Re: Survey on IPv4 Scarcity, IPv6 Adoption, Carrier-Grade NAT Deployment

2015-12-17 Thread Philipp Richter
Dear NANOG readers,

thank you very much for your participation in this survey. We already
received more than 60 replies from ISPs all over the world.

If you work for an ISP and didn't answer yet, we would greatly
appreciate your response.

Link to the survey: http://natsurvey.icsi.berkeley.edu/

(approx. 5 minutes, all questions explicitly optional)

thank you!

On 08/12/15 00:22, Philipp Richter wrote:
> Dear NANOG readers,
> 
> we are a team of researchers from ICSI Berkeley, TU Berlin, TU Munich,
> Internet Initiative Japan and UC Berkeley jointly working on a project
> to assess the effects of IPv4 address exhaustion.
> 
> As part of our research, we conduct a survey among network operators.
> The goal of this survey is to better understand the degree of IPv4
> scarcity that ISPs face and which measures are taken to combat it (IPv4
> Carrier-Grade NAT deployment, IPv4 address markets, and IPv6 transition
> mechanisms).
> 
> If you work for an ISP that connects end-users to the Internet, we would
> greatly appreciate your response.
> 
> To participate, please visit http://natsurvey.icsi.berkeley.edu/
> 
> (answering should take about 5 minutes, all questions are explicitly
> optional).
> 
> We will make anonymized results of this survey available to the public
> in early 2016.
> 
> Thank you very much for your support!
> 
> 
> If you have questions or concerns, please feel free to contact me
> directly at prichter AT icsi DOT berkeley DOT edu.
> 
> --
> Philipp Richter
> Research Assistant / PhD Student
> TU Berlin / ICSI
> 


Survey on IPv4 Scarcity, IPv6 Adoption, Carrier-Grade NAT Deployment

2015-12-07 Thread Philipp Richter
Dear NANOG readers,

we are a team of researchers from ICSI Berkeley, TU Berlin, TU Munich,
Internet Initiative Japan and UC Berkeley jointly working on a project
to assess the effects of IPv4 address exhaustion.

As part of our research, we conduct a survey among network operators.
The goal of this survey is to better understand the degree of IPv4
scarcity that ISPs face and which measures are taken to combat it (IPv4
Carrier-Grade NAT deployment, IPv4 address markets, and IPv6 transition
mechanisms).

If you work for an ISP that connects end-users to the Internet, we would
greatly appreciate your response.

To participate, please visit http://natsurvey.icsi.berkeley.edu/

(answering should take about 5 minutes, all questions are explicitly
optional).

We will make anonymized results of this survey available to the public
in early 2016.

Thank you very much for your support!


If you have questions or concerns, please feel free to contact me
directly at prichter AT icsi DOT berkeley DOT edu.

--
Philipp Richter
Research Assistant / PhD Student
TU Berlin / ICSI


Re: Carrier Grade NAT

2014-08-01 Thread Lee Howard


On 7/30/14 3:45 PM, joshua rayburn jbrayb...@gmail.com wrote:


Starting in 3.10 code you can utilize Bulk Port Allocation to carve out
small consecutive port bundles for end users as to not mess up SIP
functions and High Speed Logging to log individual customers' ports for law
enforcement needs without overrunning your logging server.


http://tools.ietf.org/html/rfc6056 documents a security concern with bulk
port assignments.

Lee




Re: Carrier Grade NAT

2014-08-01 Thread Shawn L
Slightly off-topic but what are people using as a cpe device in a
dual-stack scenario like this?

On Friday, August 1, 2014, Lee Howard l...@asgard.org wrote:



 On 7/30/14 3:45 PM, joshua rayburn jbrayb...@gmail.com wrote:

 
 Starting in 3.10 code you can utilize Bulk Port Allocation to carve out
 small consecutive port bundles for end users as to not mess up SIP
 functions and High Speed Logging to log individual customers' ports for law
 enforcement needs without overrunning your logging server.


 http://tools.ietf.org/html/rfc6056 documents a security concern with bulk
 port assignments.

 Lee





Re: Carrier Grade NAT

2014-07-30 Thread Mark Andrews

In message 
CAMfXtQwmpEqBk9CKRq2MpW15tRcuicZ_3DoJUsTBAM4=503...@mail.gmail.com, Gary 
Buhrmaster writes:
 On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong o...@delong.com wrote:
 
  On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
 .
  Add to that over half your traffic will switch to IPv6 as long as
  the customer has a IPv6 capable CPE.  That's a lot less logging you
  need to do from day 1.
 
  That would be nice, but I’m not 100% convinced that it is true.

 For the 99.99% of the users who believe that facebook and twitter
 *are* the internet, at least facebook is IPv6 enabled.  50.00%(*)!

 Yes, I think we can all stipulate that those participating
 on this list are different, and have different expectations,
 and different capabilities, than those other 99.99%.

 Gary

 (*) If we are going to make up statistics, four significant
 digits looks better than one.

Enable IPv6 at home and measure the traffic.  I did, which is why
I say > 50%.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Carrier Grade NAT

2014-07-30 Thread Owen DeLong
The only actual residential data I can offer is my own. I am fully dual stack 
and about 40% of my traffic is IPv6. I am a netflix subscriber, but also an 
amazon prime member.

I will say that if amazon would get off the dime and support IPv6, it would 
make a significant difference. 

Other than amazon and my financial institutions and Kaiser, living without IPv4 
wouldn't actually pose a hardship as near as I can tell from my day without v4 
experiment on June 6. 

I know Kaiser is working on it. Amazon apparently recently hired Yuri Rich to 
work on their issues. So that would leave my financial institutions. 

I think we are probably less than 5 years from residential IPv4 becoming a 
service that carries a surcharge, if available. 

Owen


 On Jul 29, 2014, at 22:42, Julien Goodwin na...@studio442.com.au wrote:
 
 On 29/07/14 22:22, Owen DeLong wrote:
 On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
 In message 20140729225352.go7...@hezmatt.org, Matt Palmer writes:
 On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
 thing, perhaps one day, but certainly not today (I really hate clueless
 people who shout to the hills that IPv6 is the solution for today's
 internet access)
 
 Do you have IPv6 deployed and available to your entire customer base, so
 that those who want to use it can do so?  To my way of thinking, CGNAT is
 probably going to be the number one driver of IPv6 adoption amongst the
 broad customer base, *as long as their ISP provides it*.
 
 Add to that over half your traffic will switch to IPv6 as long as
 the customer has a IPv6 capable CPE.  That's a lot less logging you
 need to do from day 1.
 
 That would be nice, but I’m not 100% convinced that it is true.
 
 Though it will be an increasing percentage over time.
 
 Definitely a good way of reducing the load on your CGN, with the additional 
 benefit
 that your network is part of the solution rather than part of the problem.
 
 Being on the content provider side I don't know the actual percentages
 in practice, but in the NANOG region you've got Google/Youtube, NetFlix,
 Akamai & Facebook all having a significant amount of their services v6
 native.
 
 I'd be very surprised if these four together weren't a majority of any
 consumer-facing network's traffic in peak times.


Re: Carrier Grade NAT

2014-07-30 Thread Corey Touchet
There's still a lot of websites that are not with the times.

No ipv6 on CNN, FOX, or NBC news websites.

Slashdot.org shame on you!


Comcast and ATT work, but not Verizon.  No surprise there.  Power company
nope.


I think CGN is fine for 99% of customers out there.  Until the iPhone came
out Verizon Wireless had natted all their blackberry customers and saved
millions of IPs.  Then Apple and Google blew a hole into that plan.


Then again I'm for IPv4 just running out and finally pushing people to
adopt.  The US Govt has done a better job of moving to IPv6 than private
industry which frankly is amazing all things considered.

Comcast is pushing over 1TBPS of IPv6 traffic, but I'm sure that's mainly
video from Youtube and Netflix.




On 7/30/14, 9:45 AM, Owen DeLong o...@delong.com wrote:

The only actual residential data I can offer is my own. I am fully dual
stack and about 40% of my traffic is IPv6. I am a netflix subscriber, but
also an amazon prime member.

I will say that if amazon would get off the dime and support IPv6, it
would make a significant difference.

Other than amazon and my financial institutions and Kaiser, living
without IPv4 wouldn't actually pose a hardship as near as I can tell from
my day without v4 experiment on June 6.

I know Kaiser is working on it. Amazon apparently recently hired Yuri
Rich to work on their issues. So that would leave my financial
institutions. 

I think we are probably less than 5 years from residential IPv4 becoming
a service that carries a surcharge, if available.

Owen


 On Jul 29, 2014, at 22:42, Julien Goodwin na...@studio442.com.au
wrote:
 
 On 29/07/14 22:22, Owen DeLong wrote:
 On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
 In message 20140729225352.go7...@hezmatt.org, Matt Palmer writes:
 On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a
viable
 thing, perhaps one day, but certainly not today (I really hate
clueless
 people who shout to the hills that IPv6 is the solution for
today's
 internet access)
 
 Do you have IPv6 deployed and available to your entire customer
base, so
 that those who want to use it can do so?  To my way of thinking,
CGNAT is
 probably going to be the number one driver of IPv6 adoption amongst
the
 broad customer base, *as long as their ISP provides it*.
 
 Add to that over half your traffic will switch to IPv6 as long as
 the customer has a IPv6 capable CPE.  That's a lot less logging you
 need to do from day 1.
 
 That would be nice, but I'm not 100% convinced that it is true.
 
 Though it will be an increasing percentage over time.
 
 Definitely a good way of reducing the load on your CGN, with the
additional benefit
 that your network is part of the solution rather than part of the
problem.
 
 Being on the content provider side I don't know the actual percentages
 in practice, but in the NANOG region you've got Google/Youtube, NetFlix,
 Akamai & Facebook all having a significant amount of their services v6
 native.
 
 I'd be very surprised if these four together weren't a majority of any
 consumer-facing network's traffic in peak times.



Re: Carrier Grade NAT

2014-07-30 Thread Chris Adams
Once upon a time, Corey Touchet corey.touc...@corp.totalserversolutions.com 
said:
 Comcast is pushing over 1TBPS of IPv6 traffic, but I'm sure that's mainly
 video from Youtube and Netflix.

One thing to remember about the video services that do support IPv6 is
that a lot of end users, even if they have IPv6 in the home, won't see
them over IPv6.  Many people watch Netflix and such from TV-connected
devices like DVD/Blu-Ray players, smart TVs, Xboxes, TiVos, etc.  Many
(most?) of these devices don't support IPv6, and many never will
(because they don't get firmware updates much after release).

-- 
Chris Adams c...@cmadams.net


Re: Carrier Grade NAT

2014-07-30 Thread TJ
On Wed, Jul 30, 2014 at 11:45 AM, Owen DeLong o...@delong.com wrote:

 <SNIP> Amazon apparently recently hired Yurie Rich <insert: and John
 Spence> to work on their issues. </SNIP>


And Yurie recently posted an opening for an IPv6 Engineer at same ... for
any so inclined.


/TJ


Re: Carrier Grade NAT

2014-07-30 Thread Doug Barton

On 07/30/2014 09:16 AM, Chris Adams wrote:

Once upon a time, Corey Touchet corey.touc...@corp.totalserversolutions.com 
said:

Comcast is pushing over 1TBPS of IPv6 traffic, but I'm sure that's mainly
video from Youtube and Netflix.


One thing to remember about the video services that do support IPv6 is
that a lot of end users, even if they have IPv6 in the home, won't see
them over IPv6.  Many people watch Netflix and such from TV-connected
devices like DVD/Blu-Ray players, smart TVs, Xboxes, TiVos, etc.  Many
(most?) of these devices don't support IPv6, and many never will
(because they don't get firmware updates much after release).


In the game console market, from what I could see from some quick 
searches, Xbox and Wii do v6, but PS4 does not. And as time goes on more 
things will do v6, not less. :)


The time for using "$FOO does not support IPv6, so I don't have to 
enable it" as an excuse is way past over.


Doug




Re: Carrier Grade NAT

2014-07-30 Thread Fred Baker (fred)

On Jul 30, 2014, at 8:45 AM, Owen DeLong o...@delong.com wrote:

 I will say that if amazon would get off the dime and support IPv6, it would 
 make a significant difference. 

Per Microsoft public statements, they are now moving address space allocated 
them in Brazil to the US to fill a major service shortfall in Azure. They’re 
not the only kids on the block with that problem, but are perhaps the one most 
publicly reported. To my way of thinking, having services like that adopt IPv6 
and tell their customers that they need to access the service using IPv6 would 
go a lot farther that residential service in pushing enterprise adoption.

http://tools.ietf.org/html/draft-anderson-siit-dc gives a fairly clever way to 
make it possible for the service itself to be IPv6-only and yet provide IPv4 
access, and preserve IPv4 addresses in the process.




Re: Carrier Grade NAT

2014-07-30 Thread Ca By
On Tue, Jul 29, 2014 at 11:56 PM, Mark Andrews ma...@isc.org wrote:

 In message 
 CAMfXtQwmpEqBk9CKRq2MpW15tRcuicZ_3DoJUsTBAM4=503...@mail.gmail.com, Gary 
 Buhrmaster writes:
 On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong o...@delong.com wrote:
 
  On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
 .
  Add to that over half your traffic will switch to IPv6 as long as
  the customer has a IPv6 capable CPE.  That's a lot less logging you
  need to do from day 1.
 
  That would be nice, but I’m not 100% convinced that it is true.

 For the 99.99% of the users who believe that facebook and twitter
 *are* the internet, at least facebook is IPv6 enabled.  50.00%(*)!

 Yes, I think we can all stipulate that those participating
 on this list are different, and have different expectations,
 and different capabilities, than those other 99.99%.

 Gary

 (*) If we are going to make up statistics, four significant
 digits looks better than one.

 Enable IPv6 at home and measure the traffic.  I did, which is why
 I say > 50%.


Orange Poland deployed 464XLAT on mobile and is seeing 62% native IPv6
and 38% NAT64 (slide 26)

http://www.data.proidea.org.pl/plnog/12edycja/day2/track4/01_ipv6_implementation.pdf

I don't have good measurements on this, but i assume the 11 million
464XLAT subscribers on T-Mobile US show a similar profile, possibly
higher due to Netflix now supporting IPv6 on Android.

CB


 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Carrier Grade NAT

2014-07-30 Thread Fred Baker (fred)

On Jul 30, 2014, at 8:45 AM, Owen DeLong o...@delong.com wrote:

 I will say that if amazon would get off the dime and support IPv6, it would 
 make a significant difference. 

Someone that works for Amazon once told me that they are primed for it now; the 
question is whether their customers tick the box appropriately.

Per Microsoft public statements, they are now moving address space allocated 
them in Brazil to the US to fill a major service shortfall in Azure. They’re 
not the only kids on the block with that problem, but are perhaps the one most 
publicly reported. To my way of thinking, having services like that adopt IPv6 
and tell their customers that they need to access the service using IPv6 would 
go a lot farther than residential service in pushing enterprise adoption.

http://tools.ietf.org/html/draft-anderson-siit-dc gives a fairly clever way to 
make it possible for the service itself to be IPv6-only and yet provide IPv4 
access, and preserve IPv4 addresses in the process. If I’m not mistaken, it’s 
pretty much what Facebook and others like them have implemented, with a view to 
being internally IPv6-only within a relatively short timeframe.




Re: Carrier Grade NAT

2014-07-30 Thread joshua rayburn
You can utilize an ASR 1006 / 1013 with an ESP card for CGN functionality.
Starting in 3.10 code you can utilize Bulk Port Allocation to carve out
small consecutive port bundles for end users as to not mess up SIP
functions and High Speed Logging to log individual customers' ports for law
enforcement needs without overrunning your logging server.


On Tue, Jul 29, 2014 at 10:45 AM, Colton Conor colton.co...@gmail.com
wrote:

 We are looking for recommendations for a carrier grade nat solution. Who is
 the leaders in this space? How do carrier grade NAT platforms integrate
 with DHCP and DNS solutions? How do you keep track of copyright violations
 in a CGNAT solution if multiple customers are sharing the same public IP
 address?



Re: Carrier Grade NAT

2014-07-30 Thread Doug Barton

On 07/30/2014 11:41 AM, Fred Baker (fred) wrote:

Someone that works for Amazon once told me that they are primed for it now


Pun intended? :)


Re: Carrier Grade NAT

2014-07-30 Thread Mark Andrews

In message 53d96dbd.3070...@dougbarton.us, Doug Barton writes:
 On 07/30/2014 11:41 AM, Fred Baker (fred) wrote:
  Someone that works for Amazon once told me that they are primed for it now
 
 Pun intended? :)

The best thing Amazon could do would be to stop stocking IPv4 only
CPE devices.  I know this is a hard ask.

The second best thing would be to warn that a CPE device was IPv4
only and won't work with the new IPv6 Internet.

They could also ship dual stack images for all the Kindle models
they have released.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Carrier Grade NAT

2014-07-30 Thread Owen DeLong

On Jul 30, 2014, at 11:41 AM, Fred Baker (fred) f...@cisco.com wrote:

 
 On Jul 30, 2014, at 8:45 AM, Owen DeLong o...@delong.com wrote:
 
 I will say that if amazon would get off the dime and support IPv6, it would 
 make a significant difference. 
 
 Someone that works for Amazon once told me that they are primed for it now; 
 the question is whether their customers tick the box appropriately.
 

Owens-MacBook-Pro:toneAC owendelong$ host www.amazon.com
www.amazon.com has address 72.21.215.232
Owens-MacBook-Pro:toneAC owendelong$ host www.google.com
www.google.com has address 74.125.239.145
www.google.com has address 74.125.239.146
www.google.com has address 74.125.239.148
www.google.com has address 74.125.239.144
www.google.com has address 74.125.239.147
www.google.com has IPv6 address 2607:f8b0:4005:802::1010

It appears to me that they have failed to tick their own box correctly.

I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms of 
the Alexa list, Amazon would swing the percentage meaningfully. I don’t know to 
what extent AWS would swing the percentage.

Owen



Re: Carrier Grade NAT

2014-07-30 Thread Valdis . Kletnieks
On Wed, 30 Jul 2014 16:39:14 -0700, Owen DeLong said:

 I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms of
 the Alexa list, Amazon would swing the percentage meaningfully. I don’t know 
 to
 what extent AWS would swing the percentage.

There's probably not much stuff that individually is in the Alexa top 100, but
collectively AWS probably has a half million or so hosted entities that
together would end up at the bottom end of the Top 50 if not better.

Of course, then the question becomes what percentage of those half million
entities are ready to go once AWS flips the switch




Re: Carrier Grade NAT

2014-07-30 Thread Owen DeLong

On Jul 30, 2014, at 3:55 PM, Mark Andrews ma...@isc.org wrote:

 
 In message 53d96dbd.3070...@dougbarton.us, Doug Barton writes:
 On 07/30/2014 11:41 AM, Fred Baker (fred) wrote:
 Someone that works for Amazon once told me that they are primed for it now
 
 Pun intended? :)
 
 The best thing Amazon could do would be to stop stocking IPv4 only
 CPE devices.  I know this is a hard ask.
 
 The second best thing would be to warn that a CPE device was IPv4
 only and won't work with the new IPv6 Internet.
 
 They could also ship dual stack images for all the Kindle models
 they have released.

In terms of biggest impact, sure. In terms of the biggest impact to effort 
ratio, I would argue that  for amazon.com would be huge.

Owen



Re: Carrier Grade NAT

2014-07-30 Thread Matt Palmer
On Wed, Jul 30, 2014 at 08:05:28PM -0400, valdis.kletni...@vt.edu wrote:
 On Wed, 30 Jul 2014 16:39:14 -0700, Owen DeLong said:
 
  I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms 
  of
  the Alexa list, Amazon would swing the percentage meaningfully. I don’t 
  know to
  what extent AWS would swing the percentage.
 
 There's probably not much stuff that individually is in the Alexa top 100, but
 collectively AWS probably has a half million or so hosted entities that
 together would end up at the bottom end of the Top 50 if not better.
 
 Of course, then the question becomes what percentage of those half million
 entities are ready to go once AWS flips the switch

Given that almost all of them will be using ELB, which is just a reverse
proxy, where AWS controls the A records that get returned, I'd say that most
of them would Just Work.  The ones that don't will fail only because they're
assuming that the IP address they get sent via HTTP header is IPv4, but
plenty of sites don't even look, and most of the rest wouldn't need much
more than a regex update and/or DB column size change.

- Matt

-- 
The real art of conversation is not only to say the right thing at the
right place but to leave unsaid the wrong thing at the tempting
moment. -- Dorothy Nevill



Carrier Grade NAT

2014-07-29 Thread Colton Conor
We are looking for recommendations for a carrier grade nat solution. Who is
the leaders in this space? How do carrier grade NAT platforms integrate
with DHCP and DNS solutions? How do you keep track of copyright violations
in a CGNAT solution if multiple customers are sharing the same public IP
address?


Re: Carrier Grade NAT

2014-07-29 Thread Daniel Corbe
Colton Conor colton.co...@gmail.com writes:

 We are looking for recommendations for a carrier grade nat solution. Who is
 the leaders in this space? How do carrier grade NAT platforms integrate
 with DHCP and DNS solutions? How do you keep track of copyright violations
 in a CGNAT solution if multiple customers are sharing the same public IP
 address?

Right now I'm using A10 for NAT.  I can't say enough good things about
these dudes.

But as far as DMCA takedowns are concerned, we're in the habit of
casually ignoring them unless they come through our custodian of
records. 

That would be an excellent question for your SE.  And I'm kind of
curious myself now.

-Daniel


Re: Carrier Grade NAT

2014-07-29 Thread Mikael Abrahamsson

On Tue, 29 Jul 2014, Colton Conor wrote:

How do you keep track of copyright violations in a CGNAT solution if 
multiple customers are sharing the same public IP address?


You ask them to provide port numbers. If they can't, then you can't 
identify a single subscriber.


If law enforcement comes along without port numbers then you give them a 
list of subscribers behind that IP at the time. Use port block allocation 
and keep track of the blocks to reduce logging load.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Carrier Grade NAT

2014-07-29 Thread Colton Conor
I searched carrier grade NAT in google, and A10 came up a lot. I thought
they just had good SEO going on, but it seems they have a good product as
well! Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need
all 4 to handle carrier grade NAT on an access network right?


On Tue, Jul 29, 2014 at 10:00 AM, Daniel Corbe co...@corbe.net wrote:

 Colton Conor colton.co...@gmail.com writes:

  We are looking for recommendations for a carrier grade nat solution. Who
 is
  the leaders in this space? How do carrier grade NAT platforms integrate
  with DHCP and DNS solutions? How do you keep track of copyright
 violations
  in a CGNAT solution if multiple customers are sharing the same public IP
  address?

 Right now I'm using A10 for NAT.  I can't say enough good things about
 these dudes.

 But as far as DMCA takedowns are concerned, we're in the habit of
 casually ignoring them unless they come through our custodian of
 records.

 That would be an excellent question for your SE.  And I'm kind of
 curious myself now.

 -Daniel



Re: Carrier Grade NAT

2014-07-29 Thread Chris Boyd

On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:

 If law enforcement comes along without port numbers then you give them a list 
 of subscribers behind that IP at the time. Use port block allocation and keep 
 track of the blocks to reduce logging load.

There's probably going to be some interesting legal fallout from that practice. 
As an ISP customer, I'd be furious to find out that my communications had been 
intercepted due to the bad behavior of another user.

--Chris



Re: Carrier Grade NAT

2014-07-29 Thread Valdis . Kletnieks
On Tue, 29 Jul 2014 11:42:31 -0500, Chris Boyd said:

 There's probably going to be some interesting legal fallout from that
 practice.  As an ISP customer, I'd be furious to find out that my
 communications had been intercepted due to the bad behavior of another user.

See the various lawsuits against the NSA - the vast majority have been summarily
dismissed because the plaintiffs couldn't produce evidence their communications
had in fact been intercepted, and thus they didn't have standing to sue.




Re: Carrier Grade NAT

2014-07-29 Thread Owen DeLong

On Jul 29, 2014, at 9:42 AM, Chris Boyd cb...@gizmopartners.com wrote:

 
 On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:
 
 If law enforcement comes along without port numbers then you give them a 
 list of subscribers behind that IP at the time. Use port block allocation 
 and keep track of the blocks to reduce logging load.
 
 There's probably going to be some interesting legal fallout from that 
 practice.  As an ISP customer, I'd be furious to find out that my 
 communications had been intercepted due to the bad behavior of another user.
 
 --Chris

As an ISP customer, would you really accept not being supplied a globally 
unique address? Really? I would not.

Owen



Re: Carrier Grade NAT

2014-07-29 Thread Robert Drake


On 7/29/2014 12:42 PM, Chris Boyd wrote:


There's probably going to be some interesting legal fallout from that practice. 
As an ISP customer, I'd be furious to find out that my communications had been 
intercepted due to the bad behavior of another user.

--Chris

Usually, unless the judge is being super generous, they'll provide a 
timestamp and a destination IP.  That should be pretty unique unless 
they're looking for fraud against large website or something.  In the 
unlikely event that two people hit the same IP at the same time(window) 
they would probably just throw that information out as unusable for 
their case.


Usually the window they give is ~ 3-5 seconds so they're pretty specific.


Re: Carrier Grade NAT

2014-07-29 Thread Valdis . Kletnieks
On Tue, 29 Jul 2014 09:57:54 -0700, Owen DeLong said:

 As an ISP customer, would you really accept not being supplied a globally
 unique address? Really? I would not.

Does the *other* provider in your area have a more liberal policy?




Re: Carrier Grade NAT

2014-07-29 Thread Owen DeLong

On Jul 29, 2014, at 10:10 AM, valdis.kletni...@vt.edu 
valdis.kletni...@vt.edu wrote:

 On Tue, 29 Jul 2014 09:57:54 -0700, Owen DeLong said:
 
 As an ISP customer, would you really accept not being supplied a globally
 unique address? Really? I would not.
 
 Does the *other* provider in your area have a more liberal policy?

None of the providers in my area are currently doing CGN to the best of my 
knowledge.

Owen



Re: Carrier Grade NAT

2014-07-29 Thread Owen DeLong

On Jul 29, 2014, at 10:00 AM, Robert Drake rdr...@direcpath.com wrote:

 
 On 7/29/2014 12:42 PM, Chris Boyd wrote:
 
 There's probably going to be some interesting legal fallout from that 
 practice.  As an ISP customer, I'd be furious to find out that my 
 communications had been intercepted due to the bad behavior of another user.
 
 --Chris
 
 Usually, unless the judge is being super generous, they'll provide a 
 timestamp and a destination IP.  That should be pretty unique unless they're 
 looking for fraud against large website or something.  In the unlikely event 
 that two people hit the same IP at the same time(window) they would probably 
 just throw that information out as unusable for their case.
 
 Usually the window they give is ~ 3-5 seconds so they're pretty specific.

This assumes that your log server and theirs are synchronized to an accurate 
time source within 3-5 seconds (not necessarily a safe assumption in all 
cases). Further, in a CGN environment, it’s unlikely you would not have 
multiple customers using the same IP address even down to the single second.

Owen



Re: Carrier Grade NAT

2014-07-29 Thread excelsio

Not exactly what you probably want. But it's actually working for me:

http://ipv6netro.blogspot.de/2013/10/asamap-application-capability-in-wide.html
http://enog.jp/~masakazu/vyatta/map/


On 29.07.2014 16:45, Colton Conor wrote:

We are looking for recommendations for a carrier grade nat solution. Who is
the leaders in this space? How do carrier grade NAT platforms integrate
with DHCP and DNS solutions? How do you keep track of copyright violations
in a CGNAT solution if multiple customers are sharing the same public IP
address?




Re: Carrier Grade NAT

2014-07-29 Thread Simon Perreault

On 2014-07-29 13:19, Owen DeLong wrote:

Usually the window they give is ~ 3-5 seconds so they're pretty specific.


This assumes that your log server and theirs are synchronized to an accurate 
time source within 3-5 seconds


Not really, since usually port blocks are not immediately reallocated to 
a different user. There's some timeout involved. RFC 6888 recommends 120 
seconds.


Simon

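A worked model of the port-block logging scheme discussed in this thread (Mikael's block allocation and no-port subscriber list, Owen's clock-skew concern and Simon's RFC 6888 hold-down, plus random port choice inside a bundle as the RFC 6056 point Lee raised), added here as an example and not code from any poster. It assumes one public address, a constructed 512-port bundle size, and constructed subscriber names and timestamps; it is a model of the logging design, not any vendor's CGN.

```python
"""Port-block CGN logging model (constructed example): one public IPv4 address
is carved into contiguous port bundles, only bundle (de)allocations are logged,
and a released bundle idles for a hold-down before it can be reissued."""
from dataclasses import dataclass
from typing import Optional
import random

BLOCK_SIZE = 512            # ports per bundle (constructed value)
PORT_RANGE = (1024, 65535)  # range carved into bundles
HOLD_DOWN = 120             # idle seconds before reuse (RFC 6888 recommendation)

@dataclass
class BlockLease:
    public_ip: str
    first_port: int
    last_port: int
    subscriber: str
    start: int                 # epoch seconds the bundle was assigned
    end: Optional[int] = None  # epoch seconds it was released; None while active

    def overlaps(self, t0: int, t1: int) -> bool:
        # True if the lease was live at any instant in [t0, t1]
        return self.start <= t1 and (self.end is None or self.end >= t0)

class PortBlockCgn:
    def __init__(self, public_ip: str, block_size: int = BLOCK_SIZE, hold_down: int = HOLD_DOWN):
        self.public_ip = public_ip
        self.hold_down = hold_down
        self.free_blocks = [(p, p + block_size - 1) for p in
                            range(PORT_RANGE[0], PORT_RANGE[1] - block_size + 2, block_size)]
        self.cooling = []       # (released_at, bundle) pairs waiting out the hold-down
        self.active = {}        # subscriber -> live BlockLease
        self.ports_in_use = {}  # subscriber -> ports handed out from its bundle
        self.log = []           # one record per bundle, not per flow; this is what is kept

    def _reclaim(self, now: int) -> None:
        """Move bundles whose hold-down has expired to the head of the free list."""
        still_cooling = []
        for released_at, bundle in self.cooling:
            if now - released_at >= self.hold_down:
                self.free_blocks.insert(0, bundle)
            else:
                still_cooling.append((released_at, bundle))
        self.cooling = still_cooling

    def assign_block(self, subscriber: str, now: int) -> BlockLease:
        self._reclaim(now)
        if subscriber in self.active:
            return self.active[subscriber]
        if not self.free_blocks:
            raise RuntimeError("port pool exhausted")
        first, last = self.free_blocks.pop(0)
        lease = BlockLease(self.public_ip, first, last, subscriber, now)
        self.log.append(lease)
        self.active[subscriber] = lease
        self.ports_in_use[subscriber] = set()
        return lease

    def release_block(self, subscriber: str, now: int) -> None:
        lease = self.active.pop(subscriber)
        lease.end = now
        self.ports_in_use.pop(subscriber, None)
        self.cooling.append((now, (lease.first_port, lease.last_port)))

    def allocate_port(self, subscriber: str, now: int) -> int:
        """Hand out a random unused port from the subscriber's bundle: randomising inside
        the bundle is the RFC 6056 mitigation a sequential allocator lacks, though the
        bundle still narrows the search space, which is the concern RFC 6056 documents."""
        lease = self.assign_block(subscriber, now)
        used = self.ports_in_use[subscriber]
        free = [p for p in range(lease.first_port, lease.last_port + 1) if p not in used]
        if not free:
            raise RuntimeError(f"{subscriber}: bundle exhausted")
        port = random.choice(free)
        used.add(port)
        return port

    def _live(self, public_ip: str, when: int, tolerance: int) -> list:
        # Leases on public_ip live within +/- tolerance seconds of `when`; the
        # tolerance absorbs clock skew between the requester's log and ours.
        return [l for l in self.log
                if l.public_ip == public_ip and l.overlaps(when - tolerance, when + tolerance)]

    def lookup(self, public_ip: str, port: int, when: int, tolerance: int = 5) -> list:
        """Subscribers whose bundle covered (ip, port) at `when`."""
        return sorted({l.subscriber for l in self._live(public_ip, when, tolerance)
                       if l.first_port <= port <= l.last_port})

    def subscribers_behind(self, public_ip: str, when: int, tolerance: int = 5) -> list:
        """Fallback when the request carries no port: everyone on that IP at `when`."""
        return sorted({l.subscriber for l in self._live(public_ip, when, tolerance)})

def attribution_demo(hold_down: int) -> list:
    """Alice releases her bundle at t=2000, Bob arrives at t=2001. A request stamped
    t=2002 for one of Alice's ports names a single subscriber only if the bundle was
    not reissued inside the +/- 5 s tolerance, which the 120 s hold-down guarantees."""
    cgn = PortBlockCgn("203.0.113.10", hold_down=hold_down)
    cgn.assign_block("alice", now=1000)
    port = cgn.allocate_port("alice", now=1500)
    cgn.release_block("alice", now=2000)
    cgn.assign_block("bob", now=2001)
    return cgn.lookup("203.0.113.10", port, when=2002)
```

With the 120 s hold-down `attribution_demo(120)` returns only alice; with `hold_down=0` the same skewed query returns both alice and bob, which is the ambiguity the hold-down removes.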

Re: Carrier Grade NAT

2014-07-29 Thread Livingood, Jason
On 7/29/14, 12:57 PM, Owen DeLong o...@delong.com wrote:

As an ISP customer, would you really accept not being supplied a globally
unique address? Really? I would not.

Relevant: http://comcast6.net/images/files/revolt.jpg

;-)

- Jason



Re: Carrier Grade NAT

2014-07-29 Thread John Levine

As an ISP customer, would you really accept not being supplied a globally 
unique address? Really? I would not.

My local DSL provider does CGN.  I switched to cable, but because it
was faster, not because of the addressing.  They would assign you a
global static IP just by calling up and asking for it.  When I left, I
think they'd assigned 18 static addresses out of several thousand
customers.

Most consumer ISP customers don't run servers visible from outside, and
don't care about CGN.  Really.  It's not because they're stupid, it's
because it has no effect on their day to day usage.  

R's,
John

PS: End to end, is that a subchannel of Redtube?



Re: Carrier Grade NAT

2014-07-29 Thread William Herrin
On Tue, Jul 29, 2014 at 12:57 PM, Owen DeLong o...@delong.com wrote:
 As an ISP customer, would you really accept not
being supplied a globally unique address? Really?

Hi Owen,

I wouldn't, but outside of the folks I know in this forum, few would
notice or care. So long as the ISP has an alternative available for
those who do care (such as an existing static IP request mechanism)
CGNs are low-risk from a customer-acceptance position.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Can I solve your unusual networking challenges?


Re: Carrier Grade NAT

2014-07-29 Thread Lee Howard


On 7/29/14 1:00 PM, Robert Drake rdr...@direcpath.com wrote:


On 7/29/2014 12:42 PM, Chris Boyd wrote:

 There's probably going to be some interesting legal fallout from that
practice.  As an ISP customer, I'd be furious to find out that my
communications had been intercepted due to the bad behavior of another
user.

 --Chris

Usually, unless the judge is being super generous, they'll provide a
timestamp and a destination IP.  That should be pretty unique unless
they're looking for fraud against large website or something.  In the
unlikely event that two people hit the same IP at the same time(window)
they would probably just throw that information out as unusable for
their case.

If your CGN logs destination IP, then you are tracking every site your
customer visits.  Geoff posits that this is valuable information, but some
of the likeliest buyers aren't interested.  You'll want to find some
buyers, because you'll need to defray the cost of your logging. Do some
back-of-the-envelope math on the storage required per user per day if you
log the 5-tuple.

The alternative is logging of address and source ports only, keeping logs
equivalent to your DHCP logs now.

I've also heard law enforcement say they're not necessarily keen to ask,
Which of your customers accessed this web site at this time?  Sometimes
it's awkward.  They're much more likely to say, Who was using this
address (and source port) at this time?

If they can't tell you the source port, you have two options:
1. Give them the names of all customers using that address at that time.
How many--10? 50? 100?
2. Tell them their subpoena is too broad, and you cannot respond.

I suggest you consult with counsel to determine your response.

Lee
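
The lookup Lee describes ("who was using this address and source port at this time?") over port-block allocation records rather than per-flow 5-tuples, as an added example that is not code from any poster or CGN product. The log format, block size, subscriber identifiers and timestamps are constructed for illustration; the 120-second reuse quarantine is the RFC 6888 figure Simon Perreault cites earlier in the thread, and the 5-second clock-skew allowance is an assumption. The point it demonstrates: if freed blocks are quarantined longer than the skew you tolerate, a query with a port is unambiguous even with imperfect clocks, while a query without a port returns every subscriber sharing the address (Lee's option 1) and can be refused as over-broad (option 2).

```python
"""Subscriber lookup over a CGN port-block allocation log.

Added example, not code from the thread or a vendor. Log lines, block
sizes, subscriber IDs and the skew allowance are constructed/assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REUSE_QUARANTINE = 120   # seconds a freed block stays unallocated (RFC 6888 recommendation)
CLOCK_SKEW = 5           # assumed tolerance between our log clock and the requester's

# Constructed sample log: "<epoch> ALLOC|FREE <subscriber> <public_ip> <lo>-<hi>"
SAMPLE_LOG = """\
# ts action subscriber public_ip port_block   (constructed sample)
1406642400 ALLOC sub-0001 198.51.100.10 1024-2047
1406642400 ALLOC sub-0002 198.51.100.10 2048-3071
1406642460 FREE  sub-0001 198.51.100.10 1024-2047
1406642500 ALLOC sub-0004 198.51.100.10 3072-4095
1406642580 ALLOC sub-0003 198.51.100.10 1024-2047
"""

# Constructed log where the CGN reassigned a block only 30 s after freeing it.
BAD_LOG = """\
1406642400 ALLOC sub-0001 198.51.100.10 1024-2047
1406642460 FREE  sub-0001 198.51.100.10 1024-2047
1406642490 ALLOC sub-0003 198.51.100.10 1024-2047
"""


@dataclass(frozen=True)
class BlockLease:
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int            # inclusive
    start: int              # epoch seconds when the block was allocated
    end: Optional[int]      # None = still allocated at end of log


def parse_log(lines) -> List[BlockLease]:
    """Pair ALLOC/FREE lines into leases; unmatched ALLOCs stay open."""
    open_leases = {}
    leases = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, sub, ip, ports = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        key = (sub, ip, lo, hi)
        if action == "ALLOC":
            open_leases[key] = int(ts)
        elif action == "FREE":
            if key not in open_leases:
                raise ValueError(f"FREE without ALLOC: {line!r}")
            leases.append(BlockLease(sub, ip, lo, hi, open_leases.pop(key), int(ts)))
        else:
            raise ValueError(f"unknown action: {line!r}")
    for (sub, ip, lo, hi), start in open_leases.items():
        leases.append(BlockLease(sub, ip, lo, hi, start, None))
    return leases


def holders(leases, public_ip: str, at: int, port: Optional[int] = None,
            skew: int = CLOCK_SKEW) -> List[str]:
    """Subscribers holding public_ip (and port, if given) anywhere in [at-skew, at+skew]."""
    lo_t, hi_t = at - skew, at + skew
    found = set()
    for lease in leases:
        if lease.public_ip != public_ip:
            continue
        if port is not None and not (lease.port_lo <= port <= lease.port_hi):
            continue
        lease_end = lease.end if lease.end is not None else float("inf")
        if lease.start <= hi_t and lease_end >= lo_t:
            found.add(lease.subscriber)
    return sorted(found)


def answer_request(leases, public_ip: str, at: int, port: Optional[int] = None,
                   max_subjects: int = 1) -> Tuple[str, List[str]]:
    """Name the subscriber, or flag the request as too broad (a policy knob for counsel)."""
    subs = holders(leases, public_ip, at, port)
    if not subs:
        return ("no-match", [])
    if len(subs) > max_subjects:
        return ("too-broad", subs)
    return ("match", subs)


def check_quarantine(leases, quarantine: int = REUSE_QUARANTINE):
    """Return (previous, next) lease pairs where a block was re-issued sooner than the quarantine.
    Any hit means a port-plus-timestamp query can no longer be assumed unambiguous."""
    by_block = {}
    for lease in leases:
        by_block.setdefault((lease.public_ip, lease.port_lo, lease.port_hi), []).append(lease)
    violations = []
    for seq in by_block.values():
        seq.sort(key=lambda l: l.start)
        for prev, nxt in zip(seq, seq[1:]):
            if prev.end is None or nxt.start - prev.end < quarantine:
                violations.append((prev, nxt))
    return violations


LEASES = parse_log(SAMPLE_LOG.splitlines())
```

Run `check_quarantine()` over the real allocation log before trusting any answer built on it: the skew tolerance only works because the quarantine is much longer than the skew, and a CGN that hands freed blocks straight back to the next subscriber silently breaks that assumption.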




Re: Carrier Grade NAT

2014-07-29 Thread Daniel Corbe
Colton Conor colton.co...@gmail.com writes:

 I searched carrier grade NAT in google, and A10 came up a lot. I thought they
 just had good SEO going on, but it seems they have a good product as well!
 Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need all 4 to
 handle carrier grade NAT on an access network right? 


They don't have an IPAM built in.  IPAMs are usually a back office
thing.  It's a deeply personal choice usually made by the very same
monkey in your organization responsible for managing IP allocations.

You can toss IP pool management (in your case, DHCP) at your A10s, but I
don't.

You can also do some interesting things with DNS on the boxes if you
have a software load that supports load balancing.  But you don't need
that for NAT.  Nor is it wise to put all your eggs into one magical
packet-routing basket.

-Daniel



Re: Carrier Grade NAT

2014-07-29 Thread Matt Palmer
On Tue, Jul 29, 2014 at 11:42:31AM -0500, Chris Boyd wrote:
 On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:
  If law enforcement comes along without port numbers then you give them a
  list of subscribers behind that IP at the time.  Use port block
  allocation and keep track of the blocks to reduce logging load.
 
 There's probably going to be some interesting legal fallout from that
 practice.  As an ISP customer, I'd be furious to find out that my
 communications had been intercepted due to the bad behavior of another
 user.

Then you'll no doubt be happy to know that you're very, very unlikely to
ever find out.

- Matt



RE: Carrier Grade NAT

2014-07-29 Thread Tony Wicks
OK, as someone with experience running CGNAT to fixed broadband customers in
general, here are a few answers to common questions. This is based on the
setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).

1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay
USD $10+ per IP then CGNAT is the only option.
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
thing, perhaps one day, but certainly not today (I really hate clueless
people who shout to the hills that IPv6 is the solution for today's
internet access)
3. 99.99% of customers don't notice they are transiting CGNAT, it just
works.
4. You need to log NAT translations for LI purposes. (IP source/destination,
Port source/destination, time) Surprisingly this does not produce that big a
database burden. However as Cisco's Netflow NAT logging is utterly useless
you need to use syslog and this ramps up the ASR CPU a bit.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
6. 10,000 customers = approximately 200,000 active translations and 1-2
/24's to be comfortable
7. CGNAT protects your customers from all sorts of nasties like small DDOS
attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IPs are a pain in the rear and happen often.
9. In New Zealand we are not a state of the USA so spammed DMCA emails can
be redirected to /dev/null. If a rights holder wishes to have a potential
violation investigated (translation logs) they need to pay a $25 fee, so in
general they don't bother. Police need a search warrant so they generally
only ask for user info when they actually can justify it, so it's not a big
overhead.
10. It is not uncommon for people who run some game servers and websites
(like banks) to be completely clueless/confused about cgnat and randomly
block IPs as large numbers of users connect from a single IP. This is not a
big issue in practice.

cheers


 



Re: Carrier Grade NAT

2014-07-29 Thread Chris Boyd

On Jul 29, 2014, at 11:54 AM, valdis.kletni...@vt.edu 
valdis.kletni...@vt.edu wrote:

 On Tue, 29 Jul 2014 11:42:31 -0500, Chris Boyd said:
 
 There's probably going to be some interesting legal fallout from that
 practice.  As an ISP customer, I'd be furious to find out that my
 communications had been intercepted due to the bad behavior of another user.
 
 See the various lawsuits against the NSA - the vast majority have been 
 summarily
 dismissed because the plaintiffs couldn't produce evidence their 
 communications
 had in fact been intercepted, and thus they didn't have standing to sue.

True, but there is a difference in this case, since I could probably find a way 
to do discovery of the warrant/subpoena that was delivered to the ISP--assuming 
it's not an NSL.  I would assume that going into court with evidence of the 
warrant/subpoena would be sufficient to grant standing.  Or the notice of 
intercepted communications that I've seen a few times would work too.

In $DAYJOB, we're all colo/cloud, so the stuff we get specifies a specific 
date.  Have not come across any that specify a few seconds of time as another 
poster noted.

In any case IANAL, so who knows until the cases start showing up on the 
dockets.

--Chris



Re: Carrier Grade NAT

2014-07-29 Thread Lee Howard
Thanks for sharing your experience; it's very unusual to get the
perspective of an operator running CGN (on a broadband ISP; wireless has
always had it).

On 7/29/14 5:28 PM, Tony Wicks t...@wicks.co.nz wrote:

OK, as someone with experience running CGNAT to fixed broadband customers in
general, here are a few answers to common questions. This is based on the
setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).

1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay
USD $10+ per IP then CGNAT is the only option.

Eh, a bit over US$7 now, but whatever. Higher in APNIC.

2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
thing, perhaps one day, but certainly not today (I really hate clueless
people who shout to the hills that IPv6 is the solution for today's
internet access)

It's viable, it's just not a substitute for IPv4 yet.
Except for specific scenarios.  For instance, you mention gaming below; if
two users are playing on Xbox ONE, they can use IPv6 and they're off the
CGN.  Or if a bank has blacklisted an IPv4 address on the CGN, but the
bank is dual-stack, some users can still get there.
Of course, that snowballs.

3. 99.99% of customers don't notice they are transiting CGNAT, it just
works.

Surprised it's that high.

4. You need to log NAT translations for LI purposes. (IP source/destination,
Port source/destination, time) Surprisingly this does not produce that big a
database burden. However as Cisco's Netflow NAT logging is utterly useless
you need to use syslog and this ramps up the ASR CPU a bit.

Can you quantify?
The log entry has to be at least:
32 bits source address
16 bits source port
32 bits destination address
16 bits destination port
64 bits? timestamp
---
160 bits = 20 bytes per flow
You have to log the end of the flow, too, right?  Another 20 bytes?
40 bytes per flow.  Not including syslog severity and message text.

As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data.
If, as you say in #6, 10,000 customers = 200,000 active translations,
that's 8,000,000 bytes of syslog. . . per second?  Not sure if active
indicates how fast those sessions churn.
180 days of log retention would be. . . 124TB of data.  Per 10,000 users.

By the way, if that's 8MB of syslog, that's 32Mbps just of logging data.
Average, not peak.

Maybe the actual log rate is 8MB per five minutes?  That's only 400GB for
six months.

I'm really interested in what your actual log rate is.


5. NAT translation timeouts are important, XBOX and PlayStation suck.

At least Xbox ONE prefers IPv6.
PS4 can, it just doesn't yet.
Maybe Kiwis don't play enough games for Sony to care?

6. 10,000 customers= approximately  200,000 active translations and 1-2
/24's to be comfortable

So you've cut your address expense to US$0.50 per user.  Definitely better.
(500*$10/1)

7. CGNAT protects your customers from all sorts of nasties like small DDOS
attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IPs are a pain in the rear and happen often.

Between #7 and #8, do they balance out?

9. In New Zealand we are not a state of the USA so spammed DMCA emails can
be redirected to /dev/null. If a rights holder wishes to have a potential
violation investigated (translation logs) they need to pay a $25 fee, so in
general they don't bother. Police need a search warrant so they generally
only ask for user info when they actually can justify it, so it's not a big
overhead.

As long as you have a tool to query your logging system, should be fine.

10. It is not uncommon for people who run some game servers and websites
(like banks) to be completely clueless/confused about cgnat and randomly
block IPs as large numbers of users connect from a single IP. This is not a
big issue in practice.

Really?  Seems like those would be some of the loudest users.

I've always suggested adding IPv6 as an outlet, so that if someone
complains about something not working through CGN, you can tell them to
deploy IPv6.  

Thanks again for this perspective.

Lee




Re: Carrier Grade NAT

2014-07-29 Thread Matt Palmer
On Tue, Jul 29, 2014 at 06:19:31PM -0400, Lee Howard wrote:
 Thanks for sharing your experience; it's very unusual to get the
 perspective of an operator running CGN (on a broadband ISP; wireless has
 always had it).
 
 On 7/29/14 5:28 PM, Tony Wicks t...@wicks.co.nz wrote:
 
 OK, as someone with experience running CGNAT to fixed broadband customers in
 general, here are a few answers to common questions. This is based on the
 setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).
 
 1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay
 USD $10+ per IP then CGNAT is the only option.
 
 Eh, a bit over US$7 now, but whatever. Higher in APNIC.
 
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
 thing, perhaps one day, but certainly not today (I really hate clueless
 people who shout to the hills that IPv6 is the solution for today's
 internet access)
 
 It's viable, it's just not a substitute for IPv4 yet.
 Except for specific scenarios.  For instance, you mention gaming below; if
 two users are playing on Xbox ONE, they can use IPv6 and they're off the
 CGN.  Or if a bank has blacklisted an IPv4 address on the CGN, but the
 bank is dual-stack, some users can still get there.
 Of course, that snowballs.
 
 3. 99.99% of customers don't notice they are transiting CGNAT, it just
 works.
 
 Surprised it's that high.
 
 4. You need to log NAT translations for LI purposes. (IP source/destination,
 Port source/destination, time) Surprisingly this does not produce that big a
 database burden. However as Cisco's Netflow NAT logging is utterly useless
 you need to use syslog and this ramps up the ASR CPU a bit.
 
 Can you quantify?
 The log entry has to be at least:
 32 bits   source address
 16 bits source port
 32 bits destination address
 16 bits destination port
 64 bits? timestamp
 ---
 160 bits = 20 bytes per flow
 You have to log the end of the flow, too, right?  Another 20 bytes?
 40 bytes per flow.  Not including syslog severity and message text.

You can get it down a bit smaller, if you're OK with having to find the
records again to update them at the end of the connection (either TCP FIN,
or UDP mapping timeout):

32 bits NAT endpoint ip
16 bits NAT endpoint port
32 bits dest ip
16 bits dest port
32 bits start timestamp
32 bits end timestamp
16 bits customer ID (you could store the customer's internal IP, but that's
bigger)

That's 22 bytes per flow (maybe 24 if you're planning on having more than
64ki customers in your CGNAT's lifetime).

You could drop the timestamps by another 16 bits each if you don't mind
reducing granularity (if you guarantee you won't reuse a given IP/port pair
for, say, 30 seconds, you can define the timestamp to be, say, 15 second
increments) and/or changing the epoch -- 15 second granularity + rolling
epoch every week = 16 bit timestamps do just fine.

 As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data.
 If, as you say in #6, 10,000 customers = 200,000 active translations,
 that's 8,000,000 bytes of syslog. . . per second?  Not sure if active
 indicates how fast those sessions churn.
 180 days of log retention would be. . . 124TB of data.  Per 10,000 users.

Of course, getting anything back *out* of that again in any sort of
reasonable timeframe would be... optimistic.  I suppose if you're storing it
all in hadoop you can map/reduce your way out of trouble, but that's going
to mean a lot of equipment sitting around doing nothing for 99.99% of the
time.  Perhaps mine litecoin between searches?

 7. CGNAT protects your customers from all sorts of nasty's like small DDOS
 attacks and attacks on their crappy CPE
 8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
 
 Between #7 and #8, do they balance out?

I'd doubt it.  A customer getting DDoS'd counts against their usage limit;
you can't bill traffic pointed at a CGNAT address against any particular
customer.  grin

- Matt

-- 
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery
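
The record layout Matt sketches above (NAT endpoint, destination, start and end time, customer ID) and its 16-bit quantised-timestamp variant, packed and unpacked as an added example; this is not code from the thread or from any CGN product. The field order, the use of network byte order, the 15-second quantum, the one-week rolling epoch and the sample values are assumptions consistent with the post. The `retention_bytes()` helper lets you redo Lee's storage arithmetic with whatever record size and daily record count your platform actually produces.

```python
"""Compact CGN translation records: 22-byte full record and an 18-byte
variant with 16-bit quantised timestamps.

Added example, not code from the thread or a vendor. Field order, byte
order, quantum, epoch length and sample values are assumptions."""
import struct
from ipaddress import IPv4Address

# Full record: nat_ip(4) nat_port(2) dst_ip(4) dst_port(2) start(4) end(4) customer_id(2)
RECORD_FMT = "!IHIHIIH"
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 22 bytes, as in the post

# Small record: same fields, but both timestamps are 16-bit tick counts
# since a per-file epoch. 15 s ticks over a 7-day epoch need 40320 values,
# which fits in 16 bits; the file/partition name must carry the epoch start.
QUANTUM = 15
EPOCH_LEN = 7 * 86400
SMALL_FMT = "!IHIHHHH"
SMALL_LEN = struct.calcsize(SMALL_FMT)     # 18 bytes


def pack_record(nat_ip, nat_port, dst_ip, dst_port, start, end, customer_id):
    return struct.pack(RECORD_FMT, int(IPv4Address(nat_ip)), nat_port,
                       int(IPv4Address(dst_ip)), dst_port, start, end, customer_id)


def unpack_record(blob):
    nat, nport, dst, dport, start, end, cid = struct.unpack(RECORD_FMT, blob)
    return (str(IPv4Address(nat)), nport, str(IPv4Address(dst)), dport, start, end, cid)


def in_epoch(ts, epoch_start):
    return 0 <= ts - epoch_start < EPOCH_LEN


def to_ticks(ts, epoch_start):
    """Quantise an absolute time to ticks within the epoch; loses up to QUANTUM-1 s,
    so lookups must widen their window by one quantum."""
    if not in_epoch(ts, epoch_start):
        raise ValueError("timestamp outside the epoch this file covers")
    return (ts - epoch_start) // QUANTUM


def from_ticks(ticks, epoch_start):
    return epoch_start + ticks * QUANTUM


def pack_small(nat_ip, nat_port, dst_ip, dst_port, start, end, customer_id, epoch_start):
    return struct.pack(SMALL_FMT, int(IPv4Address(nat_ip)), nat_port,
                       int(IPv4Address(dst_ip)), dst_port,
                       to_ticks(start, epoch_start), to_ticks(end, epoch_start), customer_id)


def unpack_small(blob, epoch_start):
    nat, nport, dst, dport, s, e, cid = struct.unpack(SMALL_FMT, blob)
    return (str(IPv4Address(nat)), nport, str(IPv4Address(dst)), dport,
            from_ticks(s, epoch_start), from_ticks(e, epoch_start), cid)


def retention_bytes(records_per_day, days, record_len):
    """Raw storage before compression or indexing."""
    return records_per_day * days * record_len


# Constructed sample, not a real flow.
SAMPLE_EPOCH = 1406592000
SAMPLE = ("198.51.100.10", 40000, "203.0.113.5", 443, SAMPLE_EPOCH + 100, SAMPLE_EPOCH + 130, 4242)

if __name__ == "__main__":
    print(unpack_record(pack_record(*SAMPLE)))
    print(unpack_small(pack_small(*SAMPLE, SAMPLE_EPOCH), SAMPLE_EPOCH))
    # e.g. 2,000,000 records/day per 10,000 customers, kept 90 days
    print(retention_bytes(2_000_000, 90, RECORD_LEN) / 1e9, "GB")
```

Note that the small variant only works if every reader agrees on the epoch each file covers, and that the quantisation and the NAT's block-reuse timeout together set the smallest time window a query can be answered to.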



Re: Carrier Grade NAT

2014-07-29 Thread Matt Palmer
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
 thing, perhaps one day, but certainly not today (I really hate clueless
 people who shout to the hills that IPv6 is the solution for today's
 internet access)

Do you have IPv6 deployed and available to your entire customer base, so
that those who want to use it can do so?  To my way of thinking, CGNAT is
probably going to be the number one driver of IPv6 adoption amongst the
broad customer base, *as long as their ISP provides it*.

 3. 99.99% of customers don't notice they are transiting CGNAT, it just
 works.

More precisely: you don't hear from 99.99% of customers, regardless of
whether or not they notice problems that are caused by CGNAT.  People put up
with some *really* bad stuff sometimes without mentioning it to their
service provider.

 5. NAT translation timeouts are important, XBOX and PlayStation suck.

Do they suck, or do they just not misbehave in a way that plays nicely
with your CGNAT?

 10. It is not uncommon for people who run some game servers and websites
 (like banks) to be completely clueless/confused about cgnat and randomly
 block IPs as large numbers of users connect from a single IP. This is not a
 big issue in practice.

Is this cluelessness, or just reacting to a usage pattern which
overwhelmingly screams abuse that your CGNAT happens to emulate?  From my
experience, I've blocked a lot more abusive sources than NATs by blocking
IPs that originate a lot of connections with varying UAs, for example.  If
you walk like a duck and quack like a duck, it isn't only clueless people
who will call you a duck.

- Matt

-- 
Python is a rich scripting language offering a lot of the power of C++
while retaining the ease of use of VBscript.
-- The PyWin32 documentation



Re: Carrier Grade NAT

2014-07-29 Thread Robert Drake


On 7/29/2014 6:42 PM, Matt Palmer wrote:

Of course, getting anything back *out* of that again in any sort of
reasonable timeframe would be... optimistic.  I suppose if you're storing it
all in hadoop you can map/reduce your way out of trouble, but that's going
to mean a lot of equipment sitting around doing nothing for 99.99% of the
time.  Perhaps mine litecoin between searches?
The timestamp is a natural index.  You shouldn't need to run a 
distributed query for finding information about a specific incident.  
You would have to write your own custom tools to access and manage the 
db, so that's just impractical.  The timestamp as well as most of the 
other fields should be fairly easily compressible since most of the bits 
are the same.  You might as well use a regular plaintext logfile and 
gzip it.





Re: Carrier Grade NAT

2014-07-29 Thread Mark Andrews

In message 20140729225352.go7...@hezmatt.org, Matt Palmer writes:
 On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
  2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
  thing, perhaps one day, but certainly not today (I really hate clueless
  people who shout to the hills that IPv6 is the solution for today's
  internet access)
 
 Do you have IPv6 deployed and available to your entire customer base, so
 that those who want to use it can do so?  To my way of thinking, CGNAT is
 probably going to be the number one driver of IPv6 adoption amongst the
 broad customer base, *as long as their ISP provides it*.

Add to that over half your traffic will switch to IPv6 as long as
the customer has an IPv6-capable CPE.  That's a lot less logging you
need to do from day 1.

  3. 99.99% of customers don't notice they are transiting CGNAT, it just
  works.
 
 More precisely: you don't hear from 99.99% of customers, regardless of
 whether or not they notice problems that are caused by CGNAT.  People put up
 with some *really* bad stuff sometimes without mentioning it to their
 service provider.

Like modems that introduce 2 second queuing delays the moment you
have an upstream transfer like an iCloud backup.  Buffer @!#$!@#$!
bloat!

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: Carrier Grade NAT

2014-07-29 Thread Tony Wicks

3. 99.99% of customers don't notice they are transiting CGNAT, it just 
works.

Surprised it's that high.

So was I to be honest, but in general It Just Works.

4. You need to log NAT translations for LI purposes. (IP 
source/destination, Port source/destination, time) Surprisingly this 
does not produce that big a database burden. However as Cisco's Netflow 
NAT logging is utterly useless you need to use syslog and this ramps up 
the ASR CPU a bit.

Can you quantify?
The log entry has to be at least:
32 bits source address
16 bits source port
32 bits destination address
16 bits destination port
64 bits? timestamp

The issue with the Cisco NAT Translation flow is that as soon as you set the
nat mode to CGN it no longer sends the Pre Nat IP (100.64.x.x), which makes
it useless for matching against radius to identify the user. Several weeks
of arguing with TAC engineers got nowhere. TAC said, no that can't be done,
but could not explain why it worked fine with syslog translation logging.

---
160 bits = 20 bytes per flow
You have to log the end of the flow, too, right?  Another 20 bytes?
40 bytes per flow.  Not including syslog severity and message text.

As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data.
If, as you say in #6, 10,000 customers = 200,000 active translations, that's
8,000,000 bytes of syslog. . . per second?  Not sure if active
indicates how fast those sessions churn.
180 days of log retention would be. . . 124TB of data.  Per 10,000 users.

That is 200,000 active translations, not 200,000 per second. The ESP40 can
handle 2,000,000 active translations. 


By the way, if that's 8MB of syslog, that's 32Mbps just of logging data.
Average, not peak.

Maybe the actual log rate is 8MB per five minutes?  That's only 400GB for
six months.

I'm really interested in what your actual log rate is.


Per 10,000 customers we are getting about 2,000,000 records per day in the
database real world. We first in first out these after three months. How
much bandwidth ? Don't know, I have not actually looked.


5. NAT translation timeouts are important, XBOX and PlayStation suck.

At least Xbox ONE prefers IPv6.
PS4 can, it just doesn't yet.
Maybe Kiwis don't play enough games for Sony to care?

Few CPE routers support native v6 (we are a low cost, BYO router ISP)



7. CGNAT protects your customers from all sorts of nasty's like small 
DDOS attacks and attacks on their crappy CPE 8. DDOS on CGNAT pool IP's 
are a pain in the rear and happen often.

Between #7 and #8, do they balance out?

Yes, you just need to treat DDOS mitigation a little differently, you can't
just upstream block your destination ip as that can randomly nuke thousands
of customer translations. You need to remove the target IP from your CGNAT
pool first. 


9. In New Zealand we are not a state of the USA so spammed DMCA emails 
can be redirected to /dev/null. If a rights holder wishes to have a 
potential violation investigated (translation logs) they need to pay a 
$25 fee, so in general they don't bother. Police need a search warrant 
so they generally only ask for user info when they actually can justify 
it, so it's not a big overhead.

As long as you have a tool to query your logging system, should be fine.

Yes, it doesn't take a lot to develop the tool. Most of the work is in
educating the authorities that they need to supply the exact
source/destination ip, destination port and timestamps if they want any data
back.


10. It is not uncommon for people who run some game servers and 
websites (like banks) to be completely clueless/confused about cgnat 
and randomly block IPs as large numbers of users connect from a single 
IP. This is not a big issue in practice.

Really?  Seems like those would be some of the loudest users.

I've always suggested adding IPv6 as an outlet, so that if someone
complains about something not working through CGN, you can tell them to
deploy IPv6.  

Yes, there have only been a few websites that have caused some issues over
the last two years, nowhere near as bad as I expected it to be.



Thanks again for this perspective.

Lee

Happy to help. People tend to panic about the unknown. And in this case it's
really not as scary as people think, in general it just works and pretty
much no standard residential customers notice.




Re: Carrier Grade NAT

2014-07-29 Thread Mark Andrews

In message 004601cfab84$19ef4e20$4dcdea60$@wicks.co.nz, Tony Wicks writes:
 5. NAT translation timeouts are important, XBOX and PlayStation suck.
 
 At least Xbox ONE prefers IPv6.
 PS4 can, it just doesn't yet.
 Maybe Kiwis don't play enough games for Sony to care?
 
 Few CPE routers support native v6 (we are a low cost, BYO router ISP)

Actually they are becoming much more common and the additional cost
is not that much, basically the cost of the better WiFi radios.  If
you make IPv6 available and recommend that people buy an IPv6-capable
router next time they upgrade they will switch over.  You won't
find IPv6 in 802.11[bg] only routers but it is in the ones with
newer WiFi radios.

e.g. NETGEAR WNDR3800 N600 is AUD$80 [mwave.com.au] + shipping and
supports IPv6.

The price point has come down dramatically from several years ago.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Carrier Grade NAT

2014-07-29 Thread Owen DeLong

On Jul 29, 2014, at 10:59 AM, William Herrin b...@herrin.us wrote:

 On Tue, Jul 29, 2014 at 12:57 PM, Owen DeLong o...@delong.com wrote:
 As an ISP customer, would you really accept not
 being supplied a globally unique address? Really?
 
 Hi Owen,
 
 I wouldn't, but outside of the folks I know in this forum, few would
 notice or care. So long as the ISP has an alternative available for
 those who do care (such as an existing static IP request mechanism)
 CGNs are low-risk from a customer-acceptance position.
 

Sure, but I didn’t ask the question of the general public… I asked it of the 
people on this list.

I suspect most of the membership of this list would opt out of CGN one way or 
another.

In my case, my provider is IPv6 capable and I’d simply move my tunnels from 
IPv4 to IPv6 rather than subject myself to CGN if necessary.

Owen



Re: Carrier Grade NAT

2014-07-29 Thread Owen DeLong

On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:

 
 In message 20140729225352.go7...@hezmatt.org, Matt Palmer writes:
 On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
 thing, perhaps one day, but certainly not today (I really hate clueless
 people who shout to the hills that IPv6 is the solution for today's
 internet access)
 
 Do you have IPv6 deployed and available to your entire customer base, so
 that those who want to use it can do so?  To my way of thinking, CGNAT is
 probably going to be the number one driver of IPv6 adoption amongst the
 broad customer base, *as long as their ISP provides it*.
 
 Add to that over half your traffic will switch to IPv6 as long as
 the customer has an IPv6-capable CPE.  That's a lot less logging you
 need to do from day 1.

That would be nice, but I’m not 100% convinced that it is true.

Though it will be an increasing percentage over time.

Definitely a good way of reducing the load on your CGN, with the additional 
benefit
that your network is part of the solution rather than part of the problem.

 
 3. 99.99% of customers don't notice they are transiting CGNAT, it just
 works.
 
 More precisely: you don't hear from 99.99% of customers, regardless of
 whether or not they notice problems that are caused by CGNAT.  People put up
 with some *really* bad stuff sometimes without mentioning it to their
 service provider.
 
 Like modems that introduce 2 second queuing delays the moment you
 have an upstream transfer like an iCloud backup.  Buffer @!#$!@#$!
 bloat!

Among other things.

99.99% of customers don’t know how to isolate the fault of such a thing to their 
ISP or how to properly complain about it in my experience. For the 0.01% who 
do, 99% of them don’t know how to get past the ISP’s first-line “let’s reboot 
your modem and when you call back afterwards, you won’t be my problem any more”.

Owen



Re: Carrier Grade NAT

2014-07-29 Thread Julien Goodwin
On 29/07/14 22:22, Owen DeLong wrote:
 On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
 In message 20140729225352.go7...@hezmatt.org, Matt Palmer writes:
 On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
 2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable
 thing, perhaps one day, but certainly not today (I really hate clueless
 people who shout to the hills that IPv6 is the solution for today's
 internet access)

 Do you have IPv6 deployed and available to your entire customer base, so
 that those who want to use it can do so?  To my way of thinking, CGNAT is
 probably going to be the number one driver of IPv6 adoption amongst the
 broad customer base, *as long as their ISP provides it*.

 Add to that over half your traffic will switch to IPv6 as long as
 the customer has an IPv6-capable CPE.  That's a lot less logging you
 need to do from day 1.
 
 That would be nice, but I’m not 100% convinced that it is true.
 
 Though it will be an increasing percentage over time.
 
 Definitely a good way of reducing the load on your CGN, with the additional 
 benefit
 that your network is part of the solution rather than part of the problem.

Being on the content provider side I don't know the actual percentages
in practice, but in the NANOG region you've got Google/Youtube, NetFlix,
Akamai & Facebook all having a significant amount of their services v6
native.

I'd be very surprised if these four together weren't a majority of any
consumer-facing network's traffic in peak times.


Re: Carrier Grade NAT

2014-07-29 Thread Gary Buhrmaster
On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong o...@delong.com wrote:

 On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
.
 Add to that over half your traffic will switch to IPv6 as long as
 the customer has an IPv6-capable CPE.  That's a lot less logging you
 need to do from day 1.

 That would be nice, but I’m not 100% convinced that it is true.

For the 99.99% of the users who believe that facebook and twitter
*are* the internet, at least facebook is IPv6 enabled.  50.00%(*)!

Yes, I think we can all stipulate that those participating
on this list are different, and have different expectations,
and different capabilities, than those other 99.99%.

Gary

(*) If we are going to make up statistics, four significant
digits looks better than one.


Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-28 Thread Neil J. McRae


On 17/01/2013 14:29, Brandon Ross br...@pobox.com wrote:


AND game developers who build IPv6 functionality into their products.  Do
you hear us, PS3 and Xbox?

Oscar, make sure you are telling your favorite game developers that they
need to support IPv6 if they want to avoid the NAT mess.


Indeed, the Wii-U launched less than a month ago doesn't have V6 support
either.

Regards,
Neil.





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-28 Thread Neil J. McRae


On 18/01/2013 17:48, Joe Maimon jmai...@ttec.com wrote:

Suppose a provider fully deploys v6, they will still need CGN so long as
they have customers who want to access the v4 internet.


Yes indeed, and the smart folks who thought (clearly didn't!) about how
the best way to manage IPV6 and IPV4 in the access network have made this
really quite difficult. Much more so than it had to be.





RE: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-23 Thread Voll, Toivo
 -Original Message-
 From: Jeff Kell [mailto:jeff-k...@utc.edu]
 Sent: Thursday, January 17, 2013 7:30 PM
[snip]
 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)
 
 Jeff

Really? We get a lot of students complaining about PS3s and Xboxes and giving 
us documentation for various games indicating that either NAT(PAT) must support 
UPnP or statically mapped inbound connections, or the game won't work. On the 
other hand, multi-player games are about the only thing that our users are 
actually telling us isn't working, we haven't heard any complaints about Skype, 
Vonage, or other VoIP or IM products.

Reference: http://support.xbox.com/en-US/xbox-live/connecting/nat-type-strict

--
Toivo Voll
Network Engineer
Information Technology Communications
University of South Florida
(Not speaking for my employer.)



RE: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-22 Thread Jamie Bowden
 From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
 On Fri, 18 Jan 2013 09:03:31 -0500, William Herrin said:


  On the technical side, enterprises have been doing large-scale NAT
 for
  more than a decade now without any doomsday consequences. CGN is not
  different.


 Corporate enterprises have been pushing GPO to the desktop for more
 than a decade as well.  Feel free to try to push GPO to Joe Sixpack's
 PC,
 let me know how that works out for you.

We don't even do NAT here.  Our corporate parent has PI space that they've had 
since the Jurassic period of the internet and we mostly live on that (there are 
spots of 1918 addresses, but not for NAT purposes, think temporary networks in 
lab spaces).  Access to the internet at large is all via proxy, there is no 
direct way out.

Jamie



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-19 Thread William Herrin
On Fri, Jan 18, 2013 at 9:02 PM, Constantine A. Murenin
muren...@gmail.com wrote:
 The killer app of the internet is called p2p.

P2p is not an app, it's a technique for implementing an app. There are
few apps which require p2p and can't be trivially redesigned not to.
If you'll pardon me saying so (and even if you won't) those few boil
down to bit torrent and its cousins: used almost exclusively for
unlawful activities by cheapskates whose wallets are too few and too
small to drive the system.


 that's the
 inefficiency of capitalism.

I wouldn't put it that way but yeah, that's the gist of it. There's an
unambiguous and very strong capitalist profit incentive to make your
new technology work with IPv4 and NAT. The comparable profit incentive
to make it work with IPv6 is weak almost to the point of
non-existence. And there is a severe shortage of networking staff
capable of implementing technologies that are different than what an
organization has implemented before. That market push facilitates
deployment of CGNs while sucking manpower away from IPv6.

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-19 Thread Valdis . Kletnieks
On Sat, 19 Jan 2013 06:26:53 +, Mike Jones said:

 Potentially another source of IPv4 addresses - every content network
 (/hosting provider/etc) that decides they don't want to give their
 customers IPv6 reachability is a future bankrupt ISP with a load of
 IPv4 to sell off :)

The problem is that content networks tend to be a lot smaller than eyeball
networks.  Even AS15169 fits inside a single /12.  How long will that
sustain the average IPv6-adverse eyeball network?




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-19 Thread Jimmy Hess
On 1/18/13, David Swafford da...@davidswafford.com wrote:
 There is no suckerage to V6.   Really, it's not that hard.  While
 CGN is the reality, we need to keep focused on the ultimate goal -- a

Correct. CGN may be part of a transition towards IPv6. Not all
providers are necessarily going to see it that way. It's a
non-resolutely answered question, whether IPv4+CGN will win, and it
will become the new common delivery of IP, or if IPv6 will win.

What will be the ultimate cost, for a provider choosing to implement
only IPv4 CGN, and completely eschew/ignore IPv6, if IPv6 gets
massive buy-in and becomes a predominant IP networking technology,
in demand, adopted by all their competitors?
Potential loss of much business for the service provider, due to
competitive disadvantage.

Versus cost of careful design and building in IPv6 together with CGN
rollouts, so there is one major redesign, to prepare for transition,
and not two separate rollouts, one for CGN and one later to
completely rethink for IPv6...

In either scenario, 1 ISP network implementation project for 1
wrong technology for dealing with IP exhaustion (IPv6 or CGN), and
not recognizing the problem early is a disaster -- business goes to
the competition.

2 ISP network implementation projects; first 1 technology, then the
other, after discovering the wrong technology was chosen, is an
improvement (but still expensive) -- network redesign is time
consuming, network devices and software are expensive, and business
lost to the competition, at least until redesign is completed.

1 implementation of 1 right technology (IPv6 or CGN) and never the
other is ideal -- cost implementing CGN (or IPv6) is avoided, if
the technology never became necessary. (It's an unlikely scenario
after IP exhaustion, however, that either will be unnecessary.)

1 up front preparation/implementation of 2 technologies, in time for
IP exhaustion, has high upfront cost, but alleviates the high risk
of the first 2 scenarios.

 single long term solution.  Imagine a day where there is no dual
 stack, no IPv4, and no more band-aids.   It will be amazing.

It's probably about 20 years away.



 david.
--
-JH



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread William Herrin
On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin
muren...@gmail.com wrote:
 IPv6 is obviously the solution, but I think CGN poses more
 technological and legal problems for the carriers as opposed to their
 clients or the general-purpose non-server non-p2p application
 developers.

Correct. The most significant challenges to CGN are legal compliance
issues. NAT complicates the process of determining who did what using
the public IP at this timestamp. CGN developers have designed some
novel solutions to that problem, such as dedicating port ranges to
particular interior addresses and logging the range once instead of
trying to log every connection. So, don't expect it to be a show
stopper for long.

On the technical side, enterprises have been doing large-scale NAT for
more than a decade now without any doomsday consequences. CGN is not
different.


 CGN breaks the internet, but it doesn't break non-p2p VoIP at all whatsoever.

Also correct. The primary impacts from CGN are folks who want to host
a game server, folks running bit torrent and folks who want to use
Skype. Skype's not stupid and voip relays are easy so after minor
growing pains that'll cease to be an issue too.

Make opting out of CGN simple and cheap. The relatively few folks who
would be impacted will opt out with no particular animus towards you
and you'll recover the IP addresses you had dedicated to the rest.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Seth Mos
On 18-1-2013 15:03, William Herrin wrote:
 On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin
 muren...@gmail.com wrote:

 On the technical side, enterprises have been doing large-scale NAT for
 more than a decade now without any doomsday consequences. CGN is not
 different.

Well yeah, but everything is under control of the IT department to setup
rules and forwards. That's not the same as an end user that wants a port
forward to host an Xbox 360 game on their fiber connection and can't set
it up.

I've tried getting the firewall disabled that denies ALL incoming
traffic on my 3G stick and it's simply not possible, that is the sort of
flexibility that the market is selling.

Most of the ISPs I have personally and professionally worked with have
the flexibility of a piece of mahogany.

I'm pretty sure that some of the dedicated online game hosters are
looking forward to this. Those investments should turn out great.

Regards,

Seth



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Andre Tomt

(resending with nanog-approved address..)

On 18. jan. 2013 01:30, Jeff Kell wrote:

On 1/17/2013 6:50 PM, Owen DeLong wrote:

Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
and many of the other IM clients.


Not sure about Vonage, but Skype, Xbox, and just about everything else
imaginable (other than hosting a server) works just fine over NAT with
default-deny inbound here, and we have several thousand students in the
dorms that bang the heck out of those services.  Most applications have
adapted to the SOHO NATing router that is prevalent today on broadband
internet. And if it didn't work, believe me, I'd hear about it :)


Your users must have fairly low expectations :-)

That snide comment aside, a single level of NAT44 works OK now for most 
current consumer level applications. But this is about multiple levels 
of NAT, where the usual hacks with UPNP IGD/NAT-PMP to get inbound 
ports are not likely to work. Even if you don't support these tricks on 
your end today, it's likely that it is supported at the other side. Most 
p2p traffic like Skype only needs the mapping to work at one end, as 
they have to signal/negotiate addresses and port numbers through some 
third party anyway.


So currently, even double NAT at one end, it is likely to work out 
(within the current expectations of users.)


When CGN gets to critical mass, where both ends of a connection are 
likely to be even more crippled than today*, things change. Now you have 
to bounce all the data off some third party, like a DC, maybe not even on 
the same continent.


When Skype fails to map ports at both ends today the experience is 
pretty horrible actually, at least over here, even with the backing of 
Microsoft's infrastructure. Also makes me wonder how expensive running 
such services will become (Only feasible for Google and Microsoft?)


* Some support for mapping ports at CGN is in development, but requires 
new or updated CPE/home gateways, software support/awareness and support 
for it in the CGN (riiight.)




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Joe Maimon



Owen DeLong wrote:



Clearly we have run out of trickery as multiple layers of NAT stumps even the 
finest of our tricksters.


Yes, we can dedicate thousands more developer hours to making yet more 
extensions to code to work around yet more NAT and maybe make it sort of kind 
of work almost as poorly as it does now. Or we could pour a fraction of those 
developer hours into implementing IPv6 in those same applications and have the 
problem solved in perpetuity.


There is no we

People will follow their personal motivations. If that includes 
improving their application experience in the face of prevalent CGN 
technology, I expect many of them to decide to put in the effort no 
matter what either your or I have to say about it.





My hope is that we will realize at some point that this is a badly losing 
proposition, but, my fear is that we will actually find ways to make it work 
and worse yet, dedicate resources to doing so.

IMHO, having it fail miserably is the best case scenario. The alternatives are 
far worse.


See above. The internet is not top down. It is a potpourri of 
interacting influences. Nobody takes marching orders from either of us.





I'd believe 50% or maybe even 65%, but 75% stretches credibility. See above for 
a partial list of the various things I expect they are doing with those 
addresses.


So a provider to have a one to one relationship between infrastructure 
addresses and subscribers is somehow plausible to you? Anyone else?


Not to me. Not even if you count every single employee and every single 
corporate server and device, of which the vast majority are not even 
using globally unique addresses. Which is what we are discussing.


And suppose they are. A corporation like that can re-use 50% of their 
IPv4 by converting internally to NAT (and IPv6 we hope).



How about much simpler math. Assume 75% IP in any provider organization are for 
subscribers. Assume an average 5-10 subscribers per CGN IP.


I don't believe the first assumption and I think that more than about 3 is rather 
optimistic for the second one, actually. Especially in the face of dedicated port range 
CGN proposed by most of the ISPs I know have real plans to implement CGN rather than just 
a yeah, we'll do that when we have to approach.


Most NAT44 implementations have absolutely no issue scaling to low 
hundreds of users with ONE IP address.


3 is absolutely ridiculously low. 3 of the above, maybe.

However, even at 3, that means that they can double their subscriber 
base with their existing addresses. So unless their existing base took 2 
months to acquire, that is a deal more than 4 month stop gap you claim.


And since you believe that it is plausible for such an organization to 
have a one to one infrastructure/subscriber relationship, going private 
(and we hope ipv6) internally, gives them another 3x subscriber base.


Clearly, CGN can provide enough address re-use to stave off exhausting 
in a provider's subscriber base for years.


But only if the technology scales and is not immediately rejected by 
30-60% of the subscriber base.


This is why we view the testing of CGN as newsworthy.





Clearly, that organization's subscriber growth will be limited by CGN 
technology, not by address scarcity.


Why? Does it not scale linearly? If not, why not?


I don't particularly like a multilayered NAT internet any more than you.

However it is coming and will stay for as long as it is needed and 
useful for those who operate it. Which is likely to be far longer than 
either of us like.


We only differ in one point. You believe it will be so bad that it will 
immediately drive ipv6 adoption and be viewed as a short term expensive 
boondoggle of a misguided experiment. I am not so confident in its failure.


I think we are heading toward a new norm.





Think locally for a bit. Addresses are not instantaneously fungible across the 
internet. Any provider who can pull this off will have far more than a 4-month 
stop-gap. They may even have enough to peddle on the market.


I think that's very optimistic.


With your numbers, a provider can double or triple (actually quadruple 
or sextuple using your ratio) their subscriber base by converting to 
CGN. Were you being overly optimistic?


Or were my estimates, starting at quadrupling or more, overly optimistic?


I'm not sure why you say they are not instantaneously fungible.


 Owen

Because nobody deploying CGN is going to flag day convert entire 
subscriber bases. Because the addresses they free up will be reused 
internally. Because if you are not one of these entities with low 
hanging fruit such as easily convertible to CGN subscriber bases, you 
are NOT going to directly benefit from the efforts of those who do.


Unless they peddle it (or return it).


Joe



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Lee Howard


On 1/17/13 6:21 PM, William Herrin b...@herrin.us wrote:

On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard l...@asgard.org wrote:
 On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote:
On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence in how the Internet runs, hope
 somebody smart can figure how we can avoid going there, because there
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

 I haven't heard anyone talking about carrier-grade firewalls.  To make
CGN
 work a little, you have to enable full-cone NAT, which means as long as
 you're connected to anything on IPv4, anyone can reach you (and for a
 timeout period after that).  And most CGN wireline deployments will have
 some kind of bulk port assignment, so the same ports always go to the
same
 users.  NAT != security, and if you try to make it, you will lose more
 customers than I predicted.

Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the DSL router implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant
enough.

CGNs are not identical to home NAT functionality.  Home NATs are
frequently restricted cone NATs, which is why uPNP or manual
port-forwarding are required.  CGNs for residential deployments are full
cone NATs, so that those problematic applications are less problematic.
See http://en.wikipedia.org/wiki/Network_address_translation  and
draft-donley-nat444-impacts.




It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

 I doubt that very much, and look forward to your analysis supporting
that
 statement.

If you have the data I'll be happy to crunch it but I'm afraid I'll
have to leave the data collection to someone who is paid to do that
very exhaustive work.

I don't have any data that might support your assertion, which is why I'm
calling you on it.


Nevertheless, I'll be happy to document my assumptions and show you
where they lead.

I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
vonage and netflix variety who are basically not impacted by NAT.


Netflix seems to have some funny interactions with some gateways and CGN.
[nat444-impacts]
What about p2p?



I assume that 75% or more of the IPv4 addresses which are employed in
any use (not sitting idle) are employed by eyeball customers. Verizon
Wireless has - remind me - how many /8's compared to, say, Google?

The same number: 0.
I don't know how many addresses VZW has, but I could look it up in Whois
if I knew the orgID.
How'd you get 75%?


If you count from the explosion of interest in the Internet in 1995 to
now, it took 18 years to consume all the IPv4 addresses. Call it
consumption of 1/18th of the address space per year.

You're going with linear growth?  See nro.net/statistics.


Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

If an ISP is so close to running out of addresses that they need CGN,
let's say they have 1 year of addresses remaining.  Given how many ports
apps use, recommendations are running to 10:1 user:address (but I could
well imagine that increasing to 50:1).  That means that for every user you
NAT, you get 1/10 of an address.
Example:  A 10,000-user ISP is growing at 10% annually.  They have 1,000
addresses left, so they implement CGN.  You say to assume 90% of them
can be NATted, so next year, 100 get a unique IPv4 address, the other 900
share 90 addresses.  At 190 addresses per year, CGN bought you five years.
 
I think your 90% is high.  If it's 70%, you burn 370 per year.
That doesn't include the increased support costs, or alienated
customer cancellations, or any of the stuff I talked about in TCO of CGN.

Lee
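Lee's arithmetic above is easy to carry further than one line, so here is an added worked model (my code, not Lee's or anyone else's on the thread) that runs the same scenario year by year: a 10,000-user ISP growing 10% a year, 1,000 spare addresses, 90% (or 70%) of new users placed behind CGN at 10 users per address. The flat version reproduces the "190 per year, five years" and "370 per year" figures; the compounding switch, which the post does not discuss, shows that once the 10% growth is applied to the growing base the pool runs dry a year sooner. Rounding rules (integer intake, ceiling on the shared pool) are my assumptions.

```python
"""Year-by-year model of how long a fixed pool of spare IPv4 addresses lasts
once new subscribers are placed behind CGN (constructed example)."""
import math
from dataclasses import dataclass


@dataclass
class CgnPlan:
    subscribers: int        # current subscriber count
    growth_percent: int     # annual subscriber growth, in whole percent
    addresses_left: int     # spare public IPv4 addresses today
    nat_percent: int        # share of new subscribers placed behind CGN
    subs_per_address: int   # CGN sharing ratio (subscribers per public address)


def addresses_needed(new_subs: int, nat_percent: int, subs_per_address: int) -> int:
    """Public addresses consumed by one year's intake: one each for the
    subscribers kept off CGN, plus a shared pool for the rest (ceiling, since
    a partially used address is still an address)."""
    natted = new_subs * nat_percent // 100
    unique = new_subs - natted
    shared = math.ceil(natted / subs_per_address) if natted else 0
    return unique + shared


def full_years_before_exhaustion(plan: CgnPlan, compound: bool = False,
                                 max_years: int = 50) -> int:
    """Complete years of growth the spare pool can absorb.

    compound=False repeats the first year's intake every year (the flat
    arithmetic used in the thread); compound=True recomputes the intake from
    the growing subscriber base each year."""
    remaining = plan.addresses_left
    subs = plan.subscribers
    intake = subs * plan.growth_percent // 100
    for year in range(1, max_years + 1):
        if compound:
            intake = subs * plan.growth_percent // 100
        need = addresses_needed(intake, plan.nat_percent, plan.subs_per_address)
        if need > remaining:
            return year - 1          # this year's intake does not fit
        remaining -= need
        subs += intake
    return max_years


if __name__ == "__main__":
    # Lee's numbers: 10,000 users, 10%/yr, 1,000 spare addresses, 10:1 sharing.
    for nat in (0, 70, 90):
        plan = CgnPlan(10000, 10, 1000, nat, 10)
        print(f"{nat:>3}% behind CGN: "
              f"{addresses_needed(1000, nat, 10):>4} addresses/yr, "
              f"flat {full_years_before_exhaustion(plan)} yrs, "
              f"compound {full_years_before_exhaustion(plan, compound=True)} yrs")
```

With 0% behind CGN the pool lasts exactly the one year Lee starts from; at 70% it is two full years, at 90% five (flat) or four (compound). The sharing ratio is the lever: raising `subs_per_address` from 10 to 50, as Lee speculates, barely moves the result, because at 90% the 100 un-NATted users per year dominate the 90 (or 18) shared addresses.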





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Lee Howard


On 1/18/13 9:03 AM, William Herrin b...@herrin.us wrote:

On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin
muren...@gmail.com wrote:
 IPv6 is obviously the solution, but I think CGN poses more
 technological and legal problems for the carriers as opposed to their
 clients or the general-purpose non-server non-p2p application
 developers.

Correct. The most significant challenges to CGN are legal compliance
issues. NAT complicates the process of determining who did what using
the public IP at this timestamp. CGN developers have designed some
novel solutions to that problem, such as dedicating port ranges to
particular interior addresses and logging the range once instead of
trying to log every connection. So, don't expect it to be a show
stopper for long.

Many servers don't log source port.  Doesn't matter if the CGN operator
has a log, if you can't provide enough data to find the right entry in the
log.


On the technical side, enterprises have been doing large-scale NAT for
more than a decade now without any doomsday consequences. CGN is not
different.

Even if the implementation was the same (it's not), that doesn't mean the
operation is the same in a different environment.  Residential users
have different applications and expectations than enterprise users (not a
lot of game consoles or BitTorrent on corporate networks).  The legal
issue is different, too: a different level of response is appropriate from
a corporate net admin than an ISP.



 CGN breaks the internet, but it doesn't break non-p2p VoIP at all
whatsoever.

Also correct. The primary impacts from CGN are folks who want to host
a game server, folks running bit torrent and folks who want to use
Skype. Skype's not stupid and voip relays are easy so after minor
growing pains that'll cease to be an issue too.

voip relays are easy?  To what scale, for a free service?


Make opting out of CGN simple and cheap. The relatively few folks who
would be impacted will opt out with no particular animus towards you
and you'll recover the IP addresses you had dedicated to the rest.

You are welcome to deploy it if you choose to.
Part of the reason I'm arguing against it is that if everyone deploys it,
then everyone has to deploy it.  If it is seen as an alternative to IPv6
by some, then others' deployment of IPv6 is made less useful: network
effect.  Also, spending money on CGN seems misguided; if you agree that
you're going to deploy IPv6 anyway, why spend the money for IPv6 *and
also* for CGN?


Lee
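To make the two positions concrete (Bill's "log the port range once instead of every connection" and Lee's "many servers don't log source port"), here is an added example, mine rather than any CGN vendor's or list member's code. It hands each subscriber sharing a public address a fixed port block, keeps one lease record per block instead of per connection, and answers an abuse query for (public IP, timestamp, source port). The lease-log format, the 192.0.2.0/24 documentation address, the `sub-NNNN` identifiers and the four-blocks-per-address split are all constructed for the example.

```python
"""Deterministic CGN port blocks: log one lease per block, then answer
'who used public IP X, source port P, at time T?' from that log."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Ports below 1024 stay unassigned; the rest is split evenly between the
# subscribers sharing one public address (a constructed choice).
FIRST_PORT = 1024
LAST_PORT = 65535


def assign_block(subscriber_slot: int, subs_per_ip: int = 4) -> tuple:
    """(port_lo, port_hi) for the slot-th subscriber on a shared address.
    The block is fixed for the life of the lease, so it is logged once."""
    if not 0 <= subscriber_slot < subs_per_ip:
        raise ValueError("slot out of range")
    block = (LAST_PORT - FIRST_PORT + 1) // subs_per_ip
    lo = FIRST_PORT + subscriber_slot * block
    hi = lo + block - 1 if subscriber_slot < subs_per_ip - 1 else LAST_PORT
    return lo, hi


@dataclass(frozen=True)
class BlockLease:
    start: datetime
    end: Optional[datetime]      # None while the lease is still active
    public_ip: str
    port_lo: int
    port_hi: int
    subscriber: str              # internal subscriber id (hypothetical format)


# Constructed sample lease log, one line per block assignment:
#   start end public_ip port_lo-port_hi subscriber   ("-" end = still active)
SAMPLE_LEASE_LOG = """\
2013-01-18T08:00:00Z - 192.0.2.10 1024-17151 sub-0001
2013-01-18T08:00:00Z 2013-01-18T12:00:00Z 192.0.2.10 17152-33279 sub-0002
2013-01-18T12:00:00Z - 192.0.2.10 17152-33279 sub-0005
2013-01-18T08:00:00Z - 192.0.2.10 33280-49407 sub-0003
2013-01-18T08:00:00Z - 192.0.2.10 49408-65535 sub-0004
"""


def parse_ts(text: str) -> datetime:
    """Parse the UTC timestamps used in the lease log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lease_log(text: str) -> List[BlockLease]:
    leases = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, ip, ports, sub = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        leases.append(BlockLease(parse_ts(start),
                                 None if end == "-" else parse_ts(end),
                                 ip, lo, hi, sub))
    return leases


def subscribers_for(leases: List[BlockLease], public_ip: str, ts: datetime,
                    src_port: Optional[int] = None) -> List[str]:
    """Subscribers who held public_ip at ts.

    With src_port the answer is at most one subscriber. Without it (the
    complaining server never logged the port) every block leased on that
    address at that moment is a candidate, so the log cannot single anyone out."""
    hits = []
    for lease in leases:
        if lease.public_ip != public_ip:
            continue
        if ts < lease.start or (lease.end is not None and ts >= lease.end):
            continue
        if src_port is not None and not (lease.port_lo <= src_port <= lease.port_hi):
            continue
        hits.append(lease.subscriber)
    return hits


if __name__ == "__main__":
    leases = parse_lease_log(SAMPLE_LEASE_LOG)
    when = parse_ts("2013-01-18T10:00:00Z")
    print("with port:   ", subscribers_for(leases, "192.0.2.10", when, 20000))
    print("without port:", subscribers_for(leases, "192.0.2.10", when))
```

Two things the lookup makes visible: the log is small (five lines cover a day on that address, however many connections were made), and a report that arrives as "192.0.2.10 at 10:00" with no port returns four candidates, which is exactly the attribution failure Lee describes. Block reuse across time (sub-0002 then sub-0005 on the same range) also shows why the complainant's timestamp must be accurate and in a known time zone.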






Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Owen DeLong


Sent from my iPad

On Jan 18, 2013, at 4:03 AM, William Herrin b...@herrin.us wrote:

 On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin
 muren...@gmail.com wrote:
 IPv6 is obviously the solution, but I think CGN poses more
 technological and legal problems for the carriers as opposed to their
 clients or the general-purpose non-server non-p2p application
 developers.
 
 Correct. The most significant challenges to CGN are legal compliance
 issues. NAT complicates the process of determining who did what using
 the public IP at this timestamp. CGN developers have designed some
 novel solutions to that problem, such as dedicating port ranges to
 particular interior addresses and logging the range once instead of
 trying to log every connection. So, don't expect it to be a show
 stopper for long.
 
 On the technical side, enterprises have been doing large-scale NAT for
 more than a decade now without any doomsday consequences. CGN is not
 different.
 

Yes it is... In the enterprise, whatever the security team decides isn't
supposed to be supported on the enterprise LAN, the end-users just sort of
have to accept.

In the residential ISP world, unless every ISP in a given service area
degrades all of their customers in the exact same way, you have a very
different situation.

 CGN breaks the internet, but it doesn't break non-p2p VoIP at all whatsoever.
 
 Also correct. The primary impacts from CGN are folks who want to host
 a game server, folks running bit torrent and folks who want to use
 Skype. Skype's not stupid and voip relays are easy so after minor
 growing pains that'll cease to be an issue too.
 
 Make opting out of CGN simple and cheap. The relatively few folks who
 would be impacted will opt out with no particular animus towards you
 and you'll recover the IP addresses you had dedicated to the rest.

An interesting theory, but I don't think it will be so few.

Owen




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Joe Maimon



Lee Howard wrote:


You are welcome to deploy it if you choose to.
Part of the reason I'm arguing against it is that if everyone deploys it,
then everyone has to deploy it.  If it is seen as an alternative to IPv6
by some, then others' deployment of IPv6 is made less useful: network
effect.  Also, spending money on CGN seems misguided; if you agree that
you're going to deploy IPv6 anyway, why spend the money for IPv6 *and
also* for CGN?


Lee



Suppose a provider fully deploys v6, they will still need CGN so long as 
they have customers who want to access the v4 internet.


Unfortunately, that may have the side effect of undercutting some 
portion of v6's value proposition, inversely related to its suckage.


Joe



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Owen DeLong


Sent from my iPad

On Jan 18, 2013, at 5:57 AM, Joe Maimon jmai...@ttec.com wrote:

 
 
 Owen DeLong wrote:
 
 
 Clearly we have run out of trickery as multiple layers of NAT stumps even 
 the finest of our tricksters.
 
 Yes, we can dedicate thousands more developer hours to making yet more 
 extensions to code to work around yet more NAT and maybe make it sort of 
 kind of work almost as poorly as it does now. Or we could pour a fraction of 
 those developer hours into implementing IPv6 in those same applications and 
 have the problem solved in perpetuity.
 
 There is no we
 
 People will follow their personal motivations. If that includes improving 
 their application experience in the face of prevalent CGN technology, I 
 expect many of them to decide to put in the effort no matter what either your 
 or I have to say about it.
 

There most certainly is a WE. WE may not get to make the decision about how 
any of this turns out, but WE will suffer the consequences of those 
collective decisions.

 My hope is that we will realize at some point that this is a badly losing 
 proposition, but, my fear is that we will actually find ways to make it work 
 and worse yet, dedicate resources to doing so.
 
 IMHO, having it fail miserably is the best case scenario. The alternatives 
 are far worse.
 
 See above. The internet is not top down. It is a potpourri of interacting 
 influences. Nobody takes marching orders from either of us.
 

Right, but everybody suffers the consequences of the decisions made by those 
interacting influences. As such, I am at least attempting to educate as many of 
the decision makers along the way in the hopes of getting some reasonable 
outcome somewhere down the road rather than watching the internet fall to 
pieces in NAT hell.

 I'd believe 50% or maybe even 65%, but 75% stretches credibility. See above 
 for a partial list of the various things I expect they are doing with those 
 addresses.
 
 So a provider to have a one to one relationship between infrastructure 
 addresses and subscribers is somehow plausible to you? Anyone else?
 

Subscribers, no, subscriber addresses in a wireless environment, yeah.

 Not to me. Not even if you count every single employees and every single 
 corporate server and device, of which the vast majority are not even using 
 globally unique addresses. Which is what we are discussing.
 
 And suppose they are. A corporation like that can re-use 50% of their IPv4 by 
 converting internally to NAT (and IPv6 we hope).

There are many ways we can sabotage our infrastructure in order to squeeze more 
NAT out of many places. Personally, I would not advocate putting that effort 
into such an obviously losing proposition, but obviously I may well be in the 
minority there.

 How about much simpler math. Assume 75% IP in any provider organization are 
 for subscribers. Assume an average 5-10 subscribers per CGN IP.
 
 I don't believe the first assumption and I think that more than about 3 is 
 rather optimistic for the second one, actually. Especially in the face of 
 dedicated port range CGN proposed by most of the ISPs I know have real plans 
 to implement CGN rather than just a yeah, we'll do that when we have to 
 approach.
 
 Most NAT44 implementations have absolutely no issue scaling to low hundreds 
 of users with ONE IP address.
 

We're not talking NAT44... We're talking NAT444 and you don't get nearly the 
multiplier at the second layer that you can get at the first level. You've 
already concentrated those low hundreds of users into the port range of a 
single address at the first level. Now you're inflicting a second level where 
you can't get nearly that level of compression.

 3 is absolutely ridiculously low. 3 of the above, maybe.
 
 However, even at 3, that means that they can double their subscriber base 
 with their existing addresses. So unless their existing base took 2 months to 
 acquire, that is a deal more than 4 month stop gap you claim.

Or not. At 3 they can double their subscriber base if they don't need any 
additional external facing infrastructure to support all of this and get a 100% 
efficient conversion of users from their existing connectivity to CGN.

 And since you believe that it is plausible for such an organization to have a 
 one to one infrastructure/subscriber relationship, going private (and we hope 
 ipv6) internally, gives them another 3x subscriber base.
 
 Clearly, CGN can provide enough address re-use to stave off exhausting in a 
 provider's subscriber base for years.
 
 But only if the technology scales and is not immediately rejected by 30-60% 
 of the subscriber base.

Which assumes many facts not in evidence and is contrary to the research and 
testing that has been done so far.

 This is why we view the testing of CGN as newsworthy.
 

draft-donley anyone?

 
 
 Clearly, that organization's subscriber growth will be limited by CGN 
 technology, not by address scarcity.
 
 Why? Does it not scale 

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Owen DeLong


Sent from my iPad

On Jan 18, 2013, at 7:48 AM, Joe Maimon jmai...@ttec.com wrote:

 
 
 Lee Howard wrote:
 
 You are welcome to deploy it if you choose to.
 Part of the reason I'm arguing against it is that if everyone deploys it,
 then everyone has to deploy it.  If it is seen as an alternative to IPv6
 by some, then others' deployment of IPv6 is made less useful: network
 effect.  Also, spending money on CGN seems misguided; if you agree that
 you're going to deploy IPv6 anyway, why spend the money for IPv6 *and
 also* for CGN?
 
 
 Lee
 
 Suppose a provider fully deploys v6, they will still need CGN so long as they 
 have customers who want to access the v4 internet.
 

Actually, NAT64/DNS64 is a much better alternative in that situation. The 
bigger issue is customers who still have v4-only devices and some reasonable 
expectation that those will
continue to be supported.

 Unfortunately, that may have the side effect of undercutting some portion of 
 v6's value proposition, inversely related to its suckage.

Which is why I consider the consumer electronics industry to be the important 
frontier in getting IPv6 support at this point. All of these smart TVs, DVD 
players, receivers, etc. that don't support IPv6 are going to be the real 
problem in deploying non-IPv4 service to residential customers in the coming 
years.

Owen




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Joe Maimon



Lee Howard wrote:


If an ISP is so close to running out of addresses that they need CGN,
let's say they have 1 year of addresses remaining.  Given how many ports
apps use, recommendations are running to 10:1 user:address (but I could
well imagine that increasing to 50:1).  That means that for every user you
NAT, you get 1/10 of an address.
Example:  A 10,000-user ISP is growing at 10% annually.  They have 1,000
addresses left, so they implement CGN.  You say to assume 90% of them
can be NATted, so next year, 100 get a unique IPv4 address, the other 900
share 90 addresses.  At 190 addresses per year, CGN bought you five years.

I think your 90% is high.  If it's 70%, you burn 370 per year.
That doesn't include the increased support costs, or alienated
customer cancellations, or any of the stuff I talked about in TCO of CGN.

Lee


2-5 years from a currently one year supply?

Factor in the current base and growth for at least another decade is 
assured.


If it works for the new subscribers, it will work for the existing ones.

Does anybody doubt that successful CGN deployment easily translates into 
many years more of v4?


We understand that there are hosts of theoretical and practical impacts. 
What we do not yet know is how the public and providers at large will 
react or adapt to these impacts.


If just the right balance of CGN negativity and resulting v6 adoption is 
the result, then we will all muddle through more or less ok.


Otherwise we will be seeing either frantic v6 migration everywhere or 
even slower pace than what we have now.


Joe



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread William Herrin
On Fri, Jan 18, 2013 at 12:20 PM, Lee Howard l...@asgard.org wrote:
 On 1/17/13 6:21 PM, William Herrin b...@herrin.us wrote:
Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the DSL router implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant
enough.

 CGNs are not identical to home NAT functionality.

Didn't say they were. What I said was that claiming NAT has no
security impact was false on its face.


  Home NATs are
 frequently restricted cone NATs, which is why UPnP or manual
 port-forwarding are required.  CGNs for residential deployments are full
 cone NATs,

CGNs are most certainly not full cone NATs. Full cone NATs guarantee
that any traffic which arrives at the external address is mapped to
the internal address at the same port, functionality which requires a
1:1 mapping between external addresses and active internal addresses.
Were they full-cone, with a 1:1 IP address mapping, CGNs would be
completely useless for the stated purpose of reducing consumption of
global addresses.

I'm given to understand that they do try to restrict a given internal
address to emitting packets on a particular range of ports on a
particular external address but that's functionality on top of a
restricted-port cone NAT, not a fundamentally different kind of NAT.




I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
vonage and netflix variety who are basically not impacted by NAT.

 Netflix seems to have some funny interactions with some gateways and CGN.
 [nat444-impacts]

Some NATs have serious bugs that aren't obvious until you try to stack them.


 What about p2p?

If it worked with CGNs there'd be a whole lot less than 1 in 10 folks
needing to opt out.


 How'd you get 75%?

It's a SWAG, hence an assumption.


 You're going with linear growth?  See nro.net/statistics.

I'm guessing sublinear given the major backpressure from having to
purchase or transfer IP addresses from other uses instead of getting
fresh ones from a registry but the evidence isn't in yet so I'll
conservatively estimate it at linear.


Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

 If an ISP is so close to running out of addresses that they need CGN,
 let's say they have 1 year of addresses remaining.  Given how many ports
 apps use, recommendations are running to 10:1 user:address (but I could
 well imagine that increasing to 50:1).  That means that for every user you
 NAT, you get 1/10 of an address.

So at 10:1 you get 9/10ths of an address back from each of the 9 in 10
eyeballs who converts to NAT. At a more likely ratio of 30:1 you get
29/30ths back. I'd have to rerun my numbers but that shaves something
on the order of 1 year off my 37 year estimate.

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Owen DeLong


Sent from my iPad

On Jan 18, 2013, at 8:06 AM, William Herrin b...@herrin.us wrote:

 On Fri, Jan 18, 2013 at 12:20 PM, Lee Howard l...@asgard.org wrote:
 On 1/17/13 6:21 PM, William Herrin b...@herrin.us wrote:
 Then it's a firewall that mildly enhances protection by obstructing
 90% of the port scanning attacks which happen against your computer.
 It's a free country so you're welcome to believe that the presence or
 absence of NAT has no impact on the probability of a given machine
 being compromised. Of course, you're also welcome to join the flat
 earth society. As for me, the causative relationship between the rise
 of the DSL router implementing negligible security except NAT and
 the fall of port scanning as a credible attack vector seems blatant
 enough.
 
 CGNs are not identical to home NAT functionality.
 
 Didn't say they were. What I said was that claiming NAT has no
 security impact was false on its face.
 

Even I have never claimed that. I think everyone pretty well understands at 
this point just how injurious NAT is to actual security.
 CGNs are most certainly not full cone NATs. Full cone NATs guarantee
 that any traffic which arrives at the external address is mapped to
 the internal address at the same port, functionality which requires a
 1:1 mapping between external addresses and active internal addresses.
 Were they full-cone, with a 1:1 IP address mapping, CGNs would be
 completely useless for the stated purpose of reducing consumption of
 global addresses.
 
 I'm given to understand that they do try to restrict a given internal
 address to emitting packets on a particular range of ports on a
 particular external address but that's functionality on top of a
 restricted-port cone NAT, not a fundamentally different kind of NAT.
 
Actually, as I understand it, it's a hybrid. It's full cone (sort of) in that 
any packet that arrives within the port range will be translated to the 
corresponding internal address. It's restricted cone in that it's a port range 
instead of all ports. I'm not sure how the interior device is constrained to 
emitting only within the port range unless they are customizing all of the CPE 
in order to support that.

 I assume that fewer than 1 in 10 eyeballs would find Internet service
 behind a NAT unsatisfactory. Eyeballs are the consumers of content,
 the modem, cable modem, residential DSL customers. Some few of them
 are running game servers, web servers, etc. but 9 in 10 are the email,
 vonage and netflix variety who are basically not impacted by NAT.
 
 Netflix seems to have some funny interactions with some gateways and CGN.
 [nat444-impacts]
 
 Some NATs have serious bugs that aren't obvious until you try to stack them.
 

Which in itself is a pretty strong argument against CGN.

 What about p2p?
 
 If it worked with CGNs there'd be a whole lot less than 1 in 10 folks
 needing to opt out.
 

So you are assuming 10% of the internet currently uses any p2p technology? 
Interesting.

 You're going with linear growth?  See nro.net/statistics.
 
 I'm guessing sublinear given the major backpressure from having to
 purchase or transfer IP addresses from other uses instead of getting
 fresh ones from a registry but the evidence isn't in yet so I'll
 conservatively estimate it at linear.

I don't think that backpressure really works against having new subscribers or 
towards reducing churn in the market place where there is competition. As such, 
I don't see how that would apply.

 Is it more like 1 in 5 customers would cough up
 an extra $5 rather than use a NAT address? The nearest comparable
 would be your ratio of dynamic to static IP assignments. Does your
 data support that being higher than 1 in 10? I'd bet the broad data
 sets don't.
 
 If an ISP is so close to running out of addresses that they need CGN,
 let's say they have 1 year of addresses remaining.  Given how many ports
 apps use, recommendations are running to 10:1 user:address (but I could
 well imagine that increasing to 50:1).  That means that for every user you
 NAT, you get 1/10 of an address.
 
 So at 10:1 you get 9/10ths of an address back from each of the 9 in 10
 eyeballs who converts to NAT. At a more likely ratio of 30:1 you get
 29/30ths back. I'd have to rerun my numbers but that shaves something
 on the order of 1 year off my 37 year estimate.

Actually, at 10:1, you get back 10/11ths, not 9/10ths.

However, if CGN's limitations pick up some bad press in the early days, that 
ratio may well convert to more like 1:10 where you get back 1/11th instead of 
10/11ths. This all remains to be seen. Remember, the public will go much more 
with the emotional reaction to the first press accounts than it will go with 
rational or well thought out technical argument.


Owen
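The NAT behaviours Bill and Owen are describing above, as an added toy model (not code from either poster, nor from any CGN product), using the RFC 4787 names: "full cone" is endpoint-independent filtering, "restricted cone" is address-dependent filtering, "port-restricted cone" is address-and-port-dependent filtering, and mapping is endpoint-independent throughout. The Cgn class adds the per-subscriber port block on a shared external address that both of them mention; the block size, the port range, the sequential allocation and the subscriber-by-port lookup are assumptions for illustration, and all addresses are from the documentation ranges.

```python
"""Added example: toy model of NAT filtering behaviours (RFC 4787 terms) and of a
CGN that gives each subscriber a fixed port block on one shared external address.
Not code from the thread; block sizes, port ranges and addresses are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

EIF = "endpoint-independent"          # "full cone": any external host may hit the mapped port
ADF = "address-dependent"             # "restricted cone": only hosts already contacted
APDF = "address-and-port-dependent"   # "port-restricted cone": only the exact (ip, port) contacted


@dataclass
class Mapping:
    internal: Endpoint
    external: Endpoint
    peers: Set[Endpoint] = field(default_factory=set)   # destinations contacted so far


class Nat:
    """One translator with one external IP and a contiguous port range."""

    def __init__(self, external_ip: str, filtering: str, ports: Tuple[int, int] = (1024, 65535)):
        self.external_ip, self.filtering = external_ip, filtering
        self.lo, self.hi = ports
        self.next_port = self.lo
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_port: Dict[int, Mapping] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; one mapping per internal endpoint regardless
        of destination (endpoint-independent mapping). Returns the external endpoint."""
        m = self.by_internal.get(src)
        if m is None:
            if self.next_port > self.hi:
                raise RuntimeError(f"port block {self.lo}-{self.hi} exhausted")
            m = Mapping(src, (self.external_ip, self.next_port))
            self.next_port += 1
            self.by_internal[src] = m
            self.by_port[m.external[1]] = m
        m.peers.add(dst)
        return m.external

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Internal endpoint an inbound packet is delivered to, or None if filtered."""
        m = self.by_port.get(dst_port)
        if m is None:
            return None                                   # no mapping at all: dropped
        if self.filtering == EIF:
            return m.internal
        if self.filtering == ADF:
            return m.internal if any(p[0] == src[0] for p in m.peers) else None
        return m.internal if src in m.peers else None


class Cgn:
    """Many subscribers behind one external IP, each confined to its own port block."""

    def __init__(self, external_ip: str, block_size: int, filtering: str = APDF,
                 first_port: int = 1024, last_port: int = 65535):
        self.external_ip, self.block_size, self.filtering = external_ip, block_size, filtering
        self.first_port, self.last_port = first_port, last_port
        self.blocks: Dict[str, Nat] = {}     # subscriber IP -> its translator / port block

    def capacity(self) -> int:
        """How many subscribers one external address supports at this block size."""
        return (self.last_port - self.first_port + 1) // self.block_size

    def translator_for(self, subscriber_ip: str) -> Nat:
        nat = self.blocks.get(subscriber_ip)
        if nat is None:
            if len(self.blocks) >= self.capacity():
                raise RuntimeError("external address fully subscribed")
            lo = self.first_port + len(self.blocks) * self.block_size
            nat = Nat(self.external_ip, self.filtering, (lo, lo + self.block_size - 1))
            self.blocks[subscriber_ip] = nat
        return nat

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        return self.translator_for(src[0]).outbound(src, dst)

    def subscriber_for_port(self, port: int) -> Optional[str]:
        """The lookup an abuse report against a shared address needs: who owns this port?"""
        for ip, nat in self.blocks.items():
            if nat.lo <= port <= nat.hi:
                return ip
        return None

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        owner = self.subscriber_for_port(dst_port)
        return self.blocks[owner].inbound(src, dst_port) if owner else None
```

Feed the same outbound flow to a Nat built with each of the three filtering constants and then try inbound packets from the contacted host, from the same host on another port, and from a stranger; only the EIF instance accepts all three. Cgn("203.0.113.1", block_size=1024) fits 63 subscribers on one address, and a subscriber who opens more flows than the block holds gets a RuntimeError rather than a port from someone else's block.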




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Lee Howard


On 1/18/13 12:48 PM, Joe Maimon jmai...@ttec.com wrote:



Lee Howard wrote:

 You are welcome to deploy it if you choose to.
 Part of the reason I'm arguing against it is that if everyone deploys it,
 then everyone has to deploy it.  If it is seen as an alternative to IPv6
 by some, then others' deployment of IPv6 is made less useful: network
 effect.  Also, spending money on CGN seems misguided; if you agree that
 you're going to deploy IPv6 anyway, why spend the money for IPv6 *and
 also* for CGN?


 Lee


Suppose a provider fully deploys v6, they will still need CGN so long as
they have customers who want to access the v4 internet.

Not necessarily.  Maybe they need CGN, but they need NAT64, not NAT44.  Or
IVI.
Or maybe they should just hold their noses and buy addresses for a year or
a few.
What they need is a transition strategy; it doesn't necessarily have to be
CGN.

Years ago, I asked, "Why are we stuck with NAT?"  I still ask that.  I
believe that the reason we're stuck with it is that so many of us believe
we're stuck with it--we're resigned to failure, so we don't do anything
about it.
One of the largest problems we have with this transition is that no one
believes they have any influence on it:  I'm stuck with IPv4 until every
single other host on the Internet is using IPv6, and maybe for a while
after that, depending on happy eyeballs.
There are many levers of influence, but the most important ones to use are
those that shift externalities.  The cost in transition, either in IPv6 or
in CGN (or both) will be incurred disproportionately by ISPs.  Content
providers who care most about quality experience (and usefulness of IP
address information) now support IPv6.  If you think creatively, you might
come up with several levers that could shift the expense from "it's up to
ISPs to translate" to "content and device manufacturer businesses are at
risk if they don't support IPv6."

Then there's the question--how do you know when you're done?  Every single
host on the Internet is running IPv6?  All but 100?  A million? A billion?
Probably somewhere in between, but each operator has to decide.  Everyone
else has to decide when to support IPv6--and hope it's before operators
call the transition complete, because then it's too late, because
consumers will choose the competitor's product or service that works (on
IPv6).  If Wordpress doesn't work because there's no IPv6, but Blogspot
and Blogger do, maybe consumers just switch.

Lee







Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Lee Howard


On 1/18/13 1:03 PM, Joe Maimon jmai...@ttec.com wrote:



Lee Howard wrote:

 If an ISP is so close to running out of addresses that they need CGN,
 let's say they have 1 year of addresses remaining.  Given how many ports
 apps use, recommendations are running to 10:1 user:address (but I could
 well imagine that increasing to 50:1).  That means that for every user
 you NAT, you get 1/10 of an address.
 Example:  A 10,000-user ISP is growing at 10% annually.  They have 1,000
 addresses left, so they implement CGN.  You say to assume 90% of them
 can be NATted, so next year, 100 get a unique IPv4 address, the other
 900 share 90 addresses.  At 190 addresses per year, CGN bought you five
 years.

 I think your 90% is high.  If it's 70%, you burn 370 per year.
 That doesn't include the increased support costs, or alienated
 customer cancellations, or any of the stuff I talked about in TCO of
 CGN.

 Lee

2-5 years from a currently one year supply?
Factor in the current base and growth for at least another decade is
assured.
If it works for the new subscribers, it will work for the existing ones.

It is difficult to change an existing customer's service.  Good luck.



Does anybody doubt that successful CGN deployment easily translates into
many years more of v4?

Yes, I doubt it.  Although if you define "successful" as "many more years
of IPv4" my doubts vanish solipsistically.


We understand that there are hosts of theoretical and practical impacts.
What we do not yet know is how the public and providers at large will
react or adapt to these impacts.

If just the right balance of CGN negativity and resulting v6 adoption is
the result, then we will all muddle through more or less ok.

Otherwise we will be seeing either frantic v6 migration everywhere or
even slower pace than what we have now.

Fear, uncertainty, doubt.  Possible frantic migration.
These sound bad to me.

Lee




Joe
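The address arithmetic Lee, Bill and Owen have been trading in this thread (Lee's 10,000-subscriber ISP growing 10% a year with 1,000 addresses left, 10:1 sharing, 90% or 70% of new subscribers NATted, and the 9/10 versus 10/11 question), written out as a small model so the inputs can be varied. This is an added example, not code from any of the posters. The accounting (one address per non-NATted subscriber, 1/N of an address per NATted subscriber, where N is passed as "subscribers per address") and the compounding-growth variant are assumptions of the model; Bill's 9/10 comes out of it with N=10 and Owen's 10/11 with N=11.

```python
"""Added worked example: how far a fixed IPv4 pool stretches under CGN.

Model (an assumption, not from any post): each non-NATted subscriber consumes one
public address; each NATted subscriber consumes 1/users_per_address of one."""


def addresses_needed(new_users: float, nat_fraction: float, users_per_address: int) -> float:
    """Public addresses consumed by new_users when nat_fraction of them go behind CGN."""
    direct = new_users * (1.0 - nat_fraction)            # one address each
    shared = new_users * nat_fraction / users_per_address  # 1/N of an address each
    return direct + shared


def years_of_supply(pool: int, base_users: int, growth_rate: float,
                    nat_fraction: float, users_per_address: int,
                    compounding: bool = False) -> int:
    """Whole years before the pool runs out.

    compounding=False: growth_rate * base_users new subscribers every year
    (Lee's "190 addresses per year" arithmetic).
    compounding=True: the growth rate applies to the growing base, so each
    year's intake, and its address demand, is larger than the last."""
    remaining = float(pool)
    users = float(base_users)
    years = 0
    while True:
        new_users = users * growth_rate
        need = addresses_needed(new_users, nat_fraction, users_per_address)
        if need > remaining:
            return years
        remaining -= need
        years += 1
        if compounding:
            users += new_users


def freed_fraction_per_user(users_per_address: int) -> float:
    """Fraction of one address handed back per subscriber moved behind CGN:
    1 - 1/N, i.e. 9/10 at N=10 and 10/11 at N=11."""
    return 1.0 - 1.0 / users_per_address


def addresses_freed_by_converting(base_users: int, convert_fraction: float,
                                  users_per_address: int) -> float:
    """Addresses recovered if convert_fraction of the existing base is moved behind
    CGN (Joe's "if it works for the new subscribers, it will work for the existing ones")."""
    converted = base_users * convert_fraction
    return converted * freed_fraction_per_user(users_per_address)


if __name__ == "__main__":
    # Lee's numbers from the thread: 10,000 users, 10% growth, 1,000 addresses, 10:1.
    for frac in (0.9, 0.7):
        linear = years_of_supply(1000, 10000, 0.10, frac, 10)
        compound = years_of_supply(1000, 10000, 0.10, frac, 10, compounding=True)
        print(f"{int(frac * 100)}% NATted: {linear} years (linear), {compound} years (compounding)")
    print(f"per converted user at 10:1 -> {freed_fraction_per_user(10):.3f} of an address back,"
          f" at 11 per address -> {freed_fraction_per_user(11):.3f}")
    print(f"converting 90% of the existing 10,000 at 10:1 frees "
          f"{addresses_freed_by_converting(10000, 0.9, 10):.0f} addresses")
```

With Lee's inputs the linear model reproduces his 5 years at 90% and 2 years at 70%; letting the 10% growth compound takes a year off the 90% case. Converting the existing base is where the big number is: 90% of 10,000 subscribers at 10:1 returns 8,100 addresses, which is why the two sides of the thread reach such different horizons from the same ratio.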






Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Valdis . Kletnieks
On Thu, 17 Jan 2013 18:21:28 -0500, William Herrin said:

 Then it's a firewall that mildly enhances protection by obstructing
 90% of the port scanning attacks which happen against your computer.
 It's a free country so you're welcome to believe that the presence or
 absence of NAT has no impact on the probability of a given machine
 being compromised. Of course, you're also welcome to join the flat
 earth society. As for me, the causative relationship between the rise
 of the DSL router implementing negligible security except NAT and
 the fall of port scanning as a credible attack vector seems blatant
 enough.

Oddly enough, the drop in portscanning attacks maps even more closely
to the shipping of XP SP2, which turned on the onboard firewall by
default.  Remember that some of the really big worm hits were when
they managed to get loose inside corporate networks behind the NAT...

Also, a NAT doesn't stop a Java or Adobe exploit in the least, as anybody
with security clue will tell you.





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Valdis . Kletnieks
On Fri, 18 Jan 2013 09:03:31 -0500, William Herrin said:

 On the technical side, enterprises have been doing large-scale NAT for
 more than a decade now without any doomsday consequences. CGN is not
 different.

Corporate enterprises have been pushing GPO to the desktop for more
than a decade as well.  Feel free to try to push GPO to Joe Sixpack's PC,
let me know how that works out for you.




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Jean-Francois Mezei
Should NAT become prevalent and prevent innovation because of its
limitations, this means that innovation will happen only with IPv6 which
means the next must have viral applications will require IPv6 and this
may spur the move away from an IPv4 that has been crippled by NAT
everywhere.





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread William Herrin
On Fri, Jan 18, 2013 at 1:28 PM, Lee Howard l...@asgard.org wrote:
 Years ago, I asked, Why are we stuck with NAT?  I still ask that.  I
 believe that the reason we're stuck with it is that so many of us believe
 we're stuck with it--we're resigned to failure, so we don't do anything
 about it.

Hi Lee,

We're stuck with NAT because -enterprise- network security folks
universally accept NAT's efficacy as a lynchpin component in their
system security architecture. They accept it because the reasoning in
support of the proposition makes sense and they consider the fact of
its efficacy to have been satisfactorily demonstrated in practice.

You can chase any other reasons for using NAT to the ends of the Earth
and you'll never achieve a network where NAT's use can be
discontinued.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread William Herrin
On Fri, Jan 18, 2013 at 4:46 PM, Jean-Francois Mezei
jfmezei_na...@vaxination.ca wrote:
 Should NAT become prevalent and prevent innovation because of its
 limitations, this means that innovation will happen only with IPv6 which
 means the next must have viral applications will require IPv6 and this
 may spur the move away from an IPv4 that has been crippled by NAT
 everywhere.

It won't happen and I'll tell you why not.

Client to client communication block diagrams:

Without NAT:
Client-Router-Router-Router-Router-Router-Client

With NAT:
Client-Router-Router-Relay-Router-Router-Client

At a high level, the two communication diagrams are virtually identical.

Add killer app. By its nature, a killer app is something folks will
pay good money for. This means that 100% of killer apps have
sufficient funding to install those specialty relays.

Odds of a killer app where one router can't be replaced with a
specialty relay while maintaining the intended function: not bloody
likely.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Jean-Francois Mezei
On 13-01-18 17:00, William Herrin wrote:

 Odds of a killer app where one router can't be replaced with a
 specialty relay while maintaining the intended function: not bloody
 likely.

Back in the late 1980s, large computer manufacturers such as Digital,
HP, IBM were pressured to adopt the future in networking: OSI as
transport and X.400 for emails.

These stacks were eventually developed and implemented.

However, the much simpler and more cost effective Internet ended up
winning and it didn't take that long for governments to remove the
requirements to be OSI compliant and accept IPv4 and SMTP as the new
standard.

OSI and X.400 never gained much of a foothold and the millennium
generation probably never heard of them.


Is it possible that the same fate awaits IPv6 ? There is pressure to go
to IPv6, but if solutions are found for IPv4 which are simpler and more
easily deployed, won't that kill any/all efforts to move to IPv6 ?







Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Constantine A. Murenin
On 18 January 2013 14:00, William Herrin b...@herrin.us wrote:
 On Fri, Jan 18, 2013 at 4:46 PM, Jean-Francois Mezei
 jfmezei_na...@vaxination.ca wrote:
 Should NAT become prevalent and prevent innovation because of its
 limitations, this means that innovation will happen only with IPv6 which
 means the next must have viral applications will require IPv6 and this
 may spur the move away from an IPv4 that has been crippled by NAT
 everywhere.

 It won't happen and I'll tell you why not.

 Client to client communication block diagrams:

 Without NAT:
 Client-Router-Router-Router-Router-Router-Client

 With NAT:
 Client-Router-Router-Relay-Router-Router-Client

 At a high level, the two communication diagrams are virtually identical.

 Add killer app. By its nature, a killer app is something folks will
 pay good money for. This means that 100% of killer apps have
 sufficient funding to install those specialty relays.

 Odds of a killer app where one router can't be replaced with a
 specialty relay while maintaining the intended function: not bloody
 likely.

 Regards,
 Bill Herrin

The killer app of the internet is called p2p.

Don't we already have a shortage of IPv4 addresses to start abandoning
p2p, and requiring every service to be server-based, wasting extra
precious IPv4 addresses?

Where's the logic behind this:  make it impossible for two computers
to communicate directly because we have a shortage of addresses, yet
introduce a third machine with, again, rather limited resources, to
waste another IPv4 address?  Wasting all kinds of extra resources and
adding extra latency?  That's not a killer app, that's the
inefficiency of capitalism.

C.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Constantine A. Murenin
On 16 January 2013 08:12, fredrik danerklint fredan-na...@fredan.se wrote:
 From the article:

 Faced with the shortage of IPv4 addresses and the failure of IPv6 to take
 off, British ISP PlusNet is testing carrier-grade network address
 translation CG-NAT, where potentially all the ISP's customers could be
 sharing one IP address, through a gateway. The move is controversial as it
 could make some Internet services fail, but PlusNet says it is inevitable,
 and only a test at this stage.

 http://tech.slashdot.org/story/13/01/16/1417244/uk-isp-plusnet-testing-carrier-grade-nat-instead-of-ipv6

 I'm only here to bring you the news. So don't complain to me...

It is obvious that implementing CGN requires a lot of extra resources
and a lot of hardware/firmware support for both CPE and operator
equipment (the latter from both technical and legal-compliance
reasons, and both the former and the latter in order to implement some
kind of UPnP-compatible support to still allow some kind of p2p apps
to somehow function).

And this is at a time when a lot of the world internet traffic has
already moved to IPv6, and all major content providers that account
for most of the traffic today already support native IPv6: Google,
YouTube and FB.

Wouldn't it be better instead of the untested, unscalable and dead-end
IPv4 CGN to massively start implementing single-stacked IPv6 with
NAT64 at the ISP and *464XLAT* within the CPE RG?  (With 464XLAT, you
wouldn't even need a potentially troublesome DNS64.)  This way,
instead of having to account for subscriber growth presenting
scalability issues on your limited IPv4 resources and CGN-related
concerns, you can instead account for the content growth of
IPv6-enabled sites, and, basically, have to plan for just about no
extra IPv4 scaling budget whatsoever, since with every X subscribers
that still need IPv4, you'll have every XX old subscribers that will
be moving closer to being IPv6-only.  And with every year, a single
IPv4 address used for NAT64 will be perfectly able to scale up to
serve more and more customers, since fewer and fewer people will need
IPv4 connections.


So:

With CGN, we get to the same old chicken-and-egg story:  lack of IPv6
deployment and content/app support, yet an even more imminent shortage
of IPv4 addresses (and with every new customer you'll be so much more
closer to it) and the scalability and legal issues.

With 464XLAT on the CPE RG and NAT64 at the carrier instead, you get
all the benefits of CGN (namely, all non-p2p IPv4-only apps and
services will still work perfectly fine), but only a couple of the
drawbacks.  And it'll actually put the correct pressure for both
content and application developers to immediately switch to IPv6, and
avoid you, the operator, from having to be spending the extra
resources and having extra headaches on the IPv4 address shortage.  It
really makes no sense that any company would still want to invest a
single dime into CGN when instead they could be investing in IPv6 with
NAT64 and CPE RGs with 464XLAT.

I honestly think that 464XLAT can potentially solve all the chicken
and egg problems that the big players have been having.  Supposedly,
that's how T-Mobile USA is planning to move their network forward.
(I'm certainly looking towards the day when I could finally enable
IPv6 on a Google Nexus on T-Mo.)

On the other hand, it's really strange that 464XLAT is so brand bloody
new when IPv6 itself, as well as even NAT64 and DNS64, have been there
for ages.  The idea of 464XLAT is just so ingeniously straight and
simple!  Somewhat similar to 6rd, I guess.

I think that instead of any kind of CGN, all residential (and mobile)
broadband connections should be IPv6-only with NAT64 and 464XLAT.
That'll basically solve all the actual problems with one stone: lack
of IPv6 deployment from content publishers and IPv6 application
support (from app developers with no IPv6), and the immediate shortage
of the IPv4 addresses.

Cheers,
Constantine.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Cameron Byrne
Constantine,

On Fri, Jan 18, 2013 at 6:56 PM, Constantine A. Murenin
muren...@gmail.com wrote:
 On 16 January 2013 08:12, fredrik danerklint fredan-na...@fredan.se wrote:
 From the article:

 Faced with the shortage of IPv4 addresses and the failure of IPv6 to take
 off, British ISP PlusNet is testing carrier-grade network address
 translation CG-NAT, where potentially all the ISP's customers could be
 sharing one IP address, through a gateway. The move is controversial as it
 could make some Internet services fail, but PlusNet says it is inevitable,
 and only a test at this stage.

 http://tech.slashdot.org/story/13/01/16/1417244/uk-isp-plusnet-testing-carrier-grade-nat-instead-of-ipv6

 I'm only here to bring you the news. So don't complain to me...

 It is obvious that implementing CGN requires a lot of extra resources
 and a lot of hardware/firmware support for both CPE and operator
 equipment (the latter from both technical and legal-compliance
 reasons, and both the former and the latter in order to implement some
 kind of UPnP-compatible support to still allow some kind of p2p apps
 to somehow function).

 And this is at a time when a lot of the world internet traffic has
 already moved to IPv6, and all major content providers that account
 for most of the traffic today already support native IPv6: Google,
 YouTube and FB.

 Wouldn't it be better instead of the untested, unscalable and dead-end
 IPv4 CGN to massively start implementing single-stacked IPv6 with
 NAT64 at the ISP and *464XLAT* within the CPE RG?  (With 464XLAT, you
 wouldn't even need a potentially troublesome DNS64.)  This way,
 instead of having to account for subscriber growth presenting
 scalability issues on your limited IPv4 resources and CGN-related
 concerns, you can instead account for the content growth of
 IPv6-enabled sites, and, basically, have to plan for just about no
 extra IPv4 scaling budget whatsoever, since with every X subscribers
 that still need IPv4, you'll have every XX old subscribers that will
 be moving closer to being IPv6-only.  And with every year, a single
 IPv4 address used for NAT64 will be perfectly able to scale up to
 serve more and more customers, since fewer and fewer people will need
 IPv4 connections.


 So:

 With CGN, we get to the same old chicken-and-egg story:  lack of IPv6
 deployment and content/app support, yet an even more imminent shortage
 of IPv4 addresses (and with every new customer you'll be so much more
 closer to it) and the scalability and legal issues.

 With 464XLAT on the CPE RG and NAT64 at the carrier instead, you get
 all the benefits of CGN (namely, all non-p2p IPv4-only apps and
 services will still work perfectly fine), but only a couple of the
 drawbacks.  And it'll actually put the correct pressure for both
 content and application developers to immediately switch to IPv6, and
 avoid you, the operator, from having to be spending the extra
 resources and having extra headaches on the IPv4 address shortage.  It
 really makes no sense that any company would still want to invest a
 single dime into CGN when instead they could be investing in IPv6 with
 NAT64 and CPE RGs with 464XLAT.


Brilliant so far ...

 I honestly think that 464XLAT can potentially solve all the chicken
 and egg problems that the big players have been having.  Supposedly,
 that's how T-Mobile USA is planning to move their network forward.
 (I'm certainly looking towards the day when I could finally enable
 IPv6 on a Google Nexus on T-Mo.)


OK... I am wading into dangerous territory now:  Why are you waiting?

This page has the 464XLAT software and procedure for Nexus S, Galaxy
Nexus, as well as apk for any rooted Android that can handle IPv6 on
cellular http://dan.drown.org/android/clat/

Or for the more pure IPv6-only NAT64/DNS64 out-of-the-box experience
https://sites.google.com/site/tmoipv6/lg-mytouch

 On the other hand, it's really strange that 464XLAT is so brand bloody
 new when IPv6 itself, as well as even NAT64 and DNS64, have been there
 for ages.  The idea of 464XLAT is just so ingeniously straight and
 simple!  Somewhat similar to 6rd, I guess.


Well, I certainly fought it as long as I could.  I was really drinking
the Kool-Aid that apps that could not support IPv6 would be
de-selected since they were unfit for the internet.  I figured
evolution would win, but inertia was certainly making things too slow,
thus we needed a way to make IPv4-apps (cough cough Skype, Netflix
Android App, ...) work on IPv6.

 I think that instead of any kind of CGN, all residential (and mobile)
 broadband connections should be IPv6-only with NAT64 and 464XLAT.
 That'll basically solve all the actual problems with one stone: lack
 of IPv6 deployment from content publishers and IPv6 application
 support (from app developers with no IPv6), and the immediate shortage
 of the IPv4 addresses.

 Cheers,
 Constantine.


Rock on.  I have been on IPv6-only + NAT64/DNS64 for 2 years on mobile
full-time, works fine

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread David Swafford
There is no suckerage to V6.   Really, it's not that hard.  While
CGN is the reality, we need to keep focused on the ultimate goal -- a
single long term solution.  Imagine a day where there is no dual
stack, no IPv4, and no more band-aids.   It will be amazing.

david.

On Fri, Jan 18, 2013 at 9:48 AM, Joe Maimon jmai...@ttec.com wrote:


 Lee Howard wrote:

 You are welcome to deploy it if you choose to.
 Part of the reason I'm arguing against it is that if everyone deploys it,
 then everyone has to deploy it.  If it is seen as an alternative to IPv6
 by some, then others' deployment of IPv6 is made less useful: network
 effect.  Also, spending money on CGN seems misguided; if you agree that
 you're going to deploy IPv6 anyway, why spend the money for IPv6 *and
 also* for CGN?


 Lee


 Suppose a provider fully deploys v6, they will still need CGN so long as
 they have customers who want to access the v4 internet.

 Unfortunately, that may have the side effect of undercutting some portion of
 v6's value proposition, inversely related to its suckage.

 Joe




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Doug Barton

On 01/18/2013 02:07 PM, Jean-Francois Mezei wrote:

OSI and X.400 never gained much of a foothold and the millennium
generation probably never heard of them.


Is it possible that the same fate awaits IPv6 ? There is pressure to go
to IPv6, but if solutions are found for IPv4 which are simpler and more
easily deployed, won't that kill any/all efforts to move to IPv6 ?


No, because NAT-like solutions to perpetuate v4 only handle the client
side of the transaction. At some point there will not be any more v4
addresses to assign/allocate to content provider networks. They have seen
the writing on the wall, and many of the largest (both by traffic and
market share) have already moved to providing their content over v6.


Doug



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Mike Jones
On 19 January 2013 04:48, Doug Barton do...@dougbarton.us wrote:
 No, because NAT-like solutions to perpetuate v4 only handle the client side
 of the transaction. At some point there will not be any more v4 addresses to
 assign/allocate to content provider networks. They have seen the writing on
 the wall, and many of the largest (both by traffic and market share) have
 already moved to providing their content over v6.

Potentially another source of IPv4 addresses - every content network
(/hosting provider/etc) that decides they don't want to give their
customers IPv6 reachability is a future bankrupt ISP with a load of
IPv4 to sell off :)

- Mike



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread .
I am not a network engineer, but I follow this list to be updated about
important news that affect internet stability.

NAT is already a problem for things like videogames.  You want people
to be able to host a multiplayer game, and have his friends join
the game. A free-to-play MMO may want to make a ban for a bad person
permanent, and for this banning an IP is useful; if a whole range of
players use an IP, it will be harder to stop these people from
disrupting other people's fun.  Players that can't connect to the other
players whine on the forums, and ask the game devs to fix the problem,
costing these people money. People that can't connect to other
players, for a problem that is not on his side, or under his control,
get frustrated.  These types of problems are hard to debug for users.

The people on this list have an influence on how the Internet runs; I hope
somebody smart can figure out how we can avoid going there, because that
is frustrating and unfun.


--
--
End of Message.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Mike Jones
On 17 January 2013 10:06, . oscar.vi...@gmail.com wrote:
 I am not a network engineer, but I follow this list to be updated about
 important news that affect internet stability.

 NAT is already a problem for things like videogames.  You want people
 to be able to host a multiplayer game, and have his friends join
 the game. A free-to-play MMO may want to make a ban for a bad person
 permanent, and for this banning an IP is useful; if a whole range of
 players use an IP, it will be harder to stop these people from
 disrupting other people's fun.  Players that can't connect to the other
 players whine on the forums, and ask the game devs to fix the problem,
 costing these people money. People that can't connect to other
 players, for a problem that is not on his side, or under his control,
 get frustrated.  These types of problems are hard to debug for users.

 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

If you follow this list then you should already know the answer,
functional* IPv6 deployments.

- Mike

*Some ISPs have some very weird ideas that I hope never catch on.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Mike Jones wrote:


If you follow this list then you should already know the answer,
functional* IPv6 deployments.


AND game developers who build IPv6 functionality into their products.  Do 
you hear us, PS3 and Xbox?


Oscar, make sure you are telling your favorite game developers that they 
need to support IPv6 if they want to avoid the NAT mess.


--
Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                   ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross     Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread .
On 17 January 2013 15:29, Brandon Ross br...@pobox.com wrote:
..
 AND game developers who build IPv6 functionality into their products.  Do
 you hear us, PS3 and Xbox?

 Oscar, make sure you are telling your favorite game developers that they
 need to support IPv6 if they want to avoid the NAT mess.

Ok. I will pass the message.

Some of them (FOSS guys) already did
http://ioquake3.org/2008/04/21/ioquake3-now-ipv6-capable/

For most commercial projects I don't have my hopes very high. Most
game software development is rushed to release.

--
--
End of Message.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread William Herrin
On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Lee Howard


On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote:

On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
work a little, you have to enable full-cone NAT, which means as long as
you're connected to anything on IPv4, anyone can reach you (and for a
timeout period after that).  And most CGN wireline deployments will have
some kind of bulk port assignment, so the same ports always go to the same
users.  NAT != security, and if you try to make it, you will lose more
customers than I predicted.


It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

I doubt that very much, and look forward to your analysis supporting that
statement.

Lee



Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
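The two CGN properties Lee Howard describes above, full-cone filtering and bulk port assignment, as an added toy simulation (not code from the thread). The addresses, the 120-second mapping timeout and the 1024-port block are constructed; the filtering-mode names follow RFC 4787.

```python
from dataclasses import dataclass

# Toy NAT444 box: one shared external address, a fixed port block per
# subscriber, and a configurable inbound filtering mode. Constructed example.


@dataclass
class Mapping:
    inside: tuple        # (subscriber private address, private port)
    first_peer: tuple    # (remote address, remote port) that created the mapping
    expires: float       # absolute time at which the mapping times out


class CgnSimulator:
    def __init__(self, external_ip, block_size=1024,
                 filtering="endpoint-independent", timeout=120):
        # filtering: "endpoint-independent" (full-cone) or "address-dependent"
        self.external_ip = external_ip
        self.block_size = block_size
        self.filtering = filtering
        self.timeout = timeout
        self.blocks = {}          # subscriber private address -> first port of its block
        self.table = {}           # external port -> Mapping
        self._next_block = 1024

    def port_block(self, inside_ip):
        # Bulk port assignment: a subscriber always gets the same block, so an
        # external port alone identifies the subscriber (useful for abuse
        # handling and log correlation, but also a stable identifier).
        if inside_ip not in self.blocks:
            self.blocks[inside_ip] = self._next_block
            self._next_block += self.block_size
        start = self.blocks[inside_ip]
        return range(start, start + self.block_size)

    def outbound(self, inside_ip, inside_port, peer_ip, peer_port, now):
        """Subscriber sends a packet; return the external port it leaves on."""
        block = self.port_block(inside_ip)
        for port in block:                       # reuse a live mapping for this socket
            m = self.table.get(port)
            if m is not None and m.expires > now and m.inside == (inside_ip, inside_port):
                m.expires = now + self.timeout   # traffic refreshes the timer
                return port
        for port in block:                       # otherwise take a free/expired slot
            m = self.table.get(port)
            if m is None or m.expires <= now:
                self.table[port] = Mapping((inside_ip, inside_port),
                                           (peer_ip, peer_port), now + self.timeout)
                return port
        raise RuntimeError("port block exhausted for %s" % inside_ip)

    def inbound(self, src_ip, src_port, ext_port, now):
        """Packet arrives at external_ip:ext_port; return inside target or None if dropped."""
        m = self.table.get(ext_port)
        if m is None or m.expires <= now:
            return None                          # no live mapping: dropped
        if self.filtering == "address-dependent" and src_ip != m.first_peer[0]:
            return None                          # only the peer we talked to may answer
        return m.inside                          # full-cone: any source reaches the subscriber

    def subscriber_for_port(self, ext_port):
        # Reverse lookup: which subscriber owns the block this port falls in.
        for inside_ip, start in self.blocks.items():
            if start <= ext_port < start + self.block_size:
                return inside_ip
        return None


def demo(filtering):
    """One subscriber sends a DNS query, then an unrelated host probes the mapped port."""
    cgn = CgnSimulator("192.0.2.1", filtering=filtering)
    port = cgn.outbound("10.0.0.5", 40000, "203.0.113.10", 53, now=0)
    return {
        "port": port,
        "from_peer": cgn.inbound("203.0.113.10", 53, port, now=5),        # the DNS reply
        "from_stranger": cgn.inbound("198.51.100.7", 55555, port, now=10),  # unrelated host
        "after_timeout": cgn.inbound("198.51.100.7", 55555, port, now=200),
        "owner": cgn.subscriber_for_port(port),
    }
```

Under full-cone filtering the stranger's packet is delivered while the mapping lives and only the timeout stops it; under address-dependent filtering it is dropped, which is the distinction Lee's "NAT != security" remark turns on.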







Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread William Herrin
On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard l...@asgard.org wrote:
 On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote:
On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

 I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
 work a little, you have to enable full-cone NAT, which means as long as
 you're connected to anything on IPv4, anyone can reach you (and for a
 timeout period after that).  And most CGN wireline deployments will have
 some kind of bulk port assignment, so the same ports always go to the same
 users.  NAT != security, and if you try to make it, you will lose more
 customers than I predicted.

Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the DSL router implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant
enough.


It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

 I doubt that very much, and look forward to your analysis supporting that
 statement.

If you have the data I'll be happy to crunch it but I'm afraid I'll
have to leave the data collection to someone who is paid to do that
very exhaustive work.

Nevertheless, I'll be happy to document my assumptions and show you
where they lead.

I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
Vonage and Netflix variety who are basically not impacted by NAT.

I assume that 75% or more of the IPv4 addresses which are employed in
any use (not sitting idle) are employed by eyeball customers. Verizon
Wireless has - remind me - how many /8's compared to, say, Google?

If you count from the explosion of interest in the Internet in 1995 to
now, it took 18 years to consume all the IPv4 addresses. Call it
consumption of 1/18th of the address space per year.

From my assumption, 25% of the addresses are consumed by non-eyeball
customers who will continue consuming them at 1/(18*4)= 1/72 of the
address space per year. Assuming that server ops still need that many
addresses when acquiring them is not so close to free.

From my assumptions 75% * 0.9 = 67.5% of the addresses are currently
consumed by eyeball customers who can convert to NAT. Match the
previous paragraph's math at 49/72's of the address space recoverable
at some cost that while not trivial is also not exorbitant.

Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1
in 10 needs a global address that slows to 3/720's.

13/720's per year consumes 490/720's after 37 years.

37 years.

So, where am I wrong? Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

Is the current use pattern more like 50/50 between server users and
eyeball users? That'd cut things closer to a decade and a half but
what data I've glanced at from CAIDA, ARIN and the like doesn't seem
to support a belief that eyeballs aren't the major direct user of IPv4
addresses.

Perhaps consumption is accelerating, but a lot of that has been
low-key hoarding during the past 5 years or so. Even with accelerating
consumption we're still looking at a couple decades before we have to
really scrape for IPv4 addresses.

Perhaps I fouled the math itself. I've been known to miscarry a 1. All
the same, the sky doesn't seem to be falling.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
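Herrin's arithmetic above, carried through as an added worked model (not code from the original post): the defaults are the assumptions he states (18 years to consume the space, 75% eyeball share, 1 in 10 eyeballs needing a global address), and the other scenarios are the what-ifs he raises himself.

```python
from fractions import Fraction

# Herrin's estimate as an explicit model. Every quantity is a fraction of the
# total IPv4 space; exact fractions keep his 3/720, 10/720 and 13/720 visible.
YEARS_TO_CONSUME_V4 = 18   # "1995 to now": the whole space consumed in 18 years


def runway(eyeball_share=Fraction(3, 4), eyeball_need_global=Fraction(1, 10),
           years_to_consume=YEARS_TO_CONSUME_V4):
    """Return the model's terms and how long the recovered pool lasts.

    eyeball_share       : share of in-use addresses held by eyeball customers
    eyeball_need_global : share of eyeballs who would not accept a NAT address
    """
    rate = Fraction(1, years_to_consume)                  # 1/18 of the space per year
    server_rate = (1 - eyeball_share) * rate              # non-eyeball demand continues: 1/72
    eyeball_rate = eyeball_share * rate * eyeball_need_global   # (3/72) * (1/10) = 3/720
    recoverable = eyeball_share * (1 - eyeball_need_global)     # movable behind NAT: 27/40 = 67.5%
    total_rate = server_rate + eyeball_rate               # 10/720 + 3/720 = 13/720 per year
    return {
        "server_rate": server_rate,
        "eyeball_rate": eyeball_rate,
        "total_rate": total_rate,
        "recoverable": recoverable,
        "years": recoverable / total_rate,                # pool size / annual draw
    }


def years_of_runway(**assumptions):
    """Convenience wrapper returning the runway in years as a float."""
    return float(runway(**assumptions)["years"])


if __name__ == "__main__":
    scenarios = {
        "as posted (75% eyeballs, 1 in 10 need global)": {},
        "1 in 5 eyeballs need a global address": {"eyeball_need_global": Fraction(1, 5)},
        "50/50 split between servers and eyeballs": {"eyeball_share": Fraction(1, 2)},
    }
    for label, kw in scenarios.items():
        r = runway(**kw)
        print("%-48s draw %s/yr, pool %s -> %.1f years"
              % (label, r["total_rate"], r["recoverable"], float(r["years"])))
```

With his exact 67.5% pool the default case gives 486/13, a little over 37 years; the 50/50 scenario lands at roughly 15 years, matching his "decade and a half".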



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong
 
 Nevertheless, I'll be happy to document my assumptions and show you
 where they lead.
 
 I assume that fewer than 1 in 10 eyeballs would find Internet service
 behind a NAT unsatisfactory. Eyeballs are the consumers of content,
 the modem, cable modem, residential DSL customers.

And this is where you run off the rails… You are assuming that NAT today
and CGN provide similar functionality from an end-user perspective.

The reality is that they do not. CGN is a substantially more degraded
form of internet access than current traditional per-site NAT.

1.  The end-site does not control the NAT box.
2.  UPnP and NAT-PMP do NOT work through CGN.
3.  There is no other provision in most CGNs to allow for inbound
connection trickery that allows many of today's applications to
function in spite of NAT.

 Some few of them
 are running game servers, web servers, etc. but 9 in 10 are the email,
 Vonage and Netflix variety who are basically not impacted by NAT.

Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
and many of the other IM clients.

 I assume that 75% or more of the IPv4 addresses which are employed in
 any use (not sitting idle) are employed by eyeball customers. Verizon
 Wireless has - remind me - how many /8's compared to, say, Google?

Are you sure that 75% of VZW's IP addresses are assigned to end-customer
devices? I am not.

 If you count from the explosion of interest in the Internet in 1995 to
 now, it took 18 years to consume all the IPv4 addresses. Call it
 consumption of 1/18th of the address space per year.
 

I'll leave the obvious math error in this assumption as an exercise for
the reader.

 From my assumption, 25% of the addresses are consumed by non-eyeball
 customers who will continue consuming them at 1/(18*4)= 1/72 of the
 address space per year. Assuming that server ops still need that many
 addresses when acquiring them is not so close to free.
 

This assumption ignores non-customer use of addresses which, while minor,
is not insignificant.


 From my assumptions 75% * 0.9 = 67.5% of the addresses are currently
 consumed by eyeball customers who can convert to NAT. Match the
 previous paragraph's math at 49/72's of the address space recoverable
 at some cost that while not trivial is also not exorbitant.

This makes a rather absurd assumption that the majority of those eyeball
addresses are not already assigned to eyeball NAT pools. This is the
second place where your assumptions run wildly off the rails IMHO.

 Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1
 in 10 needs a global address that slows to 3/720's.
 

While the math works, it would be a lot more clear to say 1/4 * 3/18 = 3/72.

 13/720's per year consumes 490/720's after 37 years.
 
 37 years.
 
 So, where am I wrong? Is it more like 1 in 5 customers would cough up
 an extra $5 rather than use a NAT address? The nearest comparable
 would be your ratio of dynamic to static IP assignments. Does your
 data support that being higher than 1 in 10? I'd bet the broad data
 sets don't.

First, it's more like 1/100 customers that are not already behind NAT
of some form, so your 37 years drops to 0.37 years (a little more than
4 months).

This seems very disruptive and rather heavy on the overhead for a 4-month
stop-gap.

Owen





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Jeff Kell
On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients. 

Not sure about Vonage, but Skype, Xbox, and just about everything else
imaginable (other than hosting a server) works just fine over NAT with
default-deny inbound here, and we have several thousand students in the
dorms that bang the heck out of those services.  Most applications have
adapted to the SOHO NATing router that is prevalent today on broadband
internet.  And if it didn't work, believe me, I'd hear about it :)

Jeff






Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Eric Tykwinski
I'll agree there, as developers have built in some tricks to work around NAT 
issues.  But in reality doing away with NAT is a much better alternative for 
the long haul.  So you are both right, but I'll side with Owen when doing 
network deployments as to ease my future headaches.

Sent from my iPhone

On Jan 17, 2013, at 7:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients.
 
 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)
 
 Jeff
 
 
 
 




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong

On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients. 
 
 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)
 

NAT yes.

NAT + NAT (NAT444 or CGN which is what we are talking about here), not so much.

Owen




Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Constantine A. Murenin
On 17 January 2013 17:17, Owen DeLong o...@delong.com wrote:

 On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients.

 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)


 NAT yes.

 NAT + NAT (NAT444 or CGN which is what we are talking about here), not so 
 much.

 Owen

Once you are doing NAT and your immediate gateway does not support
UPnP, what's the difference if it's NAT44 or NAT444?

I'm currently using NAT44, with at least two layers of 802.11g
WiFi and 5 routers that seem to be doing independent NAT.  Two of them
are mine, then the other 3 are of the ISP, to whom I connect through
802.11g, and it generally works just fine; traceroute on the final
hosts shows 5 first hops being in various separate 192.168.0.0/16 and
10.0.0.0/8 networks.  iChat works.  SIP works, too (for both incoming
and outgoing voice call).  Even ssh connections stay alive for more
than 24h with a mere 240s keepalive setting.

IPv6 is obviously the solution, but I think CGN poses more
technological and legal problems for the carriers as opposed to their
clients or the general-purpose non-server non-p2p application
developers.

CGN breaks the internet, but it doesn't break non-p2p VoIP at all whatsoever.

C.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Constantine A. Murenin wrote:


I'm currently using NAT44, with at least two layers of 802.11g
WiFi and 5 routers that seem to be doing independent NAT.  Two of them
are mine, then the other 3 are of the ISP, to whom I connect through
802.11g, and it generally works just fine; traceroute on the final
hosts shows 5 first hops being in various separate 192.168.0.0/16 and
10.0.0.0/8 networks.


Is the output of traceroute you reference above what you base your 
supposition on that you are behind multiple NATs?  Or do you have some 
other information indicating so?


--
Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                   ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross     Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Joe Maimon



Owen DeLong wrote:


And this is where you run off the rails… You are assuming that NAT today
and CGN provide similar functionality from an end-user perspective.


To the extent that CGN functions like the clueless linksys daisy-chain, 
then yes it does.


The reality is that they do not. CGN is a substantially more degraded
form of internet access than current traditional per-site NAT.

1.  The end-site does not control the NAT box.


The vast majority of end sites today either do not control the NAT box or
do not know how to control the NAT box.



2.  UPnP and NAT-PMP do NOT work through CGN.


And without this wondrous technology, nothing works behind a NAT! 
Whatever did we do before the invention and mass adoption of UPnP and 
NAT-PMP!




3.  There is no other provision in most CGNs to allow for inbound
connection trickery that allows many of today's applications to
function in spite of NAT.


Clearly we have run out of trickery as multiple layers of NAT stumps 
even the finest of our tricksters.


We will have to wait and see on this one. There is a complex interaction 
between protocol development, application deployment, cpe technology and 
user behavior all influenced by the NAT reality we are all witness to.


Will this interaction adopt and adapt CGN? Clearly your opinion is not,
but it's only an opinion.




Wireless has - remind me - how many /8's compared to, say, Google?


Are you sure that 75% of VZW's IP addresses are assigned to end-customer
devices? I am not.


No, actually, I believe what he said is that OF the Addresses ASSIGNED 
to devices, 75% are end-customers.


Far more are likely not in use by any specific device at any given point 
in time.


And what else exactly would VZW be doing with those addresses? Running
more servers and infrastructure than wireless clients to use them?




First, it's more like 1/100 customers that are not already behind NAT
of some form, so your 37 years drops to 0.37 years (a little more than
4 months).


Rather disingenuous of you. We are not addressing some form of NAT. We
are addressing the specific form of CGN, of which far fewer than 1/100
customers are behind.


How about much simpler math. Assume 75% of IPs in any provider organization
are for subscribers. Assume an average of 5-10 subscribers per CGN IP.


Clearly, that organization's subscriber growth will be limited by CGN 
technology, not by address scarcity.




This seems very disruptive and rather heavy on the overhead for a 4-month
stop-gap.


 Owen



Think locally for a bit. Addresses are not instantaneously fungible
across the internet. Any provider who can pull this off will have far
more than a 4-month stop-gap. They may even have enough to peddle on the
market.


Joe


