Home page logo

nanog logo nanog mailing list archives

Re: NAT for an ISP
From: Andy Dills <andy () xecu net>
Date: Wed, 4 Jun 2003 19:24:29 -0400 (EDT)

On Wed, 4 Jun 2003, Dan Armstrong wrote:

More stuff to manage if we push it out to the CPE.

I know this is mean to say, but most customers are STUPID and keeping it
centralized reduces our support load.  Give them enough rope, they hang
themselves.  We used to do lots more on the CPE, but between bad power
supplies, lost passwords, software upgrades, "power users",  etc. we find our
time is better spent managing it all centrally.

Well, wait. You either manage their router or you don't. I'm not
following...so in your new setup where YOUR routers manage NAT, you now
refuse to fix a problem on the CPE? If you manage the router, so they
don't get a password, then do NAT there, at the CPE. If you don't manage
the router, not having NAT on the CPE does nothing for you anyway, you
still have the issue of stupid users breaking things.

Also, customers might exist in several locations, we can give them the same
1918 network in all locations, run NAT for them, do VPNs for them, bring
L2TP DSL into the fray, and only bill them for traffic that goes "out to the
Internet" quite easily.

Why would you want to only bill them for the egress bandwidth? You should
be finding reasons to make that impossible, not the other way around. You
running a non-profit over there? You seem to assume a network with a
single NOC...I don't want to pay to backhaul Joe's file and print sharing
between states so that he won't have to.

As for the other reasons, still not convinced. This isn't as whacky as the
guy who runs his entire ISP behind a NAT box, but I still don't see what
efficiency you've created. The things you mention could be solved in other

(apologies to vendors watching) but I really think this "push intelligence
out to the edge" concept is entirely vendor invented to sell more stuff.
There are more edge devices than core devices.....

How do you figure? The customer needs a router, period. Whether or not you
do NAT on your router or their router should be a function of how much
other stuff your router does.

If the customer needs a router regardless, there are no more devices being

If you have to fix CPE problems unrelated to NAT _anyway_, why create
potential problems at your edge (let's set ourselves up for a multi-day
outage for most of our high-margin customers!) by doing the NAT for them,
when you could push that to their router?

Hell, unless there is a DOS underway, we make our customers filter there
own packets too. Why? That's the way it should be done.

I'll repeat your last sentence: "There are more edge devices than core
devices"...yes, and more CPEs than edge devices. That's hierarchy at
work...the point is that "work" (anything other than forwarding packets)
must be pushed as far away from the core as possible.

Furthermore, there's a general principle of "easy to manage, easy to
break" at work here. Implement NAT in one box, if NAT breaks, every single
customer attached dies. Implement NAT in one box for each customer, and if
NAT breaks, a single customer dies.


Andy Dills
Xecunet, Inc.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]