Re: Large ISPs doing NAT?
On Fri, 3 May 2002, Avleen Vig wrote:

> Ha! I've been in Burbank (in the Valley north of LA) for 7 months now, I
> moved here from London. I've looked and looked and looked for *ANYTHING*
> other than the odd gas station or supermarket open past 9pm!

?? Plenty of gas stations around here open after 9, some all night long. Same with groceries. Drugstores close pretty early though.

> Coming from a place where restaurants are regularly open until 3am, even
> far into the suburbs, this is a serious culture shock :-/

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
"The Indians are unfolding into the 2002 season like a lethal lawn chair." (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: Large ISPs doing NAT?
On Thu, May 02, 2002 at 05:09:15PM -0700, [EMAIL PROTECTED] said:
[snip]
> Mobile-IP devices are all about bringing the Internet to your pocket.
> That doesn't mean just the web! The web is UI optimized for a desktop
> machine. Who knows what specific applications might be developed for a
> user accessing the Internet from a device the size of a bar of soap?
> What if I want to write CUSeeMe for mobile phones? Or a scavenger hunt
> game? Something that takes advantage of the mobility rarely found by a
> desktop user? It is these _form factor specific_ applications that will
> drive the sales of devices that utilize this new network. Surfing the
> web is just the tip of the iceberg that everyone already understands.
> If that's the only application enabled by GPRS, then I don't foresee
> GPRS phones selling in leaps and bounds. It seems like providers would
> be spending a whole lot of money to upgrade their network for just one
> new application that only a few customers are asking for.

Good points here. I think sometimes we miss the future direction and possibilities that technology may take in our focus on making things work in the present.

> The presumption of the first several responders was that it was to
> conserve addresses, which they pointed out is not actually necessary.
> I'm hoping that was the case, and that maybe the choice of NAT can be
> revisited...

As I wrote to another poster, it's possible that I may have been too quick to jump on the conservation bandwagon. I was directed to http://www.caida.org/outreach/resources/learn/ipv4space/ which, although possibly dated, shows that plenty of space is available. Whether or not this is easily assigned/accessible space is something else. I think merely reclaiming some of the legacy A blocks assigned years ago that are being used sparsely, if at all, would eliminate any lingering doubts about space, at least for the time being. The chances of companies giving up their unused blocks, or trading for smaller ones, are probably pretty slim though.

> -pmb

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Re: Large ISPs doing NAT?
On Thu, May 02, 2002 at 04:44:28PM -0700, [EMAIL PROTECTED] said:
> At 01:20 AM 5/2/2002 -0700, Scott Francis wrote:
> > The average customer buying a web-enabled phone doesn't need a
> > publicly-routeable IP. I challenge anybody to demonstrate why a cell
> > phone needs a public IP. It's a PHONE, not a server.
>
> I'm not buying a phone I can't run ssh from. End of story. My current
> phone does all that and more. Why step back into the dark ages of
> analog-type services? *grin*

Mine runs ssh too. :) I just wish I had time/talent enough to hack it to do key-based auth and ssh v2. Note my use of the phrase 'average customer' though. Readers of this list probably do not qualify as such.

> Best Regards,
> Simon

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Re: Large ISPs doing NAT?
On Thu, May 02, 2002 at 04:56:40PM -0700, [EMAIL PROTECTED] said:
[snip]
> > I'm not buying a phone I can't run ssh from. End of story. My current
> > phone does all that and more. Why step back into the dark ages of
> > analog-type services?
>
> The average customer doesn't even know what telnet is, let alone ssh.
> All they care about is browsing pr0n.

Your phone can surf porn? Maybe the technology revolution has finally arrived after all ...

> -Dan
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
RE: Large ISPs doing NAT?
do you think fufme (http://www.fu-fme.com/) would work well over nat? :

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.

> -----Original Message-----
> From: Scott Francis [mailto:[EMAIL PROTECTED]]
> Sent: 3 May 2002 9:13
> To: Dan Hollis
> Cc: [EMAIL PROTECTED]
> Subject: Re: Large ISPs doing NAT?
>
> On Thu, May 02, 2002 at 04:56:40PM -0700, [EMAIL PROTECTED] said:
> [snip]
> > > I'm not buying a phone I can't run ssh from. End of story. My current
> > > phone does all that and more. Why step back into the dark ages of
> > > analog-type services?
> >
> > The average customer doesn't even know what telnet is, let alone ssh.
> > All they care about is browsing pr0n.
>
> Your phone can surf porn? Maybe the technology revolution has finally
> arrived after all ...
>
> > -Dan
> > --
> > [-] Omae no subete no kichi wa ore no mono da. [-]
>
> --
> Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
> Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
> GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Re: DDOS attacks and Large ISPs doing NAT?
> > A NAT'd cell phone won't, can't ever, respond to an unsolicited
> > connection request.
>
> A NAT is not a firewall. A firewall is not a NAT. Some vendors bundle
> firewall functionality with NAT functionality, just as some vendors
> bundle SNA with IP. Please stop perpetuating the myth that a NAT is a
> security device.

It is not a myth; NAT (PNAT, to be correct) just allows internal users to have SECURE access to the outer world without reverse access (it is 50 - 60% of the firewall functionality). So, NAT is equal to the firewall for the outgoing calls. Of course, static NAT does not provide any firewall functionality, and NAT does nothing to protect inbound services, so to protect such services (if any exist) you need a _real_ firewall. To protect the internal network, there is no better way than to have a NAT (of course, a firewall with NAT is better, and all modern devices provide both functionalities, but if I select what's better - a NAT device without a firewall or a firewall without NAT, and I'll have only outbound calls, I'll choose a NAT).
Re: Large ISPs doing NAT?
On Fri, May 03, 2002 at 08:29:32AM -0400, [EMAIL PROTECTED] said:
> On Fri, 03 May 2002 00:12:34 PDT, Scott Francis said:
> > Your phone can surf porn? Maybe the technology revolution has finally
> > arrived after all ...
>
> No, it's still in the "dancing bear" stage. There's the question of
> whether it's worth doing on that class display device
>
> On the other hand, if somebody's looking for a *business* opportunity,
> I could see a *big* market for "Where do I find?" databases for
> GPS-capable phones - I think somebody already did a "public restrooms
> in Manhattan", and I know I've been in strange cities, known there was
> a specific restaurant or store somewhere within 10 blocks, and been
> willing to pay for a reliable hint for the parking garage nearest...

that is an excellent idea. I know one thing I would LOVE to have is a search engine that can answer my question, "Where can I find a coffee house {optionally: with 802.11b} open after midnight during the week in Los Angeles {optionally: the Valley}?" No good answers so far ... at least, none that involve driving less than 30 minutes. :)

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Re: Large ISPs doing NAT?
On Fri, 3 May 2002, Scott Francis wrote:

> that is an excellent idea. I know one thing I would LOVE to have is a
> search engine that can answer my question, "Where can I find a coffee
> house {optionally: with 802.11b} open after midnight during the week in
> Los Angeles {optionally: the Valley}?" No good answers so far ... at
> least, none that involve driving less than 30 minutes. :)

Ha! I've been in Burbank (in the Valley north of LA) for 7 months now, I moved here from London. I've looked and looked and looked for *ANYTHING* other than the odd gas station or supermarket open past 9pm!

Coming from a place where restaurants are regularly open until 3am, even far into the suburbs, this is a serious culture shock :-/
Re: OT: Mobile Directories WAS: Large ISPs doing NAT?
On Fri, May 03, 2002 at 12:11:33PM -0700, Rowland, Alan D wrote:
> You would think the phone companies who already have most of the
> necessary resources, i.e. the yellow pages/directory listings, would be
> all over this idea as a way to sell their device/generate even more
> listing revenue. Killer app: Cell Phone/PDA/GPS w/ Mapping, routing in
> a Palm form factor.
>
> Just my 2¢. The delete key is your friend.

I can probably name you half a dozen companies which are, or were, all over this sort of thing, and at least two of them are Bell/YP shops. I used to work for one of the others (prior to the usual dot-com implosion). Right now, they seem to expect you to 411 it, instead, and let the low-wage humans on the other end of the line make a guess.

And remember: just because it's a killer app doesn't mean anyone is willing to pay for it.

--
*** Joel Baker
System Administrator - lightbearer.com
[EMAIL PROTECTED] http://users.lightbearer.com/lucifer/
Re: Large ISPs doing NAT?
On Wed, May 01, 2002 at 04:07:34PM -0700, [EMAIL PROTECTED] said:
[snip]
> > As long as it is _clear_ from the get-go that customers behind NAT
> > are getting that service, and not publicly-routable IP space, I don't
> > see the problem. If they don't like it, they don't have to sign up to
> > begin with - as long as there is no doubt as to what kind of service
> > they're getting, there shouldn't be a problem (legally, at any rate).
>
> You've got to be kidding. Do you think it's clear to the average
> consumer buying a GPRS phone what NAT is, and why they might or might
> not want it?

The average customer buying a web-enabled phone doesn't need a publicly-routeable IP. I challenge anybody to demonstrate why a cell phone needs a public IP. It's a PHONE, not a server.

> Do you think the use of NAT will be explained to these customers? Or
> clearly stated in 5pt text on page 17 of the service agreement?

There's enough other fine print that adding this in somewhere should not be an issue.

> IMHO, as one of the people who will likely be using Cingular's GPRS
> network with a Danger HipTop, I _strongly_ hope they choose to use
> routable address space instead of NAT. I would hate for NAT to be an
> impediment to some cool new app no one has thought of yet because these
> gizmos aren't in widespread use yet.

I am totally in favor of public IPs being an _option_ for use with PDAs, phones and the like - but for the average user, I do not see it being a necessity, or even really a benefit. This is not to say that if, as Eliot posits, the next Big Thing on the market requires public IPs that your customer base won't all jump ship. That's a risk that providers will have to weigh against the benefits of NAT.

> I'm more concerned that if the major metropolitan markets deploying GPRS
> all use NAT, then the Next Big Thing won't ever happen on GPRS devices.
> Customers won't jump ship if they have nowhere to jump to. That might
> sound attractive to the bean counters, but think of the customers you
> might never get in the first place. Also, I don't see how deploying NAT
> could be a cost savings over requesting real IP space.

I'm not saying it's the best course of action necessarily; I was trying to make the "best tool for the job" argument. There are cases where NAT is a definite advantage, or where having a public IP offers no clear benefits, if not any obvious risks. Until the model changes drastically, I just don't see the average phone/wireless PDA user needing a public IP for every device she/he has. But it should definitely remain an option - just like static IPs on DSL is an option with most providers.

> -pmb

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Re: Large ISPs doing NAT?
### On Thu, 2 May 2002 01:20:40 -0700, Scott Francis
### [EMAIL PROTECTED] casually decided to expound upon Peter Bierman
### [EMAIL PROTECTED] the following thoughts about "Re: Large ISPs
### doing NAT?":

SF> The average customer buying a web-enabled phone doesn't need a
SF> publicly-routeable IP. I challenge anybody to demonstrate why a cell phone
SF> needs a public IP. It's a PHONE, not a server.

Time to start thinking a little further down the line. What if the phone actually becomes a wireless IP gateway router? It routes packets from a PAN (personal area network) riding on top of Bluetooth or 802.11{a,b} to the 3G network for transit. NAT would certainly become very messy.

--
/*===[ Jake Khuon [EMAIL PROTECTED] ]==+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=*/
RE: Large ISPs doing NAT?
> -----Original Message-----
> From: Jake Khuon [mailto:[EMAIL PROTECTED]]
> Sent: 2 May 2002 10:32
> To: [EMAIL PROTECTED]
> Subject: Re: Large ISPs doing NAT?
>
> Time to start thinking a little further down the line. What if the
> phone actually becomes a wireless IP gateway router? It routes packets
> from a PAN (personal area network) riding on top of Bluetooth or
> 802.11{a,b} to the 3G network for transit. NAT would certainly become
> very messy.

great

and what if one of the devices behind that phone would also be a personal ip gateway router (or how you call that)... you could recursively iterate as deep as your mail size allows you to...

hope this thread will not end in a router behind a router that serves as a router serving as a router to another router which has some other routers connected...

> --
> /*===[ Jake Khuon [EMAIL PROTECTED] ]==+
> | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
> | for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
> +=*/

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: Large ISPs doing NAT?
### On Thu, 2 May 2002 10:42:01 +0200, Daniska Tomas [EMAIL PROTECTED]
### casually decided to expound upon [EMAIL PROTECTED] the following
### thoughts about "RE: Large ISPs doing NAT?":

DT> and what if one of the devices behind that phone would also be a personal
DT> ip gateway router (or how you call that)... you could recursively iterate
DT> as deep as your mail size allows you to...

It's possible. Could it get ugly? Yes. Do we just want to shut our eyes and say "let's not go there"... well... maybe. I just don't think the solution is to say, "this can never happen... we must limit all handheld devices to sitting behind a NAT gateway."

DT> hope this thread will not end in a router behind a router that serves as a
DT> router serving as a router to another router which has some other routers
DT> connected...

God forbid! We might have a network on our hands!

--
/*===[ Jake Khuon [EMAIL PROTECTED] ]==+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=*/
Re: Large ISPs doing NAT?
On Thu, May 02, 2002 at 01:32:16AM -0700, [EMAIL PROTECTED] said:
> ### On Thu, 2 May 2002 01:20:40 -0700, Scott Francis
> ### [EMAIL PROTECTED] casually decided to expound upon Peter Bierman
> ### [EMAIL PROTECTED] the following thoughts about "Re: Large ISPs
> ### doing NAT?":
>
> SF> The average customer buying a web-enabled phone doesn't need a
> SF> publicly-routeable IP. I challenge anybody to demonstrate why a cell phone
> SF> needs a public IP. It's a PHONE, not a server.
>
> Time to start thinking a little further down the line. What if the
> phone actually becomes a wireless IP gateway router? It routes packets
> from a PAN (personal area network) riding on top of Bluetooth or
> 802.11{a,b} to the 3G network for transit. NAT would certainly become
> very messy.

*nod* NAT is a solution for current problems, in some situations. It may or may not create more problems in the future than it solves in the present (sign me up for one of those gateway router phones though - mmm...)

Again, while I'm not predicting what kind of network landscape we may see in the future, NAT _does_ appear to solve problems in the present under certain situations, and IMHO should not be dismissed out of hand just because it's not "pure" IP. Forward thinking is critical - but those who do it at the expense of current issues are called researchers and scientists, and generally are not running production networks. :)

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
RE: Large ISPs doing NAT?
> -----Original Message-----
> From: Jake Khuon [mailto:[EMAIL PROTECTED]]
> Sent: 2 May 2002 10:51
> To: [EMAIL PROTECTED]
> Subject: Re: Large ISPs doing NAT?
>
> DT> and what if one of the devices behind that phone would also be a
> DT> personal ip gateway router (or how you call that)... you could
> DT> recursively iterate as deep as your mail size allows you to...
>
> It's possible. Could it get ugly? Yes. Do we just want to shut our
> eyes and say "let's not go there"... well... maybe. I just don't think
> the solution is to say, "this can never happen... we must limit all
> handheld devices to sitting behind a NAT gateway."

no eye-shutting. it's just about considering HOW MANY (or WHAT PART) of your users will need the 'full' service. if you have 95% of bfu's with web+mail phones or pda's then nat is completely ok for them. and those 5% (if so many ever) phreaks - give them an opportunity to have public ip with no nat for a few bucks more

you will end up with exactly two exactly specified services... not that bad, is it?

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: Large ISPs doing NAT?
At 1:20 AM -0700 5/2/02, Scott Francis wrote:
> On Wed, May 01, 2002 at 04:07:34PM -0700, [EMAIL PROTECTED] said:
> > You've got to be kidding. Do you think it's clear to the average
> > consumer buying a GPRS phone what NAT is, and why they might or might
> > not want it?
>
> The average customer buying a web-enabled phone doesn't need a
> publicly-routeable IP. I challenge anybody to demonstrate why a cell
> phone needs a public IP. It's a PHONE, not a server.

And what if I want to invent the next big thing? A game, that people play in real time, with their palm-sized gizmo. What if that game can't be made scalable unless those devices have real IPs? What if that game is the catalyst that causes a million more customers to go buy a gizmo from Cingular?

If providers assume that GPRS devices are all just web-enabled phones, then that's all they will _ever_ be, and no one will care, and no one will buy them. If all I want is a PHONE, not a server, I can buy that today (and Cingular doesn't have to spend millions to deploy a whole new backend.)

IMHO, the attitude of "we already know what services you want" is at odds with the intent of the Internet, and exactly the BS that Telcos have been feeding customers for years.

I have yet to see any good argument for why mobile-IP providers should use NAT instead of routable space. And no, "because they might get rooted" is not a good reason. That's the responsibility of the device designers, NOT THE NETWORK.

-pmb
RE: Large ISPs doing NAT?
At 11:15 AM +0200 5/2/02, Daniska Tomas wrote:
> no eye-shutting. it's just about considering HOW MANY (or WHAT PART) of
> your users will need the 'full' service. if you have 95% of bfu's with
> web+mail phones or pda's then nat is completely ok for them. and those
> 5% (if so many ever) phreaks - give them an opportunity to have public
> ip with no nat for a few bucks more
>
> you will end up with exactly two exactly specified services... not that
> bad, is it?

If no applications need the "few bucks more" service, no one will pay for it. If no one pays for it, no one will write applications that need it. Chicken or Egg? You decide.

-pmb
Re: Large ISPs doing NAT?
### On Thu, 2 May 2002 11:15:00 +0200, Daniska Tomas [EMAIL PROTECTED]
### casually decided to expound upon [EMAIL PROTECTED] the following
### thoughts about "RE: Large ISPs doing NAT?":

DT> you will end up with exactly two exactly specified services... not that
DT> bad, is it?

Nope... and that was my point. I was simply trying to address a statement that might pigeonhole the role of a 3G/GPRS device. I think we all should know better than to assume something will never happen.

--
/*===[ Jake Khuon [EMAIL PROTECTED] ]==+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=*/
Re: Large ISPs doing NAT?
On Thu, 02 May 2002 01:50:50 PDT, Jake Khuon [EMAIL PROTECTED] said:
> God forbid! We might have a network on our hands!

That's called "wearable computing". And it goes in your pocket so your hands are free, ;)
RE: DDOS attacks and Large ISPs doing NAT?
To merge these 2 great threads, it is the case, is it not, that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month..." etc etc

I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.

And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most efficient and best quality), UDP, TCP then HTTP. If it can't get a connection with any of the first protocols, it falls back to http, and you get your stream. When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.

Jm

> -----Original Message-----
> From: Jake Khuon [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 1:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Large ISPs doing NAT?
>
> ### On Thu, 2 May 2002 10:42:01 +0200, Daniska Tomas [EMAIL PROTECTED]
> ### casually decided to expound upon [EMAIL PROTECTED] the following
> ### thoughts about "RE: Large ISPs doing NAT?":
>
> DT> and what if one of the devices behind that phone would also be a
> DT> personal ip gateway router (or how you call that)... you could
> DT> recursively iterate as deep as your mail size allows you to...
>
> It's possible. Could it get ugly? Yes. Do we just want to shut our
> eyes and say "let's not go there"... well... maybe. I just don't think
> the solution is to say, "this can never happen... we must limit all
> handheld devices to sitting behind a NAT gateway."
>
> DT> hope this thread will not end in a router behind a router that
> DT> serves as a router serving as a router to another router which has
> DT> some other routers connected...
>
> God forbid! We might have a network on our hands!
>
> --
> /*===[ Jake Khuon [EMAIL PROTECTED] ]==+
> | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
> | for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
> +=*/
RE: DDOS attacks and Large ISPs doing NAT?
jon, 1000x ack

and for all: i think this MOTD is something very close to the isp nat thread :)

    There are only 10 types of people in this world:
    those who understand binary, and those who don't.

(Credits to Theodore Tzevelekis/Cisco)

deejay

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.

> -----Original Message-----
> From: Mansey, Jon [mailto:[EMAIL PROTECTED]]
> Sent: 2 May 2002 19:31
> To: [EMAIL PROTECTED]
> Subject: RE: DDOS attacks and Large ISPs doing NAT?
>
> To merge these 2 great threads, it is the case, is it not, that NAT is
> a great way to avoid DDOS problems. I don't even want to imagine what
> the billing/credit issues would be like if your always-on phone with a
> real IP is used as a zombie in a DDOS. "Hey I didn't use all that
> traffic last month..." etc etc
>
> I still maintain, since the last time this was on Nanog, that real IP
> addresses should not be entrusted to the great unwashed.
>
> And as for NAT breaking applications, I think it's time the
> applications wised up and worked around the NAT issues. Look, if your
> application is important enough to you as the developer, you are going
> to want it to penetrate and work for as many ppl as possible right?
> Office workers, home users with gateways, GPRS/GSM/3G cell users etc
> etc. So you make it use protocols that traverse NAT without breaking.
> Look at the streaming media players out there, they try to use, in
> order, multicast (the most efficient and best quality), UDP, TCP then
> HTTP. If it can't get a connection with any of the first protocols, it
> falls back to http, and you get your stream. When you look at the
> economics of usability of your app, I think you're going to want to
> make it work through firewalls.
>
> Jm
Re: DDOS attacks and Large ISPs doing NAT?
NAT will not help you in this case; in opposition, NAT will create the SINGLE bottleneck (the NAT router itself) which can not be easily upgraded (you can install 10 web servers instead of one; but you can not install 10 NATs).

NAT is good for the outgoing calls or to allow a single service to be visible outside of your network. But it's useless for the broadband service - static NAT is equivalent to simply filtering out all unused ports on your server. You can think about a NAT + DNS combination (so that your IP address migrates and a DDOS attack can not succeed without consulting DNS); NAT itself (as IP / port + IP translation) can not prevent DDOS because DDOS is directed to the service point (IP + protocol + port) which should be well known to allow the service itself.

----- Original Message -----
From: Mansey, Jon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 02, 2002 10:30 AM
Subject: RE: DDOS attacks and Large ISPs doing NAT?

> To merge these 2 great threads, it is the case, is it not, that NAT is
> a great way to avoid DDOS problems. I don't even want to imagine what
> the billing/credit issues would be like if your always-on phone with a
> real IP is used as a zombie in a DDOS. "Hey I didn't use all that
> traffic last month..." etc etc
>
> I still maintain, since the last time this was on Nanog, that real IP
> addresses should not be entrusted to the great unwashed.
>
> And as for NAT breaking applications, I think it's time the
> applications wised up and worked around the NAT issues. Look, if your
> application is important enough to you as the developer, you are going
> to want it to penetrate and work for as many ppl as possible right?
> Office workers, home users with gateways, GPRS/GSM/3G cell users etc
> etc. So you make it use protocols that traverse NAT without breaking.
> Look at the streaming media players out there, they try to use, in
> order, multicast (the most efficient and best quality), UDP, TCP then
> HTTP. If it can't get a connection with any of the first protocols, it
> falls back to http, and you get your stream. When you look at the
> economics of usability of your app, I think you're going to want to
> make it work through firewalls.
>
> Jm
>
> > -----Original Message-----
> > From: Jake Khuon [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 02, 2002 1:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Large ISPs doing NAT?
> >
> > ### On Thu, 2 May 2002 10:42:01 +0200, Daniska Tomas [EMAIL PROTECTED]
> > ### casually decided to expound upon [EMAIL PROTECTED] the following
> > ### thoughts about "RE: Large ISPs doing NAT?":
> >
> > DT> and what if one of the devices behind that phone would also be a
> > DT> personal ip gateway router (or how you call that)... you could
> > DT> recursively iterate as deep as your mail size allows you to...
> >
> > It's possible. Could it get ugly? Yes. Do we just want to shut our
> > eyes and say "let's not go there"... well... maybe. I just don't think
> > the solution is to say, "this can never happen... we must limit all
> > handheld devices to sitting behind a NAT gateway."
> >
> > DT> hope this thread will not end in a router behind a router that
> > DT> serves as a router serving as a router to another router which has
> > DT> some other routers connected...
> >
> > God forbid! We might have a network on our hands!
> >
> > --
> > /*===[ Jake Khuon [EMAIL PROTECTED] ]==+
> > | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
> > | for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
> > +=*/
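Added example, not code from any poster: a toy model in Python of the distinction drawn in this reply and in the earlier "NAT is not a firewall" exchange. A port-translating NAT (PNAT/NAPT) forwards inbound packets only when they match state created by outbound traffic, while static 1:1 NAT forwards every inbound packet to the inside host, so protecting an inbound service still takes an explicit firewall rule. All addresses are constructed, and `PortNat`, `StaticNat` and `inbound_policy` are the example's own names.

```python
"""Toy model of the two NAT flavours argued over in this thread.

Constructed example, not code from the thread: PNAT/NAPT forwards inbound
packets only when they match a mapping created by earlier outbound traffic;
static 1:1 NAT forwards every inbound packet, so an inbound service still
needs a real firewall rule in front of it.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortNat:
    """Dynamic NAPT: one public address; state exists only for flows that an
    inside host opened first."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, inside_ip, inside_port) -> public_port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public_port) -> (inside_ip, inside_port)
        self._back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:  # first packet of a flow allocates a port
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self._back.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None  # no outbound state for this port: dropped
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


class StaticNat:
    """1:1 static NAT: fixed public/private pair, ports left untouched."""

    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        return replace(pkt, dst_ip=self.private_ip)  # forwarded unconditionally


def inbound_policy(pkt: Optional[Packet], allowed_ports: Set[int]) -> Optional[Packet]:
    """Stateless inbound filter: the firewall rule that static NAT cannot replace."""
    if pkt is None or pkt.dst_port not in allowed_ports:
        return None
    return pkt


def simulate() -> Dict[str, bool]:
    """Run the scenarios the thread argues about and report each outcome."""
    phone = "10.0.0.7"       # constructed inside address of the handset
    web = "198.51.100.10"    # constructed web server the handset browses to
    probe = "203.0.113.5"    # constructed outside host sending unsolicited traffic
    napt = PortNat("192.0.2.1")
    static = StaticNat("192.0.2.2", phone)

    # 1. Handset opens a connection; NAPT creates a mapping; the reply flows back.
    out = napt.outbound(Packet(phone, 51000, web, 80))
    reply = napt.inbound(Packet(web, 80, out.src_ip, out.src_port))
    # 2. Unsolicited packet to the NAPT address: no mapping, so it is dropped.
    to_napt = napt.inbound(Packet(probe, 4444, napt.public_ip, 22))
    # 3. Same packet against static NAT: delivered straight to the handset.
    to_static = static.inbound(Packet(probe, 4444, static.public_ip, 22))
    # 4. Static NAT plus an explicit inbound rule: only the offered service passes.
    allowed = {443}
    svc = inbound_policy(static.inbound(Packet(probe, 4444, static.public_ip, 443)), allowed)
    other = inbound_policy(static.inbound(Packet(probe, 4444, static.public_ip, 22)), allowed)

    return {
        "napt_reply_delivered": reply is not None and (reply.dst_ip, reply.dst_port) == (phone, 51000),
        "napt_unsolicited_dropped": to_napt is None,
        "static_unsolicited_forwarded": to_static is not None and to_static.dst_ip == phone,
        "static_with_rule_service_ok": svc is not None and svc.dst_port == 443,
        "static_with_rule_other_blocked": other is None,
    }
```

Calling `simulate()` returns a dict whose every value is True; the NAPT table is also the single point of state the reply above warns about, since every inside flow must pass through it.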
RE: DDOS attacks and Large ISPs doing NAT?
Unless I'm mistaken (entirely possible), an IP enabled phone has 2 distinct and separate stacks, the IP stack and the phone stack. As I said, in a NAT'd scenario the IP stack will never see an unsolicited request and hence not respond to it. The phone side of course will ring when called. Duh.

GPRS VoIP (yet)

Jm

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 11:26 AM
> To: Mansey, Jon
> Cc: [EMAIL PROTECTED]
> Subject: Re: DDOS attacks and Large ISPs doing NAT?
>
> On Thu, 02 May 2002 11:06:33 PDT, Mansey, Jon said:
> > The DDOS discussion is specifically referring to a live syn or
> > syn/ack attack from hosts that respond to connection requests. A
> > NAT'd cell phone won't, can't ever, respond to an unsolicited
> > connection request.
>
> *RING*!! *RING*!! Oh, I'm sorry, that was the clue phone ringing - it
> couldn't be your phone, since it wouldn't answer an unsolicited
> connection request
>
> You were saying?
>
> (To fill in the blanks - get a trojan loaded into the cellphone/PDA
> combo, and then send it a page telling it who/what to attack).
>
> --
> Valdis Kletnieks
> Computer Systems Senior Engineer
> Virginia Tech
RE: DDOS attacks and Large ISPs doing NAT?
> -----Original Message-----
> From: Gary E. Miller [mailto:[EMAIL PROTECTED]]
> Sent: 2 May 2002 20:00
> To: Mansey, Jon
> Cc: [EMAIL PROTECTED]
> Subject: RE: DDOS attacks and Large ISPs doing NAT?
>
> Who says a NATed host can not be a zombie? Get the NATed host to read
> an email virus. The virus then connects to an IRC channel that tells
> the zombie when to spew.

recursion again. the point was just about minimizing, not about completely avoiding. for every solution you do a new exploit will be invented in a short time, no matter how great the patch is

> Each phone would not spew much, but imagine you got 100M phones to do
> your DDoS for you...

it's not about the number of phones but about capacity of the network

even if you have 1k phones on one gsm sector they still only can generate as much as the radio allows for. how many channels you suppose to be available for gprs for the whole sector? three? four? several? maybe if you're optimistic enough. i definitely would not consider gprs being a broadband service.

then - there are loads of different portable device on the market now and the diversity will increase. how would you manage to load your ddos clients to all these kinds of devices? in the end you maybe will get a few % (if lucky and tricky enough) of the portables. compare it to the aggregate traffic the whole gprs network could generate (not that much) and i don't think you can talk about a ddos in scale we are used to today

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: DDOS attacks and Large ISPs doing NAT?
On Thu, 02 May 2002 11:32:48 PDT, Mansey, Jon said:
> As I said, in a NAT'd scenario the IP stack will never see an unsolicited request and hence not respond to it. The phone side of course will ring when called. Duh.

That's the *point*. You hand the phone a trojan/virus/whatever when it's making an OUTBOUND connection on the NAT side (for instance, if the PDA side is checking mail, feed it a trojaned piece of mail). You then have the trojan drop you a note "Oh, and my phone number is XXX-". Then, when it's time to attack somebody, you send the phone a page that tells the trojan "Hey XXX-, wake up and pound on victim address whatever". With proper encoding of the page, the phone's owner may even just say "Damn, more bleeping Korean spam in characters I can't read", and not notice that 45 seconds later, the phone starts chirping away by itself

The point is that you can contact the phone via *non-NAT* means and have it launch an attack - the fact you can't wake it up via NAT can be worked around.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Large ISPs doing NAT?
On Wed, 1 May 2002 11:00:01 -0400 (EDT) mike harrison [EMAIL PROTECTED] wrote:
> Almost? I'd say it's hands down an EXCELLENT reason. In some configs though, the NAT'd people can still see each other and cause problems, but it still cuts down the exposure.

As well as perpetuates the neglect for fixing the real problem.

John
Re[2]: DDOS attacks and Large ISPs doing NAT?
On Thu, 2 May 2002 15:40:57 -0400 Bradley Dunn [EMAIL PROTECTED] wrote:
> Some vendors bundle firewall functionality with NAT functionality, just as some vendors bundle SNA with IP.

some vendors actually sell NAT devices that say "firewall" on the outside of the box.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
Re: Large ISPs doing NAT?
At 01:20 AM 5/2/2002 -0700, Scott Francis wrote:
> The average customer buying a web-enabled phone doesn't need a publicly-routeable IP. I challenge anybody to demonstrate why a cell phone needs a public IP. It's a PHONE, not a server.

I'm not buying a phone I can't run ssh from. End of story. My current phone does all that and more. Why step back into the dark ages of analog-type services?

Best Regards,
Simon
Re: Large ISPs doing NAT?
At 11:34 AM -0700 5/2/02, Scott Francis wrote:
>> And what if I want to invent the next big thing? A game, that people play in real time, with their palm-sized gizmo. What if that game can't be made scalable unless those devices have real IPs? What if that game is the catalyst that causes a million more customers to go buy a gizmo from Cingular?
>
> That's a lot of ifs. As one other person wrote, IPv6 will probably be the answer here - the only question is, how long it will be before it becomes de facto (i.e. all standard networks support and transit it, by default), and how much pain we will have to endure before this is the case.

Well, I'm looking at it from Cingular's perspective. They want to roll out a new service. They want to make more money off it than from the old service. They're willing to invest a bunch of money in new equipment if it means they'll get enough people to sign up to pay for it. This service is called GPRS. If IPv6 is the answer, and it isn't available until the _next_ iteration of this process, then _this_ iteration isn't going to be as profitable as it could be. Cingular isn't going to redesign their backend a year from now just because IPv6 is suddenly usable.

Mobile-IP devices are all about bringing the Internet to your pocket. That doesn't mean just the web! The web is UI optimized for a desktop machine. Who knows what specific applications might be developed for a user accessing the Internet from a device the size of a bar of soap? What if I want to write CUSeeMe for mobile phones? Or a scavenger hunt game? Something that takes advantage of the mobility rarely found by a desktop user? It is these _form factor specific_ applications that will drive the sales of devices that utilize this new network. Surfing the web is just the tip of the iceberg that everyone already understands. If that's the only application enabled by GPRS, then I don't foresee GPRS phones selling in leaps and bounds.

It seems like providers would be spending a whole lot of money to upgrade their network for just one new application that only a few customers are asking for.

>> I have yet to see any good argument for why mobile-IP providers should use NAT instead of routable space. And no, "because they might get rooted" is not a good reason. That's the responsibility of the device designers, NOT THE NETWORK.
>
> And I still have yet to hear a convincing argument for why _right now_, NAT is not, at the least, a workable solution to this issue. It can surely hold us for a year or three until IPv6 has become the standard. (that timeframe may be a bit optimistic ...) Given current devices and technology, why is NAT not a temporary solution?

A temporary solution to what problem? Assuming the network can distribute NATed addresses, why can't it distribute real ones? Maybe I'm missing something. John Beckmeyer didn't say why they were looking into using NAT, he only asked if anyone else was using it on this scale. The presumption of the first several responders was that it was to conserve addresses, which they pointed out is not actually necessary. I'm hoping that was the case, and that maybe the choice of NAT can be revisited...

-pmb
Re: Large ISPs doing NAT?
On Thu, 2 May 2002, Jake Khuon wrote:
> Time to start thinking a little further down the line. What if the phone actually becomes a wireless IP gateway router?

Yuck. Current WAP-based phones can't even do websites well. I've not been privy to 3G tests, so I don't know if GPRS/CDMA 1x does better. Of course, some of that is phone-specific. My Verizon Wireless Qualcomm 860's web browser always responded much more quickly than my current VZW Nokia 3285's, and both phones feature microbrowsers authored by the same company (Phone.com/Openwave).

-- 
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: Large ISPs doing NAT?
I don't know if this is an annual argument yet, but the frog is in the pot, and the flame is on. Guess who's playing the part of the frog? Answer: ISPs who do this sort of thing.

Value added security is a nice thing. Crippling Internet connections will turn the Internet into the phone company, where only the ISP gets to say what services are good and which ones are bad. While an ISP might view it appealing to be a baby bell, remember from whence we all come: the notion that the middle should not inhibit the endpoints from doing what they want.

You find this to be a support headache? Offer a deal on Norton Internet Security or some such. Offer to do rules merges. Even offer a provisioning interface to some access-lists. Just make sure that when that next really fun game is delivered on a play station that speaka de IP your customers can play it, and that you haven't built a business model around them not being able to play it.

Eliot

mike harrison wrote:
> [snip]
Re: Large ISPs doing NAT?
On Wed, 01 May 2002 14:55:02 PDT, Eliot Lear said:
> some access-lists. Just make sure that when that next really fun game is delivered on a play station that speaka de IP your customers can play it, and that you haven't built a business model around them not being able to play it.

There was a reason I said *ALMOST*. ;) Thanks, Eliot.
Re: Large ISPs doing NAT?
At 3:03 PM -0700 5/1/02, Scott Francis wrote:
> On Wed, May 01, 2002 at 02:55:02PM -0700, [EMAIL PROTECTED] said:
>> I don't know if this is an annual argument yet, but the frog is in the pot, and the flame is on. Guess who's playing the part of the frog? Answer: ISPs who do this sort of thing. Value added security is a nice thing. Crippling Internet connections will turn the Internet into the phone company, where only the ISP gets to say what services are good and which ones are bad. While an ISP might view it appealing to be a baby bell, remember from whence we all come: the notion that the middle should not inhibit the endpoints from doing what they want. You find this to be a support headache? Offer a deal on Norton Internet Security or some such. Offer to do rules merges. Even offer a provisioning interface to some access-lists. Just make sure that when that next really fun game is delivered on a play station that speaka de IP your customers can play it, and that you haven't built a business model around them not being able to play it.
>
> As long as it is _clear_ from the get-go that customers behind NAT are getting that service, and not publicly-routable IP space, I don't see the problem. If they don't like it, they don't have to sign up to begin with - as long as there is no doubt as to what kind of service they're getting, there shouldn't be a problem (legally, at any rate).

You've got to be kidding. Do you think it's clear to the average consumer buying a GPRS phone what NAT is, and why they might or might not want it? Do you think the use of NAT will be explained to these customers? Or clearly stated in 5pt text on page 17 of the service agreement?

IMHO, as one of the people who will likely be using Cingular's GPRS network with a Danger HipTop, I _strongly_ hope they choose to use routable address space instead of NAT. I would hate for NAT to be an impediment to some cool new app no one has thought of yet because these gizmos aren't in widespread use yet.

> This is not to say that if, as Eliot posits, the next Big Thing on the market requires public IPs that your customer base won't all jump ship. That's a risk that providers will have to weigh against the benefits of NAT.

I'm more concerned that if the major metropolitan markets deploying GPRS all use NAT, then the Next Big Thing won't ever happen on GPRS devices. Customers won't jump ship if they have nowhere to jump to. That might sound attractive to the bean counters, but think of the customers you might never get in the first place. Also, I don't see how deploying NAT could be a cost savings over requesting real IP space.

-pmb

-- 
Ring around the Internet,   | Peter Bierman [EMAIL PROTECTED]
Packet with a bit not set   | http://www.sfgoth.com/pmb/
SYN ACK SYN ACK,            | Nobody realizes that some people expend
We all go down. -A. Stern   | tremendous energy merely to be normal. -Al Camus
Re: Large ISPs doing NAT?
I think a lot of the GPRS stuff is heading towards IPv6 w/IPv4 gatewaying.

The NAT issue has certainly resulted in quite a few disgruntled satellite customers (I'm thinking here primarily of direcpc.com) who're willing to put up with the large latencies, but get really irate when their apps won't work via NAT, or who want to run RFC1918 space for a LAN at home, then find out that lots of stuff can't stand being NATted twice.

-- 
Roland Dobbins [EMAIL PROTECTED] // 650.776.1024 voice

Central databases already exist. Privacy is already gone. -- Larry Ellison, CEO of Oracle Corporation

On Wed, 2002-05-01 at 16:07, Peter Bierman wrote:
> [snip]
RE: Large ISPs doing NAT?
On Wed, 1 May 2002, Deepak Jain wrote:
> I'm more concerned that if the major metropolitan markets deploying GPRS all use NAT, then the Next Big Thing won't ever happen on GPRS devices. Customers won't jump ship if they have nowhere to jump to.

The only people who'd be deploying GPRS are GSM cellular providers, no? Verizon and Sprint PCS, in particular, are not using GPRS, but migrating to CDMA-based 3G cellular technologies. I don't know that those technologies use CDMA.

And of course, there are still markets like my very own hometown (2nd largest city in Ohio) that don't have GSM yet (even though #1 and #3 do). VoiceStream is supposedly launching their GSM network in Cleveland (*snort* I've heard that before). But they're not here yet, ATT is nowhere near doing GSM here as far as I know, and Cingular's network here (former AmeriBlech Cellular) is TDMA.

I could be completely off base, of course. Being a customer of Sprint PCS and Verizon, and a former customer of Alltel and Northcoast PCS, I've not had much reason to follow GSM developments; every one of the companies I've used runs CDMA. Feel free to correct me if I am wrong.

-- 
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
The Indians are unfolding into the 2002 season like a lethal lawn chair. (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
Re: Large ISPs doing NAT?
On Wednesday, May 1, 2002, at 10:33 , Steven J. Sobol wrote:
> On Wed, 1 May 2002, Deepak Jain wrote:
>> I'm more concerned that if the major metropolitan markets deploying GPRS all use NAT, then the Next Big Thing won't ever happen on GPRS devices. Customers won't jump ship if they have nowhere to jump to.
>
> The only people who'd be deploying GPRS are GSM cellular providers, no?

The concern exists regardless of the specifics of the always-on, cellular packet radio protocols being used, surely?

> [GSM coverage is patchy in the US]

It's prevalent elsewhere. I'd be surprised if there aren't more GSM subscribers in the world than non-GSM subscribers.

Joe
Re: Large ISPs doing NAT?
> It's a lack of IP Address Space - and the numbers I gave - 10's of thousands are probably a bit on the small side - in short order it will be multiples of 100,000 IP addresses.

That's a small quantity. Just fill out your RIR's form, and if you need the space, you'll get it. There's no lack.

-Bill
Re: Large ISPs doing NAT?
On Monday, 2002-04-29 at 08:43 MST, Beckmeyer [EMAIL PROTECTED] wrote:
> Is anybody here doing NAT for their customers?

I hope not. If you're NATing your customers you're no longer an ISP. You're a sort-of-tcp-service-provider (maybe a little udp too). NAT (PAT even more so) breaks so many things that it would be unconscionable to advertise as an ISP. Even some tcp apps fail under NAT. The NAT box may include a number of fix-ups but such will never be equivalent to giving the customer a public address.

An Internet Service Provider gives the customer a full connection to the Internet. All IP protocols should work.

I'm in favor of using NAT only where there is a good argument for it and the customers are given the straight story about what they're buying and what it won't be able to do. Don't call yourself an ISP.

Tony Rall
RE: Large ISPs doing NAT?
-Original Message-
From: Tony Rall [mailto:[EMAIL PROTECTED]]
Sent: 30 April 2002 19:59
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

> On Monday, 2002-04-29 at 08:43 MST, Beckmeyer [EMAIL PROTECTED] wrote:
>> Is anybody here doing NAT for their customers?
>
> I hope not. If you're NATing your customers you're no longer an ISP. You're a sort-of-tcp-service-provider (maybe a little udp too). NAT (PAT even more so) breaks so many things that it would be unconscionable to advertise as an ISP. Even some tcp apps fail under NAT. The NAT box may include a number of fix-ups but such will never be equivalent to giving the customer a public address.

well.. yes and no. depends on definition and how you set the services. i don't know how you treat this in u.s. but in europe gprs is mostly considered being a value-added service to gsm instead of a real internet connectivity replacement. if you think of gprs a bit it will never have enough capabilities to serve as a full-time inet service. it's a great solution for accessing your data remotely but it's very limited in means of capacity and then you have those 'pdp-contexts' or how they call it. it's just another acronym for a vpn... if a corporate user requires full ip connectivity then why not give him a vpn uplink directly to their hq and the users can safely use private addresses according to corporate policy. in this way gprs is very similar to mpls. i have worked on gprs-mpls vpn integration and it works just fine.

> An Internet Service Provider gives the customer a full connection to the Internet. All IP protocols should work.

you also may give the [common] user an opportunity to have 'limited' service set (so you can use private addresses + nat/pat) for lower price or pay a bit more for 'full' service. i think the 'limited' in real life can safely cover requirements of 95% of the customers. do you think they will download mp3's and avi's via gprs? how? :)) from my point of view if you cover http, e-mail and various similar services you will provide most users with more than they ever would expect, wouldn't you?

> I'm in favor of using NAT only where there is a good argument for it and the customers are given the straight story about what they're buying and what it won't be able to do. Don't call yourself an ISP.
> ...
> Tony Rall

deejay

-- 
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: Large ISPs doing NAT?
On Monday, 2002-04-29 at 08:43 MST, Beckmeyer [EMAIL PROTECTED] wrote:
>> Is anybody here doing NAT for their customers?

Tony Rall:
> If you're NATing your customers you're no longer an ISP. You're a sort-of-tcp-service-provider (maybe a little udp too). NAT (PAT even more

Depends on scale and application. We have lots of customers that we NAT, one way or another. And a lot more that we don't. Some customers WANT to 'just see out' and they like all the 'weird stuff turned off'. Sometimes it's a box at the customer's end, sometimes it's NAT'd IPs on the dial-up/ISDN/FracT1/T1/Wireless connection itself.

Saying we are not an ISP because we do some NAT is a little harsh. Giving the customer options and making things work (when done right, and explained properly; we have no sales droids) is good business and I think good for the 'net. It gives the clueless (and sometimes clueful) just a little more isolation. What is wrong is NAT'ing when you should not.
Large ISPs doing NAT?
Is anybody here doing NAT for their customers?

I'm looking at a situation where I may have to provide NAPT for tens of thousands of users and am curious as to what hardware is being used, how well it scales, what kind of loads it takes such as: throughput, max simultaneous sessions experienced, session establishment rates, avg # of sessions per user, ALGs you've found necessary, number of sessions supported per public realm IP in reality.

I've done a survey of firewall, switch, and router companies so I have their reported numbers and I've done a bit of testing in my lab and have found that reported numbers do not necessarily translate into what the box will experience in something resembling a production network. This is why I'm asking this group - reality can bite!

A second area of concern I have is how to enforce AUPs when your users' appearance can be *very* transitive, making tracking back the offender nearly impossible.

Any small piece of help, advice, or pointer would be most appreciated. Thanks most much.

John Beckmeyer [EMAIL PROTECTED]
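An added example, not code from the thread or from anyone in it, for the AUP-tracking problem John raises: given NAPT translation logs and an abuse report naming a public IP, a time and (ideally) a port, work out which private-realm subscriber held that mapping. The log format, addresses and log lines are constructed for the example; real NAT boxes log in their own formats, so the parser is an assumption.

```python
"""Trace an abuse report back through NAPT translation logs to a subscriber.

Constructed log format (an assumption, not any vendor's):
  <UTC timestamp> <create|delete> <proto> <inside ip:port> -> <outside ip:port> dst <ip:port>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>create|delete) (?P<proto>tcp|udp) (?P<inside>\S+) -> "
    r"(?P<outside_ip>[\d.]+):(?P<outside_port>\d+) dst (?P<dst>\S+)$"
)


@dataclass
class Mapping:
    start: datetime
    end: Optional[datetime]   # None while the mapping is still open
    proto: str
    inside: str               # subscriber's private-realm ip:port
    outside_ip: str           # public-realm address shared by many subscribers
    outside_port: int
    dst: str


# Constructed sample log. Public port 40001 is reused by a second subscriber
# four seconds after the first mapping is torn down: "who had 192.0.2.1 at
# ten o'clock?" cannot be answered without the port and an accurate time.
SAMPLE_LOG = """\
2002-05-01T10:00:00Z create udp 10.0.0.5:1024 -> 192.0.2.1:40001 dst 198.51.100.7:53
2002-05-01T10:00:05Z create tcp 10.0.0.9:3211 -> 192.0.2.1:40002 dst 198.51.100.20:80
2002-05-01T10:00:06Z delete udp 10.0.0.5:1024 -> 192.0.2.1:40001 dst 198.51.100.7:53
2002-05-01T10:00:10Z create tcp 10.0.0.12:3300 -> 192.0.2.1:40001 dst 198.51.100.20:80
2002-05-01T10:05:00Z delete tcp 10.0.0.9:3211 -> 192.0.2.1:40002 dst 198.51.100.20:80
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_mappings(log_text: str) -> list:
    """Pair create/delete lines into Mapping records; unmatched creates stay open."""
    open_maps = {}
    mappings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored rather than guessed at
        key = (m["proto"], m["inside"], m["outside_ip"], int(m["outside_port"]), m["dst"])
        if m["op"] == "create":
            open_maps[key] = parse_ts(m["ts"])
        elif key in open_maps:
            mappings.append(Mapping(open_maps.pop(key), parse_ts(m["ts"]), *key))
        # a delete with no matching create (rotated log) is dropped
    mappings.extend(Mapping(start, None, *key) for key, start in open_maps.items())
    return mappings


def find_subscribers(mappings, outside_ip, when, outside_port=None, proto=None, skew_seconds=0):
    """Sorted private addresses whose mappings cover the report.

    More than one result means the report is ambiguous: go back to the
    complainant for the source port and an accurate timestamp.
    """
    skew = timedelta(seconds=skew_seconds)  # clock drift between reporter and NAT box
    hits = set()
    for mp in mappings:
        if mp.outside_ip != outside_ip:
            continue
        if outside_port is not None and mp.outside_port != outside_port:
            continue
        if proto is not None and mp.proto != proto:
            continue
        if when < mp.start - skew:
            continue
        if mp.end is not None and when > mp.end + skew:
            continue
        hits.add(mp.inside.split(":")[0])
    return sorted(hits)


MAPPINGS = load_mappings(SAMPLE_LOG)

if __name__ == "__main__":
    report_time = parse_ts("2002-05-01T10:00:30Z")
    print("with port:   ", find_subscribers(MAPPINGS, "192.0.2.1", report_time, 40001))
    print("without port:", find_subscribers(MAPPINGS, "192.0.2.1", report_time))
```

Keeping these logs at all, with retention long enough to answer a complaint, is the other half of the problem; the lookup is useless once the records have rotated away.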
Re: Large ISPs doing NAT?
On Mon, 29 Apr 2002 08:43:11 -0700 Beckmeyer [EMAIL PROTECTED] wrote:
> Is anybody here doing NAT for their customers?
> [snip]

Is the whole problem just a lack of address space, or is there something more you are trying to do?

Regards
Marshall Eubanks
Re: Large ISPs doing NAT?
Marshall et al,

It's a lack of IP Address Space - and the numbers I gave - 10's of thousands are probably a bit on the small side - in short order it will be multiples of 100,000 IP addresses. To start with, I'm willing to think in terms of 10's of thousands spread over a handful of POPs.

The application is GPRS (aka 2.5/3G cellular) and each Internet connected user or some major subset of them will likely wind up with an address on their mobile device.

- JB
Re: Large ISPs doing NAT?
On Mon, 29 Apr 2002 09:08:16 -0700 Beckmeyer [EMAIL PROTECTED] wrote:
> Marshall et al,

Dear JB;

1.) Dare I suggest that you use IPv6 ? It should make a great NAT.

2.) If you are interested in having content put on your wireless devices I would like to talk off line.

Regards
Marshall Eubanks

> [snip]