CgNAT: Difference between revisions
m Added the source for ISP selling static IPs |
|||
| (7 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
{{StubNotice}} | {{StubNotice}} | ||
Carrier-Grade Network Address Translation ( | '''Carrier-Grade Network Address Translation''' ('''CGNAT''', also known as LSN and NAT444) is used by Internet Service Providers (ISPs) to mitigate IPv4 address exhaustion by making thousands of customers share a single public IPv4 address. | ||
===Complaints from law enforcement agencies=== | ===Complaints from law enforcement agencies=== | ||
Law enforcement agencies find it harder to identify criminals behind an IPv4 address used by thousands of people. As a result the agency may have to tap connections of all users sharing that address to identify the criminal. <ref>{{Cite web |last=European Cybercrime Centre (EC3) |date=17 Oct 2017 |title=Are you sharing the same IP address as a criminal? Law enforcement call for the end of Carrier Grade NAT (CGN) to increase accountability online |url=https://www.europol.europa.eu/media-press/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online |website=europol.europa.eu}}</ref><ref name=":0">{{Cite web |last=Gözükara |first=Furkan |date= | Law enforcement agencies find it harder to identify criminals behind an IPv4 address used by thousands of people. As a result the agency may have to tap connections of all users sharing that address to identify the criminal. <ref>{{Cite web |last=European Cybercrime Centre (EC3) |date=17 Oct 2017 |title=Are you sharing the same IP address as a criminal? Law enforcement call for the end of Carrier Grade NAT (CGN) to increase accountability online |url=https://www.europol.europa.eu/media-press/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online |website=europol.europa.eu |url-status=live |archive-url=http://web.archive.org/web/20260113094744/https://www.europol.europa.eu/media-press/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online |archive-date=13 Jan 2026}}</ref><ref name=":0">{{Cite web |last=Gözükara |first=Furkan |date=12 Aug 2020 |title=Challenges and possible severe legal consequences of application users identification from CNG-Logs |url=https://huggingface.co/MonsterMMORPG/ResearchArticles/resolve/main/Challenges_And_Possible_Severe_Legal_Consequences_Of_Application_Users_Identification_From_Cng-Logs.pdf |url-status=live |archive-url=https://web.archive.org/web/20260325105054if_/https://cas-bridge.xethub.hf.co/xet-bridge-us/69bf4baa046cd4daeb7bf0ef/460ad5a86be835d6d5c2434ebdb40c7324de08a7b6f3d26e95174b89ef4420b1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cas%2F20260325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20260325T105052Z&X-Amz-Expires=3600&X-Amz-Signature=d98dba8455c48d3cee4724a97d2628edb13f7984e8c5cd7ef9caf0e803ede057&X-Amz-SignedHeaders=host&X-Xet-Cas-Uid=public&response-content-disposition=inline%3B+filename*%3DUTF-8%27%27Challenges_And_Possible_Severe_Legal_Consequences_Of_Application_Users_Identification_From_Cng-Logs.pdf%3B+filename%3D%22Challenges_And_Possible_Severe_Legal_Consequences_Of_Application_Users_Identification_From_Cng-Logs.pdf%22%3B&response-content-type=application%2Fpdf&x-amz-checksum-mode=ENABLED&x-id=GetObject&Expires=1774439452&Policy=eyJTdGF0ZW1lbnQiOlt7IkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc3NDQzOTQ1Mn19LCJSZXNvdXJjZSI6Imh0dHBzOi8vY2FzLWJyaWRnZS54ZXRodWIuaGYuY28veGV0LWJyaWRnZS11cy82OWJmNGJhYTA0NmNkNGRhZWI3YmYwZWYvNDYwYWQ1YTg2YmU4MzVkNmQ1YzI0MzRlYmRiNDBjNzMyNGRlMDhhN2I2ZjNkMjZlOTUxNzRiODllZjQ0MjBiMSoifV19&Signature=TY5erWEIVs-leuMB0apq-SCLJhGnVFYWJmDBnCiCK6LYI6R0CgTFCrS3fsiYTzZ9UpxRxv-OnxUjfoi6sx5lu69mUt0RkH3H-PWsOhleHZZ7AXZ5WOzUgnU2Vf8hgntr18pc4Qq6P8rycYnVbXAPLQBy2kKf1S4Hci79GdIh5yd1109m3wVcz7pbJJ9qsQ1PSp3GKrxoOdO4~GVDzR32bud2MBOUnz~ceI4HatvCClJJ9l1ZeMLEFNQmAGT2K72wzhT~gtmmrhpxIy8nj4wKJo1RD6n~T8rIgO-3BtXS8g0kFc4twMQLMV80oOBo2G22wL2rB4kWbj2WLQjNFiR5RQ__&Key-Pair-Id=K2L8F4GPSG1IFC |archive-date=25 Mar 2026 |access-date=22 Mar 2026 |website=HuggingFace |series=Forensic Science International: Digital Investigation |publisher=Elsevier Ltd. |publication-date=8 Nov 2021 |via=ScienceDirect |doi=10.1016/j.fsidi.2021.301312}}</ref> | ||
A 2016 survey conducted by the European Cybercrime Centre revealed that 90% of EU Member State cyber divisions regularly encountered errors related to CGNAT technologies during investigations, sometimes forcing them to discontinue cases or employ more resource-intensive approaches. <ref>{{Cite web |last=European Police Office (Europol) |title=IOCTA 2016 INTERNET ORGANISED CRIME THREAT ASSESSMENT |url=https://www.europol.europa.eu/iocta/2016/resources/iocta-2016.pdf |website=europol.europa.eu}}</ref><ref name=":0" /> | A 2016 survey conducted by the European Cybercrime Centre revealed that 90% of EU Member State cyber divisions regularly encountered errors related to CGNAT technologies during investigations, sometimes forcing them to discontinue cases or employ more resource-intensive approaches. <ref>{{Cite web |last=European Police Office (Europol) |first=page 57-58 |title=IOCTA 2016 INTERNET ORGANISED CRIME THREAT ASSESSMENT |url=https://www.europol.europa.eu/iocta/2016/resources/iocta-2016.pdf |website=europol.europa.eu |url-status=live |archive-url=https://web.archive.org/web/20260216020928/https://www.europol.europa.eu/iocta/2016/resources/iocta-2016.pdf |archive-date=16 Feb 2026}}</ref><ref name=":0" /> | ||
The process of reverse-tracking from | The process of reverse-tracking from CGNAT logs is fundamentally flawed. In criminal cases where CGNAT logs are used as primary evidence, there exists significant potential for misidentification, as the same public IP address and port combination might be reassigned to different users within a very short time. <ref name=":0" /> | ||
===Security concerns=== | ===Security concerns=== | ||
If a malicious actor using a | If a malicious actor using a CGNAT IP address gets blacklisted by a server/website then all users sharing the same CGNAT IP will also get blacklisted.<ref name=":1">{{Cite web |last=Asturias |first=Diego |date=21 Jul 2025 |title=CGNAT: The Workaround to IPv4 Depletion [2025] |url=https://www.rapidseedbox.com/blog/cgnat |website=rapidseedbox.com |url-status=live |archive-url=http://web.archive.org/web/20251106223938/https://www.rapidseedbox.com/blog/cgnat |archive-date=6 Nov 2025}}</ref> | ||
A DDoS attack targeted at one user behind a | A DDoS attack targeted at one user behind a CGNAT IP address affects all users behind that address, which can disrupt service for entire neighborhoods.<ref>{{Cite web |last=Newman |first=Sean |date=8 Mar 2022 |title=There Goes the Neighborhood: The DDoS Disadvantages of Carrier Grade NAT |url=https://www.corero.com/ddos-disadvantages-of-carrier-grade-nat/ |website=corero.com |url-status=live |archive-url=http://web.archive.org/web/20250818040618/https://www.corero.com/ddos-disadvantages-of-carrier-grade-nat/ |archive-date=18 Aug 2025}}</ref><ref>{{Cite web |last=Turner |first=Glen |date=1 Oct 2019 |title=The Effect of DDoS Attacks on Carrier-grade NAT Devices |url=https://www.a10networks.com/resources/videos/the-effect-of-ddos-attacks-on-carrier-grade-nat-devices/ |website=a10networks.com |url-status=live |archive-url=http://web.archive.org/web/20250903220230/https://www.a10networks.com/resources/videos/the-effect-of-ddos-attacks-on-carrier-grade-nat-devices/ |archive-date=3 Sep 2025}}</ref><ref name=":1" /> | ||
===Service limitations=== | ===Service limitations=== | ||
Because multiple people share the same public IP address, | Because multiple people share the same public IP address, port forwarding becomes impossible in practice. This prevents them from hosting personal websites or having remote access to home security cameras or personal computers. CGNAT basically breaks all protocols that require direct connection to work.<ref>{{Cite web |last=Swer |first=Daryll |date=25 Mar 2021 |title=Shortcomings of CGNAT and Potential Workarounds |url=https://www.daryllswer.com/shortcomings-of-cgnat-and-potential-work-arounds/ |website=daryllswer.com |url-status=live |archive-url=http://web.archive.org/web/20260203193145/https://www.daryllswer.com/shortcomings-of-cgnat-and-potential-work-arounds/ |archive-date=3 Feb 2026}}</ref><ref>{{Cite web |title=Pros & Cons Deploying Carrier Grade NAT (CGNAT) |url=https://brandergroup.net/2023/01/benefits-and-issues-deploying-carrier-grade-network-address-translation-cgnat/ |website=brandergroup.net |url-status=live |archive-url=https://web.archive.org/web/20260216021001/https://brandergroup.net/2023/01/benefits-and-issues-deploying-carrier-grade-network-address-translation-cgnat/ |archive-date=16 Feb 2026}}</ref> | ||
To circumvent these limitations, ISPs typically offer subscriptions for dedicated IPv4 addresses or IPv6 tunnels.<ref>{{Cite web |date=8 Mar 2024 |title=About Static IP addresses |url=https://www.att.com/support/article/u-verse-high-speed-internet/KM1002300/ |website=att.com}}</ref> | Games or services that rely on P2P communication (e.g. Mario Kart 8 Deluxe) are also affected by CGNAT: if all of the users aren't able of receiving packets then a connection can't be established. | ||
To circumvent these limitations, ISPs typically offer subscriptions for dedicated IPv4 addresses or IPv6 tunnels.<ref>{{Cite web |date=8 Mar 2024 |title=About Static IP addresses |url=https://www.att.com/support/article/u-verse-high-speed-internet/KM1002300/ |url-status=live |archive-url=http://web.archive.org/web/20251111020054/https://www.att.com/support/article/u-verse-high-speed-internet/KM1002300/ |archive-date=11 Nov 2025 |website=att.com}}</ref> | |||
===ELI5: Why (and how) does CGNAT break the internet?=== | |||
Let's assume that normal IP addresses are "public" phone numbers and that IPs used by CGNAT are "private" phone numbers, that is numbers that can only initiate calls, not receive them. let's assume that there are 2 users (user A and user B): | |||
1) User A wants to call user B, and both users have "public" phone numbers: no problem here, the only thing that user A needs to do is insert user B's phone number into the dialer! | |||
2) User A wants to call user B, but user A only has a private number (CGNAT). there's nothing stopping user A from calling user B, but user B will only see a generic phone number, a number that is used by thousands of other users. | |||
3) User A wants to call user B, but user B only has a private number (CGNAT). since user B can't receive calls, to establish communication between user A and user B, user B is the one that needs to initiate the call. | |||
4) User A wants to call user B, but both users only have private numbers (CGNAT). Both users can initiate calls, but neither of them can receive them, thus a connection can't be established. there's only one solution to this, having user A and user B call user C (a man in the middle that has a "public" IP address thus being able of receiving calls) with user C rerouting the voice from user A to user B and viceversa. this means that there's an additional cost and privacy risks, since a not well intentioned man in the middle can eavesdrop on the conversation. | |||
====How does IPv6 resolve the issue?==== | |||
There are only roughly 4 billion IPv4 addresses (or phone numbers), compared to the roughly 340 undecillion IPv6 addresses (that's more than the number of grains on planet earth SQUARED!). 4 billion addresses are not enough for every single user, hence the need of reusing addresses, potentially assigning one to thousands of users (there may be only 8 billion humans on planet earth, but the numbers of devices connected to the internet vastly exceeds that). IPv6 does not have those limitations, and because reusing IPv6 addresses is useless due to the vast number, every single IPv6 address is inherently "pubic" (aka being able of receiving and initiating calls). | |||
==References== | |||
<references /> | <references /> | ||