[unisog] Anyone doing large scale NAT for their campus?

Scott Genung sagenung at ilstu.edu
Fri Sep 20 20:58:53 GMT 2002


Gerry,

I can tell you about our experiences.

At 01:25 PM 9/20/2002 -0400, you wrote:
>A pair of external security reviews were recently conducted to get an
>outside opinion on the state of security here at Maryland. Both came back
>with a recommendation that we move the entire campus (32,000 active hosts)
>onto non routed addresses and use NAT for access to the rest of the world.
>This has caught my management's attention.

At Illinois State, we have a population of about 21,000 students and 
approximately 3,500 faculty and staff. A few years ago, we were wrestling 
with the issue of how we could provide sufficient addressing for residential 
broadband coverage for 7,500 students that live on campus (ie: ResNet) and 
an unknown subset of 17,000 off-campus students, faculty, staff. Although 
we have a class B address space, for political reasons it was carved up 
rather inefficiently using a /24 mask. This model was conceived in the very 
early '90s when we had no appreciation for the growth that we'd experience 
later on.

As time marched on, we reached a point where nearly 200 subnets were in 
production (this was caused mostly by migrations from token ring to 
switched ethernet in the late '90s). So, we looked at a model using private 
(ie: 10.0.0.0/24) addressing to augment our existing address space. In the 
model, we routed private address space throughout campus (including ResNet 
and off-campus ADSL). We provide off-campus ADSL connectivity to the campus 
network through a partnership with our LEC. We serve as the ISP in this 
relationship. Anyway, we NAT'd only when the traffic passed to the public 
Internet or a local ISP that we peered with.

>This strikes me as overkill and I worry about protocols currently in use
>or under development would be kneecapped by such a move.

This is a valid concern. By the fall of 1999, we started implementing 
private addressing in ResNet and off-campus ADSL and consequently 
encountered several problems with NAT. The first was product immaturity. 
We're a Cisco shop. For the first 12 months, we tripped over several 
different bugs in 12.0 IOS. At one time, we owned 3 bugIDs. By later images 
of 12.1, these problems began to disappear. We now run 12.2 and have had 
almost no problems with NAT (regardless of the application).

>For the ones that come immediately to mind such as multicast, our Cisco 
>consultant has
>smiled and said that his gear could handle it.

Our first implementation of NAT was based upon the RSP4 processor on the 
7500 series router. Although the 7500 is a good platform, we quickly 
discovered that it would not scale NAT to the degree that we needed. We 
later examined the PIX platform as an alternative but found that it 
prevented us from maintaining our asymmetric routing model. Eventually, we 
selected the 7200 series platform using the NSE-1 processor. Since this 
processor provides hardware acceleration for NAT (Cisco calls it PXF), we 
found that the NSE could scale large numbers of concurrent translations 
with high volume. We have 4 of these platforms and average about 4,000 
concurrent translations among them (averaging 10-15% processor load per 
platform). We use PBR to balance the volume (that's our next bottleneck).

>Of course I worry about the next big thing that takes off in higher 
>education prior to larger
>markets that his box won't handle for the first year.

That's what got us - at the time it was Napster and Scour.

>There's also the small issue of getting buy-in from our researchers and 
>professors.

There are many selling points. First, you can provide essentially an 
unlimited amount of address space throughout your network. As such, you 
don't need to remask or introduce variably masked networks for users. 
Second, you can implement DHCP throughout your entire network without 
having to reserve address space out of your existing publicly addressable 
subnets. Third, it can reduce your exposure to the public Internet because 
translations only exist as long as there are active flows.

>While NAT'ing is fairly commonplace in the home and commercial realms, I
>am not aware of a large research institution that has taken the plunge.
>Does anyone know of a school that has done this and any lessons (positive
>or negative) that we can learn from them before we make a decision on
>pursuing this option?

We are now extending our private address space into non-traditional 
environments such as labs. We also use private addressing in our wireless 
networks and our public access networks (open jacks in public spaces 
restricted to University students, faculty, or staff). Although it was a 
bumpy ride in the beginning, it has paid dividends.

One challenge I will make you aware of is logging. You will need to log 
your NAT translations and map them to a DHCP lease to have the means for 
tracking users in the event that the RIAA or law enforcement officials 
come knocking on your door. We have a solution for this but are still 
working on ways to improve it.

>Thanks!
>-Gerry
>
>---
>Gerry Sneeringer
>I.T. Security Officer
>University of Maryland
>Office of Information Technology
>+1 301 405 2996


Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University

(309)438-8731   http://www.tnss.ilstu.edu
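The logging challenge Scott raises (mapping a NAT translation back to a DHCP lease so an outside address and port at a given time can be attributed to one host) as an added example, not code from the original post or from Illinois State. The log and lease formats, the private 10.20.x.x addresses, MACs and timestamps are all constructed; real Cisco NAT syslog and DHCP lease formats differ, and the approach assumes the NAT box and DHCP server clocks are synchronised.

```python
from datetime import datetime
# Constructed sample data (the format is an assumption, not Cisco's or any
# DHCP server's real log format); public side uses TEST-NET-1 192.0.2.0/24.
NAT_EVENTS = """\
2002-09-20T14:01:05 create 10.20.3.17:40112 192.0.2.10:20011
2002-09-20T14:03:40 create 10.20.9.44:51000 192.0.2.10:20012
2002-09-20T14:09:12 delete 10.20.3.17:40112 192.0.2.10:20011
2002-09-20T14:20:00 create 10.20.9.44:51001 192.0.2.10:20011
"""
DHCP_LEASES = """\
10.20.3.17 00:11:22:33:44:55 2002-09-20T08:00:00 2002-09-20T20:00:00
10.20.3.17 66:77:88:99:aa:bb 2002-09-19T08:00:00 2002-09-20T07:59:59
10.20.9.44 aa:bb:cc:dd:ee:01 2002-09-20T13:00:00 2002-09-21T01:00:00
"""
def ts(s):
    return datetime.fromisoformat(s)

def translations(text):
    """Pair create/delete events into (inside, outside, start, end) records.
    An outside ip:port is reused once deleted, so the time window matters."""
    open_, done = {}, []
    for line in text.splitlines():
        when, event, inside, outside = line.split()
        if event == "create":
            open_[outside] = (inside, ts(when))
        elif outside in open_:
            inside_addr, start = open_.pop(outside)
            done.append((inside_addr, outside, start, ts(when)))
    # translations not yet deleted are still active: open-ended window
    done += [(i, o, s, None) for o, (i, s) in open_.items()]
    return done

def leases(text):
    return [(ip, mac, ts(s), ts(e))
            for ip, mac, s, e in (l.split() for l in text.splitlines())]

def attribute(public, when, nat=NAT_EVENTS, dhcp=DHCP_LEASES):
    """Map an outside ip:port seen at `when` to the inside ip:port, then to
    the MAC holding that lease at that instant.  Returns None unless each
    step yields exactly one candidate: never guess an attribution."""
    t = ts(when)
    hits = [i for i, o, s, e in translations(nat)
            if o == public and s <= t and (e is None or t <= e)]
    if len(hits) != 1:
        return None
    inside_ip = hits[0].split(":")[0]
    macs = [m for ip, m, s, e in leases(dhcp) if ip == inside_ip and s <= t <= e]
    if len(macs) != 1:
        return None
    return hits[0], macs[0]
```

Note that the same outside port (20011) is handed to a second host after the first translation is torn down, and the same private address has two leases on different days; without the timestamp on the complaint both lookups would be ambiguous.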
