Page MenuHomeVyOS Platform

CGN -- external ports limitting
Closed, InvalidPublicFEATURE REQUEST


Req-4 from RFC6888 (Common Requirements for Carrier-Grade NATs)

A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber.

   a.  Per-subscriber limits MUST be configurable by the CGN

   b.  Per-subscriber limits MAY be configurable independently per
       transport protocol.

   c.  Additionally, it is RECOMMENDED that the CGN include
       administrator-adjustable thresholds to prevent a single
       subscriber from consuming excessive CPU resources from the CGN
       (e.g., rate-limit the subscriber's creation of new mappings).

Justification:  A CGN can be considered a network resource that is
   shared by competing subscribers.  Limiting the number of external
   ports assigned to each subscriber mitigates the denial-of-service
   (DoS) attack that a subscriber could launch against other
   subscribers through the CGN in order to get a larger share of the
   resource.  It ensures fairness among subscribers.  Limiting the
   rate of allocation mitigates a similar attack where the CPU is the
   resource being targeted instead of port numbers.  However, this
   requirement is not a MUST because it is very hard to explicitly
   call out all CPU-consuming events.

some examples pg #32


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Feature (new functionality)