nanog mailing list archives
Re: NAT64 and matching identities
From: Lee Howard <Lee () asgard org>
Date: Tue, 19 Nov 2013 09:46:31 -0500
On 11/18/13 3:06 PM, "Justin M. Streiner" <streiner () cluebyfour org> wrote:

> It's looking more and more like NAT64 will be in our future. One of the valid concerns for NAT64 - much like NAT44 - is being able to determine the identity of a given user through the NAT at a given point in time.

Bulk port allocation. Your NAT logs then approximate your DHCP (or whatever) logs in size and scope. Unless you mean to use it to front a web service. Then just use x-forwarded-for, and make sure your logs and log parsers can handle it. Might want to write a correlation script.

> How feasible this is depends on how robust/scalable $XYZ's translation logging capabilities are, and possibly how easily that data can be matched against a source of identity information, such as RADIUS accounting logs, DHCP lease logs, etc.

Ask the vendors; it took them a while, but they all have techniques for reducing logs.

> Other IPv6 transition mechanisms appear to be no less thorny than NAT64 for a variety of reasons.

Yes; see RFC 7021. Once you've deployed it, an experience report at a NANOG meeting would be welcome.

Lee
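The correlation described in the message above, as an added example that is not part of the original thread: it maps a public IPv4 address, source port and timestamp back to the IPv6 subscriber using bulk port-block allocation records. The log format, field order and function names are assumptions, not any vendor's real output, and the sample log is constructed.

```python
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample log. Assumed format (not a real vendor format):
# time, event, inside IPv6, outside IPv4, allocated port block.
SAMPLE_LOG = """\
2013-11-19T09:00:00Z ALLOC 2001:db8:1::10 192.0.2.1 1024-2047
2013-11-19T09:05:00Z ALLOC 2001:db8:1::22 192.0.2.1 2048-3071
2013-11-19T10:30:00Z FREE 2001:db8:1::10 192.0.2.1 1024-2047
2013-11-19T10:31:00Z ALLOC 2001:db8:1::37 192.0.2.1 1024-2047
"""

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_blocks(log_text):
    """Turn ALLOC/FREE events into leases with a start and an end time."""
    leases, open_leases = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, inside, outside, ports = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        key = (ip_address(outside), lo, hi)
        if event == "ALLOC":
            if key in open_leases:  # FREE record was lost: close the old lease
                open_leases[key]["end"] = _ts(when)
            lease = {"inside": ip_address(inside), "outside": key[0],
                     "lo": lo, "hi": hi, "start": _ts(when), "end": None}
            open_leases[key] = lease
            leases.append(lease)
        elif event == "FREE" and key in open_leases:
            open_leases.pop(key)["end"] = _ts(when)
    return leases

def who_had(leases, outside, port, when):
    """Return the inside IPv6 address that held outside:port at `when`, or None."""
    outside, when = ip_address(outside), _ts(when)
    for lease in leases:
        if (lease["outside"] == outside and lease["lo"] <= port <= lease["hi"]
                and lease["start"] <= when
                and (lease["end"] is None or when < lease["end"])):
            return str(lease["inside"])
    return None

if __name__ == "__main__":
    leases = parse_blocks(SAMPLE_LOG)
    # Same public IP and port, different subscribers before and after the block was reassigned.
    print(who_had(leases, "192.0.2.1", 1500, "2013-11-19T09:45:00Z"))
    print(who_had(leases, "192.0.2.1", 1500, "2013-11-19T10:45:00Z"))
```

A lookup is only as good as the timestamp in the abuse report or server log: without the source port and a clock synchronized to the NAT's, a reassigned block points at the wrong subscriber.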