[arin-ppml] The non-deployment of IPv6

Ted Mittelstaedt tedm at ipinc.net
Tue Dec 15 15:22:46 EST 2009

Lee Howard wrote:

> Legal issues with NAT:
> * If you get a subpeona for records related to an IP address, can you 
> figure
>   out what device used that IP address? 
> * Can the legal requestor provide all of the data required to identify a 
> host?
>   (IP address, timestamp, port number)

Among the smaller consumer routers, this capability is iffy.  Some of
them (Linksys BEFSR41 or RV042 for example) don't even let you see
the translation table at all from any interface.  Others, (linksys
RVS4000, or openwrt/ddwrt) have a IP Connectrack button that lets you
see the translation table - but to get any long-term history you would
have to run Netflow  (stuff running dd-wrt allows this, but none
of the small consumer routers do) and log it.

Even the commercial firewalls, Cisco PIX and ASA, would require an
external logging server.  And while I've seen lots of companies with
firewalls like that in service - most of them don't bother setting up
the logging server.

The biggest problem with NAT though is that you have a device - the
NAT device - which is easily attackable from the inside.  All it takes 
is one customer to get infected with a bot and POW the NAT gets 
overloaded and every customer you have dependent on it, goes offline.

This is even if the NAT isn't being targeted.

> * The request was based on a server log someplace.  Is its timestamp
>   accurate?  Is yours?

ntp on the logging server and the translator

> * Does that server log include port numbers?

Netflow does.  But not many smaller and medium sized companies run it,
or if they do run it they run a collector that doesn't save over the
long term.


More information about the ARIN-PPML mailing list