Typical additional latency for CGN?

Mark Andrews marka at isc.org
Wed Oct 10 22:30:03 UTC 2012


In message <Pine.LNX.4.61.1210100920590.26706 at soloth.lewis.org>, Jon Lewis writ
es:
> I just spent a few minutes looking into this again, and figured out the 
> problem.  AT&T has apparently changed the way their CGN works.  I use a 
> form of port knocking to restrict access to SSHd from "foreign" networks. 
> It used to work fine from my phone.  Now, the port knocking request from 
> the phone and the ssh connection are being NAT'd to different public IPs, 
> so my system is allowing ssh access to one AT&T IP, and then the ssh 
> connection comes from a nearby but different IP.

Which is a badly designed CGN.  I turns singly homed clients into
multi-homed client where the client has no control over the source
address selection. At least with real multi-homed clients they have
the ability to force source addresses to match.

> On Wed, 10 Oct 2012, Owen DeLong wrote:
> 
> > The day before I left the US, it was still working on my iPad.
> >
> > Owen
> >
> > On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdeesha at gmail.com> wrote:
> >
> >> On 10/7/2012 9:22 PM, Jon Lewis wrote:
> >>> has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) con
> nections?
> >>
> >> Not here, have an SSH session open on my phone on port 22 as we speak. I'm
>  on an android on ATT's 3G network in central indiana, if that matters.
> >>
> >> --
> >> Jon Sands
> >> Fohdeesha Media
> >> http://fohdeesha.com/
> >>
> >
> >
> >
> 
> ----------------------------------------------------------------------
>   Jon Lewis, MCP :)           |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list