AND we spells it gooad twooz!

On Wed, Oct 28, 2009 at 5:39 PM, Tom DeReggi <wirelessn...@rapiddsl.net> wrote:
> Matt,
>
> I find it incredibly interesting and clever that you have managed to
> operate your network on private IP addresses.
> However, the problem you are running into now is one common reason
> others have given in to using public IP addresses.
>
> Having public IPs throughout your transport network is not necessary, we
> use all private IPs for all our radios.
> But there is a large risk not giving end users, or small groups of end
> users their own public IP space.
> The inherent problem is, that if one person causes an AUP violation, it
> risks ALL subs.
> There becomes a point where you grow large enough that your volume then
> increases the chances of someone making a violation, where that risk puts
> too many existing customers at risk to everyone else.
>
> The two most common situations are...
> Sending Email. and
> Reported as a BitTorrent user.
>
> Large ISPs are becoming much quicker to simply immediately block an IP
> assumed to be a potential threat.
>
> The risk can be reduced by dividing your network into multiple smaller
> groups and assigning multiple public IPs each to one of these groups.
> Now when there is a problem, fewer customers are affected, and lower odds
> that group will have one detected.
>
> I can tell you in our world, if we have a business sub get their traffic
> blocked/compromised because of the usage of another business, it quickly
> leads to letter of cancellation. It's a common reason that WISPs will
> eventually convert to public IPs, and leverage BGP to bypass being held
> hostage by upstream providers.
> But even still it adds a level of inflexibility for internal network IP
> assignment.
>
> Ironically, you probably have less BitTorrent problems, considering your
> Private IP scheme.
>
> What this really is is a NetNeutrality issue. Yahoo, Google, and Hotmail
> have the rights to methods of Network Management.
> And there is a consensus between them that this method of network
> management is an acceptable best practice, and it's your problem if you
> NAT all your users to a few IPs.
>
> You'll also see problems with poor rankings with "IP Reputation" methods
> of Anti-spam.
>
> Another issue to consider is that Hotmail, Yahoo, and Google prefer to
> know exactly where the end user resides, so they can better direct
> advertisement.
> NATing your customer base to a single NOC location, is disruptive to
> their long term advertising goals for target marketing. It's likely this
> battle won't end here with this incident.
>
> IF your problems are primarily Email related, you can try to sign up for
> feedback loops to help, and make sure SPF records are valid, valid PTRs
> and stuff. But if just to web sites, well, not sure there is an answer
> other than to change the source IP address for the traffic. In that
> scenario you may want to set up some sort of load balancing routine, to
> redirect outbound sessions to different source IPs or Proxy servers.
>
> A problem where we see it is with Hotels. We'll give a few IPs to the
> Hotel, and then NAT to all their rooms. When one of the overnight guests
> decides to download a copyrighted movie, we get an AUP notice, and have
> to react. Obviously for a Hotel, we have no way to contact that
> subscriber or know who it is for Hotel confidentiality reasons. Sometimes
> upstreams might just block that Public IP that serves them, if they
> didn't like our answer. Then the whole Hotel will have problems. (The
> preferred solution is for us to block access to the offending host
> site). This is one reason many Hotel Hotspot providers try to ask for
> full Class C PUBLIC IP blocks for their circuits. Then only the one room
> gets blocked if they violate AUP. This has not been a big problem,
> because my upstream is easy to work with and rarely blocks traffic. But
> this situation demonstrates my point.
>
> Good luck with it.
>
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband
>
>
> ----- Original Message -----
> From: "Matt Larsen - Lists" <li...@manageisp.com>
> To: "WISPA General List" <wireless@wispa.org>
> Sent: Wednesday, October 28, 2009 3:22 PM
> Subject: Re: [WISPA] NAT issue with Hotmail/Yahoo/Google
>
>
> > I believe that we have fixed this by using the StarOS policy routing to
> > split up some of our subnets to SourceNAT through a different IP address
> > on our NAT server.
> >
> > If we are going to get into the public vs. privates discussion, well....
> >
> > I have used NAT for customer IP addresses from day 1. I used to use
> > publics, but it was a tremendous pain in the ass, and would be very
> > difficult to implement on my current network design (routed subnets at
> > every single location) so I have no interest in giving each customer
> > their own public IP address. There are about 160 private subnets on
> > the access points in my network, so I have no intention of switching to
> > publics anytime soon. I also loathe PPPoE and have worked with a
> > couple of people who tried to convert to it and converted back as soon
> > as they could because it just didn't work as well as advertised. YMMV,
> > but I'm just fine not using it.
> >
> > NAT has been very beneficial to my customers as a whole, since they are
> > not directly exposed to the Internet and we have far fewer
> > virus/trojan/backdoor issues because of it. We do have a few folks
> > who need a public IP, and route several subnets of public IP addresses
> > out to towers where public IP addresses are needed. That is fine with
> > me, because we charge extra for the IP addresses. Just another reason
> > for power users to move up the pricing ladder if they want the extras.
> >
> > Not using publics has also been a godsend as far as maintaining
> > flexibility between backbone providers and utilization of secondary
> > links in the event of failures.
> > Sometime in the next month, I'm
> > switching my primary backbone to go through a new provider that is
> > delivering 50meg for the same price that I was previously paying for 15.
> > Moving traffic to that backbone will be as simple as changing one line
> > in a policy routing statement. If I was using publics, I would still
> > be stuck with the previous provider. I don't like being hostage to
> > outside network providers if I can avoid it. In addition to my primary
> > backbone link, I also have backbone links with two other neighboring
> > WISPs and the ability to route traffic to the Internet through them in
> > the event of an outage on my network between my APs and my NOC. They
> > can do the same thing through my network. Just last week, a set of
> > rolling power outages took out two towers that were the redundant paths
> > to five APs on the far eastern side of my network. OSPF figured it out
> > and routed them out through my neighbor's network until the towers came
> > back up and it switched back. Same thing happened on his network last
> > month, and we handled the majority of his traffic until his backbone
> > link was back up. That is not a very simple thing to implement with
> > public IP addresses, but it was pretty easy to make it happen with
> > privates.
> >
> > So yeah, I have my reasons for using NAT. Switching to publics is a
> > rhetorical answer, not a useful one.
> >
> > Matt Larsen
> > vistabeam.com
> >
> >
> > Mike Hammett wrote:
> >> I believe Matt has around 5k subs, maybe I'm wrong. At 5k subs, his
> >> cost per year per IP address is $0.45. That's under $0.04/month. I'd
> >> consider that a reasonable expense.
> >>
> >> -----
> >> Mike Hammett
> >> Intelligent Computing Solutions
> >> http://www.ics-il.com
> >>
> >> --------------------------------------------------
> >> From: "Scott Reed" <scottr...@onlyinternet.net>
> >> Sent: Wednesday, October 28, 2009 1:23 PM
> >> To: "WISPA General List" <wireless@wispa.org>
> >> Subject: Re: [WISPA] NAT issue with Hotmail/Yahoo/Google
> >>
> >>> <RANT>
> >>> So, as with so much that goes on the lists, not just this one, "oh, you
> >>> aren't doing it my way so the fix is do it my way." What a bunch of
> >>> baloney!!
> >>> There are lots of ways to do almost everything we do as ISPs. What
> >>> really needs to happen is for people to read the post, think about what
> >>> the real question is and then, if and only if, they can pose a solution
> >>> to the real problem, post a suggestion.
> >>>
> >>> But, since the only posts I have seen to Matt's is give everyone a
> >>> public address, I have a few questions:
> >>>
> >>> So, who is going to buy Matt a block of IPs to fix this non-NAT issue?
> >>> I ask, because I do as Matt does and if that is the fix, I need someone
> >>> to buy me a block as well.
> >>> But the issue isn't really NAT, is it?
> >>> The real question is how does he deal with the current issue on his
> >>> current network?
> >>>
> >>> </RANT>
> >>>
> >>> Matt Larsen - Lists wrote:
> >>>
> >>>> We are having a problem with certain sites that are rejecting our
> >>>> customers because they say the IP address has sent too much traffic
> >>>> over the last 24 hours. This is a problem, as 98% of our customers are
> >>>> behind a single NATted IP address. I am just changing the IP address
> >>>> of the NAT server every 12 hours now, but am looking for a better
> >>>> solution. Anyone have any similar issues?
> >>>>
> >>>> Matt Larsen
> >>>> vistabeam.com
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>> WISPA Wants You! Join today!
> >>>> http://signup.wispa.org/
> >>>> ------------------------------------------------------------------------
> >>>>
> >>>> WISPA Wireless List: wireless@wispa.org
> >>>>
> >>>> Subscribe/Unsubscribe:
> >>>> http://lists.wispa.org/mailman/listinfo/wireless
> >>>>
> >>>> Archives: http://lists.wispa.org/pipermail/wireless/
> >>>>
> >>> --
> >>> Scott Reed
> >>> Sr. Systems Engineer
> >>> GAB Midwest
> >>> 1-800-363-1544 x4000
> >>> Cell: 260-273-7239
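
Added example, not part of the original thread and not StarOS syntax: the thread's approach of splitting subnets across several source-NAT addresses, so that a block or AUP notice against one public IP touches only one group. It assumes Linux netfilter (`iptables`) as a stand-in for StarOS policy routing; the subnets, the 203.0.113.x addresses, the `eth0` interface and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: six private AP subnets and three public NAT
# addresses from the 203.0.113.0/24 documentation range.
SUBNETS = [f"10.10.{i}.0/24" for i in range(6)]
PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def assign_snat_groups(subnets, public_ips):
    """Deal private subnets round-robin across public source addresses.

    Sorting first keeps the mapping stable for a given subnet list, so an
    abuse notice naming a public IP traces back to the same group.
    """
    nets = sorted(ipaddress.ip_network(s) for s in subnets)
    pool = [ipaddress.ip_address(p) for p in public_ips]
    if not pool:
        raise ValueError("need at least one public IP")
    # After sorting, any overlap shows up between neighbours.
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"overlapping subnets: {a} and {b}")
    return {net: pool[i % len(pool)] for i, net in enumerate(nets)}


def iptables_rules(mapping, wan_if="eth0"):
    """Render one netfilter SNAT rule per subnet (wan_if is an assumption)."""
    return [
        f"iptables -t nat -A POSTROUTING -s {net} -o {wan_if} "
        f"-j SNAT --to-source {ip}"
        for net, ip in mapping.items()
    ]


def subnets_behind(mapping, public_ip):
    """List the private subnets that share the given public source IP."""
    ip = ipaddress.ip_address(public_ip)
    return [str(net) for net, pub in mapping.items() if pub == ip]


if __name__ == "__main__":
    mapping = assign_snat_groups(SUBNETS, PUBLIC_IPS)
    print("\n".join(iptables_rules(mapping)))
    # A block or AUP notice against .11 now touches two subnets, not six.
    print(subnets_behind(mapping, "203.0.113.11"))
```

Keeping the generated mapping alongside NAT logs is what lets an operator narrow a complaint about a public IP down to a group of subnets before looking at per-customer records.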