Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: David A Lundy <dlundy () PACIFIC EDU>
Date: Wed, 2 May 2007 09:50:30 -0700

On our campus we do a NAT, not PAT, so there is a one-to-one binding of
inside IP to outside IP address for the duration of the NAT.  That
binding remains for thirty minutes past the last IP traffic for that
NAT.  We find there usually, but not always, is a several hour period
before the outside address is reused.

Dave

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU] 
Sent: Wednesday, May 02, 2007 9:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Large edu's doing NAT campus wide?

How long do people set the time for NAT bindings?  Is that the same 
as the lease time?  I would have figured that it would be closer to a 
day than a minute.

At 04:45 PM 4/30/2007, John Ladwig wrote:
NAT also severely complicates interactions with Law Enforcement at
times.

LE: "I have a connection to Yahoo.com from your IP a.b.c.d at this 
time (measured in minutes, not seconds) - can you identify the user?"

IR: "That IP maps to several hundred hosts behind a NAT, with a 
30-second inactivity timeout on the NAT bindings.  Can you be more 
specific about source port information for our IP and timing down to 
sub-second, ideally?"

LE:  "...."

Fortunately, so far we haven't had any life- and safety-related 
queries from LE that went down this path.

    -jml

"Scott O. Bradner" <sob () HARVARD EDU> 2007-04-28 20:10:31 >>>
Is anyone aware of a study of large edu's who are doing NAT
campus wide?

makes answering DMCA complaints quick :-)

Scott
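
The attribution question raised in this thread, as an added example that is not from any of the posters: given a translation log, which inside hosts could have held an outside address during the reported time window? The log layout, addresses and timestamps are constructed; the 30-minute and 30-second timeouts are the ones mentioned in the messages above.

```python
from datetime import datetime, timedelta

def t(s):
    """Parse a constructed timestamp on the sample day."""
    return datetime.strptime("2007-05-02 " + s, "%Y-%m-%d %H:%M:%S.%f")

HOLD_NAT = timedelta(minutes=30)   # one-to-one NAT: binding kept 30 min past last traffic
HOLD_PAT = timedelta(seconds=30)   # PAT: 30-second inactivity timeout

# Constructed logs: (inside_ip, outside_ip, outside_port, first_packet, last_packet).
# outside_port is None for one-to-one NAT, where the whole outside address is bound.
ONE_TO_ONE = [
    ("10.1.1.5", "192.0.2.10", None, t("08:00:00.0"), t("09:10:00.0")),
    ("10.1.2.9", "192.0.2.10", None, t("13:00:00.0"), t("13:20:00.0")),
]
PAT = [
    ("10.2.0.11", "192.0.2.20", 40001, t("09:05:02.1"), t("09:05:09.4")),
    ("10.2.0.37", "192.0.2.20", 40002, t("09:05:10.0"), t("09:05:40.2")),
    ("10.2.0.52", "192.0.2.20", 40001, t("09:05:45.0"), t("09:05:58.7")),  # port reused
]

def candidates(log, outside_ip, start, end, hold, port=None):
    """Inside hosts whose binding could cover any instant in [start, end].

    A binding is treated as live from its first packet until `hold` after
    its last packet, which is the conservative reading of the log.
    """
    hits = set()
    for inside, outside, oport, first, last in log:
        if outside != outside_ip:
            continue
        if port is not None and oport is not None and oport != port:
            continue
        if first <= end and start <= last + hold:
            hits.add(inside)
    return sorted(hits)

if __name__ == "__main__":
    minute = (t("09:05:00.0"), t("09:05:59.9"))
    # One-to-one NAT: a minute-granularity report still resolves to one host.
    print(candidates(ONE_TO_ONE, "192.0.2.10", *minute, HOLD_NAT))
    # PAT: the same report matches every host that shared the address that minute.
    print(candidates(PAT, "192.0.2.20", *minute, HOLD_PAT))
    # Source port alone is not enough when the port was reused within the minute.
    print(candidates(PAT, "192.0.2.20", *minute, HOLD_PAT, port=40001))
    # Port plus a sub-second timestamp narrows it to one binding.
    instant = t("09:05:47.3")
    print(candidates(PAT, "192.0.2.20", instant, instant, HOLD_PAT, port=40001))
```
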
