nanog mailing list archives
Re: CGN fixed/hashed nat question
From: William Herrin <bill () herrin us>
Date: Wed, 23 Jan 2013 18:05:52 -0500
On Wed, Jan 23, 2013 at 4:31 PM, Jean-Francois Mezei <jfmezei_nanog () vaxination ca> wrote:
> Generally speaking for CGN setups, how many end users are NATed to a single public IP address? In terms of traceability, there is a huge difference between loading 200k end users onto 1 public IP and putting say 5 end users per public IP. In the latter case, it becomes possible to assign a good range of ports to each of the 5 users on that IP address. In the former case, it isn't. An ISP who NATs 5 customers to each public IP address reduces fivefold the need for public IP addresses, which is still a major accomplishment.
If you'll entertain a guess, it'll shake out around 64:1.

If I were designing it (I'm not) it might look something like this:

A CIDR block of customer private IPs will map to a particular CGN box (e.g. 100.67.64.0/18, 16,000ish customers). That box will have roughly 6 bits fewer public IPs available for the translations (64:1 ratio, e.g. 203.0.113.0/24). Multiple such mappings allowed per CGN box.

The box will algorithmically allocate 256 ports to each interior IP, consuming about 1/4 of the exterior ports. All 256 are on the same exterior IP. No logging need be generated where customers need fewer than 256 translations at once, which is most people all the time and many of the rest most of the time.

The algorithm will exclude the .0 and .255 external addresses from use, mapping the respective internal IPs to the other externals.

The box will dynamically allocate port ranges in blocks of 256ish ports to the very active interior customers upon demand when no further translations are available in that customer's existing blocks. It will log once upon allocation of the port range and once again upon release of the range when no translations are active for a timeout period. When allocating dynamic port ranges it will try to match the algorithmically picked IP address if port blocks are available but will fail over to other IP addresses rather than refuse an outbound connection.

I note that any algorithmic assignment is going to come up weak on draft-ietf-behave-lsn-requirements's REQ-15, but that's a "should" anyway and I'm willing to risk it.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
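An added example (my own code, not Bill's or any CGN vendor's implementation) of the scheme sketched above: a deterministic 256-port block per interior address spread over the 254 usable exterior addresses, the reverse lookup an abuse desk can do without any per-flow log, and an on-demand pool that logs only block allocation and release and fails over to other exterior IPs. The 1024 base of the static port region and the in-memory log list are assumptions.

```python
import ipaddress

INTERIOR = ipaddress.ip_network("100.67.64.0/18")   # customer side (from the post)
EXTERIOR = ipaddress.ip_network("203.0.113.0/24")   # public side, 64:1 (from the post)
BLOCK = 256                                         # ports per block
STATIC_BASE = 1024                                  # assumption: keep well-known ports out
USABLE_EXT = list(EXTERIOR.hosts())                 # hosts() drops .0 and .255 of a /24
STATIC_BLOCKS = -(-INTERIOR.num_addresses // len(USABLE_EXT))   # ceil(16384 / 254) = 65
DYN_BASE = STATIC_BASE + STATIC_BLOCKS * BLOCK      # first port above the static region


def static_block(interior_ip):
    """Algorithmic mapping: interior IP -> (exterior IP, first port, last port). No log needed."""
    i = int(ipaddress.ip_address(interior_ip)) - int(INTERIOR.network_address)
    if not 0 <= i < INTERIOR.num_addresses:
        raise ValueError("not a customer address on this CGN box")
    ext = USABLE_EXT[i % len(USABLE_EXT)]           # never lands on .0 or .255
    base = STATIC_BASE + (i // len(USABLE_EXT)) * BLOCK
    return str(ext), base, base + BLOCK - 1


def lookup(exterior_ip, port):
    """Reverse the static mapping (the traceability question): exterior IP + port -> interior IP."""
    ext_idx = USABLE_EXT.index(ipaddress.ip_address(exterior_ip))
    i = (port - STATIC_BASE) // BLOCK * len(USABLE_EXT) + ext_idx
    if port < STATIC_BASE or i >= INTERIOR.num_addresses:
        return None                                 # dynamic region: consult the allocation log
    return str(INTERIOR.network_address + i)


class DynamicPool:
    """Extra blocks above the static region, handed out on demand; alloc/release are the only log events."""

    def __init__(self):
        self.free = {str(a): list(range(DYN_BASE, 65536, BLOCK)) for a in USABLE_EXT}
        self.log = []                               # assumption: (time, event, interior, ext, first, last)

    def allocate(self, interior_ip, now):
        preferred = static_block(interior_ip)[0]    # try the customer's algorithmic exterior IP first
        for ext in [preferred] + [a for a in self.free if a != preferred]:   # fail over, don't refuse
            if self.free[ext]:
                base = self.free[ext].pop(0)
                self.log.append((now, "alloc", interior_ip, ext, base, base + BLOCK - 1))
                return ext, base, base + BLOCK - 1
        return None                                 # every exterior IP exhausted

    def release(self, interior_ip, ext, base, now):
        """Called after the idle timeout when no translations remain in the block."""
        self.free[ext].append(base)
        self.log.append((now, "release", interior_ip, ext, base, base + BLOCK - 1))
```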