What's a CGN (was: Re: IPv6 Firewall on CPEs - Default on or off)

Philipp Kern phil at philkern.de
Tue Dec 4 12:11:57 CET 2012


On Tue, Dec 04, 2012 at 10:51:54AM +0000, Benedikt Stockebrand wrote:
> > True. It's not that 1G/1G CGN would be hard with Linux hardware of any sort.
> I'll quote you on that one.  You realize what the "CG" in CGN stands for?

Yep. I try to use it for the technology instead of the performance
requirement, though. Because with less capable boxes you suffer from the
same scalability issues. And the large CGN boxes are just much
beefier, the technology doesn't change much.

And yes, I work at a university where people thought that it's a great
idea to put a whole campus behind a single NAT IP and use private IP
space throughout despite having two /16 available. I see the dorms as a
subcase of that, it just happened that they were moved to different
hardware for political reasons.

We suffer from all the issues the CGN has: cost, bad performance, bad
traceability for law enforcement (solved by crawling through huge log
files), obviously no end-to-end connectivity. Except that we do have a
configuration interface that does allow customers to get a few public IPs
through 1:1 NAT.

Funnily enough we're now migrating customers to public IP space because we
noticed that we have plenty of it.

The reason why I raised it in this thread is the "let's default to
firewalling" point. Obviously I cannot just say that everybody implements
a diode style firewall on his CPE if there's no CPE. But for the *very
same arguments you raised on this list* people want to have a stateful
firewall nonetheless. And I try to collect arguments for both sides to
avoid having to put another stateful box into the way of traffic where
one wouldn't have been needed if no firewall's needed.

(Obviously a CPE with a diode-style configuration might be suddenly
stateful where a stateless device would be sufficient, but meh. Especially
if the IPv4 NAT is just done in a CGN so that you don't even need to track
those tables.)

Kind regards
Philipp Kern 

