RE: ISP's who assign unrouteable addresses



Seems like this could have problems if 2 of their customers wanted to
communicate with each other or if the customers wanted to use the 10.x.x.x
address space. It would also seem like trouble if the customers ran a
protocol (as a server) which used a command and data connection (in the
fashion of FTP) where the command connection passed the IP/port of the data
connection back to the other end and then waited for the connection. 

My experience is that NAT doesn't work well in this situation unless the
protocol is commonly known. For example, we use "middleware" package
internally. A PC connects to us via a command connection and is then
informed to reconnect to the IP of our system on a specific port. All
subsequent traffic occurs on the new connection. At one remote site, we
decided to use NAT and immediately ran into problems since the NAT software
on the routers didn't know how to translate the PORT command. I believe
there are other software packages which also utilize a form of IP/Port
redirection.

If the customer is only doing simple things, as Pyda has said, or has
contracted for an "end-node" type service (such as an AOL customer), this is
probably OK.  In some senses, doesn't AOL NAT everyone who uses their
software?

> -----Original Message-----
> From:	Pyda Srisuresh [SMTP:suresh@livingston.com]
> Sent:	Sunday, May 16, 1999 12:06 PM
> To:	bmccann@indusriver.com
> Cc:	ipsec@lists.tislabs.com
> Subject:	Re: ISP's who assign unrouteable addresses
> 
> > 
> > My company has encountered two ISP's, US West and MediaOne, who assign
> > unrouteable addresses (10.x.x.x) to some of their customers. The ISP's
> > run NAT in the head-end of their cable network or ADSL network to
> > translate those addresses before they hit the Internet.
> > 
> 
> That may be OK, so long as the service provided is limited - such as 
> simple e-mail access. 
> 
> Specifically, if the users are assured of only certain services that are
> guaranteed to work and not others, I don't see this as a breach of service.
> 
> > Obviously, an end-user wanting IPSEC is in trouble.
> > 
> I would be surprised if they are promised end-to-end IPSec as part of the 
> service level agreement (SLA).
> 
> > Any thoughts about how to deal with this problem? 
> 
> This is a problem only if it violates the SLA between the service provider
> and the customer.
> 
> >                                                   I personally don't
> > mind NAT if it is performed at the boundary between a stub network
> > and the Internet. The owner of that network can NAT and employ a
> > security gateway if he needs IPSEC.
> > 
> > On the other hand, I think ISP's that use NAT are short-changing their
> > customers. 
> 
> Is this opinion shared by the customers using the service? probably not.
> 
> >            Is there anything we can offer a customer who is stuck
> > with one of the unrouteable addresses?
> > 
> > -Ben McCann
> >  
> > -- 
> > Ben McCann                              Indus River Networks
> >                                         31 Nagog Park
> >                                         Acton, MA, 01720
> > email: bmccann@indusriver.com           web: www.indusriver.com 
> > phone: (978) 266-8140                   fax: (978) 266-8111
> > 
> 
> cheers,
> suresh
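The failure mode discussed in this thread (a client behind a 10.x.x.x NAT address sends an FTP-style PORT command that embeds its own private IP and port, which the remote side then cannot connect back to unless the NAT device understands the protocol) can be shown in a few lines. This is an added illustration, not code from either poster; the `FtpAlg` class is a hypothetical, minimal application-level gateway and `203.0.113.7` is a documentation placeholder standing in for the ISP's public address.

```python
import ipaddress
import re

# RFC 1918 private ranges; the thread's 10.x.x.x addresses fall in the first.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line: str):
    """Return the (ip, port) embedded in an FTP PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(ip: str, port: int) -> str:
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}\r\n"


def is_rfc1918(ip: str) -> bool:
    """True if a peer on the Internet could not route a connection back here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class FtpAlg:
    """Hypothetical application-level gateway: a plain NAT leaves the payload
    alone, so the remote end sees the private address. The ALG rewrites the
    embedded address/port and records the mapping so the inbound data
    connection can later be forwarded to the private host."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # public port -> (private ip, private port)

    def rewrite(self, line: str) -> str:
        parsed = parse_port_command(line)
        if parsed is None:
            return line  # not a PORT command: pass through untouched
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = parsed
        return format_port_command(self.public_ip, pub_port)
```

Run `parse_port_command` on a constructed `"PORT 10,1,2,3,4,1\r\n"` to see the unreachable private address a plain NAT would forward verbatim, then pass the same line through `FtpAlg("203.0.113.7").rewrite` to see the translated form.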