CGN fixed/hashed nat question

William Herrin bill at
Wed Jan 23 13:22:06 UTC 2013

On Tue, Jan 22, 2013 at 4:52 PM, Dan Wing <dwing at> wrote:
> draft-donley-behave-deterministic-cgn provides that functionality in
> an attempt to help randomize ports (see RFC6056).  However, because
> the ports are fixed and there are relatively few ports, an attacker
> can determine the ports by causing the victim to open a bunch
> of TCP connections.  This can be done by a bunch of "img src" tags
> in an HTML-encoded email message, among other mechanisms.  If the
> hashing causes no logging, it creates a new requirement for a strong
> audit trail of the CGN configuration.

I thought this was desirable behavior for a CGN since effective port
prediction facilitates p2p nat traversal?

Bear in mind that Windows XP uses a dynamic port range between 1024
and 5000 and allocates them linearly. Small range and trivially
predictable. Were it practical to use this knowledge for much more
than denial of service I tend to think we'd have noticed by now.

Bill Herrin

William D. Herrin  herrin at  bill at
3005 Crane Dr.  Web: <>
Falls Church, VA 22042-3004
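The audit-trail point in Dan's quoted reply is easy to make concrete: with a deterministic CGN, the operator can recover the subscriber behind an external address:port from configuration alone, no per-connection log needed, and the same arithmetic shows how few candidate ports each subscriber actually has. The following is an added example, not code from the thread or from draft-donley-behave-deterministic-cgn; it models a simplified contiguous-block mapping, and the configuration values, class and function names are assumptions for illustration (the draft itself allows more allocation options).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CgnConfig:
    """Static CGN parameters (hypothetical values for illustration)."""
    inside_base: str            # first inside (subscriber) address
    inside_count: int           # size of the inside pool
    outside_base: str           # first outside (public) address
    outside_count: int          # size of the outside pool
    reserved_ports: int = 1024  # low ports never handed to subscribers

    @property
    def ratio(self) -> int:
        # compression ratio: inside addresses sharing one outside address
        return self.inside_count // self.outside_count

    @property
    def block_size(self) -> int:
        # contiguous ports each subscriber owns; leftover ports stay unused
        return (65536 - self.reserved_ports) // self.ratio


def forward_map(cfg: CgnConfig, inside_ip: str) -> Tuple[str, int, int]:
    """Subscriber address -> (outside address, first port, last port)."""
    idx = int(ipaddress.IPv4Address(inside_ip)) - int(ipaddress.IPv4Address(cfg.inside_base))
    if not 0 <= idx < cfg.inside_count:
        raise ValueError(f"{inside_ip} is not in the inside pool")
    outside = ipaddress.IPv4Address(cfg.outside_base) + idx // cfg.ratio
    first = cfg.reserved_ports + (idx % cfg.ratio) * cfg.block_size
    return str(outside), first, first + cfg.block_size - 1


def reverse_map(cfg: CgnConfig, outside_ip: str, port: int) -> Optional[str]:
    """Abuse report (outside address, port) -> subscriber address, from config alone.
    Returns None for ports the CGN never allocates (reserved or leftover)."""
    out_idx = int(ipaddress.IPv4Address(outside_ip)) - int(ipaddress.IPv4Address(cfg.outside_base))
    if not 0 <= out_idx < cfg.outside_count or port < cfg.reserved_ports:
        return None
    block = (port - cfg.reserved_ports) // cfg.block_size
    idx = out_idx * cfg.ratio + block
    if block >= cfg.ratio or idx >= cfg.inside_count:
        return None
    return str(ipaddress.IPv4Address(cfg.inside_base) + idx)


# Constructed example: 1024 subscribers behind 16 public addresses (ratio 64).
EXAMPLE_CFG = CgnConfig("100.64.0.0", 1024, "203.0.113.0", 16)

if __name__ == "__main__":
    out, lo, hi = forward_map(EXAMPLE_CFG, "100.64.0.130")
    print(f"100.64.0.130 -> {out} ports {lo}-{hi} ({EXAMPLE_CFG.block_size} candidates)")
    print("203.0.113.2:3500 belongs to", reverse_map(EXAMPLE_CFG, "203.0.113.2", 3500))
```

The block size printed here is the whole port space an outside observer has to consider for one subscriber, which is Dan's "relatively few ports"; the reverse lookup is what the audit requirement buys you once the configuration is versioned and timestamped.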
