[c-nsp] large scale NAT/PAT solution

Gert Doering gert at greenie.muc.de
Thu Jun 9 03:22:44 EDT 2005


Hi,

On Wed, Jun 08, 2005 at 10:06:25PM -0700, Ted Mittelstaedt wrote:
> >This business model is fundamentally flawed.  NAT/PAT is more expensive
> >for the ISP, so the users pay less.
> 
> I disagree.  If you can force all users behind NAT then their Windows
> machines don't get infected with every new virus and trojan to come
> around, thus you save a lot of bandwidth and a lot of support calls.

This is a nice dream.  Half of the Windows malware is of the 
"come, get it" variant and users will happily download it from web 
sites.  Also, you'd need to make sure that none of these sites can
talk to other sites, which normal NAT implementations don't prevent
(so a single user with a notebook that got infected somewhere else
will infect all your population).

NAT is *not* a security feature.  If you want that, put up a firewall
that prevents connections toward the users (as NAT/PAT can do) *and*
does content checking (virus scan on HTTP and POP3 connects, etc.), 
prevents connections between users, and so on.

[..]
> >Furthermore, ISPs are not supposed to charge for IP address space (as
> >per the RIPE guidelines that you all signed...).
> 
> News to me - where is this specifically?  

Has been in the RIPE documents forever.

It has been removed recently, because there was the assumption "if an ISP
is dumb enough to do that, the marketplace will find a competitor with
a more sane business model".  Maybe that was a mistake.

> Does RIPE not charge requestors for IP address space themselves?

The RIPE NCC charges for the effort to maintain the database, etc., but
the fees are not directly tied to "one network of size X costs X*<amount>"
(which is the ARIN model, as far as I understand).

There is *some* dependency on the number of addresses you have, as there
are different size categories for the yearly recurring fees, and if you
have recently received large blocks, you can get bumped up into the
next larger category.  But that mostly reflects the fact that "every 
RIPE member pays the same fee" isn't really fair, comparing very small
ISPs and very large Telcos.  OTOH, the overall difference between the
different fee categories isn't *that* large either.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
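The policy Gert sketches above (block connections toward the users, block users talking to each other, push HTTP and POP3 through a content scanner, and only then do the address translation) as an nftables ruleset. This is an added illustration, not configuration from the original post or from any list member; the interface names, the 10.0.0.0/16 customer pool and the 192.0.2.10 scanning proxy address are constructed placeholders.

```nft
#!/usr/sbin/nft -f
flush ruleset

define WAN      = "eth0"          # uplink toward the Internet (assumed name)
define CUST     = "eth1"          # subscriber-facing interface (assumed name)
define CUST_NET = 10.0.0.0/16     # constructed private customer pool
define SCAN_PROXY = 192.0.2.10    # placeholder: transparent proxy doing virus scanning

table inet isp_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections a customer opened: this is the only
        # "protection" plain NAT/PAT gives you, and it is kept here too.
        ct state established,related accept

        # Customer-to-customer traffic never crosses this box, so one
        # notebook that got infected elsewhere cannot scan the rest of the pool.
        iifname $CUST ip saddr $CUST_NET ip daddr $CUST_NET drop

        # Nothing from the Internet may initiate a connection toward a customer.
        iifname $WAN oifname $CUST ct state new drop

        # Customers may open connections outward (HTTP/POP3 are diverted below).
        iifname $CUST oifname $WAN ct state new accept
    }
}

table ip isp_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Divert web and mail pickup to the scanning proxy before routing.
        iifname $CUST ip saddr $CUST_NET tcp dport { 80, 110 } dnat to $SCAN_PROXY
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # PAT the whole customer pool behind the uplink address.
        oifname $WAN ip saddr $CUST_NET masquerade
    }
}
```

Two caveats a practitioner would check: the customer-to-customer drop only applies to traffic that is actually routed through this box, so subscribers sharing one Layer 2 segment still need port isolation or per-subscriber interfaces to get the same effect; and the proxy is assumed to sit on the uplink side, so the outbound accept rule also covers the diverted connections.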

