Carrier Grade NAT

We are looking for recommendations for a carrier grade nat solution. Who are
the leaders in this space? How do carrier grade NAT platforms integrate
with DHCP and DNS solutions? How do you keep track of copyright violations
in a CGNAT solution if multiple customers are sharing the same public IP
address?

Colton Conor <colton.conor@gmail.com> writes:

We are looking for recommendations for a carrier grade nat solution. Who are
the leaders in this space? How do carrier grade NAT platforms integrate
with DHCP and DNS solutions? How do you keep track of copyright violations
in a CGNAT solution if multiple customers are sharing the same public IP
address?

Right now I'm using A10 for NAT. I can't say enough good things about
these dudes.

But as far as DMCA takedowns are concerned, we're in the habit of
casually ignoring them unless they come through our custodian of
records.

That would be an excellent question for your SE. And I'm kind of
curious myself now.

-Daniel

You ask them to provide port numbers. If they can't, then you can't identify a single subscriber.

If law enforcement comes along without port numbers then you give them a list of subscribers behind that IP at the time. Use port block allocation and keep track of the blocks to reduce logging load.

I searched carrier grade NAT in google, and A10 came up a lot. I thought
they just had good SEO going on, but it seems they have a good product as
well! Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need
all 4 to handle carrier grade NAT on an access network right?

There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.

--Chris

See the various lawsuits against the NSA - the vast majority have been summarily
dismissed because the plaintiffs couldn't produce evidence their communications
had in fact been intercepted, and thus they didn't have standing to sue.

As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not.

Owen

Usually, unless the judge is being super generous, they'll provide a timestamp and a destination IP. That should be pretty unique unless they're looking for fraud against a large website or something. In the unlikely event that two people hit the same IP at the same time (window) they would probably just throw that information out as unusable for their case.

Usually the window they give is ~ 3-5 seconds so they're pretty specific.

Does the *other* provider in your area have a more liberal policy?

This assumes that your log server and theirs are synchronized to an accurate time source within 3-5 seconds (not necessarily a safe assumption in all cases). Further, in a CGN environment, it’s unlikely you would not have multiple customers using the same IP address even down to the single second.

Owen

None of the providers in my area are currently doing CGN to the best of my knowledge.

Owen

Not exactly what you probably want. But it's actually working for me:

http://ipv6netro.blogspot.de/2013/10/asamap-application-capability-in-wide.html
http://enog.jp/~masakazu/vyatta/map/

On 2014-07-29 13:19, Owen DeLong wrote:

Usually the window they give is ~ 3-5 seconds so they're pretty specific.

This assumes that your log server and theirs are synchronized to an accurate time source within 3-5 seconds

Not really, since usually port blocks are not immediately reallocated to a different user. There's some timeout involved. RFC 6888 recommends 120 seconds.

Simon

Relevant: http://comcast6.net/images/files/revolt.jpg

:wink:

- Jason

As an ISP customer, would you really accept not being supplied a globally unique address? Really? I would not.

My local DSL provider does CGN. I switched to cable, but because it
was faster, not because of the addressing. They would assign you a
global static IP just by calling up and asking for it. When I left, I
think they'd assigned 18 static addresses out of several thousand
customers.

Most consumer ISP customers don't run servers visible from outside, and
don't care about CGN. Really. It's not because they're stupid, it's
because it has no effect on their day to day usage.

R's,
John

PS: End to end, is that a subchannel of Redtube?

Hi Owen,

I wouldn't, but outside of the folks I know in this forum, few would
notice or care. So long as the ISP has an alternative available for
those who do care (such as an existing static IP request mechanism)
CGNs are low-risk from a customer-acceptance position.

Regards,
Bill Herrin

If your CGN logs destination IP, then you are tracking every site your
customer visits. Geoff posits that this is valuable information, but some
of the likeliest buyers aren't interested. You'll want to find some
buyers, because you'll need to defray the cost of your logging. Do some
back-of-the-envelope math on the storage required per user per day if you
log the 5-tuple.

The alternative is logging of address and source ports only, keeping logs
equivalent to your DHCP logs now.

I've also heard law enforcement say they're not necessarily keen to ask,
"Which of your customers accessed this web site at this time?" Sometimes
it's awkward. They're much more likely to say, "Who was using this
address (and source port) at this time?"

If they can't tell you the source port, you have two options:
1. Give them the names of all customers using that address at that time.
How many--10? 50? 100?
2. Tell them their subpoena is too broad, and you cannot respond.

I suggest you consult with counsel to determine your response.

Lee
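One way to model what the thread describes: port-block allocation logging with a subscriber lookup by address, port and time (the earlier "use port block allocation" reply and Lee's two options above), the RFC 6888 block-reuse timeout Simon mentions, and the back-of-envelope storage math. This is an added Python example, not code from anyone in the thread; the addresses, subscriber IDs, block sizes, clock-skew tolerance and per-record byte sizes are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

HOLD_DOWN = timedelta(seconds=120)  # RFC 6888 port-block reuse timeout cited in the thread
SLACK = timedelta(seconds=5)        # assumed clock skew tolerated between our logs and the requester's


def ts(hhmmss):
    """Helper: UTC timestamp on the constructed sample date (2014-07-29)."""
    h, m, s = map(int, hhmmss.split(":"))
    return datetime(2014, 7, 29, h, m, s, tzinfo=timezone.utc)


# Constructed port-block allocation log (not real data). One record per block handed
# to a subscriber: public IP, first port, last port, subscriber, start, end (None = still held).
LOG = [
    ("203.0.113.10", 1024, 2047, "sub-A", ts("13:00:00"), ts("13:10:00")),
    ("203.0.113.10", 2048, 3071, "sub-B", ts("13:02:00"), None),
    ("203.0.113.10", 3072, 4095, "sub-C", ts("13:05:00"), None),
    ("203.0.113.10", 1024, 2047, "sub-D", ts("13:12:30"), None),  # block reused after hold-down
]


def subscribers_for(log, ip, when, port=None):
    """Candidate subscribers behind `ip` at `when`; usually a single one if `port` is supplied."""
    hits = set()
    for pub_ip, lo, hi, sub, start, end in log:
        if pub_ip != ip or (port is not None and not lo <= port <= hi):
            continue
        if start - SLACK <= when and (end is None or when <= end + SLACK):
            hits.add(sub)
    return hits


def allocate(log, ip, lo, hi, sub, now):
    """Hand out a block only if it is free and has been released for at least HOLD_DOWN."""
    for pub_ip, blo, bhi, _, _, end in log:
        if pub_ip == ip and blo == lo and bhi == hi and (end is None or now - end < HOLD_DOWN):
            return False
    log.append((ip, lo, hi, sub, now, None))
    return True


def daily_log_bytes(flows_per_user, block_changes_per_user, tuple_record=64, block_record=48):
    """Per-user-per-day storage, 5-tuple logging vs port-block logging (record sizes assumed)."""
    return flows_per_user * tuple_record, block_changes_per_user * block_record
```

Without a port, a query for 203.0.113.10 at 13:05 returns three subscribers; with port 1500 it returns only sub-A, and the same port at 13:13 returns sub-D because the block was reassigned after the hold-down.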

Colton Conor <colton.conor@gmail.com> writes:

I searched carrier grade NAT in google, and A10 came up a lot. I thought they
just had good SEO going on, but it seems they have a good product as well!
Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need all 4 to
handle carrier grade NAT on an access network right?

They don't have an IPAM built in. IPAMs are usually a back office
thing. It's a deeply personal choice usually made by the very same
monkey in your organization responsible for managing IP allocations.

You can toss IP pool management (in your case, DHCP) at your A10s, but I
don't.

You can also do some interesting things with DNS on the boxes if you
have a software load that supports load balancing. But you don't need
that for NAT. Nor is it wise to put all your eggs into one magical
packet-routing basket.

-Daniel

And the rest have been thrown out because the plaintiffs couldn't produce
evidence that they'd been specifically harmed by having their communications
intercepted, probably because it hadn't been "collected" (under the NSA
definition of same).

- Matt

Then you'll no doubt be happy to know that you're very, very unlikely to
ever find out.

- Matt