On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:

> draft-ohta-urlsrv-00.txt
>
> DNS SRV RRs of a domain implicitly specify servers and port numbers
> corresponding to the domain.
>
> By combining URLs and SRV RRs, no port numbers have to be specified
> explicitly in URLs, even if non-default port numbers are used, which
> makes URLs more concise for port based virtual and real hosting,
> where port based real hosting means that multiple servers sharing an
> IP address are distinguished by port numbers to give service for
> different URLs, which is the case for port forwarded servers behind
> NAT and servers with realm specific IP.
>
It seems to me that this will create all sorts of headaches for firewall ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for example, the devices would need to inspect traffic on all ports and perform DPI. This is not as much of a problem on the firewall protecting the servers (you know what ports to inspect), but will require a lot more processing power on the client-side NAT firewall.

Jonesy
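The URL-to-SRV resolution the quoted abstract describes, as an added example that is not part of the draft or of this thread: the zone data is constructed, the owner-name mapping `_scheme._tcp.host` is an assumption in RFC 2782 style (the draft's exact mapping is not on this page), and `ports_to_inspect` shows the defender's side of Jonesy's point, i.e. which ports an ALG would have to watch once port numbers move into SRV records.

```python
# Added example (not from the draft or this thread): resolve a URL to (host, port)
# through SRV RRs. Zone data is constructed; the owner-name mapping
# _scheme._tcp.host is assumed in RFC 2782 style, not taken from draft-ohta-urlsrv.
import random
from urllib.parse import urlsplit

# Constructed zone: two HTTP servers behind one NAT address differ only by port; FTP on a non-default port.
FAKE_SRV_ZONE = {  # owner name -> list of (priority, weight, port, target)
    "_http._tcp.example.test.": [(10, 60, 8080, "nat-gw.example.test."),
                                 (10, 40, 8081, "nat-gw.example.test."),
                                 (20, 0, 80, "backup.example.test.")],
    "_ftp._tcp.example.test.": [(0, 0, 2121, "nat-gw.example.test.")],
}
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

def srv_name_for_url(url):
    """SRV owner name from the URL's scheme and host (assumed mapping)."""
    p = urlsplit(url)
    if p.port is not None:
        raise ValueError("URL already carries a port; no SRV lookup needed")
    return f"_{p.scheme}._tcp.{p.hostname}."

def select_srv(rrs, rng):
    """RFC 2782 selection: lowest priority wins, then weighted random among ties."""
    lowest = min(rr[0] for rr in rrs)
    cands = [rr for rr in rrs if rr[0] == lowest]
    total = sum(rr[1] for rr in cands)
    if total == 0:
        return rng.choice(cands)
    pick = rng.randint(0, total - 1)
    for rr in cands:
        pick -= rr[1]
        if pick < 0:
            return rr
    return cands[-1]

def resolve_url(url, zone=FAKE_SRV_ZONE, rng=None):
    """(host, port) a URL-SRV-aware client connects to; scheme default if no SRV."""
    rrs = zone.get(srv_name_for_url(url))
    if not rrs:
        p = urlsplit(url)
        return p.hostname, DEFAULT_PORT[p.scheme]
    _, _, port, target = select_srv(rrs, rng or random.Random())
    return target.rstrip("."), port

def ports_to_inspect(zone=FAKE_SRV_ZONE):
    """Defender's view: every port a service may use, i.e. what an ALG must watch."""
    out = {}
    for name, rrs in zone.items():
        out.setdefault(name.split(".")[0].lstrip("_"), set()).update(rr[2] for rr in rrs)
    return out
```

With the constructed zone, an HTTP client never lands on the priority-20 backup while the priority-10 records exist, and the FTP ALG would have to follow 2121/tcp rather than 21/tcp.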