Question about bannings etc.

steroberts89
Newbie
Posts: 6
Registered: 12-09-2012

Question about bannings etc.

Hi, quick question if I may. (I'm a programmer, not a full network kinda guy, except I've kicked a few servers in my time.)
My understanding of CG-NAT is that our gateways are assigned private IPs and when we need to access a server on the big bad web, we are NATted through a shared pool of IPs.
My question is, if someone did something that got them banned and resulted in an IP ban (there is X-Forwarded-For etc. but this is seldom used) would that mean that all Plusnet accounts would be banned, as to the external service they would appear to be the PN IP? Or would someone at Plusnet be forever asking to get the IP addresses unbanned?
Also what about services which only allow a set number of connections from an IP address?
Just wondering :p
Cheers!
33 REPLIES
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Question about bannings etc.

An easy way to look at these questions is to ask:  does this happen on my mobile phone?
/*all*/ mobile providers use some form of CG-NAT. 
MJN
Aspiring Pro
Posts: 1,091
Thanks: 39
Fixes: 2
Registered: 26-08-2010

Re: Question about bannings etc.

The answer is that it would pretty much have to happen.
It may well be the case that, primarily to ease logging and greater control, there might be some influence on what port(s) each customer is assigned so that if a connection is suspected of abuse by a third party then PN could identify with relative ease which customer was to blame.
Ideally the third party's filtering could also operate down to that level and not block only by IP but by IP and port, but they'll only start doing that if they can detect the CGNAT in place (it wouldn't work for conventional NAT) and broad-brush blocking becomes more of a problem than the hassle that such measures introduce. I am not aware that such port-level blocking capability is currently all that prevalent, and I don't see source ports being captured in access logs.
MrToast
Grafter
Posts: 550
Registered: 31-07-2007

Re: Question about bannings etc.

Well Stephen, in principle what you say is true. If a provider is to be so crude as to block an IP then a number of users could be blocked.
This could of course happen now for those on dynamically allocated IP addresses where you have been handed a used IP that has been blocked by someone else's activity.
It already happens for email service where PN outgoing relays can be blocked by some mail exchanges due to the spam actions of a few. Slightly different, but a similar consideration.
Also we notice this at work where our corporate network supports >40k users behind a NAT with a limited number of public addresses. Services such as whois lookups often limit the number of queries per day. I sometimes find such services blocked even though I haven't made a single use myself that day.
So yes. I think what you describe is another possible downside of CG-NAT.
Community Gaffer
Community Gaffer
Posts: 4,956
Thanks: 232
Fixes: 4
Registered: 04-04-2007

Re: Question about bannings etc.

Key consideration is how many customers you have behind that NAT'd address as well.  10 might not be a major issue.  1,000 could well be though.
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: Question about bannings etc.

You can't block by ports anyway - unless we are going to stop using port 80 for web server access?
If my bank blocked an IP address - perhaps because of DDoS activity, then even if "my" IP address was shared with just one other person, it would be an extremely major issue!
Perhaps each user could share from a pool of addresses so that each communication attempt gets mapped to a different IPv4 address?

benoh
Grafter
Posts: 272
Registered: 24-08-2007

Re: Question about bannings etc.

It's likely that you'll be statically assigned a set of "source ports" on the external IP, shared with a few other users. This makes it a lot easier to log: rather than logging each session, just log once when the range is assigned, but it also means remote ends can block just these source ports if they are static.
MJN
Aspiring Pro
Posts: 1,091
Thanks: 39
Fixes: 2
Registered: 26-08-2010

Re: Question about bannings etc.

Quote from: vilefoxdemonofdoom
You can't block by ports anyway - unless we are going to stop using port 80 for web server access?

It'd be by source port, not destination.
When you connect to a web server running on port 80 your client listens on an ephemeral source port (between 1025 and 65535 depending on OS) for replies. In the case of CG-NAT these source ports can be determined by the gateway after the translation regardless of what the client chose and fixed to within a given range per customer to ease logging and audit and potentially facilitate more granular access control by third parties.
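The per-customer source-port scheme that MJN and benoh describe can be made concrete with a small model. This is an added example, not code from the thread or from Plusnet: it carves one external address into fixed port blocks, maps a (external IP, source port) pair seen in a remote server's log back to the customer, and compares which customers an IP-only ban cuts off with which an IP+port-range ban would. Customer IDs, the block size and the 203.0.113.10 address are constructed for the demonstration.

```python
"""Model of per-customer source-port blocks behind one CG-NAT external address.

Added example (not from the forum thread). Ports below 1024 are left unallocated,
an assumption made here so the blocks stay inside the ephemeral range.
"""
from dataclasses import dataclass

EPHEMERAL_LO = 1024
EPHEMERAL_HI = 65535


@dataclass(frozen=True)
class PortBlock:
    external_ip: str
    lo: int  # inclusive
    hi: int  # inclusive

    def contains(self, port: int) -> bool:
        return self.lo <= port <= self.hi


def assign_port_blocks(customers, external_ip, block_size=2048):
    """Hand each customer a fixed, contiguous slice of the external port space.

    The assignment is deterministic by customer order, so the ISP logs it once
    rather than logging every session (benoh's point above).
    """
    usable = EPHEMERAL_HI - EPHEMERAL_LO + 1
    if block_size * len(customers) > usable:
        raise ValueError("too many customers for one external IP at this block size")
    table = {}
    for i, cust in enumerate(customers):
        lo = EPHEMERAL_LO + i * block_size
        table[cust] = PortBlock(external_ip, lo, lo + block_size - 1)
    return table


def attribute(table, external_ip, source_port):
    """Map an (external IP, source port) from a remote server's log back to a customer.

    Returns None when the log carries no source port (the common case MJN notes)
    or the port falls outside every allocated block.
    """
    if source_port is None:
        return None
    for cust, blk in table.items():
        if blk.external_ip == external_ip and blk.contains(source_port):
            return cust
    return None


def ban_scope(table, external_ip, port_range=None):
    """Customers a remote service would cut off with a given ban rule.

    port_range=None models an IP-only ban; (lo, hi) models a ban that also
    matches the translated source-port range.
    """
    hit = []
    for cust, blk in table.items():
        if blk.external_ip != external_ip:
            continue
        if port_range is None or (blk.lo <= port_range[1] and port_range[0] <= blk.hi):
            hit.append(cust)
    return hit


if __name__ == "__main__":
    customers = [f"cust-{n}" for n in range(1, 9)]            # constructed
    table = assign_port_blocks(customers, "203.0.113.10")      # constructed address
    abuser = attribute(table, "203.0.113.10", 5000)            # port from a constructed log line
    print("attributed to:", abuser)
    print("IP-only ban hits:", ban_scope(table, "203.0.113.10"))
    blk = table[abuser]
    print("IP+port-range ban hits:", ban_scope(table, "203.0.113.10", (blk.lo, blk.hi)))
```

With eight customers and 2048-port blocks, source port 5000 attributes to the second customer; an IP-only ban hits all eight, while a ban on the same address restricted to that customer's block hits only them. The attribution only works if the remote side logged the source port, which is exactly the gap MJN points out.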
steroberts89
Newbie
Posts: 6
Registered: 12-09-2012

Re: Question about bannings etc.

Quote from: vilefoxdemonofdoom
You can't block by ports anyway - unless we are going to stop using port 80 for web server access?
If my bank blocked an ip address - perhaps because of DDoS activity, then even if "my" ip address was shared with just one other person, it would be an extremely major issue!
Perhaps each user could share from a pool of addresses so that each communication attempt gets mapped to a different IPV4 address?

If the IP address changed that randomly, there would be an issue with some banks and some forum software etc. as it checks that the connection IP address is the same as when the session was initiated. (This is done to stop session hijacking.)
xS9
Dabbler
Posts: 20
Registered: 26-01-2013

Re: Question about bannings etc.

Just an insight for those trying to get an idea of this end to end.
What a CG NAT does is duplicate the NAT you have on your ADSL router. So instead of you going
192.168.0.2 (Laptop) -> 192.168.0.1 (Router LAN Side) -> 89.xxx.xxx.xxx (Router WAN Side) -> *INTERNET* -> 157.xxx.xxx.xxx (Bank Firewall)
You are going
192.168.0.2 (Customer A - Laptop) -> 192.168.0.1 (Router LAN Side) -> 10.10.1.23 (Router - CG NAT LAN ADDRESS) -> *INTERNET via 89.xxx.xxx.1* -> 157.xxx.xxx.xxx (Bank IP)
192.168.0.2 (Customer B - Laptop) -> 192.168.0.1 (Router LAN Side) -> 10.10.1.24 (Router - CG NAT LAN ADDRESS) -> *INTERNET via 89.xxx.xxx.1* -> 157.xxx.xxx.xxx (Bank IP)
Any internet traffic should work. The ONLY case where this falls down is if a remote client wants to connect to a server of some sort listening on your local network at home. Anything where YOU initiate the connection should be fine. It's only connections which SOMEONE else initiates to YOU where you'll have issues.
I could go on about how TCP traffic is stateful etc....
Another way to think about it is, it's like surfing the web via a works/company proxy..... (without the messy configuration of a proxy)
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: Question about bannings etc.

So we effectively have double NAT.
Local NAT for multiple PCs / applications (as at present).
A second NAT step for the ISP?

MJN
Aspiring Pro
Posts: 1,091
Thanks: 39
Fixes: 2
Registered: 26-08-2010

Re: Question about bannings etc.

Hi xS9,
Quote from: xS9
Any internet traffic should work. The ONLY cases where this falls down if a remote client wants to connect to a server of some sort listening on your local network at home. Anything where YOU initiate the connection should be fine. It's only connections which SOMEONE else initiates to YOU where you'll have issues.

That's not quite true - some customer initiated connections can also fail if the source address is embedded in a higher layer protocol because the CG-NAT might not be able to spot/modify it hence the return path fails.
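xS9's two-hop diagram and MJN's caveat about embedded addresses can both be traced with a small stateful NAT model. This is an added example, not code from the thread or from Plusnet: each NAT stage rewrites the source of outbound packets and keeps a mapping so replies can be de-translated; an unsolicited inbound connection matches no mapping and is dropped, and a customer-initiated protocol that writes its own private address into the payload (active-FTP style `PORT`) still reaches the Internet carrying an unroutable 10.x or 192.168.x address, because a header-only translator never looks inside. Addresses and ports are constructed; the `PORT <ip> <port>` payload format is an assumption for illustration.

```python
"""Two-stage NAT (home router, then carrier-grade NAT) traced packet by packet.

Added example, not from the forum thread. Addresses follow xS9's diagram
(192.168.0.x at home, 10.10.1.x on the CG-NAT side) plus constructed
public addresses from documentation ranges.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """Minimal stateful NAPT: outbound flows create mappings, inbound packets must match one."""

    def __init__(self, name, external_ip, port_start=40000):
        self.name = name
        self.external_ip = external_ip
        self._ports = itertools.count(port_start)
        self.out = {}   # (src_ip, src_port) -> external port
        self.back = {}  # external port -> (src_ip, src_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        # Only the IP/port headers are rewritten; the payload passes through untouched.
        return Packet(self.external_ip, self.out[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Return the de-translated packet, or None if no inside host initiated this flow."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self.back:
            return None
        ip, port = self.back[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)


def trace_outbound(pkt, nats):
    """Apply each NAT in order; returns the packet as seen at every hop."""
    hops = [pkt]
    for nat in nats:
        pkt = nat.outbound(pkt)
        hops.append(pkt)
    return hops


def trace_inbound(pkt, nats):
    """Reverse path: CG-NAT first, then the home router. None means dropped."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


# Ranges a remote host on the Internet cannot route back to (RFC 1918 plus RFC 6598).
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def payload_leaks_private_address(pkt):
    """True if the application payload still names an address the Internet can't reach."""
    for token in pkt.payload.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if any(addr in net for net in UNROUTABLE):
            return True
    return False


def demo():
    cpe = Nat("home-router", "10.10.1.23")                 # CG-NAT-side address from xS9's diagram
    cgnat = Nat("cgnat", "203.0.113.1", port_start=20000)   # shared public address (constructed)
    chain = [cpe, cgnat]
    laptop = Packet("192.168.0.2", 51000, "198.51.100.7", 443)
    internet_view = trace_outbound(laptop, chain)[-1]
    reply = Packet("198.51.100.7", 443, internet_view.src_ip, internet_view.src_port)
    delivered = trace_inbound(reply, chain)
    unsolicited = trace_inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 22), chain)
    # Customer-initiated, but the callback address is inside the payload (assumed format).
    ftp_like = Packet("192.168.0.2", 51001, "198.51.100.7", 21, payload="PORT 192.168.0.2 51002")
    at_internet = trace_outbound(ftp_like, chain)[-1]
    return {
        "internet_view": internet_view,
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "unsolicited_delivered": unsolicited,
        "payload_leaks": payload_leaks_private_address(at_internet),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The server sees 203.0.113.1:20000, its reply is walked back through both mappings to 192.168.0.2:51000, the unsolicited SYN to port 22 is dropped at the CG-NAT, and the `PORT` payload leaves with 192.168.0.2 still inside it, so the return path for that data connection fails exactly as MJN describes; fixing it needs an application-layer gateway that understands the protocol, not just header rewriting.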
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: Question about bannings etc.

http://www.ispreview.co.uk/index.php/2013/01/isp-plusnet-trials-controversial-ipv4-address-sharing-a...
Quote
On top of that customers would have difficulty when attempting to host their own FTP, website or game servers and port forwarding may not work properly either. The list goes on. Suffice to say that IP address sharing is a minefield of security, performance and connectivity concerns.

It says the test will last for 3 weeks.
I still can't see how BitTorrent is supposed to work - BitTorrent combines client and server functions.

Community Veteran
Posts: 4,938
Thanks: 357
Fixes: 16
Registered: 10-06-2010

Re: Question about bannings etc.

BitTorrent will work. Your BitTorrent client will be able to upload and download, but only to IP addresses that are able to accept an incoming connection. BitTorrent still works if you don't bother to set up any port forwarding / UPnP for it - although it might be slower because it won't be able to connect to as many peers. If there's only one other peer, and they're also "not connectable" same as you, then it's tough luck, it won't work.
If BitTorrent combines client and server functions, that means if it can only be the client, then it will only be able to talk to peers who can be the server.
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: Question about bannings etc.

I think the whole idea is pretty much a non-starter then.
I suppose you might find a few people who only do web browsing - and nothing else - to accept a special cut price CGNAT.