Re: OpenDNS CGNAT Issues

2018-09-11 Thread Matt Hoppes
So don't CGNat? Buy IPv4 addresses at auction? On 9/11/18 9:28 AM, Ca By wrote: On Tue, Sep 11, 2018 at 6:04 AM Matt Hoppes <mattli...@rivervalleyinternet.net> wrote: That isn’t a solution. He still will need to dual stack and CGNat that. But the flows that ca

Re: OpenDNS CGNAT Issues

2018-09-11 Thread Ca By
On Tue, Sep 11, 2018 at 6:04 AM Matt Hoppes < mattli...@rivervalleyinternet.net> wrote: > That isn’t a solution. He still will need to dual stack and CGNat that. > But the flows that can support ipv6, will go ipv6 and not be subject to these abuse triggers. Look, this list has mon

Re: OpenDNS CGNAT Issues

2018-09-11 Thread Matt Hoppes
That isn’t a solution. He still will need to dual stack and CGNat that. > On Sep 11, 2018, at 08:54, Ca By wrote: > > > >> On Mon, Sep 10, 2018 at 9:12 PM Darin Steffl wrote: >> Hello, >> >> I have a ticket open with OpenDNS about filtering happening on

Re: OpenDNS CGNAT Issues

2018-09-11 Thread Ca By
On Mon, Sep 10, 2018 at 9:12 PM Darin Steffl wrote: > Hello, > > I have a ticket open with OpenDNS about filtering happening on some of our > CGNAT IP space where a customer has "claimed" the IP as theirs so other > customers using that same IP and OpenDNS are being

OpenDNS CGNAT Issues

2018-09-10 Thread Darin Steffl
Hello, I have a ticket open with OpenDNS about filtering happening on some of our CGNAT IP space where a customer has "claimed" the IP as theirs so other customers using that same IP and OpenDNS are being filtered and not able to access sites that fall under their chosen filter. I hav

RE: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-31 Thread Aaron Gould
Thanks for your replies... In the last week or so I've been testing further... Using the following items to slow/alleviate the otherwise randomness of ip's and port's been generated via my cgnat boundary nodes... APP - Address pooling paired EIM - Endpoint independent mapping

Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-23 Thread Ross Tajvar
That would be Sony... On Sun, Jul 22, 2018, 10:24 AM Ca By wrote: > On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean < > na...@radu-adrian.feurdean.net> wrote: > > > On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote: > > > I don't know if it's fixed

Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-22 Thread Ca By
On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean < na...@radu-adrian.feurdean.net> wrote: > On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote: > > I don't know if it's fixed on the endpoints, or in the cgnat config or > what. > > Not specific to Juniper, b

Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-22 Thread Radu-Adrian Feurdean
On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote: > I don't know if it's fixed on the endpoints, or in the cgnat config or what. Not specific to Juniper, but it's NOT fixed. You'll either start spending time on work-arounds or you start selling a new service with dedic

Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-19 Thread Matt Erculiani
> > I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights > ago. for the most part it went well. with these couple issues. please let > me > know what you know about this and how to fix. I don't know if it's fixed on > the endpoints, or

issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-19 Thread Aaron Gould
(please forgive cross-posting between jnsp and nanog.looking for anyone who could help shed light) I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights ago. for the most part it went well. with these couple issues. please let me know what you know about this and how to fix

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Owen DeLong
There’s also the issue of what a customer who needs something like GRE or IKE to work does from behind a CGNAT where there aren’t port numbers available for multiplexing. Owen > On Feb 27, 2018, at 2:42 PM, Lee Howard wrote: > > > > On 02/27/2018 12:52 PM, Aaron Gould w

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Lee Howard
n your CGN. Lee - Aaron From: Michael Crapse [mailto:mich...@wi-fiber.io] Sent: Tuesday, February 27, 2018 11:19 AM To: Mike Hammett Cc: Aaron Gould; NANOG list Subject: Re: cgnat - how do you handle customer issues For number 2, I'm a fan of what mike suggests. I believe the te

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Lee Howard
On 02/27/2018 11:30 AM, Aaron Gould wrote: Couple questions please. When you put thousands of customers behind a cgnat boundary, how do you all handle customer complaints about the following. 1 - for external connectivity to the customers premise devices, not being able to access web

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Chris Gross
I utilize A10 CGNAT that allows dynamic NAT logging, since we're in a similar boat of utilization. This email has been sent from my phone. Please excuse any brevity, typos, or lack of formality. From: Aaron Gould Sent: Tuesday, February 27, 2018 12:

RE: cgnat - how do you handle customer issues

2018-02-27 Thread Aaron Gould
? - Aaron From: Michael Crapse [mailto:mich...@wi-fiber.io] Sent: Tuesday, February 27, 2018 11:19 AM To: Mike Hammett Cc: Aaron Gould; NANOG list Subject: Re: cgnat - how do you handle customer issues For number 2, I'm a fan of what mike suggests. I believe the technical term is

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Michael Crapse
> - Original Message - > > From: "Aaron Gould" > To: Nanog@nanog.org > Sent: Tuesday, February 27, 2018 10:30:21 AM > Subject: cgnat - how do you handle customer issues > > Couple questions please. When you put thousands of customers behind a cgnat >

cgnat - how do you handle customer issues

2018-02-27 Thread Aaron Gould
Couple questions please. When you put thousands of customers behind a cgnat boundary, how do you all handle customer complaints about the following. 1 - for external connectivity to the customers premise devices, not being able to access web servers, web cameras, etc, in their premises? 2

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Mike Hammett
From: "Aaron Gould" To: Nanog@nanog.org Sent: Tuesday, February 27, 2018 10:30:21 AM Subject: cgnat - how do you handle customer issues Couple questions please. When you put thousands of customers behind a cgnat boundary, how do you all handle customer complaints about the followi

Re: CGNAT

2017-04-10 Thread Tassos Chatzithomaoglou
ax Tulyev wrote: >> >>> BTW, does somebody check how implementing a native IPv6 decrease actual >>> load of CGNAT? >> Reports are that 30-50% of traffic will be IPv6 when you enable dual >> stack. This would be traffic that will not traverse your CGNAT. > My

Re: CGNAT

2017-04-10 Thread Radu-Adrian Feurdean
On Fri, Apr 7, 2017, at 20:03, Mikael Abrahamsson wrote: > On Fri, 7 Apr 2017, Max Tulyev wrote: > > > BTW, does somebody check how implementing a native IPv6 decrease actual > > load of CGNAT? > > Reports are that 30-50% of traffic will be IPv6 when you enable dual

Re: CGNAT

2017-04-08 Thread Ed Lopez
A lot depends on the CGNAT features you are looking to support, some considerations: - Are you looking for port block allocation for bulk logging, where a given subscriber is given a block of source TCP/UDP ports on a translated IP address - How many translations and session rate are you looking

Re: CGNAT

2017-04-08 Thread Compton, Rich A
Hi Aaron, thanks for the info. I'm curious what you or others do about DDoS attacks to CGNAT devices. It seems that a single attack could affect the thousands of customers that use those devices. Also, do you have issues detecting attacks vs. legitimate traffic when you have so much traffic

Re: CGNAT

2017-04-07 Thread Pshem Kowalczyk
, 8 Apr 2017 at 06:19 Mikael Abrahamsson wrote: > On Fri, 7 Apr 2017, Max Tulyev wrote: > > > BTW, does somebody check how implementing a native IPv6 decrease actual > > load of CGNAT? > > Reports are that 30-50% of traffic will be IPv6 when you enable dual > stack. This

RE: CGNAT

2017-04-07 Thread Aaron Gould
Thanks Max, I've thought about that and tested some ipv6 (6vpe, mpls l3vpn w/ipv6 dual stacked) in my network. In my CGNAT testing for my 7,000 dsl customers, I've already tested the inter-vrf route leaks that will be required for ipv6-flow-around to bypass the IPv4 CGNAT boundary

Re: CGNAT

2017-04-07 Thread Mikael Abrahamsson
On Fri, 7 Apr 2017, Max Tulyev wrote: BTW, does somebody check how implementing a native IPv6 decrease actual load of CGNAT? Reports are that 30-50% of traffic will be IPv6 when you enable dual stack. This would be traffic that will not traverse your CGNAT. -- Mikael Abrahamsson email

Re: CGNAT

2017-04-07 Thread Max Tulyev
BTW, does somebody check how implementing a native IPv6 decrease actual load of CGNAT? On 06.04.17 23:33, Aaron Gould wrote: > Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in > my lab. > > I went with MX104/MS-MIC-16G. I love it. > > I deployed

RE: CGNAT

2017-04-07 Thread Aaron Gould
by a NAT boundary*. This would cause the DDoS to not go as far as it did in the non-nat scenario. ...so with cgnat you've caused your reach of DDoS to be shortened. ...but of course this doesn't cause the DDoS to not occur and to not reach the NAT boundary...the attack still arrive

RE: CGNAT

2017-04-06 Thread Aaron Gould
Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in my lab. I went with MX104/MS-MIC-16G. I love it. I deployed (2) MX104's. Each MX104 has a single MX-MIC-16G card in it. I integrated this CGNAT with MPLS L3VPN's for NAT Inside vrf and NAT outside vrf. Bo

Re: CGNAT

2017-04-06 Thread Shahab Vahabzadeh
Hello Ahmad, I am using F5 for CGNAT, right now 250K subscriber with 28Gbps bandwidth, I will double it with the second appliance easily soon. It's high performance and I like it. Any time Any Question Thanks

CGNAT

2017-04-06 Thread Ahmed Munaf
Hi, Any recommendation regarding CGNAT appliance who try it and which brand is the best from his perspective! The throughput which I want to pass through the CGNAT is about 40Gbits and number of subscribers are about 40,000 subscribers. Regards, Ahmed

Re: CGNAT - Seeking Real World Experience

2016-11-26 Thread Tassos Chatzithomaoglou
I had given some numbers for PBA in http://puck.nether.net/pipermail/cisco-nsp/2016-February/101908.html -- Tassos Adam wrote on 23/11/16 23:17: > I'm crunching the numbers on the cost effectiveness of implementing CGN vs > IPv4 auctions. The determining factor is how many ephemeral ports are >

Re: CGNAT - Seeking Real World Experience

2016-11-25 Thread Stepan Kucherenko
Don't try deterministic NAT, it's not worth it. You'll waste a lot of port capacity on most users, and it might still be problematic for power users. Just try to match one user to one real IP, many sites/applications don't like when there are several requests from one user with different IPs.

Re: CGNAT - Seeking Real World Experience

2016-11-24 Thread Ca By
On Thu, Nov 24, 2016 at 7:05 PM Adam wrote: > I'm crunching the numbers on the cost effectiveness of implementing CGN vs > IPv4 auctions. The determining factor is how many ephemeral ports are > reserved for each customer. This is for a residential broadband > environment. > > Is anybody doing de

CGNAT - Seeking Real World Experience

2016-11-24 Thread Adam
I'm crunching the numbers on the cost effectiveness of implementing CGN vs IPv4 auctions. The determining factor is how many ephemeral ports are reserved for each customer. This is for a residential broadband environment. Is anybody doing deterministic NAT/PAT (i.e. each customer gets X ports - no

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-23 Thread Rich Kulawiec
On Thu, Sep 22, 2016 at 02:31:12PM +0200, Alexander Maassen wrote: > Maybe its time then for a global accepted, unified way to send/report abuse??? There are -- see Valdis's followup. But there's still no viable substitute for a working abuse@ address with clueful eyeballs on the other side of it

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-23 Thread Rich Kulawiec
On Mon, Sep 19, 2016 at 09:55:56PM +0200, Florian Weimer wrote: > Github users create several orders of magnitude more SSH connections > [snip] Ah. I didn't know that. Thanks! > Sure, and people already do this, and are not very flexible about it. > Support staff isn't briefed, and claim they d

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Suresh Ramasubramanian
font. Personally I don’t trash abuse reports that are valid. --srs From: Tom Beecher Date: Thursday, 22 September 2016 at 7:35 PM To: Brian Rak Cc: Suresh Ramasubramanian , "nanog@nanog.org" Subject: Re: PlayStationNetwork blocking of CGNAT public addresses The for

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Hugo Slabbert
http://x-arf.org/ ? -- Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com pgp key: B178313E   | also on Signal On September 22, 2016 5:31:12 AM PDT, Alexander Maassen wrote: >Maybe its time then for a global accepted, unified way to send/report >abuse?  >That should solve most of the i

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Valdis . Kletnieks
On Thu, 22 Sep 2016 14:31:12 +0200, Alexander Maassen said: > Maybe its time then for a global accepted, unified way to send/report abuse? You mean like these RFCs? (OK, so it's an XML schema. Just be glad it isn't ASN.1 :) 5070 The Incident Object Description Exchange Format. R. Danyliw, J.

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Tom Beecher
The format of the abuse complaint doesn't mean anything if it still doesn't contain any relevant data to say what the abuse IS. (Or, even if it IS abuse at all.) On Thu, Sep 22, 2016 at 9:37 AM, Brian Rak wrote: > Single IP per email: automated, zero time at all. > > Multiple IPs per email: m

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Brian Rak
Single IP per email: automated, zero time at all. Multiple IPs per email: manual process, minutes per IP. On 9/22/2016 9:34 AM, Suresh Ramasubramanian wrote: Considering that there are likely to be many such emails - just how much time is it going to take your abuse desk staffer to just parse

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Suresh Ramasubramanian
Considering that there are likely to be many such emails - just how much time is it going to take your abuse desk staffer to just parse out those IPs from whatever log that they send you? And how much time would processing say 50 individual emails take compared to 50 IPs in a single email? --s

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Brian Rak
On 9/22/2016 8:10 AM, Baldur Norddahl wrote: On 22 September 2016 at 10:42, Alexander Maassen wrote: So you ignore/don't deal with the abuse coz it's shipped in a format you refuse to handle? And you don't even bother telling the reporter you would like it in a per ip format? Or make attemp

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Ca By
> Peplink Certified Engineer > > Oorspronkelijk bericht Van: Mark Andrews > Datum: 21-09-16 03:29 (GMT+01:00) Aan: Justin Wilson < > li...@mtin.net > Cc: NANOG > > Onderwerp: Re: PlayStationNetwork blocking of CGNAT public addresses > > In message &

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Alexander Maassen
Ipv6 is there for 20+ years, cgnat is needed coz the net grows kinda exponentially due to stuff like IoT/mobiles/m2m, and isp's need to provide users with the ability to talk ipv4 simply because the other side refuses to deploy v6 abilities. Do the math if they really care. Also the se

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Alexander Maassen
d Engineer Oorspronkelijk bericht Van: Baldur Norddahl Datum: 22-09-16 14:10 (GMT+01:00) Aan: nanog@nanog.org Onderwerp: Re: PlayStationNetwork blocking of CGNAT public addresses On 22 September 2016 at 10:42, Alexander Maassen wrote: > So you ignore/don't deal with the abuse coz it

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Baldur Norddahl
On 22 September 2016 at 10:42, Alexander Maassen wrote: > So you ignore/don't deal with the abuse coz it's shipped in a format you > refuse to handle? > > And you don't even bother telling the reporter you would like it in a per > ip format? Or make attempts to make it work the way they report it

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Mike Hammett
er Maassen" Cc: "NANOG" Sent: Thursday, September 22, 2016 3:35:01 AM Subject: Re: PlayStationNetwork blocking of CGNAT public addresses Both gamers and content providers do not care. The gamers as they only care about the game itself and don't care about the technical mumbo j

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Alexander Maassen
Cc: NANOG Onderwerp: Re: PlayStationNetwork blocking of CGNAT public addresses I have a hard time accepting that service providers should re-engineer their networks because other companies cannot properly engineer their abuse tooling. On Tue, Sep 20, 2016 at 11:33 AM, Justin Wilson wrote

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Alexander Maassen
(GMT+01:00) Aan: nanog@nanog.org Onderwerp: Re: PlayStationNetwork blocking of CGNAT public addresses Hi We have the opposite problem with PSN: Sometimes they will send abuse reports with several of our IP addresses listed. The problem with that is that we can not give data about one custome

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-22 Thread Alexander Maassen
er DroneBL- Peplink Certified Engineer Oorspronkelijk bericht Van: Mark Andrews Datum: 21-09-16 03:29 (GMT+01:00) Aan: Justin Wilson Cc: NANOG Onderwerp: Re: PlayStationNetwork blocking of CGNAT public addresses In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net&

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-21 Thread Tom Beecher
I have a hard time accepting that service providers should re-engineer their networks because other companies cannot properly engineer their abuse tooling. On Tue, Sep 20, 2016 at 11:33 AM, Justin Wilson wrote: > PSN is one reason I am not a fan of CGNAT. All they see are tons of > conne

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-21 Thread Roland Dobbins
On 21 Sep 2016, at 15:37, Baldur Norddahl wrote: Which means we may ignore it instead. . . . copy/paste or awk/sed or whatever isn't an option? If not, have you requested a) separate notifications per source and/or b) a more textual-manipulation-friendly format? Unless they're sending .gi

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-21 Thread Baldur Norddahl
Hi We have the opposite problem with PSN: Sometimes they will send abuse reports with several of our IP addresses listed. The problem with that is that we can not give data about one customer to another customer. By listing multiple IP addresses we are prevented from forwarding the email to t

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-20 Thread Valdis . Kletnieks
On Wed, 21 Sep 2016 11:29:49 +1000, Mark Andrews said: > What we need is business tech reporters to continually report on > these failures of content providers to deliver their services over > IPv6. 20 years lead time should be enough for any service. Interestingly enough, the Playstation 4 has

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-20 Thread Mark Andrews
Mark Andrews writes: > > In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net>, Justin Wilson writes: > > PSN is one reason I am not a fan of CGNAT. All they see are tons of > > connections from the same IP. This results in them banning folks. Due &g

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-20 Thread Mark Andrews
In message <09342130-874f-4fa4-b410-b7b66a75f...@mtin.net>, Justin Wilson writes: > PSN is one reason I am not a fan of CGNAT. All they see are tons of > connections from the same IP. This results in them banning folks. Due > to them being hacked so many times getting t

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-20 Thread Justin Wilson
PSN is one reason I am not a fan of CGNAT. All they see are tons of connections from the same IP. This results in them banning folks. Due to them being hacked so many times getting them to actually communicate is almost impossible. My .02 is just get the gamers a true public if at all

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-20 Thread Danijel Starman
We operate an access network with several hundred thousand users. > Increasingly > we're putting the users behind CGNAT in order to continue to give them an > IPv4 > service (we're all dual-stack, so they all get public IPv6 too). Due to the > demographic of our users, many

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-19 Thread Florian Weimer
* Rich Kulawiec: > On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote: >> * Rich Kulawiec: >> >> > For example: if the average number of outbound SSH connections >> > established per hour per host across all hosts behind CGNAT is 3.2, >> > a

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-19 Thread Rich Kulawiec
On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote: > * Rich Kulawiec: > > > For example: if the average number of outbound SSH connections > > established per hour per host across all hosts behind CGNAT is 3.2, > > and you see a host making 1100/hour: that&#

RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tony Wicks
...@thebaughers.com] Sent: Monday, 19 September 2016 12:09 PM To: valdis.kletni...@vt.edu Cc: Tony Wicks ; NANOG Subject: Re: PlayStationNetwork blocking of CGNAT public addresses So I should try again to get them to tell me what an "Account Takeover Attempt" is? They ignored my last request

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Jason Baugher
So I should try again to get them to tell me what an "Account Takeover Attempt" is? They ignored my last request. It's easy to explain DMCA or spam to an end-user, but it's difficult to explain to some soccer mom that her kids are doing something to make Sony mad, when I can't explain to them what

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Valdis . Kletnieks
On Mon, 19 Sep 2016 10:41:59 +1200, "Tony Wicks" said: > Interestingly, Sony (SNEI-NOC-Abuse replied to being forwarded back one of their notification blocks requesting > more detailed information with a csv file in under an hour! So I guess name-and-shame *does* work? :)

RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tony Wicks
Interestingly, Sony (SNEI-NOC-Abuse - Sony say no, either through silence, or explicitly.

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Larry Sheldon
On 9/18/2016 16:26, Larry Sheldon wrote: On 9/18/2016 08:19, Mike Hammett wrote: People love to hate incumbent telcos because of their arrogance (and frankly it's deserved), but people forget that big content can be just as arrogant and just as deserving of hatred. I never did see the bene

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Larry Sheldon
On 9/18/2016 08:19, Mike Hammett wrote: People love to hate incumbent telcos because of their arrogance (and frankly it's deserved), but people forget that big content can be just as arrogant and just as deserving of hatred. I never did see the benefit or the approach. To anybody. -- "Ever

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Simon Lockhart
n to source IP > addresses and destination IP addresses)? Have the anti-abuse > mechanisms finally caught on with CGNAT, or is it possible that the > PSN operator themselves do not have such detailed data? 99.99% of abuse reports we receive contain the information, but that's because 99.99%

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
> - User reports they can't reach PSN > - We report the Sony/PSN, they say "Yes, it's blocked because that IP attacked > us" > - We say "Okay, that's a CGNAT public IP, can you help us identify the which > inside user that is - (timestamp,ip,port) lo

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Tom Beecher: > An email to a user notifying them they're likely compromised costs > basically nothing. If this increases the probability that the customer contacts customer support, in some markets, there is a risk that the account will never turn profitable during the current contract period.

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tom Beecher
An email to a user notifying them they're likely compromised costs basically nothing. An email to their entire subscriber base also costs nothing. If you find me an ISP that can't afford to notify users, I'll show you one that shouldn't be in business anyways. There's this presumption of guilt her

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Simon Lockhart
ompromised and we're made aware of it - either through our own tools, or through 3rd party notifications. The process with Sony goes something like: - User reports they can't reach PSN - We report the Sony/PSN, they say "Yes, it's blocked because that IP attacked us" - We

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Tom Beecher: > Simon's getting screwed because he's not being given any information to try > and solve the problem, and because his customers are likely blaming him > because he's their ISP. We don't know that for sure. Another potential issue is that the ISP just cannot afford to notify its c

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Rich Kulawiec: > For example: if the average number of outbound SSH connections > established per hour per host across all hosts behind CGNAT is 3.2, > and you see a host making 1100/hour: that's a problem. It might be > someone who botched a Perl script; or it might be a bot

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Mike Hammett
WISP - Original Message - From: "Tom Beecher" To: "Tom Smyth" Cc: "NANOG" Sent: Sunday, September 18, 2016 8:15:08 AM Subject: Re: PlayStationNetwork blocking of CGNAT public addresses This is, as many things are, a huge problem in communication. Sony

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tom Beecher
1) limit the ratio of users to an external ipv4 address as much as possible > (which would reduce the impact of one compromised customer bringing down > play time for other clients behind the same nat > > 2)do some "canary in the mine" monitoring for obviously malicious tra

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Rich Kulawiec
On Sun, Sep 18, 2016 at 01:30:52PM +0100, Tom Smyth wrote: > 2)do some "canary in the mine" monitoring for obviously malicious traffic > (loads of SMTP traffic outbound) and lots of connection requests to SSH > servers ... if you see that traffic from behind your C

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tom Smyth
2)do some "canary in the mine" monitoring for obviously malicious traffic (loads of SMTP traffic outbound) and lots of connection requests to SSH servers ... if you see that traffic from behind your CGNAT device .. just temporarily block the internal ip of the user until they clea

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Masataka Ohta
Simon Lockhart wrote: Has anyone else come up against the problem, and/or have any suggestions on how best to resolve it? The best solution is to have a common practice on a set of public port numbers assigned to a host behind NAT. For example, with a practice that, if a port in a range betwe

RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread michalis.bersimis
Another aspect, for those users that need to go the PSN network but experience issues via the CGNAT, an opt-out solution (giving them public IPv4) may should mitigate the problem, that PSN network does not support IPv6. After all what percentage of your total subscribers that uses PSN and are

RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Tony Wicks
So the pain has finally flowed down to other parts of the world. (APNIC ran out of IP's a long time ago, so CGN has been in use here for a lot longer) This issue is one I have been dealing with for the last four years. Only with Sony, no other company has caused such a headache in regard to

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Ca By
On Friday, September 16, 2016, Simon Lockhart wrote: > All, > > We operate an access network with several hundred thousand users. > Increasingly > we're putting the users behind CGNAT in order to continue to give them an > IPv4 > service (we're all dual-stack,

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread A . L . M . Buxey
via that route...and , if you offer IPv6 native service to end users, ask PSN when they are going to be offer an IPv6 service to their users - so this CGNAT stuff can go ;-) alan

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Roland Dobbins
On 16 Sep 2016, at 20:38, Simon Lockhart wrote: Unless we know what to look for, it's hard to detect and stop it. It's not just application-layer stuff - they're subject to all sorts of attacks. Screening out the obvious stuff would certainly help. The main issue is a dearth of engagemen

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Simon Lockhart
On Fri Sep 16, 2016 at 08:32:12PM +0700, Roland Dobbins wrote: > Another aspect is ensuring that one has the ability to detect, classify, > traceback, and mitigate outbound badness southbound of the CGN. Unless PSN can tell us what traffic they consider bad, how can we detect and classify it? We c

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Roland Dobbins
On 16 Sep 2016, at 20:12, Simon Lockhart wrote: Has anyone else come up against the problem, and/or have any suggestions on how best to resolve it? I'm pretty sure that at least part of it has to do with DDoS-related activity. The best bet is to try and identify and engage with the relevan

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Mike Hammett
A network that doesn't support IPv6, yet discriminates against CGNAT? That seems like a promising future. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Simon Lockhart" To: nanog@

PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Simon Lockhart
All, We operate an access network with several hundred thousand users. Increasingly we're putting the users behind CGNAT in order to continue to give them an IPv4 service (we're all dual-stack, so they all get public IPv6 too). Due to the demographic of our users, many of them are game
