nanog mailing list archives

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6


From: Lee Howard <Lee () asgard org>
Date: Fri, 18 Jan 2013 12:20:19 -0500



On 1/17/13 6:21 PM, "William Herrin" <bill () herrin us> wrote:

On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard <Lee () asgard org> wrote:
On 1/17/13 9:54 AM, "William Herrin" <bill () herrin us> wrote:
On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives () gmail com> wrote:
The people on this list have an influence on how the Internet runs; hope
somebody smart can figure out how we can avoid going there, because that
is frustrating and unfun.

"Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it."

I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
work a little, you have to enable full-cone NAT, which means as long as
you're connected to anything on IPv4, anyone can reach you (and for a
timeout period after that).  And most CGN wireline deployments will have
some kind of bulk port assignment, so the same ports always go to the same
users.  NAT != security, and if you try to make it, you will lose more
customers than I predicted.

Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the "DSL router" implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant
enough.

CGNs are not identical to home NAT functionality.  Home NATs are
frequently restricted cone NATs, which is why UPnP or manual
port-forwarding is required.  CGNs for residential deployments are full
cone NATs, so that these problematic applications are less problematic.
See http://en.wikipedia.org/wiki/Network_address_translation  and
draft-donley-nat444-impacts.
It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

I doubt that very much, and look forward to your analysis supporting that
statement.

If you have the data I'll be happy to crunch it but I'm afraid I'll
have to leave the data collection to someone who is paid to do that
very exhaustive work.

I don't have any data that might support your assertion, which is why I'm
calling you on it.


Nevertheless, I'll be happy to document my assumptions and show you
where they lead.

I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
vonage and netflix variety who are basically not impacted by NAT.


Netflix seems to have some funny interactions with some gateways and CGN.
[nat444-impacts]
What about p2p?



I assume that 75% or more of the IPv4 addresses which are employed in
any use (not sitting idle) are employed by eyeball customers. Verizon
Wireless has - remind me - how many /8's compared to, say, Google?

The same number: 0.
I don't know how many addresses VZW has, but I could look it up in Whois
if I knew the orgID.
How'd you get 75%?


If you count from the explosion of interest in the Internet in 1995 to
now, it took 18 years to consume all the IPv4 addresses. Call it
consumption of 1/18th of the address space per year.

You're going with linear growth?  See nro.net/statistics.


Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

If an ISP is so close to running out of addresses that they need CGN,
let's say they have 1 year of addresses remaining.  Given how many ports
apps use, recommendations are running to 10:1 user:address (but I could
well imagine that increasing to 50:1).  That means that for every user you
NAT, you get 1/10 of an address.
Example:  A 10,000-user ISP is growing at 10% annually.  They have 1,000
addresses left, so they implement CGN.  You say to assume 90% of them
can be NATted, so next year, 100 get a unique IPv4 address, the other 900
share 90 addresses.  At 190 addresses per year, CGN bought you five years.

I think your 90% is high.  If it's 70%, you burn 370 per year.
That doesn't include the increased support costs, or alienated
customer cancellations, or any of the stuff I talked about in TCO of CGN.

Lee
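The full-cone versus restricted-cone distinction Lee draws above, and his point about bulk port assignment, as an added example that is not part of the original thread and is not code from PlusNet, any CGN vendor or any participant. It is a toy model using the RFC 3489 cone terminology the thread uses (RFC 4787 calls the same behaviours endpoint-independent mapping with endpoint-independent or address-and-port-dependent filtering). The class names, the public address 192.0.2.1, the subscriber, content-server and scanner endpoints, and the 1000-port block size are all constructed for the example. It shows that once a subscriber behind a full-cone NAT has opened one outbound flow, an unrelated third party can reach the inside host through that mapping, while a port-restricted cone drops the same probe; and that a deterministic per-subscriber port block lets an outside observer attribute a public port to a subscriber.

```python
"""Toy model of the NAT behaviours argued over in the thread above.

Constructed example added by the editor; not code from PlusNet, any CGN
vendor or anyone in the thread.  Models "full cone" and "port-restricted
cone" filtering (RFC 3489 terms) plus a deterministic per-subscriber
port block, and shows which unsolicited inbound packets each type passes
once the subscriber has opened a single outbound flow.  All addresses
are documentation/private ranges chosen for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


@dataclass
class Mapping:
    internal: tuple                          # inside (ip, port)
    external: tuple                          # translated (public_ip, port)
    peers: set = field(default_factory=set)  # destinations the inside host sent to


class ConeNat:
    """Minimal endpoint-independent-mapping NAT with selectable filtering."""

    MODES = ("full", "port-restricted")

    def __init__(self, public_ip, mode, first_port=1024, block_size=1000):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.public_ip = public_ip
        self.mode = mode
        self.first_port = first_port
        self.block_size = block_size   # bulk port allocation per subscriber (assumed)
        self.subscriber_index = {}     # inside ip -> block index, in order first seen
        self.by_internal = {}          # inside (ip, port) -> Mapping
        self.by_external = {}          # public port -> Mapping

    def port_block(self, inside_ip):
        """Deterministic bulk block: the same subscriber always gets the same range."""
        idx = self.subscriber_index.setdefault(inside_ip, len(self.subscriber_index))
        base = self.first_port + idx * self.block_size
        return base, base + self.block_size - 1

    def outbound(self, pkt):
        """Inside -> outside: create or reuse the mapping and record the peer."""
        m = self.by_internal.get(pkt.src)
        if m is None:
            lo, hi = self.port_block(pkt.src[0])
            ext_port = next(p for p in range(lo, hi + 1) if p not in self.by_external)
            m = Mapping(pkt.src, (self.public_ip, ext_port))
            self.by_internal[pkt.src] = m
            self.by_external[ext_port] = m
        m.peers.add(pkt.dst)
        return Packet(m.external, pkt.dst)

    def inbound(self, pkt):
        """Outside -> inside: translate if the filtering rule allows, else drop (None)."""
        if pkt.dst[0] != self.public_ip:
            return None
        m = self.by_external.get(pkt.dst[1])
        if m is None:
            return None                   # no live mapping: nothing to reach
        if self.mode == "full":
            allowed = True                # any outside host may use the mapping
        else:                             # port-restricted cone
            allowed = pkt.src in m.peers  # only an (ip, port) already sent to
        return Packet(pkt.src, m.internal) if allowed else None


# Constructed endpoints for the demonstration.
SUBSCRIBER = ("10.0.0.5", 40000)        # host behind the CGN
CONTENT_SERVER = ("203.0.113.10", 443)  # what the subscriber talked to
SCANNER = ("198.51.100.7", 55555)       # unrelated third party probing the CGN


def unsolicited_reachability(mode):
    """True if a third party reaches the subscriber via a mapping it did not create."""
    nat = ConeNat("192.0.2.1", mode)
    nat.outbound(Packet(SUBSCRIBER, CONTENT_SERVER))
    mapped = nat.by_internal[SUBSCRIBER].external
    return nat.inbound(Packet(SCANNER, mapped)) is not None


def subscriber_for_port(nat, port):
    """What bulk port assignment leaks: which inside ip a public port belongs to."""
    for ip in list(nat.subscriber_index):
        lo, hi = nat.port_block(ip)
        if lo <= port <= hi:
            return ip
    return None


if __name__ == "__main__":
    for mode in ConeNat.MODES:
        print(f"{mode:16s} third party reaches subscriber: {unsolicited_reachability(mode)}")
```

The model deliberately omits mapping timeouts; the thread's "timeout period after that" would be a lifetime on each Mapping, after which `inbound` should return None. It also does not model NAT hairpinning or ALGs, which real CGNs add on top of the filtering behaviour shown here.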