[45362] in North American Network Operators' Group
Re: SlashDot: "Comcast Gunning for NAT Users"
daemon@ATHENA.MIT.EDU (Keith Woodworth)
Thu Jan 31 17:03:51 2002
Date: Thu, 31 Jan 2002 14:02:38 -0800 (PST)
From: Keith Woodworth <kwoody@citytel.net>
To: David Charlap <David.Charlap@marconi.com>
Cc: nanog@merit.edu
In-Reply-To: <3C59BADB.AAEA69E9@marconi.com>
Message-ID: <Pine.BSI.4.05L.10201311356290.4456-100000@gumby.citytel.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 31 Jan 2002, David Charlap wrote:
>
> Keith Woodworth wrote:
> >
> > From a technical standpoint how does one detect NAT users over the
> > network?
>
> You can't deterministically do so, but there are some telltale signs.
> NAT implementations (at least the ones I've seen) tend to choose very
> large port numbers (above 30,000) for the ports that they generate.
That was my understanding.
> Anybody who tries to detect NAT through these kinds of heuristic methods
> will end up with a lot of false positives and false negatives. And if
> it becomes a problem, the NAT implementors will simply alter their code
> to make it impossible to distinguish from a single host's traffic.
That's sort of what I thought. I've looked at some tcpdumps that came
from a FreeBSD machine doing NAT a while ago to see what was in the
packets exactly and I could not see how you could tell that box was doing
NAT really. But I'm not completely proficient in deciphering packets so I
may have missed something along the way.
Keith
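To illustrate the point made in the quoted text and the reply above, here is an added example (not code from the thread or from any NAT implementation) that runs the "high source port" heuristic over constructed flow records; the 30,000 threshold is the one quoted, the 90% flag ratio and the host behaviours in the sample data are assumptions.

```python
# Added example, not from the NANOG thread: a "high source port" NAT
# heuristic of the kind described, run over constructed flow records, to
# show how readily it yields both false positives and false negatives.
from collections import defaultdict

HIGH_PORT = 30000   # threshold quoted in the thread
FLAG_RATIO = 0.9    # assumed: flag a host when >= 90% of its flows use high ports


def flag_suspected_nat(flows, high_port=HIGH_PORT, ratio=FLAG_RATIO):
    """flows: iterable of (src_ip, src_port) tuples.
    Returns the set of source IPs whose share of flows with a source port
    above `high_port` reaches `ratio`."""
    total = defaultdict(int)
    high = defaultdict(int)
    for ip, port in flows:
        total[ip] += 1
        if port > high_port:
            high[ip] += 1
    return {ip for ip in total if high[ip] / total[ip] >= ratio}


# Constructed sample traffic (not captured data).
# 192.0.2.10: a single host whose kernel picks ephemeral ports from a high
#             range (e.g. 32768-61000), so every flow looks "NAT-like"
#             to the heuristic: a false positive.
# 192.0.2.20: a NAT gateway assumed to allocate translated ports from a low
#             range, so none of its flows trip the threshold: a false negative.
# 192.0.2.30: a single host using a traditional low ephemeral range.
SAMPLE_FLOWS = [
    ("192.0.2.10", 32768), ("192.0.2.10", 33512), ("192.0.2.10", 40211),
    ("192.0.2.10", 58004),
    ("192.0.2.20", 1025), ("192.0.2.20", 1026), ("192.0.2.20", 1027),
    ("192.0.2.20", 1028),
    ("192.0.2.30", 1030), ("192.0.2.30", 2044), ("192.0.2.30", 4999),
]


def demo():
    # Returns the hosts the heuristic would flag on the constructed sample.
    return sorted(flag_suspected_nat(SAMPLE_FLOWS))


if __name__ == "__main__":
    print(demo())  # ['192.0.2.10']: the single host is flagged, the NAT box is not
```

Changing the ephemeral-port policy on either side flips the verdict, which is exactly why the thread calls this approach non-deterministic.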