<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        text-align:right;
        direction:rtl;
        unicode-bidi:embed;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
h1
        {mso-style-priority:9;
        mso-style-link:"Heading 1 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:24.0pt;
        font-family:"Times New Roman","serif";
        font-weight:bold;}
h2
        {mso-style-priority:9;
        mso-style-link:"Heading 2 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:18.0pt;
        font-family:"Times New Roman","serif";
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        text-align:right;
        direction:rtl;
        unicode-bidi:embed;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.Heading1Char
        {mso-style-name:"Heading 1 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 1";
        font-family:"Times New Roman","serif";
        font-weight:bold;}
span.Heading2Char
        {mso-style-name:"Heading 2 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 2";
        font-family:"Times New Roman","serif";
        font-weight:bold;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1460296914;
        mso-list-template-ids:1969635090;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:20.0pt;background:silver;mso-highlight:silver'>POINT VIEW !!!! What do you think???</span><span style='font-size:20.0pt'><o:p></o:p></span></p><h1 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:4.5pt;margin-left:0in;mso-line-height-alt:15.0pt'><span style='font-size:20.0pt;font-family:"Georgia","serif";color:#92D050;background:navy;mso-highlight:navy'>Can Large Scale NAT Save IPv4?</span><span style='font-size:20.0pt;font-family:"Georgia","serif";color:#92D050'><o:p></o:p></span></h1><h2 style='mso-margin-top-alt:5.25pt;margin-right:0in;margin-bottom:0in;margin-left:0in;margin-bottom:.0001pt;line-height:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#333333;font-weight:normal'>LSNs are a Necessary but Imperfect Transitional Technology<o:p></o:p></span></h2><p class=MsoNormal style='text-align:left;line-height:11.25pt;direction:ltr;unicode-bidi:embed'><i><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#555555'>By<span class=apple-converted-space>&nbsp;</span><a href="http://www.networkworld.com/community/user/2404" title="View user profile."><span style='color:#0F7CC2'>jdoyle</span></a><span class=apple-converted-space>&nbsp;</span>on Mon, 10/04/10 - 12:10pm.</span></i><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>I've<span class=apple-converted-space>&nbsp;</span><a href="http://www.networkworld.com/community/node/42436"><span style='color:#0F7CC2'>written previously</span></a><span class=apple-converted-space>&nbsp;</span>that as we make the slow - and long 
overdue - transition from IPv4 to IPv6, we will soon be stuck with an awkward interim period in which the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4.<span class=apple-converted-space>&nbsp;</span><a href="http://www.networkworld.com/community/node/44989"><span style='color:#0F7CC2'>Large Scale NAT</span></a><span class=apple-converted-space>&nbsp;</span>(LSN, also known as Carrier Grade NAT or CGN) is an essential tool for stretching a service provider's public IPv4 address space during this transitional period.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>I've yet to work an IPv6 project involving LSN in which someone does not eventually, with great hope in his eyes, say, &quot;If LSN extends the life of our IPv4 space, why are we going to the pain and expense of deploying IPv6? Can't we just deploy LSN and forget about IPv6 for now? Perhaps until I retire?&quot;<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>At first look, LSN does indeed seem to promise an extended lifetime for IPv4. 
Could it even mean that the Internet<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>never</span></em><span class=apple-converted-space>&nbsp;</span>has to transition to IPv6?<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>This article looks beyond the mechanisms of LSN itself to examine the implications of LSN in a practical network, and why this useful technology should never be viewed as anything other than an interim solution.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>A Quick Review of LSN Architectures</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>A traditional broadband service provider network conserves IPv4 addresses by assigning a single public IPv4 address to the outside interface of a NAT residing at the edge of each customer network. Behind the NAT, all devices are assigned a private IPv4 address.&nbsp; The NAT works by mapping each application flow - as identified by the combination of a private IPv4 address and a TCP or UDP port - to the public IPv4 address and one of its TCP or UDP ports. 
In other words, NAT multiplexes the addresses of many inside devices to a single outside address by mapping application flows.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Ports are 16-bit numbers, so potentially 65,536 TCP flows and 65,536 UDP flows could be mapped to a single IPv4 address. The average household or small office does not generate nearly this many flows at one time, making address translation at the edge of such small networks an inefficient use of a public IPv4 address.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>An LSN is a &quot;centralized NAT&quot; placed in the service provider's network. Whether this is<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>in addition to</span></em><span class=apple-converted-space>&nbsp;</span>the NAT at the customer edge, as with<span class=apple-converted-space>&nbsp;</span><a href="http://www.networkworld.com/community/node/45776"><span style='color:#0F7CC2'>NAT444</span></a>, or<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>instead of</span></em><span class=apple-converted-space>&nbsp;</span>the customer NAT, as with<span class=apple-converted-space>&nbsp;</span><a href="http://www.networkworld.com/community/node/46600"><span style='color:#0F7CC2'>DS-Lite</span></a>, the LSN concept is the same: The public IPv4 addresses are pulled away from the customer edge, where their multiplexing capacity is not efficiently exploited, to the outside of the centralized LSN where many customer networks can share a single public IPv4 address.<o:p></o:p></span></p><p 
style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>LSN architecture design, then, is mostly figuring out the strategic placement of each LSN to best use the capacity of each public IPv4 address without oversubscribing the address or overtaxing the LSN itself.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Although<span class=apple-converted-space>&nbsp;</span><a href="http://lacnic.net/documentos/lacnicxii/presentaciones/flip6/02_Alain_Durand.pdf"><span style='color:#0F7CC2'>only a few studies</span></a><span class=apple-converted-space>&nbsp;</span>of per-user port usage have been done, an LSN should be able to support 3000 - 5000 users per public IPv4 address.&nbsp;&nbsp;<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>These numbers, coupled with the tens of thousands of public IPv4 addresses broadband service providers currently hold for customer assignment, do appear to make LSN a practical alternative to near-term IPv6 deployment, adding years to the life of IPv4.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Before coming to such a conclusion, the implications and practical impact of LSN must be considered.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span 
style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Who Are You?</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>A long practice in the networking industry is to identify a user by IP address. This is especially the case when the user might not<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>want</span></em><span class=apple-converted-space>&nbsp;</span>to be identified or when the identification of the machine is more important than the identification of the individual using it.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>By centralizing public IPv4 addresses, each address no longer represents a single machine, a single household, or a single small office. The address now represents thousands of machines, homes, and offices related only in that they are behind the same LSN. Identification by IP address becomes difficult or impossible.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Obfuscation of the network behind a NAT has long been considered (incorrectly, in my opinion) a security benefit. 
Obfuscation of large groups of networks, with nothing in common except the use of the same broadband provider, creates an unprecedented set of challenges.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>One of those challenges is not administrative or technical, but an opening for an undesirable social behavior within certain Internet communities.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Making Mischief</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>I enjoy participating in a few political discussion groups on the Internet, for the learning experience and for the fun of debating political issues. As I was contemplating the ramifications of LSN one evening I realized that LSN could introduce a new and unwelcome phenomenon on such sites.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>If you have ever participated in an open Internet discussion group, particularly one that deals with contentious issues, you are probably familiar with the concept of a &quot;troll.&quot; A troll is someone who is not really interested in the discussion at hand, but instead enjoys making outrageous or inflammatory remarks just to upset the other participants. 
They are a part of many websites where the general public is allowed to register and leave comments, and they are particularly attracted to political and religious websites. I remember the occasional troll even on the old Cisco Usenet newsgroup, comp.dcom.sys.cisco, in the mid 1990s.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Sometimes a troll will go too far, and the moderators of the discussion group will &quot;ban&quot; him by deleting his user account. And sometimes a banned participant will simply create a new Hotmail or Yahoo e-mail address, register back to the site under a different user name, and continue trolling until banned again.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>To prevent this &quot;repeat offender&quot; behavior, some websites will ban a misbehaving user by IP address rather than user name. This is assumed to be more effective, by banning the user's machine rather than any account he might create from that machine. If the IP address is on the outside interface of a home or small office NAT, blacklisting it might restrict others in the home or office from accessing the website but altogether few &quot;innocent bystanders&quot; are affected.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>What happens, though, if a website bans an IPv4 address on the outside of an LSN? 
In the effort to restrict a single user, thousands of people will be inadvertently restricted - generally all subscribers on a CMTS or a group of DSLAMs behind the LSN.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>A malicious user with a grudge against a particular website might, if he knows his provider is using LSN, intentionally get himself blacklisted by IP address on the site in order to simultaneously get a few thousand of his neighbors banned - he will have performed a small-scale DoS attack by causing the site administrators themselves to unwittingly perform the denial of service.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Black and White</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Remote sites are not the only ones occasionally needing to black-list a user based on an IP address. The local provider also needs black-listing capability. Some also use white-listing: the addition of some preferential treatment or pre-approval. 
Generally white-listing and black-listing are used in conjunction with spam and virus control, but black-listing can also be applied to enforce use policies.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Black- or white-listing may need to be split in an LSN architecture. Policies applying to incoming sources must be implemented on the outside of the LSN; once the packets are translated, they cannot be easily identified by IPv4 address without some correlation with the LSN's mapping table. Policies applying to outgoing sources - that is, sources within the customer networks - must be implemented on the customer-facing side of the LSN for the same reason.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Lawful Intercept</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Centralized address and port translation within the provider network presents serious challenges to compliance with lawful intercept requirements such as CALEA. DHCP assignments to traditional networks with NATs at the customer edge change infrequently, making interception easy. Lawful intercept might still be reasonably easy with NAT444 architectures, as long as the interception happens<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>between</span></em><span class=apple-converted-space>&nbsp;</span>the CPE NAT and the LSN. 
The dependency here is whether both the inside and outside addresses are of interest, or only the inside addresses.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Because of its IPv4-in-IPv6 tunneling, interception in DS-Lite architectures must be performed&nbsp; on the LSN itself. Timestamped logging of the address and port mappings at the LSN must be maintained, which in turn can add a heavy resource burden to the LSN devices. Logging to a storage device off the LSN may also contribute to network load.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Wiretapping of a single subject may mean statically mapping the user to a certain range of ports on a single address, to remove the need to follow dynamic port mappings. A single IPv4 address, or some range of ports for each address, might be set aside for wiretapping purposes to simplify such procedures. 
But any requirement that<span class=apple-converted-space>&nbsp;</span><em><span style='font-family:"Arial","sans-serif"'>all</span></em><span class=apple-converted-space>&nbsp;</span>users behind an LSN be logged is going to mean logging not only traffic but all changes to the mapping tables.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Traceback</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>The timestamped logging of address and port mappings is essential not only for lawful intercept but also for tracing back specific users when a problem is identified from the outside of the LSN. Such a problem is usually a misbehaving user - a spammer, a DoS source, or someone violating a usage policy - and identification of the user might result in black-listing, cancellation of service, or covert observation for legal action. Without time-specific logs of the address and port mappings, a misbehaving user stays well hidden behind the LSN.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>But where lawful intercept might require logging of one or a few users, logging for traceback purposes could mean logging all users, at least at some sample rate, causing a massive consumption of device resources. 
A compromise step might be to begin traceback logging only when a problem is detected; while this uses far fewer resources, it assumes that the undesirable action will continue long enough for all or most of the traceback to be performed in real time.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>Double Trouble</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>A longstanding complaint about NAT44 is that it breaks some applications that reference the IP address of their packets. In a perfect world - or at least the conceptual world of IP networking - applications would be agnostic to the network layer and thus immune to the address changes through a NAT. But the reality is that many applications do reference the IP address. For the ubiquitous user edge NAT, work-arounds have been created for some applications.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>The double-NAT structure of NAT444 can be expected to break some applications that will work through a single NAT layer. 
A few MSOs are currently conducting trials to determine what will be affected by NAT444, and therefore what impact it might have on their customers.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>DS-Lite avoids the double NAT problems of NAT444, and presently appears to be the preferred solution for most broadband providers. But some LSN vendors still have DS-Lite on their roadmaps rather than in their products, and CPE with DS-Lite support is rare. This solution is therefore not as immediately available as NAT444. &nbsp;<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>An Imperfect Necessity</span></strong><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>There are a host of other concerns around LSN: Single points of failure, potential address pool depletion attacks, performance and scalability, effects on fragmented packets, effects on asymmetric traffic flows, required modifications to provisioning systems, required modifications to internal accounting systems.<o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#1F497D;background:silver;mso-highlight:silver'>Because we have waited far too long to begin implementing IPv6, Large Scale NAT has become an unavoidable necessity for supporting dual stacked broadband customers in the face of 
a depleted IPv4 address supply. But the problems and complexities LSN introduces to a network mean that it should never be viewed as anything but a transitional technology. It is no substitute for IPv6.</span><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p></o:p></span></p><p style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;mso-line-height-alt:13.5pt'><span style='font-size:16.0pt;font-family:"Arial","sans-serif";color:#333333'>&nbsp;<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal dir=RTL><span dir=LTR style='font-size:12.0pt'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><b><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:#3333FF;background:white'>Abdelfattah ABUQAYYAS, PhD</span></b><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black;background:white'><br></span><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:#3333FF;background:white'>ICT&nbsp; Counselor<br>CITC-KSA &nbsp; &nbsp;Mobile:&nbsp;+966556642230</span><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Twitter: <a href="http://twitter.com/abuqayyas" target="_blank"><span style='color:blue;background:white'>http://twitter.com/abuqayyas</span></a><span style='background:white'><br></span>Facebook: <a href="mailto:afabuqayyas@gmail.com" target="_blank"><span style='color:blue;background:white'>afabuqayyas@gmail.com</span></a><span style='background:white'><br></span>Google Buzz: <a href="http://www.google.com/profiles/afabuqayyas" target="_blank"><span 
style='color:blue;background:white'>http://www.google.com/profiles/afabuqayyas</span></a></span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-size:14.0pt;color:#17365D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal dir=RTL><span dir=LTR><o:p>&nbsp;</o:p></span></p></div><pre style="white-space:normal"><br>-----------------------------------------------------------------------------------<br>Disclaimer:<br>This message and its attachment, if any, are confidential and may contain legally<br>privileged information. If you are not the intended recipient, please contact the<br>sender immediately and delete this message and its attachment, if any, from your<br>system. You should not copy this message or disclose its contents to any other<br>person or use it for any purpose. Statements and opinions expressed in this e-mail<br>are those of the sender, and do not necessarily reflect those of the Communications<br>and Information Technology Commission (CITC). CITC accepts no liability for damage<br>caused by this email.<br></pre></body></html>