SlashDot: "Comcast Gunning for NAT Users"

I got this forwarded to me. I'm not impressed.

Based upon the general desire for providers to have NAT'ed users and to reduce IP-space usage where appropriate, does this make sense? I can understand the providers' desire to increase revenue, but I don't believe this is a good way to do it.

Besides the technical difficulties of detecting a household that is running a NAT'ed router, why not win over the customer with a low-cost extra IP address vs. the customer's one-time hardware cost for the router? There are people who would be willing to pay some amount monthly vs. (let's say) $100 for a NAT box.

Does anyone know what percentage of home broadband users run NAT? Does anyone have stats for IP-addresses saved by using NAT?

Martin

------ Forwarded Message

Slashdot, the tabloid of the tech world. I believe if you read through all
the comments no one ever came up with any proof of this and reading
through Comcast's AUP doesn't reveal this policy either. I think it was
largely trollbait.

andy

Andy Walden <andy@tigerteam.net> writes:

... reading through Comcast's AUP doesn't reveal this policy
either. I think it was largely trollbait.

Could be. But AT&T Broadband out here just resent its terms of service
with the monthly bill, and stated that it's strictly prohibited to
attach more than one device to the cable service. They reminded
their customers that a second IP address is available for an extra
$5/month.

I suppose one could get lawyerly and argue that you *are* attaching
a single device -- the NAT box -- to their network; other devices
are merely attached to the NAT box. But I don't think that was their
intent.

Whether this pricing model is enforceable aside, it is also in direct
conflict with the projection that some day soon, the refrigerator, the
hot tub, the stove, the stereo, the room thermostat, the garage door
opener, etc. will all be IP-addressable. I'll be damned if I'll spend
an extra $5/month for my refrigerator to surf the web, and I'll bet I'm
not alone :-).

Jim Shankland

Without rehashing the Slashdot discussion, no, I really don't think you
are, and with the large market for home networking and steps people
are taking toward security with NAT routers and personal firewalls, I
think it would be an uphill battle to enforce a policy such as this. I
guess we will see how it shakes out.

andy

Which do you resemble more? Dilbert, or his pointy-haired boss?

Which does the person who made this business decision resemble more?

Yes, it sounds like a dumb idea, if it's true (which I haven't seen supported
yet).

Hmm. I doubt Comcast is actually doing this - they are far too busy actually
trying to build a network, out of the ashes of the @home debacle. However,
even if they were, there isn't really anything wrong with it. We scratch our
heads, collectively, when a large broadband provider goes chapter 11, but
then oppose a pricing model that might be profitable. Now, if a provider was
refusing to provide extra IPs, then I could see the problem. However, if a
provider is willing to provide extra IPs for something reasonable like
$5/month, more power to them. There are several good reasons why they might
want to ban NAT:

1 - When you come to the stadium, you can't bring in your own hot-dogs. It's
the same sort of thing - the hot dogs are subsidizing the ticket price. In
this case, extra fees for things like IP addresses and extra email boxes,
are the concession items.

2 - Support issues - supporting a largely clue-challenged user base, is hard
enough without people slapping linksys routers in, then expecting the ISP
to, de facto, provide support. Anyone remember when the only supported router
for UUNet ISDN lines was the Pipeline 50? This was to (in theory) enable
supportability.

3 - NAT is wonderful, but we aren't running out of IP addresses that
quickly, and NAT will break some applications. Large scale NAT is probably
not the solution to future IP address exhaustion problems. Providers who do
this are not being bad guys, because extra IP addresses cost less than the
costs of supporting NAT boxes. If folks don't like this, they can become
involved with ARIN and propose some bizarre price-support scheme for IP
addresses, to encourage NAT, I suppose.

4 - This is, of course, an unenforceable policy (which is why I suspect it
does not exist). However, it is very reasonable for a provider to refuse to
support a customer with a NAT box, if the customer is buying a single user
service.

One usage policy I would support: never again seeing the word "slashdot" in
the subject line of a NANOG email :)

- Daniel Golding

2 comments

1) when your primary machine is an XP/2K box running ICS, is that illegal also? Are we to expect comcast to come knocking at the door wanting to inspect the configuration of our PCs to see if it has 2 NICs, or a wireless card in it? Are we supposed to willingly just open up our PCs so comcast can look inside?

2) I heard recently of people openly sharing their broadband connection using 802.11 access points, Airports etc. among friends, neighbors, coworkers. I can see where your DSL or cable company would be a little more concerned about losing revenue like this, over just 2 or 3 PCs sharing at one domestic location.

jm

> Besides the technical difficulties of detecting a household that is
> running a NAT...

Can you think of a way of doing it reliably? Anything that provides
anything more than a guess?

                                -Bill

You could look for systems that seem to have some level of security, and assume they must have a router with filtering fronting them. :)

jerry

> Hmm. I doubt Comcast is actually doing this - they are far too busy actually
> trying to build a network, out of the ashes of the @home debacle. However,
> even if they were, there isn't really anything wrong with it. We scratch our
> heads, collectively, when a large broadband provider goes chapter 11, but
> then oppose a pricing model that might be profitable. Now, if a provider was
> refusing to provide extra IPs, then I could see the problem. However, if a
> provider is willing to provide extra IPs for something reasonable like
> $5/month, more power to them. There are several good reasons why they might
> want to ban NAT:
>
> 1 - When you come to the stadium, you can't bring in your own hot-dogs. It's
> the same sort of thing - the hot dogs are subsidizing the ticket price. In
> this case, extra fees for things like IP addresses and extra email boxes,
> are the concession items.
>
> 2 - Support issues - supporting a largely clue-challenged user base, is hard
> enough without people slapping linksys routers in, then expecting the ISP
> to, de facto, provide support. Anyone remember when the only supported router
> for UUNet ISDN lines was the Pipeline 50? This was to (in theory) enable
> supportability.

Especially considering the clue-challenged support departments at Cable ISPs, this is a legitimate problem.

Newer Linksys and similar routers can spoof the MAC address of the PC that's behind them as a way to avoid having to tell the cable company about the new "computer." Connected backwards, the Linksys routers appear to merrily spoof the default gateway off the segment (i.e. most likely the first MAC address the box hears) and create lots of support headaches.

> 3 - NAT is wonderful, but we aren't running out of IP addresses that
> quickly, and NAT will break some applications. Large scale NAT is probably
> not the solution to future IP address exhaustion problems. Providers who do
> this are not being bad guys, because extra IP addresses cost less than the
> costs of supporting NAT boxes. If folks don't like this, they can become
> involved with ARIN and propose some bizarre price-support scheme for IP
> addresses, to encourage NAT, I suppose.

Well, NAT saves the cable company from having to route subnets. ATT Broadband in Massachusetts is now offering "business" service. Reading the fine print, they provide a NAT router, and say you can have up to 253 users behind it. Of course any apps that wouldn't work with NAT will not work.

As such, clearly they DO support and/or allow such use of routers. Actually, they've been doing this for a long time. They supply cable service to many schools in the area, and those are all supported using NAT boxes.

> 4 - This is, of course, an unenforceable policy (which is why I suspect it
> does not exist). However, it is very reasonable for a provider to refuse to
> support a customer with a NAT box, if the customer is buying a single user
> service.

Support is one thing. Trying to detect the presence is another entirely. Wasting time, effort and money trying to track down users who're using "cable routers" is looney.

www.freenetworks.org

The movement is quite large, and the implications of its continued growth
are interesting. Perhaps this is the ultimate target?

Community-owned networks are mildly free-riding for the time being.
New DOCSIS specs give finer control on bandwidth usage which is more
important than IP addresses.

Comcast "hunting" NAT users - sounds like strong language, but I think the
SlashDot reference has been pummeled enough. No residential SP
should be burning support $$ for residential NAT, so a "public" policy of
either charging for it or not supporting it sounds like good business to me.

It's not very enforceable, so I'd be very surprised to see much money
spent on this witch hunt.

Marc (new to list)

How about sniffing the packets going into the Carnivore box? Maybe there's no Carnivore box and the ISPs are providing the Feds with the data from their own logs. Now put a price tag on the cost of doing that and wince. Now find a cost-recovery option for acquiring that data in the first place (like $5 per month per machine using NAT).

Best Regards,

Simon

Hmm, isn't this the same industry that charged us additional fees for each television in a house that was hooked up to the CableTV service? Why oh why is anyone surprised by this tactic? Especially from a monopoly.

Let's face it, if the company wants to offer a service, they have the option to specify the terms of the service. If they say the residential cable access product is for one computer - that's the service. If they require a purchase of additional IP addresses to allow the user additional IP addresses - that's the service. If they want to offer a business class service with as many IP addresses as justifiable using ARIN guidelines - that's the service.

You don't like it, don't buy it. They are under no obligation to give you what you want, although it usually does help sales.

Greg U

At least one provider has a fully staffed full time "anti-nat" division
now. But will they burn more cash in the nat witch-hunt than they save?

I also wonder about false positives. Watch the lawsuits fly as they
mistakenly cutoff non-nat customers.

-Dan

From a technical standpoint how does one detect NAT users over the
network?

Keith

Keith Woodworth wrote:

From a technical standpoint how does one detect NAT users over the
network?

You can't deterministically do so, but there are some telltale signs.
NAT implementations (at least the ones I've seen) tend to choose very
large port numbers (above 30,000) for the ports that they generate.

Of course, this can happen without NAT. And it is possible to write NAT
stacks that choose low-numbered ports (it's trivially easy to make this
change in the Linux IPMASQ code, for instance.)

Anybody who tries to detect NAT through these kinds of heuristic methods
will end up with a lot of false positives and false negatives. And if
it becomes a problem, the NAT implementors will simply alter their code
to make it impossible to distinguish from a single host's traffic.

-- David

Keith Woodworth wrote:

>+On Thu, 31 Jan 2002, Marc Pierrat wrote:
>+> It's not very enforceable, so I'd be very surprised to see much money
>+> spent on this witch hunt.
>+
>+At least one provider has a fully staffed full time "anti-nat" division
>+now. But will they burn more cash in the nat witch-hunt than they save?
>+
>+I also wonder about false positives. Watch the lawsuits fly as they
>+mistakenly cutoff non-nat customers.

From a technical standpoint how does one detect NAT users over the
network?

Informants wherever Linksys routers are sold.

+
+Keith Woodworth wrote:
+>
+> From a technical standpoint how does one detect NAT users over the
+> network?
+
+You can't deterministically do so, but there are some telltale signs.
+NAT implementations (at least the ones I've seen) tend to choose very
+large port numbers (above 30,000) for the ports that they generate.

That was my understanding.

+Anybody who tries to detect NAT through these kinds of heuristic methods
+will end up with a lot of false positives and false negatives. And if
+it becomes a problem, the NAT implementors will simply alter their code
+to make it impossible to distinguish from a single host's traffic.

That's sort of what I thought. I've looked at some tcpdumps that are coming
from a FreeBSD machine doing NAT a while ago to see what was in the
packets exactly and I could not see how you could tell that box was doing
NAT really. But I'm not completely proficient in deciphering packets so I
may have missed something along the way.

Keith

how to identify non-host based devices:

  1) check out mac-address ranges
  2) count flows/ip to determine if this pattern appears to be legit.
     (this in theory could also be done to prevent file sharing systems
     that keep a large number of peer-to-peer connections)
  3) port/ip based filtering

  I suspect that for the people who went out and
bought the linksys/other routers that want to link up their
two home computers you will see a few that just say "hey, it's just
another $5/mo and i don't have to worry about this device i got
at frys/best buy/compusa/whatnot that i don't really understand".

  there's [almost always] a way to beat any system. I think
they are just trying to reduce the support costs of people with
these devices at a time when they are getting bad PR (at least here in
MI) about the switchover from @home-> comcast.

  the uninitiated will blame comcast when it's their
router/nat/whatnot unit.

  - jared
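The thread names three signals for spotting a NAT box from the provider side (David's "ports above 30,000" observation, and Jared's MAC-address ranges and flows-per-IP counts) and warns that they only ever yield a guess. The script below is an added illustration, not code from the thread or from any provider's "anti-NAT" tooling: it scores those three heuristics over constructed flow records for four customer IPs, and the sample data is built so that one single-host customer running a peer-to-peer client is flagged (false positive) while a NAT box with a cloned MAC and a low-port stack is not (false negative). The OUI table, the thresholds, the MAC and IP values are all assumptions chosen for the example.

```python
"""Heuristic NAT detection over flow records, one customer IP at a time.

Added illustration, not code from the thread. It scores the three signals
named in the discussion (router-vendor MAC OUI, source ports above 30,000,
many concurrent flows per IP) and then shows, on constructed data, a false
positive and a false negative that the same signals produce.
"""

# Assumed placeholder OUIs standing in for consumer NAT-router vendors.
# A real check would load the IEEE OUI registry; do not rely on these values.
ROUTER_OUIS = {"00:06:25", "00:0c:41"}

HIGH_PORT = 30000           # the thread's "above 30,000" observation
HIGH_PORT_FRACTION = 0.8    # share of flows with a source port above HIGH_PORT
FLOW_THRESHOLD = 40         # flows per IP treated as "too many for one host"


def oui(mac):
    """First three octets of a MAC address, lower-cased, e.g. '00:06:25'."""
    return mac.lower()[:8]


def score_customer(flows):
    """Score one customer's flows. Each flow: {'mac', 'sport', 'dst', 'dport'}.

    Returns (score, reasons); each heuristic that fires adds one point.
    """
    reasons = []
    if {oui(f["mac"]) for f in flows} & ROUTER_OUIS:
        reasons.append("MAC OUI belongs to a router vendor")
    high = sum(1 for f in flows if f["sport"] > HIGH_PORT)
    if flows and high / len(flows) >= HIGH_PORT_FRACTION:
        reasons.append("%d of %d flows use source ports above %d"
                       % (high, len(flows), HIGH_PORT))
    if len(flows) >= FLOW_THRESHOLD:
        reasons.append("%d concurrent flows" % len(flows))
    return len(reasons), reasons


def suspects(flows_by_ip, min_score=2):
    """Customer IPs whose score reaches min_score, in address order."""
    return sorted(ip for ip, fl in flows_by_ip.items()
                  if score_customer(fl)[0] >= min_score)


def make_flows(mac, first_port, count):
    """Constructed flows: sequential source ports, one destination per flow."""
    return [{"mac": mac, "sport": first_port + i,
             "dst": "198.51.100.%d" % (i % 254 + 1), "dport": 80}
            for i in range(count)]


# Constructed sample traffic for four customer IPs (documentation ranges).
SAMPLE = {
    # one PC, low-numbered ephemeral ports, a dozen connections: nothing fires
    "192.0.2.10": make_flows("00:e0:81:aa:bb:cc", 1025, 12),
    # consumer router OUI, high ports, many hosts behind it: all three fire
    "192.0.2.11": make_flows("00:06:25:01:02:03", 32768, 60),
    # one PC running a peer-to-peer client: high ports and many flows but
    # no router MAC; still scores 2 (false positive)
    "192.0.2.12": make_flows("00:e0:81:dd:ee:ff", 40000, 75),
    # NAT box with the PC's MAC cloned and a low-port stack, modest load:
    # nothing fires (false negative)
    "192.0.2.13": make_flows("00:e0:81:11:22:33", 1025, 20),
}

if __name__ == "__main__":
    for ip, flows in sorted(SAMPLE.items()):
        score, reasons = score_customer(flows)
        print("%s score=%d %s" % (ip, score, "; ".join(reasons) or "no signal"))
    print("flagged:", suspects(SAMPLE))
```

Run as-is it flags 192.0.2.11 and 192.0.2.12 and clears the other two; the second flagged address is a single host, and the cleared 192.0.2.13 is the NAT box that cloned its PC's MAC and picks low ports, which is exactly the pair of failure modes the thread predicts once NAT implementors adjust their port selection.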

> It's not very enforceable, so I'd be very surprised to see much money
> spent on this witch hunt.

> At least one provider has a fully staffed full time "anti-nat" division
> now. But will they burn more cash in the nat witch-hunt than they save?
>
> I also wonder about false positives. Watch the lawsuits fly as they
> mistakenly cutoff non-nat customers.

assuming that they pull the plug prior to warning the accused offender of
the problem. They'd get no false positive from me, that's for sure ;)
Guilty as charged here.