[AusNOG] Data Retention and CGNAT - educational exercise

Tony Wicks tony at wicks.co.nz
Thu Mar 26 07:21:12 EST 2015


Ok, having the experience of building and running an ISP from scratch running CGNAT here are a few answers for you -

1. I do the CGNAT on the BNG; everything but the DNS requests to my servers gets translated on the BNG
2. BNG=ASR1k/ESP40
3. ESP40 running CGNAT on all customers is good for around 32k ADSL2+ customers without issues
4. A ratio of between 15:1 and 100:1 for 100.64/12:Public IPv4 is achievable depending on your setup
5. 99.99% of customers don't know or care in the slightest. Deal with those who desperately want to have a public IP the same way you currently deal with those who want a static IP; they are largely the same people
6. Logging translations via Netflow works well, via syslog not so much. Per 10K customers you are looking at 0.5G/day after stripping out unneeded information
7. DDOS are a pain in the rear; the old blocking-destination hammer approach is no good until you have removed the IP from the NAT pool
8. You no longer need to worry about customers' crappy compromised CPE as they no longer have public IPs
9. You sometimes need to educate website owners as to why there are so many sessions from a couple of your IPs.
10. Also educating the government people that they need to supply source/destination IP/ports and exact time takes a little while, but they eventually get the idea
11. Xbox and PlayStation suck; you need to tune your NAT session timeouts
12. Overall it just works. I see a lot less in the way of issues as compared to dealing with compromised customer CPE

So overall CGNAT is not as scary as it seems when you look at it; I have been quite impressed at how well it works at scale. It's largely flawless once you have it tuned.




-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Scott O'Brien
Sent: Thursday, 26 March 2015 2:16 a.m.
To: <ausnog at lists.ausnog.net>
Subject: [AusNOG] Data Retention and CGNAT - educational exercise

G’Day Noggers,

Just a little light-hearted post to get the minds ticking. There has been a bit of talk about the data retention requirements of late, what's required to be kept, and what CGNAT might mean for the complexity and amount of information to keep.

I'm not sure if providers are asked just to keep information of "who had what address" at a given time, or if full records of sessions made (including src and dst address) are required, such that you need to keep logs of flows somehow, be it netflow or some other way. It has been mentioned that if it were the former, keeping just RADIUS logs would not be enough in an environment where CGNAT is used. To get a successful match of "who had what address and port" at a given time, you're going to have to be logging all the translations through a NAT appliance, an exercise which can be expensive for the amount of data you need to keep. Even with the deployment of IPv6, where more traffic becomes native and you'll have to look after fewer translations, this is something that might still be required for a time yet! ;)

I'm curious about another way to do NAT to reduce the amount of data you need to keep, and have an idea. A little background: a single IP address can be translated a lot of times. A TCP/UDP IP packet can have 65535 ports. The translation table can be made up of a tuple of src address, src port, dst port AND destination address. The last part means you can use the same address AND PORT for multiple translations to a bunch of different hosts out there on the internet. This means that if the NAT appliance was capable of it, there are a ton of translations that can occur on just a single IP and port.

The idea to reduce the amount of data required to be collected in a CGNAT environment is to allocate a user behind the CGNAT a static range of ports (let's say 100 for conversation's sake, perhaps IP 1.1.1.1, ports 400-500). This user could potentially make hundreds of thousands of different connections using only that single IP/port combination. With this static IP/port allocation, instead of logging every single translation/session, you can just log which user "owns this port". Because the destination address and port are part of the tuple identifying the translation, the only time a customer realistically needs to use more than one public address/port combo is when they make concurrent connections to the same destination address. The idea of allocating say 100 ports means they could make 100 concurrent connections to a destination. The magic CGNAT appliance here in question could hopefully be smart enough to notice when 50 ports are used, to allocate (and log the allocation of) another chunk of say 100 ports on some address to use for that customer (with some arbitrary upper limit).

I guess the question I'm curious to ask the masses of network geeks is: do you see this as a viable way of performing CGNAT on the average consumer base? Would it work? I think it'd be useful to be able to more quickly resolve those "who" questions and reduce the amount of data kept in a CGNAT environment.

Thanks!
~ Scott O'Brien
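The port-block scheme Scott sketches above, written out as a small simulator (an added example, not code from the thread or from any vendor's CGNAT). It keys translations on the full tuple so one public ip:port is reused across destinations, grows a subscriber's allocation when half of the newest block is busy, logs only block allocations, and answers "who had ip:port at time T" from that log alone. The public address, block size and cap are constructed values.

```python
from collections import defaultdict

PUBLIC_IP = "192.0.2.1"  # constructed documentation address, not a real pool


class BlockNAT:
    """Port-block CGNAT: retain block allocations, not per-session translations."""

    def __init__(self, block_size=100, max_blocks=4, first_port=1024):
        self.block_size, self.max_blocks = block_size, max_blocks
        self.next_port = first_port
        self.blocks = defaultdict(list)  # subscriber -> [(ip, start, end)]
        self.alloc_log = []              # (time, subscriber, ip, start, end)
        self.sessions = {}               # (ip, port, dst_ip, dst_port) -> subscriber

    def _allocate(self, sub, now):
        if len(self.blocks[sub]) >= self.max_blocks:  # arbitrary upper limit
            return False
        start, self.next_port = self.next_port, self.next_port + self.block_size
        blk = (PUBLIC_IP, start, start + self.block_size - 1)
        self.blocks[sub].append(blk)
        self.alloc_log.append((now, sub, *blk))  # the only record kept long term
        return True

    def _ports_in_use(self, blk):
        ip, start, end = blk
        return len({k[1] for k in self.sessions if k[0] == ip and start <= k[1] <= end})

    def translate(self, sub, dst_ip, dst_port, now):
        """Pick a public (ip, port) for a new session; the 4-tuple key lets the
        same public port serve different destinations. None when exhausted."""
        if not self.blocks[sub]:
            self._allocate(sub, now)
        for ip, start, end in self.blocks[sub]:
            for port in range(start, end + 1):
                key = (ip, port, dst_ip, dst_port)
                if key not in self.sessions:
                    self.sessions[key] = sub
                    # pre-allocate another block once half of the newest one is busy
                    if self._ports_in_use(self.blocks[sub][-1]) >= self.block_size // 2:
                        self._allocate(sub, now)
                    return ip, port
        return None

    def close(self, ip, port, dst_ip, dst_port):
        self.sessions.pop((ip, port, dst_ip, dst_port), None)

    def who_had(self, ip, port, when):
        """Resolve a retention query using only the allocation log."""
        for t, sub, bip, start, end in self.alloc_log:
            if t <= when and bip == ip and start <= port <= end:
                return sub
        return None
```

Note that a query still needs the destination-side details Tony mentions if two sessions on the same public port are to be told apart; the block log identifies the subscriber, not the individual flow.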