[159711] in North American Network Operators' Group


Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 18 13:27:56 2013

In-Reply-To: <CAP-guGUO9f0R0NFsSTE6ewiAHvhRUs6F6b+Whx9SeaaKyr3aHg@mail.gmail.com>
From: Owen DeLong <owen@delong.com>
Date: Fri, 18 Jan 2013 08:24:39 -1000
To: William Herrin <bill@herrin.us>
Cc: North American Network Operators' Group <nanog@nanog.org>



Sent from my iPad

On Jan 18, 2013, at 8:06 AM, William Herrin <bill@herrin.us> wrote:

> On Fri, Jan 18, 2013 at 12:20 PM, Lee Howard <Lee@asgard.org> wrote:
>> On 1/17/13 6:21 PM, "William Herrin" <bill@herrin.us> wrote:
>>> Then it's a firewall that mildly enhances protection by obstructing
>>> 90% of the port scanning attacks which happen against your computer.
>>> It's a free country so you're welcome to believe that the presence or
>>> absence of NAT has no impact on the probability of a given machine
>>> being compromised. Of course, you're also welcome to join the flat
>>> earth society. As for me, the causative relationship between the rise
>>> of the "DSL router" implementing negligible security except NAT and
>>> the fall of port scanning as a credible attack vector seems blatant
>>> enough.
>>
>> CGNs are not identical to home NAT functionality.
>
> Didn't say they were. What I said was that claiming NAT has no
> security impact was false on its face.
>

Even I have never claimed that. I think everyone pretty well understands at this point just how injurious NAT is to actual security.
> CGNs are most certainly not full cone NATs. Full cone NATs guarantee
> that any traffic which arrives at the external address is mapped to
> the internal address at the same port, functionality which requires a
> 1:1 mapping between external addresses and active internal addresses.
> Were they full-cone, with a 1:1 IP address mapping, CGNs would be
> completely useless for the stated purpose of reducing consumption of
> global addresses.
>
> I'm given to understand that they do try to restrict a given internal
> address to emitting packets on a particular range of ports on a
> particular external address but that's functionality on top of a
> restricted-port cone NAT, not a fundamentally different kind of NAT.
>
Actually, as I understand it, it's a hybrid. It's full cone (sort of) in that any packet that arrives within the port range will be translated to the corresponding internal address. It's restricted cone in that it's a port range instead of all ports. I'm not sure how the interior device is constrained to emitting only within the port range unless they are customizing all of the CPE in order to support that.

>>> I assume that fewer than 1 in 10 eyeballs would find Internet service
>>> behind a NAT unsatisfactory. Eyeballs are the consumers of content,
>>> the modem, cable modem, residential DSL customers. Some few of them
>>> are running game servers, web servers, etc. but 9 in 10 are the email,
>>> vonage and netflix variety who are basically not impacted by NAT.
>>
>> Netflix seems to have some funny interactions with some gateways and CGN.
>> [nat444-impacts]
>
> Some NATs have serious bugs that aren't obvious until you try to stack them.
>

Which in itself is a pretty strong argument against CGN.

>> What about p2p?
>
> If it worked with CGNs there'd be a whole lot less than 1 in 10 folks
> needing to opt out.
>

So you are assuming <10% of the internet currently uses any p2p technology? Interesting.

>> You're going with linear growth?  See nro.net/statistics.
>
> I'm guessing sublinear given the major backpressure from having to
> purchase or transfer IP addresses from other uses instead of getting
> fresh ones from a registry but the evidence isn't in yet so I'll
> conservatively estimate it at linear.

I don't think that backpressure really works against having new subscribers or towards reducing churn in the market place where there is competition. As such, I don't see how that would apply.

>>> Is it more like 1 in 5 customers would cough up
>>> an extra $5 rather than use a NAT address? The nearest comparable
>>> would be your ratio of dynamic to static IP assignments. Does your
>>> data support that being higher than 1 in 10? I'd bet the broad data
>>> sets don't.
>>
>> If an ISP is so close to running out of addresses that they need CGN,
>> let's say they have 1 year of addresses remaining.  Given how many ports
>> apps use, recommendations are running to 10:1 user:address (but I could
>> well imagine that increasing to 50:1).  That means that for every user you
>> NAT, you get 1/10 of an address.
>=20
> So at 10:1 you get 9/10ths of an address back from each of the 9 in 10
> eyeballs who converts to NAT. At a more likely ratio of 30:1 you get
> 29/30ths back. I'd have to rerun my numbers but that shaves something
> on the order of 1 year off my 37 year estimate.

Actually, at 10:1, you get back 10/11ths, not 9/10ths.

However, if CGN's limitations pick up some bad press in the early days, that ratio may well convert to more like 1:10 where you get back 1/11th instead of 10/11ths. This all remains to be seen. Remember, the public will go much more with the emotional reaction to the first press accounts than it will go with rational or well thought out technical argument.


Owen
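The port-range CGN behaviour argued over in this thread (a fixed block of external ports per subscriber, and whether that block behaves like a full cone or a restricted cone), modelled as an added example. This is not code from any poster, from PlusNet, or from any CGN product; the block layout (one contiguous port block per subscriber on one external address, blocks handed out in subscriber order, ports below 1024 unused, leftover ports at the top of the range unused), the two filtering modes, the subscriber and external addresses (RFC 5737 documentation ranges) and the 10:1 ratio are all assumptions constructed for illustration. In this model the external address and port alone identify the subscriber, so a scan of one block lands on one household; the cone type decides whether a third party can reach an open mapping; and a port in a block with no active mapping is dropped, because the translator has no inside port to deliver it to.

```python
"""Model of a port-block (deterministic) carrier-grade NAT.

Added example for this archive page; not the code of any poster or
product. Layout, filtering modes and addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_MIN = 1024          # assumption: well-known ports are never handed out
PORT_MAX = 65535
Endpoint = Tuple[str, int]   # (address, port)


@dataclass
class PortBlockCGN:
    external_pool: list                          # external IPv4 addresses (strings)
    ratio: int                                   # subscribers per external address, e.g. 10 for 10:1
    filtering: str = "endpoint-independent"      # "endpoint-independent" (full cone) or
                                                 # "address-dependent" (restricted cone)
    subscribers: list = field(default_factory=list)
    active: Dict[Endpoint, Endpoint] = field(default_factory=dict)              # outside -> inside
    inside_to_outside: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # inside -> outside
    peers: Dict[Endpoint, Set[str]] = field(default_factory=dict)               # outside -> remote addrs seen

    def block_size(self) -> int:
        # Integer division: the few ports left over at the top of the range are unused.
        return (PORT_MAX - PORT_MIN + 1) // self.ratio

    def capacity(self) -> int:
        return len(self.external_pool) * self.ratio

    def add_subscriber(self, internal: str) -> Tuple[str, int, int]:
        """Assign the next block; each subscriber costs 1/ratio of an address."""
        if len(self.subscribers) >= self.capacity():
            raise RuntimeError("external pool exhausted at %d:1" % self.ratio)
        self.subscribers.append(internal)
        return self.block_for(internal)

    def block_for(self, internal: str) -> Tuple[str, int, int]:
        """(external address, first port, last port) for one subscriber."""
        idx = self.subscribers.index(internal)
        ext = self.external_pool[idx // self.ratio]
        first = PORT_MIN + (idx % self.ratio) * self.block_size()
        return ext, first, first + self.block_size() - 1

    def subscriber_for(self, ext: str, port: int) -> Optional[str]:
        """Reverse lookup from the outside: the block alone names the subscriber."""
        if ext not in self.external_pool or not PORT_MIN <= port <= PORT_MAX:
            return None
        idx = self.external_pool.index(ext) * self.ratio + (port - PORT_MIN) // self.block_size()
        return self.subscribers[idx] if idx < len(self.subscribers) else None

    def outbound(self, internal: str, src_port: int, remote: Endpoint) -> Endpoint:
        """Translate an outbound packet, reusing the mapping for the same inside socket."""
        key = (internal, src_port)
        if key in self.inside_to_outside:
            ext_ep = self.inside_to_outside[key]
        else:
            ext, first, last = self.block_for(internal)
            free = next((p for p in range(first, last + 1) if (ext, p) not in self.active), None)
            if free is None:
                raise RuntimeError("port block for %s exhausted" % internal)
            ext_ep = (ext, free)
            self.active[ext_ep] = key
            self.inside_to_outside[key] = ext_ep
        self.peers.setdefault(ext_ep, set()).add(remote[0])
        return ext_ep

    def inbound(self, ext_ep: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """Inside endpoint a packet is delivered to, or None if the CGN drops it."""
        inside = self.active.get(ext_ep)
        if inside is None:
            return None          # port may belong to a known subscriber, but there is no inside port to use
        if self.filtering == "address-dependent" and remote[0] not in self.peers[ext_ep]:
            return None          # restricted cone: only hosts the subscriber already contacted
        return inside            # full cone: anyone who finds the open port reaches the subscriber


def demo(filtering: str = "endpoint-independent"):
    """Constructed scenario: 12 subscribers on 2 addresses at 10:1; one opens a flow."""
    cgn = PortBlockCGN(["203.0.113.1", "203.0.113.2"], ratio=10, filtering=filtering)
    for i in range(12):
        cgn.add_subscriber("10.0.%d.2" % i)
    ext = cgn.outbound("10.0.1.2", 40000, ("198.51.100.7", 443))   # subscriber 1 talks to a server
    solicited = cgn.inbound(ext, ("198.51.100.7", 443))             # reply from that server
    unsolicited = cgn.inbound(ext, ("192.0.2.66", 12345))           # third party probes the same port
    return ext, solicited, unsolicited


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-dependent"):
        print(mode, demo(mode))
```

Run with both filtering modes to see the point of the cone-type argument: the solicited reply is delivered either way, while the probe from a third party is delivered only under endpoint-independent filtering. `subscriber_for()` shows the other side of deterministic port blocks: anyone who knows the layout can tell from an external address and port which subscriber a connection belongs to, without any state from the translator.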


