nanog mailing list archives

Re: IPv6 woes - RFC

From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 23 Sep 2021 22:06:45 -0400

On Thu, Sep 23, 2021 at 4:13 PM Baldur Norddahl <baldur.norddahl () gmail com>
wrote:



On Thu, 23 Sept 2021 at 21:48, Christopher Morrow <morrowc.lists () gmail com>
wrote:

This sounds like very naive nat state management behavior.
Ideally, you'd  be able to maintain state of:
original-src/dst/ports/proto -> in-interface/external ip/port/proto


What you describe is called symmetric NAT and is the kind which has the
highest impact on customers. Many NAT traversal techniques fail to work
with this type of NAT. STUN does not work with symmetric NAT.

why. (does stun/etc not work, I mean)
Is the answer: "Because to do it right you need an ALG and that's more
costly/problematic."
or is the answer some other thing?

You purposely want a lesser NAT type which makes NAT traversal easy. This
enables more applications to function despite the NAT. Almost every CPE
avoids symmetric NAT for one of the lesser types for this reason.

unless some internal/original src is double using port/proto ... you
should really
have the ability to nat quite a large number of things to a single ipv4
address.


There is no point in optimizing your customer per public CGN IP address
ratio and multiple reasons for not doing so. At some point you will
experience attacks on the CGN address or blacklisting in online games and
so on. Having less customers affected each time that happens is better.

Sorry, my point wasn't: "Oh you should just 1 address!"
For many reasons that's crazy sauce.

I was just pointing out that you'd be ABLE TO, if you wanted, sure more ips
is better though.
mostly the '100 ports per backend address' isn't really correct, if you are
smarter in the nat state management.

In our network approximately 10% of new customers signed up within the last

year have asked to escape the CGN and get a public IP. This means I need
100 IPv4 addresses per 1000 new customers. Plus 4 IPv4 addresses for the
CGN server. What difference would it make if we could optimize those 4
addresses to be just 2 or maybe 1? What if it caused just a couple more
customers to request a public IP address because they got annoyed by a more
restrictive NAT or by failed sessions?

Regards,

Baldur

Current thread:

Re: IPv6 woes - RFC, (continued)
- - - Re: IPv6 woes - RFC Masataka Ohta (Sep 22)
    - Re: IPv6 woes - RFC Baldur Norddahl (Sep 22)
    - Re: IPv6 woes - RFC Colton Conor (Sep 22)
    - Re: IPv6 woes - RFC Mark Andrews (Sep 22)
    - Re: IPv6 woes - RFC Colton Conor (Sep 23)
    - Re: IPv6 woes - RFC Eric Kuhnke (Sep 23)
    - Re: IPv6 woes - RFC Mark Andrews (Sep 23)
    - Re: IPv6 woes - RFC Baldur Norddahl (Sep 23)
    - Re: IPv6 woes - RFC Christopher Morrow (Sep 23)
    - Re: IPv6 woes - RFC Baldur Norddahl (Sep 23)
    - Re: IPv6 woes - RFC Christopher Morrow (Sep 23)
    - Re: IPv6 woes - RFC Owen DeLong via NANOG (Sep 22)
    - Re: IPv6 woes - RFC Bjørn Mork (Sep 23)
    - Re: IPv6 woes - RFC Owen DeLong via NANOG (Sep 23)
    - Re: IPv6 woes - RFC Brian Johnson (Sep 23)
    - Re: IPv6 woes - RFC Owen DeLong via NANOG (Sep 23)
    - Re: IPv6 woes - RFC Brian Johnson (Sep 23)
    - Re: IPv6 woes - RFC Owen DeLong via NANOG (Sep 23)
    - Re: IPv6 woes - RFC John Levine (Sep 23)
    - Re: IPv6 woes - RFC Joe Maimon (Sep 23)
    - Re: IPv6 woes - RFC Owen DeLong via NANOG (Sep 23)

(Thread continues...)