couple of questions regarding 'lifeline' and large scale nat...

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Fri Feb 10 18:19:46 CST 2012


Leo Bicknell wrote:

> UPNP, NAT-PMP, the ability to enter static bypasses (DMZ's, NAT
> passthrough), combined with the problems of some applications that
> make thousands of TCP connections in a short order eating up ports
> makes it a nightmare to manage and debug.

The applications can simply be debugged to use the socket option
REUSEPORT.

I pointed this out, along with static port mapping, at the last
meeting in "Track: IPv4 runout, Doing More with Less".

> Of course, if they are
> doing illegal things you'd better keep some detailed records of who did
> what when a LEO comes knocking.

Are you saying we MUST record all the IP addresses and
port numbers of all peers of your customers to prevent
illegal things?

If so, we have to do so, even if you are not using NAT,
I'm afraid.

If not and we only have to have information on which
port is used by which customer, static port mapping
is just fine.

Anyway, developers of virus software will be quite
cooperative in using REUSEPORT, to hide the symptoms that
the virus software is installed.

> The key to a low cost service is making it as low cost as possible,
> moving the NAT inside the carrier will had a huge amount of headache and
> support costs, not what you want.

Use NAT with static port mapping (with the same port numbers used
in and out), and there is no headache or support cost caused by NAT.

> A possibly relevant question with IPv4 exhaustion coming is could you
> make this service IPv6 only so you don't have to find IPv4 addresses for
> it.

IPv6 means a considerably greater amount of headache and
support cost than using NAT cleverly and simply.

						Masataka Ohta
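Added example (not part of the thread above, and not Ohta's, Bicknell's or any vendor's code): what "use the socket option REUSEPORT" looks like in C against a Linux or BSD sockets API. Two outbound TCP connections are bound to one local port and sent to two different servers, and a third socket that repeats the first connection's full 4-tuple (source address, source port, destination address, destination port) is refused, which is the constraint such an application has to respect. Behind a carrier NAT the translator then sees one source port from the customer for the whole batch of connections instead of one per connection. The "servers" are loopback listeners standing in for remote peers, every port number is chosen by the kernel at run time, and all function and constant names are this example's own.

```c
/* Added example, not from the NANOG thread: several outbound TCP connections
 * sharing ONE local port, so a customer behind a carrier NAT consumes one
 * translated port instead of one per connection. Assumes a Linux/BSD sockets
 * API and a usable loopback interface; every port number is kernel-chosen. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP socket with SO_REUSEADDR (and SO_REUSEPORT where it exists). On Linux it is
 * SO_REUSEADDR on every socket involved that lets a second non-listening TCP
 * socket bind an address:port that is already bound. */
static int reusable_tcp_socket(void)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == 0
#ifdef SO_REUSEPORT
        && setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof one) == 0
#endif
        )
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

static struct sockaddr_in loopback(uint16_t port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return a;
}

static uint16_t local_port_of(int fd)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &len) < 0 ? 0 : ntohs(a.sin_port);
}

/* Stand-in for a remote server: a listener on 127.0.0.1 with a kernel-chosen port. */
static int loopback_listener(void)
{
    int fd = reusable_tcp_socket();
    struct sockaddr_in a = loopback(0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0 && listen(fd, 8) == 0)
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Bind 127.0.0.1:local_port (0 = kernel picks), connect to 127.0.0.1:dst_port.
 * Returns the connected fd, or -errno of the call that failed. */
static int connect_from_port(uint16_t local_port, uint16_t dst_port)
{
    int err, fd = reusable_tcp_socket();
    struct sockaddr_in src = loopback(local_port), dst = loopback(dst_port);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&src, sizeof src) == 0 &&
        connect(fd, (struct sockaddr *)&dst, sizeof dst) == 0)
        return fd;
    err = errno;
    if (fd >= 0) close(fd);
    return -err;
}

enum { PORT_SHARED = 1, DUPLICATE_REFUSED = 2 };
/* Two connections from one local port to two servers, then the limit: that port
 * toward the SAME server is refused, because the 4-tuple must stay unique.
 * Returns <0 if setup failed, else PORT_SHARED|DUPLICATE_REFUSED bits. */
static int shared_port_demo(uint16_t *port_out)
{
    uint16_t shared = 0;
    int l1 = loopback_listener(), l2 = loopback_listener(), c1, c2, c3, flags = 0;
    if (l1 < 0 || l2 < 0)
        return -1;
    c1 = connect_from_port(0, local_port_of(l1));            /* kernel picks the local port */
    if (c1 >= 0) {
        shared = local_port_of(c1);
        c2 = connect_from_port(shared, local_port_of(l2));   /* reuse it toward the other server */
        c3 = connect_from_port(shared, local_port_of(l1));   /* same 4-tuple as c1: must fail */
        if (c2 >= 0 && local_port_of(c2) == shared) flags |= PORT_SHARED;
        if (c3 < 0) flags |= DUPLICATE_REFUSED;
        if (c3 >= 0) close(c3);
        if (c2 >= 0) close(c2);
        close(c1);
    }
    close(l2); close(l1);
    if (port_out) *port_out = shared;
    return c1 < 0 ? -2 : flags;
}

int main(void)
{
    uint16_t port;
    int flags = shared_port_demo(&port);
    printf("local port %u: shared by two connections: %s; duplicate 4-tuple refused: %s\n", port,
           flags & PORT_SHARED ? "yes" : "no", flags & DUPLICATE_REFUSED ? "yes" : "no");
    return flags < 0;
}
```

Compile with cc and run it; on Linux the third connect fails with EADDRNOTAVAIL, on the BSDs with EADDRINUSE. Two caveats a practitioner should keep in mind: on Linux SO_REUSEPORT requires all sockets sharing the port to have the same effective UID, and whether the saving survives the translator depends on the NAT's mapping behaviour, since an endpoint-independent mapping (RFC 4787 terminology) reuses one external port for all destinations while an address-and-port-dependent mapping allocates a fresh one per destination regardless of what the host does.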
