[45359] in North American Network Operators' Group


Re: SlashDot: "Comcast Gunning for NAT Users"

daemon@ATHENA.MIT.EDU (David Charlap)
Thu Jan 31 16:46:48 2002

Message-ID: <3C59BADB.AAEA69E9@marconi.com>
Date: Thu, 31 Jan 2002 16:44:59 -0500
From: David Charlap <David.Charlap@marconi.com>
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Keith Woodworth wrote:
> 
> From a technical standpoint how does one detect NAT users over the
> network?

You can't deterministically do so, but there are some telltale signs. 
NAT implementations (at least the ones I've seen) tend to choose very
large port numbers (above 30,000) for the ports that they generate.

Of course, this can happen without NAT.  And it is possible to write NAT
stacks that choose low-numbered ports (it's trivially easy to make this
change in the Linux IPMASQ code, for instance.)

Anybody who tries to detect NAT through these kinds of heuristic methods
will end up with a lot of false positives and false negatives.  And if
it becomes a problem, the NAT implementors will simply alter their code
to make it impossible to distinguish from a single host's traffic.

-- David
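As an added example (not part of David's message or the NANOG thread): the high-source-port heuristic he describes, scored over constructed flow records, showing the false positive and false negative he warns about. Host roles and addresses are assumed for illustration.

```python
"""Added example, not from the original thread: score hosts by the
'source port above 30,000' NAT heuristic and show why it is unreliable.
The flow records and host roles below are constructed, not real traffic."""
from collections import defaultdict

HIGH_PORT = 30000  # threshold named in the message

# Constructed flow records: "src_ip src_port dst_ip dst_port".
# 10.0.0.1: single host using a Linux-style ephemeral range (32768+).
# 10.0.0.2: NAT gateway picking high ports, as the message describes.
# 10.0.0.3: NAT gateway patched to allocate low ports (as the message
#           notes is trivial), so it looks like an old single host.
FLOWS = """\
10.0.0.1 32771 198.51.100.10 80
10.0.0.1 32772 198.51.100.11 443
10.0.0.1 32773 198.51.100.12 80
10.0.0.2 61001 198.51.100.10 80
10.0.0.2 61002 198.51.100.13 443
10.0.0.2 61003 198.51.100.11 80
10.0.0.3 1025 198.51.100.10 80
10.0.0.3 1026 198.51.100.11 443
10.0.0.3 1027 198.51.100.12 80
"""


def parse_flows(text):
    """Parse the constructed records into (src, sport, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport = line.split()
            flows.append((src, int(sport), dst, int(dport)))
    return flows


def high_port_ratio(flows):
    """Per source IP: fraction of source ports above HIGH_PORT."""
    high, total = defaultdict(int), defaultdict(int)
    for src, sport, _, _ in flows:
        total[src] += 1
        if sport > HIGH_PORT:
            high[src] += 1
    return {src: high[src] / total[src] for src in total}


def flag_nat(ratios, threshold=0.9):
    """The heuristic itself: flag a host when nearly all ports are high.
    The plain host and the NAT box score identically (false positive);
    the low-port NAT box is missed entirely (false negative)."""
    return {src: ratio >= threshold for src, ratio in ratios.items()}
```

Running `flag_nat(high_port_ratio(parse_flows(FLOWS)))` flags 10.0.0.1 and 10.0.0.2 alike and clears 10.0.0.3, which is exactly the outcome the message predicts for port-based heuristics.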
