nanog mailing list archives
RE: NAT64 and matching identities
From: Don Bowman <don () sandvine com>
Date: Tue, 19 Nov 2013 16:48:29 +0000
From: Justin M. Streiner [mailto:streiner () cluebyfour org]
It's looking more and more like NAT64 will be in our future. One of the valid concerns for NAT64 - much like NAT44 - is being able to determine the identity of a given user through the NAT at a given point in time. How feasible this is depends on how robust/scalable $XYZ's translation logging capabilities are, and possibly how easily that data can be matched against a source of identify information, such as RADIUS accounting logs, DHCP lease logs, etc.
... snip ... We implemented a product around this. What we found in doing so was that a) you need to use port-block allocation to make it feasible (cannot do unbounded NATP where every flow gets its own port), That AAA works well when the NAT is a gateway device, and that Otherwise DHCP works ok, and syslog is the fallback. All devices Supported one of those three. We also found there was a need for IPV6 identification (e.g. some customers used DNS reverse lookup in ipv4 to find the ID of a user for e.g. single-sign-on type solutions, and this no longer worked in a NAT44/NAT64/IPv6 environment. We found there was a need for both real-time (e.g. query who is this right now, e.g. sign-on), and after the fact (who had this @ this time). The general purpose coordinates we called 'session qualifiers', and we found that sometimes it included VLAN or MPLS or other tunnels. Let me know if u want more info and I can follow up offline.
Current thread:
- NAT64 and matching identities Justin M. Streiner (Nov 18)
- Re: NAT64 and matching identities Tom Taylor (Nov 18)
- Re: NAT64 and matching identities Paul WALL (Nov 18)
- Re: NAT64 and matching identities Lee Howard (Nov 19)
- Re: NAT64 and matching identities Andrew Sullivan (Nov 19)
- Re: NAT64 and matching identities Fred Baker (fred) (Nov 19)
- RE: NAT64 and matching identities Don Bowman (Nov 19)
- RE: NAT64 and matching identities Ian Smith (Nov 19)
- RE: NAT64 and matching identities Justin M. Streiner (Nov 19)
- Re: NAT64 and matching identities Lee Howard (Nov 20)
- Re: NAT64 and matching identities Gary E. Miller (Nov 20)
- Re: NAT64 and matching identities Lee Howard (Nov 20)
- RE: NAT64 and matching identities Tony Hain (Nov 22)
- Re: NAT64 and matching identities Owen DeLong (Nov 22)
- Re: NAT64 and matching identities Valdis . Kletnieks (Nov 22)
- Re: NAT64 and matching identities joel jaeggli (Nov 22)
- Re: NAT64 and matching identities Owen DeLong (Nov 22)
- Re: NAT64 and matching identities Tom Taylor (Nov 18)