nanog mailing list archives

Re: couple of questions regarding 'lifeline' and large scale nat...
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Sat, 11 Feb 2012 17:19:57 +0900

Leo Bicknell wrote:

>> The applications can simply be debugged to use socket option
>> of REUSEPORT.
>
> "Simple" is subjective.

To "the problems of some applications that make thousands of
TCP connections in short order eating up ports makes it a
nightmare to manage and debug", I gave you an objectively
simple answer.

> Keep in mind many users will have a home
> gateway which also does NAT.  And indeed double NAT in the home (router
> doing NAT, third party device doing NAT) is depressingly common.

Double NAT does not make things worse, as long as "static
bypasses" exist, which is your assumption.

OTOH, the double NAT, some of which may or may not be IPv6 capable,
makes IPv6 deployment hard, if not impossible.

> That
> means some of the troubleshooting will be via a triple-NAT if the
> carrier is performing the conversion.

The carrier should have troubleshooting equipment within
its private network, which means troubleshooting over
the double NAT with IPv4 is much easier than with IPv6.

>> Are you saying we MUST record all the IP addresses and
>> port numbers of all peers of your customers to prevent
>> illegal things?
>
> If the carrier NATs, maybe.
>
> Today port information need not be stored, because an IP is assigned
> to a customer.

Wrong.

With your requirement to record IP addresses of peers, a carrier
must record port numbers of peers of its customers, if some
carriers of the peers use NAT.

Note that there already are carriers who use NAT.

Note also that recording peers' IPv4 addresses needs 4Bs,
recording peers' IPv4 addresses and port numbers needs 6Bs
and recording peers' IPv6 addresses needs 16Bs.

> Law enforcement can come request who was using an
> IP, and be given the customer information.  It's what everyone has
> come to expect.

That's completely different from recording information about peers
of your customer.

> Large operations tend to find that having a cost effective and staff
> time effective way to deal with law enforcement is very important.

True. And, see the double NAT example you mentioned.

>> IPv6 means considerably more headache and
>> support costs than using NAT cleverly and simply.
>
> When IPv4 addresses are selling for $100 an address that equation
> changes quickly.  That day may be only a few months or years off.

Sorry, are you seriously saying that paying $100 once for a
customer is so much of an expense for a carrier?

Even if so, the carrier should deploy NAT, because $100 is
paid only once for hundreds of customers.

Moreover, wide deployment of NAT will further reduce prices
of IPv4 addresses.


                                                Masataka Ohta

