
Re: shared-state firewalls/routers

To: lmb <lars@xxxxxxxxxxxxxxxx>
Subject: Re: shared-state firewalls/routers
From: Stuart Card <stu@xxxxxxxxxxxx>
Date: Mon, 28 Feb 2000 17:03:21 -0500
Cc: netdev@xxxxxxxxxxx
In-reply-to: <20000228203956.C23998@xxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
At 08:39 PM 2000-02-28 +0100, lmb wrote:

>On the other hand, dynamic NAT (masquerading, the LinuxVirtualServer etc) and
>stateful packet filtering aren't that easy.  The firewalls need to share state
>one way or the other. Alan pointed out that two basic methods exist:
>
>1. share data by passing it around.
>   If you establish a connection, send a notice to the other box to permit it
>   there too etc. (This would best be done from userspace)
>
>2. "share" data by computing it from the connection parameters in a
>   deterministic way.
>
>   For example: Hashing (src port, src ip, dest port, dest ip) into the port
>   number for n:1 NAT and so on.

There is a third method: have the standby router snoop what the active
router did.

This requires enough 'intelligence' in the standby to match each packet it
sees on the LAN side with the correct corresponding packet on the WAN side.
For basic NAT etc. this shouldn't be too hard.

The third method has something in common with the second: matching packets
requires an understanding of how they _might have been_ transformed by the
active router; which is similar to, but slightly easier than, knowing
_a priori_ exactly how they _must have been_ transformed (down to specific
addresses, port numbers, etc. which are dynamically assigned in what may not
be a completely deterministic fashion).

The third method also _may_ have something in common with the first: an
active router which knows it is being snooped by a standby router, and which
wants to be cooperative, might do some things slightly differently, in order
to provide more 'hints' to the snooping standby.

No, I am _not_ trying anything like this, but am working in several related
areas.

------------------------------------------------------------------------
Stuart W. Card, Chief Scientist & Vice-Pres., Critical Technologies Inc.
Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica NY 13501
315-793-0248   FAX -9710    <stu@xxxxxxxxxxxx>   http://www.critical.com
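Added example (not code from this thread or from any of its participants): a small model of method 2 from the quoted message, a NAT port derived from a keyed hash of the connection tuple so that an active and a standby router agree without passing state, combined with the third method Card describes, a standby that snoops the LAN and WAN sides and matches packets against the set of ports a flow *might* have been given. The router class, the shared secret, the port range, the rehash limit and the sample flows are all assumptions made for illustration.

```python
# Added illustration, not from the netdev thread. NatRouter, the shared
# secret, PORT_LOW/PORT_HIGH, MAX_REHASH and the sample flows are made up.
import hashlib
import hmac
from dataclasses import dataclass, replace

PORT_LOW, PORT_HIGH = 1024, 65535   # assumed masquerade port range
MAX_REHASH = 16                     # assumed rehash attempts before giving up


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def nat_port(flow, secret, attempt=0):
    """Method 2: derive the masquerade port from the 4-tuple.

    The hash is keyed with a secret shared by the two routers, so a host
    outside cannot predict which source port a flow will be given; an
    unkeyed hash of public tuple fields would be guessable by anyone.
    """
    msg = f"{flow.proto}|{flow.src_ip}:{flow.src_port}>{flow.dst_ip}:{flow.dst_port}|{attempt}"
    digest = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(digest[:4], "big") % (PORT_HIGH - PORT_LOW + 1)


class NatRouter:
    def __init__(self, wan_ip, secret):
        self.wan_ip = wan_ip
        self.secret = secret
        # (wan_port, dst_ip, dst_port, proto) -> inside flow. A WAN port may
        # be reused toward a different destination, as a real n:1 NAT does.
        self.table = {}

    def translate(self, flow):
        """Active router: map an outbound LAN flow to its WAN-side form.

        A flow already in the table gets the same mapping back. On a port
        collision the tuple is rehashed with a counter; that counter is
        where the result stops being a pure function of the tuple, which
        is the non-determinism a standby has to allow for.
        """
        for attempt in range(MAX_REHASH):
            port = nat_port(flow, self.secret, attempt)
            key = (port, flow.dst_ip, flow.dst_port, flow.proto)
            owner = self.table.setdefault(key, flow)
            if owner == flow:
                return replace(flow, src_ip=self.wan_ip, src_port=port)
        raise RuntimeError("no free masquerade port for %r" % (flow,))

    def snoop(self, lan_flow, wan_flows_seen):
        """Method 3: standby matches a LAN-side flow it observed against the
        WAN-side flows the active router emitted, and learns the mapping.

        The standby does not know which rehash attempt the active used,
        only the set of ports the flow might have been translated to, so it
        accepts any WAN flow to the same destination carrying one of them.
        """
        candidates = {nat_port(lan_flow, self.secret, a) for a in range(MAX_REHASH)}
        for wan in wan_flows_seen:
            if (wan.src_ip == self.wan_ip
                    and wan.proto == lan_flow.proto
                    and (wan.dst_ip, wan.dst_port) == (lan_flow.dst_ip, lan_flow.dst_port)
                    and wan.src_port in candidates):
                self.table[(wan.src_port, wan.dst_ip, wan.dst_port, wan.proto)] = lan_flow
                return wan
        return None


if __name__ == "__main__":
    # Constructed sample: active and standby share a secret and a WAN address.
    secret = b"demo-shared-secret"
    active = NatRouter("203.0.113.5", secret)
    standby = NatRouter("203.0.113.5", secret)
    inside = Flow("192.168.1.10", 40001, "198.51.100.7", 80)
    outside = active.translate(inside)
    print("active mapped", inside, "->", outside)
    print("standby snooped", standby.snoop(inside, [outside]))
    print("tables agree:", active.table == standby.table)
```

Run stand-alone, the block shows the standby arriving at the active router's table entry without any message between the two boxes. The rehash loop is the caveat in the message above made concrete: once a collision forces a second attempt, the mapping is no longer computable a priori from the tuple, but a snooping standby still recovers it because it matches against everything the flow might have become rather than one predicted value.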

