UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
judgecorp writes "Faced with the shortage of IPv4 addresses and the failure of IPv6 to take off, British ISP PlusNet is testing carrier-grade network address translation CG-NAT, where potentially all the ISP's customers could be sharing one IP address, through a gateway. The move is controversial as it could make some Internet services fail, but PlusNet says it is inevitable, and only a test at this stage."
Regarding the failure of IPv6, these graphs imply otherwise.
KPN tried "carrier grade" IP4-NAT in the Netherlands a decade ago... Unfortunately the router software was too buggy and made the routers thrash and crash. And how can the customers of the ISP run servers on their computers? NAT has implications for the peer-to-peer nature of the Internet.
extern warranty;
main()
{
(void)warranty;
}
Dual-stack deployment with NAT'd IPv4 alongside with IPv6 is the only viable short-term option for consumer ISPs. You can't just cut off people from the IPv4 internet, you'd leave them with a pretty much useless internet connection.
why in the world is it inevitable? Inevitable because they want to keep holding off on newer technology? If I was with Plusnet I'd use this as a good reason to start looking elsewhere.
Am I reading that graph wrong?
What I see is that less than 11% of the thousand most popular sites have adopted IPv6.
Either that or we seem to be using different definitions for the word "failure".
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
...a split in how ISPs will implement IPs
easier surveillance, easier p2p blocking, easier content filtration, what could go wrong. Oh wait I have a knock at the door, be right ba......
[loss of carrier...]
I highly doubt it makes sense for plusnet to do this "instead" of IPv6, but it does make sense to do this "as well" as IPv6.
I see the transition involving something like these 5 steps.
1.) Everyone needs IPv4, IPv6 is useless (no content).
2.) Everyone needs IPv4, IPv6 reduces the amount of IPv4 traffic you use.
3.) Most people still need IPv4, but IPv6 is most of the traffic.
4.) IPv4 is a niche requirement. Most normal users won't notice if they don't have it.
5.) IPv4 is Cobol and I come back and get a fat paycheque because I still remember how it works.
I think we are at (2) right now. I think CGN *IS* inevitable (even if it sucks) as part of a transition strategy. If we had started transitioning seriously a few years ago, we might have avoided this, but we didn't.
Short this company
The Italian provider Fastweb (pioneer of optical fiber connections in Italy) has been doing it for ages, technically since the very beginning of its business.
The main drawback for its customers has been with P2P programs, as direct peer-to-peer connections do not work well with NAT. As the Fastweb customers are not NATed with respect to each other, some of them even developed a special version of aMule (the most common P2P network at that time) called "adunanza" that would work inside the ISP-level network. Bittorrent is somehow less sensitive to the NAT problem, hence an "adunanza" torrent client was never developed.
I suspect this may actually be a strong motive behind such a silly ISP choice: reduce the exposure of P2Ping customers to the outside world. Whether the aim is to reduce P2P or just to hide it from the mayor's private police, it's hard to tell.
this post contains no useful information, no need to mod it down
Rather than doing this correctly, it will go like this. All "home" users will get CG-NAT. "Business" users will be allowed public IPs at a steep premium, and only when that possibility is completely exhausted, will IPv6 truly begin to be implemented. Hell, people might just use duct tape code and NAT subterfuge to drag this out another decade or two.
How the hell does slashdot.org not support IPV6, I thought this was a tech website?
failure of IPV6 = We don't want to spend money helping our customer.
The Dunning-Kruger explains most posts on
Stop bending over and putting your ass up to your shareholders, and start investing in your company's infrastructure.
This way when one customer violates an AUP the entire ISP can be null routed in a single line.
Fastweb in Italy has been using this method for a decade. And it works quite well. They offer fiber or ADSL depending on the user location. Almost every internet service I used (IP blacklist, megaupload-like services...) knows that behind a single Fastweb IP there may be a million users.
*Smash head against desk*
seems like a colossal waste of money -- they'll eventually come around to ipv6 and just throw this out... right?
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
This would not be an issue if IPv6 was not such a pain in the ass to implement.
1. During its design, way too much effort was put into solving problems that were not important. Many design decisions seem to satisfy only academic concerns and the egos of those who hold said concerns.
2. Furthermore, due to the simple march of progress (faster, cheaper computers; more bandwidth; better hardware), many of the above concerns are now moot. Many of IPv6's built-in mechanisms will not be implemented today but replaced by "six-ified" versions of their IPv4 counterparts.
3. Back to point one again, it seems like someone's ego prevented any kind of transition plan or backward compatibility. The all-or-nothing attitude has prevented rollout that should have happened a decade ago. Even inevitable address space exhaustion has not proven incentive enough.
Sorry to say, but v6 should have been scrapped a long time ago. A simple extension to v4 to expand the address space should have been adopted (Perhaps with some extensions/modifications to help alleviate some of the other issues. Goodness knows TCP could use some tweaks)
I'm surprised it has not happened already. Usually someone pragmatic comes up with a brilliant, but hackish compromise that everyone informally adopts by sheer necessity. Then it becomes formalized after the fact when standards bodies realize everyone's using it anyway.
So what happens when the "copyright enforcement agencies" decide that somebody on that NAT IP has downloaded a movie and three strikes or something similar gets kicked in for the IP? (I know it's perfectly possible given port, IP, and time to back-track a connection through a properly-logged NAT. Just an amusing side effect if somebody is dumb, and dumb happens a lot these days.)
@Whee
There's no words in all caps, no fantastical assertions, not a single typo, and it's 15 words long!! I'll give you some charity style points for using 100% improper punctuation, but really: 2/10. Hell, this rant about your rant was nearly 3x longer!! You should be ashamed.
A far bigger problem is that a lot of internet services these days use IP-based blocks as the final "brute force" version of "you are abusing the service, go away". It would really suck to be under an ISP that shows every customer coming from a single IP.
That's what X-Forwarded-For: and agreements with ISPs are for. See, for example, Wikimedia's implementation of X-Forwarded-For:.
I wonder how well this will work with IP Geolocation based services; I already visit stores online that show me New Brunswick brick&mortar store inventories. These kinds of failures are quite irritating for end-users.
Because otherwise, they will just end up running out of ports when they have a larger number of people simultaneously using their services.
Quite quickly too.
This plan is so colossally doomed to fail that I have no words for it.
Where can I buy the popcorn? This is gonna be funny as hell to watch.
File under 'M' for 'Manic ranting'
IPV6 is a classic engineering failure. They made this nice new protocol with absolutely no way to transition from IPV4. Say what you will about managers, but any average manager could have spotted this problem from a mile away. Nobody reading /. today will live long enough to see the end of IPV4. The engineers can claim victory all they want to but IPV6 is the biggest failure in networking history.
Failure to properly plan and fund and implement IPv6 for your own company is not what I would call a failure of IPv6.
And again the same arguments are brought, why IPv6 is *not* the solution to a problem that does *not* exist.
NAT is the gated neighborhood you live in to keep the unsavory inhabitants of that bad neighborhood away from your pristine lawn and Lexus in the driveway.
So how should a resident invite someone who's not quite unsavory? For example, to use your example of Jehovah's Witnesses, I study the Bible weekly with one of them. If my neighborhood were to adopt a firewall with a "JWs keep out" policy, I'd be pretty disappointed.
That's what firewalls are for, not NAT. Please stop confusing the two.
But they're not entirely orthogonal, as NAT imposes a firewall by default. It takes down three birds with one stone, namely delaying the effects of IPv4 depletion until an IPv6 rollout can be afforded, firewalling out those assumed to be unsavory, and upselling business class connections to home-based businesses. How would NAT be implemented without a firewall?
Is that like Military grade NAT and Combat ready NAT?
The NAT I use is the SAME NAT that they use. There is no such thing as "Carrier Grade" NAT.
Do not look at laser with remaining good eye.
You're missing the point. Internet multiplayer games are quite popular these days.
Or, you could take turns and pass around the controller. It'd be just like in the 80s! YAY!
plusnet are crap. They were biggish about 13 years ago, before the UK's broadband got a decent roll-out, a time when people would jump ship on dial-up every few months because services invariably were massively oversold. They're just a crappy BT reseller these days, offering awful packages, but rather cheap. There are hundreds of similar ISPs like them.
I can think of some words.
What a downright stupid thing to say.
PlusNet is a subsidiary of BT, the ex-state telecom monopoly. BT also operates the vast majority of ADSL infrastructure in the UK. BT Openworld, their other broadband brand name, claims to be the largest UK ISP by number of subscribers.
Where BT tests on PlusNet, everything else BT does will likely follow.
Carrier grade NAT, has it come to this? This is sad.
Not all their customers, just the first 64K
In my area the 4G Verizon WWAN devices are doing this. It screws with VPNs big time. It connects you to verizon on an internal IP and then verizon NATs you the web content through their system.
The WWAN dongles can connect to the 3G service and then you're fine, that still works the "old fashioned" way.
This is fine for Bubba lookin at boats on craigslist or grandma getting emailed pics of little Johnny, but if you are in that 1% of non-typical use, whoops.
Flappinbooger isn't my real name
For example - this article.
Basically IPv6 does not offer anything to early-adopters.
Pretty much any UDP-based protocol requires that the NAT open holes.
So does any TCP-based protocol, but as far as I can tell unless a port is forwarded, the router doesn't know where to forward incoming connections. So a NAT acts as a firewall against TCP-based protocols. UDP-based protocols, as I understand it, begin with a TCP connection to a trusted introducer, followed by having each side of the connection send a datagram on an ephemeral port to the other end so that the NAT knows how to route that particular port. This is limited to a few thousand connections per public IP address because there are only 16,000 or so ephemeral ports.
Even more stupid on Graham's hierarchy is name-calling, which calls one's arguments "downright stupid" while giving no evidence of why they're "downright stupid".
If they delivered full IPV6 with a CNAT as fallback, I might understand. All the big boys are on IPV6 nowadays anyway. But only CNAT? That, my friend, is connectivity they can shove where the sun don't shine...
10 ?"Hello World" life was simple then
Internet multiplayer games are quite popular these days.
MMO and social games are server-based and, as far as I'm aware, work fine through NAT. People living in an IPv4-starved market who want to play FPS and RTS that don't use a dedicated server would probably be encouraged to upgrade to business-or-enthusiast class Internet access.
Anyone with a 100.64.0.0/10 WAN address is being CGNATted by their ISP. http://whois.domaintools.com/100.64.0.0 How does one do port forwarding when CGNATted? e.g. Black Ops 2 needs TCP 3074 opened. Can anyone who is CGNATted confirm if they can port forward to one of their internal devices? I believe HugesNet uses CGNAT too.
I think this might be a intermediate step to change to IPv6. Nobody takes action until they suffer. Sharing one IPv4 address will make them suffer.
Give them the option for an IPv6 address and a shared IPv4 address to maintain backward compatibility.
Theoretically a "carrier grade NAT" could (due to the large scale) have the resources (both computational and developer time) to be capable of packet inspection to figure out what ports need to be dynamically mapped for more types of traffic than are supported in a cheaper implementation.
Posting as AC for obvious reasons. I'm working for an ISP and we are testing Juniper MX routers for CGNAT. It will be deployed for "legacy" DSL customers. These routers can handle a lot of traffic, and we found that the vast majority of applications have no issues with another layer of NAT. There is a plan to offer a web interface to allow a customer to punch a hole when necessary.
I've played a multi-player game, and it worked just fine through MY NAT device, so why wouldn't it work through the ISP's?
Because you control the port forwarding on your own NAT device, not your ISP's. Or because your machine is never selected to be the server, limiting the selection of opponents. Or because your game is in a genre that traditionally uses a dedicated server operated by the game's publisher as opposed to using the publisher's servers only for matchmaking, such as MMO or a browser-based game.
Any XFF: address would be a fairly meaningless RFC6598 address
Say the connection comes from 123.45.67.89, and the proxy specifies "XFF: 100.64.123.45", and the operator of the proxy has an agreement with the operator of the web site. Then instead of blocking the whole proxy, the web site would block "123.45.67.89.100.64.123.45". Yes, HTTPS would make this harder, as HTTPS proxies tend to get people up in arms because of the level of trust the user is required to have in the proxy.
They will have more than one IPv4 address serving the NAT clients, of course!!!
If IPv6 fails, it's because of registrars like Dotster who STILL don't support IPv6 (Is this 1995 or what?) and broadband companies that are extremely slow in handing out addresses to their clients (German Telekom, I'm looking at you!).
Many applications and all relevant web browsers already support it, as well as all halfway modern OS. So it's not an acceptance problem, it's just a problem of very few very heavy-weight roadblocks, IMHO.
There should be a Kickstarter campaign to create an ISP that is actually named Big Dumb Pipe with promises not to up sell, or offer 'cloud storage', or offer security suites to protect your snowflakes, or pretend to be a content creator, but merely provide access and up time, for they are only a Big Dumb Pipe (tm). Oh; and no caps or throttling.
In other words, the carriers want to have full control over the devices and data.
This is their own announcement, if anyone is interested:
Hi all,
We need a bit of help with some testing over the next few weeks. As many people will probably know there's a finite number of IP addresses in the world and there aren't many left. In order to ensure that people have access to the Internet during the transition to the new world of IPv6 ISPs like ourselves are looking at options including Carrier Grade NAT. Even if the world switched on IPv6 today there would still be people and applications that don't work under IPv6, some games consoles for example. As such everyone will still need an IPv4 address for the foreseeable future.
Carrier Grade NAT (CGNAT) is similar to the NAT that people use on their home routers. The NAT on your home router lets all the devices on your network (PCs, tablets, phones, consoles etc.) share one IP address. What CGNAT does is take that a step further and has several customers sharing one IP address. For most people they will never notice, most mobile operators already use CGNAT and so most applications will just work. The main problem is where you are hosting services on your broadband connection like hosting a website or hosting games (the kind of thing for which you set up port forwarding on your router).
We're just about to test and evaluate a CGNAT system to see if it's suitable and see what kind of applications and services work and don't work, as such we'd like a bit of help from people to try out and see. We're doing testing internally too but with so many devices, applications, games, VPNs, etc. we'll never test everything. With some help we'll try and get as much as we can.
What we want from the testers is just to do what you would normally do, we'll give you a special username to use so that if you do find things that you need to work but which don't you can easily switch back. We'd also like you to record what works and doesn't on a spreadsheet (we'll probably use Google docs just to make it easy).
If you can help then please reply, the trial is due to start in a couple of weeks and is expected to last around 3 weeks.
Any questions then please let us know.
I'm fairly sure a broadband connection with carrier grade NAT cannot qualify as "Good honest broadband from Yorkshire". Therefore, if Plusnet wants to use carrier grade NAT, it will need a new slogan.
why in the world is it inevitable? Inevitable because they want to keep holding off on newer technology? If I was with Plusnet I'd use this as a good reason to start looking elsewhere.
PlusNet meant that it was inevitable that "it could make some Internet services fail".
But you knew that already, since you were using PlusNet.
What's the worm traffic (ssh and other) on the IPv6 internet? The weird IPv6 people want us to just hop on IPv6 by tunneling under our old IPv4 firewall/routers. So how much parasitism and hacking is on the new network? And can we expect a wave of new attacks/exploits to happen to people who turn on IPv6 and blindly bypass the only protection they have?
IPv6 goes global with the first Microsoft OS release where IPv4 requires installing an extra package which OEMs are not permitted to install by default.
This is a great chance for them to play the white hat, but it'd be a significant departure from historical behavior for them (e.g. they fought TCP/IP tooth and nail, thinking that NetBIOS and NetBEUI had a chance in hell of winning), and it took them a very long time to support IPv6 at all in the first place.
If ISPs are turning to carrier grade NAT, then they are in a desperate situation. The current approach will only buy time for an ISP who has run out or will soon run out of IPv4 addresses, but they should still have a parallel IPv6 strategy in place. Without support for IPv6, customers won't be able to access new services which are only IPv6 accessible, and as hosting services can't get access to new IPv4 blocks this will be the case.
As IT professionals we should all be asking our ISPs, and even our employers, when they plan to be IPv6 ready. This is similar to the Y2K issue, except the cut off date is a little bit more fuzzy. If the work is done, then your average user shouldn't notice anything. If it isn't then they are going to be complaining of connectivity problems.
Jumpstart the tartan drive.
Ok, it's not CG-NAT, but if you get commercial service from Comcast, they give you a POS cable router that has NAT turned on. That's OK, but the problem is that the ONLY way to turn NAT off is to purchase a static IP. You can't put it in bridge mode and use your own router unless you have a static IP (for an extra charge, of course).
As far as I'm concerned, their policy of forcing NAT upon me means they are not delivering the full Internet experience, as many applications either do not work or do not work as well through NAT. I argued with them for about 10 minutes, but arguing with some phone monkey who has no idea how the Internet works (or is supposed to work) is futile, and I wasn't about to give them any more money, so I just lived with it.
...without a firewall on your router? Seriously, unless you invest deeply, 90% of the consumer grade devices can't do that - my router supports IPv6 in theory (no carrier support yet to test it) but only has a 400 MHz CPU. Trying to implement any stateful firewall on that will just make the system unstable if you make some more intensive use of the connection (streaming HD TV, torrent, etc). No "smart" device I have in my home supports firewalls apart from my PC, so they can not be trusted to just cope on their own.
I'm probably missing something I guess, but it just doesn't seem like a genius prospect to me.
IPv4 is just... nothing. It's an idea. It's not hardware, and in software it can be done in ridiculously many different ways.
If I have a physical connection from A to B I can use any sort of "protocol" over it. Even with ADSL, IPv4 is just an "emulation" on top of the ATM (not like in cash) network.
In theory the real ISP network can be something completely different from IPv4. In theory, the customer doesn't get the internet, but access to the protocol called "IPv4", which implies that they must get an IP address. How the f#ck this is really implemented by the ISP can be completely IPv4 agnostic.
In reality, the ISP needs about 3 real IPv4 addresses for themselves and the rest they can give away to the customers. The 3 real IPv4 addresses would be the BGP router and the ISP's DNS servers. HOW the packets really go from an IPv4 enabled customer's "adaptor" to the ISP BGP router can be completely VIRTUAL or EMULATED!!!
-of course- if the ISP only secured a 255 (=255-3 customers possible) network or 255.255 (255*255-3 customers possible) they are "fucked" : )
And IPv6 sucks on so many levels security wise. Everything is reachable from everywhere. Your IPv6 toaster gets hacked (burns down your house), your IPv6 TV gets hacked (you're not watching the "real" news anymore) etc.
Sh1t, it was HORRIBLE with IPv4 and pings of death. Holy f#ck what a nightmare IPv6 is gonna be with no firewall/NATs (needed) anymore!!!
What's the worm traffic (ssh and other) on the IPv6 internet?
According to the network administrators I've spoken to (admittedly a biased sample), almost all the malware traffic they're seeing is over IPv4. They say they'll deal with IPv6 malware when it appears.
Who said SSL = user accounts?
Nobody, necessarily. It's just that the CPU and latency hit of SSL is more justifiable when information private to a particular user is being transmitted. And sometimes a web site operator finds the insight that an XFF proxy gives into which customer is actually causing a problem worthy of a block valuable. Perhaps either or both of these reasons is part of why Slashdot, for example, redirects all HTTPS accesses to HTTP except for logged-in paying subscribers.
I can use https on Google and Wikipedia without logging on.
There are bans, and then there are bans. Both sites you mention (Google Search and Wikipedia) are useful for reading even if a particular user or anonymous users behind a particular IP are blocked from editing. An IP address found to be the source of vandalism can be blocked first from editing anonymously, then from editing with any user account (if the problem is believed to arise from sock or meat puppetry), and finally (unlikely) from reading. If you're on HTTPS, and you're not logged in, and you're behind a Big Honkin' NAT, and the NAT's IP address shares an owner with a recognized XFF proxy, and the IP is blocked, then you might end up redirected to HTTP so that the site can read the XFF header sent by the proxy.
"where potentially all the ISP's customers could be sharing one IP address" All customers sharing the same IP? Aren't you going to be limited to 65535 connections if they're all NATted to the same IP?
I didn't know firewalls can keep Jehovah's Witnesses out.
I don't know why you'd want to keep Jehovah's Witnesses out, but if you insist, you can use APK's old standby: a hosts file.
What's the worm traffic (ssh and other) on the IPv6 internet? The weird IPv6 people want us to just hop on IPv6 by tunneling under our old IPv4 firewall/routers. So how much parasitism and hacking is on the new network? And can we expect a wave of new attacks/exploits to happen to people who turn on IPv6 and blindly bypass the only protection they have?
Unlike IPv4, it is not practical to probe the IPv6 network blindly. You need to know the IP address of your target exactly. There is no guessing it.
A worm on IPv4 can send a packet to a random IPv4 address and have a high chance of that packet actually reaching someone. There are only about 4 billion IPv4 addresses. Even a single computer can send to every single IPv4 address in a span of only a few hours. If there are thousands of infected computers sending random packets, they got the IPv4 network covered in mere moments.
Fast forward to the IPv6 world. IPv6 has an address space of 128 bits. This is the same size as strong encryption keys. Sending to a random address has zero chance of actually reaching anyone.
IPv6 addresses can be split into the first 64 bits called the prefix and the other half of 64 bits called the host identifier. Let's say you somehow learned the prefix of some user. But even if you only have to guess 64 bits of host identifier, the chance that you are going to hit his computer is so extremely low that we can call it zero.
What if you already know his full address? You won't for long. Most operating systems today have privacy extensions enabled. This is a system that makes your computer change the host identifier part of your address on a regular basis (at least once per day).
People will still have routers and those will provide firewall services on IPv6. You would not get past that, but even if you did, you would not be able to simply guess an address. You can only send packets to people that recently sent packets to you first. Or which otherwise advertised the address through DNS or through a peer to peer network such as Bittorrent.
Bottom line: Classic worms and cold scanning are history on IPv6.
When the entire ISP gets blacklisted for this or that reason, causing users to leave in droves, they'll see the error of their ways...
"where potentially all the ISP's customers could be sharing one IP address" - The most retarded thing I have ever read (as a network engineer). Whoever wrote this article had no clue how NATting is implemented in ISPs and why it has to be used.
Most of the internet still uses IPv4, that's the problem. ISPs could implement IPv6 but this would cut off services to customers that are not using IPv6 yet. So ISPs would never do that as it would cause complaints and many angry faces. Until more services move over to IPv6, there will be addressing issues.
Because otherwise, they will just end up running out of ports when they have a larger number of people simultaneously using their services.
You do know that NATs can have more than one IP on the WAN side right?
Yes there is a limit to the customer to IP ratio that can be achieved but unless an ISP is growing very quickly ISP level NAT should give them enough breathing room for the foreseeable future.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
I would be stunned if ISPs started routinely proxying all HTTP traffic
AOL did.
(and they don't stand a chance with HTTPS)
Anonymous visitors coming from an ISP whose NAT IP is blocked but whose proxy is known to add reliable XFF headers would get redirected from HTTPS to HTTP so that they can view the site through the proxy.
CPU & latency have not been an issue for years now.
HTTPS involves more round-trips than HTTP. True, SSL latency has been solved for wired Internet links (fiber, cable, DSL), but latency is still a problem with cell and sat links.
Everything else you explained either compromises functionality or makes everything far more complex.
Complexity is a stopgap until the Rest Of The World completes the IPv6 upgrade.
Simply deploying IPv6 solves all the issues.
The issues are exactly the same for an ISP that has installed carrier-grade NAT64 so that IPv6-only users can view web sites that don't yet have an AAAA.
If the DMZ device is a video game console, as I've seen it to be in several household deployments, it would probably make the news if someone managed to exploit it for remote execution of homebrew.
Thanks!
I've implemented dual-stack at home with my ISP (an Entanet reseller) providing me with a /56 as well as one IPv4 address. It all worked fine, except for my wife's W7 laptop. On debugging it, I found that it was using a Teredo address on the wifi interface directly, rather than as the endpoint of a Teredo tunnel. There was no sign of a Teredo tunnel over v4 anyway. I assume this is an aspect of the W7 bug. The solution was to disable the Teredo interface, and it now picks up a v6 /64 prefix from a radvd daemon and appends the usual MS pseudo-random suffix.
And this is another example of how the UK has not been a serious technology leader since the 18th century.
NAT is sometimes necessary and is nothing new. Yes, it does break the end-to-end concept of how IP is SUPPOSED to work. But for 99.99% of residential Internet subscribers it works just fine. For the few exceptions you can offer "business class" services or a "gamers package" that gives the customer one or more global IP addresses they can use for VPNs, servers, or game consoles. The problem many ISPs are having with IPv6 is CPE and DSLAM vendors that are dragging their feet on compliance and supporting the 0x86dd ethertype. In theory, a simple firmware update should fix this, but in many cases may require a hardware upgrade. The industry is moving towards CG NAT as a long-term "temporary" solution to this problem. Why do you think RFC6598 was written and implemented by IANA? Get over yourselves already. NAT is here to stay.
You realize that each customer is often going to be using up multiple ports at one time, right? And owing to the inherent statefulness of each connection and resources that the NAT system will have to dedicate to maintaining that state, it imposes a rather severe upper limit on how many ports a single NAT device can actually utilize at once.
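A toy model of the port budget argued over in this reply, the "65535 connections" post and the "NATs can have more than one IP" post, added here as an illustration and not taken from the thread, PlusNet or any vendor. It hands each subscriber a fixed contiguous block of ports on one of several public addresses (a common CGNAT design choice, assumed here rather than documented for any real deployment), reports how many subscribers a pool can carry before it is exhausted, and keeps the per-block log that lets an abuse desk answer "who had this public ip:port at time T", the traceback the earlier "properly-logged NAT" remark refers to. All addresses, block sizes and timestamps are constructed.

```python
"""Toy deterministic CGNAT port-block allocator with an attribution log.

Added example, not PlusNet's, Juniper's or any real CGNAT implementation.
Public addresses, block sizes and timestamps below are constructed.
Simplification: blocks are assigned once and never released, so a log entry
needs only a start time.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # ports the NAT is willing to hand out


@dataclass
class CgnatPool:
    public_ips: List[str]           # WAN-side addresses the NAT may source from
    ports_per_subscriber: int       # size of each subscriber's contiguous block
    assignments: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)
    log: List[Tuple[datetime, str, str, int, int]] = field(default_factory=list)

    def blocks_per_ip(self) -> int:
        """How many subscribers one public address can carry at this block size."""
        return (EPHEMERAL_HIGH - EPHEMERAL_LOW + 1) // self.ports_per_subscriber

    def capacity(self) -> int:
        """Total subscribers the whole pool can carry before port blocks run out."""
        return self.blocks_per_ip() * len(self.public_ips)

    def assign(self, subscriber: str, when: datetime) -> Tuple[str, int, int]:
        """Give a subscriber a (public ip, low port, high port) block, logging it once."""
        if subscriber in self.assignments:
            return self.assignments[subscriber]
        index = len(self.assignments)
        if index >= self.capacity():
            raise RuntimeError("port blocks exhausted: add public IPs or shrink blocks")
        per_ip = self.blocks_per_ip()
        ip = self.public_ips[index // per_ip]
        low = EPHEMERAL_LOW + (index % per_ip) * self.ports_per_subscriber
        high = low + self.ports_per_subscriber - 1
        self.assignments[subscriber] = (ip, low, high)
        # One log line per block, not per flow: enough to answer an abuse report
        # that quotes (public ip, port, time) without logging every connection.
        self.log.append((when, subscriber, ip, low, high))
        return self.assignments[subscriber]

    def who_had(self, ip: str, port: int, when: datetime) -> Optional[str]:
        """Trace a reported (public ip, port, time) back to a subscriber."""
        for start, subscriber, block_ip, low, high in self.log:
            if block_ip == ip and low <= port <= high and start <= when:
                return subscriber
        return None


if __name__ == "__main__":
    # Constructed pool: two documentation-range addresses, 1024 ports each subscriber.
    pool = CgnatPool(["203.0.113.1", "203.0.113.2"], ports_per_subscriber=1024)
    t0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
    print("subscribers per IP:", pool.blocks_per_ip(), "pool capacity:", pool.capacity())
    for i in range(pool.capacity()):
        pool.assign(f"sub-{i}", t0)
    print("203.0.113.2:1500 belonged to", pool.who_had("203.0.113.2", 1500, t0))
    try:
        pool.assign("one-too-many", t0)
    except RuntimeError as err:
        print("next subscriber:", err)
```

With 1024 ports per subscriber a single address carries only 63 subscribers, which is the point this reply makes: the budget is ports per subscriber, not connections per address. Raising the ratio means shrinking the block (and breaking anything that opens many flows) or adding public addresses, and in every case the block log, not per-flow logging, is what keeps a reported ip:port attributable.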
File under 'M' for 'Manic ranting'