Mark Foster wrote:
I take it the recently reported issue of an entire country (Dubai?) being blocked from editing Wikipedia articles due to the abuse of a single user of the single IP address behind which much of the country was NAT'd, isn't an issue of this then?
It was Qatar, and it was their content filtering proxy, rather than a NAT. This is why web sites should use things like X-Forwarded-For:, rather than just raw IPs.
Security is one thing, but isn't there an obscurity issue to be raised as well? (A cheap, NAT'd and thus semi-anonymous, dialup ... hmm... am I just pessimistic about user tendencies?)
Technology evolves. If you're doing NAT on the NAS that the user is dialled into, there'd be minimal effort for the NAS vendor to support something like an additional AVPair during user authentication to tell your RADIUS server what IP that subscriber was going to be NAT'd to. Then you use netflow, or ip accounting, or any of the bazillion ways that exist in people's networks today to correlate subscriber originated traffic to NAT, for abuse tracking purposes. There are probably other ways but this is the first one that occurred to me.
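The correlation described in the reply above, as an added example that is not part of the original post: an abuse report naming a shared NAT address is narrowed to one subscriber by joining RADIUS session records with flow records. It assumes the NAS reports the NAT'd address (the `nat_ip` field stands in for the hypothetical AVPair), that flows are exported before translation, and all sample records are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample data. "nat_ip" stands in for the hypothetical AVPair the
# post suggests a NAS could send to RADIUS at authentication time.
RADIUS_SESSIONS = [
    # (subscriber, private IP, nat_ip, session start, session stop)
    ("alice", "10.0.0.11", "192.0.2.1", "2007-01-05T10:00:00", "2007-01-05T11:30:00"),
    ("bob",   "10.0.0.12", "192.0.2.1", "2007-01-05T10:15:00", "2007-01-05T10:50:00"),
    ("carol", "10.0.0.13", "192.0.2.2", "2007-01-05T10:00:00", "2007-01-05T12:00:00"),
    # dave is later handed the private IP that bob used earlier
    ("dave",  "10.0.0.12", "192.0.2.1", "2007-01-05T11:00:00", "2007-01-05T11:45:00"),
]
# Constructed pre-NAT flow records: (private src IP, dst IP, dst port, flow start)
FLOWS = [
    ("10.0.0.11", "198.51.100.7", 80, "2007-01-05T10:20:05"),
    ("10.0.0.12", "203.0.113.9", 80, "2007-01-05T10:20:10"),
    ("10.0.0.12", "203.0.113.9", 80, "2007-01-05T11:10:00"),
    ("10.0.0.13", "203.0.113.9", 80, "2007-01-05T10:20:12"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def sessions_on_nat_ip(nat_ip, when):
    """RADIUS sessions that were mapped to nat_ip at time `when`."""
    return [s for s in RADIUS_SESSIONS
            if ip_address(s[2]) == ip_address(nat_ip)
            and _ts(s[3]) <= when <= _ts(s[4])]

def attribute(nat_ip, dst_ip, dst_port, when, skew=timedelta(seconds=30)):
    """Subscribers behind nat_ip with a flow to dst_ip:dst_port near `when`.

    The session window is checked first, so a private IP reused by a later
    subscriber is not attributed to the earlier one. `skew` absorbs clock
    drift between the reporter and the flow exporter.
    """
    hits = set()
    for user, priv, _, _, _ in sessions_on_nat_ip(nat_ip, when):
        for src, dst, port, start in FLOWS:
            if (src == priv and dst == dst_ip and port == dst_port
                    and abs(_ts(start) - when) <= skew):
                hits.add(user)
    return sorted(hits)

if __name__ == "__main__":
    print(attribute("192.0.2.1", "203.0.113.9", 80, datetime(2007, 1, 5, 10, 20, 0)))
```

An empty result means the report cannot be tied to a subscriber from these records, and more than one name means the timestamp or destination in the report is too coarse to separate them.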