Re: Typical additional latency for CGN?

[Mark Andrews <marka () isc org>]

In message <Pine.LNX.4.61.1210100920590.26706 () soloth lewis org>, Jon Lewis writ
es:
> I just spent a few minutes looking into this again, and figured out the 
> problem.  AT&T has apparently changed the way their CGN works.  I use a 
> form of port knocking to restrict access to SSHd from "foreign" networks. 
> It used to work fine from my phone.  Now, the port knocking request from 
> the phone and the ssh connection are being NAT'd to different public IPs, 
> so my system is allowing ssh access to one AT&T IP, and then the ssh 
> connection comes from a nearby but different IP.

Which is a badly designed CGN.  I turns singly homed clients into
multi-homed client where the client has no control over the source
address selection. At least with real multi-homed clients they have
the ability to force source addresses to match.

> On Wed, 10 Oct 2012, Owen DeLong wrote:
>
> > The day before I left the US, it was still working on my iPad.
> >
> > Owen
> >
> > On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdeesha () gmail com> wrote:
> >
> > > On 10/7/2012 9:22 PM, Jon Lewis wrote:
> > > > has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) con
> nections?
> > > Not here, have an SSH session open on my phone on port 22 as we speak. I'm
>  on an android on ATT's 3G network in central indiana, if that matters.
> > > --
> > > Jon Sands
> > > Fohdeesha Media
> > > http://fohdeesha.com/
>
> ----------------------------------------------------------------------
>   Jon Lewis, MCP :)           |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org