So don't CGNat? Buy IPv4 addresses at auction?
On 9/11/18 9:28 AM, Ca By wrote:
On Tue, Sep 11, 2018 at 6:04 AM Matt Hoppes
<mattli...@rivervalleyinternet.net> wrote:
That isn’t a solution. He still will need to dual stack and CGNat that.
But the flows that ca
On Tue, Sep 11, 2018 at 6:04 AM Matt Hoppes <
mattli...@rivervalleyinternet.net> wrote:
> That isn’t a solution. He still will need to dual stack and CGNat that.
>
But the flows that can support ipv6, will go ipv6 and not be subject to
these abuse triggers.
Look, this list has mon
That isn’t a solution. He still will need to dual stack and CGNat that.
> On Sep 11, 2018, at 08:54, Ca By wrote:
>
>
>
>> On Mon, Sep 10, 2018 at 9:12 PM Darin Steffl wrote:
>> Hello,
>>
>> I have a ticket open with OpenDNS about filtering happening on
On Mon, Sep 10, 2018 at 9:12 PM Darin Steffl
wrote:
> Hello,
>
> I have a ticket open with OpenDNS about filtering happening on some of our
> CGNAT IP space where a customer has "claimed" the IP as theirs so other
> customers using that same IP and OpenDNS are being
Hello,
I have a ticket open with OpenDNS about filtering happening on some of our
CGNAT IP space where a customer has "claimed" the IP as theirs so other
customers using that same IP and OpenDNS are being filtered and not able to
access sites that fall under their chosen filter.
I hav
Thanks for your replies...
In the last week or so I've been testing further...
Using the following items to slow/alleviate the otherwise randomness of ip's
and port's been generated via my cgnat boundary nodes...
APP - Address pooling paired
EIM - Endpoint independent mapping
That would be Sony...
On Sun, Jul 22, 2018, 10:24 AM Ca By wrote:
> On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean <
> na...@radu-adrian.feurdean.net> wrote:
>
> > On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> > > I don't know if it's fixed
On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean <
na...@radu-adrian.feurdean.net> wrote:
> On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> > I don't know if it's fixed on the endpoints, or in the cgnat config or
> what.
>
> Not specific to Juniper, b
On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> I don't know if it's fixed on the endpoints, or in the cgnat config or what.
Not specific to Juniper, but it's NOT fixed.
You'll either start spending time on work-arounds or you start selling a new
service with dedic
>
> I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights
> ago. for the most part it went well. with these couple issues. please let
> me
> know what you know about this and how to fix. I don't know if it's fixed on
> the endpoints, or
(please forgive cross-posting between jnsp and nanog.looking for anyone who
could help shed light)
I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights
ago. for the most part it went well. with these couple issues. please let me
know what you know about this and how to fix
There’s also the issue of what a customer who needs something like GRE or IKE
to work does from behind a CGNAT where there aren’t port numbers available for
multiplexing.
Owen
> On Feb 27, 2018, at 2:42 PM, Lee Howard wrote:
>
>
>
> On 02/27/2018 12:52 PM, Aaron Gould w
n your CGN.
Lee
- Aaron
From: Michael Crapse [mailto:mich...@wi-fiber.io]
Sent: Tuesday, February 27, 2018 11:19 AM
To: Mike Hammett
Cc: Aaron Gould; NANOG list
Subject: Re: cgnat - how do you handle customer issues
For number 2, I'm a fan of what mike suggests. I believe the te
On 02/27/2018 11:30 AM, Aaron Gould wrote:
Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.
1 - for external connectivity to the customers premise devices, not being
able to access web
I utilize A10 CGNAT that allows dynamic NAT logging, since we're in a similar
boat of utilization.
This email has been sent from my phone. Please excuse any brevity, typos, or
lack of formality.
From: Aaron Gould
Sent: Tuesday, February 27, 2018 12:
?
- Aaron
From: Michael Crapse [mailto:mich...@wi-fiber.io]
Sent: Tuesday, February 27, 2018 11:19 AM
To: Mike Hammett
Cc: Aaron Gould; NANOG list
Subject: Re: cgnat - how do you handle customer issues
For number 2, I'm a fan of what mike suggests. I believe the technical term is
> - Original Message -
>
> From: "Aaron Gould"
> To: Nanog@nanog.org
> Sent: Tuesday, February 27, 2018 10:30:21 AM
> Subject: cgnat - how do you handle customer issues
>
> Couple questions please. When you put thousands of customers behind a cgnat
>
Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.
1 - for external connectivity to the customers premise devices, not being
able to access web servers, web cameras, etc, in their premises?
2
From: "Aaron Gould"
To: Nanog@nanog.org
Sent: Tuesday, February 27, 2018 10:30:21 AM
Subject: cgnat - how do you handle customer issues
Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the followi
ax Tulyev wrote:
>>
>>> BTW, does somebody check how implementing a native IPv6 decrease actual
>>> load of CGNAT?
>> Reports are that 30-50% of traffic will be IPv6 when you enable dual
>> stack. This would be traffic that will not traverse your CGNAT.
> My
On Fri, Apr 7, 2017, at 20:03, Mikael Abrahamsson wrote:
> On Fri, 7 Apr 2017, Max Tulyev wrote:
>
> > BTW, does somebody check how implementing a native IPv6 decrease actual
> > load of CGNAT?
>
> Reports are that 30-50% of traffic will be IPv6 when you enable dual
A lot depends on the CGNAT features you are looking to support, some
considerations:
- Are you looking for port block allocation for bulk logging, where a given
subscriber is given a block of source TCP/UDP ports on a translated IP
address
- How many translations and session rate are you looking
Hi Aaron, thanks for the info. I'm curious what you or others do about
DDoS attacks to CGNAT devices. It seems that a single attack could affect
the thousands of customers that use those devices. Also, do you have
issues detecting attacks vs. legitimate traffic when you have so much
traffic
, 8 Apr 2017 at 06:19 Mikael Abrahamsson wrote:
> On Fri, 7 Apr 2017, Max Tulyev wrote:
>
> > BTW, does somebody check how implementing a native IPv6 decrease actual
> > load of CGNAT?
>
> Reports are that 30-50% of traffic will be IPv6 when you enable dual
> stack. This
Thanks Max, I've thought about that and tested some ipv6 (6vpe, mpls l3vpn
w/ipv6 dual stacked) in my network.
In my CGNAT testing for my 7,000 dsl customers, I've already tested the
inter-vrf route leaks that will be required for ipv6-flow-around to bypass
the IPv4 CGNAT boundary
On Fri, 7 Apr 2017, Max Tulyev wrote:
BTW, does somebody check how implementing a native IPv6 decrease actual
load of CGNAT?
Reports are that 30-50% of traffic will be IPv6 when you enable dual
stack. This would be traffic that will not traverse your CGNAT.
--
Mikael Abrahamssonemail
BTW, does somebody check how implementing a native IPv6 decrease actual
load of CGNAT?
On 06.04.17 23:33, Aaron Gould wrote:
> Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in
> my lab.
>
> I went with MX104/MS-MIC-16G. I love it.
>
> I deployed
by a NAT
boundary*. This would cause the DDoS to not go as far as it did in the
non-nat scenario. ...so with cgnat you've caused your reach of DDoS to be
shortened. ...but of course this doesn't cause the DDoS to not occur and to
not reach the NAT boundary...the attack still arrive
Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in
my lab.
I went with MX104/MS-MIC-16G. I love it.
I deployed (2) MX104's. Each MX104 has a single MX-MIC-16G card in it. I
integrated this CGNAT with MPLS L3VPN's for NAT Inside vrf and NAT outside
vrf. Bo
Hello Ahmad, I am using F5 for CGNAT, right now 250K subscriber
with 28Gbps bandwidth, I will double it with the second appliance easily
soon. It's high performance and I like it. Any time Any Question Thanks
Hi,
Any recommendation regarding CGNAT appliance who try it and which brand is the
best from his perspective!
The throughput which I want to pass through the CGNAT is about 40Gbits and
number of subscribers are about 40,000 subscribers.
Regards,
Ahmed
I had given some numbers for PBA in
http://puck.nether.net/pipermail/cisco-nsp/2016-February/101908.html
--
Tassos
Adam wrote on 23/11/16 23:17:
> I'm crunching the numbers on the cost effectiveness of implementing CGN vs
> IPv4 auctions. The determining factor is how many ephemeral ports are
>
Don't try deterministic NAT, it's not worth it. You'll waste a lot of
port capacity on most users, and it might still be problematic for power
users.
Just try to match one user to one real IP, many sites/applications don't
like when there are several requests from one user with different IPs.
On Thu, Nov 24, 2016 at 7:05 PM Adam wrote:
> I'm crunching the numbers on the cost effectiveness of implementing CGN vs
> IPv4 auctions. The determining factor is how many ephemeral ports are
> reserved for each customer. This is for a residential broadband
> environment.
>
> Is anybody doing de
I'm crunching the numbers on the cost effectiveness of implementing CGN vs
IPv4 auctions. The determining factor is how many ephemeral ports are
reserved for each customer. This is for a residential broadband environment.
Is anybody doing deterministic NAT/PAT (i.e. each customer gets X ports -
no
On Thu, Sep 22, 2016 at 02:31:12PM +0200, Alexander Maassen wrote:
> Maybe its time then for a global accepted, unified way to send/report abuse???
There are -- see Valdis's followup.
But there's still no viable substitute for a working abuse@ address
with clueful eyeballs on the other side of it
On Mon, Sep 19, 2016 at 09:55:56PM +0200, Florian Weimer wrote:
> Github users create several orders of magnitude more SSH connections
> [snip]
Ah. I didn't know that. Thanks!
> Sure, and people already do this, and are not very flexible about it.
> Support staff isn't briefed, and claim they d
font.
Personally I don’t trash abuse reports that are valid.
--srs
From: Tom Beecher
Date: Thursday, 22 September 2016 at 7:35 PM
To: Brian Rak
Cc: Suresh Ramasubramanian , "nanog@nanog.org"
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses
The for
http://x-arf.org/ ?
--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal
On September 22, 2016 5:31:12 AM PDT, Alexander Maassen
wrote:
>Maybe its time then for a global accepted, unified way to send/report
>abuse?
>That should solve most of the i
On Thu, 22 Sep 2016 14:31:12 +0200, Alexander Maassen said:
> Maybe its time then for a global accepted, unified way to send/report abuse?
You mean like these RFCs? (OK, so it's an XML schema. Just be glad
it isn't ASN.1 :)
5070 The Incident Object Description Exchange Format. R. Danyliw, J.
The format of the abuse complaint doesn't mean anything if it still doesn't
contain any relevant data to say what the abuse IS. (Or, even if it IS
abuse at all.)
On Thu, Sep 22, 2016 at 9:37 AM, Brian Rak wrote:
> Single IP per email: automated, zero time at all.
>
> Multiple IPs per email: m
Single IP per email: automated, zero time at all.
Multiple IPs per email: manual process, minutes per IP.
On 9/22/2016 9:34 AM, Suresh Ramasubramanian wrote:
Considering that there are likely to be many such emails - just how
much time is it going to take your abuse desk staffer to just parse
Considering that there are likely to be many such emails - just how much time
is it going to take your abuse desk staffer to just parse out those IPs from
whatever log that they send you?
And how much time would processing say 50 individual emails take compared to 50
IPs in a single email?
--s
On 9/22/2016 8:10 AM, Baldur Norddahl wrote:
On 22 September 2016 at 10:42, Alexander Maassen
wrote:
So you ignore/don't deal with the abuse coz it's shipped in a format you
refuse to handle?
And you don't even bother telling the reporter you would like it in a per
ip format? Or make attemp
> Peplink Certified Engineer
>
> Original message From: Mark Andrews > Date: 21-09-16 03:29 (GMT+01:00) To: Justin Wilson <
> li...@mtin.net > Cc: NANOG >
> Subject: Re: PlayStationNetwork blocking of CGNAT public addresses
>
> In message <
Ipv6 is there for 20+ years, cgnat is needed coz the net grows kinda
exponentially due to stuff like IoT/mobiles/m2m, and isp's need to provide
users with the ability to talk ipv4 simply because the other side refuses to
deploy v6 abilities. Do the math if they really care.
Also the se
d Engineer
Original message From: Baldur Norddahl
Date: 22-09-16 14:10 (GMT+01:00) To:
nanog@nanog.org Subject: Re: PlayStationNetwork blocking of CGNAT public
addresses
On 22 September 2016 at 10:42, Alexander Maassen
wrote:
> So you ignore/don't deal with the abuse coz it
On 22 September 2016 at 10:42, Alexander Maassen
wrote:
> So you ignore/don't deal with the abuse coz it's shipped in a format you
> refuse to handle?
>
> And you don't even bother telling the reporter you would like it in a per
> ip format? Or make attempts to make it work the way they report it
er Maassen"
Cc: "NANOG"
Sent: Thursday, September 22, 2016 3:35:01 AM
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses
Both gamers and content providers do not care. The gamers as they only care
about the game itself and don't care about the technical mumbo j
Cc:
NANOG Subject: Re: PlayStationNetwork blocking of CGNAT
public addresses
I have a hard time accepting that service providers should re-engineer
their networks because other companies cannot properly engineer their abuse
tooling.
On Tue, Sep 20, 2016 at 11:33 AM, Justin Wilson wrote
(GMT+01:00) To:
nanog@nanog.org Subject: Re: PlayStationNetwork blocking of CGNAT public
addresses
Hi
We have the opposite problem with PSN: Sometimes they will send abuse
reports with several of our IP addresses listed. The problem with that
is that we can not give data about one custome
er DroneBL-
Peplink Certified Engineer
Original message From: Mark Andrews
Date: 21-09-16 03:29 (GMT+01:00) To: Justin Wilson Cc:
NANOG Subject: Re: PlayStationNetwork blocking of CGNAT
public addresses
In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net>
I have a hard time accepting that service providers should re-engineer
their networks because other companies cannot properly engineer their abuse
tooling.
On Tue, Sep 20, 2016 at 11:33 AM, Justin Wilson wrote:
> PSN is one reason I am not a fan of CGNAT. All they see are tons of
> conne
On 21 Sep 2016, at 15:37, Baldur Norddahl wrote:
Which means we may ignore it instead.
. . . copy/paste or awk/sed or whatever isn't an option? If not, have
you requested a) separate notifications per source and/or b) a more
textual-manipulation-friendly format? Unless they're sending .gi
Hi
We have the opposite problem with PSN: Sometimes they will send abuse
reports with several of our IP addresses listed. The problem with that
is that we can not give data about one customer to another customer. By
listing multiple IP addresses we are prevented from forwarding the email
to t
On Wed, 21 Sep 2016 11:29:49 +1000, Mark Andrews said:
> What we need is business tech reporters to continually report on
> these failures of content providers to deliver their services over
> IPv6. 20 years lead time should be enough for any service.
Interestingly enough, the Playstation 4 has
Mark Andrews writes:
>
> In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net>, Justin Wilson wri
> te
> s:
> > PSN is one reason I am not a fan of CGNAT. All they see are tons of
> > connections from the same IP. This results in them banning folks. Due
>
In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net>, Justin Wilson write
s:
> PSN is one reason I am not a fan of CGNAT. All they see are tons of
> connections from the same IP. This results in them banning folks. Due
> to them being hacked so many times getting t
PSN is one reason I am not a fan of CGNAT. All they see are tons of connections
from the same IP. This results in them banning folks. Due to them being
hacked so many times getting them to actually communicate is almost impossible.
My .02 is just get the gamers a true public if at all
We operate an access network with several hundred thousand users.
> Increasingly
> we're putting the users behind CGNAT in order to continue to give them an
> IPv4
> service (we're all dual-stack, so they all get public IPv6 too). Due to the
> demographic of our users, many
* Rich Kulawiec:
> On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote:
>> * Rich Kulawiec:
>>
>> > For example: if the average number of outbound SSH connections
>> > established per hour per host across all hosts behind CGNAT is 3.2,
>> > a
On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote:
> * Rich Kulawiec:
>
> > For example: if the average number of outbound SSH connections
> > established per hour per host across all hosts behind CGNAT is 3.2,
> > and you see a host making 1100/hour: that
...@thebaughers.com]
Sent: Monday, 19 September 2016 12:09 PM
To: valdis.kletni...@vt.edu
Cc: Tony Wicks ; NANOG
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses
So I should try again to get them to tell me what an "Account Takeover Attempt"
is? They ignored my last request
So I should try again to get them to tell me what an "Account Takeover
Attempt" is? They ignored my last request.
It's easy to explain DMCA or spam to an end-user, but it's difficult to
explain to some soccer mom that her kids are doing something to make Sony
mad, when I can't explain to them what
On Mon, 19 Sep 2016 10:41:59 +1200, "Tony Wicks" said:
> Interestingly, Sony (SNEI-NOC-Abuse replied to being forwarded back one of their notification blocks requesting
> more detailed information with a csv file in under an hour!
So I guess name-and-shame *does* work? :)
Interestingly, Sony (SNEI-NOC-Abuse - Sony say no, either through silence, or explicitly.
On 9/18/2016 16:26, Larry Sheldon wrote:
On 9/18/2016 08:19, Mike Hammett wrote:
People love to hate incumbent telcos because of their arrogance (and
frankly it's deserved), but people forget that big content can be
just as arrogant and just as deserving of hatred.
I never did see the bene
On 9/18/2016 08:19, Mike Hammett wrote:
People love to hate incumbent telcos because of their arrogance (and
frankly it's deserved), but people forget that big content can be
just as arrogant and just as deserving of hatred.
I never did see the benefit or the approach. To anybody.
--
"Ever
n to source IP
> addresses and destination IP addresses)? Have the anti-abuse
> mechanisms finally caught on with CGNAT, or is it possible that the
> PSN operator themselves do not have such detailed data?
99.99% of abuse reports we receive contain the information, but that's because
99.99%
> - User reports they can't reach PSN
> - We report the Sony/PSN, they say "Yes, it's blocked because that IP attacked
> us"
> - We say "Okay, that's a CGNAT public IP, can you help us identify the which
> inside user that is - (timestamp,ip,port) lo
* Tom Beecher:
> An email to a user notifying them they're likely compromised costs
> basically nothing.
If this increases the probability that the customer contacts customer
support, in some markets, there is a risk that the account will never
turn profitable during the current contract period.
An email to a user notifying them they're likely compromised costs
basically nothing. An email to their entire subscriber base also costs
nothing. If you find me an ISP that can't afford to notify users, I'll show
you one that shouldn't be in business anyways.
There's this presumption of guilt her
ompromised and we're made aware of it - either through our own
tools, or through 3rd party notifications.
The process with Sony goes something like:
- User reports they can't reach PSN
- We report the Sony/PSN, they say "Yes, it's blocked because that IP attacked
us"
- We
* Tom Beecher:
> Simon's getting screwed because he's not being given any information to try
> and solve the problem, and because his customers are likely blaming him
> because he's their ISP.
We don't know that for sure. Another potential issue is that the ISP
just cannot afford to notify its c
* Rich Kulawiec:
> For example: if the average number of outbound SSH connections
> established per hour per host across all hosts behind CGNAT is 3.2,
> and you see a host making 1100/hour: that's a problem. It might be
> someone who botched a Perl script; or it might be a bot
WISP
- Original Message -
From: "Tom Beecher"
To: "Tom Smyth"
Cc: "NANOG"
Sent: Sunday, September 18, 2016 8:15:08 AM
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses
This is, as many things are, a huge problem in communication.
Sony
1) limit the ratio of users to an external ipv4 address as much as possible
> (which would reduce the impact of one compromised customer bringing down
> play time for other clients behind the same nat
>
> 2)do some "canary in the mine" monitoring for obviously malicious tra
On Sun, Sep 18, 2016 at 01:30:52PM +0100, Tom Smyth wrote:
> 2)do some "canary in the mine" monitoring for obviously malicious traffic
> (loads of SMTP traffic outbound) and lots of connection requests to SSH
> servers ... if you see that traffic from behind your C
2)do some "canary in the mine" monitoring for obviously malicious traffic
(loads of SMTP traffic outbound) and lots of connection requests to SSH
servers ... if you see that traffic from behind your CGNAT device .. just
temporarily block the internal ip of the user until they clea
Simon Lockhart wrote:
Has anyone else come up against the problem, and/or have any suggestions on
how best to resolve it?
The best solution is to have a common practice on a set of public
port numbers assigned to a host behind NAT.
For example, with a practice that, if a port in a range betwe
Another aspect, for those users that need to go the PSN network but experience
issues via the CGNAT, an opt-out solution (giving them public IPv4) may should
mitigate the problem, that PSN network does not support IPv6.
After all what percentage of your total subscribers that uses PSN and are
So the pain has finally flowed down to other parts of the world. (APNIC ran
out of IP's a long time ago, so CGN has been in use here for a lot longer)
This issue is one I have been dealing with for the last four years. Only
with Sony, no other company has caused such a headache in regard to
On Friday, September 16, 2016, Simon Lockhart wrote:
> All,
>
> We operate an access network with several hundred thousand users.
> Increasingly
> we're putting the users behind CGNAT in order to continue to give them an
> IPv4
> service (we're all dual-stack,
via that route...and , if you offer IPv6 native service to end users, ask PSN
when they are going to
be offer an IPv6 service to their users - so this CGNAT stuff can go ;-)
alan
On 16 Sep 2016, at 20:38, Simon Lockhart wrote:
Unless we know what to look for, it's hard to detect and stop it.
It's not just application-layer stuff - they're subject to all sorts of
attacks. Screening out the obvious stuff would certainly help.
The main issue is a dearth of engagemen
On Fri Sep 16, 2016 at 08:32:12PM +0700, Roland Dobbins wrote:
> Another aspect is ensuring that one has the ability to detect, classify,
> traceback, and mitigate outbound badness southbound of the CGN.
Unless PSN can tell us what traffic they consider bad, how can we detect and
classify it? We c
On 16 Sep 2016, at 20:12, Simon Lockhart wrote:
Has anyone else come up against the problem, and/or have any
suggestions on how best to resolve it?
I'm pretty sure that at least part of it has to do with DDoS-related
activity. The best bet is to try and identify and engage with the
relevan
A network that doesn't support IPv6, yet discriminates against CGNAT? That
seems like a promising future.
-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
- Original Message -
From: "Simon Lockhart"
To: nanog@
All,
We operate an access network with several hundred thousand users. Increasingly
we're putting the users behind CGNAT in order to continue to give them an IPv4
service (we're all dual-stack, so they all get public IPv6 too). Due to the
demographic of our users, many of them are game