Re: CGNAT Solutions

2020-04-30 Thread Masataka Ohta

Ca By wrote:


> > The proper number to be considered should be percentage of IPv6
> > hosts which can not communicate with IPv4 only hosts.
> >
> > Isn't it 0%?


I think you agree with me, here.


> For those of us running networks, especially growing networks, uniquely
> numbering hosts is our goal and ipv6 fits that task.


Then, you should be running some isolated network.

In this thread, we, except you, are discussing how to uniquely identify
customers, not hosts, without (much) logging.


> For many networks, rfc1918 space is not sufficiently large to number
> end-points. Around the world, there are many networks that fit this.


The global address space of IPv4 with NAT is a combination of the IPv4
address and part of the port number space, which should be enough to
identify customers and, maybe, hosts, and is much larger than the
private space of rfc1918.

> So far, i just talked about why eyeball networks deploy ipv6 — which is
> basic and sensible engineering and economics.  A similar set of forces are
> at work on the content / cloud / iot side.

Perfect argument for OSI.

Masataka Ohta


Re: CGNAT Solutions

2020-04-30 Thread JORDI PALET MARTINEZ via NANOG
And more and more CPE providers support it.

 

See RFC8585.

 

I initially started using OpenWRT, but now I have already got samples from several
vendors.

 

Regards,

Jordi

@jordipalet

 

 

 

On 30/4/20 6:16, "NANOG on behalf of Ca By" wrote:

 

 

 

> On Wed, Apr 29, 2020 at 7:17 PM Brandon Martin  wrote:
>
> > On 4/29/20 10:12 PM, William Herrin wrote:
> > >> What allows them to work with v6 in such an efficient manner?
> > > A piece of client software is installed on every phone that presents
> > > an IPv4 address to the phone and then translates packets to IPv6 for
> > > relay over the network. This works because T-Mobile has considerable
> > > control over the phone.
> >
> > FWIW, this software component (the CLAT) can also be on the CPE edge
> > router which many ISPs either control outright these days or at least
> > can influence.
> > --
> > Brandon Martin
>
> Correct, and T-Mobile uses this 464xlat approach for their home broadband
> product as well

 

 



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.



Re: CGNAT Solutions

2020-04-29 Thread Ca By
On Wed, Apr 29, 2020 at 7:17 PM Brandon Martin 
wrote:

> On 4/29/20 10:12 PM, William Herrin wrote:
> >> What allows them to work with v6 in such an efficient manner?
> > A piece of client software is installed on every phone that presents
> > an IPv4 address to the phone and then translates packets to IPv6 for
> > relay over the network. This works because T-Mobile has considerable
> > control over the phone.
>
> FWIW, this software component (the CLAT) can also be on the CPE edge
> router which many ISPs either control outright these days or at least
> can influence.
> --
> Brandon Martin


Correct, and T-Mobile uses this 464xlat approach for their home broadband
product as well




Re: CGNAT Solutions

2020-04-29 Thread Ca By
On Wed, Apr 29, 2020 at 7:46 PM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:

> Ca By wrote:
>
> >>>You can't eliminate that unless the CPE also knows what internal
> port
> >>> range it's mapped to so that it restricts what range it uses.  If you
> >>> can do that, you can get rid of the programmatic state tracking
> entirely
> >>> and just use static translations for TCP and UDP which, while nice, is
> >>> impractical.  You're about 95% of the way to LW4o6 or MAP at that
> point.
> >>
> >> Interesting. Then, if you can LW4o6 or MAP, you are about 95% of the
> >> way to E2ENAT with complete end to end transparency using IPv4 only,
> >> which means we don't need IPv6 with 4to6 NAT lacking the transparency.
> >>
> >>  https://tools.ietf.org/html/draft-ohta-e2e-nat-00
> >>
> >>  Masataka Ohta
>
> > Since we are talking numbers and hard facts
>
> I'm rather interested in not numbers but facts on the E2E
> transparency, because, without the transparency, legacy
> NAT44 should be enough.
>
> But, as you insist on numbers:
>
> > 42% of usa accesses google on ipv6
> >
> > https://www.google.com/intl/en/ipv6/statistics.html
>
> The proper number to be considered should be percentage of IPv6
> hosts which can not communicate with IPv4 only hosts.
>
> Isn't it 0%?


For those of us running networks, especially growing networks, uniquely
numbering hosts is our goal and ipv6 fits that task.

For many networks, rfc1918 space is not sufficiently large to number
end-points. Around the world, there are many networks that fit this.

For those same networks, nat44 scale is also a painful and costly effort.

To that end, ipv6 / 464xlat provides the one-two punch of uniquely
numbering nodes and by-passing NAT44 or NAT64 for the majority of traffic
we see (google, fb, netflix ...)

Being able to offer a product that disallows access to ipv4 is a non-goal

So far, i just talked about why eyeball networks deploy ipv6 — which is
basic and sensible engineering and economics.  A similar set of forces are
at work on the content / cloud / iot side.



>
> Masataka Ohta
>


Re: CGNAT Solutions

2020-04-29 Thread Masataka Ohta

Ca By wrote:


> > > You can't eliminate that unless the CPE also knows what internal port
> > > range it's mapped to so that it restricts what range it uses.  If you
> > > can do that, you can get rid of the programmatic state tracking entirely
> > > and just use static translations for TCP and UDP which, while nice, is
> > > impractical.  You're about 95% of the way to LW4o6 or MAP at that point.


> > Interesting. Then, if you can LW4o6 or MAP, you are about 95% of the
> > way to E2ENAT with complete end to end transparency using IPv4 only,
> > which means we don't need IPv6 with 4to6 NAT lacking the transparency.
> >
> >  https://tools.ietf.org/html/draft-ohta-e2e-nat-00
> >
> >  Masataka Ohta



> Since we are talking numbers and hard facts


I'm rather interested in not numbers but facts on the E2E
transparency, because, without the transparency, legacy
NAT44 should be enough.

But, as you insist on numbers:


> 42% of usa accesses google on ipv6
>
> https://www.google.com/intl/en/ipv6/statistics.html


The proper number to be considered should be percentage of IPv6
hosts which can not communicate with IPv4 only hosts.

Isn't it 0%?

Masataka Ohta


Re: CGNAT Solutions

2020-04-29 Thread Brandon Martin

On 4/29/20 10:12 PM, William Herrin wrote:

> > What allows them to work with v6 in such an efficient manner?
> A piece of client software is installed on every phone that presents
> an IPv4 address to the phone and then translates packets to IPv6 for
> relay over the network. This works because T-Mobile has considerable
> control over the phone.


FWIW, this software component (the CLAT) can also be on the CPE edge 
router which many ISPs either control outright these days or at least 
can influence.

--
Brandon Martin


Re: CGNAT Solutions

2020-04-29 Thread William Herrin
On Wed, Apr 29, 2020 at 5:27 PM Thomas Scott  wrote:
> > cell-phone environment. A classic small ISP fills a different niche.
>
> I've dealt with traditional cable and fiber SP environments, but I'm curious 
> how the architecture differs so drastically with T-Mobile to allow v6 to work 
> so seamlessly. From working with their techs when turning up circuits, I 
> don't feel like their architecture and the ones I've worked in differ too 
> dramatically. My private cell service is through a tmo reseller, and I've 
> only ever had a public v6 address on them.
>
> What allows them to work with v6 in such an efficient manner?

A piece of client software is installed on every phone that presents
an IPv4 address to the phone and then translates packets to IPv6 for
relay over the network. This works because T-Mobile has considerable
control over the phone.

https://www.internetsociety.org/resources/deploy360/2014/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
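The CLAT/PLAT split that Brandon and Bill describe above rests on one mechanism: an IPv4 address carried inside an IPv6 /96 prefix, so the host-side CLAT can send IPv4 traffic over an IPv6-only access network and the provider-side NAT64 (the PLAT) can recover the IPv4 destination at the border. The following is an added example, not code from the thread, from T-Mobile or from the linked case study. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 for the PLAT, a documentation prefix 2001:db8:1:1::/96 standing in for the CLAT's own /96, 192.0.2.1 as the PLAT's IPv4 pool address, and it ignores ports.

```python
"""Address synthesis on a 464XLAT path (RFC 6052 /96 embedding).

Constructed example: the CLAT on the phone or CPE keeps the application's
IPv4 socket and rewrites the packet to IPv6 for the IPv6-only access
network; the provider-side PLAT (stateful NAT64) turns it back into IPv4
at the border. 64:ff9b::/96 is the RFC 6052 well-known NAT64 prefix;
2001:db8:1:1::/96 stands in for the CLAT's own /96 and 192.0.2.1 for the
PLAT's IPv4 pool (both documentation addresses). Ports are omitted.
"""
import ipaddress
from typing import Optional, Tuple

PLAT_PREFIX = ipaddress.ip_network("64:ff9b::/96")
CLAT_PREFIX = ipaddress.ip_network("2001:db8:1:1::/96")   # constructed


def embed(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """IPv4 -> IPv6: the 32 address bits become the low 32 bits after a /96."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout of RFC 6052 is handled here")
    v4_bits = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4_bits))


def extract(prefix: ipaddress.IPv6Network, v6: str) -> Optional[str]:
    """IPv6 -> IPv4 if v6 lies inside the prefix; None for native IPv6."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def clat_translate(src4: str, dst4: str) -> Tuple[str, str]:
    """Stateless NAT46 on the host: the (src, dst) that leaves on the v6 link."""
    return embed(CLAT_PREFIX, src4), embed(PLAT_PREFIX, dst4)


def plat_translate(src6: str, dst6: str, state: dict,
                   pool_ip: str = "192.0.2.1") -> Optional[Tuple[str, str]]:
    """Stateful NAT64 at the border. A destination outside the PLAT prefix is
    native IPv6 and is left alone (None). An embedded destination is turned
    back into IPv4, and the src6 -> pool-address binding is the only state
    the PLAT keeps, hence the only thing it has to log."""
    dst4 = extract(PLAT_PREFIX, dst6)
    if dst4 is None:
        return None
    state.setdefault(src6, pool_ip)
    return state[src6], dst4


def demo_464xlat() -> dict:
    # 10.0.0.2 is the constructed private IPv4 the CLAT shows the application;
    # 198.51.100.20 plays an IPv4-only server, 2001:db8:ffff::1 a native v6 one.
    clat_src, clat_dst = clat_translate("10.0.0.2", "198.51.100.20")
    bindings: dict = {}
    return {
        "clat": (clat_src, clat_dst),
        "plat": plat_translate(clat_src, clat_dst, bindings),
        "native": plat_translate("2001:db8:1:1::1", "2001:db8:ffff::1", bindings),
        "bindings": len(bindings),
    }


if __name__ == "__main__":
    for key, value in demo_464xlat().items():
        print(key, value)
```

The `native` case is the point Ca By makes later in the thread: traffic to a dual-stack destination never touches the CLAT or the PLAT, so the only sessions that consume NAT64 state (and logging) are the ones to IPv4-only hosts.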


Re: CGNAT Solutions

2020-04-29 Thread William Herrin
On Wed, Apr 29, 2020 at 7:19 AM Ca By  wrote:
> Since we are talking numbers and hard facts
>
> 42% of usa accesses google on ipv6
>
> https://www.google.com/intl/en/ipv6/statistics.html

Be careful with those stats; they might not be telling you what you
think they are. For example, phone clients are characteristically
different than classic ISP clients. A substantial portion, perhaps
majority of Google's use comes from phone clients but the numbers
aren't broken out in those roll-up stats.

Among others, T-Mobile has demonstrated that a v6-only infrastructure
(with some v4 and NAT at the border) is credible and achievable in a
cell-phone environment. A classic small ISP fills a different niche.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RE: CGNAT Solutions

2020-04-29 Thread Aaron Gould
In testing, I observed that opening a website, for instance cnn.com, can cause >200 
ports/sessions to fire off.  Although many are short-lived sessions, they are 
port requests nonetheless.

Overall, I use about 1,500 public ip's for 50,000 private ip customers

I allow 3,000 ports per customer ... 30 blocks of 100 each

We started our port blocks at a nice round number, so that each pba dynamic 
assignment results in nice 100-199, next 200-299  good for parsing, 
grep'ing logs for doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, and what 
appear to be misbehaving hosts (malware, infected, bots, etc, unsure) hit up at 
the 3,000 max and trigger a ports exceeded error message.  I see the 3k port 
limit as putting a cap on free-running suspicious hosts.  We can then 
investigate and contact the customer about the concern.

-Aaron


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog@nanog.org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
> 
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.


I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required.

One would think a 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IOT,
etc, maybe not?


-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
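Aaron's scheme above (blocks of 100 ports starting on a round number, a cap of 30 blocks per customer, and logs that only record block allocations, so a subpoena lookup is a grep over block ranges) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Aaron's Juniper deployment or from any vendor. Customer names, timestamps, the public address 203.0.113.10 and the choice to hand out the lowest free block first are all constructed assumptions.

```python
"""Port block allocation (PBA) with block-level logging and a reverse lookup.

Constructed example: blocks of 100 external ports that start on a round
number, at most 30 blocks (3,000 ports) per customer, and a log line only
when a block is allocated or released, never per session. Customer names,
timestamps and the 203.0.113.10 public address are made up.
"""
import heapq
from dataclasses import dataclass, field
from typing import Optional

BLOCK_SIZE = 100
MAX_BLOCKS = 30           # 30 x 100 = 3,000 ports per customer
FIRST_BLOCK = 1000        # ports below 1000 are left unallocated
LAST_PORT = 65535


@dataclass
class Cgnat:
    public_ip: str
    log: list = field(default_factory=list)     # ALLOC/FREE events: the only audit trail
    alerts: list = field(default_factory=list)  # customers that hit the cap
    free: list = field(default_factory=list)    # min-heap of free block start ports
    owned: dict = field(default_factory=dict)   # customer -> list of block starts

    def __post_init__(self) -> None:
        # Block starts 1000, 1100, ..., 65400 (65400-65499 is the last full block).
        self.free = list(range(FIRST_BLOCK, LAST_PORT - BLOCK_SIZE + 2, BLOCK_SIZE))
        heapq.heapify(self.free)

    def _span(self, start: int) -> str:
        return f"{self.public_ip}:{start}-{start + BLOCK_SIZE - 1}"

    def allocate(self, customer: str, ts: int) -> Optional[int]:
        """Give the customer one more block, or None if capped or exhausted."""
        blocks = self.owned.setdefault(customer, [])
        if len(blocks) >= MAX_BLOCKS:
            # Hitting the cap is the signal the post uses to spot runaway hosts.
            self.alerts.append(f"{ts} {customer} ports-exceeded")
            return None
        if not self.free:
            return None
        start = heapq.heappop(self.free)          # lowest free block first (assumption)
        blocks.append(start)
        self.log.append(f"{ts} ALLOC {customer} {self._span(start)}")
        return start

    def release(self, customer: str, start: int, ts: int) -> None:
        self.owned[customer].remove(start)
        heapq.heappush(self.free, start)
        self.log.append(f"{ts} FREE {customer} {self._span(start)}")


def lookup(log: list, public_ip: str, port: int, ts: int) -> Optional[str]:
    """Who held public_ip:port at time ts?  Replays the block log in order;
    the timestamp matters because freed blocks get reused."""
    holder = None
    for line in log:
        when, event, customer, endpoint = line.split()
        if int(when) > ts:
            break
        ip, span = endpoint.split(":")
        lo, hi = (int(p) for p in span.split("-"))
        if ip == public_ip and lo <= port <= hi:
            holder = customer if event == "ALLOC" else None
    return holder


def demo_pba() -> dict:
    nat = Cgnat("203.0.113.10")
    first = nat.allocate("cust-A", ts=100)   # 1000-1099
    nat.allocate("cust-B", ts=110)           # 1100-1199
    nat.release("cust-A", first, ts=200)
    nat.allocate("cust-C", ts=210)           # 1000-1099 is reused
    for i in range(MAX_BLOCKS + 1):          # one host chews through the cap
        nat.allocate("cust-bot", ts=300 + i)
    return {
        "port_1050_at_150": lookup(nat.log, "203.0.113.10", 1050, 150),
        "port_1050_at_205": lookup(nat.log, "203.0.113.10", 1050, 205),
        "port_1050_at_300": lookup(nat.log, "203.0.113.10", 1050, 300),
        "bot_blocks": len(nat.owned["cust-bot"]),
        "alerts": nat.alerts,
        "log_lines": len(nat.log),
    }


if __name__ == "__main__":
    for key, value in demo_pba().items():
        print(key, value)
```

Two things the model makes visible: the whole history of a 50,000-customer deployment is a few block events per customer rather than one line per session, and a lookup that ignores the timestamp would attribute port 1050 to the wrong customer once the block has been recycled, so the abuse-desk query must always carry the time as well as IP and port.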



Re: CGNAT Solutions

2020-04-29 Thread Mikael Abrahamsson via NANOG

On Wed, 29 Apr 2020, Robert Blayzor wrote:

> So as a happy medium of about 2048 ports per subscriber, that's roughly 
> a 32:1 NAT/IP over-subscription ?


Yes, around that.

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: CGNAT Solutions

2020-04-29 Thread John Alcock
Thank you everyone for the suggestions.

To clarify small ISP.

12K subscribers
35 Gigs traffic at peak.

Growing about 500 megs per month traffic.

John

On Tue, Apr 28, 2020 at 3:12 PM John Alcock  wrote:

> Afternoon,
>
> I run a small ISP in Tennessee.  COVID has forced a lot of people to work
> from home.  I am starting to run low on IP's and need to consider CGNAT.
>
> I do have IPV6 space, but we all know that until we force everyone to move
> to IPV6, we need to keep IPV4 up and running.
>
> I could buy more space, but I am really wondering if that is the
> best option.  It is expensive. I know CGNAT devices are expensive as well,
> but it looks like I could stretch it out a bit.
>
> My thinking is to convert about 50% of my subscribers to CGNAT.
>
> I am interested in vendors or devices you have used in the past.  I
> already know about the pitfalls many of my subscribers will have with CGNAT
> such as VPN's, Gamers, etc.
>
> What are your thoughts on CGNAT vendors?
>
> A10Networks
> F5Networks
> Others?
>


Re: CGNAT Solutions

2020-04-29 Thread Robert Blayzor
On 4/29/20 10:29 AM, Mikael Abrahamsson wrote:
> There are some numbers in there for instance talking about 1024 ports
> per subscriber as a good number. In presentations I have seen over time,
> people typically talk about 512-4096 as being a good number for the bulk
> port allocation size.


So as a happy medium of about 2048 ports per subscriber, that's roughly
a 32:1 NAT/IP over-subscription ?

-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/


Re: CGNAT Solutions

2020-04-29 Thread Mike Hammett
I haven't used them, but 6-WIND is pretty proud of their CGNAT performance. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "John Alcock"  
To: nanog@nanog.org 
Sent: Tuesday, April 28, 2020 2:12:29 PM 
Subject: CGNAT Solutions 


Afternoon, 


I run a small ISP in Tennessee. COVID has forced a lot of people to work from 
home. I am starting to run low on IP's and need to consider CGNAT. 


I do have IPV6 space, but we all know that until we force everyone to move to 
IPV6, we need to keep IPV4 up and running. 


I could buy more space, but I am really wondering if that is the best option. 
It is expensive. I know CGNAT devices are expensive as well, but it looks like 
I could stretch it out a bit. 


My thinking is to convert about 50% of my subscribers to CGNAT. 


I am interested in vendors or devices you have used in the past. I already know 
about the pitfalls many of my subscribers will have with CGNAT such as VPN's, 
Gamers, etc. 


What are your thoughts on CGNAT vendors? 


A10Networks 
F5Networks 
Others? 


Re: CGNAT Solutions

2020-04-29 Thread Mikael Abrahamsson via NANOG

On Wed, 29 Apr 2020, Robert Blayzor wrote:

> One would think a 1000 ports would be enough, but if you have a dozen 
> devices at home all browsing and doing various things, and with IOT, 
> etc, maybe not?


https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-best-practices.html

There are some numbers in there for instance talking about 1024 ports per 
subscriber as a good number. In presentations I have seen over time, 
people typically talk about 512-4096 as being a good number for the bulk 
port allocation size.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: CGNAT Solutions

2020-04-29 Thread james jones
How big is your ip pool for CGNAT?

On Wed, Apr 29, 2020 at 10:17 AM Robert Blayzor 
wrote:

> On 4/28/20 11:01 PM, Brandon Martin wrote:
> > Depending on how many IPs you need to reclaim and what your target
> > IP:subscriber ratio is, you may be able to eliminate the need for a lot
> > of logging by assigning a range of TCP/UDP ports to a single inside IP
> > so that the TCP/UDP port number implies a specific subscriber.
> >
> > You can't get rid of all the state tracking without also having the CPE
> > know which ports to use (in which case you might as well use LW4o6 or
> > MAP), but at least you can get it down to where you really only need to
> > log (or block and dole out public IPs as needed) port-less protocols.
>
>
> I'm wondering if there are any real world examples of this, namely in
> the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
> a range of 1000 ports enough for one residential subscriber? How
> about SMB where no global IP is required.
>
> One would think a 1000 ports would be enough, but if you have a dozen
> devices at home all browsing and doing various things, and with IOT,
> etc, maybe not?
>
>
> --
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP:  https://pgp.inoc.net/rblayzor/
>
-- 
Sent from Gmail Mobile


Re: CGNAT Solutions

2020-04-29 Thread Tarko Tikan

hey,


> I'm wondering if there are any real world examples of this, namely in
> the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
> a range of 1000 ports enough for one residential subscriber? How
> about SMB where no global IP is required.
>
> One would think a 1000 ports would be enough, but if you have a dozen
> devices at home all browsing and doing various things, and with IOT,
> etc, maybe not?


1000 ports doesn't mean you can have at max 1000 layer-4 sessions at 
once. It means you can have 1000 sessions to a single destination IP+port. 
You can reuse the same source port numbers for a different destination IP or 
even destination port.


We are seeing very good results with 256 ports per subscriber in the 
mobile scenario where the consumer is a mobile handset. So it is not directly 
translatable to a broadband setup, but still a good data point.


If you must go CGNAT today it's only reasonable to use PBA (so you log 
only block allocations) or pure deterministic where you have strict 
mapping between inside IP and outside IP+portrange so you don't need any 
logs at all.


--
tarko
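Tarko makes two separate points above: a port range bounds sessions per destination, not sessions in total, and a strict (deterministic) inside-IP to outside-IP+range mapping removes the need for any log because the reverse question is arithmetic. The following is an added example written for this page, not code from Tarko's network or from any CGNAT product. It assumes a /22 of RFC 6598 shared space (100.64.0.0/22) on the inside, the documentation range 203.0.113.0/28 as the outside pool, 256 ports per subscriber starting at port 1024, and constructed destination hosts in 198.51.100.0/24 and 192.0.2.0/24.

```python
"""Deterministic CGNAT mapping, and why N ports is not N sessions.

Constructed example. Inside space is a slice of the RFC 6598 shared range
(100.64.0.0/22); the outside pool is the documentation range 203.0.113.0/28;
256 ports per subscriber follows the mobile figure quoted in the thread.
"""
import ipaddress
from typing import Optional

PORTS_PER_SUB = 256
FIRST_PORT = 1024                                       # keep well-known ports out of the pool
RANGES_PER_IP = (65536 - FIRST_PORT) // PORTS_PER_SUB   # 252 subscribers per outside IP

INSIDE = ipaddress.ip_network("100.64.0.0/22")      # 1024 inside hosts
OUTSIDE = ipaddress.ip_network("203.0.113.0/28")    # 16 outside IPs = 4032 ranges


def outside_for(inside_ip: str) -> tuple[str, int, int]:
    """Strict inside IP -> (outside IP, first port, last port); pure arithmetic."""
    idx = int(ipaddress.ip_address(inside_ip)) - int(INSIDE.network_address)
    if not 0 <= idx < INSIDE.num_addresses:
        raise ValueError(f"{inside_ip} is not in the inside range")
    ip_idx, slot = divmod(idx, RANGES_PER_IP)
    if ip_idx >= OUTSIDE.num_addresses:
        raise ValueError("outside pool too small for the inside range")
    first = FIRST_PORT + slot * PORTS_PER_SUB
    return str(OUTSIDE[ip_idx]), first, first + PORTS_PER_SUB - 1


def inside_for(outside_ip: str, port: int) -> Optional[str]:
    """The abuse-desk question (who was 203.0.113.x:port?) answered with no log."""
    if not FIRST_PORT <= port <= 65535:
        return None
    ip_idx = int(ipaddress.ip_address(outside_ip)) - int(OUTSIDE.network_address)
    if not 0 <= ip_idx < OUTSIDE.num_addresses:
        return None
    idx = ip_idx * RANGES_PER_IP + (port - FIRST_PORT) // PORTS_PER_SUB
    return str(INSIDE[idx]) if idx < INSIDE.num_addresses else None


class Napt:
    """NAPT over one subscriber's range, keyed on the full 5-tuple: an external
    port is free for reuse as long as the (dst_ip, dst_port) differs."""

    def __init__(self, first: int, last: int) -> None:
        self.first, self.last = first, last
        self.sessions: dict = {}   # (ext_port, dst_ip, dst_port) -> (src_ip, src_port)

    def open(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[int]:
        for ext in range(self.first, self.last + 1):
            if (ext, dst_ip, dst_port) not in self.sessions:
                self.sessions[(ext, dst_ip, dst_port)] = (src_ip, src_port)
                return ext
        return None   # range exhausted for *this* destination only


def demo_deterministic() -> dict:
    out_ip, lo, hi = outside_for("100.64.1.4")
    nat = Napt(lo, hi)
    # 300 distinct destinations (constructed 198.51.100.x hosts) fit in 256 ports...
    dests = [(f"198.51.100.{i}", 443) for i in range(1, 201)] + \
            [(f"198.51.100.{i}", 80) for i in range(1, 101)]
    multi = [nat.open("100.64.1.4", 40000 + i, ip, p) for i, (ip, p) in enumerate(dests)]
    # ...but 257 sessions to one destination do not.
    single = [nat.open("100.64.1.4", 50000 + i, "192.0.2.7", 443) for i in range(257)]
    return {
        "outside": (out_ip, lo, hi),
        "roundtrip": inside_for(out_ip, lo + 17),
        "multi_dest_all_ok": all(p is not None for p in multi),
        "multi_dest_distinct_ports": len(set(multi)),
        "single_dest_failures_in_256": single[:256].count(None),
        "single_dest_257th": single[256],
        "sessions": len(nat.sessions),
    }


if __name__ == "__main__":
    for key, value in demo_deterministic().items():
        print(key, value)
```

The trade-off worth knowing before picking the 5-tuple scheme: reusing one external port across destinations means the mapping a peer sees depends on who that peer is, which is exactly the behaviour that defeats hole-punching for games and uPnP-style port reservations, the complaints that come up elsewhere in this thread. A deterministic range with a per-subscriber mapping keeps the no-logging property while leaving the mapping behaviour as a separate choice.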


Re: CGNAT Solutions

2020-04-29 Thread Ca By
On Wed, Apr 29, 2020 at 1:06 AM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:

> Brandon Martin wrote:
>
> >> If you mean getting rid of logging, not necessarily. It is enough if
> >> CPEs are statically allocated ranges of external port numbers.
> >
> > Yes, you can get rid of the logging by statically allocating ranges of
> > port numbers to a particular customer.
>
> And, that was the original concern.
>
> > What I was referring to, though, was the programmatic state tracking of
> > the {external IP, external port}-{internal IP, internal port} mappings.
>
> OK.
>
> >   You can't eliminate that unless the CPE also knows what internal port
> > range it's mapped to so that it restricts what range it uses.  If you
> > can do that, you can get rid of the programmatic state tracking entirely
> > and just use static translations for TCP and UDP which, while nice, is
> > impractical.  You're about 95% of the way to LW4o6 or MAP at that point.
>
> Interesting. Then, if you can LW4o6 or MAP, you are about 95% of the
> way to E2ENAT with complete end to end transparency using IPv4 only,
> which means we don't need IPv6 with 4to6 NAT lacking the transparency.
>
> https://tools.ietf.org/html/draft-ohta-e2e-nat-00
>
> Masataka Ohta
>

Since we are talking numbers and hard facts

42% of usa accesses google on ipv6

https://www.google.com/intl/en/ipv6/statistics.html






Re: CGNAT Solutions

2020-04-29 Thread Robert Blayzor
On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
> 
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.


I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required.

One would think a 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IOT,
etc, maybe not?


-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/


Re: CGNAT Solutions

2020-04-29 Thread Masataka Ohta

Brandon Martin wrote:


> > If you mean getting rid of logging, not necessarily. It is enough if
> > CPEs are statically allocated ranges of external port numbers.


> Yes, you can get rid of the logging by statically allocating ranges of 
> port numbers to a particular customer.


And, that was the original concern.

> What I was referring to, though, was the programmatic state tracking of 
> the {external IP, external port}-{internal IP, internal port} mappings.


OK.

> You can't eliminate that unless the CPE also knows what internal port 
> range it's mapped to so that it restricts what range it uses.  If you 
> can do that, you can get rid of the programmatic state tracking entirely 
> and just use static translations for TCP and UDP which, while nice, is 
> impractical.  You're about 95% of the way to LW4o6 or MAP at that point.


Interesting. Then, if you can LW4o6 or MAP, you are about 95% of the
way to E2ENAT with complete end to end transparency using IPv4 only,
which means we don't need IPv6 with 4to6 NAT lacking the transparency.

https://tools.ietf.org/html/draft-ohta-e2e-nat-00

Masataka Ohta



Re: CGNAT Solutions

2020-04-29 Thread Brandon Martin

On 4/29/20 2:35 AM, Masataka Ohta wrote:

> If you mean getting rid of logging, not necessarily. It is enough if
> CPEs are statically allocated ranges of external port numbers.


Yes, you can get rid of the logging by statically allocating ranges of
port numbers to a particular customer.

What I was referring to, though, was the programmatic state tracking of
the {external IP, external port}-{internal IP, internal port} mappings.

You can't eliminate that unless the CPE also knows what internal port
range it's mapped to so that it restricts what range it uses.  If you
can do that, you can get rid of the programmatic state tracking entirely
and just use static translations for TCP and UDP which, while nice, is
impractical.  You're about 95% of the way to LW4o6 or MAP at that point.

--
Brandon Martin


Re: CGNAT Solutions

2020-04-29 Thread Masataka Ohta

Brandon Martin wrote:

> You can't get rid of all the state tracking without also having the CPE 
> know which ports to use


If you mean getting rid of logging, not necessarily. It is enough if
CPEs are statically allocated ranges of external port numbers.

Masataka Ohta


Re: CGNAT Solutions

2020-04-28 Thread Brandon Martin

On 4/28/20 4:53 PM, William Herrin wrote:

> How small is small? Up to a certain size regular NAT with enough
> logging to trace back abusers will tend to work fine. If we're talking
> single-digit gbps, it may not be worth the effort to consider the
> wonderful world of CGNAT.


Depending on how many IPs you need to reclaim and what your target 
IP:subscriber ratio is, you may be able to eliminate the need for a lot 
of logging by assigning a range of TCP/UDP ports to a single inside IP 
so that the TCP/UDP port number implies a specific subscriber.


You can't get rid of all the state tracking without also having the CPE 
know which ports to use (in which case you might as well use LW4o6 or 
MAP), but at least you can get it down to where you really only need to 
log (or block and dole out public IPs as needed) port-less protocols.

--
Brandon Martin


Re: CGNAT Solutions

2020-04-28 Thread Jared Geiger
Take a look at DANOS for CG-NAT as a free solution or Netgate's TNSR has a
CG-NAT feature https://www.tnsr.com/features

On Tue, Apr 28, 2020 at 2:57 PM JORDI PALET MARTINEZ via NANOG <
nanog@nanog.org> wrote:

> I will say it is much better to consider 464XLAT with NAT64, if the CPEs
> allow it.
>
>
>
> https://datatracker.ietf.org/doc/rfc8683/
>
>
>
> I’m right now doing a deployment for 25.000.000 customers of an ISP (GPON,
> DSL and cellular mix), all the testing has been done, and all doing fine.
>
>
>
> I’ve done it already for smaller ISPs, but the size of this project is
> more interesting to better demonstrate that it just works.
>
>
>
> I plan to do a presentation when the information can be made public … bit
> delay because the Covid-19 confinement.
>
>
>
> Regards,
>
> Jordi
>
> @jordipalet
>
>
>
>
>
>
>
> On 28/4/20 21:15, "NANOG on behalf of John Alcock" <
> nanog-boun...@nanog.org on behalf of j...@alcock.org> wrote:
>
>
>
> Afternoon,
>
>
>
> I run a small ISP in Tennessee.  COVID has forced a lot of people to work
> from home.  I am starting to run low on IP's and need to consider CGNAT.
>
>
>
> I do have IPV6 space, but we all know that until we force everyone to move
> to IPV6, we need to keep IPV4 up and running.
>
>
>
> I could buy more space, but I am really wondering if that is the
> best option.  It is expensive. I know CGNAT devices are expensive as well,
> but it looks like I could stretch it out a bit.
>
>
>
> My thinking is to convert about 50% of my subscribers to CGNAT.
>
>
>
> I am interested in vendors or devices you have used in the past.  I
> already know about the pitfalls many of my subscribers will have with CGNAT
> such as VPN's, Gamers, etc.
>
>
>
> What are your thoughts on CGNAT vendors?
>
>
>
> A10Networks
>
> F5Networks
>
> Others?
>
>
>


Re: CGNAT Solutions

2020-04-28 Thread JORDI PALET MARTINEZ via NANOG
I will say it is much better to consider 464XLAT with NAT64, if the CPEs allow 
it.

 

https://datatracker.ietf.org/doc/rfc8683/

 

I’m right now doing a deployment for 25.000.000 customers of an ISP (GPON, DSL 
and cellular mix), all the testing has been done, and all doing fine.

 

I’ve done it already for smaller ISPs, but the size of this project is more 
interesting to better demonstrate that it just works.

 

I plan to do a presentation when the information can be made public … bit delay 
because the Covid-19 confinement.

 

Regards,

Jordi

@jordipalet

 

 

 

On 28/4/20 21:15, "NANOG on behalf of John Alcock" wrote:

 

Afternoon,

 

I run a small ISP in Tennessee.  COVID has forced a lot of people to work from 
home.  I am starting to run low on IP's and need to consider CGNAT.

 

I do have IPV6 space, but we all know that until we force everyone to move to 
IPV6, we need to keep IPV4 up and running.

 

I could buy more space, but I am really wondering if that is the best option.  
It is expensive. I know CGNAT devices are expensive as well, but it looks like 
I could stretch it out a bit.

 

My thinking is to convert about 50% of my subscribers to CGNAT.

 

I am interested in vendors or devices you have used in the past.  I already 
know about the pitfalls many of my subscribers will have with CGNAT such as 
VPN's, Gamers, etc.

 

What are your thoughts on CGNAT vendors?  

 

A10Networks

F5Networks

Others?






Re: CGNAT Solutions

2020-04-28 Thread William Herrin
On Tue, Apr 28, 2020 at 12:12 PM John Alcock  wrote:
> I run a small ISP in Tennessee.  I am starting to run low on IP's and need to 
> consider CGNAT.

Hi John,

How small is small? Up to a certain size regular NAT with enough
logging to trace back abusers will tend to work fine. If we're talking
single-digit gbps, it may not be worth the effort to consider the
wonderful world of CGNAT.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RE: CGNAT Solutions

2020-04-28 Thread Aaron Gould
Hi John, I run a small/medium ISP in Texas.  A few years ago, needing to do the 
same thing you are speaking of, I lab evaluated the Cisco ASR9k VSM-500 and 
Juniper MX104 MS-MIC-16G… in the end I went with Juniper.  No regrets, been 
good and holding strong.  I’ve scaled it way beyond what I originally 
envisioned.  (but bought more as well)

 

I slow started my CGNat deployment, like with most things, baby-steps when 
doing something as extreme as taking away the public ip  address from my isp 
residential customers… so yeah, slow-start…

 

DSL was my first target.  One DSLAM at a time, waiting for issues to arise and 
dealing with them along the way, the best I could.  …until we had 6,000 dsl 
customers behind a pair of Juniper MX104’s with MS-MIC-16G cards, running fine.
(all done via mpls l3vpn for virtual L3 routing into and out of the nat 
boundary… so one vrf for inside, and one vrf for outside)…peak load as I recall 
was about 3 gbps on each MX104, so 6 gbps total.

 

Next, about a year or so later, we went after Cable Modem CMTS communities.  
But, added MS-MPC-128G modules to a pair of our mpls 100 gig ring MX960 nodes.  
This was another 5,000 subs or so.  (this was about 2 or 3 years ago).  Learned 
a lot during that one.  A lot about ecmp, inet.3 mp-ibgp route choices, (set 
protocols ldp track-igp-metric… is your friend), app, eim, eif, ams/mams 
interfaces and load-balancing on the source-ip…. Let that ride for a year or 
so…then…

 

…went after our FTTH communities.  Probably about 30 or 40 thousand ip’s were 
recoup’d here.  FTTH was nat’d behind (4) additional MS-MPC-128G modules in (4) 
other 100 gig mpls ring mx960 nodes.

 

There have been recent concerns about uPNP not working behind the cgnat’s.

 

All in all, we are getting lots of use out of our Juniper CGNat solution.  All 
told, it’s about 50,000 customers behind the (2) MX104’s and (6) MX960’s 
getting nat’d.

 

-Aaron

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Alcock
Sent: Tuesday, April 28, 2020 2:12 PM
To: nanog@nanog.org
Subject: CGNAT Solutions

 

Afternoon,

 

I run a small ISP in Tennessee.  COVID has forced a lot of people to work from 
home.  I am starting to run low on IP's and need to consider CGNAT.

 

I do have IPV6 space, but we all know that until we force everyone to move to 
IPV6, we need to keep IPV4 up and running.

 

I could buy more space, but I am really wondering if that is the best option.  
It is expensive. I know CGNAT devices are expensive as well, but it looks like 
I could stretch it out a bit.

 

My thinking is to convert about 50% of my subscribers to CGNAT.

 

I am interested in vendors or devices you have used in the past.  I already 
know about the pitfalls many of my subscribers will have with CGNAT such as 
VPN's, Gamers, etc.

 

What are your thoughts on CGNAT vendors?  

 

A10Networks

F5Networks

Others?



Re: CGNAT Solutions

2020-04-28 Thread Baldur Norddahl
Just go with Linux and iptables. It is by far the cheapest option and it
just works.


Tue. 28 Apr 2020 21.13 John Alcock wrote:

> Afternoon,
>
> I run a small ISP in Tennessee.  COVID has forced a lot of people to work
> from home.  I am starting to run low on IP's and need to consider CGNAT.
>
> I do have IPV6 space, but we all know that until we force everyone to move
> to IPV6, we need to keep IPV4 up and running.
>
> I could buy more space, but I am really wondering if that is the
> best option.  It is expensive. I know CGNAT devices are expensive as well,
> but it looks like I could stretch it out a bit.
>
> My thinking is to convert about 50% of my subscribers to CGNAT.
>
> I am interested in vendors or devices you have used in the past.  I
> already know about the pitfalls many of my subscribers will have with CGNAT
> such as VPN's, Gamers, etc.
>
> What are your thoughts on CGNAT vendors?
>
> A10Networks
> F5Networks
> Others?
>


CGNAT Solutions

2020-04-28 Thread John Alcock
Afternoon,

I run a small ISP in Tennessee.  COVID has forced a lot of people to work
from home.  I am starting to run low on IP's and need to consider CGNAT.

I do have IPV6 space, but we all know that until we force everyone to move
to IPV6, we need to keep IPV4 up and running.

I could buy more space, but I am really wondering if that is the
best option.  It is expensive. I know CGNAT devices are expensive as well,
but it looks like I could stretch it out a bit.

My thinking is to convert about 50% of my subscribers to CGNAT.

I am interested in vendors or devices you have used in the past.  I already
know about the pitfalls many of my subscribers will have with CGNAT such as
VPN's, Gamers, etc.

What are your thoughts on CGNAT vendors?

A10Networks
F5Networks
Others?