Carrier-grade NAT
Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of
Carrier-grade NAT is often used for mitigating IPv4 address exhaustion.[1]
One use scenario of CGN has been labeled as NAT444,[2] because some customer connections to Internet services on the public Internet would pass through three different IPv4 addressing domains: the customer's own private network, the carrier's private network and the public Internet.
Another CGN scenario is
CGNAT techniques were first used in 2000 to accommodate the immediate need for large numbers of IPv4 addresses in General Packet Radio Service (GPRS) deployments of mobile networks. Estimated CGNAT deployments increased from 1200 in 2014 to 3400 in 2016, with 28.85% of the studied deployments appearing to be in mobile operator networks.[3]
If an ISP deploys a CGN, and uses
This prompted some ISPs to develop a policy within the American Registry for Internet Numbers (ARIN) to allocate new private address space for CGNs, but ARIN deferred to the IETF before implementing the policy, indicating that the matter was not a typical allocation issue but a reservation of addresses for technical purposes (per RFC 2860).
IETF published
Devices evaluating whether an IPv4 address is public must be updated to recognize the new address space. Allocating more private IPv4 address space for NAT devices might prolong the transition to IPv6.
Advantages
- Maximises use of limited public IPv4 address space.
- May provide additional security for customers against attacks targeting their public IP address.
Disadvantages
Critics of carrier-grade NAT raise the following points:
- Like any form of NAT, it breaks the end-to-end principle.[6]
- Being stateful, it introduces significant security problems.
- It does not solve the IPv4 address exhaustion problem when a public IP address is needed, such as in Web hosting.
- It may create a performance bottleneck that limits scalability.
- Carrier-grade NAT usually prevents ISP customers from using port forwarding. Network address translation (NAT) works by mapping the ports used by devices inside the network to other ports on the external interface, so that the router can map responses back to the correct device. In a carrier-grade NAT network, even if the router at the customer's end is configured for port forwarding, the ISP's "master router" running the CGN effectively blocks it, because the port reached from the Internet is not the port the customer configured.[7] The Port Control Protocol (PCP), standardized in RFC 6887, was developed to overcome this disadvantage.
- Where traffic is banned by IP address, a system might block a spamming user by banning that user's IP address. If the user is behind carrier-grade NAT, other users sharing the same public address with the spammer are inadvertently blocked as well.[7] This creates problems for forum and wiki administrators trying to deal with the disruptive actions of a single malicious user who shares an IP address with legitimate users.
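The two disadvantages above (a customer's port-forward rule never being reached, and an IP ban hitting every subscriber behind one public address) can be seen in a small model of the CGN's translation table. This is an added example, not code from the article or from any CGN product; it assumes the subscriber-facing side uses the 100.64.0.0/10 shared address space (RFC 6598), uses a constructed RFC 5737 documentation address as the public side, and represents what a PCP MAP request achieves as the hypothetical `explicit_mapping` method.

```python
import ipaddress

# RFC 6598 shared address space (100.64.0.0/10): the block carriers use between CPE and CGN
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


class CGN:
    """Toy model of a carrier-grade NAT: many subscribers share one public IPv4 address."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (subscriber_ip, subscriber_port) -> public_port
        self.inbound = {}   # public_port -> (subscriber_ip, subscriber_port)

    def translate_out(self, sub_ip, sub_port):
        """Packet leaving a subscriber towards the Internet: allocate or reuse a public port."""
        if ipaddress.ip_address(sub_ip) not in SHARED_SPACE:
            raise ValueError(f"{sub_ip} is not in the carrier's shared address space")
        key = (sub_ip, sub_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port):
        """Packet from the Internet to public_ip:public_port; None means no state, so it is dropped."""
        return self.inbound.get(public_port)

    def explicit_mapping(self, sub_ip, sub_port, public_port):
        """Hypothetical stand-in for a PCP MAP request: pin a public port to a subscriber port."""
        if public_port in self.inbound:
            return False  # already held by another flow, so the request is refused
        self.outbound[(sub_ip, sub_port)] = public_port
        self.inbound[public_port] = (sub_ip, sub_port)
        return True

    def subscribers_sharing(self):
        """Every subscriber with state behind this public IP: the blast radius of an IP ban."""
        return sorted({ip for ip, _ in self.outbound})


def demo():
    cgn = CGN("203.0.113.10")  # RFC 5737 documentation address, constructed for this example
    a = cgn.translate_out("100.64.1.2", 51000)  # two subscribers with shared-space CPE addresses
    b = cgn.translate_out("100.64.7.9", 51000)
    # Subscriber A forwarded port 8080 on its own CPE, but an unsolicited SYN to
    # 203.0.113.10:8080 reaches the CGN first, which holds no mapping for it.
    unsolicited = cgn.translate_in(8080)
    pinned = cgn.explicit_mapping("100.64.1.2", 8080, 8080)  # what PCP lets A's CPE request
    # A remote site banning 203.0.113.10 for B's abuse also cuts off A.
    return a, b, unsolicited, pinned, cgn.translate_in(8080), cgn.subscribers_sharing()
```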
See also
- NAT64
- DNS64
- 464XLAT
References
- [1] RFC 6264
- [2] Chris Grundemann (2011-02-14). "NAT444 (CGN/LSN) and What it Breaks".
- [3] Retrieved 22 July 2021.
- [4] "Re: shared address space... a reality!". Archived from the original on 2012-06-07. Retrieved 13 September 2012.
- [5] Chris Grundemann (2012-03-13). "100.64.0.0/10 – Shared Transition Space".
- [6] RFC 7021: Assessing the Impact of Carrier-Grade NAT on Network Applications
- [7] "MC/159 Report on the Implications of Carrier Grade Network Address Translators Final Report". Ofcom. 2013-04-15. Retrieved 2023-10-17.
External links
- RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs)
- A Multi-perspective Analysis of Carrier-Grade NAT Deployment (May 2016)
- CGN :: Observations & Recommendations (April 2012)
- Understanding Carrier Grade NAT (September 2009)