Dan Wing :unverified: (danwing@infosec.exchange)'s status on Saturday, 07-Dec-2024 10:41:21 JST
    in reply to
    • DJGummikuh
    • vurpo 🏳️‍⚧️
    • FL | エフル

@fl @vurpo @DJGummikuh To avoid that ongoing logging, the three vendor CGNAT implementations I am aware of use fixed port ranges per subscriber. For example, if the CGNAT is configured to give everyone 1024 ports, that means neighbor Bob gets 1024 ports and his range might be 10000-11024; I would get the next set of 1024 ports (11025-12049), neighbor Sue gets the next set of 1024 ports, and so on. Some CGNATs have an 'overflow' pool of ports shared amongst subscribers, so a subscriber can 'burst' beyond their 1024 ports to consume 2x or 3x that amount. Those overflow ports, which are dynamically assigned, likely create logs when they are mapped to a subscriber. See https://datatracker.ietf.org/doc/html/rfc7422 and see vendor documentation for more details.

In conversation about 7 months ago from infosec.exchange (permalink)

    Attachments

      RFC 7422: Deterministic Address Mapping to Reduce Logging in Carrier-Grade NAT Deployments
      from Olivier Vautrin
      In some instances, Service Providers (SPs) have a legal logging requirement to be able to map a subscriber's inside address with the address used on the public Internet (e.g., for abuse response). Unfortunately, many logging solutions for Carrier-Grade NATs (CGNs) require active logging of dynamic translations. CGN port assignments are often per connection, but they could optionally use port ranges. Research indicates that per-connection logging is not scalable in many residential broadband services. This document suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response. IPv6 is, of course, the preferred solution. While deployment is in progress, SPs are forced by business imperatives to maintain support for IPv4. This note addresses the IPv4 part of the network when a CGN solution is in use.
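The scheme described in the post above (a fixed, arithmetically derived port block per subscriber, plus a shared overflow pool that has to be logged) can be made concrete with a small model. The code below is an added illustration and is not code from the post, from RFC 7422, or from any vendor CGNAT; the public address, the inside addresses, the reserved-port floor of 10000 and the single-address layout are constructed assumptions. It uses exact, non-overlapping 1024-port blocks, so the second block starts at 11024 rather than at 11025 as in the post's rough example. The point it shows is the one that matters for abuse response: a public port inside a fixed block can be traced back to a subscriber by arithmetic alone, whereas an overflow port can only be traced through the log written when it was mapped.

```python
"""Deterministic CGNAT port-block mapping in the style of RFC 7422 (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Cgnat:
    public_ip: IPv4Address                 # single shared public IPv4 address (assumption)
    subscribers: list[str]                 # inside addresses; list index is the subscriber slot
    block_size: int = 1024                 # fixed ports per subscriber, as in the post
    first_port: int = 10000                # ports below this are reserved and never mapped
    # Log of dynamic overflow mappings, in allocation order: (sequence, inside, port, event)
    overflow_log: list[tuple[int, str, int, str]] = field(default_factory=list)
    _overflow_in_use: dict[int, str] = field(default_factory=dict)
    _seq: int = 0

    def __post_init__(self) -> None:
        # Fixed blocks are laid out back to back; everything after them is the overflow pool.
        self.overflow_start = self.first_port + self.block_size * len(self.subscribers)
        if self.overflow_start > 65536:
            raise ValueError("subscriber count * block_size does not fit one public address")

    def fixed_range(self, inside: str) -> range:
        """Ports deterministically owned by a subscriber. No per-connection log is needed
        because the mapping is a function of the subscriber slot alone."""
        slot = self.subscribers.index(inside)
        start = self.first_port + slot * self.block_size
        return range(start, start + self.block_size)

    def allocate_overflow(self, inside: str) -> int:
        """'Burst' beyond the fixed block. This is the path that must be logged, since
        the same overflow port is handed to different subscribers over time."""
        for port in range(self.overflow_start, 65536):
            if port not in self._overflow_in_use:
                self._overflow_in_use[port] = inside
                self._seq += 1
                self.overflow_log.append((self._seq, inside, port, "map"))
                return port
        raise RuntimeError("overflow pool exhausted")

    def release_overflow(self, port: int) -> None:
        """Return an overflow port to the pool; also logged, so later lookups stay correct."""
        inside = self._overflow_in_use.pop(port)
        self._seq += 1
        self.overflow_log.append((self._seq, inside, port, "unmap"))

    def subscriber_for(self, port: int, at_seq: Optional[int] = None) -> Optional[str]:
        """Reverse lookup for abuse response: public port -> inside address.
        Fixed-block ports are resolved arithmetically; overflow ports need the log,
        replayed up to the given log sequence (default: current state)."""
        if self.first_port <= port < self.overflow_start:
            return self.subscribers[(port - self.first_port) // self.block_size]
        if port < self.overflow_start or port > 65535:
            return None                    # reserved or invalid port: never mapped
        owner: Optional[str] = None
        for seq, inside, logged_port, event in self.overflow_log:
            if at_seq is not None and seq > at_seq:
                break
            if logged_port == port:
                owner = inside if event == "map" else None
        return owner

    def entries_logged(self, fixed_connections: int, overflow_connections: int) -> int:
        """Log volume: fixed-block connections cost nothing, overflow mappings cost one line each."""
        return overflow_connections
```

With three constructed subscribers the first block is 10000-11023, the second 11024-12047, and the overflow pool begins at 13072; a lookup of port 11500 resolves to the second subscriber with no log, while an overflow port is only attributable through the `map`/`unmap` entries, which is exactly the logging the fixed blocks avoid.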

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.