Home page logo
/

nanog logo nanog mailing list archives

Re: couple of questions regarding 'lifeline' and large scale nat...
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Sat, 11 Feb 2012 09:19:46 +0900

Leo Bicknell wrote:

UPNP, NAT-PMP, the ability to enter static bypasses (DMZ's, NAT
passthrough), combined with the problems of some applications that
make thousands of TCP connections in a short order eating up ports
makes it a nightmare to manage and debug.

The applications can simply be debugged to use socket option
of REUSEPORT.

I pointed it out so along with static port mapping at the last
meeting in "Track: IPv4 runout, Doing More with Less".

Of course, if they are
doing illegal things you'd better keep some detailed records of who did
what when a LEO comes knocking.

Are you saying we MUST record all the IP addresses and
port numbers of all peers of your customers to prevent
illegal things?

If so, we have to do so, even if you are not using NAT,
I'm afraid.

If not and we only have to have information on which
port is used by which customer, static port mapping
is just fine.

Anyway, developers of virus software will be quite
cooperative to use REUSEPORT, to hide symptoms that
the virus software is installed.

The key to a low cost service is making it as low cost as possible,
moving the NAT inside the carrier will had a huge amount of headache and
support costs, not what you want.

Use NAT with static port mapping (and same port numbers are used
in and out), there is no headache and support cost caused by NAT.

A possibly relevant question with IPv4 exhaustion coming is could you
make this service IPv6 only so you don't have to find IPv4 addresses for
it.

IPv6 means considerably more amount of headache and
support costs than using NAT cleverly and simply.

                                                Masataka Ohta


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault