I have written previously that as we make the slow - and long overdue - transition from IPv4 to IPv6, we will soon be stuck with an awkward interim period in which the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Large Scale NAT (LSN, also known as Carrier Grade NAT or CGN) is an important tool for stretching a service provider's public IPv4 address space during this transition period.
I have yet to work on an IPv6 project involving LSN in which someone does not eventually, with great hope in his eyes, say, "If LSN extends the life of our IPv4 space, why are we going to the pain and expense of deploying IPv6? Can't we just deploy LSN and forget about IPv6 for now? Perhaps until I retire?"
At first look LSN does indeed seem to promise an extended lifetime for IPv4. Could it even mean that the Internet never has to transition to IPv6?
This article looks beyond the mechanics of LSN itself to examine the impact of LSN in real networks, and why this useful technology should not be viewed as anything other than a temporary solution.
A Quick Review of LSN Architecture
Traditional broadband service provider networks conserve IPv4 addresses by assigning a single public IPv4 address to the outside interface of a NAT residing at the edge of each customer network. Behind the NAT, all devices are assigned private IPv4 addresses. The NAT works by mapping each application flow - identified by the combination of a private IPv4 address and a TCP or UDP port - to the public IPv4 address and one of its TCP or UDP ports. In other words, the NAT multiplexes many inside devices onto a single outside address by mapping application flows across that address.
Ports are 16-bit numbers, so potentially 65,536 TCP flows and 65,536 UDP flows could be mapped to a single IPv4 address. The average household or small office does not generate nearly this many flows at one time, making address translation at the edge of such small networks an inefficient use of a public IPv4 address.
An LSN is a "centralized NAT" placed in the service provider's network. Whether it is in addition to the NAT at the customer edge, as with NAT444, or instead of the customer NAT, as with DS-Lite, the LSN concept is the same: public IPv4 addresses are pulled away from the customer edge, where their multiplexing capacity cannot be used efficiently, to a central LSN, where many customer networks can share a single public IPv4 address on the outside.
LSN architecture design, then, is mostly figuring out the strategic placement of each LSN to best use the capacity of each public IPv4 address without oversubscribing the address or overtaxing the LSN itself.
Although only a few studies of per-user port usage have been completed, an LSN should be able to support 3000 - 5000 users per public IPv4 address.
These numbers, coupled with the tens of thousands of public IPv4 addresses broadband service providers currently hold for customer assignment, do appear to make LSN a practical alternative to near-term IPv6 deployment, adding years to the life of IPv4.
Before coming to such a conclusion, the implications and practical impact of LSN must be considered.
Who Are You?
A long-standing practice in the networking industry is to identify a user by IP address. This is especially the case when the user might not want to be identified, or when the identification of the machine is more important than the identification of the individual using it.
By centralizing public IPv4 addresses, each address no longer represents a single machine, a single household, or a single small office. The address now represents thousands of machines, homes, and offices related only in that they are behind the same LSN. Identification by IP address becomes difficult or impossible.
Obscuring a network behind a NAT firewall has historically been considered (wrongly, in my opinion) a security benefit. Obscuring large groups of networks that have nothing in common except that they use the same broadband provider creates unprecedented challenges.
One of those challenges is not administrative or technical, but an opening for bad social behavior within certain Internet communities.
Making Mischief
I enjoy participating in a few political discussion groups on the Internet, for the learning experience as well as the fun of debating political issues. While I was considering the consequences of LSN one evening, I realized that LSN could introduce a new and unwelcome phenomenon to these sites.
If you have ever participated in an open Internet discussion group, especially one dealing with contentious issues, you are probably familiar with the concept of the "troll". A troll is someone who is not really interested in the discussion at hand, but instead enjoys making outrageous or inflammatory remarks just to disrupt the other participants. They are a part of many sites where the public is allowed to register and post comments, and they are particularly attracted to political and religious sites. I remember occasional trolls even on the old Cisco Usenet newsgroup, comp.dcom.sys.cisco, in the mid-1990s.
Sometimes a troll goes too far, and the moderators of the discussion group will "ban" him by deleting his user account. Sometimes a banned participant will simply create a new Hotmail or Yahoo e-mail address, register back on the site under a different user name, and continue trolling until he is banned again.
To prevent this "repeat offender" behavior, some sites ban a misbehaving user by IP address rather than by user name. This is thought to be more effective, because it bans the user's machine rather than any account he might create from that machine. If the IP address is on the outside interface of a home or small office NAT, the blacklisting might restrict others in the home or office from accessing the site, but only a few "innocent bystanders" are affected.
What happens, though, if a site bans an IPv4 address on the outside of an LSN? In an effort to restrict a single user, thousands of people are inadvertently restricted - typically all subscribers of a CMTS or a group of DSLAMs behind the LSN.
A malicious user with a grudge against a particular site, if he knows he is behind an LSN, could deliberately get his address blacklisted by that site so that several thousand of his neighbors are banned along with him - he has conducted a small denial-of-service attack by getting the site's administrators to unknowingly carry out the denial of service for him.
Black and White
Remote sites are not the only parties that occasionally need to blacklist users by IP address. Local providers also need blacklisting capabilities. Some also use whitelisting: granting some preferential treatment or pre-approval. Whitelisting and blacklisting are generally used in conjunction with spam and virus control, but blacklisting can also be applied to enforce usage policies.
Black- or white-listing may need to be split in an LSN architecture. Policies applying to incoming sources must be implemented on the outside of the LSN; once the packets are translated, they cannot be easily identified by IPv4 address without some correlation with the LSN's mapping table. Policies applying to outgoing sources - that is, sources within the customer networks - must be implemented on the customer-facing side of the LSN for the same reason.
Lawful Intercept
Centralizing address and port translation within a carrier network presents serious challenges to lawful intercept requirements such as CALEA compliance. In traditional networks the DHCP assignment to the customer edge NAT changes infrequently, making intercept easy. Lawful intercept may remain fairly easy with the NAT444 architecture, as long as the intercept takes place between the CPE NAT and the LSN. The dependency here is whether both the inside and outside addresses are of interest, or only the inside addresses.
Because of its IPv4-in-IPv6 tunneling, interception in DS-Lite architectures must be performed on the LSN itself. Timestamped logging of the address and port mappings at the LSN must be maintained, which in turn can add a heavy resource burden to the LSN devices. Logging to a storage device off the LSN may also contribute to network load.
Wiretapping a single target could mean statically mapping that user to a single address and a fixed range of ports, removing the need to follow dynamic port mappings. A single IPv4 address, or some range of ports on each address, might be set aside for wiretapping purposes to simplify the procedure. But any requirement that all users of an LSN be logged would mean logging not only the traffic but every change to the mapping table.
Traceback
Timestamped logging of address and port mappings is essential not only for lawful intercept but also for traceback, when a problem observed outside the LSN must be attributed to a specific user. Such a problem is typically a misbehaving user - a spammer, a DoS attack source, or someone violating a usage policy - and identifying the user may lead to blacklisting, termination of service, or covert observation in preparation for legal action. Without a time-specific log of address and port mappings, the misbehaving user stays well hidden behind the LSN.
But where lawful intercept might require logging one or a few users, logging for traceback purposes could mean logging all users, at least at some sampling rate, causing a heavy drain on device resources. A compromise might be to begin traceback logging only when a problem is detected; while this uses far fewer resources, it assumes that the bad behavior will continue long enough for all or most of the traceback to be performed in real time.
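As an added illustration that is not part of the original article, the Python model below builds the LSN mapping table described in the architecture review with a timestamped allocation/release log, and its `traceback()` function shows why an outside address and port reported by a remote site identifies a subscriber only when paired with the time of the event: the LSN reuses outside ports across subscribers. All addresses, ports and times are constructed values.

```python
from dataclasses import dataclass
# Constructed model (not from the original article) of an LSN mapping table with a
# timestamped allocation/release log; all addresses, ports and times are made up.
PORT_RANGE = range(1024, 65536)   # outside ports handed out on one shared public IPv4 address

@dataclass
class LogEntry:
    ts: float           # time of the event (constructed, seconds)
    event: str          # "alloc" or "release"
    inside: str         # subscriber's private IPv4 address behind the LSN
    inside_port: int
    outside_port: int   # port used on the shared public address

class LSN:
    def __init__(self):
        self.active = {}                 # (inside, inside_port) -> outside_port
        self.free = list(PORT_RANGE)     # LIFO pool: a released port is reused first
        self.log = []                    # kept in time order

    def allocate(self, ts, inside, inside_port):
        """Map an inside flow to a free outside port and log the mapping."""
        key = (inside, inside_port)
        if key in self.active:
            return self.active[key]
        if not self.free:                # the address-pool depletion the article lists
            raise RuntimeError("outside port pool exhausted")
        port = self.free.pop()
        self.active[key] = port
        self.log.append(LogEntry(ts, "alloc", inside, inside_port, port))
        return port

    def release(self, ts, inside, inside_port):
        port = self.active.pop((inside, inside_port))
        self.free.append(port)
        self.log.append(LogEntry(ts, "release", inside, inside_port, port))

def traceback(log, outside_port, ts):
    """Inside address holding outside_port at time ts, or None if it was unmapped then."""
    holder = None
    for e in log:
        if e.ts > ts:
            break
        if e.outside_port == outside_port:
            holder = e.inside if e.event == "alloc" else None
    return holder

def candidates_without_time(log, outside_port):
    """Every subscriber that ever held the port: all a log without timestamps can say."""
    return sorted({e.inside for e in log if e.outside_port == outside_port})
```

With two subscribers using the same outside port at different times, `traceback()` resolves each event to one subscriber while `candidates_without_time()` can only return both.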
Double Trouble
A longstanding complaint about NAT44 is that it breaks some applications that reference the IP addresses carried in their own packets. In a perfect world - or at least the conceptual world of IP networking - applications would be agnostic to the network layer and thus immune to the address changes made by a NAT. But the reality is that many applications do reference the IP address. For the ubiquitous user edge NAT, work-arounds have been created for some of these applications.
The double NAT structure of NAT444 can be expected to break some applications that would work through a single layer of NAT. Some multi-system operators are currently conducting trials to determine which applications will be affected by NAT444, and therefore what impact it might have on their customers.
DS-Lite avoids the double NAT problem of NAT444 and is currently the preferred solution for most broadband service providers. But some LSN vendors still have DS-Lite on their roadmaps rather than in their products, and DS-Lite support in CPE is rare. So the solution is not as immediately available as NAT444.
An Imperfect Necessity
There are other issues around LSN to be resolved: single points of failure, potential address pool depletion attacks, performance and scalability, the effects on fragmented packets and on asymmetric traffic flows, the need to modify provisioning systems, and the need to modify internal accounting systems.
Because we have waited far too long to begin implementing IPv6, Large Scale NAT has become an unavoidable necessity for supporting dual stacked broadband customers in the face of a depleted IPv4 address supply. But the problems and complexities LSN introduce to a network mean that it should never be viewed as anything but a transitional technology. It is no substitute for IPv6.