We're rolling out CGN with PCP[1,2] to help mitigate some of the risks involved, however applications may have to adapt to make proper use of it, as it doesn't work too well currently.

Things like uTorrent pick a port and then keep requesting it with UPnP even if it keeps failing, instead of trying a new one.
Our particular vendor's PCP implementation dedicates a block of ports to be used for PCP MAPs, and the client cannot use a port outside of that block, not even a port that's been reserved for that subscriber's SNAT block.
Thankfully the range we've allocated will include the XBox Live port (3074), but that is then only good for the first subscriber that sends a PCP MAP, subsequent attempts from subs behind the same IP will fail.
There is a UPnP function, AddAnyPortMapping() as specified in IGD:2, that when translated into a PCP MAP will prefer a port, but if unavailable will accept any offered by the PCP server. However all of our Broadcom chipset based CPEs don't support it, and I have no idea how many applications would use it either.

We'll only be deploying CGN in conjunction with dual stacked IPv6 in an attempt to offload traffic off CGN and also mitigate the risks.
That then introduces new issues like do we leave the IPv6 firewall on by default? And do any applications support the WANIPv6FirewallControl [3] UPnP features to open up pinholes dynamically?  Oh wait, that's part of IGD:2 which our CPEs don't support. :(
FWIW: We're looking at leaving the IPv6 firewall on by default, but allowing IPSec[4] to all internal hosts, following the XBox One P2P approach[5].

Things aren't necessarily easier even when you have in-house CPE developers.
Apologies for the rant!

-Richard

Appropriate links:
[1] PCP: https://tools.ietf.org/html/rfc6887
[2] UPnP<->PCP Interworking Function: http://tools.ietf.org/search/rfc6970
[3] http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf
[4] IPv6 Security Suggestions: https://tools.ietf.org/html/rfc6092
[5] XBox One presentation at NANOG: http://www.youtube.com/watch?v=VSjljW4clPM
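To make the port-block behaviour described above concrete, here is an added worked example (not code from the thread, from any CPE vendor, or from the IETF specs): a toy PCP server that encodes and decodes RFC 6887 MAP requests and responses, with one port block shared by every subscriber behind the same CGN address. It models the RFC 6970 translation of the two UPnP calls mentioned: AddPortMapping becomes a MAP request carrying the PREFER_FAILURE option, so a second subscriber asking for UDP 3074 keeps failing no matter how often it retries, while AddAnyPortMapping becomes a MAP request without that option and is given another port from the block. The external address 192.0.2.10, the subscriber addresses in 100.64.0.0/10, the block 3000-3100 and the 30-second error lifetime are constructed values; the rule that a mapping must come from the block is the assumed vendor behaviour, not something RFC 6887 requires.

```python
"""Toy PCP (RFC 6887) MAP exchange behind a CGN with a shared per-address port block.

Constructed example: addresses, the port block and the vendor rule that every
PCP mapping must come from that block are assumptions, not from a real product.
"""
import ipaddress
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
OPT_PREFER_FAILURE = 2                 # RFC 6887, section 13.2 (zero-length option)
RESULT_SUCCESS = 0
RESULT_CANNOT_PROVIDE_EXTERNAL = 11    # RFC 6887, section 7.4
PROTO_UDP = 17
HDR_LEN, MAP_LEN = 24, 36              # common header and MAP opcode payload sizes
ERROR_LIFETIME = 30                    # assumed "try again later" lifetime on errors


def _ip16(addr):
    """16-byte address field; IPv4 is carried as an IPv4-mapped IPv6 address."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}").packed if ip.version == 4 else ip.packed


def _unmap(raw16):
    """Inverse of _ip16: render a 16-byte field as the IPv4 or IPv6 text form."""
    ip6 = ipaddress.IPv6Address(raw16)
    return str(ip6.ipv4_mapped or ip6)


def build_map_request(client_ip, internal_port, suggested_port, nonce, prefer_failure, lifetime=7200):
    """Encode a MAP request: common header, MAP payload, optional PREFER_FAILURE option."""
    hdr = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime) + _ip16(client_ip)
    body = nonce + struct.pack("!B3xHH", PROTO_UDP, internal_port, suggested_port) + bytes(16)
    if prefer_failure:
        body += struct.pack("!BBH", OPT_PREFER_FAILURE, 0, 0)   # option code, reserved, length 0
    return hdr + body


def parse_map_response(data):
    """Decode the fields a client acts on: result code, lifetime, assigned port and address."""
    version, r_opcode, _reserved, result = struct.unpack("!BBBB", data[:4])
    if version != PCP_VERSION or r_opcode != (0x80 | OPCODE_MAP):
        raise ValueError("not a PCP v2 MAP response")
    lifetime = struct.unpack("!I", data[4:8])[0]
    internal_port, ext_port = struct.unpack("!HH", data[HDR_LEN + 16:HDR_LEN + 20])
    return {"result": result, "lifetime": lifetime, "nonce": data[HDR_LEN:HDR_LEN + 12],
            "internal_port": internal_port, "external_port": ext_port,
            "external_ip": _unmap(data[HDR_LEN + 20:HDR_LEN + 36])}


def _options(data):
    """Iterate over (code, payload) pairs in the option area after the MAP payload."""
    while len(data) >= 4:
        code, _reserved, length = struct.unpack("!BBH", data[:4])
        yield code, data[4:4 + length]
        data = data[4 + length:]


class CgnPcpServer:
    """CGN whose PCP mappings all come from one port block shared by every subscriber
    behind the same external address (assumed vendor behaviour)."""

    def __init__(self, external_ip, port_block):
        self.external_ip = external_ip
        self.free_ports = set(port_block)
        self.mappings = {}               # (client_ip, internal_port) -> external port

    def handle(self, req):
        version, opcode, _reserved, lifetime = struct.unpack("!BBHI", req[:8])
        client_ip = _unmap(req[8:24])
        nonce = req[HDR_LEN:HDR_LEN + 12]
        proto, internal_port, suggested = struct.unpack("!B3xHH", req[HDR_LEN + 12:HDR_LEN + 20])
        prefer_failure = any(code == OPT_PREFER_FAILURE for code, _ in _options(req[HDR_LEN + MAP_LEN:]))
        key = (client_ip, internal_port)
        if key in self.mappings:                        # refresh of an existing mapping
            assigned, result = self.mappings[key], RESULT_SUCCESS
        elif suggested in self.free_ports:              # suggested port is free inside the block
            assigned, result = suggested, RESULT_SUCCESS
        elif prefer_failure or not self.free_ports:     # client insisted, or block exhausted
            assigned, result, lifetime = 0, RESULT_CANNOT_PROVIDE_EXTERNAL, ERROR_LIFETIME
        else:                                           # AddAnyPortMapping semantics: any port from the block
            assigned, result = min(self.free_ports), RESULT_SUCCESS
        if result == RESULT_SUCCESS:
            self.free_ports.discard(assigned)
            self.mappings[key] = assigned
        hdr = struct.pack("!BBBBII", PCP_VERSION, 0x80 | opcode, 0, result, lifetime, 0) + bytes(12)
        ext = _ip16(self.external_ip) if result == RESULT_SUCCESS else bytes(16)
        return hdr + nonce + struct.pack("!B3xHH", proto, internal_port, assigned) + ext


def upnp_add_port_mapping(server, client_ip, port, nonce):
    """IGD AddPortMapping: RFC 6970 translates it to MAP *with* PREFER_FAILURE."""
    return parse_map_response(server.handle(build_map_request(client_ip, port, port, nonce, True)))


def upnp_add_any_port_mapping(server, client_ip, port, nonce):
    """IGD:2 AddAnyPortMapping: MAP *without* PREFER_FAILURE, so any offered port is accepted."""
    return parse_map_response(server.handle(build_map_request(client_ip, port, port, nonce, False)))


def demo():
    """Two subscribers behind one CGN address both want UDP 3074; a third asks outside the block."""
    cgn = CgnPcpServer("192.0.2.10", range(3000, 3101))      # constructed block that includes 3074
    first = upnp_add_port_mapping(cgn, "100.64.1.10", 3074, b"\x01" * 12)
    retry = upnp_add_port_mapping(cgn, "100.64.1.11", 3074, b"\x02" * 12)     # fails on every retry
    fallback = upnp_add_any_port_mapping(cgn, "100.64.1.11", 3074, b"\x02" * 12)
    outside = upnp_add_port_mapping(cgn, "100.64.1.12", 40000, b"\x03" * 12)  # port outside the block
    return first, retry, fallback, outside


if __name__ == "__main__":
    for label, resp in zip(("first", "retry", "fallback", "outside"), demo()):
        print(f"{label:8s} result={resp['result']:2d} external={resp['external_ip']}:{resp['external_port']}")
```

Running `demo()` shows the pattern from the thread: the first subscriber gets 3074, the second gets result code 11 (CANNOT_PROVIDE_EXTERNAL) for as long as it keeps asking for 3074 with PREFER_FAILURE set, and only the AddAnyPortMapping-style request gives it a working mapping on 3000. A request for a port outside the block fails the same way, which is the behaviour worth checking against a real vendor implementation before relying on the interworking function.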


On Thu, Feb 27, 2014 at 12:52 AM, Lloyd Parkes <lloyd@must-have-coffee.gen.nz> wrote:

On 27/02/2014, at 12:13 pm, Neil Fenemor <neil@underground.geek.nz> wrote:

As an ISP will end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it.

Is there anyone here who has had to choose between CGN and dual-stack lite and is willing to say why they made the choice they did. I’m familiar with the various possible issues and I’m interested in hearing about what people’s actual issues have been.

Cheers,
Lloyd



_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog