We're rolling out CGN with PCP[1,2] to help mitigate some of the risks
involved; however, applications may have to adapt to make proper use of it,
as it doesn't work too well currently.
Things like uTorrent pick a port and then keep requesting it with UPnP even
if it keeps failing, instead of trying a new one.
Our particular vendor's PCP implementation dedicates a block of ports to be
used for PCP MAPs, and the client cannot use a port outside of that block,
not even a port that's been reserved for that subscriber's SNAT block.
Thankfully the range we've allocated will include the XBox Live port
(3074), but that is then only good for the first subscriber that sends a
PCP MAP; subsequent attempts from subs behind the same IP will fail.
There is a UPnP function, AddAnyPortMapping(), specified in IGD:2, that
when translated into a PCP MAP will prefer a port but, if it is unavailable, will
accept any port offered by the PCP server. However, none of our Broadcom chipset
based CPEs support it, and I have no idea how many applications would
use it either.
We'll only be deploying CGN in conjunction with dual stacked IPv6 in an
attempt to offload traffic off CGN and also mitigate the risks.
That then introduces new issues, like: do we leave the IPv6 firewall on by
default? And do any applications support the WANIPv6FirewallControl
UPnP features to open up pinholes dynamically? Oh wait, that's part of
IGD:2, which our CPEs don't support. :(
FWIW: We're looking at leaving the IPv6 firewall on by default, but
allowing IPSec to all internal hosts, following the XBox One P2P
Things aren't necessarily easier even when you have in-house CPE developers.
Apologies for the rant!
PCP: https://tools.ietf.org/html/rfc6887
UPnP<->PCP Interworking Function: http://tools.ietf.org/search/rfc6970
IPv6 Security Suggestions: https://tools.ietf.org/html/rfc6092
XBox One presentation at NANOG:
On Thu, Feb 27, 2014 at 12:52 AM, Lloyd Parkes <
On 27/02/2014, at 12:13 pm, Neil Fenemor <neil(a)underground.geek.nz> wrote:
As an ISP will end up with collisions with their customers if RFC1918 space
is used for their intermediary/ISP portion of NAT444, a new /10
(specifically 100.64.0.0/10) was allocated for this use. RFC6598 details
the allocation and the use cases for it.
Is there anyone here who has had to choose between CGN and dual-stack lite
and is willing to say why they made the choice they did. I'm familiar with
the various possible issues and I'm interested in hearing about what
people's actual issues have been.
NZNOG mailing list
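As an added example, not part of the post above or of any vendor's or CPE's code: a toy PCP MAP exchange in Python that builds RFC 6887 MAP requests with and without the PREFER_FAILURE option (the RFC 6970 translation of UPnP AddPortMapping versus AddAnyPortMapping) and runs them against a server that, like the vendor implementation described in the post, only hands out external ports from one fixed block shared by all subscribers behind an address. The 3070-3079 port block, the 10.0.0.x client addresses and the fixed nonce are constructed for the demonstration.

```python
import struct
import ipaddress

PCP_VERSION, OP_MAP, OPT_PREFER_FAILURE = 2, 1, 2   # RFC 6887 version / opcode / option
SUCCESS, NO_RESOURCES, CANNOT_PROVIDE_EXTERNAL = 0, 8, 11  # RFC 6887 result codes
def _v6_packed(ip):  # PCP carries IPv4 addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d)
    a = ipaddress.ip_address(ip)
    return a.packed if a.version == 6 else b"\x00" * 10 + b"\xff\xff" + a.packed
def build_map_request(client_ip, internal_port, suggested_port, nonce, prefer_failure,
                      proto=17, lifetime=3600):
    """Wire format of a PCP MAP request: common header (s.7.1) + MAP body (s.11.1)."""
    hdr = struct.pack("!BBHI16s", PCP_VERSION, OP_MAP, 0, lifetime, _v6_packed(client_ip))
    body = struct.pack("!12sB3xHH16s", nonce, proto, internal_port, suggested_port, bytes(16))
    # RFC 6970: AddPortMapping -> MAP + PREFER_FAILURE; AddAnyPortMapping -> MAP without it
    opt = struct.pack("!BBH", OPT_PREFER_FAILURE, 0, 0) if prefer_failure else b""
    return hdr + body + opt

class PcpServer:
    """Toy PCP server: one shared external IP, external ports only from a fixed block."""
    def __init__(self, port_block):
        self.pool, self.mappings = list(port_block), {}  # (client, proto, iport) -> ext port
    def handle(self, req):
        ver, opcode, _, _, client = struct.unpack("!BBHI16s", req[:24])
        _nonce, proto, iport, sport, _ = struct.unpack("!12sB3xHH16s", req[24:60])
        prefer_failure, opts = False, req[60:]
        while opts:  # option TLVs; option data is padded to a 4-byte boundary
            code, _, length = struct.unpack("!BBH", opts[:4])
            prefer_failure |= code == OPT_PREFER_FAILURE
            opts = opts[4 + (length + 3) // 4 * 4:]
        key = (client, proto, iport)
        if key in self.mappings:  # renewal keeps the port already assigned
            return SUCCESS, self.mappings[key]
        used = set(self.mappings.values())
        if sport in self.pool and sport not in used:
            port = sport
        elif prefer_failure:  # client insisted on exactly that port
            return CANNOT_PROVIDE_EXTERNAL, 0
        else:  # AddAnyPortMapping semantics: take whatever the block has free
            port = next((p for p in self.pool if p not in used), None)
            if port is None:
                return NO_RESOURCES, 0
        self.mappings[key] = port
        return SUCCESS, port
def xbox_port_contention():
    """Two subscribers behind one CGN address both ask for 3074/UDP (constructed scenario)."""
    srv, nonce = PcpServer(range(3070, 3080)), b"\x01" * 12
    first = srv.handle(build_map_request("10.0.0.1", 3074, 3074, nonce, True))
    strict = srv.handle(build_map_request("10.0.0.2", 3074, 3074, nonce, True))
    any_port = srv.handle(build_map_request("10.0.0.2", 3074, 3074, nonce, False))
    return first, strict, any_port
```

The first subscriber gets 3074, the second's strict request fails with CANNOT_PROVIDE_EXTERNAL, and only the AddAnyPortMapping-style request without PREFER_FAILURE gets a mapping (on 3070), which is the behaviour gap the post describes.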