
Re: Why does Debian allow all incoming traffic by default

On Sat, 22 Sep 2018 17:07:59 +0200
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

> PPTP does require specific NAT support for the GRE protocol.
> Use case : two clients of the same PPTP server share the same public
> IP address.

It doesn't work, see below. And yes, I do know, it was a common
question on the MS Small Business Server Usenet group. The second
person to make the attempt could not make contact until about two
minutes after the first had disconnected.

> The server sends a GRE packet to the public IP address. How does the
> NAT device know which client the packet must be forwarded to?

Because NAT requires the maintenance of a table of connections, with
source and destination IP addresses, which is exactly what is required
by both stateful firewalling and connection tracking. In this case, for
the first GRE packet, it is connection tracking which uses the table
data to route the packet to the machine with an existing TCP/1723
connection from the same source address.

What you can't do with PPTP is make multiple connections between the
same two NAT machines, for this same reason, because GRE doesn't have
the means for being tied to one particular TCP/1723 path. It doesn't
carry the same meta information as does the TCP protocol. It is here
that IPSec is used, almost always between the network default gateways,
to avoid messy routing updates to workstations. FTP doesn't have this
problem, because its two paths are both TCP, and can be uniquely paired
by connection tracking.

There is provision in the PPTP protocol for multiple GRE connections to
be handled by one TCP/1723 control channel, but I'm not aware that this
has ever been implemented. That would still be a server-to-server
protocol, not a multiple-workstation-to-server one.
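The mechanism described above (connection tracking routing inbound GRE to the inside host that holds a TCP/1723 control connection to the same server, and the resulting collision when two inside hosts talk to one server) as a toy model. This is an added example, not code from the list post or from any real firewall: it keys GRE bindings on the peer address alone, exactly as the post describes, and the 120-second linger time and the oldest-control-connection tie-break are assumptions chosen for illustration.

```python
"""Toy model of a NAT device with connection tracking handling PPTP.

Constructed example: TCP/1723 control connections are tracked by full
4-tuple, but GRE data packets carry no port-like field the device can key
on, so an inbound GRE flow from a PPTP server can only be bound to the
peer address. The binding goes to whichever inside host first owns a
control connection to that server and lingers for GRE_LINGER seconds after
that control connection closes (assumed value, loosely matching the
"about two minutes" reported in the post).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PPTP_PORT = 1723
GRE_LINGER = 120.0  # assumed: how long a GRE binding outlives its control connection

# (inside_ip, inside_port, outside_ip, outside_port)
TcpKey = Tuple[str, int, str, int]


@dataclass
class GreBinding:
    inside_ip: str
    expires: Optional[float] = None  # None while the owning control connection is alive


@dataclass
class NatTable:
    tcp: Dict[TcpKey, float] = field(default_factory=dict)    # key -> time established
    gre: Dict[str, GreBinding] = field(default_factory=dict)  # peer_ip -> binding

    def tcp_connect(self, inside_ip: str, inside_port: int,
                    outside_ip: str, outside_port: int, now: float) -> None:
        self.tcp[(inside_ip, inside_port, outside_ip, outside_port)] = now

    def tcp_close(self, inside_ip: str, inside_port: int,
                  outside_ip: str, outside_port: int, now: float) -> None:
        self.tcp.pop((inside_ip, inside_port, outside_ip, outside_port), None)
        # If this host owned the GRE binding to that peer and has no other
        # control connection left, start the binding's linger timer.
        binding = self.gre.get(outside_ip)
        if (binding and binding.inside_ip == inside_ip
                and not self._has_control(inside_ip, outside_ip)):
            binding.expires = now + GRE_LINGER

    def _has_control(self, inside_ip: str, peer_ip: str) -> bool:
        return any(k[0] == inside_ip and k[2] == peer_ip and k[3] == PPTP_PORT
                   for k in self.tcp)

    def _control_owners(self, peer_ip: str) -> List[str]:
        """Inside hosts with a TCP/1723 connection to peer_ip, oldest first."""
        items = [(t, k[0]) for k, t in self.tcp.items()
                 if k[2] == peer_ip and k[3] == PPTP_PORT]
        return [ip for _, ip in sorted(items)]

    def inbound_gre(self, peer_ip: str, now: float) -> Optional[str]:
        """Return the inside host an inbound GRE packet is forwarded to, or None to drop."""
        binding = self.gre.get(peer_ip)
        if binding and binding.expires is not None and binding.expires <= now:
            del self.gre[peer_ip]        # linger time is up, forget the stale owner
            binding = None
        if binding:
            return binding.inside_ip     # GRE has nothing else to match on
        owners = self._control_owners(peer_ip)
        if not owners:
            return None                  # unsolicited GRE, no control channel: drop
        self.gre[peer_ip] = GreBinding(owners[0])  # assumed tie-break: oldest control connection
        return owners[0]


def two_clients_one_server() -> List[Tuple[str, Optional[str]]]:
    """Replay the scenario from the post with constructed addresses."""
    nat = NatTable()
    server = "203.0.113.10"                      # constructed PPTP server address
    a, b = "192.168.1.10", "192.168.1.11"        # two inside clients behind the NAT
    log = []
    nat.tcp_connect(a, 40001, server, PPTP_PORT, now=0)
    log.append(("t=1", nat.inbound_gre(server, 1)))      # A's tunnel: delivered to A
    nat.tcp_connect(b, 40002, server, PPTP_PORT, now=10)
    log.append(("t=11", nat.inbound_gre(server, 11)))    # meant for B, still lands on A
    nat.tcp_close(a, 40001, server, PPTP_PORT, now=20)   # A disconnects
    log.append(("t=30", nat.inbound_gre(server, 30)))    # binding lingers: still A
    log.append(("t=140", nat.inbound_gre(server, 140)))  # linger expired: B reachable
    return log


if __name__ == "__main__":
    for when, host in two_clients_one_server():
        print(f"{when:>6}: GRE from server forwarded to {host}")
```

Run stand-alone it prints the four deliveries; the third line is the point of the post: after the first client disconnects, the second still gets nothing until the stale GRE binding ages out, because nothing in the GRE packet itself tells the device which inside host it belongs to.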
