UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
judgecorp writes "Faced with the shortage of IPv4 addresses and the failure of IPv6 to take off, British ISP PlusNet is testing carrier-grade network address translation (CG-NAT), where potentially all the ISP's customers could be sharing one IP address, through a gateway. The move is controversial as it could make some Internet services fail, but PlusNet says it is inevitable, and only a test at this stage."
Regarding the failure of IPv6, these graphs imply otherwise.
KPN tried "carrier grade" IP4-NAT in the Netherlands a decade ago... Unfortunately the router software was too buggy and made the routers thrash and crash. And how can the customers of the ISP run servers on their computers? NAT has implications for the peer-to-peer nature of the Internet.
extern warranty;
main()
{
(void)warranty;
}
Dual-stack deployment with NAT'd IPv4 alongside IPv6 is the only viable short-term option for consumer ISPs. You can't just cut people off from the IPv4 internet; you'd leave them with a pretty much useless internet connection.
Why in the world is it inevitable? Inevitable because they want to keep holding off on newer technology? If I were with Plusnet I'd use this as a good reason to start looking elsewhere.
Am I reading that graph wrong?
What I see is that less than 11% of the thousand most popular sites have adopted IPv6.
Either that or we seem to be using different definitions for the word "failure".
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I highly doubt it makes sense for plusnet to do this "instead" of IPv6, but it does make sense to do this "as well" as IPv6.
I see the transition involving something like these 5 steps.
1.) Everyone needs IPv4, IPv6 is useless (no content).
2.) Everyone needs IPv4, IPv6 reduces the amount of IPv4 traffic you use.
3.) Most people still need IPv4, but IPv6 is most of the traffic.
4.) IPv4 is a niche requirement. Most normal users won't notice if they don't have it.
5.) IPv4 is Cobol and I come back and get a fat paycheque because I still remember how it works.
I think we are at (2) right now. I think CGN *IS* inevitable (even if it sucks) as part of a transition strategy. If we had started transitioning seriously a few years ago, we might have avoided this, but we didn't.
The Italian provider Fastweb (pioneer of optical fiber connections in Italy) has been doing it for ages, technically since the very beginning of its business.
The main drawback for its customers has been with P2P programs, as direct peer-to-peer connections do not work well with NAT. As the Fastweb customers are not NATed with respect to each other, some of them even developed a special version of aMule (the most common P2P network at that time) called "adunanza" that would work inside the ISP-level network. BitTorrent is somewhat less sensitive to the NAT problem, hence an "adunanza" torrent client was never developed.
I suspect this may actually be a strong motive behind such a silly ISP choice: reduce the exposure of P2Ping customers to the outside world. Whether the aim is to reduce P2P or just to hide it from the mayor's private police, it's hard to tell.
This post contains no useful information, no need to mod it down.
Rather than doing this correctly, it will go like this. All "home" users will get CG-NAT. "Business" users will be allowed public IPs at a steep premium, and only when that possibility is completely exhausted, will IPv6 truly begin to be implemented. Hell, people might just use duct tape code and NAT subterfuge to drag this out another decade or two.
How the hell does slashdot.org not support IPV6, I thought this was a tech website?
Failure of IPv6 = We don't want to spend money helping our customers.
The Dunning-Kruger effect explains most posts on
This way when one customer violates an AUP the entire ISP can be null routed in a single line.
Fastweb in Italy has been using this method for a decade. And it works quite well. They offer fiber or ADSL depending on the user's location. Almost every internet service I have used (IP blacklists, megaupload-like services...) knows that behind a single Fastweb IP there may be a million users.
*Smash head against desk*
seems like a colossal waste of money -- they'll eventually come around to ipv6 and just throw this out... right?
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
So what happens when the "copyright enforcement agencies" decide that somebody on that NAT IP has downloaded a movie and three strikes or something similar gets kicked in for the IP? (I know it's perfectly possible, given port, IP, and time, to back-track a connection through a properly-logged NAT. Just an amusing side effect if somebody is dumb, and dumb happens a lot these days.)
@Whee
There's no words in all caps, no fantastical assertions, not a single typo, and it's 15 words long!! I'll give you some charity style points for using 100% improper punctuation, but really: 2/10. Hell, this rant about your rant was nearly 3x longer!! You should be ashamed.
A far bigger problem is that a lot of internet services these days use IP-based blocks as the final "brute force" version of "you are abusing the service, go away". It would really suck to be under an ISP that shows every customer coming from a single IP.
That's what X-Forwarded-For: and agreements with ISPs are for. See, for example, Wikimedia's implementation of X-Forwarded-For:.
Because otherwise, they will just end up running out of ports when they have a larger number of people simultaneously using their services.
Quite quickly too.
This plan is so colossally doomed to fail that I have no words for it.
Where can I buy the popcorn? This is gonna be funny as hell to watch.
File under 'M' for 'Manic ranting'
Failure to properly plan and fund and implement IPv6 for your own company is not what I would call a failure of IPv6.
And again the same arguments are brought up, why IPv6 is *not* the solution to a problem that does *not* exist.
NAT is the gated neighborhood you live in to keep the unsavory inhabitants of that bad neighborhood away from your pristine lawn and Lexus in the driveway.
So how should a resident invite someone who's not quite unsavory? For example, to use your example of Jehovah's Witnesses, I study the Bible weekly with one of them. If my neighborhood were to adopt a firewall with a "JWs keep out" policy, I'd be pretty disappointed.
That's what firewalls are for, not NAT. Please stop confusing the two.
But they're not entirely orthogonal, as NAT imposes a firewall by default. It takes down three birds with one stone, namely delaying the effects of IPv4 depletion until an IPv6 rollout can be afforded, firewalling out those assumed to be unsavory, and upselling business class connections to home-based businesses. How would NAT be implemented without a firewall?
Is that like Military grade NAT and Combat ready NAT?
The NAT I use is the SAME NAT that they use. There is no such thing as "Carrier Grade" NAT.
Do not look at laser with remaining good eye.
You're missing the point. Internet multiplayer games are quite popular these days.
I can think of some words.
PlusNet is a subsidiary of BT, the ex-state telecom monopoly. BT also operates the vast majority of ADSL infrastructure in the UK. BT Openworld, their other broadband brand name, claims to be the largest UK ISP by number of subscribers.
Where BT tests on PlusNet, everything else BT does will likely follow.
In my area the 4G Verizon WWAN devices are doing this. It screws with VPNs big time. It connects you to Verizon on an internal IP and then Verizon NATs the web content to you through their system.
The WWAN dongles can connect to the 3G service and then you're fine, that still works the "old fashioned" way.
This is fine for Bubba lookin at boats on craigslist or grandma getting emailed pics of little Johnny, but if you are in that 1% of non-typical use, whoops.
Flappinbooger isn't my real name
Pretty much any UDP-based protocol requires that the NAT open holes.
So does any TCP-based protocol, but as far as I can tell unless a port is forwarded, the router doesn't know where to forward incoming connections. So a NAT acts as a firewall against TCP-based protocols. UDP-based protocols, as I understand it, begin with a TCP connection to a trusted introducer, followed by having each side of the connection send a datagram on an ephemeral port to the other end so that the NAT knows how to route that particular port. This is limited to a few thousand connections per public IP address because there are only 16,000 or so ephemeral ports.
snrk. Have you seen how many transition technologies have been proposed at IETF? We originally assumed everyone would deploy dual stack and wait for IPv4 traffic to tail off, but that assumed deployment ten years ago, which didn't happen. Then we started looking at CGN about five or so years ago; the problem is that CGN depends on there being lots of IP addresses, and since then we've come up with better solutions that do a smarter job of distributing the state required to do NAT. This is what MAP-E and lightweight 4over6 are. MAP-E and lightweight 4over6 are getting serious consideration by ISPs.
I don't disagree that there were a lot of egos involved in early IPv6 development, but we actually do have a solid transition suite, and people are deploying it. CGN is five-year-old technology that never saw widespread deployment, and probably never will.
Seconded.
"A simple extension to v4 to expand the address space should have been adopted"
Indeed. All they needed was another 2 bytes to be used as address space in the IP4 packet - perhaps in the options or padding section - since 65K times the current address space is more than enough (and don't anyone quote me the Bill Gates 640K remark as a lame riposte) and to update the IP version number in the packet. Sorted.
Even more stupid on Graham's hierarchy is name-calling, which calls one's arguments "downright stupid" while giving no evidence of why they're "downright stupid".
If they delivered full IPV6 with a CNAT as fallback, I might understand. All the big boys are on IPV6 nowadays anyway. But only CNAT? That, my friend, is connectivity they can shove where the sun don't shine...
10 ?"Hello World" life was simple then
It's unlikely that they will deploy CGN, because the trial will probably fail. But if they do, they will still almost certainly do routing aggregation, so the IP address you get will likely be associated with the BRAS or concentrator closest to you. They won't be able to get pinpoint accuracy, but they will probably know what city you are in, if you are in a city.
If anything there are too many transition technologies, not too few.
It's called dual stack. v6 deployment is not all-or-nothing. For instance, OS upgrades have been rolled out over the past decade, and content provider and ISP upgrades are being rolled out now. Take a look at Comcast, who are doing v6 despite less than 100% of their traffic being done over v6.
I'm an early adopter of IPv6. I don't believe your claim that it offers me nothing, because it's been making my life easier for years now.
Internet multiplayer games are quite popular these days.
MMO and social games are server-based and, as far as I'm aware, work fine through NAT. People living in an IPv4-starved market who want to play FPS and RTS that don't use a dedicated server would probably be encouraged to upgrade to business-or-enthusiast class Internet access.
Anyone with a 100.64.0.0/10 WAN address is being CGNATted by their ISP. http://whois.domaintools.com/100.64.0.0 How does one do port forwarding when CGNATted? e.g. Black Ops 2 needs TCP 3074 opened. Can anyone who is CGNATted confirm if they can port forward to one of their internal devices? I believe HughesNet uses CGNAT too.
I think this might be an intermediate step in changing to IPv6. Nobody takes action until they suffer. Sharing one IPv4 address will make them suffer.
Give them the option for an IPv6 address and a shared IPv4 address to maintain backward compatibility.
Theoretically a "carrier grade NAT" could (due to the large scale) have the resources (both computational and developer time) to be capable of packet inspection to figure out what ports need to be dynamically mapped for more types of traffic than are supported in a cheaper implementation.
Heh. I was also thinking that carrier-grade NAT would cut out a big chunk of piracy traffic. BitTorrent performs poorly if you can't accept incoming connections, and not at all if the other peer can't either. Serving a homebound FTP warez site would also be out of question.
Posting as AC for obvious reasons. I'm working for an ISP and we're testing Juniper MX routers for CGNAT. It will be deployed for "legacy" DSL customers. These routers can handle a lot of traffic, and we found that the vast majority of applications have no issues with another layer of NAT. There is a plan to offer a web interface to allow a customer to punch a hole when necessary.
I've played a multi-player game, and it worked just fine through MY NAT device, so why wouldn't it work through the ISP's?
Because you control the port forwarding on your own NAT device, not your ISP's. Or because your machine is never selected to be the server, limiting the selection of opponents. Or because your game is in a genre that traditionally uses a dedicated server operated by the game's publisher as opposed to using the publisher's servers only for matchmaking, such as MMO or a browser-based game.
Any XFF: address would be a fairly meaningless RFC6598 address
Say the connection comes from 123.45.67.89, and the proxy specifies "XFF: 100.64.123.45", and the operator of the proxy has an agreement with the operator of the web site. Then instead of blocking the whole proxy, the web site would block "123.45.67.89.100.64.123.45". Yes, HTTPS would make this harder, as HTTPS proxies tend to get people up in arms because of the level of trust the user is required to have in the proxy.
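One way a site could apply the per-customer block the comment above describes, as an added Python example (not the thread's or Wikimedia's code; the trusted proxy address and the RFC 6598 customer address are constructed):

```python
import ipaddress
from typing import Optional

# Constructed example: the block key a web site can use when an abuse report
# arrives from behind a CGN whose operator forwards the customer's RFC 6598
# address in X-Forwarded-For under an agreement with the site.

# Proxies whose X-Forwarded-For we have agreed to trust (constructed address).
TRUSTED_XFF_PROXIES = {ipaddress.ip_address("123.45.67.89")}


def block_key(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the identity this request should be blocked on.

    Only a trusted proxy's XFF is honoured, and only its right-most entry:
    that is the address the trusted proxy itself appended, while anything
    left of it is client-supplied and may be forged. Every other connecting
    host is keyed on its own address alone, whatever XFF it sends.
    """
    remote = ipaddress.ip_address(remote_addr)
    if remote in TRUSTED_XFF_PROXIES and xff_header:
        last_hop = xff_header.split(",")[-1].strip()
        try:
            client = ipaddress.ip_address(last_hop)
        except ValueError:
            return str(remote)  # malformed header: fall back to the proxy address
        # A 100.64/10 address means nothing on its own (every CGN reuses it),
        # so it is only ever keyed together with the proxy that vouched for it.
        return f"{remote}/{client}"
    return str(remote)


class AbuseBlocklist:
    """Block store keyed on block_key(), so one customer behind a trusted
    proxy can be blocked without blocking the whole proxy."""

    def __init__(self) -> None:
        self._blocked = set()

    def block(self, remote_addr: str, xff_header: Optional[str]) -> str:
        key = block_key(remote_addr, xff_header)
        self._blocked.add(key)
        return key

    def is_blocked(self, remote_addr: str, xff_header: Optional[str]) -> bool:
        return block_key(remote_addr, xff_header) in self._blocked
```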
There should be a Kickstarter campaign to create an ISP that is actually named Big Dumb Pipe with promises not to up sell, or offer 'cloud storage', or offer security suites to protect your snowflakes, or pretend to be a content creator, but merely provide access and up time, for they are only a Big Dumb Pipe (tm). Oh; and no caps or throttling.
1. During its design, way too much effort was put into solving problems that were not important. Many design decisions seem to satisfy only academic concerns and the egos of those who hold said concerns.
Care to be specific about what you are talking about?
When I look at the IPv6 header and compare it to the IPv4 header I see address fields are a lot bigger and garbage from the IPv4 header is now gone. That's it. The TCP and UDP protocols below are exactly the same.
The next header scheme is the same one deployed in dumb layer 2 networks for vlan tagging... I don't see anyone complaining about that either.. Some L2 people have even gone nuts chaining with QinQ et al.
There are new things that did not have to change, but these are management, not wire, issues. They're mostly ethernet/multicast; nobody except the very few who write network stacks for operating systems and security schemes for L2 switches have to pay much attention to them.
The efforts I see going on around me are centered in dealing with the reality of a larger address space and numbering networks.
Furthermore, due to the simple march of progress (faster, cheaper computers, more bandwidth, better hardware), many of the above concerns are now moot. Many of IPv6's built-in mechanisms will not be implemented today but replaced by "six-ified" versions of their IPv4 counterparts.
What are you talking about? Many of what?
Back to point one again, it seems like someone's ego prevented any kind of transition plan or backward compatibility. The all-or-nothing attitude has prevented a rollout that should have happened a decade ago. Even inevitable address space exhaustion has not proven incentive enough.
Suggest something better than native dual stack without breaking anyone's shit.
Sorry to say, but v6 should have been scrapped a long time ago. A simple extension to v4 to expand the address space should have been adopted (Perhaps with some extensions/modifications to help alleviate some of the other issues. Goodness knows TCP could use some tweaks)
That's exactly what IPv6 is on the wire:
http://en.wikipedia.org/wiki/IPv6_packet
Compare that to IPv4 on the wire:
http://en.wikipedia.org/wiki/IPv4_packet
I'm surprised it has not happened already. Usually someone pragmatic comes up with a brilliant, but hackish compromise that everyone informally adopts by sheer necessity.. Then becomes formalized after the fact when standards bodies realize everyone's using it anyway.
The format or feature set of IPv6 have never been much of an issue.
The real problem, that lots and lots of us must deal with to make our toys IPv6 compatible, is to make provisions for a larger address space.
For example my game does not work with IPv6, not because of the format of a packet... the game does not generate packets; it uses the OS network layer to do that for it. It does not care about the format of an IP packet except for trivialities such as MSS.
The reason my game is not IPv6 compatible is because it is not capable of addressing a larger address space without the source code being modified. Ain't none of this got shit to do with a packet format on the wire.
Why in the world is it inevitable? Inevitable because they want to keep holding off on newer technology? If I were with Plusnet I'd use this as a good reason to start looking elsewhere.
PlusNet meant that it was inevitable that "it could make some Internet services fail".
But you knew that already, since you were using PlusNet.
What's the worm traffic (ssh and other) on the IPv6 internet? The weird IPv6 people want us to just hop on IPv6 by tunneling under our old IPv4 firewall/routers. So how much parasitism and hacking is on the new network? And can we expect a wave of new attacks/exploits to happen to people who turn on IPv6 and blindly bypass the only protection they have?
IPv6 goes global with the first Microsoft OS release where IPv4 requires installing an extra package which OEMs are not permitted to install by default.
This is a great chance for them to play the white hat, but it'd be a significant departure from historical behavior for them (e.g. they fought TCP/IP tooth and nail, thinking that NetBIOS and NetBEUI had a chance in hell of winning), and it took them a very long time to support IPv6 at all in the first place.
If ISPs are turning to carrier grade NAT, then they are in a desperate situation. The current approach will only buy time for an ISP who has run out or will soon run out of IPv4 addresses, but they should still have a parallel IPv6 strategy in place. Without support for IPv6, customers won't be able to access new services which are only IPv6 accessible, and as hosting services can't get access to new IPv4 blocks this will be the case.
As IT professionals we should all be asking our ISPs, and even our employers, when they plan to be IPv6 ready. This is similar to the Y2K issue, except the cut off date is a little bit more fuzzy. If the work is done, then your average user shouldn't notice anything. If it isn't then they are going to be complaining of connectivity problems.
Jumpstart the tartan drive.
Ok, it's not CG-NAT, but if you get commercial service from Comcast, they give you a POS cable router that has NAT turned on. That's OK, but the problem is that the ONLY way to turn NAT off is to purchase a static IP. You can't put it in bridge mode and use your own router unless you have a static IP (for an extra charge, of course).
As far as I'm concerned, their policy of forcing NAT upon me means they are not delivering the full Internet experience, as many applications either do not work or do not work as well through NAT. I argued with them for about 10 minutes, but arguing with some phone monkey who has no idea how the Internet works (or is supposed to work) is futile, and I wasn't about to give them any more money, so I just lived with it.
...without a firewall on your router? Seriously, unless you invest deeply, 90% of the consumer grade devices can't do that - my router supports IPv6 in theory (no carrier support yet to test it) but only has a 400 MHz CPU. Trying to implement any stateful firewall on that will just make the system unstable if you make some more intensive use of the connection (streaming HD TV, torrents, etc). No "smart" device I have in my home supports firewalls apart from my PC, so they can not be trusted to just cope on their own.
I'm probably missing something I guess, but it just doesn't seem like a genius prospect to me.
... in what fantasy world would this have worked? Upgrading the IP version number by itself is an incompatible change, and any address-space extension means that a stateless, 1:1 address mapping is impossible. Once a stateless mapping is impossible, we're right back to the current mess of transition, since new-IP hosts would not be able to talk to old-IP hosts without an intermediary.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
What's the worm traffic (ssh and other) on the IPv6 internet?
According to the network administrators I've spoken to (admittedly a biased sample), almost all the malware traffic they're seeing is over IPv4. They say they'll deal with IPv6 malware when it appears.
Who said SSL = user accounts?
Nobody, necessarily. It's just that the CPU and latency hit of SSL is more justifiable when information private to a particular user is being transmitted. And sometimes a web site operator finds the insight that an XFF proxy gives into which customer is actually causing a problem worthy of a block valuable. Perhaps either or both of these reasons is part of why Slashdot, for example, redirects all HTTPS accesses to HTTP except for logged-in paying subscribers.
I can use https on Google and Wikipedia without logging on.
There are bans, and then there are bans. Both sites you mention (Google Search and Wikipedia) are useful for reading even if a particular user or anonymous users behind a particular IP are blocked from editing. An IP address found to be the source of vandalism can be blocked first from editing anonymously, then from editing with any user account (if the problem is believed to arise from sock or meat puppetry), and finally (unlikely) from reading. If you're on HTTPS, and you're not logged in, and you're behind a Big Honkin' NAT, and the NAT's IP address shares an owner with a recognized XFF proxy, and the IP is blocked, then you might end up redirected to HTTP so that the site can read the XFF header sent by the proxy.
I didn't know firewalls can keep Jehovah's Witnesses out.
I don't know why you'd want to keep Jehovah's Witnesses out, but if you insist, you can use APK's old standby: a hosts file.
What's the worm traffic (ssh and other) on the IPv6 internet? The weird IPv6 people want us to just hop on IPv6 by tunneling under our old IPv4 firewall/routers. So how much parasitism and hacking is on the new network? And can we expect a wave of new attacks/exploits to happen to people who turn on IPv6 and blindly bypass the only protection they have?
Unlike IPv4, it is not practical to probe the IPv6 network blindly. You need to know the IP address of your target exactly. There is no guessing it.
A worm on IPv4 can send a packet to a random IPv4 address and have a high chance of that packet actually reaching someone. There are only about 4 billion IPv4 addresses. Even a single computer can send to every single IPv4 address in a span of only a few hours. If there are thousands of infected computers sending random packets, they've got the IPv4 network covered in mere moments.
Fast forward to the IPv6 world. IPv6 has an address space of 128 bits. This is the same size as strong encryption keys. Sending to a random address has zero chance of actually reaching anyone.
IPv6 addresses can be split into the first 64 bits, called the prefix, and the other half of 64 bits, called the host identifier. Let's say you somehow learned the prefix of some user. But even if you only have to guess 64 bits of host identifier, the chance that you are going to hit his computer is so extremely low that we can call it zero.
What if you already know his full address? You won't for long. Most operating systems today have privacy extensions enabled. This is a system that makes your computer change the host identifier part of your address on a regular basis (at least once per day).
People will still have routers and those will provide firewall services on IPv6. You would not get past that, but even if you did, you would not be able to simply guess an address. You can only send packets to people that recently sent packets to you first, or which otherwise advertised the address through DNS or through a peer to peer network such as BitTorrent.
Bottom line: Classic worms and cold scanning are history on IPv6.
When the entire ISP gets blacklisted for this or that reason, causing users to leave in droves, they'll see the error of their ways...
Because otherwise, they will just end up running out of ports when they have a larger number of people simultaneously using their services.
You do know that NATs can have more than one IP on the WAN side right?
Yes, there is a limit to the customer-to-IP ratio that can be achieved, but unless an ISP is growing very quickly, ISP level NAT should give them enough breathing room for the foreseeable future.
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
Note: for now this is only an opt-in trial.
Yes, it's sad. RIPE have run out of IPv4 addresses while many internet resources are only available on IPv4. So growing ISPs have no real choice but to deploy mechanisms that allow users to access those resources while using less than one IPv4 address per user. The only real question is which such mechanism to deploy (each has its pros and cons).
I would be stunned if ISPs started routinely proxying all HTTP traffic
AOL did.
(and they don't stand a chance with HTTPS)
Anonymous visitors coming from an ISP whose NAT IP is blocked but whose proxy is known to add reliable XFF headers would get redirected from HTTPS to HTTP so that they can view the site through the proxy.
CPU & latency have not been an issue for years now.
HTTPS involves more round-trips than HTTP. True, SSL latency has been solved for wired Internet links (fiber, cable, DSL), but latency is still a problem with cell and sat links.
Everything else you explained either compromises functionality or makes everything far more complex.
Complexity is a stopgap until the Rest Of The World completes the IPv6 upgrade.
Simply deploying IPv6 solves all the issues.
The issues are exactly the same for an ISP that has installed carrier-grade NAT64 so that IPv6-only users can view web sites that don't yet have an AAAA.
If the DMZ device is a video game console, as I've seen it to be in several household deployments, it would probably make the news if someone managed to exploit it for remote execution of homebrew.
Thanks!
You realize that each customer is often going to be using up multiple ports at one time, right? And owing to the inherent statefulness of each connection and resources that the NAT system will have to dedicate to maintaining that state, it imposes a rather severe upper limit on how many ports a single NAT device can actually utilize at once.
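The mapping-table behaviour behind the comment above and the earlier comment about NATs only forwarding ports they already have a mapping for, as an added Python example that is not from the thread or any vendor's CGN: customers sit in the RFC 6598 100.64.0.0/10 range, public addresses and port range are constructed, and idle timers are replaced by an explicit release call.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed toy CGNAT mapping table. It shows (a) why unsolicited inbound
# packets are dropped, (b) how the shared public-port pool bounds the number of
# simultaneous connections, and (c) the (proto, public IP, port, time) log an
# ISP needs to answer "which customer was this?" for an abuse report.

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 customer side


@dataclass(frozen=True)
class Mapping:
    proto: str
    customer_ip: str
    customer_port: int
    public_ip: str
    public_port: int


class CarrierGradeNat:
    def __init__(self, public_ips, port_range=(1024, 65536)):
        # One pool of (public IP, port) pairs shared by every customer.
        self.free = deque((ip, p) for ip in public_ips for p in range(*port_range))
        self.outbound = {}  # (proto, cust_ip, cust_port) -> Mapping
        self.inbound = {}   # (proto, pub_ip, pub_port)  -> Mapping
        self.log = []       # [start, end_or_None, Mapping] for later lookups

    def translate_outbound(self, proto, cust_ip, cust_port, now) -> Optional[Mapping]:
        """Customer-originated packet: reuse or allocate a public (ip, port)."""
        if ipaddress.ip_address(cust_ip) not in SHARED_SPACE:
            raise ValueError(f"{cust_ip} is not in RFC 6598 shared address space")
        key = (proto, cust_ip, cust_port)
        if key in self.outbound:
            return self.outbound[key]
        if not self.free:
            return None  # pool exhausted: the new connection simply fails
        pub_ip, pub_port = self.free.popleft()
        m = Mapping(proto, cust_ip, cust_port, pub_ip, pub_port)
        self.outbound[key] = m
        self.inbound[(proto, pub_ip, pub_port)] = m
        self.log.append([now, None, m])
        return m

    def translate_inbound(self, proto, pub_ip, pub_port) -> Optional[Mapping]:
        """Internet-originated packet: delivered only if a mapping already exists,
        which is the "NAT acts as a firewall" effect for unsolicited TCP/UDP."""
        return self.inbound.get((proto, pub_ip, pub_port))

    def release(self, proto, cust_ip, cust_port, now) -> None:
        """Connection closed or idle timer fired: return the port to the pool."""
        m = self.outbound.pop((proto, cust_ip, cust_port))
        del self.inbound[(m.proto, m.public_ip, m.public_port)]
        for entry in self.log:
            if entry[2] is m and entry[1] is None:
                entry[1] = now
        self.free.append((m.public_ip, m.public_port))

    def who_was(self, proto, pub_ip, pub_port, at) -> Optional[Tuple[str, int]]:
        """Abuse lookup: which customer held this public ip:port at time `at`?"""
        for start, end, m in self.log:
            if (m.proto, m.public_ip, m.public_port) != (proto, pub_ip, pub_port):
                continue
            if start <= at and (end is None or at < end):
                return (m.customer_ip, m.customer_port)
        return None


def customers_per_public_ip(ports_per_customer: int, usable_ports: int = 65536 - 1024) -> int:
    """Rough capacity bound: simultaneous customers one public IP can carry."""
    return usable_ports // ports_per_customer
```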