IP masquerading, what if the router runs out of ports? - networking

I have recently discovered ip masquerading.
My question is simple: if routers actually map host ports to their own ports, what if they run out of ports? Suppose the network has 4 hosts on IPs 192.168.0.{2,3,4,5}, each using 20000 ports; how does a router map 80000 ports to its 65000?
Although I couldn't find any information on this, I am guessing masquerading occurs on traffic only, thus there shouldn't be 20k ports to map per host, but why not? I can't figure it out.

It depends what you mean by 'using 20000 ports'. If you had an application which was listening on 20000 ports on each of 192.168.0.{2,3,4,5} (perhaps allocating the external mapping dynamically using UPnP), it would exhaust the available ports eventually. It's possible that a quota would prevent anywhere near 65000 being allocated. See https://www.rfc-editor.org/rfc/rfc6887#section-17.2
However, you are probably talking about connections out from 192.168.0.{2,3,4,5} to the wider Internet. In this case, no ~65000 limit would apply because a socket is defined based on the {source ip, source port, dest ip, dest port}. N.B. It's possible to open more than ~65000 sockets from a single server (assuming the OS is so configured), and therefore it's also possible, in theory, to do so with IP masquerading.
A more comprehensive answer is here:
https://serverfault.com/questions/541699/nat-gateway-maximum-connection-limit

Related

how to find the maximum of simultaneous TCP connections supportable by a system?

I was wondering, assuming an address system translation which uses a public address in order to offer Internet access to 15 computers, how could I find the maximum number of simultaneous TCP connections supportable by this system, please?
I am a beginner with networking and not able to find an answer to that, although I was thinking: a TCP connection can handle 65535 simultaneous connections, and since there are 15 computers I get 65535/15 = 4369. Is that correct?
Thanks a lot in advance
The thing you called "address system translation" is usually named NAT (Network Address Translation), done by devices such as routers.
A network connection is identified by a tuple of five elements: Source IP, Source Port, Destination IP, Destination Port, and Protocol. So the limit on the number of connections is decided by these elements.
You said 65536 connections; this is the limitation of ports.
For a circumstance like the one you described, 1 router with 1 external IP, for every one of the 15 PCs inside the NAT LAN, the situation is:
Source IP is the router's external IP
Source Port has at most 65536 choices
Destination IP is limited by the IPv4 or IPv6 address length
Destination Port is limited by 65536
Protocol can choose TCP/UDP
So you can see, in theory we can have millions of connections for every PC. But the thing is that we need to consider the limitations of hardware, OS and virtual memory, so we can't have so many.
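Both answers above (the masquerading one and the 15-PC one) rest on the same fact: a NAT entry is keyed on the whole tuple, not on the external port alone. The following is an added example, not code from either post, that models a toy masquerading table with that keying. Addresses, the 1024-65535 external port policy and the destination counts are constructed values, not taken from any real router. It shows that the 4 hosts x 20000 flows from the first question (80000 flows through one WAN IP) fit easily when destinations differ, and that the pool is only exhausted when every flow targets the same protocol, destination IP and destination port. It also shows why dividing 65535 by the number of PCs, as the second question tried, is not the right model: the pool is per destination, not per PC.

```python
from collections import defaultdict
from dataclasses import dataclass

EXT_IP = "203.0.113.1"                 # constructed WAN address (RFC 5737 documentation range)
EPHEMERAL_PORTS = range(1024, 65536)   # constructed policy: 64512 external ports per destination


class PortExhausted(Exception):
    """Raised when no external port is left for one (proto, dst_ip, dst_port)."""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradeTable:
    """Toy masquerading table. The external port pool is reused per
    (proto, dst_ip, dst_port): a reply packet is matched on the full tuple
    {proto, ext_ip, ext_port, dst_ip, dst_port}, so the same external port
    can serve many inside flows as long as their destinations differ."""

    def __init__(self):
        self._used = defaultdict(set)    # destination key -> external ports handed out
        self._cursor = defaultdict(int)  # destination key -> index of next port to try
        self._map = {}                   # inside Flow -> external port
        self._rev = {}                   # (proto, ext_ip, ext_port, dst_ip, dst_port) -> Flow

    def __len__(self):
        return len(self._map)

    def external_tuples(self):
        """Number of distinct external 5-tuples, i.e. entries a reply can match."""
        return len(self._rev)

    def translate(self, flow):
        """Return the external port for an inside flow, allocating on first sight."""
        if flow in self._map:
            return self._map[flow]
        key = (flow.proto, flow.dst_ip, flow.dst_port)
        used = self._used[key]
        if len(used) >= len(EPHEMERAL_PORTS):
            raise PortExhausted(f"no free external port left for {key}")
        idx = self._cursor[key]
        while EPHEMERAL_PORTS[idx] in used:           # skip ports still mapped
            idx = (idx + 1) % len(EPHEMERAL_PORTS)
        port = EPHEMERAL_PORTS[idx]
        used.add(port)
        self._cursor[key] = (idx + 1) % len(EPHEMERAL_PORTS)
        self._map[flow] = port
        self._rev[(flow.proto, EXT_IP, port, flow.dst_ip, flow.dst_port)] = flow
        return port

    def reverse(self, proto, ext_ip, ext_port, dst_ip, dst_port):
        """Map a returning packet back to its inside flow (None if unknown)."""
        return self._rev.get((proto, ext_ip, ext_port, dst_ip, dst_port))


def demo_spread_destinations(hosts=4, flows_per_host=20000, destinations=50):
    """First question's scenario: 4 LAN hosts x 20000 flows = 80000 flows through
    one WAN IP, spread over 50 constructed destination servers on port 443.
    Returns (flows mapped, distinct external tuples); both are 80000."""
    table = MasqueradeTable()
    for h in range(hosts):
        for i in range(flows_per_host):
            table.translate(Flow("tcp", f"192.168.0.{2 + h}", 1024 + i,
                                 f"198.51.100.{i % destinations}", 443))
    return len(table), table.external_tuples()


def demo_same_destination(flows=70000):
    """Worst case: every flow goes to the same (tcp, 198.51.100.7, 443), so one
    per-destination pool is the real limit. Returns how many flows were mapped
    before PortExhausted: 64512, the pool size, well under 70000."""
    table = MasqueradeTable()
    mapped = 0
    for i in range(flows):
        flow = Flow("tcp", f"192.168.0.{2 + i // 20000}", 1024 + i % 20000,
                    "198.51.100.7", 443)
        try:
            table.translate(flow)
        except PortExhausted:
            break
        mapped += 1
    return mapped


if __name__ == "__main__":
    print("spread over 50 destinations:", demo_spread_destinations())
    print("all to one destination, mapped before exhaustion:", demo_same_destination())
```

The per-destination reuse is the whole point: the router only needs ext_port to be unique among flows that share the same protocol and remote ip:port, because that is what the reply packet carries back. A real conntrack table also ages entries out and applies the port-preserving and randomisation policies the RFC section linked above discusses; this toy omits both.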

Port number concepts?

I am trying to understand the concept of port number. As much as I know it identifies a specific process or a network service.
Can anyone give me a real life example. So, it could be easier to understand.
Some doubts that I currently have-
I heard, there are 65536 ports. Does, that mean, a system can identify 65536 processes simultaneously?
I have seen that some ports are reserved for some specific service. So, does it mean, it can't be used for any other service?
What is the command to know which port numbers are free or to use?
What is the command to know which port numbers are not free and what are they used for?
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
If possible please share a link. I am currently getting confused with too much technical theory. Thank you!!!
I heard, there are 65536 ports.
You heard wrong. There are 65535: 1 .. 65535. Zero is not a valid port number.
Does, that mean, a system can identify 65536 processes simultaneously?
It means a system can identify 65535 ports simultaneously.
I have seen that some ports are reserved for some specific service. So, does it mean, it can't be used for any other service?
That is the meaning of the word 'reserved'.
What is the command to know which port numbers are free or to use?
It isn't a command. It is either a search at the IETF website for reserved ports or the use of the number zero, which means the next available port.
What is the command to know which port numbers are not free and what are they used for?
It isn't necessarily a command. It is a search at the IETF website for reserved ports, or the netstat command for ports actively in use on the localhost.
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
The port number that you're trying to connect to in the remote system.
Here is more clarification:
I heard, there are 65536 ports.
A port is 16 bits, i.e. 2^16 = 65536, so that is right.
"Port Zero does not officially exist. It is defined as an invalid port number. But valid Internet packets can be formed and sent over the wire to and from port 0 just as with any other ports." https://www.grc.com/port_0.htm
Does, that mean, a system can identify 65536 processes simultaneously?
You do not care about a system, you care about an IP. For every IP you can use 65536 processes simultaneously.
I have seen that some ports are reserved for some specific service. So, does it mean, it can't be used for any other service?
Of course, otherwise there will be a port conflict.
What is the command to know which port numbers are free or to use?
Refer to my post here https://stackoverflow.com/a/54760498/2197108
Netstat: on Linux and Windows, displays connections and ports
What is the command to know which port numbers are not free and what are they used for?
It should be clear now.
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
Remote desktop asks for IP address of the remote machine. However, it may ask for user credentials of the remote machine.
In case it asks for IP and Port it means IP and Port of the remote desktop software (server) in the remote machine.
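The two answers above say the same two practical things in different words: binding to port number zero means "give me the next available port", and netstat is how you see which ports are already taken. The following is an added example, not code from either answer, showing both on localhost. The netstat output it parses is a constructed sample in the layout of `netstat -tln`-style output, not captured from a real machine; the only sockets it opens are bound to 127.0.0.1.

```python
import errno
import socket


def listen_on_ephemeral_port(host="127.0.0.1"):
    """Bind to port 0 ('the next available port'): the OS picks a free
    ephemeral port. Returns (listening socket, chosen port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def port_in_use(port, host="127.0.0.1"):
    """True when a bind to host:port fails with EADDRINUSE, i.e. the port
    conflict the second answer mentions; False when the bind succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


# Constructed sample in the layout of `netstat -tln`-style output; not captured
# from a real machine. Addresses are from the RFC 5737 documentation ranges.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:41234        198.51.100.5:443        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def listening_ports(netstat_output):
    """Parse netstat-style lines and return {port: (proto, local address)}
    for sockets in LISTEN state; ESTABLISHED rows are client-side ports and
    are skipped."""
    result = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[-1] != "LISTEN":
            continue
        proto, local = cols[0], cols[3]
        addr, port = local.rsplit(":", 1)     # rsplit copes with IPv6 ':::80'
        result[int(port)] = (proto, addr)
    return result


def demo():
    """Pick a free port, show it is then in use, release it, and show it is free again.
    Returns (port, busy while listening, busy after close)."""
    srv, port = listen_on_ephemeral_port()
    try:
        busy = port_in_use(port)
    finally:
        srv.close()
    return port, busy, port_in_use(port)


if __name__ == "__main__":
    print("ephemeral port, busy, busy after close:", demo())
    print("listening ports in sample:", listening_ports(NETSTAT_SAMPLE))
```

The `port_in_use` probe answers the question by attempting the very operation that would conflict; it is the same check a service performs implicitly at startup. Parsing netstat output is the portable way to answer "what is using that port" when you cannot bind yourself; the `-p` style columns that name the owning process need elevated privileges on most systems and are not in the sample.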

Emulate UDP/TCP/IP connections of 40,000 or more

I need to simulate a massive amount of TCP/IP ethernet traffic. For example, I want to simulate the environment that an ISP has where there might be 40,000 different IP addresses sending TCP/UDP IP traffic to different remote hosts. This is my ideal setup:
Traffic generator - > the device I want to test (one inbound interface and one outbound interface) - > traffic receiver.
The device I want to test is a network traffic monitor/QOS appliance. It effectively sits 'in-line', one interface would be connected to the traffic generator and the other interface connected to the traffic receiver. This in-line interface is effectively a bridge and is not assigned an IP address. It can monitor & apply QOS rules on all traffic passing over that bridge interface.
Layer 4 control is important, so that I can set port numbers (80, 443, 22 etc). Layer 7 application information would be ideal as the device I am testing also does deep packet inspection.
Methods I have already tried include using iperf, but in order to simulate 40,000 IP addresses I would need to configure 40,000 virtual interfaces on both the traffic generator and the traffic receiver manually, and I have found that iperf is limited to about 1000 simultaneous connections (on my setup). I have also tried replaying large PCAP files, but then I do not have control over the packets to test QOS capabilities.
Other software/solutions I have looked into are:
http://mininet.org/ (can't handle the amount of connections I need).
ns-3
I am looking for someone to point me in the right direction. Thank you.
There are commercial products for this kind of thing, short of a home-brew setup with a combination of apache bench, siege, and tcpreplay (which would take significant effort to implement).
See www.spirent.com or www.ixiacom.com.

there is a limitation of client socket connection

I made a TCP/IP echo server using kqueue on a Unix (OS X) machine. It is designed to open 100 TCP/IP ports and accept 4000 clients per port. I made about 230,000 connections using 15 other machines (4000 connections per single process, and 4 processes per box).
It seems that the server could accept more than that, but the problem was the client side. There is a limit on making that many connections, such as Windows XP - 3000, Windows 7 & Unix - 16384.
Is the limitation right? Did I do something wrong? I want to make as many connections as I can on a single client, such as 500,000 / machine.
How could I overcome it?
You can configure multiple IPv4 addresses on the client machine. The process that runs on the client should receive the source IP address as a parameter and bind the connecting socket to it. So with 10 IP addresses you can easily reach 400000 connections.
I want to make as many connections as I can on a single client, such as 500,000 / machine.
You can't. A TCP connection is identified by the tuple {protocol, source address, source port, target address, target port}. Four of these five elements are fixed. The remaining element, source port, can only have 65535 distinct values at the most, as a port number has 16 bits and cannot be zero.
So your expectation of 500,000 connections to the same client is over-optimistic by a factor of about 10.

What is the theoretical maximum number of open TCP connections that a modern Linux box can have

Assuming infinite performance from hardware, can a Linux box support >65536 open TCP connections?
I understand that the number of ephemeral ports (<65536) limits the number of connections from one local IP to one port on one remote IP.
The tuple (local ip, local port, remote ip, remote port) is what uniquely defines a TCP connection; does this imply that more than 65K connections can be supported if more than one of these parameters is free, e.g. connections to a single port number on multiple remote hosts from multiple local IPs?
Is there another 16 bit limit in the system? Number of file descriptors perhaps?
A single listening port can accept more than one connection simultaneously.
There is a '64K' limit that is often cited, but that is per client per server port, and needs clarifying.
Each TCP/IP packet has basically four fields for addressing. These are:
source_ip source_port destination_ip destination_port
<----- client ------> <--------- server ------------>
Inside the TCP stack, these four fields are used as a compound key to match up packets to connections (e.g. file descriptors).
If a client has many connections to the same port on the same destination, then three of those fields will be the same - only source_port varies to differentiate the different connections. Ports are 16-bit numbers, therefore the maximum number of connections any given client can have to any given host port is 64K.
However, multiple clients can each have up to 64K connections to some server's port, and if the server has multiple ports or either is multi-homed then you can multiply that further.
So the real limit is file descriptors. Each individual socket connection is given a file descriptor, so the limit is really the number of file descriptors that the system has been configured to allow and resources to handle. The maximum limit is typically up over 300K, but is configurable e.g. with sysctl.
The realistic limits being boasted about for normal boxes are around 80K, for example for single-threaded Jabber messaging servers.
If you are thinking of running a server and trying to decide how many connections can be served from one machine, you may want to read about the C10k problem and the potential problems involved in serving lots of clients simultaneously.
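The answer above makes two claims a practitioner can check directly: a single listening port accepts many simultaneous connections that differ only in the client's source port (the same point the 500,000-connections answer earlier makes about the fixed four of five tuple elements), and the practical ceiling is the file-descriptor limit rather than a port count. The following is an added example, not code from the answer; it opens a small number of loopback connections to one listening port, reports how the tuples differ, and reads this process's RLIMIT_NOFILE to compare the two bounds. The `connection_ceiling` helper and its `reserved_fds` parameter are assumptions for illustration (a real server has more descriptors in use than stdin/stdout/stderr).

```python
import resource
import socket


def open_many(n=50, host="127.0.0.1"):
    """Open n client connections to one listening port and accept them all.
    Returns counts showing every accepted connection is a distinct
    (src ip, src port, dst ip, dst port) tuple that differs only in the
    client's source port; the listening port is the same for all of them."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))            # ephemeral listening port, picked by the OS
    server.listen(n)
    port = server.getsockname()[1]
    clients, accepted = [], []
    try:
        for _ in range(n):
            clients.append(socket.create_connection((host, port)))
            conn, _ = server.accept()
            accepted.append(conn)
        tuples = {(c.getpeername(), c.getsockname()) for c in accepted}
        return {
            "connections": len(accepted),
            "distinct_tuples": len(tuples),
            "distinct_src_ports": len({c.getpeername()[1] for c in accepted}),
            "distinct_dst_ports": len({c.getsockname()[1] for c in accepted}),
        }
    finally:
        for s in clients + accepted + [server]:
            s.close()


def fd_limit():
    """(soft, hard) RLIMIT_NOFILE for this process. Each socket is one
    descriptor, so the soft limit is the ceiling until raised with ulimit
    or the sysctl knobs the answer mentions."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def connection_ceiling(local_ips, remote_endpoints, reserved_fds=3):
    """Compare the tuple-space bound (65535 source ports per local IP per
    remote ip:port, as the answer derives) with the descriptor bound.
    Returns (effective ceiling, tuple bound, descriptor bound)."""
    tuple_bound = local_ips * remote_endpoints * 65535
    soft, _ = fd_limit()
    fd_bound = max(soft - reserved_fds, 0)   # assumption: 3 descriptors already taken
    return min(tuple_bound, fd_bound), tuple_bound, fd_bound


if __name__ == "__main__":
    print("loopback connections:", open_many())
    print("RLIMIT_NOFILE (soft, hard):", fd_limit())
    print("one local IP, one remote ip:port:", connection_ceiling(1, 1))
    print("four local IPs, ten remote ip:ports:", connection_ceiling(4, 10))
```

With one local IP and one remote endpoint the tuple bound is 65535, and on a default shell (soft limit 1024) the descriptor bound is what actually stops you, roughly sixty times earlier. Multiplying local IPs or remote endpoints raises only the tuple bound; the descriptor bound moves only when the limit is raised, which is the answer's point.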
If you used a raw socket (SOCK_RAW) and re-implemented TCP in userland, I think the answer is limited in this case only by the number of (local address, source port, destination address, destination port) tuples (~2^64 per local address).
It would of course take a lot of memory to keep the state of all those connections, and I think you would have to set up some iptables rules to keep the kernel TCP stack from getting upset and/or responding on your behalf.
