Enhance CG-NAT Re: V6 still not supported
Abraham Y. Chen
aychen at avinta.com
Sun Apr 3 03:13:48 UTC 2022
Hi, Matt:
1) The challenge that you described can be resolved as one part of
the benefits from the EzIP proposal that I introduced to this mailing
list about one month ago. That discussion has gyrated into this thread
more concerned about IPv6 related topics, instead. If you missed that
introduction, please have a look at the following IETF draft to get a
feel of what could be done:
https://datatracker.ietf.org/doc/html/draft-chen-ati-adaptive-ipv4-address-space
2) With respect to the specific case you brought up, consider the EzIP
address pool (240/4 netblock with about 256M addresses) as the
replacement to that of CG-NAT (100.64/10 netblock with about 4M
addresses). This much bigger (2^6 times) pool enables every customer
premises to get a static IP address from the 240/4 pool to operate in
simple router mode, instead of requesting for a static port number and
still operates in NAT mode. Within each customer premises, the
conventional three private netblocks may be used to handle the hosts (IoTs).
3) There is a whitepaper that presents an overview of other
possibilities based on EzIP approach:
https://www.avinta.com/phoenix-1/home/RevampTheInternet.pdf
Hope the above makes sense to you.
Regards,
Abe (2022-04-02 23:10)
On 2022-04-02 16:25, Matthew Petach wrote:
>
>
> On Fri, Apr 1, 2022 at 6:37 AM Masataka Ohta
> <mohta at necom830.hpcl.titech.ac.jp> wrote:
>
>
> If you make the stateful NATs static, that is, each
> private address has a statically configured range of
> public port numbers, it is extremely easy because no
> logging is necessary for police grade audit trail
> opacity.
>
> Masataka Ohta
>
>
> Hi Masataka,
> One quick question. If every host is granted a range of public port
> numbers on the static stateful NAT device, what happens when
> two customers need access to the same port number?
>
> Because there's no way in a DNS NS entry to specify a
> port number, if I need to run a DNS server behind this
> static NAT, I *have* to be given port 53 in my range;
> there's no other way to make DNS work. This means
> that if I have two customers that each need to run a
> DNS server, I have to put them on separate static
> NAT boxes--because they can't both get access to
> port 53.
>
> This limits the effectiveness of a stateful static NAT
> box to the number of customers that need hard-wired
> port numbers to be mapped through; which, depending
> on your customer base, could end up being all of them,
> at which point you're back to square one, with every
> customer needing at least 1 IPv4 address dedicated
> to them on the NAT device.
>
> Either that, or you simply tell your customers "so sorry
> you didn't get on the Internet soon enough; you're all
> second class citizens that can't run your own servers;
> if you need to do that, you can go pay Amazon to host
> your server needs."
>
> And perhaps that's not as unreasonable as it first sounds;
> we may all start running IPv4-IPv6 application gateways
> on Amazon, so that IPv6-only networks can still interact
> with the IPv4-only internet, and Amazon will be the great
> glue that holds it all together.
>
> tl;dr -- "if only we'd thought of putting a port number field
> in the NS records in DNS back in 1983..."
>
> Matt
>
--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220402/75ee9212/attachment.html>
More information about the NANOG
mailing list