Typical additional latency for CGN?

Owen DeLong owen at delong.com
Wed Oct 10 23:11:55 UTC 2012


On Oct 10, 2012, at 3:30 PM, Mark Andrews <marka at isc.org> wrote:

> 
> In message <Pine.LNX.4.61.1210100920590.26706 at soloth.lewis.org>, Jon Lewis writ
> es:
>> I just spent a few minutes looking into this again, and figured out the 
>> problem.  AT&T has apparently changed the way their CGN works.  I use a 
>> form of port knocking to restrict access to SSHd from "foreign" networks. 
>> It used to work fine from my phone.  Now, the port knocking request from 
>> the phone and the ssh connection are being NAT'd to different public IPs, 
>> so my system is allowing ssh access to one AT&T IP, and then the ssh 
>> connection comes from a nearby but different IP.
> 
> Which is a badly designed CGN.  I turns singly homed clients into
> multi-homed client where the client has no control over the source
> address selection. At least with real multi-homed clients they have
> the ability to force source addresses to match.
> 

AT&T probably likes it for mobile, however, because it's about the easiest
way possible to prevent data services from being successfully used for VOIP.

Owen

>> On Wed, 10 Oct 2012, Owen DeLong wrote:
>> 
>>> The day before I left the US, it was still working on my iPad.
>>> 
>>> Owen
>>> 
>>> On Oct 8, 2012, at 5:20 AM, Jon Sands <fohdeesha at gmail.com> wrote:
>>> 
>>>> On 10/7/2012 9:22 PM, Jon Lewis wrote:
>>>>> has anyone else noticed AT&T mobile is blocking ssh (outgoing 22/tcp) con
>> nections?
>>>> 
>>>> Not here, have an SSH session open on my phone on port 22 as we speak. I'm
>> on an android on ATT's 3G network in central indiana, if that matters.
>>>> 
>>>> --
>>>> Jon Sands
>>>> Fohdeesha Media
>>>> http://fohdeesha.com/
>>>> 
>>> 
>>> 
>>> 
>> 
>> ----------------------------------------------------------------------
>>  Jon Lewis, MCP :)           |  I route
>>  Senior Network Engineer     |  therefore you are
>>  Atlantic Net                |
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org




More information about the NANOG mailing list