Rate of growth on IPv6 not fast enough?

Bryan Fields Bryan at bryanfields.net
Mon Apr 19 12:22:31 CDT 2010


On 4/19/2010 10:14, Patrick Giagnocavo wrote:
> The eyeball ISPs will find it trivial to NAT should they ever need to do
> so however, something servers cannot do - you are looking at numbers,
> not operational considerations.

LSN is not trivial.

Here are some unverified calculations I did on the problem of scaling NAT.

Right now I'm using 42 translation entries in my NAT table.  Each entry takes
up 312 bytes of FIB memory, which is ~12.7 KiB of data in the FIB.  Multiply
this by 250k users and we have 3,124,237 KiB of FIB entries, or 3.1 GiB.  This
is not running any PtP programs or really hitting the network, I'm just
browsing the web and typing this email to you.

If we look at the total number of translations for 250k users we see 10.5M
entries.  As TCP/UDP only has 65,536 ports and about 1025 of them are
unusable, this leaves 64,511 ports to work with per IP.  Divided out we need
163 public IPs min just to NAT the number of users on a single PDSN pool;
assuming we have a 1/2 loading, that's 326 public IPs for one pool.

Now things get fun when I turn on my torrent program.  If the average
number of translations is at 3500 per person (during a virus outbreak or other
network event), we'll need a pool of 27k public IPs and 254 GiB of RAM to
store the NAT tables.  This would be a /17 of IP space just to NAT 250k
private users!

This is why NAT does not scale.  NAT breaks other IP protocols which don't use
TCP or UDP, and even breaks common protocols like TCP-based FTP unless the NAT
device has special support for FTP to do deep packet inspection and track the
FTP sessions.


Now suppose someone finds out that 250k people are behind an LSN box.  All
they have to do is write a virus that opens up tons of connections and it will
DDoS the entire provider's NAT device.

Just think, a single user could get the entire user base blocked from 4chan!


-- 
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
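The capacity arithmetic in the post, as an added example that is not Bryan's code: a Python model of an LSN pool that takes the post's figures as its assumptions (312 bytes per translation entry, 65,536 minus 1,025 usable ports per address, 1/2 loading) and reports total translations, table memory, public addresses needed and the smallest IPv4 prefix that holds them. It generalizes the post's two scenarios so a planner can vary per-user translations and see how fast memory and address needs grow during a network event.

```python
import math
from dataclasses import dataclass

# Assumptions taken from the post's own figures (constructed defaults).
ENTRY_BYTES = 312                        # FIB bytes per NAT translation entry
TOTAL_PORTS = 65_536
RESERVED_PORTS = 1_025                   # ports the post treats as unusable
USABLE_PORTS = TOTAL_PORTS - RESERVED_PORTS   # 64,511 per public address


@dataclass
class LsnEstimate:
    translations: int    # concurrent translations the box must hold
    fib_bytes: int       # memory needed for the translation table
    public_ips: int      # public addresses needed at the chosen loading
    prefix_len: int      # smallest IPv4 prefix holding public_ips addresses


def lsn_estimate(users: int, per_user: int, loading: float = 0.5,
                 entry_bytes: int = ENTRY_BYTES,
                 usable_ports: int = USABLE_PORTS) -> LsnEstimate:
    """Size an LSN pool for `users` subscribers with `per_user` concurrent
    translations each.  `loading` is the fraction of each address's usable
    ports a planner is willing to consume (0.5 = the post's 1/2 loading)."""
    if users <= 0 or per_user <= 0:
        raise ValueError("users and per_user must be positive")
    if not 0 < loading <= 1:
        raise ValueError("loading must be in (0, 1]")
    translations = users * per_user
    fib_bytes = translations * entry_bytes
    ports_per_ip = usable_ports * loading
    public_ips = math.ceil(translations / ports_per_ip)
    # Smallest prefix whose address count 2**(32-len) is >= public_ips.
    prefix_len = 32 - math.ceil(math.log2(public_ips))
    return LsnEstimate(translations, fib_bytes, public_ips, prefix_len)


def gib(nbytes: int) -> float:
    """Bytes to GiB, for comparison with the post's 3.1 GiB / 254 GiB."""
    return nbytes / 2 ** 30


if __name__ == "__main__":
    scenarios = [("web browsing", 42), ("torrent / network event", 3500)]
    for name, per_user in scenarios:
        e = lsn_estimate(250_000, per_user)
        print(f"{name}: {e.translations:,} translations, "
              f"{gib(e.fib_bytes):.1f} GiB table, "
              f"{e.public_ips:,} public IPs (a /{e.prefix_len})")
```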
