[Click] NAT changes
Eddie Kohler
kohler at cs.ucla.edu
Sat Jul 31 11:03:43 EDT 2004
Hi all,
Currently IPRewriter will not reuse a source port until the connection using
that source port goes away. This is harsher than necessary; in particular,
IPRewriter could reuse the same source port for different destination
addresses and/or ports, which would really raise the best-case number of
concurrent connections supported.
IPRewriter also allocates source ports sequentially. It would be better to
allocate them randomly to reduce the risk of blind TCP attacks.
I'd like to address both of these issues. But it may make IPRewriter a bit
slower. (Currently IPRewriter can tell immediately whether or not "the
current" source port is used, although it may take 2^16 tries to find an
unused source port. In the new design, it will require a hash lookup to tell
whether or not a source port is used, and it may still take 2^16 tries to find
an unused source port. But the new design will use a bit less memory.) Any
comments?
Eddie
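As an added illustration of the lookup-based design sketched in the message (example code, not Click's IPRewriter): mappings are keyed on the full (source port, destination address, destination port) tuple so a source port can be reused for another destination, the probe starts at a random port instead of the next sequential one, and a hash lookup decides whether a candidate is taken. Class and member names and the 1024-65535 default range are assumptions.

```cpp
#include <cstdint>
#include <functional>
#include <random>
#include <unordered_set>

// A mapping is keyed by the full (source port, destination address, destination
// port) tuple, so one source port can be reused whenever the destination differs.
// Names and the default port range are illustrative, not Click's.
struct FlowKey {
    uint16_t sport; uint32_t daddr; uint16_t dport;
    bool operator==(const FlowKey& o) const {
        return sport == o.sport && daddr == o.daddr && dport == o.dport;
    }
};
struct FlowKeyHash {
    size_t operator()(const FlowKey& k) const noexcept {
        uint64_t v = (uint64_t(k.daddr) << 32) | (uint64_t(k.dport) << 16) | k.sport;
        return std::hash<uint64_t>{}(v);
    }
};

class PortAllocator {
public:
    PortAllocator(uint32_t seed, uint16_t lo = 1024, uint16_t hi = 65535)
        : rng_(seed), lo_(lo), hi_(hi) {}

    // Pick an unused source port for this destination, or -1 if none is left.
    // The probe starts at a random offset, so ports are not handed out
    // sequentially; each candidate costs one hash lookup, and in the worst
    // case every port in the range is tried once.
    int allocate(uint32_t daddr, uint16_t dport) {
        unsigned span = unsigned(hi_) - lo_ + 1;
        unsigned start = std::uniform_int_distribution<unsigned>(0, span - 1)(rng_);
        for (unsigned i = 0; i < span; ++i) {
            uint16_t port = uint16_t(lo_ + (start + i) % span);
            if (used_.insert(FlowKey{port, daddr, dport}).second)
                return port;  // the tuple was free and is now reserved
        }
        return -1;  // whole range busy for this destination
    }
    void release(uint16_t sport, uint32_t daddr, uint16_t dport) {
        used_.erase(FlowKey{sport, daddr, dport});
    }
    size_t size() const { return used_.size(); }

private:
    std::unordered_set<FlowKey, FlowKeyHash> used_;
    std::mt19937 rng_;
    uint16_t lo_, hi_;
};
```

With a deliberately tiny two-port range the allocator shows both properties at once: a third connection to the same destination is refused, while a connection to a different destination still gets one of the same two ports.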