[arin-ppml] Stepping forward, opening my mouth and removing all doubt about

Kevin Kargel kkargel at polartel.com
Thu Aug 28 13:48:11 EDT 2008


On Thu, Aug 28, 2008 at 10:25 AM, Kevin Kargel <kkargel at polartel.com> wrote:
> Speaking as a system administrator for an ISP..  The number of 
> customers who during the course of a year use applications that would 
> be negatively affected by nat is more in the range of 80 to 100 %..
>
> Flame this if you want.. I am speaking from experience having tried it..

> Kevin,
>
> Would you settle for questions which challenge you to document your claims
> instead?

I will be happy to answer your questions.  I am sure there are technical
solutions to each of these problems, the issue is that my customers have
neither the inclination nor the skills to tackle the issue, they would
rather pay me and expect everything to run smoothly.  I'll throw in some
easily grabbed surface links..

My and your customers are not extraordinarily loyal.  With prices being
competitive they will take their business to whichever ISP works best for
them with the least amount of trouble.  I want that to be me.


> Instant messaging

> Which widely used IM systems do you find have trouble when the clients are
> behind a NAT firewall? Certainly not AIM, Yahoo messenger, Google chat or
> IRC. DCC has some issues, but now you've crossed into P2P file transfer
> rather than IM.


To the contrary, any of the Yahoo IM features using p2p break when behind
NAT..  It doesn't matter that it's a p2p, my customers just know there is a
button for that in their Yahoo console and they expect it to work.  The apps
will survive local NAT to some degree, but look in the FAQs and you will
find instructions for overcoming NAT..  It takes special software to be able
to utilize some IM features like file transfer behind NAT..
http://www.brothersoft.com/enat-for-msn-messenger-17678.html
http://www.unixwiz.net/techtips/yahoo-sonicwall.html

> online gaming (like yahoo and msn games),

> Which Yahoo or MSN games malfunction when access is attempted from behind a
> NAT firewall?

Try to host any YAHOO or MSN card game from behind a NATed console..  I am
not talking about local NAT on your personal router, but on an ISP supplied
NAT address..  Unless you are talking about 1 to 1 NAT..  But that rather
defeats the purpose..
http://answers.yahoo.com/question/index?qid=20080826124256AAb1nB7
http://www.homenethelp.com/web/howto/game-behind-router.asp


> game consoles,

> Which game consoles malfunction when access is attempted from behind a NAT
> firewall? The standard deployment for DSL and cable modems is to send out a
> "DSL router" which implements a local NAT firewall and all three
> manufacturers knew that when they designed the current generation of
> consoles. Would you have us believe that Microsoft, Sony and Nintendo built
> and deployed game consoles which require extraordinary action to get on the
> Internet?

No, I would have you believe that Microsoft, Sony and Nintendo built and
deployed game consoles which require ordinary action to get on the internet.
Not extraordinary action like NAT.
http://boardsus.playstation.com/playstation/board/message?board.id=psnetwork&thread.id=116102

Again, there is a huge difference between using NAT for your one game
console, and putting your game console behind an ISP NAT alongside dozens or
hundreds of other game consoles.  Try running three Xboxes behind your SOHO
router without doing fancy router tricks and see what happens..
http://support.microsoft.com/kb/908880

> VOIP,

> Other than Skype (see P2P apps), what widely used VOIP services malfunction
> when the client is behind a NAT firewall? Definitely not Vonage. I used it
> for years behind NAT+PPPoE.

Are you talking about your personal NAT in your PPPoE router or a private
address supplied by your ISP?  There is a difference..  Try running two
simultaneous sessions of VOIP behind your NATed router even.
http://blogs.zdnet.com/ip-telephony/?p=1095

> Which widely used VPN client products malfunction when the client is
> behind a NAT firewall? Certainly not Microsoft's PPtP client nor Cisco's VPN
> client nor open source solutions like OpenVPN. I've used all of these
> without difficulty from behind NAT firewalls.

CITRIX for one..  Also Cisco VPN and Microsoft PPtP..  Again..  We are
talking about a 1 to hundreds NAT..  Not your SOHO router.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_qanda_item09186a00801c2dbe.shtml
http://osdir.com/ml/security.vpn/2003-08/msg00017.html
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

> p2p applications,
> web cam videoconference,

> And you believe that more than 80% of your users use applications in these
> two categories? What's your basis for this claim? Have you surveyed your
> users? Performed traffic analysis to match well known applications to user
> accounts?

I base it on the thousands of phone calls I got the first day we implemented
NAT..  I also base it on my network traffic analysis (Xangati if you are
interested, very cool) that enumerates endpoints associated with a
protocol..  As I type this I have over 150 customers using BitTorrent, a
couple dozen actively using VOIP, dozens on Yahoo and MSN games, ad
nauseam..  And this is in the middle of the day during school..

> followed by a host of other applications..  Almost all of my
> residential customers use one or more applications in this ilk at least
> occasionally.

> Not unless your user base is comprised of a disproportionate number of
> techies. I'll concede that possibility, but if true it negates the utility
> of your observations for establishing a baseline for the percentage of users
> who directly need globally routable IP addresses.

You don't need techies to want to do p2p or play games..  Any schoolkid will
meet that criterion, and most of those are techies these days..

One instance of any of these applications behind a NAT is configurable
without undue strain, but when you try configuring NAT to work with hundreds
or thousands of instances of a single application without special
client-side configuration you are going to have to think harder. Remember
that your customers expect their software to work out-of-the-box..  And when
it doesn't they are going to call you and that costs you money.

Also, if your ISP does not by default give you a block of NAT'ed addresses
in the same subnet as your WAN for your LAN, then you are forced to
double-NAT, which greatly increases the likelihood of breaking apps.

> Regards,
> Bill Herrin


--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004