Carrier Grade NAT VS IPv6

Problem BackstageYesterday I went to a cocktail organized by ISPA, the Belgian Internet Service Providers Association. I worked several years for ISP’s and I trying to keep in touch with them to gather interesting information about market trends. The topic of the event was “IPv6” (what a surprise!).

Eric Vyncke, CTO of the IPv6 Forum, presented a keynote and, one more time, invited ISP’s to deploy as soon as possible IPv6. Compared to other European countries, Belgium is far behind! It was also a good opportunity to perform some good networking. While listening to some conversations, I learned that some ISP’s have plans to deploy “Carrier Grade NAT” (CGN) as a transition to IPv6. What???

The main problem for ISP’s is not their backbone and networking devices (all manufacturers are IPv6 ready for years) but the Triple-Play boxes massively deployed in their customers premises! The idea behind CGN is to assign private IP addresses to customers and perform NAT at the ISP level. With this technique, multiple customers might be hidden behind a single public IP address:

Carrier Grade NAT
Carrier Grade NAT Example

From a technical point of view, there is no difference between Carrier Grade NAT and regular NAT. The goal is to assign private IP addresses to “internal” hosts (assigned following the RFC1918) and “translate” them in public IP addresses which are routable in the Internet. In the case of CGN, this translation is performed by the ISP at the edge of its backbone just before reaching the wild Internet. As IP addresses for residential customers are already assigned dynamically, it’s tempting to use this technique instead of immediately jumping into the IPv6 train. It looks interesting… not so!

First, my point of view as a customer. I’m paying my subscription to have a FULL Internet connectivity. I’m paying for an open pipe to the Internet, I don’t want to be limited in any way. Today, most ISP’s already filter critical ports like SMTP(25), HTTP(80) “for my own security“…  But I’m using VPN’s and other services to connect back to my home network. If ISP’s implement Carrier Grade NAT, forget this! No more incoming connections will be allowed from the Internet to your home. Online services which implement rate-limit for the usage of their resources are also based on IP addresses. Try to use Google Hacking without splitting your requests across multiple proxies and you will be quickly banned: Google will authorize new requests only after resolving a CAPTCHA. Twitter is also a well known service to limit the number of requests to their API. If multiple customers are now connected to the Internet behind the same IP address, there are more risks to be blocked by services implementing a poor user detection.

From a commercial point of view, how will ISP’s deal with customers still in need for a valid public IP address? Will they split their offers and propose both solutions? There are risks that subscriptions with a “good” IP address will be more expensive. I call this discrimination! Sorry to be rough!

From a business point of view, some services like online advertisement will suffer of this solution. How will Google be able to correctly analyze people behavior and display relevant ads if multiple people use the same IP address? From the same IP, people will visit fishing, technology or football websites. It will become a headache to display the right ads! Conclusion: risks of loss of revenue.

Finally, and maybe the worst case, from a legal point of view. Imagine a suspicious activity detected against a website. After investigations, the offending public IP address has been extracted from logs. Who’s behind this IP address? How many customers? According to data retention laws, ISP’s must keep trace of IP communications. Helas, most ISP’s do not log the source port of all communications. Without this information, it will be impossible to track the user at the source.

Dear ISP’s, come on, it’s time to wake up and deploy IPv6 NOW!


Post Navigation