nanog mailing list archives

RE: CGNAT Solutions


From: "Aaron Gould" <aaron1 () gvtc com>
Date: Wed, 29 Apr 2020 10:48:17 -0500

In testing, I observed that opening a website, for instance cnn.com, can cause >200 ports/sessions to fire off.  Although
many are short-lived sessions, they are port requests nonetheless.

Overall, I use about 1,500 public IPs for 50,000 private IP customers.

I allow 3,000 ports per customer ... 30 blocks of 100 each

We started our port blocks at a nice round number, so that each PBA dynamic assignment results in a nice 100-199, next
200-299, and so on ... good for parsing and grep'ing logs when doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, and what appear to be misbehaving hosts (malware,
infected, bots, etc., unsure) hit up at the 3,000 max and trigger a ports-exceeded error message.  I see the 3k port
limit as putting a cap on free-running suspicious hosts.  We can then investigate and contact the customer about the concern.

-Aaron

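As an added example (not from the thread, and not any vendor's CGNAT code): a small Python lookup over constructed PBA log lines in the style Aaron describes, 30 blocks of 100 ports per subscriber aligned to round numbers, showing how a public ip:port plus a timestamp maps back to a subscriber for a subpoena look-up, and how the 30-block cap picks out the hosts worth investigating. The log line layout, the ALLOC/FREE actions and the 100.64.x.x / 203.0.113.x addresses are assumptions.

```python
from datetime import datetime

BLOCK_SIZE = 100  # ports per block, as in the thread
MAX_BLOCKS = 30   # 30 blocks = the 3,000-port cap per subscriber, as in the thread

def _alloc(ts, priv, pub, start):  # constructed ALLOC line; the field layout is an assumption
    return f"{ts} ALLOC priv={priv} pub={pub} block={start}-{start + BLOCK_SIZE - 1}"

# Constructed PBA log: one ordinary subscriber, a block freed and reassigned to
# another subscriber, and one host that grabs all 30 blocks within half a minute.
SAMPLE_LOG = "\n".join(
    [_alloc("2020-04-29T10:00:00", "100.64.1.10", "203.0.113.5", 1000),
     _alloc("2020-04-29T10:00:05", "100.64.1.10", "203.0.113.5", 1100),
     "2020-04-29T10:05:00 FREE priv=100.64.1.10 pub=203.0.113.5 block=1000-1099",
     _alloc("2020-04-29T10:05:01", "100.64.3.30", "203.0.113.5", 1000)]
    + [_alloc(f"2020-04-29T10:10:{i:02d}", "100.64.2.20", "203.0.113.9", 2000 + BLOCK_SIZE * i)
       for i in range(MAX_BLOCKS)])

def parse(log):
    """Return (ts, action, priv, pub, block_start) tuples in time order."""
    events = []
    for line in log.splitlines():
        ts, action, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), action, f["priv"], f["pub"],
                       int(f["block"].split("-")[0])))
    return sorted(events, key=lambda e: e[0])

def lookup(events, pub, port, when):
    """Subscriber holding pub:port at ISO time `when`, replaying ALLOC/FREE up to then."""
    when, holder = datetime.fromisoformat(when), None
    start = port - port % BLOCK_SIZE  # round-number blocks: the owning block is one modulo
    for ts, action, priv, p, s in events:
        if ts > when:
            break
        if p == pub and s == start:  # a FREE clears the holder; a later ALLOC reassigns it
            holder = priv if action == "ALLOC" else None
    return holder

def at_cap(events, when):
    """Subscribers holding MAX_BLOCKS blocks at `when`: the 'ports exceeded' hosts to look at."""
    when, held = datetime.fromisoformat(when), {}
    for ts, action, priv, pub, s in events:
        if ts > when:
            break
        blocks = held.setdefault(priv, set())
        (blocks.add if action == "ALLOC" else blocks.discard)((pub, s))
    return sorted(p for p, b in held.items() if len(b) >= MAX_BLOCKS)
```

Because a freed block can be reassigned to another subscriber a second later, the lookup must replay the log up to the requested time rather than take the latest ALLOC for that block.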

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog () nanog org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
>
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.


I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required?

One would think 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IoT,
etc., maybe not?


-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
