Augment criteria to keep/select port allocator

[Fredi-raspall]

In stateful (source) NAT, a distinct port allocator should be kept per:

• src-ip
• dst-ip
• protocol
• dst-port
• dst-vpcid

Currently, the dst-ip and dst-port are not considered. This means that we limit the number of ports (and hence possible flows) between one or more vpcs trying to "connect" to some "serving" VPC without considering that the serving vpc may expose the service over multiple ip addresses and ports, which would allow it to scale nearly endlessly.

see #1098

[qmonnet]

Note: This may collide with some of the RFC requirements for CG-NAT.

For example, REQ-2 from RFC 6888 (Common Requirements for Carrier-Grade NATs (CGNs)) says:

A CGN MUST have a default "IP address pooling" behavior of "Paired"

which is defined as using “the same external IP address mapping for all sessions associated with the same internal IP address”. The motivation for this requirement is to avoid breaking applications that depend on the external address being constant.

Also, REQ-1 in both RFC 4787 (Network Address Translation (NAT) Behavioral Requirements for Unicast UDP) and RFC 5382 (NAT Behavioral Requirements for TCP) says:

A NAT MUST have an "Endpoint-Independent Mapping" behavior.

meaning that “The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to any external IP address and port.”

[Fredi-raspall]

Note: This may collide with some of the RFC requirements for CG-NAT.

For example, REQ-2 from RFC 6888 (Common Requirements for Carrier-Grade NATs (CGNs)) says:

A CGN MUST have a default "IP address pooling" behavior of "Paired"

which is defined as using “the same external IP address mapping for all sessions associated with the same internal IP address”. The motivation for this requirement is to avoid breaking applications that depend on the external address being constant.

Also, REQ-1 in both RFC 4787 (Network Address Translation (NAT) Behavioral Requirements for Unicast UDP) and RFC 5382 (NAT Behavioral Requirements for TCP) says:

A NAT MUST have an "Endpoint-Independent Mapping" behavior.

meaning that “The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to any external IP address and port.”

I don't see how. Can you elaborate?

[qmonnet]

If you're constrained to use the same source IP address mapping for a given external destination IP, then you cannot at the same time use all the available space of allocatable addresses for this given external destination IP, as you suggest in this issue?

Probably best discussed over diagrams during a call, anyway.

[Fredi-raspall]

If you're constrained to use the same source IP address mapping for a given external destination IP, then you cannot at the same time use all the available space of allocatable addresses for this given external destination IP, as you suggest in this issue?

Probably best discussed over diagrams during a call, anyway.

Yeah, I don't get it ;-)