We are looking for recommendations for a carrier grade NAT solution. Who are the leaders in this space? How do carrier grade NAT platforms integrate with DHCP and DNS solutions? How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
Colton Conor <colton.conor@gmail.com> writes:
We are looking for recommendations for a carrier grade NAT solution. Who are the leaders in this space? How do carrier grade NAT platforms integrate with DHCP and DNS solutions? How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
Right now I'm using A10 for NAT. I can't say enough good things about these dudes. But as far as DMCA takedowns are concerned, we're in the habit of casually ignoring them unless they come through our custodian of records. That would be an excellent question for your SE. And I'm kind of curious myself now. -Daniel
I searched carrier grade NAT in google, and A10 came up a lot. I thought they just had good SEO going on, but it seems they have a good product as well! Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need all 4 to handle carrier grade NAT on an access network right? On Tue, Jul 29, 2014 at 10:00 AM, Daniel Corbe <corbe@corbe.net> wrote:
Colton Conor <colton.conor@gmail.com> writes:
We are looking for recommendations for a carrier grade NAT solution. Who are the leaders in this space? How do carrier grade NAT platforms integrate with DHCP and DNS solutions? How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
Right now I'm using A10 for NAT. I can't say enough good things about these dudes.
But as far as DMCA takedowns are concerned, we're in the habit of casually ignoring them unless they come through our custodian of records.
That would be an excellent question for your SE. And I'm kind of curious myself now.
-Daniel
Colton Conor <colton.conor@gmail.com> writes:
I searched carrier grade NAT in google, and A10 came up a lot. I thought they just had good SEO going on, but it seems they have a good product as well! Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need all 4 to handle carrier grade NAT on an access network right?
They don't have an IPAM built in. IPAMs are usually a back office thing. It's a deeply personal choice usually made by the very same monkey in your organization responsible for managing IP allocations. You can toss IP pool management (in your case, DHCP) at your A10s, but I don't. You can also do some interesting things with DNS on the boxes if you have a software load that supports load balancing. But you don't need that for NAT. Nor is it wise to put all your eggs into one magical packet-routing basket. -Daniel
On Tue, 29 Jul 2014, Colton Conor wrote:
How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
You ask them to provide port numbers. If they can't, then you can't identify a single subscriber. If law enforcement comes along without port numbers then you give them a list of subscribers behind that IP at the time. Use port block allocation and keep track of the blocks to reduce logging load.
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:
If law enforcement comes along without port numbers then you give them a list of subscribers behind that IP at the time. Use port block allocation and keep track of the blocks to reduce logging load.
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user. --Chris
On Tue, 29 Jul 2014 11:42:31 -0500, Chris Boyd said:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
See the various lawsuits against the NSA - the vast majority have been summarily dismissed because the plaintiffs couldn't produce evidence their communications had in fact been intercepted, and thus they didn't have standing to sue.
On Tue, Jul 29, 2014 at 12:54:57PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Tue, 29 Jul 2014 11:42:31 -0500, Chris Boyd said:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
See the various lawsuits against the NSA - the vast majority have been summarily dismissed because the plaintiffs couldn't produce evidence their communications had in fact been intercepted, and thus they didn't have standing to sue.
And the rest have been thrown out because the plaintiffs couldn't produce evidence that they'd been specifically harmed by having their communications intercepted, probably because it hadn't been "collected" (under the NSA definition of same).
- Matt
-- A polar bear is a rectangular bear after a coordinate transform.
On Jul 29, 2014, at 11:54 AM, <Valdis.Kletnieks@vt.edu> <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 29 Jul 2014 11:42:31 -0500, Chris Boyd said:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
See the various lawsuits against the NSA - the vast majority have been summarily dismissed because the plaintiffs couldn't produce evidence their communications had in fact been intercepted, and thus they didn't have standing to sue.
True, but there is a difference in this case, since I could probably find a way to do discovery of the warrant/subpoena that was delivered to the ISP--assuming it's not an NSL. I would assume that going into court with evidence of the warrant/subpoena would be sufficient to grant standing. Or the notice of intercepted communications that I've seen a few times would work too. In $DAYJOB, we're all colo/cloud, so the stuff we get specifies a specific date. Have not come across any that specify a few seconds of time as another poster noted. In any case IANAL, so who knows until the cases start showing up on the dockets..... --Chris
On Jul 29, 2014, at 9:42 AM, Chris Boyd <cboyd@gizmopartners.com> wrote:
On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:
If law enforcement comes along without port numbers then you give them a list of subscribers behind that IP at the time. Use port block allocation and keep track of the blocks to reduce logging load.
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
--Chris
As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not. Owen
On Jul 29, 2014, at 10:10 AM, <Valdis.Kletnieks@vt.edu> <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 29 Jul 2014 09:57:54 -0700, Owen DeLong said:
As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not.
Does the *other* provider in your area have a more liberal policy?
None of the providers in my area are currently doing CGN to the best of my knowledge. Owen
On 7/29/14, 12:57 PM, "Owen DeLong" <owen@delong.com> wrote:
As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not.
Relevant: http://comcast6.net/images/files/revolt.jpg ;-) - Jason
As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not.
My local DSL provider does CGN. I switched to cable, but because it was faster, not because of the addressing. They would assign you a global static IP just by calling up and asking for it. When I left, I think they'd assigned 18 static addresses out of several thousand customers. Most consumer ISP customers don't run servers visible from outside, and don't care about CGN. Really. It's not because they're stupid, it's because it has no effect on their day to day usage. R's, John PS: End to end, is that a subchannel of Redtube?
On Tue, Jul 29, 2014 at 12:57 PM, Owen DeLong <owen@delong.com> wrote:
As an ISP customer, would you really accept not being supplied a globally unique address? Really?
Hi Owen, I wouldn't, but outside of the folks I know in this forum, few would notice or care. So long as the ISP has an alternative available for those who do care (such as an existing static IP request mechanism) CGNs are low-risk from a customer-acceptance position. Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/> Can I solve your unusual networking challenges?
On Jul 29, 2014, at 10:59 AM, William Herrin <bill@herrin.us> wrote:
On Tue, Jul 29, 2014 at 12:57 PM, Owen DeLong <owen@delong.com> wrote:
As an ISP customer, would you really accept not being supplied a globally unique address? Really?
Hi Owen,
I wouldn't, but outside of the folks I know in this forum, few would notice or care. So long as the ISP has an alternative available for those who do care (such as an existing static IP request mechanism) CGNs are low-risk from a customer-acceptance position.
Sure, but I didn’t ask the question of the general public… I asked it of the people on this list. I suspect most of the membership of this list would opt out of CGN one way or another. In my case, my provider is IPv6 capable and I’d simply move my tunnels from IPv4 to IPv6 rather than subject myself to CGN if necessary. Owen
On 7/29/2014 12:42 PM, Chris Boyd wrote:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
--Chris
Usually, unless the judge is being super generous, they'll provide a timestamp and a destination IP. That should be pretty unique unless they're looking for fraud against a large website or something. In the unlikely event that two people hit the same IP at the same time (window) they would probably just throw that information out as unusable for their case. Usually the window they give is ~ 3-5 seconds so they're pretty specific.
On Jul 29, 2014, at 10:00 AM, Robert Drake <rdrake@direcpath.com> wrote:
On 7/29/2014 12:42 PM, Chris Boyd wrote:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
--Chris
Usually, unless the judge is being super generous, they'll provide a timestamp and a destination IP. That should be pretty unique unless they're looking for fraud against a large website or something. In the unlikely event that two people hit the same IP at the same time (window) they would probably just throw that information out as unusable for their case.
Usually the window they give is ~ 3-5 seconds so they're pretty specific.
This assumes that your log server and theirs are synchronized to an accurate time source within 3-5 seconds (not necessarily a safe assumption in all cases). Further, in a CGN environment, it’s unlikely you would not have multiple customers using the same IP address even down to the single second. Owen
Le 2014-07-29 13:19, Owen DeLong a écrit :
Usually the window they give is ~ 3-5 seconds so they're pretty specific.
This assumes that your log server and theirs are synchronized to an accurate time source within 3-5 seconds
Not really, since usually port blocks are not immediately reallocated to a different user. There's some timeout involved. RFC 6888 recommends 120 seconds. Simon
On 7/29/14 1:00 PM, "Robert Drake" <rdrake@direcpath.com> wrote:
On 7/29/2014 12:42 PM, Chris Boyd wrote:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
--Chris
Usually, unless the judge is being super generous, they'll provide a timestamp and a destination IP. That should be pretty unique unless they're looking for fraud against a large website or something. In the unlikely event that two people hit the same IP at the same time (window) they would probably just throw that information out as unusable for their case.
If your CGN logs destination IP, then you are tracking every site your customer visits. Geoff posits that this is valuable information, but some of the likeliest buyers aren't interested. You'll want to find some buyers, because you'll need to defray the cost of your logging. Do some back-of-the-envelope math on the storage required per user per day if you log the 5-tuple. The alternative is logging of address and source ports only, keeping logs equivalent to your DHCP logs now.
I've also heard law enforcement say they're not necessarily keen to ask, "Which of your customers accessed this web site at this time?" Sometimes it's awkward. They're much more likely to say, "Who was using this address (and source port) at this time?" If they can't tell you the source port, you have two options:
1. Give them the names of all customers using that address at that time. How many--10? 50? 100?
2. Tell them their subpoena is too broad, and you cannot respond.
I suggest you consult with counsel to determine your response. Lee
On Tue, Jul 29, 2014 at 11:42:31AM -0500, Chris Boyd wrote:
On Jul 29, 2014, at 10:23 AM, Mikael Abrahamsson wrote:
If law enforcement comes along without port numbers then you give them a list of subscribers behind that IP at the time. Use port block allocation and keep track of the blocks to reduce logging load.
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
Then you'll no doubt be happy to know that you're very, very unlikely to ever find out. - Matt
OK, as someone with experience running CGNAT to fixed broadband customers in general, here are a few answers to common questions. This is based on the setup I use, which is CGNAT done on the BNG (Cisco ASR1K6).
1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay USD $10+ per IP then CGNAT is the only option.
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
4. You need to log NAT translations for LI purposes (IP source/destination, port source/destination, time). Surprisingly this does not produce that big a database burden. However, as Cisco's Netflow NAT logging is utterly useless you need to use syslog, and this ramps up the ASR CPU a bit.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
6. 10,000 customers = approximately 200,000 active translations and 1-2 /24's to be comfortable
7. CGNAT protects your customers from all sorts of nasties like small DDOS attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
9. In New Zealand we are not a state of the USA so spammed DMCA emails can be redirected to /dev/null. If a rights holder wishes to have a potential violation investigated (translation logs) they need to pay a $25 fee, so in general they don't bother. Police need a search warrant so they generally only ask for user info when they actually can justify it, so it's not a big overhead.
10. It is not uncommon for people who run some game servers and websites (like banks) to be completely clueless/confused about CGNAT and randomly block IP's as large numbers of users connect from a single IP. This is not a big issue in practice.
cheers
Thanks for sharing your experience; it's very unusual to get the perspective of an operator running CGN (on a broadband ISP; wireless has always had it). On 7/29/14 5:28 PM, "Tony Wicks" <tony@wicks.co.nz> wrote:
OK, as someone with experience running CGNAT to fixed broadband customers in general, here are a few answers to common questions. This is based on the setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).
1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay USD $10+ per IP then CGNAT is the only option.
Eh, a bit over US$7 now, but whatever. Higher in APNIC.
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
It's viable, it's just not a substitute for IPv4 yet. Except for specific scenarios. For instance, you mention gaming below; if two users are playing on Xbox ONE, they can use IPv6 and they're off the CGN. Or if a bank has blacklisted an IPv4 address on the CGN, but the bank is dual-stack, some users can still get there. Of course, that snowballs.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
Surprised it's that high.
4. You need to log NAT translations for LI purposes. (IP source/destination, Port source/destination, time) Surprisingly this does not produce that big a database burden. However as Cisco's Netflow NAT logging is utterly useless you need to use syslog and this ramps up the ASR CPU a bit.
Can you quantify? The log entry has to be at least:
32 bits source address
16 bits source port
32 bits destination address
16 bits destination port
64 bits? timestamp
---
160 bits = 20 bytes per flow
You have to log the end of the flow, too, right? Another 20 bytes? 40 bytes per flow. Not including syslog severity and message text.
As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data. If, as you say in #6, 10,000 customers = 200,000 active translations, that's 8,000,000 bytes of syslog. . . per second? Not sure if "active" indicates how fast those sessions churn. 180 days of log retention would be. . . 124TB of data. Per 10,000 users.
By the way, if that's 8MB of syslog, that's 32Mbps just of logging data. Average, not peak.
Maybe the actual log rate is 8MB per five minutes? That's only 400GB for six months.
I'm really interested in what your actual log rate is.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
At least Xbox ONE prefers IPv6. PS4 can, it just doesn't yet. Maybe Kiwis don't play enough games for Sony to care?
6. 10,000 customers= approximately 200,000 active translations and 1-2 /24's to be comfortable
So you've cut your address expense to US$0.50 per user. Definitely better. (500*$10/10000)
7. CGNAT protects your customers from all sorts of nasties like small DDOS attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
Between #7 and #8, do they balance out?
9. In New Zealand we are not a state of the USA so spammed DMCA emails can be redirected to /dev/null. If a rights holder wishes to have a potential violation investigated (translation logs) they need to pay a $25 fee, so in general they don't bother. Police need a search warrant so they generally only ask for user info when they actually can justify it, so it's not a big overhead.
As long as you have a tool to query your logging system, should be fine.
10. It is not uncommon for people who run some game servers and websites (like banks) to be completely clueless/confused about cgnat and randomly block IP's as large numbers of users connect from single IP. This is not a big issue in practice.
Really? Seems like those would be some of the loudest users. I've always suggested adding IPv6 as an outlet, so that if someone complains about something not working through CGN, you can tell them to deploy IPv6. Thanks again for this perspective. Lee
On Tue, Jul 29, 2014 at 06:19:31PM -0400, Lee Howard wrote:
Thanks for sharing your experience; it's very unusual to get the perspective of an operator running CGN (on a broadband ISP; wireless has always had it).
On 7/29/14 5:28 PM, "Tony Wicks" <tony@wicks.co.nz> wrote:
OK, as someone with experience running CGNAT to fixed broadband customers in general, here are a few answers to common questions. This is based on the setup I use which is CGNAT is done on the BNG (Cisco ASR1K6).
1. APNIC ran out of IPv4 a couple of years ago, so unless you want to pay USD $10+ per IP then CGNAT is the only option.
Eh, a bit over US$7 now, but whatever. Higher in APNIC.
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
It's viable, it's just not a substitute for IPv4 yet. Except for specific scenarios. For instance, you mention gaming below; if two users are playing on Xbox ONE, they can use IPv6 and they're off the CGN. Or if a bank has blacklisted an IPv4 address on the CGN, but the bank is dual-stack, some users can still get there. Of course, that snowballs.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
Surprised it's that high.
4. You need to log NAT translations for LI purposes. (IP source/destination, Port source/destination, time) Surprisingly this does not produce that big a database burden. However as Cisco's Netflow NAT logging is utterly useless you need to use syslog and this ramps up the ASR CPU a bit.
Can you quantify? The log entry has to be at least:
32 bits source address
16 bits source port
32 bits destination address
16 bits destination port
64 bits? timestamp
---
160 bits = 20 bytes per flow
You have to log the end of the flow, too, right? Another 20 bytes? 40 bytes per flow. Not including syslog severity and message text.
You can get it down a bit smaller, if you're OK with having to find the records again to update them at the end of the connection (either TCP FIN, or UDP mapping timeout):
32 bits NAT endpoint ip
16 bits NAT endpoint port
32 bits dest ip
16 bits dest port
32 bits start timestamp
32 bits end timestamp
16 bits customer ID (you could store the customer's internal IP, but that's bigger)
That's 22 bytes per flow (maybe 24 if you're planning on having more than 64ki customers in your CGNAT's lifetime). You could drop the timestamps by another 16 bits each if you don't mind reducing granularity (if you guarantee you won't reuse a given IP/port pair for, say, 30 seconds, you can define the timestamp to be, say, 15 second increments) and/or changing the epoch -- 15 second granularity + rolling epoch every week => 16 bit timestamps do just fine.
As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data. If, as you say in #6, 10,000 customers = 200,000 active translations, that's 8,000,000 bytes of syslog. . . per second? Not sure if "active" indicates how fast those sessions churn. 180 days of log retention would be. . . 124TB of data. Per 10,000 users.
Of course, getting anything back *out* of that again in any sort of reasonable timeframe would be... optimistic. I suppose if you're storing it all in hadoop you can map/reduce your way out of trouble, but that's going to mean a lot of equipment sitting around doing nothing for 99.99% of the time. Perhaps mine litecoin between searches?
7. CGNAT protects your customers from all sorts of nasties like small DDOS attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
Between #7 and #8, do they balance out?
I'd doubt it. A customer getting DDoS'd counts against their usage limit; you can't bill traffic pointed at a CGNAT address against any particular customer. <grin>
- Matt
-- If only more employers realized that people join companies, but leave bosses. A boss should be an insulator, not a conductor or an amplifier. -- Geoff Kinnel, in the Monastery
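Mikael's "port block allocation, keep track of the blocks" and Matt's compact per-record layout above come together in the following added example (not code from any poster or vendor). It assumes 512-port blocks, a 120-second hold-down before a block is reused (the RFC 6888 figure Simon quotes later in the thread), and a 16-byte record that drops the destination fields, as Lee suggests; it answers the precise "who had ip:port at time t" query and the overbroad port-less one that returns every subscriber behind the address.

```python
from __future__ import annotations
import ipaddress
import struct

BLOCK_SIZE = 512        # ports handed to a subscriber at a time (assumption)
PORT_FLOOR = 1024       # never map subscribers onto well-known ports
HOLD_DOWN = 120         # seconds before a released block may be reused (RFC 6888 value)
END_OPEN = 0xFFFFFFFF   # end-timestamp sentinel while a block is still assigned

# Packed record: nat_ip(4) first_port(2) start_ts(4) end_ts(4) customer_id(2) = 16 bytes.
# Destination address/port are deliberately not logged ("address and source ports only").
RECORD = struct.Struct(">IHIIH")


def ip2int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


class PortBlockLog:
    def __init__(self, pool: list[str]) -> None:
        # Carve every pool address into fixed-size port blocks.
        self.free = [(ip2int(ip), p) for ip in pool
                     for p in range(PORT_FLOOR, 65536 - BLOCK_SIZE + 1, BLOCK_SIZE)]
        self.cooling: list[tuple[int, int, int]] = []   # (released_at, ip, port)
        self.active: dict[int, int] = {}                 # customer -> index into records
        self.records: list[list[int]] = []               # [ip, port, start, end, customer]

    def _reclaim(self, now: int) -> None:
        """Return blocks to the free list only once their hold-down has elapsed."""
        keep = []
        for released, ip, port in self.cooling:
            if now - released >= HOLD_DOWN:
                self.free.append((ip, port))
            else:
                keep.append((released, ip, port))
        self.cooling = keep

    def allocate(self, customer: int, now: int) -> tuple[int, int]:
        """Give the subscriber a block; one record then covers all flows it carries."""
        self._reclaim(now)
        if customer in self.active:
            rec = self.records[self.active[customer]]
            return rec[0], rec[1]
        if not self.free:
            raise RuntimeError("CGNAT pool exhausted")
        ip, port = self.free.pop(0)
        self.active[customer] = len(self.records)
        self.records.append([ip, port, now, END_OPEN, customer])
        return ip, port

    def release(self, customer: int, now: int) -> None:
        """Close the block's record and park the block in hold-down."""
        rec = self.records[self.active.pop(customer)]
        rec[3] = now
        self.cooling.append((now, rec[0], rec[1]))

    def _records_at(self, ip: int, ts: int) -> list[list[int]]:
        return [r for r in self.records if r[0] == ip and r[2] <= ts <= r[3]]

    def who(self, nat_ip: str, port: int, ts: int) -> int | None:
        """Precise LI query: which subscriber held nat_ip:port at ts."""
        hits = [r for r in self._records_at(ip2int(nat_ip), ts)
                if r[1] <= port < r[1] + BLOCK_SIZE]
        assert len(hits) <= 1, "overlapping assignments: hold-down violated"
        return hits[0][4] if hits else None

    def who_without_port(self, nat_ip: str, ts: int) -> set[int]:
        """Query lacking a port: every subscriber behind nat_ip at ts (the overbroad answer)."""
        return {r[4] for r in self._records_at(ip2int(nat_ip), ts)}

    def export(self) -> bytes:
        """Fixed-width binary log: 16 bytes per block, however many flows it carried."""
        return b"".join(RECORD.pack(*r) for r in self.records)


if __name__ == "__main__":
    log = PortBlockLog(["203.0.113.10"])   # constructed pool address (TEST-NET-3)
    for cust in (1, 2, 3):
        ip, port = log.allocate(cust, now=1000)
        print(f"customer {cust} -> {ipaddress.IPv4Address(ip)}:{port}-{port + BLOCK_SIZE - 1}")
    log.release(2, now=2000)
    print("with port:", log.who("203.0.113.10", 1700, 1500))
    print("without port:", sorted(log.who_without_port("203.0.113.10", 1500)))
    print(len(log.records), "records,", len(log.export()), "bytes")
```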
On 7/29/2014 6:42 PM, Matt Palmer wrote:
Of course, getting anything back *out* of that again in any sort of reasonable timeframe would be... optimistic. I suppose if you're storing it all in hadoop you can map/reduce your way out of trouble, but that's going to mean a lot of equipment sitting around doing nothing for 99.99% of the time. Perhaps mine litecoin between searches?
The timestamp is a natural index. You shouldn't need to run a distributed query for finding information about a specific incident. You would have to write your own custom tools to access and manage the db, so that's just impractical. The timestamp as well as most of the other fields should be fairly easily compressible since most of the bits are the same. You might as well use a regular plaintext logfile and gzip it.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
Surprised it's that high.
So was I to be honest, but in general "It Just Works".
4. You need to log NAT translations for LI purposes. (IP source/destination, Port source/destination, time) Surprisingly this does not produce that big a database burden. However as Cisco's Netflow NAT logging is utterly useless you need to use syslog and this ramps up the ASR CPU a bit.
Can you quantify? The log entry has to be at least:
32 bits source address
16 bits source port
32 bits destination address
16 bits destination port
64 bits? timestamp
The issue with the Cisco NAT Translation flow is that as soon as you set the NAT mode to CGN it no longer sends the pre-NAT IP (100.64.x.x), which makes it useless for matching against RADIUS to identify the user. Several weeks of arguing with TAC engineers got nowhere. TAC said, no that can't be done, but could not explain why it worked fine with syslog translation logging.
---
160 bits = 20 bytes per flow
You have to log the end of the flow, too, right? Another 20 bytes? 40 bytes per flow. Not including syslog severity and message text.
As I recall, a site like cnn.com opens 80 flows, so 3200 bytes of log data. If, as you say in #6, 10,000 customers = 200,000 active translations, that's 8,000,000 bytes of syslog. . . per second? Not sure if "active" indicates how fast those sessions churn. 180 days of log retention would be. . . 124TB of data. Per 10,000 users.
That is 200,000 active translations, not 200,000 per second. The ESP40 can handle 2,000,000 active translations.
By the way, if that's 8MB of syslog, that's 32Mbps just of logging data. Average, not peak.
Maybe the actual log rate is 8MB per five minutes? That's only 400GB for six months.
I'm really interested in what your actual log rate is.
Per 10,000 customers we are getting about 2,000,000 records per day in the database, real world. We first-in-first-out these after three months. How much bandwidth? Don't know, I have not actually looked.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
At least Xbox ONE prefers IPv6. PS4 can, it just doesn't yet. Maybe Kiwis don't play enough games for Sony to care?
Few CPE routers support native v6 (we are a low cost, BYO router ISP)
7. CGNAT protects your customers from all sorts of nasties like small DDOS attacks and attacks on their crappy CPE
8. DDOS on CGNAT pool IP's are a pain in the rear and happen often.
Between #7 and #8, do they balance out?
Yes, you just need to treat DDOS mitigation a little differently: you can't just upstream-block your destination IP, as that can randomly nuke thousands of customer translations. You need to remove the target IP from your CGNAT pool first.
9. In New Zealand we are not a state of the USA so spammed DMCA emails can be redirected to /dev/null. If a rights holder wishes to have a potential violation investigated (translation logs) they need to pay a $25 fee, so in general they don't bother. Police need a search warrant so they generally only ask for user info when they actually can justify it, so it's not a big overhead.
As long as you have a tool to query your logging system, should be fine.
Yes, it doesn't take a lot to develop the tool. Most of the work is in educating the authorities that they need to supply the exact source/destination IP, destination port and timestamps if they want any data back.
10. It is not uncommon for people who run some game servers and websites (like banks) to be completely clueless/confused about cgnat and randomly block IP's as large numbers of users connect from single IP. This is not a big issue in practice.
Really? Seems like those would be some of the loudest users.
I've always suggested adding IPv6 as an outlet, so that if someone complains about something not working through CGN, you can tell them to deploy IPv6.
Yes, there have only been a few websites that have caused some issues over the last two years, nowhere near as bad as I expected it to be.
Thanks again for this perspective.
Lee
Happy to help. People tend to panic about the unknown. And in this case it's really not as scary as people think, in general it just works and pretty much no standard residential customers notice.
In message <004601cfab84$19ef4e20$4dcdea60$@wicks.co.nz>, "Tony Wicks" writes:
5. NAT translation timeouts are important, XBOX and PlayStation suck.
At least Xbox ONE prefers IPv6. PS4 can, it just doesn't yet. Maybe Kiwis don't play enough games for Sony to care?
Few CPE routers support native v6 (we are a low cost, BYO router ISP)
Actually they are becoming much more common and the additional cost is not that much, basically the cost of the better WiFi radios. If you make IPv6 available and recommend that people buy an IPv6-capable router next time they upgrade, they will switch over. You won't find IPv6 in 802.11[bg]-only routers but it is in the ones with newer WiFi radios. e.g. NETGEAR WNDR3800 N600 is AUD$80 [mwave.com.au] + shipping and supports IPv6. The price point has come down dramatically from several years ago. Mark
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
More precisely: you don't hear from 99.99% of customers, regardless of whether or not they notice problems that are caused by CGNAT. People put up with some *really* bad stuff sometimes without mentioning it to their service provider.
5. NAT translation timeouts are important, XBOX and PlayStation suck.
Do they suck, or do they just not misbehave in a way that plays nicely with your CGNAT?
10. It is not uncommon for people who run some game servers and websites (like banks) to be completely clueless/confused about cgnat and randomly block IP's as large numbers of users connect from single IP. This is not a big issue in practice.
Is this cluelessness, or just reacting to a usage pattern which overwhelmingly screams "abuse" that your CGNAT happens to emulate? From my experience, I've blocked a lot more abusive sources than NATs by blocking IPs that originate a lot of connections with varying UAs, for example. If you walk like a duck and quack like a duck, it isn't only clueless people who will call you a duck.
- Matt
-- "Python is a rich scripting language offering a lot of the power of C++ while retaining the ease of use of VBscript." -- The PyWin32 documentation
In message <20140729225352.GO7836@hezmatt.org>, Matt Palmer writes:
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
More precisely: you don't hear from 99.99% of customers, regardless of whether or not they notice problems that are caused by CGNAT. People put up with some *really* bad stuff sometimes without mentioning it to their service provider.
Like modems that introduce 2 second queuing delays the moment you have an upstream transfer like an iCloud backup. Buffer @!#$!@#$! bloat!

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
In message <20140729225352.GO7836@hezmatt.org>, Matt Palmer writes:
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true. Though it will be an increasing percentage over time. Definitely a good way of reducing the load on your CGN, with the additional benefit that your network is part of the solution rather than part of the problem.
3. 99.99% of customers don't notice they are transiting CGNAT, it just works.
More precisely: you don't hear from 99.99% of customers, regardless of whether or not they notice problems that are caused by CGNAT. People put up with some *really* bad stuff sometimes without mentioning it to their service provider.
Like modems that introduce 2 second queuing delays the moment you have an upstream transfer like an iCloud backup. Buffer @!#$!@#$! bloat!
Among other things. 99.99% of customers don't know how to isolate the fault of such a thing to their ISP or how to properly complain about it in my experience. For the 0.01% who do, 99% of them don't know how to get past the ISP's first-line "let's reboot your modem and when you call back afterwards, you won't be my problem any more".

Owen
On 29/07/14 22:22, Owen DeLong wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
In message <20140729225352.GO7836@hezmatt.org>, Matt Palmer writes:
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true.
Though it will be an increasing percentage over time.
Definitely a good way of reducing the load on your CGN, with the additional benefit that your network is part of the solution rather than part of the problem.
Being on the content provider side I don't know the actual percentages in practice, but in the NANOG region you've got Google/Youtube, NetFlix, Akamai & Facebook all having a significant amount of their services v6 native. I'd be very surprised if these four together weren't a majority of any consumer-facing network's traffic in peak times.
The only actual residential data I can offer is my own. I am fully dual stack and about 40% of my traffic is IPv6. I am a netflix subscriber, but also an amazon prime member. I will say that if amazon would get off the dime and support IPv6, it would make a significant difference. Other than amazon and my financial institutions and Kaiser, living without IPv4 wouldn't actually pose a hardship as near as I can tell from my day without v4 experiment on June 6. I know Kaiser is working on it. Amazon apparently recently hired Yuri Rich to work on their issues. So that would leave my financial institutions. I think we are probably less than 5 years from residential IPv4 becoming a service that carries a surcharge, if available. Owen
On Jul 29, 2014, at 22:42, Julien Goodwin <nanog@studio442.com.au> wrote:
On 29/07/14 22:22, Owen DeLong wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
In message <20140729225352.GO7836@hezmatt.org>, Matt Palmer writes:
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true.
Though it will be an increasing percentage over time.
Definitely a good way of reducing the load on your CGN, with the additional benefit that your network is part of the solution rather than part of the problem.
Being on the content provider side I don't know the actual percentages in practice, but in the NANOG region you've got Google/Youtube, NetFlix, Akamai & Facebook all having a significant amount of their services v6 native.
I'd be very surprised if these four together weren't a majority of any consumer-facing network's traffic in peak times.
There are still a lot of websites that are not with the times. No IPv6 on CNN, FOX, or NBC news websites. Slashdot.org, shame on you! Comcast and AT&T work, but not Verizon. No surprise there. Power company, nope.

I think CGN is fine for 99% of customers out there. Until the iPhone came out, Verizon Wireless had NATted all their BlackBerry customers and saved millions of IPs. Then Apple and Google blew a hole into that plan. Then again, I'm for IPv4 just running out and finally pushing people to adopt.

The US Govt has done a better job of moving to IPv6 than private industry, which frankly is amazing all things considered. Comcast is pushing over 1 Tbps of IPv6 traffic, but I'm sure that's mainly video from YouTube and Netflix.

On 7/30/14, 9:45 AM, "Owen DeLong" <owen@delong.com> wrote:
The only actual residential data I can offer is my own. I am fully dual stack and about 40% of my traffic is IPv6. I am a netflix subscriber, but also an amazon prime member.
I will say that if amazon would get off the dime and support IPv6, it would make a significant difference.
Other than amazon and my financial institutions and Kaiser, living without IPv4 wouldn't actually pose a hardship as near as I can tell from my day without v4 experiment on June 6.
I know Kaiser is working on it. Amazon apparently recently hired Yuri Rich to work on their issues. So that would leave my financial institutions.
I think we are probably less than 5 years from residential IPv4 becoming a service that carries a surcharge, if available.
Owen
On Jul 29, 2014, at 22:42, Julien Goodwin <nanog@studio442.com.au> wrote:
On 29/07/14 22:22, Owen DeLong wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
In message <20140729225352.GO7836@hezmatt.org>, Matt Palmer writes:
On Wed, Jul 30, 2014 at 09:28:53AM +1200, Tony Wicks wrote:
2. IPv6 is nice (dual stack) but the internet without IPv4 is not a viable thing, perhaps one day, but certainly not today (I really hate clueless people who shout to the hills that IPv6 is the "solution" for today's internet access)
Do you have IPv6 deployed and available to your entire customer base, so that those who want to use it can do so? To my way of thinking, CGNAT is probably going to be the number one driver of IPv6 adoption amongst the broad customer base, *as long as their ISP provides it*.
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I'm not 100% convinced that it is true.
Though it will be an increasing percentage over time.
Definitely a good way of reducing the load on your CGN, with the additional benefit that your network is part of the solution rather than part of the problem.
Being on the content provider side I don't know the actual percentages in practice, but in the NANOG region you've got Google/Youtube, NetFlix, Akamai & Facebook all having a significant amount of their services v6 native.
I'd be very surprised if these four together weren't a majority of any consumer-facing network's traffic in peak times.
Once upon a time, Corey Touchet <corey.touchet@corp.totalserversolutions.com> said:
Comcast is pushing over 1 Tbps of IPv6 traffic, but I'm sure that's mainly video from YouTube and Netflix.
One thing to remember about the video services that do support IPv6 is that a lot of end users, even if they have IPv6 in the home, won't see them over IPv6. Many people watch Netflix and such from TV-connected devices like DVD/Blu-Ray players, "smart" TVs, Xboxes, TiVos, etc. Many (most?) of these devices don't support IPv6, and many never will (because they don't get firmware updates much after release). -- Chris Adams <cma@cmadams.net>
On 07/30/2014 09:16 AM, Chris Adams wrote:
Once upon a time, Corey Touchet <corey.touchet@corp.totalserversolutions.com> said:
Comcast is pushing over 1 Tbps of IPv6 traffic, but I'm sure that's mainly video from YouTube and Netflix.
One thing to remember about the video services that do support IPv6 is that a lot of end users, even if they have IPv6 in the home, won't see them over IPv6. Many people watch Netflix and such from TV-connected devices like DVD/Blu-Ray players, "smart" TVs, Xboxes, TiVos, etc. Many (most?) of these devices don't support IPv6, and many never will (because they don't get firmware updates much after release).
In the game console market, from what I could see from some quick searches, Xbox and Wii do v6, but PS4 does not. And as time goes on more things will do v6, not less. :) The time for using "$FOO does not support IPv6, so I don't have to enable it" as an excuse is way past over. Doug
On Jul 30, 2014, at 8:45 AM, Owen DeLong <owen@delong.com> wrote:
I will say that if amazon would get off the dime and support IPv6, it would make a significant difference.
Per Microsoft public statements, they are now moving address space allocated to them in Brazil to the US to fill a major service shortfall in Azure. They're not the only kids on the block with that problem, but are perhaps the one most publicly reported. To my way of thinking, having services like that adopt IPv6 and tell their customers that they need to access the service using IPv6 would go a lot farther than residential service in pushing enterprise adoption. http://tools.ietf.org/html/draft-anderson-siit-dc gives a fairly clever way to make it possible for the service itself to be IPv6-only and yet provide IPv4 access, and preserve IPv4 addresses in the process.
On Jul 30, 2014, at 8:45 AM, Owen DeLong <owen@delong.com> wrote:
I will say that if amazon would get off the dime and support IPv6, it would make a significant difference.
Someone that works for Amazon once told me that they are primed for it now; the question is whether their customers tick the box appropriately.

Per Microsoft public statements, they are now moving address space allocated to them in Brazil to the US to fill a major service shortfall in Azure. They're not the only kids on the block with that problem, but are perhaps the one most publicly reported. To my way of thinking, having services like that adopt IPv6 and tell their customers that they need to access the service using IPv6 would go a lot farther than residential service in pushing enterprise adoption. http://tools.ietf.org/html/draft-anderson-siit-dc gives a fairly clever way to make it possible for the service itself to be IPv6-only and yet provide IPv4 access, and preserve IPv4 addresses in the process. If I'm not mistaken, it's pretty much what Facebook and others like them have implemented, with a view to being internally IPv6-only within a relatively short timeframe.
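The SIIT-DC draft Fred points at works by stateless address translation: every IPv4 client is represented inside the IPv6-only data centre as an IPv6 address with the client's 32 bits embedded in a translation prefix (RFC 6052 style), and the few IPv4 service addresses the site still needs are mapped one-to-one to server IPv6 addresses by an explicit mapping table. The block below is an added illustration of that address arithmetic, not code from the draft or from any deployment; the prefix 64:ff9b::/96 and the mapping entries are assumptions for the example, and a real translator would of course also rewrite headers and checksums, which is left out.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

# Translation prefix (assumed). RFC 6052 defines 64:ff9b::/96 as the well-known one;
# sites frequently use a /96 out of their own allocation instead.
TRANSLATION_PREFIX = IPv6Network("64:ff9b::/96")

# Explicit address mapping (constructed): the only IPv4 addresses the site spends are these
# service addresses. Everything behind them is IPv6-only.
EAM: Dict[IPv4Address, IPv6Address] = {
    IPv4Address("198.51.100.10"): IPv6Address("2001:db8:1::10"),
    IPv4Address("198.51.100.11"): IPv6Address("2001:db8:1::11"),
}
EAM_REVERSE: Dict[IPv6Address, IPv4Address] = {v6: v4 for v4, v6 in EAM.items()}


def embed_ipv4(v4: IPv4Address) -> IPv6Address:
    """Represent an arbitrary IPv4 host as prefix::a.b.c.d. Stateless: the reverse is pure arithmetic."""
    return IPv6Address(int(TRANSLATION_PREFIX.network_address) | int(v4))


def extract_ipv4(v6: IPv6Address) -> IPv4Address:
    """Recover the IPv4 host from an embedded address; anything outside the prefix is a bug or an attack."""
    if v6 not in TRANSLATION_PREFIX:
        raise ValueError(f"{v6} is not inside the translation prefix")
    return IPv4Address(int(v6) & 0xFFFF_FFFF)


def translate_inbound(src4: IPv4Address, dst4: IPv4Address) -> Optional[Tuple[IPv6Address, IPv6Address]]:
    """IPv4 client -> IPv6-only server. Returns None when the destination has no mapping (packet dropped)."""
    dst6 = EAM.get(dst4)
    if dst6 is None:
        return None
    return embed_ipv4(src4), dst6


def translate_outbound(src6: IPv6Address, dst6: IPv6Address) -> Optional[Tuple[IPv4Address, IPv4Address]]:
    """Reply from the server: undo both mappings. Also None when the server is not in the table."""
    src4 = EAM_REVERSE.get(src6)
    if src4 is None or dst6 not in TRANSLATION_PREFIX:
        return None
    return src4, extract_ipv4(dst6)


if __name__ == "__main__":
    client, service = IPv4Address("203.0.113.7"), IPv4Address("198.51.100.10")
    inbound = translate_inbound(client, service)
    print("server sees", inbound)
    print("client sees", translate_outbound(inbound[1], inbound[0]))
```

Two things worth noticing in practice: the server only ever sees IPv6 peers, so its access logs and rate limits need no IPv4 path at all, and the translator keeps no per-flow state, which is what lets it be replicated and fail over without a session table. The check in extract_ipv4 matters: a packet from the IPv6 side addressed to something outside the prefix must not be turned into IPv4 traffic.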
In message <53D96DBD.3070601@dougbarton.us>, Doug Barton writes:
On 07/30/2014 11:41 AM, Fred Baker (fred) wrote:
Someone that works for Amazon once told me that they are primed for it now
Pun intended? :)
The best thing Amazon could do would be to stop stocking IPv4 only CPE devices. I know this is a hard ask. The second best thing would be to warn that a CPE device was IPv4 only and won't work with the new IPv6 Internet. They could also ship dual stack images for all the Kindle models they have released.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
On Jul 30, 2014, at 3:55 PM, Mark Andrews <marka@isc.org> wrote:
In message <53D96DBD.3070601@dougbarton.us>, Doug Barton writes:
On 07/30/2014 11:41 AM, Fred Baker (fred) wrote:
Someone that works for Amazon once told me that they are primed for it now
Pun intended? :)
The best thing Amazon could do would be to stop stocking IPv4 only CPE devices. I know this is a hard ask.
The second best thing would be to warn that a CPE device was IPv4 only and won't work with the new IPv6 Internet.
They could also ship dual stack images for all the Kindle models they have released.
In terms of biggest impact, sure. In terms of the biggest impact to effort ratio, I would argue that AAAA for amazon.com would be huge. Owen
On Jul 30, 2014, at 11:41 AM, Fred Baker (fred) <fred@cisco.com> wrote:
On Jul 30, 2014, at 8:45 AM, Owen DeLong <owen@delong.com> wrote:
I will say that if amazon would get off the dime and support IPv6, it would make a significant difference.
Someone that works for Amazon once told me that they are primed for it now; the question is whether their customers tick the box appropriately.
Owens-MacBook-Pro:toneAC owendelong$ host www.amazon.com
www.amazon.com has address 72.21.215.232
Owens-MacBook-Pro:toneAC owendelong$ host www.google.com
www.google.com has address 74.125.239.145
www.google.com has address 74.125.239.146
www.google.com has address 74.125.239.148
www.google.com has address 74.125.239.144
www.google.com has address 74.125.239.147
www.google.com has IPv6 address 2607:f8b0:4005:802::1010

It appears to me that they have failed to tick their own box correctly.

I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms of the Alexa list, Amazon would swing the percentage meaningfully. I don't know to what extent AWS would swing the percentage.

Owen
On Wed, 30 Jul 2014 16:39:14 -0700, Owen DeLong said:
I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms of the Alexa list, Amazon would swing the percentage meaningfully. I dont know to what extent AWS would swing the percentage.
There's probably not much stuff that individually is in the Alexa top 100, but collectively AWS probably has a half million or so hosted entities that together would end up at the bottom end of the Top 50 if not better. Of course, then the question becomes what percentage of those half million entities are ready to go once AWS flips the switch....
On Wed, Jul 30, 2014 at 08:05:28PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Wed, 30 Jul 2014 16:39:14 -0700, Owen DeLong said:
I was talking about Amazon, not AWS. Yes, AWS would help too, but in terms of the Alexa list, Amazon would swing the percentage meaningfully. I dont know to what extent AWS would swing the percentage.
There's probably not much stuff that individually is in the Alexa top 100, but collectively AWS probably has a half million or so hosted entities that together would end up at the bottom end of the Top 50 if not better.
Of course, then the question becomes what percentage of those half million entities are ready to go once AWS flips the switch....
Given that almost all of them will be using ELB, which is just a reverse proxy, where AWS controls the A records that get returned, I'd say that most of them would Just Work. The ones that don't will fail only because they're assuming that the IP address they get sent via HTTP header is IPv4, but plenty of sites don't even look, and most of the rest wouldn't need much more than a regex update and/or DB column size change.

- Matt

--
The real art of conversation is not only to say the right thing at the right place but to leave unsaid the wrong thing at the tempting moment.
-- Dorothy Nevill
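The failure Matt describes is a client-address field behind a load balancer that was written for dotted quads only. The block below is an added example, not code from any participant or from AWS: it puts the IPv4-only parsing next to a version that handles both families, and it also fixes the more dangerous habit that usually lives in the same function, trusting the leftmost X-Forwarded-For entry (which the client controls) instead of the entry the trusted proxy appended on the right. The header values, the trusted proxy range and the column widths are constructed for the illustration.

```python
import re
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Iterable, Optional, Union

Address = Union[IPv4Address, IPv6Address]

# The kind of pattern Matt describes: accepts dotted quads only, so an IPv6 client yields "no address".
IPV4_ONLY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Textual column widths (assumed schema): 15 holds IPv4 only, 45 holds the longest IPv6 form.
IPV4_COLUMN_WIDTH = 15
ANY_IP_COLUMN_WIDTH = 45


def client_ip_naive(xff: str) -> Optional[str]:
    """Before: take the leftmost entry and require IPv4. Both choices are wrong; kept to show the failure."""
    first = xff.split(",")[0].strip()
    return first if IPV4_ONLY_RE.match(first) else None


def client_ip(xff: str, trusted_proxies: Iterable) -> Optional[Address]:
    """After: walk the chain from the right, skipping our own proxies; the first untrusted hop is the client.
    The entries to the left of that are whatever the client chose to send and carry no trust at all."""
    nets = list(trusted_proxies)                      # ip_network objects, either family
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)                    # accepts IPv4 and IPv6, rejects "1.2.3" and "[::1]:443"
        except ValueError:
            return None                               # malformed: refuse rather than store junk
        if not any(addr in net for net in nets):      # family mismatch is simply "not contained"
            return addr
    return None                                       # every hop was one of ours; no client address


def canonical(text: str) -> str:
    """Normalise before storing or comparing: 2001:0db8::0001 and 2001:db8::1 are the same client."""
    return str(ip_address(text))


def fits_column(text: str, width: int) -> bool:
    """Matt's 'DB column size change': does the canonical form fit the column the schema gives it?"""
    return len(canonical(text)) <= width
```

A caveat on the proxy list: behind ELB the rightmost entry is the client the load balancer saw, because the ELB itself is the TCP peer and does not appear in the header; if another reverse proxy sits between ELB and the application, that proxy's address range must be in trusted_proxies or it will be reported as the client. Values such as "[2001:db8::1]:443" (address plus port) are rejected here on purpose; accept them only if the specific proxy in front of you is known to emit that form.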
On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong <owen@delong.com> wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
.....
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true.
For the 99.99% of the users who believe that facebook and twitter *are* the internet, at least facebook is IPv6 enabled. 50.00%(*)! Yes, I think we can all stipulate that those participating on this list are different, and have different expectations, and different capabilities, than those other 99.99%. Gary (*) If we are going to make up statistics, four significant digits looks better than one.
In message <CAMfXtQwmpEqBk9CKRq2MpW15tRcuicZ_3DoJUsTBAM4=50319A@mail.gmail.com>, Gary Buhrmaster writes:
On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong <owen@delong.com> wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
.....
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true.
For the 99.99% of the users who believe that facebook and twitter *are* the internet, at least facebook is IPv6 enabled. 50.00%(*)!
Yes, I think we can all stipulate that those participating on this list are different, and have different expectations, and different capabilities, than those other 99.99%.
Gary
(*) If we are going to make up statistics, four significant digits looks better than one.
Enable IPv6 at home and measure the traffic. I did, which is why I say > 50%.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
On Tue, Jul 29, 2014 at 11:56 PM, Mark Andrews <marka@isc.org> wrote:
In message <CAMfXtQwmpEqBk9CKRq2MpW15tRcuicZ_3DoJUsTBAM4=50319A@mail.gmail.com>, Gary Buhrmaster writes:
On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong <owen@delong.com> wrote:
On Jul 29, 2014, at 4:13 PM, Mark Andrews <marka@isc.org> wrote:
.....
Add to that over half your traffic will switch to IPv6 as long as the customer has an IPv6-capable CPE. That's a lot less logging you need to do from day 1.
That would be nice, but I’m not 100% convinced that it is true.
For the 99.99% of the users who believe that facebook and twitter *are* the internet, at least facebook is IPv6 enabled. 50.00%(*)!
Yes, I think we can all stipulate that those participating on this list are different, and have different expectations, and different capabilities, than those other 99.99%.
Gary
(*) If we are going to make up statistics, four significant digits looks better than one.
Enable IPv6 at home and measure the traffic. I did, which is why I say > 50%.
Orange Poland deployed 464XLAT on mobile and is seeing 62% native IPv6 and 38% NAT64 (slide 26): http://www.data.proidea.org.pl/plnog/12edycja/day2/track4/01_ipv6_implementa...

I don't have good measurements on this, but I assume the 11 million 464XLAT subscribers on T-Mobile US show a similar profile, possibly higher due to Netflix now supporting IPv6 on Android.

CB
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Not exactly what you probably want, but it's actually working for me:

http://ipv6netro.blogspot.de/2013/10/asamap-application-capability-in-wide.h...
http://enog.jp/~masakazu/vyatta/map/

On 29.07.2014 16:45, Colton Conor wrote:
We are looking for recommendations for a carrier grade nat solution. Who is the leaders in this space? How do carrier grade NAT platforms integrate with DHCP and DNS solutions? How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
You can utilize an ASR 1006 / 1013 with an ESP card for CGN functionality. Starting in 3.10 code you can utilize Bulk Port Allocation to carve out small consecutive port bundles for end users so as to not mess up SIP functions, and High Speed Logging to log individual customers' ports for law enforcement needs without overrunning your logging server.

On Tue, Jul 29, 2014 at 10:45 AM, Colton Conor <colton.conor@gmail.com> wrote:
We are looking for recommendations for a carrier grade nat solution. Who is the leaders in this space? How do carrier grade NAT platforms integrate with DHCP and DNS solutions? How do you keep track of copyright violations in a CGNAT solution if multiple customers are sharing the same public IP address?
On 7/30/14 3:45 PM, "joshua rayburn" <jbrayburn@gmail.com> wrote:
Starting in 3.10 code you can utilize Bulk Port Allocation to carve out small consecutive port bundles for end users so as to not mess up SIP functions, and High Speed Logging to log individual customers' ports for law enforcement needs without overrunning your logging server.
http://tools.ietf.org/html/rfc6056 documents a security concern with bulk port assignments. Lee
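Joshua's two features and Lee's objection are two sides of the same design decision, so one added example covers both. The block below is an illustration written for this page, not Cisco code and not the format of any vendor's logging: a toy CGN that hands each subscriber a contiguous block of external ports and writes one log record per block instead of one per session (the reason block logging does not overrun the log server), with the lookup an abuse desk needs to turn (public IP, source port, timestamp) back into a subscriber. The block size, port pool, addresses and timestamps are assumptions. The new_session method shows the RFC 6056 side: choosing ports sequentially inside the block makes a subscriber's next source port predictable to anyone who saw one of its connections, and even random choice inside a 64-port block leaves only six bits of uncertainty, which is far less than the full ephemeral range RFC 6056 wants randomised.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed sizing; real CGNs make both configurable and hand out further blocks when one fills.
BLOCK_SIZE = 64
PORT_MIN, PORT_MAX = 1024, 65535


@dataclass
class BlockLease:
    """One log record per port block. This is the whole record the abuse desk resolves against."""
    public_ip: str
    first_port: int            # block covers [first_port, first_port + BLOCK_SIZE)
    subscriber: str            # internal (RFC 6598, 100.64.0.0/10) address of the customer
    start: int                 # epoch seconds when the block was handed out
    end: Optional[int] = None  # None while the block is still held

    def held_at(self, at: int) -> bool:
        return self.start <= at and (self.end is None or at < self.end)

    def covers(self, port: int, at: int) -> bool:
        return self.first_port <= port < self.first_port + BLOCK_SIZE and self.held_at(at)


class BulkPortNat:
    def __init__(self, public_ips: List[str], rng: random.Random):
        blocks = range(PORT_MIN, PORT_MAX - BLOCK_SIZE + 2, BLOCK_SIZE)
        self.free: Dict[str, List[int]] = {ip: list(blocks) for ip in public_ips}
        self.log: List[BlockLease] = []            # append-only; this is what goes to the log server
        self.active: Dict[str, BlockLease] = {}    # subscriber -> block currently held
        self.in_use: Dict[str, Set[int]] = {}      # subscriber -> external ports with a live session
        self.rng = rng

    def allocate(self, subscriber: str, now: int) -> BlockLease:
        """Hand the subscriber a whole block on first use; later sessions reuse it without a new log line."""
        lease = self.active.get(subscriber)
        if lease is not None:
            return lease
        for ip, blocks in self.free.items():
            if blocks:
                lease = BlockLease(ip, blocks.pop(0), subscriber, now)
                break
        else:
            raise RuntimeError("public port pool exhausted")
        self.log.append(lease)
        self.active[subscriber] = lease
        self.in_use[subscriber] = set()
        return lease

    def release(self, subscriber: str, now: int) -> None:
        """Close the lease; the end time is what keeps later lookups for a reused block unambiguous."""
        lease = self.active.pop(subscriber)
        lease.end = now
        self.in_use.pop(subscriber)
        self.free[lease.public_ip].append(lease.first_port)

    def new_session(self, subscriber: str, now: int, randomize: bool = True) -> Tuple[str, int]:
        """Pick the external (public_ip, port) for a new flow from this subscriber."""
        lease = self.allocate(subscriber, now)
        used = self.in_use[subscriber]
        free = [p for p in range(lease.first_port, lease.first_port + BLOCK_SIZE) if p not in used]
        if not free:
            raise RuntimeError("block full; a real CGN would allocate the subscriber a second block")
        # Sequential choice is the predictable pattern RFC 6056 argues against. Random choice inside the
        # block helps only a little: an observer who saw one port already knows the 64-port block.
        port = free[0] if not randomize else self.rng.choice(free)
        used.add(port)
        return lease.public_ip, port

    def who_used(self, public_ip: str, port: int, at: int) -> Optional[str]:
        """Resolve an abuse report (public IP, source port, timestamp) to exactly one subscriber."""
        for lease in self.log:
            if lease.public_ip == public_ip and lease.covers(port, at):
                return lease.subscriber
        return None

    def candidates(self, public_ip: str, at: int) -> Set[str]:
        """A report without the source port can only be narrowed to everyone on that IP at that time."""
        return {l.subscriber for l in self.log if l.public_ip == public_ip and l.held_at(at)}


if __name__ == "__main__":
    nat = BulkPortNat(["203.0.113.7"], random.Random(7))
    for _ in range(3):
        print("sequential:", nat.new_session("100.64.0.10", 1000, randomize=False))
    for _ in range(3):
        print("randomised:", nat.new_session("100.64.0.11", 1001))
    print("log records:", len(nat.log), "for", sum(len(s) for s in nat.in_use.values()), "sessions")
```

The practical consequence for the DMCA question that started the thread is visible in who_used versus candidates: a notice that carries the public IP, the source port and an accurate timestamp (with its time zone) resolves to one customer from the block log; a notice with the IP and time alone resolves to every customer who held a block on that address at that moment, and the honest answer to it is "we cannot tell".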
Slightly off-topic, but what are people using as a CPE device in a dual-stack scenario like this?

On Friday, August 1, 2014, Lee Howard <Lee@asgard.org> wrote:
On 7/30/14 3:45 PM, "joshua rayburn" <jbrayburn@gmail.com> wrote:
Starting in 3.10 code you can utilize Bulk Port Allocation to carve out small consecutive port bundles for end users so as to not mess up SIP functions, and High Speed Logging to log individual customers' ports for law enforcement needs without overrunning your logging server.
http://tools.ietf.org/html/rfc6056 documents a security concern with bulk port assignments.
Lee
participants (26)
- Ca By
- Chris Adams
- Chris Boyd
- Colton Conor
- Corey Touchet
- Daniel Corbe
- Doug Barton
- excelsio@gmx.com
- Fred Baker (fred)
- Gary Buhrmaster
- John Levine
- joshua rayburn
- Julien Goodwin
- Lee Howard
- Livingood, Jason
- Mark Andrews
- Matt Palmer
- Mikael Abrahamsson
- Owen DeLong
- Robert Drake
- Shawn L
- Simon Perreault
- TJ
- Tony Wicks
- Valdis.Kletnieks@vt.edu
- William Herrin