[45363] in North American Network Operators' Group
Re: SlashDot: "Comcast Gunning for NAT Users"
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jan 31 17:06:44 2002
Date: Thu, 31 Jan 2002 17:02:40 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: David Charlap <David.Charlap@marconi.com>
Cc: nanog@merit.edu
Message-ID: <20020131220240.GB22554@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3C59BADB.AAEA69E9@marconi.com>
Errors-To: owner-nanog-outgoing@merit.edu
how to identify non-host based devices:
1) check out mac-address ranges
2) count flows/ip to determine if this
pattern appears to be legit. (this in theory could also be done
to prevent file sharing systems that keep a large number of
peer-to-peer connections)
3) port/ip based filtering
I suspect that for the people who went out and
bought the linksys/other routers that want to link up their
two home computers you will see a few that just say "hey, it's just
another $5/mo and i don't have to worry about this device i got
at frys/best buy/compusa/whatnot that i don't really understand".
there's [almost always] a way to beat any system. I think
they are just trying to reduce the support costs of people with
these devices at a time when they are getting bad PR (at least here in
MI) about the switchover from @home-> comcast.
the uninitiated will blame comcast when it's their
router/nat/whatnot unit.
- jared
On Thu, Jan 31, 2002 at 04:44:59PM -0500, David Charlap wrote:
>
> Keith Woodworth wrote:
> >
> > From a technical standpoint how does one detect NAT users over the
> > network?
>
> You can't deterministically do so, but there are some telltale signs.
> NAT implementations (at least the ones I've seen) tend to choose very
> large port numbers (above 30,000) for the ports that they generate.
>
> Of course, this can happen without NAT. And it is possible to write NAT
> stacks that choose low-numbered ports (it's trivially easy to make this
> change in the Linux IPMASQ code, for instance.)
>
> Anybody who tries to detect NAT through these kinds of heuristic methods
> will end up with a lot of false positives and false negatives. And if
> it becomes a problem, the NAT implementors will simply alter their code
> to make it impossible to distinguish from a single host's traffic.
>
> -- David
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
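The heuristics the thread names (MAC address ranges, flows per IP, and David's observation that NAT stacks tend to pick source ports above 30,000) can be run over flow records as a scoring pass. The block below is an added example, not code from this post or from any ISP tooling; the flow records, the "router" OUI prefix (a locally-administered placeholder, not a real vendor assignment), and every threshold are constructed for illustration. Host 3 (a single PC running a peer-to-peer client) and host 4 (a NAT box that picks low ports behind a PC-looking MAC) are there to show the false positive and false negative David predicts.

```python
"""NAT-detection heuristics from the NANOG thread, scored over constructed flows.

Added example, not code from the original post. Every address, MAC and
threshold below is constructed; nothing here is captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed OUI list: a locally-administered prefix standing in for the
# "consumer router" vendor prefixes an operator would load from the IEEE
# registry. Deliberately not a real vendor assignment.
ROUTER_OUIS = {"02:aa:bb"}

FLOW_THRESHOLD = 50      # assumed: more concurrent flows than one PC would normally hold
HIGH_PORT = 30000        # from the thread: NAT stacks seen choosing ports above 30,000
HIGH_PORT_SHARE = 0.9    # assumed: fraction of a host's flows that must use high ports


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    src_port: int
    dst_ip: str
    dst_port: int


def oui(mac: str) -> str:
    """First three octets of a MAC, normalised to lowercase 'xx:xx:xx'."""
    return mac.lower()[:8]


def score_hosts(flows, router_ouis=ROUTER_OUIS, flow_threshold=FLOW_THRESHOLD,
                high_port=HIGH_PORT, high_port_share=HIGH_PORT_SHARE):
    """Return {src_ip: [signals]} for the three heuristics in the thread."""
    by_ip = defaultdict(list)
    for f in flows:
        by_ip[f.src_ip].append(f)

    results = {}
    for ip, fl in by_ip.items():
        signals = []
        # 1) MAC address range: any MAC seen for this IP matching a router OUI
        if any(oui(f.src_mac) in router_ouis for f in fl):
            signals.append("router-oui")
        # 2) flows per IP: too many concurrent flows for a single host
        if len(fl) > flow_threshold:
            signals.append("many-flows")
        # 3) port heuristic: nearly all source ports above HIGH_PORT
        high = sum(1 for f in fl if f.src_port > high_port)
        if high / len(fl) >= high_port_share:
            signals.append("high-ports")
        results[ip] = signals
    return results


def is_likely_nat(signals, min_signals=2):
    """Assumed decision rule: flag only when two or more heuristics agree."""
    return len(signals) >= min_signals


def sample_flows():
    """Constructed flow records for four inside hosts (not captured data)."""
    flows = []
    # 1) an ordinary PC: a few connections, kernel-assigned low ports
    for i in range(10):
        flows.append(Flow("10.0.0.11", "02:00:00:00:00:11", 1025 + i, "192.0.2.10", 80))
    # 2) a consumer NAT box: router OUI, many flows, every source port above 30000
    for i in range(80):
        flows.append(Flow("10.0.0.22", "02:aa:bb:00:00:22", 32768 + i, "192.0.2.20", 443))
    # 3) one PC running a P2P client: many flows, but low ports and a PC OUI
    for i in range(120):
        flows.append(Flow("10.0.0.33", "02:00:00:00:00:33", 1025 + i,
                          f"198.51.100.{i % 250 + 1}", 6881))
    # 4) a NAT box whose stack picks low ports behind a PC-looking MAC
    for i in range(80):
        flows.append(Flow("10.0.0.44", "02:00:00:00:00:44", 1025 + i, "192.0.2.40", 80))
    return flows


if __name__ == "__main__":
    for ip, sig in sorted(score_hosts(sample_flows()).items()):
        print(f"{ip:12} {'NAT?' if is_likely_nat(sig) else 'host'} {sig}")
```

Run as a script it prints one line per inside IP. Only 10.0.0.22 trips all three checks; 10.0.0.33 (the P2P host) and 10.0.0.44 (the low-port NAT) each trip only the flow count, so a rule that requires two agreeing signals misses the second NAT box while a rule that acts on one signal would flag the P2P user, which is exactly the false-positive/false-negative trade-off described in the quoted reply.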