Service providers that NAT their whole network?
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public addresses. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
Can anyone give me some names of providers that do this?
Can anyone point me at any documents that indicate how common this practice is?
- Philip
(*) Some IETF documents that mention this practice:
- RFC 3489
- draft-ietf-sipping-nat-scenarios-00.txt (now expired, but available at http://www.ietf.org/proceedings/02jul/I-D/draft-ietf-sipping-nat-scenarios-0...
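The practical way a host finds out whether its provider has put it behind a NAT is the one RFC 3489 (cited above) was written for: send a STUN Binding Request, read the MAPPED-ADDRESS the server saw, and compare it with the address on the local interface. The following is an added example, not code from the original posting or from any provider named in the thread; it encodes and parses the RFC 3489 wire format by hand, classifies the interface address against the RFC 1918 blocks, and checks the transaction ID so a reply that was not solicited is discarded. The sample response it parses is constructed in the code (203.0.113.7 is documentation space), and `probe()` is only for a live check against a real STUN server, which this example does not name.

```python
import ipaddress
import os
import socket
import struct

# The three RFC 1918 blocks the thread keeps referring to.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 3489 message and attribute types used here.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
HEADER_LEN = 20  # 2-byte type, 2-byte length, 16-byte transaction ID


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def build_binding_request(txid: bytes) -> bytes:
    """Encode a Binding Request: type, zero attribute length, 128-bit transaction ID."""
    if len(txid) != 16:
        raise ValueError("transaction ID must be 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Encode the Binding Response a server would send; used to construct a sample reply."""
    value = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))  # family 0x01 = IPv4
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes) -> tuple:
    """Return (ip, port) from MAPPED-ADDRESS, rejecting malformed or unsolicited replies."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN message")
    mtype, mlen = struct.unpack("!HH", data[:4])
    if mtype != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % mtype)
    if data[4:HEADER_LEN] != expected_txid:
        raise ValueError("transaction ID mismatch")  # a reply we never asked for
    if len(data) != HEADER_LEN + mlen:
        raise ValueError("length field does not match message size")
    off = HEADER_LEN
    while off + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == MAPPED_ADDRESS:
            if alen != 8 or value[1] != 0x01:
                raise ValueError("unsupported MAPPED-ADDRESS encoding")
            port = struct.unpack("!H", value[2:4])[0]
            return socket.inet_ntoa(value[4:8]), port
        off += 4 + alen  # skip attributes this parser does not understand
    raise ValueError("no MAPPED-ADDRESS attribute")


def classify(local_addr: str, mapped_addr: str) -> str:
    """Compare the interface address with the address the STUN server saw."""
    if local_addr == mapped_addr:
        return "public"          # no translation on the path
    if is_rfc1918(mapped_addr):
        return "nat-nested"      # the server itself sits behind the same NAT
    if is_rfc1918(local_addr):
        return "nat-rfc1918"     # the provider-wide NAT case discussed in the thread
    return "nat-other"           # translated, but the inside address is not RFC 1918


def probe(server: str, port: int = 3478, timeout: float = 2.0) -> str:
    """Live check against a STUN server of your choosing (not exercised offline)."""
    txid = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))          # connect() so getsockname() reports the real interface
        s.send(build_binding_request(txid))
        data = s.recv(2048)
        local_addr = s.getsockname()[0]
    mapped_ip, _ = parse_binding_response(data, txid)
    return classify(local_addr, mapped_ip)
```

Note the "nat-nested" case: a provider that NATs its whole customer base may also host the STUN server inside that NAT, in which case the mapped address is private too and tells you nothing about the outer translation. Running `probe()` against a server on the public Internet is what distinguishes the provider-wide NAT from an ordinary home router, and the transaction-ID check matters because STUN runs over unauthenticated UDP.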
On Fri, Apr 15, 2005 at 03:39:56PM -0400, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
Can anyone give me some names of providers that do this?
Rose.net, the municipal provider in Thomasville GA. They'll assign you a fixed public address which can be gotten back through if you ask, for extra money, but your interface address will still be in 1918 space.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me
On Fri, 15 Apr 2005, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
Didn't some of the African ISPs claim that they were forced to do this by ILEC/monopoly providers who would not give them the IP space they needed, resulting in ARIN allowing a minimum ISP allocation of /24 for the African region which is now AfriNIC? http://www.arin.net/policy/proposals/2003_15.html
http://archives.afnog.org/msg02339.html goes into much more detail
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
"Philip" == Philip Matthews <matthews@nimcatnetworks.com> writes:
Philip> A number of IETF documents(*) state that there are some Philip> service providers that place a NAT box in front of their Philip> entire network, so all their customers get private addresses Philip> rather than public address. It is often stated that these Philip> are primarily cable-based providers. Philip> I am trying to get a handle on how common this practice is. Philip> No one that I have asked seems to know any provider that does Philip> this, fastweb.it in Italy, and the Direcway satellite system in the US are the most obvious examples that I know of. I'm sure there are more. -- Andrew, Supernews http://www.supernews.com
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
We NAT a portion of our residential users -- not all of our network. As I recall our current NAT pools are comprised of a /21 --sjk
On 4/15/05, Philip Matthews <matthews@nimcatnetworks.com> wrote:
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
There was a MA-based provider that catered towards municipalities that did this. I was a volunteer on our local IT committee and was shocked to see this in action :) After a few requests they eventually did assign a public address to the router, but I think it was SOP to NAT everything. -Steve
> A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address.
> It is often stated that these are primarily cable-based providers.
> I am trying to get a handle on how common this practice is.
It's not uncommon among smaller providers in developing countries. International transit providers, particularly those that use satellite for "local loop" seem to be pretty miserly with IP addresses, leading their customer-ISPs to use NAT more broadly than is healthy. Obviously this makes it very difficult to multi-home, which reinforces the upstream's position. -Bill
On Fri, 15 Apr 2005, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
In my experience many cellular providers (at least in the US) do this as well. A GPRS connection to Cingular, even from a laptop device, will get a 1918 address. I don't mind since my phone runs linux with no root password (thanks motorola). -Scott
On Fri, Apr 15, 2005 at 01:40:12PM -0700, Scott Call wrote:
On Fri, 15 Apr 2005, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
In my experience many cellular providers (at least in the US) do this as well. A GPRS connection to Cingular, even from a laptop device, will get a 1918 address. I don't mind since my phone runs linux with no root password (thanks motorola).
Must depend on the service. My CDPD and the 1X-RTT that replaced it, both from Verizontal, had public addresses, though they grew incoming filters around the Code Red days...
Cheers,
-- jra
While not "big" by any sense of the word, we NAT [almost] all of our internal network. It wasn't initially a matter of choice, but rather of necessity. We had a sprinkling of small netblocks in the old legacy C swamp, mostly in the old SURAnet/BBN allocation, and after the Genuity takeover they yanked our routes on short notice (actually, our upstream didn't notify us until the last minute). We had to NAT into a new temporary allocation from an upstream, and later renumbered into a portable block for multihoming. There are still some old Genuity addresses in use inside (renumbering is easier said than done) but we're slowly cleaning them up. NAT seemed to be the best option at the time, especially since we had no portable allocation. We used to overload, but talk about overhead... Jeff
Apologies for the late reply, but T-Mobile's US GPRS network hands out RFC1918 space as well.
-C
On Fri, Apr 15, 2005 at 01:40:12PM -0700, Scott Call wrote:
On Fri, 15 Apr 2005, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
In my experience many cellular providers (at least in the US) do this as well. A GPRS connection to Cingular, even from a laptop device, will get a 1918 address. I don't mind since my phone runs linux with no root password (thanks motorola).
-Scott
On Apr 22, 2005, at 1:14 PM, Chris Woodfield wrote:
Apologies for the late reply, but T-Mobile's US GPRS network hands out RFC1918 space as well.
Ah, that depends on if you're on WAP, T-Mobile Internet or T-Mobile VPN. The VPN service is exactly the same as the Internet one, except that it gives you non-NAT'd address space for VPN compatibility. (APN internet3.voicestream.com, everything else is the same). Note that you have to be provisioned on each APN now, you can't jump around like you used to be able to.
-C
On Fri, Apr 15, 2005 at 01:40:12PM -0700, Scott Call wrote:
On Fri, 15 Apr 2005, Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
In my experience many cellular providers (at least in the US) do this as well. A GPRS connection to Cingular, even from a laptop device, will get a 1918 address. I don't mind since my phone runs linux with no root password (thanks motorola).
-Scott
Thanks to everyone who replied to my question about NAT usage in service providers (see original posting below). I got a lot of private replies, as well as those who posted to the list.
To summarize: It seems that there are quite a few providers who do this. I was told of at least 24 providers in the U.S., as well as providers in Canada, in Central America, in Europe, and in Africa which do this.
It was suggested by a number of people that this was quite common on WiFi access and for data services on cell phones. I also heard about a number of cable access providers that do this, and its use on DSL access was mentioned a couple of times. (Many people didn't say what access types were affected, so I don't feel I can derive any meaningful statistics).
A number of smaller providers told me that they do it because they simply cannot get enough routable IP addresses from their upstream providers.
If I were to speculate, I would guess that the practice might be more common amongst newer providers, and with newer access methods on more established providers.
- Philip
Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
Can anyone give me some names of providers that do this?
Can anyone point me at any documents that indicate how common this practice is?
- Philip
(*) Some IETF documents that mention this practice: - RFC 3489 - draft-ietf-sipping-nat-scenarios-00.txt (now expired, but available at
http://www.ietf.org/proceedings/02jul/I-D/draft-ietf-sipping-nat-scenarios-0...
That makes very little sense to me since the smaller providers can get a /22 directly from ARIN.
I, personally, would never purchase service from a provider that insisted on sticking me behind NAT.
SPRINT PCS does not NAT my cellphone. I receive a dynamic address at connection time, but, it is a real address. What they do that annoys me is they block UDP Port 53 to non-Sprint nameservers, and, the phone browser is hard-coded to a particular Sprint HTTP Proxy server.
If the practice is becoming more common, that is very unfortunate.
Owen
--On Tuesday, April 19, 2005 9:09 AM -0400 Philip Matthews <matthews@nimcatnetworks.com> wrote:
Thanks to everyone who replied to my question about NAT usage in service providers (see original posting below). I got a lot of private replies, as well as those who posted to the list.
To summarize: It seems that there are quite a few providers who do this. I was told of at least 24 providers in the U.S., as well as providers in Canada, in Central America, in Europe, and in Africa which do this.
It was suggested by a number of people that this was quite common on WiFi access and for data services on cell phones. I also heard about a number of cable access providers that do this, and its use on DSL access was mentioned a couple of times. (Many people didn't say what access types were affected, so I don't feel I can derive any meaningful statistics).
A number of smaller providers told me that they do it because they simply cannot get enough routable IP addresses from their upstream providers.
If I were to speculate, I would guess that the practice might be more common amongst newer providers, and with newer access methods on more established providers.
- Philip
Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
Can anyone give me some names of providers that do this?
Can anyone point me at any documents that indicate how common this practice is?
- Philip
(*) Some IETF documents that mention this practice:
- RFC 3489
- draft-ietf-sipping-nat-scenarios-00.txt (now expired, but available at http://www.ietf.org/proceedings/02jul/I-D/draft-ietf-sipping-nat-scenarios-00.txt
-- If it wasn't crypto-signed, it probably didn't come from me.
On Apr 19, 2005, at 5:25 PM, Owen DeLong wrote:
That makes very little sense to me since the smaller providers can get a /22 directly from ARIN.
Sometimes resources that come from a regional registry are not welcomed by a national operator. This can go for AS numbers as well as addresses. And sometimes a national operator is the only way out. I doubt that this is becoming more common; sadly, it's probably not becoming less common either. TV
I, personaly, would never purchase service from a provider that insisted on sticking me behind NAT.
SPRINT PCS does not NAT my cellphone. I receive a dynamic address at connection time, but, it is a real address. What they do that annoys me is they block UDP Port 53 to non-sprint nameservers, and, the phone browser is hard-coded to a particular sprint HTTP Proxy server.
If the practice is becoming more common, that is very unfortunate.
Owen
--On Tuesday, April 19, 2005 9:09 AM -0400 Philip Matthews <matthews@nimcatnetworks.com> wrote:
Thanks to everyone who replied to my question about NAT usage in service providers (see original posting below). I got a lot of private replies, as well as those who posted to the list.
To summarize: It seems that there are quite a few providers who do this. I was told of at least 24 providers in the U.S., as well as providers in Canada, in Central America, in Europe, and in Africa which do this.
It was suggested by a number of people that this was quite common on WiFi access and for data services on cell phones. I also heard about a number of cable access providers that do this, and its use on DSL access was mentioned a couple of times. (Many people didn't say what access types were affected, so I don't feel I can derive any meaningful statistics).
A number of smaller providers told me that they do it because they simply cannot get enough routable IP addresses from their upstream providers.
If I were to speculate, I would guess that the practice might be more common amongst newer providers, and with newer access methods on more established providers.
- Philip
Philip Matthews wrote:
A number of IETF documents(*) state that there are some service providers that place a NAT box in front of their entire network, so all their customers get private addresses rather than public address. It is often stated that these are primarily cable-based providers.
I am trying to get a handle on how common this practice is. No one that I have asked seems to know any provider that does this, and a search of a few FAQs plus about an hour of Googling hasn't turned up anything definite (but maybe I am using the wrong keywords ...).
Can anyone give me some names of providers that do this?
Can anyone point me at any documents that indicate how common this practice is?
- Philip
(*) Some IETF documents that mention this practice:
- RFC 3489
- draft-ietf-sipping-nat-scenarios-00.txt (now expired, but available at http://www.ietf.org/proceedings/02jul/I-D/draft-ietf-sipping-nat-scenarios-00.txt
-- If it wasn't crypto-signed, it probably didn't come from me.
On 4/20/05, Tom Vest <tvest@pch.net> wrote:
On Apr 19, 2005, at 5:25 PM, Owen DeLong wrote:
That makes very little sense to me since the smaller providers can get a /22 directly from ARIN.
Sometimes resources that come from a regional registry are not welcomed by a national operator. This can go for AS numbers as well as addresses. And sometimes a national operator is the only way out.
Not welcomed as in, filtered out / these providers refuse to route them? Or do they kick up a fuss on the lines of "you should approach only me, or failing that the LIR, for IPs, don't let me catch you running to the RIR next time" srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Apr 19, 2005, at 10:24 PM, Suresh Ramasubramanian wrote:
On 4/20/05, Tom Vest <tvest@pch.net> wrote:
On Apr 19, 2005, at 5:25 PM, Owen DeLong wrote:
That makes very little sense to me since the smaller providers can get a /22 directly from ARIN.
Sometimes resources that come from a regional registry are not welcomed by a national operator. This can go for AS numbers as well as addresses. And sometimes a national operator is the only way out.
Not welcomed as in, filtered out / these providers refuse to route them? Or do they kick up a fuss on the lines of "you should approach only me, or failing that the LIR, for IPs, don't let me catch you running to the RIR next time"
As in, sometimes national operators will decline to speak bgp to (topologically) subnational operators, so that even when they present themselves with a regionally allocated public ASN and address space, these will not be accepted. I am not at liberty to identify specific cases, but if you look at recent-ish (RIR-era) ASN allocations that have never appeared in the routing table, you will come across (n) networks that fit this description. Another reason to approach with caution proposals to cede greater registry-like authority to national PTOs and regulatory authorities, IMHO. TV
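The check Tom Vest describes, looking for RIR-era ASN allocations that have never appeared in the routing table, can be done from two public inputs: an RIR delegated-statistics file and an AS_PATH dump from a route collector. The following is an added example, not code from the original posting and not an analysis anyone in the thread published; it parses the real delegated-statistics line format (registry|cc|type|start|value|date|status) but both input samples below are constructed, using ASNs from the documentation range so that they match nothing real. The `since` cutoff is an assumption standing in for "recent-ish".

```python
import re

# Constructed rows in the RIR delegated-statistics format. The first line is the
# file's version header, which has seven fields but no "asn" type and is skipped.
# 64496-64511 are documentation ASNs; 64511 stands in for the upstream.
DELEGATED_SAMPLE = """\
2|apnic|20050420|5|19830101|20050420|+1000
apnic|*|asn|*|5|summary
apnic|XX|asn|64496|1|20040312|allocated
apnic|XX|asn|64497|1|20040520|allocated
apnic|XX|asn|64498|2|20041001|allocated
apnic|XX|asn|64500|1|20050201|allocated
apnic|XX|asn|64501|1|19970115|allocated
apnic|XX|ipv4|192.0.2.0|256|20040312|allocated
"""

# Constructed AS_PATH column as it would be scraped from a collector's table dump,
# including an origin marker (i/e/?) and an AS_SET in braces.
AS_PATHS_SAMPLE = """\
64511 64496 64500 i
64511 64496 i
64511 64498 64499 ?
64511 {64499,64500} i
"""


def parse_allocated_asns(text: str, since: str = "20040101") -> dict:
    """Map every ASN allocated or assigned on or after `since` (YYYYMMDD) to its date.

    A row's value field is a count, so one row can cover a contiguous block of ASNs.
    """
    allocated = {}
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 7 or fields[2] != "asn":
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue
        start, count, when = int(fields[3]), int(fields[4]), fields[5]
        if when < since:          # zero-padded YYYYMMDD compares correctly as a string
            continue
        for asn in range(start, start + count):
            allocated[asn] = when
    return allocated


def parse_seen_asns(text: str) -> set:
    """Collect every ASN that appears anywhere in an AS_PATH, AS_SETs included."""
    seen = set()
    for line in text.splitlines():
        for token in re.findall(r"\d+", line):
            seen.add(int(token))
    return seen


def never_routed(allocated: dict, seen: set) -> list:
    """Return (asn, allocation_date) for allocated ASNs absent from the paths, oldest first."""
    return sorted(((asn, when) for asn, when in allocated.items() if asn not in seen),
                  key=lambda pair: (pair[1], pair[0]))


def report(delegated_text: str, paths_text: str, since: str = "20040101") -> list:
    """Run the whole check on two text inputs and return the never-routed list."""
    return never_routed(parse_allocated_asns(delegated_text, since),
                        parse_seen_asns(paths_text))


if __name__ == "__main__":
    for asn, when in report(DELEGATED_SAMPLE, AS_PATHS_SAMPLE):
        print("AS%d allocated %s, never seen in the table" % (asn, when))
```

Two caveats before reading anything into the output. A single collector sees one vantage point, so an ASN missing from its table may simply be reachable only regionally; merge paths from several collectors before calling an allocation "never routed". And an ASN that appears only in an AS_SET has been aggregated by someone else, which this example counts as seen; whether that counts as the operator "speaking BGP" in Tom's sense is a judgement call, not something the data settles.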
On 4/20/05, Tom Vest <tvest@pch.net> wrote:
As in, sometimes national operators will decline to speak bgp to (topologically) subnational operators, so that even when they present themselves with a regionally allocated public ASN and address space, these will not be accepted. I am not at liberty to identify specific cases, but if you look at recent-ish (RIR-era) ASN allocations that have never appeared in the routing table, you will come across (n) networks that fit this description.
Ah, that. Finding places with large incumbent telcos that want to preserve their monopoly, and typically have the local telco regulator in their pocket, is not hard at all .. this happens all the time there. One possible reason would be that quite often the people there are not very capable at bgp at all .. so someone who's selling them routers gives them a static route to their upstream, then they give their downstream customers a word doc with a template that assigns the downstreams yet another static route ... Attempts at adding BGP and sometimes, MPLS, to those networks tend to produce interesting looking results. Especially funny example - someone who was a "senior admin" at a certain large asian ISP decided to ask Philip what a route map is, in a sanog tutorial on advanced BGP last year.
Another reason to approach with caution proposals to cede greater registry-like authority to national PTOs and regulatory authorities, IMHO.
Any such authority is guaranteed to be heavily abused to further existing monopolies -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Apr 19, 2005, at 10:57 PM, Suresh Ramasubramanian wrote:
One possible reason would be that quite often the people there are not very capable at bgp at all .. so someone who's selling them routers gives them a static route to their upstream, then they give their downstream customers a word doc with a template that assigns the downstreams yet another static route ...
I think (or at least I hope) that folks that fit your description are identified by the registries and routed to the education track before their applications are approved. I am not (entirely) naive -- and am quite pleased to have the opportunity to contribute to ongoing education efforts through APRICOT -- so I am sure that some share of allocated-but-never-routed ASNs could be explained away as you suggest. That said, the cases I am obliquely referring to are established, fully clue-imbued enterprises -- some even service providers -- with competent engineers on staff. I.e., operators that applied for, met the criteria, and received a public ASN plus IP allocation from an RIR. TV
participants (14)
- Andrew - Supernews
- Bill Woodcock
- Chris Woodfield
- Jay R. Ashworth
- Jeff Kell
- John Payne
- Jon Lewis
- Owen DeLong
- Philip Matthews
- Scott Call
- sjk
- Steve Meuse
- Suresh Ramasubramanian
- Tom Vest