[144284] in North American Network Operators' Group
RE: NAT444 or ?
daemon@ATHENA.MIT.EDU (Leigh Porter)
Wed Sep 7 16:04:49 2011
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: Seth Mos <seth.mos@dds.nl>, NANOG <nanog@nanog.org>
Date: Wed, 7 Sep 2011 20:05:08 +0000
In-Reply-To: <7315DFDF-C5D2-4894-8980-F3E44C355D28@dds.nl>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: Seth Mos [mailto:seth.mos@dds.nl]
> Sent: 07 September 2011 20:26
> To: NANOG
> Subject: Re: NAT444 or ?
>
> I think you have the numbers off, he started with 1000 users sharing
> the same IP, since you can only do 62k sessions or so and with a
> "normal" timeout on those sessions you ran into issues quickly.
>
> The summary is that with anything less than 20 TCP sessions per user
> simultaneously, Google Maps or Earth was problematic. From 15 and
> downwards, almost unusable.
>
> He deducted from testing that about 10 users per IP was a more
> realistic limit without taking out the entire CGN "experience".
>
> On a personal note, this isn't even taking into question things like
> broken virus scanners or other software updates that will happily try
> to do 5 sessions per second, or an MSN client lost trying to do 10 per
> second, the most the Windows IP stack will allow on client versions.
>
> The real big issue that will be the downfall of NAT444 is the issue
> with ACLs and automatic blocklists and the loss of granular access
> control on that which the ISP has no control of. Which roughly
> estimates to the internet.
>
> Regards,
>
> Seth
I was thinking of an average of around 100 sessions per user for working out how things scale to start with. It would also be handy to be able to apply sensible limits to new sessions, say limit the number of sessions to a single destination IP address and apply an overall session limit of perhaps 200 sessions per source IP address.

ACLs and blocklists are going to be a problem; perhaps, as LSN becomes more and more common, such things will gradually die out.

Considering that offices, schools etc. regularly have far more than 10 users per IP, I think this limit is a little low. I've happily had around 300 per public IP address on a large WiFi network. Granted, these are all different kinds of users; it is just something that operational experience will have to demonstrate.

I would love to avoid NAT444, but I do not see a viable way around it at the moment. Unless the Department of Work and Pensions release their /8, that is ;-)
--
Leigh
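The two limits Leigh proposes above (an overall cap per subscriber source IP and a cap on sessions to any single destination), together with the "62k sessions or so" per public IP that Seth mentions, can be modelled as a small session table. The following is an added example written for this archive page, not code from either poster or from any CGN vendor; the class name, the port budget of 65535 minus 1024 reserved ports, the default limits and the sample subscriber addresses are all constructed assumptions. It shows that one misbehaving client (the "5 sessions per second" virus scanner case) is stopped at the per-subscriber cap instead of draining the shared port pool for everyone else, and it carries the users-per-public-IP arithmetic from the thread.

```python
"""Toy model of an LSN / NAT444 session table for one public IPv4 address.

Added example for the NANOG thread above; all names and numbers are
constructed assumptions, not any vendor's or poster's implementation.
"""
from collections import defaultdict

# Assumption: one public IP offers the ephemeral range 1024-65535, i.e. the
# "62k sessions or so" Seth refers to (exact figure: 64511 ports).
EPHEMERAL_PORTS = 65535 - 1024


class PublicIpSessionTable:
    """Session admission for a single public IP behind a CGN.

    per_source_limit      - Leigh's overall cap per subscriber (inside) IP.
    per_destination_limit - Leigh's cap on sessions from one subscriber to a
                            single destination IP.
    port_budget           - translated ports available on this public IP.
    """

    def __init__(self, per_source_limit=200, per_destination_limit=50,
                 port_budget=EPHEMERAL_PORTS):
        self.per_source_limit = per_source_limit
        self.per_destination_limit = per_destination_limit
        self.port_budget = port_budget
        self.by_source = defaultdict(int)        # inside IP -> active sessions
        self.by_source_dest = defaultdict(int)   # (inside, dest) -> active
        self.active = 0                          # ports in use on this public IP

    def open_session(self, src, dst):
        """Admit a new session or return the reason it was refused."""
        if self.active >= self.port_budget:
            return "port-exhausted"
        if self.by_source[src] >= self.per_source_limit:
            return "source-limit"
        if self.by_source_dest[(src, dst)] >= self.per_destination_limit:
            return "destination-limit"
        self.by_source[src] += 1
        self.by_source_dest[(src, dst)] += 1
        self.active += 1
        return "ok"

    def close_session(self, src, dst):
        """Release a session (e.g. on FIN/RST or idle timeout)."""
        if self.by_source_dest[(src, dst)] == 0:
            return False
        self.by_source_dest[(src, dst)] -= 1
        self.by_source[src] -= 1
        self.active -= 1
        return True


def subscribers_per_public_ip(avg_sessions_per_user, port_budget=EPHEMERAL_PORTS):
    """Planning figure: how many subscribers one public IP supports at a
    given average session count (Leigh's 100/user, Seth's 20/user, ...)."""
    return port_budget // avg_sessions_per_user


def runaway_client_demo(sessions_attempted=10_000):
    """Constructed scenario: subscriber 10.0.0.5 behaves like the broken
    virus scanner Seth describes and opens sessions to many destinations
    without closing them, while 10.0.0.6 then tries to use the same public IP.

    Returns (admitted_for_runaway, refused_for_runaway, result_for_neighbour).
    """
    table = PublicIpSessionTable()
    admitted = refused = 0
    for i in range(sessions_attempted):
        # spread across destinations so only the per-source cap applies
        dst = f"198.51.100.{i % 250}"
        if table.open_session("10.0.0.5", dst) == "ok":
            admitted += 1
        else:
            refused += 1
    neighbour = table.open_session("10.0.0.6", "203.0.113.10")
    return admitted, refused, neighbour


if __name__ == "__main__":
    print("users/public IP at 100 sessions each:", subscribers_per_public_ip(100))
    print("users/public IP at 20 sessions each:", subscribers_per_public_ip(20))
    print("runaway client demo:", runaway_client_demo())
```

Without the per-source cap the runaway client in `runaway_client_demo` would take 10,000 of the 64,511 ports by itself; with it, the neighbour's first session is still admitted. The planning figure is deliberately crude: it ignores idle timeouts, UDP, and the port-parity and port-range constraints real CGNs impose, which is exactly the "operational experience" Leigh says has to settle the question.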