[arin-ppml] CGN multiplier was: RE: Input on an article by Geoff Huston (potentially/myopically off-topic addendum)

Owen DeLong owen at delong.com
Thu Sep 15 15:57:47 EDT 2011




On Sep 15, 2011, at 13:02, "Michel Py" <michel at arneill-py.sacramento.ca.us> wrote:

>>> Michel Py wrote:
>>> 1. Basic and idiot-proof firewall.
> 
>> Owen DeLong wrote:
>> There's no difference here between NAT and no NAT. The stateful
>> inspection firewall portion is identical.
> 
> There actually is a slight advantage with NAT: difficult if not
> impossible to misconfigure the firewall part. I can't tell you how many
> firewall setups I see are broken, because there is something
> equivalent to a "permit ip any any" somewhere near the top. It takes
> some skill to configure a firewall correctly, skill that the people who
> need cheap solutions generally do not possess. With NAT, the worst you
> can do is a "DMZ host", you expose 1 host not the entire network.
> 

I keep hearing this, but, the reality doesn't match your claim.

It is relatively easy to misconfigure a NAT firewall to fail open and in some
cases they fail open in interesting and not easily detected ways.

For example, if you permit outbound UDP without restriction, you are effectively
permitting bidirectional wide-open IPv6 to many of your Windows boxes the
moment someone attempts to go to a site with an AAAA record, whether you
know it or not.

I have seen NATs where they managed to expose the entire subnet by
mapping the "DMZ host" to 255.255.255.255.

I have seen idiots get really creative about being idiots.

NAT is not a panacea to protect you from administrator incompetence no
matter how much you'd like to think it is.

Worse, NAT is essentially a toxic pollutant on the internet. Your use of NAT
causes problems the cost of which is borne by people outside of your network.

> 
>> In reality, the hardware to deploy a full multi homed solution,
>> including tunnel terminating routers for 2 colos can be had for
>> about $600. You can find 1U colo slots for around $40/month
>> or less, including transit.
> 
> And what about your time?

Pretty trivial amount of time involved...

> Time to handle the paperwork with ARIN to get an ASN and a PI prefix.

Took me about 30 minutes.

> Time to find the 2 colos.

Another hour.

> Time to purchase, install and configure the gear (including BGP config
> with the 2 colos).

About 1 hour each.

> * your hourly rate = $250/hr

> Plus the ARIN setup fees, plus the ARIN maintenance fee. Plus the $60
> for Comcast to have a static IP, because you can handle the dynamic one
> but the customer cannot, etc etc.
> 
> I want your setup, I want you to configure it and take care of
> everything.
> Give me an itemized quote for:
> 
> 1. Setup cost (total hardware + fees + labor + travel)

The two colos were close by so there wasn't really any "travel".

I used Juniper routers, so, my setup is more expensive than if you use, say, Mikrotik.

3 routers: MikroTik RB750GL -- $59.95@ = $180
ARIN: $1250 (IPv6 /48) + $500 (ASN)
Setup Labor: $750-$1,000
Travel: Depends on chosen location(s)
ISP: Depends on your chosen ISP(s)
Colo: Depends on your chosen colo provider(s)

> 2. Recurring costs
> 

Per incident: $250/hour -- Generally not needed.
Annual ARIN fees: $100
ISP Fees: Depends on your chosen ISP
Colo Fees: Depends on the colo

> And compare to one-time $200 for a dual-wan router.
> No, a dual-wan router is not what I call multihoming. Yes, there are
> plenty of people out there that use it because they can't afford your
> solution.
> 

You get what you pay for. Use dual addressing from two upstreams down to the local host and you get roughly the same functionality as you get from NAT and a little less dysfunction, but, your numbers change from time to time.

> What you describe is indeed THE superior solution, but money does not
> grow on trees. If I had to bill myself at the rate I charge customers
> for configuring my own network, I'd be bankrupt.
> 

True that.

> 
> 
>> Lee Dilkie wrote: 
>> and ARIN will issue you a /24 PI space for such whimsical reasons?
> 
> Actually, if you have the setup Owen describes, yes. Fully multihomed,
> good enough reason (as long as there are any /24 left). After that,
> you'll have to buy a prefix on top of paying ARIN.
> 

Sure, but, I thought we were talking about IPv6 -- ARIN has plenty of /48s.

Owen
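The two NAT fail-open cases Owen describes above (unrestricted outbound UDP letting Windows hosts tunnel IPv6 straight through the NAT, and a "DMZ host" mapped to a broadcast address) can both be audited from flow records and configuration. The script below is an added example, not code from this thread or from any vendor; it assumes the UDP tunnel in question is Teredo (UDP/3544), also flags 6to4/6in4 encapsulation (IP protocol 41), and uses a constructed flow-record format with constructed sample data.

```python
"""Audit two NAT 'fail open' conditions: IPv6 tunnels leaking through
permissive outbound UDP, and a DMZ host that is not a single LAN address.
Flow-record format is constructed for this example: "proto src[:sport] -> dst[:dport]".
"""
import ipaddress
import re
from collections import defaultdict

TEREDO_PORT = 3544       # IANA-assigned UDP port for Teredo
IPV6_IN_IPV4 = 41        # IP protocol number for 6in4 / 6to4 encapsulation

FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp|41)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_flow(line):
    """Return the flow's fields as a dict, or None if the line does not parse."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None

def tunnel_kind(flow):
    """Classify a parsed outbound flow as 'teredo', '6in4' or None."""
    if flow["proto"] == "udp" and flow["dport"] == str(TEREDO_PORT):
        return "teredo"
    if flow["proto"] == str(IPV6_IN_IPV4):
        return "6in4"
    return None

def tunnelling_hosts(lines):
    """Map each internal source address to the tunnel types it has used."""
    seen = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        kind = tunnel_kind(flow) if flow else None
        if kind:
            seen[flow["src"]].add(kind)
    return dict(seen)

def dmz_host_is_sane(dmz_host, lan):
    """A DMZ host must be one unicast address inside the LAN: never a
    broadcast, network or wildcard address such as 255.255.255.255."""
    net = ipaddress.ip_network(lan, strict=False)
    try:
        addr = ipaddress.ip_address(dmz_host)
    except ValueError:
        return False
    return addr in net and addr not in (net.network_address, net.broadcast_address)

SAMPLE_FLOWS = [  # constructed sample records, documentation-range destinations
    "udp 192.168.1.20:53124 -> 203.0.113.10:3544",
    "tcp 192.168.1.20:49152 -> 198.51.100.7:443",
    "udp 192.168.1.21:5353 -> 224.0.0.251:5353",
    "41 192.168.1.30 -> 203.0.113.5",
]
```

Running `tunnelling_hosts(SAMPLE_FLOWS)` reports 192.168.1.20 as a Teredo user and 192.168.1.30 as a 6in4 user, while `dmz_host_is_sane("255.255.255.255", "192.168.1.0/24")` rejects the broadcast mapping.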
