* Sander Steffann >> IPv6 client:port Public v4:port Dest v4:port #1: >> [2001:db8::1]:60000 -> 192.0.2.1:54321 -> ebay.co.uk:443 #2: >> [2001:db8::a]:40000 -> 192.0.2.1:54321 -> amazon.com:443 #n: >> [.................] -> 192.0.2.1:54321 -> [............] > > Technically possible, but in our case we want/need to log the BIB > entries so that if abuse is detected we can trace it back to the > originator. And we explicitly don't want to log where the user is > connecting to (privacy), only which IPv6 user got which IPv4 > address+port at which point in time.
Right. A variant of this could possibly be to allow re-use of IPv4 transport addresses only for connections originating from the same client: IPv6 client:port Public v4:port Dest v4:port [2001:db8::1]:60000 -> 192.0.2.1:54321 -> ebay.co.uk:443 [2001:db8::1]:50000 -> 192.0.2.1:54321 -> amazon.com:443 [2001:db8::a]:40000 -> 192.0.2.1:43210 -> ebay.co.uk:443 [2001:db8::a]:30000 -> 192.0.2.1:43210 -> amazon.com:443 [.................] -> 192.0.2.1:54321 -> [............] Or possibly aggregate it so that all individual IPv6 clients within the same /64 or /48 or whatever can re-use the same external IPv4 address:port tuple(s). Then you'd only need to log the assignment of the public_v4:port to the given IPv6 client/prefix for abuse purposes, yet still get the benefit of being able to overcommit the public IPv4 pool compared to standard NAT64. The public_v4:port assignments to new IPv6 clients/prefixes could even be done in batches of N at a time, to further reduce the amount of logs you need to retain. (At the expense of further reducing the amount of overcommitment you can do, of course.) Lots of things that could possibly be done here, glad I won't be the one to implement them though. ;-) Tore _______________________________________________ Jool-list mailing list [email protected] https://mail-lists.nic.mx/listas/listinfo/jool-list
