Typical additional latency for CGN?

Mark Andrews marka at isc.org
Wed Oct 10 22:30:03 UTC 2012


In message <Pine.LNX.4.61.1210100920590.26706 at soloth.lewis.org>, Jon Lewis writes:
> I just spent a few minutes looking into this again, and figured out the 
> problem.  AT&T has apparently changed the way their CGN works.  I use a 
> form of port knocking to restrict access to SSHd from "foreign" networks. 
> It used to work fine from my phone.  Now, the port knocking request from 
> the phone and the ssh connection are being NAT'd to different public IPs, 
> so my system is allowing ssh access to one AT&T IP, and then the ssh 
> connection comes from a nearby but different IP.

Which is a badly designed CGN.  It turns singly homed clients into
multi-homed clients where the client has no control over the source
address selection. At least with real multi-homed clients they have
the ability to force source addresses to match.

> On Wed, 10 Oct 2012, Owen DeLong wrote:
> 
> > The day before I left the US, it was still working on my iPad.
> >
> > Owen
> >
> > On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdeesha at gmail.com> wrote:
> >
> >> On 10/7/2012 9:22 PM, Jon Lewis wrote:
> >>> has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) connections?
> >>
> >> Not here, have an SSH session open on my phone on port 22 as we speak. I'm on an android on ATT's 3G network in central indiana, if that matters.
> >>
> >> --
> >> Jon Sands
> >> Fohdeesha Media
> >> http://fohdeesha.com/
> >>
> >
> >
> >
> 
> ----------------------------------------------------------------------
>   Jon Lewis, MCP :)           |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
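
An added example, not part of the original message or thread: a small log correlator an administrator could use to tell the failure described above (knock and SSH connection mapped to different public IPs by the CGN) apart from an ordinary un-knocked attempt. The event tuples, the 30-second knock lifetime and the "same /24 counts as nearby" rule are assumptions made for the illustration; the addresses are documentation ranges.

```python
import ipaddress

KNOCK_TTL = 30          # seconds a knock stays valid (assumed value)
NEARBY_PREFIX = 24      # "nearby" = same /24 (assumption, used for diagnosis only)

# Constructed sample events: (unix_time, source_ip). These are documentation
# ranges, not real carrier addresses.
KNOCKS = [(1000, "198.51.100.17"), (2000, "203.0.113.5")]
SSH_ATTEMPTS = [
    (1004, "198.51.100.17"),   # same public IP as the knock
    (2003, "203.0.113.9"),     # knock and SSH mapped to different pool IPs
    (3000, "192.0.2.44"),      # no knock at all
    (2100, "203.0.113.5"),     # right IP, but the knock has expired
]

def classify(ts, src, knocks, ttl=KNOCK_TTL, prefix=NEARBY_PREFIX):
    """Return 'allowed', 'cgn_split' or 'denied' for one SSH attempt."""
    src_ip = ipaddress.ip_address(src)
    near = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    verdict = "denied"
    for k_ts, k_src in knocks:
        if not (0 <= ts - k_ts <= ttl):
            continue                      # knock too old, or after the attempt
        k_ip = ipaddress.ip_address(k_src)
        if k_ip == src_ip:
            return "allowed"              # the exact-match test the gate applies
        if k_ip in near:
            verdict = "cgn_split"         # still refused, but this explains why
    return verdict

def report(knocks=KNOCKS, attempts=SSH_ATTEMPTS):
    """Classify every SSH attempt against the knock log."""
    return [(src, classify(ts, src, knocks)) for ts, src in attempts]

if __name__ == "__main__":
    for src, verdict in report():
        print(f"{src:15} {verdict}")
```

A `cgn_split` verdict is a diagnostic label only: the attempt is still refused, because the gate authorises exact source addresses.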



