nanog mailing list archives

Re: SlashDot: "Comcast Gunning for NAT Users"


From: Jared Mauch <jared () puck Nether net>
Date: Thu, 31 Jan 2002 17:02:40 -0500


        how to identify non-host based devices:

        1) check out mac-address ranges
        2) count flows/ip to determine if this
pattern appears to be legit.  (this in theory could also be done
to prevent file sharing systems that keep a large number of
peer-to-peer connections)
        3) port/ip based filtering

        I suspect that for the people who went out and
bought the linksys/other routers that want to link up their
two home computers you will see a few that just say "hey, it's just
another $5/mo and i don't have to worry about this device i got
at frys/best buy/compusa/whatnot that i don't really understand".

        there's [almost always] a way to beat any system.  I think
they are just trying to reduce the support costs of people with
these devices at a time when they are getting bad PR (at least here in
MI) about the switchover from @home-> comcast.

        the uninitiated will blame comcast when it's their
router/nat/whatnot unit.

        - jared
        
On Thu, Jan 31, 2002 at 04:44:59PM -0500, David Charlap wrote:

Keith Woodworth wrote:

From a technical standpoint how does one detect NAT users over the
network?

You can't deterministically do so, but there are some telltale signs. 
NAT implementations (at least the ones I've seen) tend to choose very
large port numbers (above 30,000) for the ports that they generate.

Of course, this can happen without NAT.  And it is possible to write NAT
stacks that choose low-numbered ports (it's trivially easy to make this
change in the Linux IPMASQ code, for instance.)

Anybody who tries to detect NAT through these kinds of heuristic methods
will end up with a lot of false positives and false negatives.  And if
it becomes a problem, the NAT implementors will simply alter their code
to make it impossible to distinguish from a single host's traffic.

-- David

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
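The three heuristics from Jared's list, run over a handful of flow records, as an added Python example that is not part of the thread. The flow records, the router OUI list and the thresholds are constructed placeholders; the 10.0.0.5 host shows David's false-positive case (one PC with a peer-to-peer client trips both the flow-count and high-port checks), while 10.0.0.7 is a NAT box that only the MAC check catches.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread), one per connection,
# as a headend flow collector might export them.
# Fields: customer IP, customer MAC, source port, destination IP, dest port.
FLOWS = [
    # 10.0.0.5: a single PC running a peer-to-peer client: many flows, high ports
    *[("10.0.0.5", "00:11:22:33:44:55", 31000 + i, f"198.51.100.{i}", 6346)
      for i in range(40)],
    # 10.0.0.7: consumer router (placeholder OUI) whose NAT picks low ports, few flows
    ("10.0.0.7", "00:AA:BB:01:02:03", 1025, "203.0.113.10", 80),
    ("10.0.0.7", "00:AA:BB:01:02:03", 1026, "203.0.113.11", 443),
    # 10.0.0.9: ordinary PC doing light browsing
    ("10.0.0.9", "00:11:22:66:77:88", 1030, "203.0.113.12", 80),
]

ROUTER_OUIS = {"00:AA:BB"}  # placeholder OUI list for consumer NAT boxes (constructed)
FLOW_THRESHOLD = 25         # flows per IP before heuristic 2 fires (assumed value)
HIGH_PORT = 30000           # the ephemeral-port floor David observed on NAT boxes
HIGH_PORT_RATIO = 0.8       # share of flows above HIGH_PORT before heuristic 3 fires (assumed)


def nat_signals(flows):
    """Return {ip: set of heuristic names that fired} for the three heuristics."""
    per_ip = defaultdict(list)
    for ip, mac, sport, _dst, _dport in flows:
        per_ip[ip].append((mac, sport))
    result = {}
    for ip, recs in per_ip.items():
        fired = set()
        # 1) MAC OUI belongs to a known consumer router vendor
        if any(mac.upper()[:8] in ROUTER_OUIS for mac, _ in recs):
            fired.add("mac-oui")
        # 2) too many concurrent flows for what looks like one host
        if len(recs) > FLOW_THRESHOLD:
            fired.add("flow-count")
        # 3) nearly all source ports sit in the high range NATs tend to pick
        high = sum(1 for _, sport in recs if sport > HIGH_PORT)
        if high / len(recs) >= HIGH_PORT_RATIO:
            fired.add("high-ports")
        result[ip] = fired
    return result


if __name__ == "__main__":
    for ip, fired in sorted(nat_signals(FLOWS).items()):
        print(ip, sorted(fired) or "no signal")
```

Each heuristic is only a hint: the single PC trips two of them and the low-port NAT trips none but the MAC check, which a customer can defeat by cloning a NIC's address.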

