[unisog] Anyone doing large scale NAT for their campus?
sagenung at ilstu.edu
Fri Sep 20 20:58:53 GMT 2002
I can tell you about our experiences.
At 01:25 PM 9/20/2002 -0400, you wrote:
>A pair of external security reviews were recently conducted to get an
>outside opinion on the state of security here at Maryland. Both came back
>with a recommendation that we move the entire campus (32,000 active hosts)
>onto non routed addresses and use NAT for access to the rest of the world.
>This has caught my management's attention.
At Illinois State, we have a population of about 21,000 students and
approximately 3,500 faculty and staff. A few years ago, we were wrestling
with the issue of how we could provide sufficient addressing for residential
broadband coverage for 7,500 students that live on campus (ie: ResNet) and
an unknown subset of 17,000 off-campus students, faculty, staff. Although
we have a class B address space, for political reasons it was carved up
rather inefficiently using a /24 mask. This model was conceived in the very
early '90s when we had no appreciation for the growth that we'd experience.
As time marched on, we reached a point where nearly 200 subnets were in
production (this was caused mostly by migrations from token ring to
switched ethernet in the late '90s). So, we looked at a model using private
(ie: 10.0.0.0/24) addressing to augment our existing address space. In the
model, we routed private address space throughout campus (including ResNet
and off-campus ADSL). We provide off-campus ADSL connectivity to the campus
network through a partnership with our LEC. We serve as the ISP in this
relationship. Anyway, we NAT'd only when the traffic passed to the public
Internet or a local ISP that we peered with.
>This strikes me as overkill and I worry about protocols currently in use
>or under development would be kneecapped by such a move.
This is a valid concern. By the fall of 1999, we started implementing
private addressing in ResNet and off-campus ADSL and consequently
encountered several problems with NAT. The first was product immaturity.
We're a Cisco shop. For the first 12 months, we tripped over several
different bugs in 12.0 IOS. At one time, we owned 3 bugIDs. By later images
of 12.1, these problems began to disappear. We now run 12.2 and have had
almost no problems with NAT (regardless of the application).
>For the ones that come immediately to mind such as multicast, our Cisco
>smiled and said that his gear could handle it.
Our first implementation of NAT was based upon the RSP4 processor on the
7500 series router. Although the 7500 is a good platform, we quickly
discovered that it would not scale NAT to the degree that we needed. We
later examined the PIX platform as an alternative but found that it
prevented us from maintaining our asymmetric routing model. Eventually, we
selected the 7200 series platform using the NSE-1 processor. Since this
processor provides hardware acceleration for NAT (Cisco calls it PXF), we
found that the NSE could scale large numbers of concurrent translations
with high volume. We have 4 of these platforms and average about 4,000
concurrent translations among them (averaging 10-15% processor load per
platform). We use PBR to balance the volume (that's our next bottleneck).
>Of course I worry about the next big thing that takes off in higher
>education prior to larger markets that his box won't handle for the first year.
That's what got us - at the time it was Napster and Scour.
>There's also the small issue of getting buy-in from our researchers and
There are many selling points. First, you can provide essentially an
unlimited amount of address space throughout your network. As such, you
don't need to remask or introduce variably masked networks for users.
Second, you can implement DHCP throughout your entire network without
having to reserve address space out of your existing publicly addressable
subnets. Third, it can reduce your exposure to the public Internet because
translations only exist as long as there are active flows.
>While NAT'ing is fairly commonplace in the home and commercial realms, I
>am not aware of a large research institution that has taken the plunge.
>Does anyone know of a school that has done this and any lessons (positive
>or negative) that we can learn from them before we make a decision on
>pursuing this option?
We are now extending our private address space into non-traditional
environments such as labs. We also use private addressing in our wireless
networks and our public access networks (open jacks in public spaces
restricted to University students, faculty, or staff). Although it was a
bumpy ride in the beginning, it has paid dividends.
One challenge I will make you aware of is logging. You will need to log
your NAT translations and map them to a DHCP lease to have the means for
tracking users in the event that the RIAA or law enforcement officials
come knocking on your door. We have a solution for this but are still
working on ways to improve it.
>I.T. Security Officer
>University of Maryland
>Office of Information Technology
>+1 301 405 2996
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University
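The logging challenge raised at the end of the reply (tie a NAT translation back to a DHCP lease so an outside complaint about "public IP X, port Y, at time T" can be traced to a host) is the part of this setup most worth a worked example. The following is an added example, not code from the poster or from either university; the record layouts, hostnames, MAC addresses and the 203.0.113.10 public address are all constructed here and are not any vendor's syslog format. It also shows the failure mode that makes the timestamp essential: the same public port is reused by a different inside host a minute later, and a lease can expire while a translation is still open.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

# Constructed NAT translation log (simplified layout chosen for this example):
#   <iso-timestamp> CREATE|DELETE <proto> <inside ip:port> -> <public ip:port>
# Public port 40001 is handed to 10.42.7.15 first and to 10.42.9.3 later.
NAT_LOG = """\
2002-09-20T13:00:01 CREATE tcp 10.42.7.15:1034 -> 203.0.113.10:40001
2002-09-20T13:00:05 CREATE tcp 10.42.7.99:2211 -> 203.0.113.10:40002
2002-09-20T13:04:30 DELETE tcp 10.42.7.15:1034 -> 203.0.113.10:40001
2002-09-20T13:05:10 CREATE tcp 10.42.9.3:1500 -> 203.0.113.10:40001
2002-09-20T13:30:00 DELETE tcp 10.42.9.3:1500 -> 203.0.113.10:40001
"""

# Constructed DHCP lease log: <iso-timestamp> ACK <ip> <mac> <hostname> <lease seconds>
DHCP_LOG = """\
2002-09-20T12:30:00 ACK 10.42.7.15 00:02:b3:1a:2c:3d res-hall-pc17 3600
2002-09-20T12:45:00 ACK 10.42.7.99 00:0a:95:9d:68:16 laptop-jsmith 3600
2002-09-20T12:50:00 ACK 10.42.9.3 00:04:76:aa:bb:cc lab-ws-03 3600
"""

NAT_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CREATE|DELETE) (?P<proto>\w+) "
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> (?P<out_ip>[\d.]+):(?P<out_port>\d+)$")
DHCP_LINE = re.compile(
    r"^(?P<ts>\S+) ACK (?P<ip>[\d.]+) (?P<mac>[0-9a-f:]+) (?P<host>\S+) (?P<secs>\d+)$")


@dataclass
class Translation:
    start: datetime
    end: Optional[datetime]   # None = still open when the log ends
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    hostname: str


def parse_nat_log(text: str) -> List[Translation]:
    """Pair each CREATE with its DELETE; translations never deleted stay open."""
    open_by_key: Dict[Tuple[str, str, int, str, int], Translation] = {}
    done: List[Translation] = []
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if not m:
            continue  # not a translation record
        key = (m["proto"], m["in_ip"], int(m["in_port"]), m["out_ip"], int(m["out_port"]))
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "CREATE":
            open_by_key[key] = Translation(ts, None, *key)
        else:
            t = open_by_key.pop(key, None)
            if t is not None:
                t.end = ts
                done.append(t)
    done.extend(open_by_key.values())
    return done


def parse_dhcp_log(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        m = DHCP_LINE.match(line)
        if m:
            start = datetime.fromisoformat(m["ts"])
            leases.append(Lease(start, start + timedelta(seconds=int(m["secs"])),
                                m["ip"], m["mac"], m["host"]))
    return leases


def lease_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Lease covering `ip` at `when`; on overlapping renewals the newest ACK wins."""
    live = [l for l in leases if l.ip == ip and l.start <= when <= l.end]
    return max(live, key=lambda l: l.start) if live else None


def attribute(nat_text: str, dhcp_text: str, out_ip: str, out_port: int,
              when: Union[str, datetime]) -> List[dict]:
    """All inside hosts that owned public out_ip:out_port at `when`, with the
    MAC/hostname from the DHCP lease live at that moment (None if no lease)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    leases = parse_dhcp_log(dhcp_text)
    results = []
    for t in parse_nat_log(nat_text):
        if (t.outside_ip, t.outside_port) != (out_ip, out_port):
            continue
        if not (t.start <= when and (t.end is None or when <= t.end)):
            continue  # translation not active at that instant
        lease = lease_at(leases, t.inside_ip, when)
        results.append({"proto": t.proto, "inside_ip": t.inside_ip, "inside_port": t.inside_port,
                        "mac": lease.mac if lease else None,
                        "hostname": lease.hostname if lease else None})
    return results


if __name__ == "__main__":
    for when in ("2002-09-20T13:02:00", "2002-09-20T13:10:00", "2002-09-20T13:04:50"):
        print(when, attribute(NAT_LOG, DHCP_LOG, "203.0.113.10", 40001, when))
```

Two things to note from the design: the complaint must carry the port and a precise time, not just the public address, because a single public address fronts thousands of hosts and ports are recycled within minutes; and clock skew between the NAT box, the DHCP server and the complainant turns a clean lookup into several candidates, which is why the function returns a list rather than a single answer.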