Carrier Grade NAT VS IPv6

Yesterday I went to a cocktail organized by ISPA, the Belgian Internet Service Providers Association. I worked several years for ISPs and I try to keep in touch with them to gather interesting information about market trends. The topic of the event was “IPv6” (what a surprise!).

Eric Vyncke, CTO of the IPv6 Forum, presented a keynote and, one more time, invited ISPs to deploy IPv6 as soon as possible. Compared to other European countries, Belgium is far behind! It was also a good opportunity to do some good networking. While listening to some conversations, I learned that some ISPs have plans to deploy “Carrier Grade NAT” (CGN) as a transition to IPv6. What???

The main problem for ISPs is not their backbone and networking devices (all manufacturers have been IPv6 ready for years) but the Triple-Play boxes massively deployed at their customers’ premises! The idea behind CGN is to assign private IP addresses to customers and perform NAT at the ISP level. With this technique, multiple customers can be hidden behind a single public IP address:

Figure: Carrier Grade NAT example

From a technical point of view, there is no difference between Carrier Grade NAT and regular NAT. The goal is to assign private IP addresses to “internal” hosts (allocated according to RFC 1918) and “translate” them into public IP addresses which are routable on the Internet. In the case of CGN, this translation is performed by the ISP at the edge of its backbone, just before reaching the wild Internet. As IP addresses for residential customers are already assigned dynamically, it’s tempting to use this technique instead of immediately jumping on the IPv6 train. It looks interesting… not so!

First, my point of view as a customer. I’m paying my subscription to have FULL Internet connectivity. I’m paying for an open pipe to the Internet, and I don’t want to be limited in any way. Today, most ISPs already filter critical ports like SMTP (25) and HTTP (80) “for my own security”… But I’m using VPNs and other services to connect back to my home network. If ISPs implement Carrier Grade NAT, forget this! No more incoming connections will be allowed from the Internet to your home. Online services which rate-limit the usage of their resources also do so based on IP addresses. Try to use Google Hacking without splitting your requests across multiple proxies and you will be quickly banned: Google will authorize new requests only after you solve a CAPTCHA. Twitter is also well known for limiting the number of requests to its API. If multiple customers are now connected to the Internet behind the same IP address, there is a greater risk of being blocked by services implementing poor user detection.

From a commercial point of view, how will ISPs deal with customers still in need of a valid public IP address? Will they split their offers and propose both solutions? There is a risk that subscriptions with a “good” IP address will be more expensive. I call this discrimination! Sorry to be rough!

From a business point of view, some services like online advertisement will suffer from this solution. How will Google be able to correctly analyze people’s behavior and display relevant ads if multiple people use the same IP address? From the same IP, people will visit fishing, technology or football websites. It will become a headache to display the right ads! Conclusion: a risk of revenue loss.

Finally, and maybe the worst case, from a legal point of view. Imagine suspicious activity detected against a website. After investigation, the offending public IP address has been extracted from the logs. Who’s behind this IP address? How many customers? According to data retention laws, ISPs must keep a record of IP communications. Alas, most ISPs do not log the source port of all communications. Without this information, it will be impossible to track the user back to the source.
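To make the attribution problem concrete, here is an added example (not part of the original post) that replays an investigation against a constructed CGN binding log: three customers share one public address at the same time, and a fourth reuses one of the ports a few minutes later. The log format, the subscriber addresses and the timestamps are all invented for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class NatBinding:
    start: datetime
    end: datetime
    subscriber: str    # private RFC 1918 address handed to the customer
    internal_port: int
    public_ip: str     # public address shared by many customers
    public_port: int

# Constructed CGN binding log (hypothetical format): start end inside -> outside.
# Three customers share 198.51.100.7 at 10:00; a fourth reuses port 40012 later.
CGN_LOG = [
    "2012-03-01T10:00:00 2012-03-01T10:05:00 10.64.1.10:51000 -> 198.51.100.7:40012",
    "2012-03-01T10:00:00 2012-03-01T10:05:00 10.64.1.11:51000 -> 198.51.100.7:40013",
    "2012-03-01T10:00:00 2012-03-01T10:05:00 10.64.1.12:51000 -> 198.51.100.7:40014",
    "2012-03-01T10:06:00 2012-03-01T10:10:00 10.64.1.13:51000 -> 198.51.100.7:40012",
]

def parse_cgn_log(lines):
    """Turn the constructed text records into NatBinding objects."""
    bindings = []
    for line in lines:
        start, end, inside, _arrow, outside = line.split()
        in_ip, in_port = inside.rsplit(":", 1)
        out_ip, out_port = outside.rsplit(":", 1)
        bindings.append(NatBinding(datetime.fromisoformat(start), datetime.fromisoformat(end),
                                   in_ip, int(in_port), out_ip, int(out_port)))
    return bindings

def investigate(cgn_lines, public_ip, when_iso, public_port=None):
    """Sorted list of subscribers that could have sent traffic seen as public_ip
    (and, when known, public_port) at when_iso. Without the port every customer
    sharing the address at that instant is a candidate; with it, exactly one."""
    when = datetime.fromisoformat(when_iso)
    candidates = set()
    for b in parse_cgn_log(cgn_lines):
        if b.public_ip != public_ip or not (b.start <= when <= b.end):
            continue
        if public_port is not None and b.public_port != public_port:
            continue
        candidates.add(b.subscriber)
    return sorted(candidates)

if __name__ == "__main__":
    # The web server logged 198.51.100.7 at 10:02: three suspects with the IP alone,
    # one with source port 40012. The server must log that port too (Apache: %{remote}p).
    print(investigate(CGN_LOG, "198.51.100.7", "2012-03-01T10:02:00"))
    print(investigate(CGN_LOG, "198.51.100.7", "2012-03-01T10:02:00", 40012))
```

Both sides of the trail have to carry the port: the CGN must log every binding with its time span, and the victim’s server must record the client port next to the address, otherwise the best the ISP can return is the whole set of customers sharing that address at that moment.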

Dear ISPs, come on, it’s time to wake up and deploy IPv6 NOW!



  1. I think ISPs would be ridiculously stupid not to consider carrier-grade NAT or NAT64 or any other transition measure. It is impossible to organize a “flag day” or a “forklift upgrade” from IPv4 to IPv6. There are too many hosts and in particular: too many stupid people on the internet.

    The point however is that it’s a transition measure. If all the sites you visit are native IPv6-reachable, CGN should be no problem for you. In the ideal case, you will not send any traffic through the NAT at all because all your traffic will go through an IPv6 route.

    I don’t believe there are any (credible) ISPs seriously considering CGN *to the exclusion of* IPv6. That would be insane. The amount of state that needs to be maintained to make that work for any reasonable amount of customers far outweighs the cost of investing in IPv6 infrastructure.

  2. Is this really a surprise? ISPs and other big companies have been delaying the switch to IPv6 for years, and now that we can’t distribute any more IPv4 addresses they still aren’t making the change. The people who make the decision are all scared of changing any type of technology, because as it stands now, it’s cheaper to put all your customers in a huge NAT’d network than it is to upgrade their addresses. The only way we are going to see companies wanting to switch to IPv6 is when the price of maintaining an IPv4 network becomes too pricey. It just goes to show that big business isn’t interested in furthering human potential, but how much money they get to take home at the end of the day.

  3. ISPs do consider CGN and will probably implement this as well. It’s not wrong so long as it’s used as a transition mechanism. I see no problem offering native v6 and some sort of NAT to access the legacy IPv4 internet. Once the IP addresses really run out, this is one of the few things they can do to keep IPv4 more or less accessible. Doesn’t matter which of the many mechanisms you use, you always end up sharing address pools. But it should never be the only type of connectivity you have.

    Of course, NAT’ed v4 access without native v6 is just wrong. I’d complain loudly about that. Belgium is indeed lagging behind quite badly and I haven’t seen a single one of the ISPs who has a clear vision on how to perform the migration. I’ve met some people and they have probably worked out some sort of strategy, but it has never been communicated externally. There are even some who will tell their customers v6 is irrelevant because they still have a huge IPv4 pool. Of course it’s the same ones who haven’t even bothered setting up v6 peerings with transit providers.

    From a commercial point of view, the ISPs will probably start selling the IP addresses for absurd prices. There is one with a bright yellow logo who already does just that, go ask them for something as little as a /28 and see. The blue smurfs probably aren’t any better though.

  4. Please name and shame the ISPs who are considering carrier NAT. If my current ISP is considering this (and they may very well be. They plan to support IPv6 ‘somewhere in 2013’) I want to warn them beforehand that I will _not_ pay for such a subscription.
    Perhaps if enough customers call beforehand they will reconsider.
