[AusNOG] Data Retention and CGNAT - educational exercise

Sid virtualsid at gmail.com
Thu Mar 26 11:31:57 EST 2015


Hi Nick,

> On 26 Mar 2015, at 03:28, Nick Stallman <nick at agentpoint.com> wrote:
> 
> What security concerns would there be to reducing the source ports from 65535 to 100?
> They are usually kept pretty random for a reason aren't they?

I guess it depends on what you want out of CGNAT. As the RFC linked by Scott says, you don't get better or worse security over a non-CGNAT setup with algorithmic NAT allocation.

(That RFC again: https://www.rfc-editor.org/rfc/rfc7422.txt )

I've never set up a CGNAT. But if it was for internet end users as an ISP, I can't see it being implemented for security reasons - only as a resource preservation mechanism. "Security" would just be a byproduct.

If you are setting up any NAT solution specifically for some level of "security", then that changes things.

Sid