[AusNOG] Telstra run out of IPv4 - goes CGNAT

Mark ZZZ Smith markzzzsmith at yahoo.com.au
Tue Mar 24 13:21:11 EST 2015
________________________________
From: Skeeve Stevens <skeeve+ausnog at theispguy.com>
To: AusNOG Mailing List <ausnog at ausnog.net> 
Sent: Tuesday, 24 March 2015, 0:46
Subject: [AusNOG] Telstra run out of IPv4 - goes CGNAT



Hi all,

I am surprised no one talked about this yesterday

http://www.itnews.com.au/News/401918,telstra-runs-out-of-ipv4-addresses.aspx

This is something I have been saying will happen for a long time now, but forgetting about the Data Retention issue and talking about the CGNAT one, I would be interested to see how many ISPs in Australia are running CGNAT and if they would share their experiences with the rest of us.

Does anyone think this large scale rollout of CGNAT will have a backlash from users? or will no one even notice?

I know of a couple of ISPs running the A10 vThunder CGN boxes, and I am indeed running them on a few ISPs... and for small ISPs they are excellent.  Good price, great performance, easy to manage.  We've also not had a single customer ever complain about things not working.

I suspect that people aren't complaining (or vocally) because NAT traversal technologies have been deployed in end-user applications over the last few years. It wasn't a pretty picture in September 2013:


RFC7021 - "Assessing the Impact of Carrier-Grade NAT on Network Applications"
https://tools.ietf.org/html/rfc7021

RFC6269 is also a useful read as it discusses the issues related to address sharing, including the potential issues when collecting metadata:


RFC6269 - "Issues with IP Address Sharing"
https://tools.ietf.org/html/rfc6269


The fundamental problem I see with NAT/CGN/IP address sharing is that applications that would be best suited to a peer-to-peer communications model are forced into a hub-and-spoke model ("client-server-client"), via an intermediary device at the hub. This is because the communication hosts at the spokes can't directly see each other.

The intermediary device then can become:

(a) a single point of failure, with a widespread impact to many clients if it fails
(b) a performance bottleneck, making the application harder to scale
(c) a point to perform man-in-the-middle attacks, e.g., by preventing proper end-to-end security

The intermediary device becomes critical to the availability, performance and security of the application. If it is run by somebody on the Internet you don't know and/or might not trust, you should move to IPv6 so that you can directly communicate with the other device using your globally unique IPv6 addresses.

(c) is why Skype went from a hybrid peer-to-peer/hub-and-spoke model (where the hub devices were other skype user's PCs with public addresses) to a pure hub-and-spoke model at the instruction of a certain three letter agency.


I'd be interested also to hear of other vendor solutions being deployed out there, how they are working and deal with the common problems, how they scale and most importantly (for me) is the price point and are they appropriate for small (sub 10k) ISPs.


...Skeeve

--
Skeeve Stevens - The ISP Guy
Email: skeeve at theispguy.com ; Twitter: @TheISPGuy
Blog: TheISPGuy.com ; Facebook: TheISPGuy

Linkedin: /in/skeeve ; Expert360: Profile
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
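The address-sharing problem RFC6269 raises for metadata collection, as an added example that is not part of the thread above: a small CGN translation log is parsed into time-bounded (public address, public port) to subscriber mappings, and two lookups show that a shared public IPv4 address on its own cannot identify a subscriber while (address, port, timestamp) can. The log format, the subscriber identifiers and the addresses are all constructed for the example; real CGN vendors log in their own formats.

```python
"""Attributing a server-side log entry to a CGNAT subscriber.

Constructed example (not code from the AusNOG thread): a tiny CGN translation
log is parsed into time-bounded mappings, then queried the way an abuse desk or
investigator would, once with only the public address and once with the
public address, source port and timestamp.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Mapping:
    subscriber: str      # ISP-side subscriber identifier (constructed)
    outside_ip: str      # shared public IPv4 address
    outside_port: int    # public source port assigned by the CGN
    start: datetime      # mapping creation time (UTC)
    end: datetime        # mapping teardown time (UTC)


# Hypothetical CGN log format (an assumption; vendors differ):
# <ts> nat-create|nat-delete sub=<id> in=<priv_ip:port> out=<pub_ip:port>
# Note port 20001 is reused by a second subscriber after the first releases it.
CGN_LOG = """\
2015-03-23T10:00:00Z nat-create sub=A1001 in=100.64.1.10:51000 out=203.0.113.5:20001
2015-03-23T10:00:05Z nat-create sub=A1002 in=100.64.1.11:40021 out=203.0.113.5:20002
2015-03-23T10:02:00Z nat-delete sub=A1001 in=100.64.1.10:51000 out=203.0.113.5:20001
2015-03-23T10:03:00Z nat-create sub=A1003 in=100.64.1.12:33333 out=203.0.113.5:20001
2015-03-23T10:10:00Z nat-delete sub=A1002 in=100.64.1.11:40021 out=203.0.113.5:20002
2015-03-23T10:12:00Z nat-delete sub=A1003 in=100.64.1.12:33333 out=203.0.113.5:20001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ev>nat-create|nat-delete) sub=(?P<sub>\S+) "
    r"in=(?P<inside>\S+) out=(?P<oip>[\d.]+):(?P<oport>\d+)$"
)


def parse_ts(s: str) -> datetime:
    """Parse the log's UTC timestamps; all comparisons below are tz-aware."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cgn_log(text: str) -> List[Mapping]:
    """Pair each nat-create with its nat-delete into a closed Mapping."""
    open_maps: Dict[Tuple[str, str, int], datetime] = {}
    closed: List[Mapping] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable CGN log line: {line!r}")
        key = (m["sub"], m["oip"], int(m["oport"]))
        ts = parse_ts(m["ts"])
        if m["ev"] == "nat-create":
            open_maps[key] = ts
        else:
            start = open_maps.pop(key)
            closed.append(Mapping(m["sub"], m["oip"], int(m["oport"]), start, ts))
    # Mappings still open at the end of the log are treated as still active.
    for (sub, oip, oport), start in open_maps.items():
        closed.append(Mapping(sub, oip, oport, start,
                              datetime.max.replace(tzinfo=timezone.utc)))
    return closed


def subscribers_behind(maps: List[Mapping], ip: str, at: datetime) -> Set[str]:
    """Everyone sharing `ip` at time `at`: all an IP-only log entry can tell you."""
    return {m.subscriber for m in maps
            if m.outside_ip == ip and m.start <= at < m.end}


def attribute(maps: List[Mapping], ip: str, port: int, at: datetime) -> Optional[str]:
    """The single subscriber for (ip, port, time), or None if none or ambiguous."""
    hits = {m.subscriber for m in maps
            if m.outside_ip == ip and m.outside_port == port and m.start <= at < m.end}
    return hits.pop() if len(hits) == 1 else None


if __name__ == "__main__":
    maps = parse_cgn_log(CGN_LOG)
    t = parse_ts("2015-03-23T10:04:00Z")
    # IP only: two subscribers share 203.0.113.5 at 10:04, so no unique answer.
    print(subscribers_behind(maps, "203.0.113.5", t))
    # IP + port + time: port 20001 belongs to A1003 at 10:04 ...
    print(attribute(maps, "203.0.113.5", 20001, t))
    # ... but to A1001 at 10:01, so the timestamp is as essential as the port.
    print(attribute(maps, "203.0.113.5", 20001, parse_ts("2015-03-23T10:01:00Z")))
```

The practical consequence for anyone keeping or requesting records behind a CGN is that the remote side must have logged the source port and an accurate, timezone-correct timestamp, and the ISP must retain the translation log for the same period; a web server that logs only the client address produces a set of candidates, not an identity.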