jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Laws regarding sharing IP addresses

Fri Feb 02, 2018 1:21 am

Can anyone point me to the right resource in the US regarding being an ISP and issuing shared IP addresses to customers? We have reached the point to start considering options, but I'm not sure if we are required by law to keep all customers separated and trackable. My hunch is that we do, but my company has asked me to research this and I really don't know where to begin. Where would one find these rules?
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Laws regarding sharing IP addresses

Fri Feb 02, 2018 4:24 am

I would assume that 2 or more customers sharing the same network should at least be informed.

Now what you can do is something like this:
Use NAT at your office (let's say you NAT to 192.168.56.1/24)
Each customer could be assigned an IP address from 192.168.56.x/24 - where each customer also has a NAT device - where the customer NAT/FW has the following:

Customer WAN: 192.168.56.2 (or .3 or anything inside of the 192.168.56.x network)
Customer LAN: 192.168.78.1/24 (each customer can share the same LAN IP address because they NAT to their outside WAN IP address)

Note - there are no conflicting IP addresses anywhere - even if the customer connects up their own wireless router using 192.168.1.x or 192.168.0.x


This results in all customer LANs being isolated from each other --- and firewalled from each other. No customer devices ever get a 192.168.78/x address (except for the WAN IP address of their firewall/Wireless-router).

All you see is 192.168.56.x IPs to/from customers. Nobody can see another customer's LAN network - all customer WANs can ping each other and traceroute out to the Internet.

North Idaho Tom Jones
 
The1stImmortal
just joined
Posts: 5
Joined: Fri Sep 28, 2012 9:11 am

Re: Laws regarding sharing IP addresses

Mon Feb 05, 2018 2:20 am

So basically you're looking into doing Carrier Grade NAT?

Firstly, the subnet to use for this is 100.64.0.0/10. It's reserved for carrier NAT applications.

Secondly, I don't believe in the US, as long as you're not under any kind of special legal encumbrance, you have to ensure customer connections can be linked back to real customers. However, consult a telecommunications lawyer, because I'm not one :)

If you do want to track it, on MikroTik it's a bit messy. There are two main strategies: predictably map real IP/ports to customer IPs, or dynamically map and log everything. Afaik RouterOS has no facilities for predictable mapping (automatically - you can do it with rules/scripting but you need handlers for every individual IP, it can't be done dynamically), and many ppl have had issues logging connections (not to mention the storage it chews).

Good luck :)
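
The "predictable mapping" strategy from the post above, as an added example that is not part of the original thread and not MikroTik's own code: each customer address in 100.64.0.0/10 gets a fixed block of source ports on a shared public IP, so a public IP and port seen in an abuse report can be traced back to one customer without connection logs. The public pool (a documentation range), the block size and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan (assumptions, not from the thread): customers sit in
# a slice of 100.64.0.0/10 and share public addresses from a documentation range.
CUSTOMER_NET = ipaddress.ip_network("100.64.0.0/24")
PUBLIC_POOL = [ipaddress.ip_address("203.0.113.1"), ipaddress.ip_address("203.0.113.2")]
PORT_BASE = 1024            # leave the well-known ports unused
PORTS_PER_CUSTOMER = 2016   # fixed block size per customer
PER_IP = (65536 - PORT_BASE) // PORTS_PER_CUSTOMER  # customers per public IP


def forward(customer_ip):
    """Return (public_ip, first_port, last_port) for a customer address."""
    ip = ipaddress.ip_address(customer_ip)
    if ip not in CUSTOMER_NET:
        raise ValueError(f"{ip} is outside {CUSTOMER_NET}")
    index = int(ip) - int(CUSTOMER_NET.network_address) - 1  # .1 is index 0
    if index < 0 or index >= PER_IP * len(PUBLIC_POOL):
        raise ValueError(f"{ip} has no port block in this pool")
    pub = PUBLIC_POOL[index // PER_IP]
    first = PORT_BASE + (index % PER_IP) * PORTS_PER_CUSTOMER
    return pub, first, first + PORTS_PER_CUSTOMER - 1


def reverse(public_ip, port):
    """Trace a public_ip:port back to the customer address, or None."""
    pub = ipaddress.ip_address(public_ip)
    if pub not in PUBLIC_POOL or port < PORT_BASE:
        return None
    slot = (port - PORT_BASE) // PORTS_PER_CUSTOMER
    if slot >= PER_IP:
        return None  # port lies above the last full block
    index = PUBLIC_POOL.index(pub) * PER_IP + slot
    return CUSTOMER_NET.network_address + index + 1


def routeros_rules(customer_ip):
    """Static src-nat rules (one per protocol) for a single customer."""
    pub, first, last = forward(customer_ip)
    return [
        f"/ip firewall nat add chain=srcnat src-address={customer_ip} "
        f"protocol={proto} action=src-nat to-addresses={pub} to-ports={first}-{last}"
        for proto in ("tcp", "udp")
    ]
```

Only TCP and UDP are covered here; traffic without ports (ICMP, for example) still needs its own rule and cannot be attributed by port.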
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Laws regarding sharing IP addresses

Mon Feb 05, 2018 5:00 pm

https://wiki.mikrotik.com/wiki/CALEA
I believe this is what you are actually referring to. As long as you are CALEA compliant, it doesn’t matter if you use shared Public IPs or not.
