Typical additional latency for CGN?

Owen DeLong owen at delong.com
Wed Oct 10 23:11:55 UTC 2012


On Oct 10, 2012, at 3:30 PM, Mark Andrews <marka at isc.org> wrote:

> 
> In message <Pine.LNX.4.61.1210100920590.26706 at soloth.lewis.org>, Jon Lewis writes:
>> I just spent a few minutes looking into this again, and figured out the 
>> problem.  AT&T has apparently changed the way their CGN works.  I use a 
>> form of port knocking to restrict access to SSHd from "foreign" networks. 
>> It used to work fine from my phone.  Now, the port knocking request from 
>> the phone and the ssh connection are being NAT'd to different public IPs, 
>> so my system is allowing ssh access to one AT&T IP, and then the ssh 
>> connection comes from a nearby but different IP.
> 
> Which is a badly designed CGN.  It turns singly homed clients into
> multi-homed clients where the client has no control over the source
> address selection. At least with real multi-homed clients they have
> the ability to force source addresses to match.
> 

AT&T probably likes it for mobile, however, because it's about the easiest
way possible to prevent data services from being successfully used for VOIP.

Owen

>> On Wed, 10 Oct 2012, Owen DeLong wrote:
>> 
>>> The day before I left the US, it was still working on my iPad.
>>> 
>>> Owen
>>> 
>>> On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdeesha at gmail.com> wrote:
>>> 
>>>> On 10/7/2012 9:22 PM, Jon Lewis wrote:
>>>>> has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) connections?
>>>> 
>>>> Not here, have an SSH session open on my phone on port 22 as we speak. I'm on an android on ATT's 3G network in central indiana, if that matters.
>>>> 
>>>> --
>>>> Jon Sands
>>>> Fohdeesha Media
>>>> http://fohdeesha.com/
>>>> 
>>> 
>>> 
>>> 
>> 
>> ----------------------------------------------------------------------
>>  Jon Lewis, MCP :)           |  I route
>>  Senior Network Engineer     |  therefore you are
>>  Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
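
Added example (not part of the original thread): a log correlation an operator of a knock-gated sshd could run to confirm the symptom Jon Lewis describes, where the knock and the ssh connection leave the CGN from different public IPs. The log format, the event names (KNOCK-OK, SSH-ACCEPT, SSH-DROP), the 30-second window, the /24 "nearby" prefix and the documentation-range IPv4 addresses are all assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2012-10-10T09:15:01 KNOCK-OK src=198.51.100.23
2012-10-10T09:15:03 SSH-DROP src=198.51.100.41 dpt=22
2012-10-10T09:15:04 SSH-DROP src=198.51.100.41 dpt=22
2012-10-10T09:20:10 KNOCK-OK src=203.0.113.7
2012-10-10T09:20:12 SSH-ACCEPT src=203.0.113.7 dpt=22
2012-10-10T09:31:00 SSH-DROP src=192.0.2.99 dpt=22
"""

LINE = re.compile(r"^(\S+) (KNOCK-OK|SSH-ACCEPT|SSH-DROP) src=(\S+)")


def find_split_mappings(log_text, window_s=30, prefix_len=24):
    """Return (knock_ip, ssh_ip, drop_count) for each valid knock that was
    followed within window_s seconds by dropped ssh attempts from a different
    address in the same prefix, and never used from the knocking address."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           ipaddress.ip_address(m.group(3))))
    findings = []
    for ts, kind, knock_ip in events:
        if kind != "KNOCK-OK":
            continue
        net = ipaddress.ip_network(f"{knock_ip}/{prefix_len}", strict=False)
        end = ts + timedelta(seconds=window_s)
        later = [e for e in events if ts <= e[0] <= end]
        # A knock that was then used from the same address is working as intended.
        if any(k == "SSH-ACCEPT" and ip == knock_ip for _, k, ip in later):
            continue
        drops = {}
        for _, k, ip in later:
            if k == "SSH-DROP" and ip != knock_ip and ip in net:
                drops[ip] = drops.get(ip, 0) + 1
        findings.extend((str(knock_ip), str(ip), n) for ip, n in drops.items())
    return findings


if __name__ == "__main__":
    for knock_ip, ssh_ip, n in find_split_mappings(SAMPLE_LOG):
        print(f"knock from {knock_ip}, {n} dropped ssh attempt(s) from {ssh_ip}")
```

The function only reports the mismatch; it does not alter the allowlist.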
