Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Fri Jan 18 18:06:54 UTC 2013

On Fri, Jan 18, 2013 at 12:20 PM, Lee Howard <Lee at asgard.org> wrote:
> On 1/17/13 6:21 PM, "William Herrin" <bill at herrin.us> wrote:
>>Then it's a firewall that mildly enhances protection by obstructing
>>90% of the port scanning attacks which happen against your computer.
>>It's a free country so you're welcome to believe that the presence or
>>absence of NAT has no impact on the probability of a given machine
>>being compromised. Of course, you're also welcome to join the flat
>>earth society. As for me, the causative relationship between the rise
>>of the "DSL router" implementing negligible security except NAT and
>>the fall of port scanning as a credible attack vector seems blatant
>>enough.
>
> CGNs are not identical to home NAT functionality.

Didn't say they were. What I said was that claiming NAT has no
security impact was false on its face.

>  Home NATs are
> frequently restricted cone NATs, which is why uPNP or manual
> port-forwarding are required.  CGNs for residential deployments are full
> cone NATs,

CGNs are most certainly not full cone NATs. Full cone NATs guarantee
that any traffic which arrives at the external address is mapped to
the internal address at the same port, functionality which requires a
1:1 mapping between external addresses and active internal addresses.
Were they full-cone, with a 1:1 IP address mapping, CGNs would be
completely useless for the stated purpose of reducing consumption of
global addresses.

I'm given to understand that they do try to restrict a given internal
address to emitting packets on a particular range of ports on a
particular external address but that's functionality on top of a
restricted-port cone NAT, not a fundamentally different kind of NAT.

>>I assume that fewer than 1 in 10 eyeballs would find Internet service
>>behind a NAT unsatisfactory. Eyeballs are the consumers of content,
>>the modem, cable modem, residential DSL customers. Some few of them
>>are running game servers, web servers, etc. but 9 in 10 are the email,
>>vonage and netflix variety who are basically not impacted by NAT.
>
> Netflix seems to have some funny interactions with some gateways and CGN.
> [nat444-impacts]

Some NATs have serious bugs that aren't obvious until you try to stack them.

> What about p2p?

If it worked with CGNs there'd be a whole lot less than 1 in 10 folks
needing to opt out.

> How'd you get 75%?

It's a SWAG, hence an assumption.

> You're going with linear growth?  See nro.net/statistics.

I'm guessing sublinear given the major backpressure from having to
purchase or transfer IP addresses from other uses instead of getting
fresh ones from a registry but the evidence isn't in yet so I'll
conservatively estimate it at linear.

>>Is it more like 1 in 5 customers would cough up
>>an extra $5 rather than use a NAT address? The nearest comparable
>>would be your ratio of dynamic to static IP assignments. Does your
>>data support that being higher than 1 in 10? I'd bet the broad data
>>sets don't.
>
> If an ISP is so close to running out of addresses that they need CGN,
> let's say they have 1 year of addresses remaining.  Given how many ports
> apps use, recommendations are running to 10:1 user:address (but I could
> well imagine that increasing to 50:1).  That means that for every user you
> NAT, you get 1/10 of an address.

So at 10:1 you get 9/10ths of an address back from each of the 9 in 10
eyeballs who converts to NAT. At a more likely ratio of 30:1 you get
29/30ths back. I'd have to rerun my numbers but that shaves something
on the order of 1 year off my 37 year estimate.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004