<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Nick,</div><div><br>On 26 Mar 2015, at 03:28, Nick Stallman &lt;<a href="mailto:nick@agentpoint.com">nick@agentpoint.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>What security concerns would there be to reducing the source ports from 65535 to 100?</span><br><span>They are usually kept pretty random for a reason, aren't they?</span><br></div></blockquote><div><br></div>I guess it depends on what you want out of CGNAT. As the RFC linked by Scott says, you don't get better or worse security over a non-CGNAT setup with algorithmic NAT allocation.<div><br></div><div>(That RFC again: <a href="https://www.rfc-editor.org/rfc/rfc7422.txt">https://www.rfc-editor.org/rfc/rfc7422.txt</a>)</div><div><br></div><div>I've never set up a CGNAT. But if it was for internet end users as an ISP, I can't see it being implemented for security reasons - only as a resource preservation mechanism. "Security" would just be a byproduct.</div><div><br></div><div>If you are setting up any NAT solution specifically for some level of "security", then that changes things.</div><div><br></div><div>Sid</div></body></html>