Hi, Matt:

1) The challenge that you described can be resolved as one part of the benefits from the EzIP proposal that I introduced to this mailing list about one month ago. That discussion has gyrated into this thread, more concerned about IPv6 related topics instead. If you missed that introduction, please have a look at the following IETF draft to get a feel for what could be done: https://datatracker.ietf.org/doc/html/draft-chen-ati-adaptive-ipv4-address-s...

2) With respect to the specific case you brought up, consider the EzIP address pool (240/4 netblock with about 256M addresses) as the replacement for that of CG-NAT (100.64/10 netblock with about 4M addresses). This much bigger (2^6 times) pool enables every customer premises to get a static IP address from the 240/4 pool to operate in simple router mode, instead of requesting a static port number and still operating in NAT mode. Within each customer premises, the conventional three private netblocks may be used to handle the hosts (IoTs).

3) There is a whitepaper that presents an overview of other possibilities based on the EzIP approach: https://www.avinta.com/phoenix-1/home/RevampTheInternet.pdf

Hope the above makes sense to you.

Regards,

Abe (2022-04-02 23:10)

On 2022-04-02 16:25, Matthew Petach wrote:
On Fri, Apr 1, 2022 at 6:37 AM Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
If you make the stateful NATs static, that is, each private address has a statically configured range of public port numbers, it is extremely easy because no logging is necessary for police grade audit trail opacity.
Masataka Ohta
Hi Masataka, One quick question. If every host is granted a range of public port numbers on the static stateful NAT device, what happens when two customers need access to the same port number?
Because there's no way in a DNS NS entry to specify a port number, if I need to run a DNS server behind this static NAT, I *have* to be given port 53 in my range; there's no other way to make DNS work. This means that if I have two customers that each need to run a DNS server, I have to put them on separate static NAT boxes--because they can't both get access to port 53.
This limits the effectiveness of a stateful static NAT box to the number of customers that need hard-wired port numbers to be mapped through; which, depending on your customer base, could end up being all of them, at which point you're back to square one, with every customer needing at least 1 IPv4 address dedicated to them on the NAT device.
Either that, or you simply tell your customers "so sorry you didn't get on the Internet soon enough; you're all second class citizens that can't run your own servers; if you need to do that, you can go pay Amazon to host your server needs."
And perhaps that's not as unreasonable as it first sounds; we may all start running IPv4-IPv6 application gateways on Amazon, so that IPv6-only networks can still interact with the IPv4-only internet, and Amazon will be the great glue that holds it all together.
tl;dr -- "if only we'd thought of putting a port number field in the NS records in DNS back in 1983..."
Matt
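The exchange above turns on two quantities: how many public IPv4 addresses a static, per-customer port-range NAT needs once customers want fixed well-known ports (Matt's port-53 point), and how the 100.64/10 and 240/4 pools compare in size (Abe's 2^6 figure). The model below is an added example written for this thread; it is not code from any of the posters or from the EzIP draft. It assumes a first-fit allocator, 1024-port slices carved above the well-known range, and documentation addresses (198.51.100.0/24) standing in for the NAT's public pool.

```python
"""Model of a static stateful NAT that gives every customer a fixed slice of the
public port space, plus a pool-size comparison. Constructed example for the
NANOG thread above; first-fit placement and 1024-port slices are assumptions."""
import ipaddress
from dataclasses import dataclass, field

PORT_COUNT = 65536
WELL_KNOWN_MAX = 1023  # 0-1023: services such as DNS on 53 must live here


@dataclass
class Customer:
    name: str
    fixed_ports: frozenset = frozenset()  # well-known ports this customer must own


@dataclass
class PublicAddress:
    ip: str
    slice_size: int
    next_free: int = WELL_KNOWN_MAX + 1              # dynamic slices start above 1023
    fixed_owner: dict = field(default_factory=dict)  # well-known port -> customer name
    slices: dict = field(default_factory=dict)       # customer name -> (lo, hi)

    def can_host(self, c: Customer) -> bool:
        # Need room for one more slice, and none of the customer's fixed
        # ports may already be owned by someone else on this address.
        if self.next_free + self.slice_size - 1 >= PORT_COUNT:
            return False
        return not any(p in self.fixed_owner for p in c.fixed_ports)

    def host(self, c: Customer) -> None:
        for p in c.fixed_ports:
            self.fixed_owner[p] = c.name
        lo = self.next_free
        self.next_free += self.slice_size
        self.slices[c.name] = (lo, lo + self.slice_size - 1)


def place_customers(customers, pool="198.51.100.0/24", slice_size=1024):
    """First-fit placement of customers onto public addresses drawn from `pool`.
    Returns the list of PublicAddress objects actually used; raises
    RuntimeError when the pool is exhausted."""
    free_ips = ipaddress.ip_network(pool).hosts()
    used = []
    for c in customers:
        for addr in used:
            if addr.can_host(c):
                addr.host(c)
                break
        else:
            ip = next(free_ips, None)
            if ip is None:
                raise RuntimeError("public address pool exhausted")
            addr = PublicAddress(str(ip), slice_size)
            addr.host(c)
            used.append(addr)
    return used


def addresses_needed(customers, slice_size=1024) -> int:
    """Public IPv4 addresses the static NAT must dedicate to this customer mix."""
    return len(place_customers(customers, slice_size=slice_size))


def pool_size(cidr: str) -> int:
    """Number of addresses in a netblock, e.g. the CG-NAT or 240/4 pool."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    # Constructed customer mixes: plain clients share one address; every
    # customer that must own port 53 forces a new public address.
    clients = [Customer(f"client{i}") for i in range(10)]
    dns_ops = [Customer(f"dns{i}", frozenset({53})) for i in range(3)]
    print("clients only   ->", addresses_needed(clients), "address(es)")
    print("3 DNS operators->", addresses_needed(clients + dns_ops), "address(es)")
    print("CG-NAT pool    ->", pool_size("100.64.0.0/10"))
    print("240/4 pool     ->", pool_size("240.0.0.0/4"))
    print("ratio          ->", pool_size("240.0.0.0/4") // pool_size("100.64.0.0/10"))
```

With 1024-port slices an address carries 63 ordinary customers, but each customer that must own a well-known port consumes a whole public address for that port, which is the "back to square one" case in Matt's message; the pool sizes come straight from the prefix lengths (2^22 versus 2^28).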