nanog mailing list archives

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6


From: Owen DeLong <owen () delong com>
Date: Fri, 18 Jan 2013 08:24:39 -1000



Sent from my iPad

On Jan 18, 2013, at 8:06 AM, William Herrin <bill () herrin us> wrote:

> On Fri, Jan 18, 2013 at 12:20 PM, Lee Howard <Lee () asgard org> wrote:
>> On 1/17/13 6:21 PM, "William Herrin" <bill () herrin us> wrote:
>>> Then it's a firewall that mildly enhances protection by obstructing
>>> 90% of the port scanning attacks which happen against your computer.
>>> It's a free country so you're welcome to believe that the presence or
>>> absence of NAT has no impact on the probability of a given machine
>>> being compromised. Of course, you're also welcome to join the flat
>>> earth society. As for me, the causative relationship between the rise
>>> of the "DSL router" implementing negligible security except NAT and
>>> the fall of port scanning as a credible attack vector seems blatant
>>> enough.
>>
>> CGNs are not identical to home NAT functionality.
>
> Didn't say they were. What I said was that claiming NAT has no
> security impact was false on its face.

Even I have never claimed that. I think everyone pretty well understands
at this point just how injurious NAT is to actual security.

>> CGNs are most certainly not full cone NATs. Full cone NATs guarantee
>> that any traffic which arrives at the external address is mapped to
>> the internal address at the same port, functionality which requires a
>> 1:1 mapping between external addresses and active internal addresses.
>> Were they full-cone, with a 1:1 IP address mapping, CGNs would be
>> completely useless for the stated purpose of reducing consumption of
>> global addresses.
>
> I'm given to understand that they do try to restrict a given internal
> address to emitting packets on a particular range of ports on a
> particular external address but that's functionality on top of a
> restricted-port cone NAT, not a fundamentally different kind of NAT.

Actually, as I understand it, it's a hybrid. It's full cone (sort of) in
that any packet that arrives within the port range will be translated to
the corresponding internal address. It's restricted cone in that it's a
port range instead of all ports. I'm not sure how the interior device is
constrained to emitting only within the port range unless they are
customizing all of the CPE in order to support that.

>>> I assume that fewer than 1 in 10 eyeballs would find Internet service
>>> behind a NAT unsatisfactory. Eyeballs are the consumers of content,
>>> the modem, cable modem, residential DSL customers. Some few of them
>>> are running game servers, web servers, etc. but 9 in 10 are the email,
>>> vonage and netflix variety who are basically not impacted by NAT.
>>
>> Netflix seems to have some funny interactions with some gateways and CGN.
>> [nat444-impacts]
>
> Some NATs have serious bugs that aren't obvious until you try to stack them.

Which in itself is a pretty strong argument against CGN.

>> What about p2p?
>
> If it worked with CGNs there'd be a whole lot less than 1 in 10 folks
> needing to opt out.

So you are assuming <10% of the internet currently uses any p2p
technology? Interesting.

>> You're going with linear growth?  See nro.net/statistics.
>
> I'm guessing sublinear given the major backpressure from having to
> purchase or transfer IP addresses from other uses instead of getting
> fresh ones from a registry but the evidence isn't in yet so I'll
> conservatively estimate it at linear.

I don't think that backpressure really works against having new
subscribers or towards reducing churn in the market place where there is
competition. As such, I don't see how that would apply.

>>> Is it more like 1 in 5 customers would cough up
>>> an extra $5 rather than use a NAT address? The nearest comparable
>>> would be your ratio of dynamic to static IP assignments. Does your
>>> data support that being higher than 1 in 10? I'd bet the broad data
>>> sets don't.
>>
>> If an ISP is so close to running out of addresses that they need CGN,
>> let's say they have 1 year of addresses remaining.  Given how many ports
>> apps use, recommendations are running to 10:1 user:address (but I could
>> well imagine that increasing to 50:1).  That means that for every user you
>> NAT, you get 1/10 of an address.
>
> So at 10:1 you get 9/10ths of an address back from each of the 9 in 10
> eyeballs who converts to NAT. At a more likely ratio of 30:1 you get
> 29/30ths back. I'd have to rerun my numbers but that shaves something
> on the order of 1 year off my 37 year estimate.

Actually, at 10:1, you get back 10/11ths, not 9/10ths.

However, if CGN's limitations pick up some bad press in the early days,
that ratio may well convert to more like 1:10 where you get back 1/11th
instead of 10/11ths. This all remains to be seen. Remember, the public
will go much more with the emotional reaction to the first press accounts
than it will go with rational or well thought out technical argument.


Owen
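The "hybrid" CGN behaviour discussed above (a port block per subscriber, full-cone forwarding inside the block, new flows refused once the block is used up, and the subscribers-per-address ratio that follows from the block size) is easier to see in a small model than in prose. The following is an added illustration written for this archive page; it is not code from any poster in the thread, nor from any real CGN product. Everything about its design is an assumption: one external IPv4 address, a port range carved into fixed-size blocks, one block per subscriber, inbound packets forwarded to the block owner whenever the port has an active mapping (without checking the sender), and dropped otherwise. The addresses, ports and subscriber names are constructed sample input.

```python
"""Model of a port-block carrier-grade NAT (NAT444 style).

Added illustration for the thread above; not code from any NANOG poster or
from a real CGN. Assumed design (not stated on the page): one external IPv4
address whose port range is carved into fixed-size blocks, one block per
subscriber. Outbound flows get ports inside the owner's block. Inbound
packets to an active port are forwarded to that block's subscriber
regardless of source, so the NAT is endpoint-independent ("full cone")
inside the block; ports with no active mapping are dropped. A subscriber
whose block is full cannot open new flows, which is the per-user port
exhaustion that the thread's users:address ratios are about.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Subscriber:
    internal_ip: str
    block_start: int          # first external port owned by this subscriber
    block_size: int
    out_map: Dict[int, int] = field(default_factory=dict)  # internal port -> external port

    @property
    def block_end(self) -> int:  # exclusive
        return self.block_start + self.block_size


class PortBlockCGN:
    def __init__(self, external_ip: str, block_size: int = 1024,
                 first_port: int = 1024, last_port: int = 65535):
        self.external_ip = external_ip
        self.block_size = block_size
        self.first_port = first_port
        self.last_port = last_port
        self.subscribers: Dict[str, Subscriber] = {}
        self._next_block = first_port

    def capacity(self) -> int:
        """Subscribers one external address can hold at this block size."""
        return (self.last_port - self.first_port + 1) // self.block_size

    def assign(self, internal_ip: str) -> Optional[Subscriber]:
        """Hand a subscriber its port block; None once the address is full."""
        if internal_ip in self.subscribers:
            return self.subscribers[internal_ip]
        if self._next_block + self.block_size - 1 > self.last_port:
            return None
        sub = Subscriber(internal_ip, self._next_block, self.block_size)
        self._next_block += self.block_size
        self.subscribers[internal_ip] = sub
        return sub

    def translate_outbound(self, internal_ip: str, internal_port: int) -> Optional[Endpoint]:
        """Map an outbound flow onto (external_ip, port) inside the owner's block.

        Returns None for an unknown subscriber or when every port in the block
        is already in use (the per-subscriber exhaustion case).
        """
        sub = self.subscribers.get(internal_ip)
        if sub is None:
            return None
        if internal_port in sub.out_map:
            return self.external_ip, sub.out_map[internal_port]
        used = set(sub.out_map.values())
        for ext_port in range(sub.block_start, sub.block_end):
            if ext_port not in used:
                sub.out_map[internal_port] = ext_port
                return self.external_ip, ext_port
        return None  # block exhausted: the new flow is refused

    def translate_inbound(self, external_port: int) -> Optional[Endpoint]:
        """Forward a packet arriving at external_port to the block's owner.

        Endpoint-independent: the sender is not checked, only that the port
        lies in some subscriber's block and currently carries a mapping.
        """
        for sub in self.subscribers.values():
            if sub.block_start <= external_port < sub.block_end:
                for int_port, ext_port in sub.out_map.items():
                    if ext_port == external_port:
                        return sub.internal_ip, int_port
                return None  # inside a block but unmapped: dropped
        return None  # unowned port: dropped


def demo() -> dict:
    """Two subscribers share one address: mapping, cone behaviour, exhaustion."""
    # Tiny 8-port range with 4-port blocks so the whole state fits in one head.
    cgn = PortBlockCGN("203.0.113.10", block_size=4, first_port=1024, last_port=1031)
    a = cgn.assign("10.0.0.2")
    cgn.assign("10.0.0.3")
    out_a = cgn.translate_outbound("10.0.0.2", 50000)
    out_b = cgn.translate_outbound("10.0.0.3", 50000)  # same internal port, distinct external port
    back_a = cgn.translate_inbound(out_a[1])           # any sender reaches the mapped port
    dropped = cgn.translate_inbound(a.block_start + 3)  # in a's block, but unmapped
    for p in (50001, 50002, 50003):                     # use up a's remaining ports
        cgn.translate_outbound("10.0.0.2", p)
    exhausted = cgn.translate_outbound("10.0.0.2", 50004)
    third = cgn.assign("10.0.0.4")                      # address full after two blocks
    return {"out_a": out_a, "out_b": out_b, "back_a": back_a, "dropped": dropped,
            "exhausted": exhausted, "third": third, "capacity": cgn.capacity()}


if __name__ == "__main__":
    print(demo())
    print("subscribers per address at 1024-port blocks:",
          PortBlockCGN("198.51.100.1", block_size=1024).capacity())
```

Two things the model makes concrete: with real-sized 1024-port blocks one address holds 63 subscribers, so the 10:1 or 50:1 figures in the thread are really statements about how many concurrent ports a subscriber is allowed; and a host that opens more flows than its block has ports is simply refused, which is the failure mode that shows up first with many-connection applications such as p2p.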


