In testing, I observed opening a website, for instance cnn.com, can cause >200 ports/sessions to fire off. Although many are short-lived sessions, they are port requests nonetheless.

Overall, I use about 1,500 public IPs for 50,000 private IP customers. I allow 3,000 ports per customer ... 30 blocks of 100 each. We started our port blocks at a nice round number, so that each PBA dynamic assignment results in a nice 100-199, next 200-299 .... good for parsing, grep'ing logs for doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, and what appear to be misbehaving hosts (malware, infected, bots, etc., unsure) hit up at the 3,000 max and trigger a ports exceeded error message. I see the 3k port limit as putting a cap on free-running suspicious hosts. We can then investigate and contact the customer of the concern.

-Aaron

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog@nanog.org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target IP:subscriber ratio is, you may be able to eliminate the need for a lot of logging by assigning a range of TCP/UDP ports to a single inside IP so that the TCP/UDP port number implies a specific subscriber.
>
> You can't get rid of all the state tracking without also having the CPE know which ports to use (in which case you might as well use LW4o6 or MAP), but at least you can get it down to where you really only need to log (or block and dole out public IPs as needed) port-less protocols.

I'm wondering if there are any real world examples of this, namely in the realm of subscriber to IP and range of ports required, etc. i.e.: Is a range of 1000 ports enough for one residential subscriber? How about SMB where no global IP is required? One would think 1000 ports would be enough, but if you have a dozen devices at home all browsing and doing various things, and with IoT, etc., maybe not?

--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/
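The port-block allocation (PBA) bookkeeping Aaron describes above, written out as an added Python example that is not code from this thread or from any CGNAT product: blocks of 100 ports aligned to multiples of 100, a ceiling of 30 blocks (3,000 ports) per subscriber that raises a "ports exceeded" condition, and an append-only log that a grep for `ip:block_start-` can answer a "who had this public IP and port at this time" lookup from. The public IP (documentation range), subscriber ids, log line format, and the choice to start at block 1000-1099 rather than the 100-199 in the message are all constructed for the example.

```python
import bisect
import re
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 100                       # ports per block, as in the thread
MAX_BLOCKS = 30                        # 30 x 100 = 3,000 ports per subscriber
FIRST_BLOCK = 10                       # constructed: first block is 1000-1099
LAST_BLOCK = 65535 // BLOCK_SIZE - 1   # 654 -> last block is 65400-65499

# Constructed reference time for the sample log below.
T0 = datetime(2020, 4, 29, 9, 0, tzinfo=timezone.utc)


def minutes_after(n):
    return T0 + timedelta(minutes=n)


class PortsExceeded(Exception):
    """Subscriber already holds MAX_BLOCKS blocks (the 3k ceiling)."""


class PoolExhausted(Exception):
    """No free block is left on this public IP."""


class PortBlockPool:
    """Hands out aligned 100-port blocks and writes an append-only log."""

    def __init__(self, public_ips):
        self.free = {ip: list(range(FIRST_BLOCK, LAST_BLOCK + 1)) for ip in public_ips}
        self.active = {}   # (public_ip, block_index) -> subscriber
        self.log = []      # constructed log format: "<iso-time> ALLOC|FREE <sub> <ip>:<lo>-<hi>"

    def blocks_held(self, subscriber):
        return sum(1 for s in self.active.values() if s == subscriber)

    def allocate(self, subscriber, public_ip, when):
        # The per-subscriber cap is checked before any block is taken,
        # so a runaway host stops at exactly MAX_BLOCKS.
        if self.blocks_held(subscriber) >= MAX_BLOCKS:
            raise PortsExceeded(subscriber)
        if not self.free[public_ip]:
            raise PoolExhausted(public_ip)
        idx = self.free[public_ip].pop(0)          # lowest free block first
        self.active[(public_ip, idx)] = subscriber
        lo, hi = idx * BLOCK_SIZE, idx * BLOCK_SIZE + BLOCK_SIZE - 1
        self.log.append(f"{when.isoformat()} ALLOC {subscriber} {public_ip}:{lo}-{hi}")
        return lo, hi

    def release(self, public_ip, lo, when):
        idx = lo // BLOCK_SIZE
        subscriber = self.active.pop((public_ip, idx))
        bisect.insort(self.free[public_ip], idx)   # keep the free list sorted
        hi = lo + BLOCK_SIZE - 1
        self.log.append(f"{when.isoformat()} FREE {subscriber} {public_ip}:{lo}-{hi}")


LOG_RE = re.compile(r"^(\S+) (ALLOC|FREE) (\S+) (\S+):(\d+)-(\d+)$")


def find_subscriber(log_lines, public_ip, port, when):
    """Replay the log (assumed chronological) and return who held
    public_ip:port at `when`, or None if the block was unassigned.
    Alignment means port // BLOCK_SIZE names the block, so a single
    substring match picks out the relevant lines before any parsing."""
    lo = (port // BLOCK_SIZE) * BLOCK_SIZE
    needle = f" {public_ip}:{lo}-"
    holder = None
    for line in log_lines:
        if needle not in line:
            continue
        m = LOG_RE.match(line)
        if datetime.fromisoformat(m.group(1)) > when:
            break
        holder = m.group(3) if m.group(2) == "ALLOC" else None
    return holder


def demo():
    """Constructed scenario: one normal subscriber, one block re-use after
    release, and one host that keeps asking for blocks until it is capped."""
    ip = "198.51.100.7"
    pool = PortBlockPool([ip])
    pool.allocate("sub-00001", ip, minutes_after(0))     # 1000-1099
    pool.allocate("sub-00001", ip, minutes_after(1))     # 1100-1199
    pool.release(ip, 1000, minutes_after(30))            # 1000-1099 goes back
    pool.allocate("sub-00002", ip, minutes_after(31))    # and is re-used
    exceeded = False
    try:
        for i in range(MAX_BLOCKS + 1):
            pool.allocate("sub-bot", ip, minutes_after(40 + i))
    except PortsExceeded:
        exceeded = True
    return pool, exceeded


if __name__ == "__main__":
    pool, exceeded = demo()
    print("ports exceeded raised:", exceeded)
    print("1050 at +5 min :", find_subscriber(pool.log, "198.51.100.7", 1050, minutes_after(5)))
    print("1050 at +35 min:", find_subscriber(pool.log, "198.51.100.7", 1050, minutes_after(35)))
```

The time argument matters: because a released block is handed to the next subscriber, the same public IP and port maps to different customers before and after the release, so the lookup has to be anchored to the timestamp of the event being investigated, not just the tuple.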