internet, which calls for having as little 
"hard state" as possible.  In other words, if you need to maintain 
state in your network, make sure your network won't break if it goes 
away.  This has allowed the Internet routing infrastructure to be 
extremely adaptable to various failures (including downtime of 
gateways).

Putting all of this stuff in a gateway is going to be difficult to do 
cleanly, since you're subjected to the disadvantages of both 
"religions".

> >    4.  It's not a general purpose solution (e.g. ICMP doesn't work, UDP 
> >    support is a hack).  For example, how would I ping outside my local 
> >    network to track down problems?
> 
> > From the masquerade host.  ICMP works fine, to the network
> > interface of the *system*.  UDP is not a host requirement.
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To Tony:  Are you saying that just because FTP, telnet, and Web don't 
run over UDP it's not important?  I respectfully disagree.

> One reason for having masquerade is to allow you to offload shell
> processing load from the gateway. You are promptly putting that load
> back on. Garrett has his reasons for not liking masquerading, I have
> mine.

Hadn't thought about this...I guess if your machine is CPU-challenged 
this could be an issue.

Bruce.
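As an added illustration of the "hard state" objection discussed above (not code from this thread or from any FreeBSD masquerading implementation), a toy translation table shows what a gateway reboot does to a connection in flight. All addresses and ports are constructed sample values, and the port allocator restarting from a fixed base after a reboot is an assumption of the toy.

```python
# Toy model of the "hard state" objection in the thread: the masquerade
# table lives only in gateway memory. Addresses/ports are constructed values.
class MasqGateway:
    """Rewrites outbound (src_ip, src_port) to (public_ip, masq_port) and
    remembers the mapping so the server's reply can be sent back inside."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.reboot()

    def reboot(self):
        # Hard state: the translation table is in RAM and is lost on a crash.
        self.next_port = 61000      # first masquerade port handed out
        self.by_masq_port = {}      # masq_port -> (src_ip, src_port)
        self.by_internal = {}       # (src_ip, src_port) -> masq_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port)
        if key not in self.by_internal:
            self.by_internal[key] = self.next_port
            self.by_masq_port[self.next_port] = key
            self.next_port += 1
        # Packet as seen on the outside: source rewritten to the gateway.
        return (self.public_ip, self.by_internal[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Reply to the gateway's public address: returns the internal
        (ip, port) it is forwarded to, or None if there is no mapping."""
        return self.by_masq_port.get(dst_port)

def reply_after(reboot):
    """Open one connection, optionally reboot the gateway, deliver the reply."""
    gw = MasqGateway("192.0.2.1")
    _, masq_port, _, _ = gw.outbound("10.0.0.5", 40000, "203.0.113.9", 80)
    if reboot:
        gw.reboot()               # every mapping is gone: the reply is dropped
    return gw.inbound(masq_port)

def misdelivered_after_reboot():
    """Worse than a drop: after the reboot a new host's connection gets the
    same masquerade port, so the late reply for the old one goes to it."""
    gw = MasqGateway("192.0.2.1")
    _, old_port, _, _ = gw.outbound("10.0.0.5", 40000, "203.0.113.9", 80)
    gw.reboot()
    gw.outbound("10.0.0.7", 40000, "198.51.100.2", 443)
    return gw.inbound(old_port)   # ('10.0.0.7', 40000), not 10.0.0.5
```

A stateless forwarder would have nothing to lose here, which is the design principle the message appeals to; the second function is why stale mappings matter beyond a dropped packet.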