Home page logo

nanog logo nanog mailing list archives

Re: NAT for an ISP
From: Andy Dills <andy () xecu net>
Date: Wed, 4 Jun 2003 19:07:28 -0400 (EDT)

On Wed, 4 Jun 2003, David G. Andersen wrote:

On Wed, Jun 04, 2003 at 12:51:51PM -0700, Christopher J. Wolff quacked:


I would like to know if any service providers have built their access
networks out using private IP space.  It certainly would benefit the
global IP pool but it may adversely affect users with special
applications.  At any rate, it sounds like good fodder for a debate.

  I've got a friend who puts all of his internal servers,
routers, and _customers_ on RFC1918 space and pipes them out
thrugh a PNAT.  Fairly small ISP - maybe 15 megabits of bandwidth -
operating at the state local level.

Why on earth would they do this? What you've said implies DS3 level
connectivity, so to skimp on ARIN fees seems a little ridiculous.

It's an interesting setup.  Kind of fun.  The stateful pnat
functionality forces customers to specify exactly what inbound
services they want, which can't hurt security.

It doesn't help security any more than a standard firewall or filter
would. And even then, you'd have to retrain your customers to stick them
behind a firewall. Hell, even without filtering packets towards our
customers, I get three or four tickets a week escalated to me because some
user has been told by some other vendor that we must be filtering packets
because they couldn't get blah blah to work.

Every customer gets a /24 or greater, which helps convenience.

If you say so....

The customer can already achieve this by utilizing NAT themselves.
Convenience is impared by having customers who can't get VoIP, VPN or
Quake to work. Sure, that can be addressed, but this plan is not one with
convenience in mind.

On the other hand, everyone has a NAT in front of them, which means that
they get clients who would have probably been putting a NAT in front of
themselves anyway.  I probably wouldn't use that setup myself, but then
again, I subscribe to nanog...

Yeah, I read you loud and clear. "My friend is a half-baked cluebie using
techniques I'll term fun and later encourage my competitors to employ". :)

Using a technology because it's "possible" is the single stupidest
rationale, probably resulting in almost as much downtime as sheer


Andy Dills
Xecunet, Inc.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]