Slashdot Mirror


UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

judgecorp writes "Faced with the shortage of IPv4 addresses and the failure of IPv6 to take off, British ISP PlusNet is testing carrier-grade network address translation (CG-NAT), where potentially all the ISP's customers could be sharing one IP address, through a gateway. The move is controversial as it could make some Internet services fail, but PlusNet says it is inevitable, and only a test at this stage." Regarding the failure of IPv6, these graphs imply otherwise.

51 of 445 comments

  1. I recall MxStream by MathFox · · Score: 3, Interesting

    KPN tried "carrier grade" IP4-NAT in the Netherlands a decade ago... Unfortunately the router software was too buggy and made the routers trash and crash. And how can the customers of the ISP run servers on their computers? NAT has implications for the peer-to-peer nature of the Internet.

    --
    extern warranty;
    main()
    {
    (void)warranty;
    }
    1. Re:I recall MxStream by MickyTheIdiot · · Score: 5, Insightful

      This may be a feature and not a bug to these ISPs.

      The business has changed. They are probably fine with screwing up incoming services. They can charge to fix what they screwed up by using NAT.

    2. Re:I recall MxStream by Anonymous Coward · · Score: 5, Insightful

      Consumer grade network connections do not run servers.

      A far bigger problem is that a lot of internet services these days use IP-based blocks as the final "brute force" version of "you are abusing the service, go away". It would really suck to be under an ISP that shows every customer coming from a single IP. You'd find yourself banned from all kinds of random places as soon as someone using the same ISP decides to be an idiot.

    3. Re:I recall MxStream by idontgno · · Score: 4, Interesting

      > NAT has implications for the peer-to-peer nature of the Internet.

      For a lot of organizations, that's a bonus. If you don't trust the outside network, you certainly don't want to peer arbitrarily with them, and certainly not at any outside machine's initiative. With NAT, an outside system can't initiate connectivity with any machine inside the NAT boundary without some kind of prior arrangement, so no open-ended network scanning.

      If you treat the Internet as a big happy cloud of egalitarian peers collaborating at will, NAT sucks. If you treat the Internet as a bad neighborhood, which you have no way of avoiding between your house and the mall, NAT is the gated neighborhood you live in to keep the unsavory inhabitants of that bad neighborhood away from your pristine lawn and Lexus in the driveway. And people choose gated neighborhoods, and NAT, for that precise reason: separation and protection from the riff-raff, the panhandlers, the burglars and the car thieves, the Jehovah's Witnesses. Mostly the JWs, I think.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:I recall MxStream by Tridus · · Score: 5, Insightful

      Yes they do, pretty regularly. Ever played a multiplayer game?

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    5. Re:I recall MxStream by Anonymous Coward · · Score: 4, Informative

      >> NAT has implications for the peer-to-peer nature of the Internet.

      > For a lot of organizations, that's a bonus. If you don't trust the outside network, you certainly don't want to peer arbitrarily with them, and certainly not at any outside machine's initiative. With NAT, an outside system can't initiate connectivity with any machine inside the NAT boundary without some kind of prior arrangement, so no open-ended network scanning.

      That's what firewalls are for, not NAT. Please stop confusing the two.

    6. Re:I recall MxStream by JDG1980 · · Score: 5, Insightful

      That will be a problem of the ISP then, if their customers can't use legitimate services because the ISP can't differentiate between the culprit and the innocent customers, the ISP has a problem. The ISP then has to have either a very good customer management which allows to disconnect culprits very fast without too many false positives, or the ISP has to introduce some kind of class ips, where the customers without complaints share the "good ip", and customers with some bad stains get degraded to other, partly blacklisted IPs.

      Do you really think any ISPs are going to take on these kinds of responsibilities? You're expecting them to basically be moderators for every forum on the Internet. Aside from the fact that they *shouldn't* be doing this (they should be dumb pipes), they also don't *want* to do this because it's logistically impossible and would open them up to potential legal liability.

    7. Re:I recall MxStream by Sique · · Score: 2

      If you make your users indistinguishable from the outside, you are basically acting on behalf of your users. So yes, put to the extreme, it would mean that you are responsible for all the stuff your users do. Normal "dumb pipes" don't hide the identity of their users. They are just a means to an end, a tool the user wields to reach a goal.

      --
      .sig: Sique *sigh*
    8. Re:I recall MxStream by Miamicanes · · Score: 3, Interesting

      > That will be a problem of the ISP then

      What a wonderfully-naive view of the internet. As we all know, consumers in Britain and America have bountiful high-speed low-latency broadband choices within a healthy, competitive marketplace. We have cable OR dsl... maybe cable AND dsl if we're incredibly lucky, and... er...um...

      Ok, right then. We're fucked.

      Cellular data has low caps and rapidly gets expensive if you're allowed to exceed them without getting throttled to sub-dialup speeds. Satellite data has insane latency, and *insidious* caps whose throttling kicks in at thresholds that aren't necessarily transparent or obvious from the marketing literature. Fiber to the home barely exists, and with the exception of Google in Kansas City, is still the exclusive fiefdom of basically one incumbent large corporation with its own agenda that's vehemently opposed to network neutrality. And those incumbent carriers have all done their best to bribe/buy/bully state officials into passing laws making it illegal for communities (or even existing neighborhoods) to take matters into their own hands, leapfrog over those incumbent carriers, and lay their own open-access fiber *anyway*.

    9. Re:I recall MxStream by FireFury03 · · Score: 3, Informative

      > With NAT, an outside system can't initiate connectivity with any machine inside the NAT boundary without some kind of prior arrangement

      That's untrue. Most consumer NAT routers (at least the ones I tested about 3 years ago - doubt it's really changed) don't bother to include a stateful firewall and with appropriate ISP-side routing, will happily let connections into the private network. What you need is a stateful firewall, not NAT - that will protect you, and also doesn't completely fuck up loads of protocols at the same time.

      The depressing thing (other than idiots claiming that NAT is good for security) is that Plusnet *were* trialling IPv6, but pulled the plug on the trial last year. When I asked them a month or so ago, they informed me that they had no plans to roll out IPv6 at all. Time to switch to a competent ISP if you're with Plusnet, I suspect (EntaNet and AAISP both offer v6 connections over DSL).

    10. Re:I recall MxStream by hairyfeet · · Score: 3, Insightful

      Uhhh...and the ISP is gonna give a shit....why exactly? If it's like most places in the USA they know they have you by the short hairs, where you gonna go? Shitty satnet? Assraping cellular? Most places have one, maybe 2 choices if you are lucky and the ISPs KNOW THIS. In my area they can assrape me with caps, CG-NAT and any other shitty thing all they want because they know it's a choice of them or a 2Mbps on a good day DSL that the carrier (AT&T may they rot in hell) have made clear it's a DO NOT FIX.

      BTW all of those that have DSL? May want to be looking for an exit as the rumor is that AT&T is seriously looking at bailing on DSL. The reason being they are making assraping money on wireless and they don't want to spend any money upgrading the landlines when they can force everybody onto shitty data plans. Boy that "free market" really works huh? If they do pull out it will leave the cableco with a monopoly on landline Internet in many places and you think you are getting buttfucked now? Oh boy just you wait. Already mine has started playing "the cap game" which is REAL fun. Use their VoIP? No cap, Vonage? Cap. Use Windows all the updates have no cap, Linux or Mac? Cap city, use their PPV? No cap, Netflix? You get the picture.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:I recall MxStream by suutar · · Score: 2

      No, but it'll make a great basis for a lawsuit that forces them to give up the CGNAT idea. Assuming the RIAA/MPAA don't realize that everyone sharing one IP address will make tracking sharers harder and axe it themselves.

    12. Re:I recall MxStream by realityimpaired · · Score: 3, Funny

      Sure they do... but you have to keep recasting it every few rounds because it expires.

    13. Re:I recall MxStream by suutar · · Score: 2

      It's an expected function of routers. I've never seen a firewall appliance that did NAT.

    14. Re:I recall MxStream by gbjbaanb · · Score: 2

      > It would really suck to be under an ISP that shows every customer coming from a single IP

      not necessarily.... I'm waiting for the RIAA to come down hard against this carrier-grade NAT concept... Maybe someone should tell them they're trying to sneak this pirates free-pass in... :-)

  2. Not "instead of", but "in addition to" by Anonymous Coward · · Score: 5, Insightful

    Dual-stack deployment with NAT'd IPv4 alongside with IPv6 is the only viable short-term option for consumer ISPs. You can't just cut off people from the IPv4 internet, you'd leave them with a pretty much useless internet connection.

    1. Re:Not "instead of", but "in addition to" by FridayBob · · Score: 2

      > ... You can't just cut off people from the IPv4 internet, you'd leave them with a pretty much useless internet connection.

      Luckily, IPv6-only connections are becoming less useless every day.

    2. Re:Not "instead of", but "in addition to" by petermgreen · · Score: 2

      > Dual-stack deployment with NAT'd IPv4 alongside with IPv6 is the only viable short-term option for consumer ISPs.

      NAT'd IPv4 alone is also a "viable" option :(.

      From a quick search it seems plusnet have run an IPv6 trial in the past but are not currently offering any IPv6 service :/ Hopefully they fix that before they start rolling out ISP level NAT for real.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:Not "instead of", but "in addition to" by bobbied · · Score: 4, Interesting

      You are right.

      I never really understood why we didn't just map all the IPv4 addresses to an IPv6 subset and provide a very simple rule to translate, say by adding all zeros or some other number to the IPv4 address to get its IPv6 one. Then start forcing the adoption of IPv6 by not accepting v4 traffic from the top down through the domain registration authorities and hosting providers. Get legal agreements from them to not route IPv4 traffic in exchange for IPv6 address assignments and allowing new domain registrations, force top level domain authorities to only support IPv6 going forward.

      You want to keep your website available? You want your customers to see new domains? You need an IPv6 assignment because we won't route v4 traffic and DNS is going to give you an IPv6 address. ISPs would then be free to provide IPv4 connections, but only if they did the translation to IPv6 internally themselves, which would end up costing IPv4 customers more money and limiting what they can see.

      Eventually, there would be enough pressure for the ISPs to push IPv6 down the food chain to the end user who will either pay more for IPv4 service, or upgrade to IPv6. Eventually there will be a tipping point and IPv6 will see universal acceptance.

      The problem here is that nobody really has the necessary power to force IPv6 on the world.... So we will keep bumping along trying more and more incremental patches to IPv4. Eventually, you could be behind 20 NATs wondering why your SIPP/VOIP device won't make any calls...

      Hey, how about we just put all of the adult content on IPv6 only addresses.... You know THAT would set a fire under things....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:Not "instead of", but "in addition to" by Chirs · · Score: 5, Informative

      > I never really understood why we didn't just map all the IPv4 addresses to an IPv6 subset and provide a very simple rule to translate, say by adding all zeros or some other number to the IPv4 address to get its IPv6 one.

      Um....they did?

      http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses

    5. Re:Not "instead of", but "in addition to" by jez9999 · · Score: 2

      > Luckily, IPv6-only connections are becoming less useless every day.

      Yep. I love browsing Slashdot at home with my IPv6 conn... oh wait.

  3. Really instead of ? by pumpkin2146 · · Score: 2, Insightful

    I highly doubt it makes sense for plusnet to do this "instead" of IPv6, but it does make sense to do this "as well" as IPv6.

    I see the transition involving something like these 5 steps.

    1.) Everyone needs IPv4, IPv6 is useless (no content).
    2.) Everyone needs IPv4, IPv6 reduces the amount of IPv4 traffic you use.
    3.) Most people still need IPv4, but IPv6 is most of the traffic.
    4.) IPv4 is a niche requirement. Most normal users won't notice if they don't have it.
    5.) IPv4 is Cobol and I come back and get a fat paycheque because I still remember how it works.

    I think we are at (2) right now. I think CGN *IS* inevitable (even if it sucks) as part of a transition strategy. If we had started transitioning seriously a few years ago, we might have avoided this, but we didn't.

    1. Re:Really instead of ? by characterZer0 · · Score: 4, Insightful

      > If we had started transitioning seriously a few years ago

      Some of us did. All the computers and network equipment at my house have been ready for IPv6 for years. I am just waiting for my ISP to get with the program.

      ISPs are the problem here. But with government-granted monopolies without regulation, they have no incentive to support IPv6.

      --
      Go green: turn off your refrigerator.
    2. Re:Really instead of ? by Alomex · · Score: 3, Informative

      > ISPs are the problem here.

      Actually Windows 7 is also part of the problem and a step backwards. You see it has a buggy Teredo implementation leading to a ton of Teredo Ethernet adapters hanging on to their entries in the ipconfig tables. Some people report up to thousands of adapters. This has led to various organizations disabling the IPv6 stack in their Windows network configuration.

  4. Fastweb Italian Provider by paulatz · · Score: 2

    The Italian provider Fastweb (pioneer of optical fiber connections in Italy) has been doing it for ages, technically since the very beginning of its business.

    The main drawback for its customers has been with P2P programs, as direct peer-to-peer connections do not work well with NAT. As the Fastweb customers are not NATed with respect to each other, some of them even developed a special version of aMule (the most common P2P network at that time) called "adunanza" that would work inside the ISP-level network. Bittorrent is somehow less sensitive to the NAT problem, hence an "adunanza" torrent client was never developed.

    I suspect this may actually be a strong motive behind such a silly ISP choice: reduce the exposition of P2Ping customers to the outside world. If the aim is to reduce P2P or just to hide it from the mayor's private police, it's hard to tell.

    --
    this post contain no useful information, no need to mod it down
    1. Re:Fastweb Italian Provider by pmontra · · Score: 2

      Fastweb is opening up its network. Residential customers with new routers have a public IPv4 address and can open ports on the router (but not port 5000).

      Too bad the new routers are not very good. Other customers and I are experiencing weak WiFi signal and a lot of lag over WiFi between devices inside the home network (wire is fast). That's ok for browsing with a phone but I'm also experiencing problems handling concurrent connections: even a 2 Mb/s data stream (video streaming, a backup, etc) seems to affect significantly the responsiveness of the other connections (it's a 10 Mb/s symmetric fiber optic line). The old router was much better, but had no WiFi: the now discontinued Fastweb's TV set top box could get a 4 Mb/s MPEG2 stream and the other computers in my home could access the internet at 6 Mb/s without any problem. I wonder if they messed up the home router or their network.

  5. This is just the beginning by alphaminus · · Score: 5, Informative

    Rather than doing this correctly, it will go like this. All "home" users will get CG-NAT. "Business" users will be allowed public IPs at a steep premium, and only when that possibility is completely exhausted, will IPv6 truly begin to be implemented. Hell, people might just use duct tape code and NAT subterfuge to drag this out another decade or two.

  6. Re:Am I reading that graph wrong? by Albanach · · Score: 2

    What I see is less than 11% of the thousand most popular sites has adopted IPv6

    I'd imagine the hundred most popular sites account for the vast majority of internet traffic. So it really depends where in the list of 1,000 sites that 11% is. I wonder if folk would feel differently if the ISP in question were to offer an unrestricted ipv6 connection or NAT based ipv4 at the customer's choice?

    If a country the size of the UK were to set a switchover date and move to ipv6, the vast majority of English language sites would be running ipv6 by the switchover date for fear of losing that audience. It might take regulation though, as no ISP wants to be first for fear of losing customers.

  7. My Rant.... by ZiakII · · Score: 5, Informative

    How the hell does slashdot.org not support IPV6, I thought this was a tech website?

    1. Re:My Rant.... by Mr_Silver · · Score: 5, Informative

      > How the hell does slashdot.org not support IPV6, I thought this was a tech website?

      Forget IPV6 ... it doesn't have valid HTML, valid CSS and looks terrible on mobile devices.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    2. Re:My Rant.... by the+eric+conspiracy · · Score: 4, Insightful

      Edit should be supported until moderation or a reply occurs.

    3. Re:My Rant.... by jones_supa · · Score: 2

      Sometimes it drives me nuts when I see just an edited message "*** never mind, got it working***" with no idea what the problem or the solution was. It could have been helpful to others...

    4. Re:My Rant.... by WaffleMonster · · Score: 2

      IPV6 is great in theory, but it's solving a problem that does not exist. When the internet was started, the idea was that every workstation would be on the internet. Once security became a concern, all those workstations ended up behind firewalls. With firewalls, there is no reason to not NAT.

      Doing away with ALGs makes the system more secure than restricted cone NAT.

      Since only the firewalls need be internet facing, the number of IPs drops drastically.

      It is still much less than the number of people on this planet. I believe each and every one of them with network access should have the opportunity to be individually addressed if that's what they want.

      Multiple web servers and web sites can share a single IP.

      Or we can bite the bullet and dispense with all of these shitty hacks that suck, dramatically increase complexity, incur security and accountability problems, don't scale and require permission/coordination from the ISP. Native IPv6 deployment has the same complexity as native IPv4 deployment.

      There are people that think that they still need an internet facing IP on every workstation, but the reasons are more personal than practical.

      Or maybe they just want to be able to access their computer from somewhere else on the network?

    5. Re:My Rant.... by Threni · · Score: 2

      No, it's shit. Produces pages you can't scroll on the S3, using Chrome, a quad-core phone.

  8. ipv6 by geekoid · · Score: 2

    failure of IPV6 = We don't want to spend money helping our customer.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  9. Re:Am I reading that graph wrong? by Guspaz · · Score: 4, Informative

    Google reports about 1% of their traffic is IPv6. That's probably a better estimate of IPv6 deployment.

  10. IP Theft from IP... by KitFox · · Score: 5, Interesting

    So what happens when the "copyright enforcement agencies" decide that somebody on that NAT IP has downloaded a movie and three strikes or something similar gets kicked in for the IP? (I know it's perfectly possible given port, IP, and Time to back-track a connection through a properly-logged NAT. Just an amusing side effect if somebody is dumb, and dumb happens a lot these days.)

    --

    @Whee
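
The back-tracking through a logged NAT that the comment above mentions, as an added example that is not part of the original thread. The log line format, the addresses, the timestamps and every function name are constructed assumptions, not any vendor's format; the point is that a report needs public IP, port and time together, and that reused ports and clock skew can still leave more than one candidate.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Constructed sample log (assumed format, not a real product's):
# event, UTC time, protocol, subscriber-side ip:port, public-side ip:port
SAMPLE_LOG = """\
ADD 2013-01-17T10:00:00Z tcp 100.64.0.10:51000 203.0.113.5:4000
ADD 2013-01-17T10:00:05Z tcp 100.64.0.22:40001 203.0.113.5:4001
DEL 2013-01-17T10:05:00Z tcp 100.64.0.10:51000 203.0.113.5:4000
ADD 2013-01-17T10:06:00Z tcp 100.64.0.37:33333 203.0.113.5:4000
DEL 2013-01-17T10:20:00Z tcp 100.64.0.22:40001 203.0.113.5:4001
"""


class Mapping(NamedTuple):
    proto: str
    inside: tuple             # (subscriber ip, port)
    outside: tuple            # (public ip, port)
    start: datetime
    end: Optional[datetime]   # None: still open when the log ends


def parse_ts(text):
    """Parse the log's UTC timestamp into an aware datetime."""
    parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def parse_endpoint(text):
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_log(text):
    """Pair ADD/DEL events into mappings with a lifetime."""
    open_maps = {}            # (proto, outside) -> (inside, start)
    closed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, when, proto, inside, outside = line.split()
        key = (proto, parse_endpoint(outside))
        if event == "ADD":
            open_maps[key] = (parse_endpoint(inside), parse_ts(when))
        elif event == "DEL" and key in open_maps:
            ins, start = open_maps.pop(key)
            closed.append(Mapping(proto, ins, key[1], start, parse_ts(when)))
    for (proto, outside), (ins, start) in open_maps.items():
        closed.append(Mapping(proto, ins, outside, start, None))
    return closed


def trace(mappings, public_ip, when, public_port=None, proto="tcp",
          skew=timedelta(0)):
    """Return the subscriber IPs consistent with a report.

    public_port=None models a report that only recorded the IP address;
    skew widens each mapping's lifetime to allow for the reporter's clock.
    """
    hits = set()
    for m in mappings:
        if m.proto != proto or m.outside[0] != public_ip:
            continue
        if public_port is not None and m.outside[1] != public_port:
            continue
        started = m.start - skew <= when
        not_ended = m.end is None or when <= m.end + skew
        if started and not_ended:
            hits.add(m.inside[0])
    return sorted(hits)


if __name__ == "__main__":
    maps = parse_log(SAMPLE_LOG)
    ip = "203.0.113.5"
    # Same public port, two different subscribers at different times.
    print(trace(maps, ip, parse_ts("2013-01-17T10:03:00Z"), 4000))
    print(trace(maps, ip, parse_ts("2013-01-17T10:10:00Z"), 4000))
    # No port in the report: every subscriber active at that moment matches.
    print(trace(maps, ip, parse_ts("2013-01-17T10:03:00Z")))
    # One minute of clock skew around a port hand-over: two candidates.
    print(trace(maps, ip, parse_ts("2013-01-17T10:05:30Z"), 4000,
                skew=timedelta(seconds=60)))
```
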

  11. Re:Am I reading that graph wrong? by mwvdlee · · Score: 2

    Just recently an IPv6 proponent sent me a chart showing IPv6 traffic growing from 0.25% to 1% of the Internet in a year as proof of its "impending success" and "rapid adoption".

    Let's invent IPv8 and set up a single server and client; the rate of adoption will be 1.#INF within its first year!

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  12. Worst rant ever by saveferrousoxide · · Score: 3, Funny

    There's no words in all caps, no fantastical assertions, not a single typo, and it's 15 words long!! I'll give you some charity style points for using 100% improper punctuation, but really: 2/10. Hell, this rant about your rant was nearly 3x longer!! You should be ashamed.

  13. failure? by slashmydots · · Score: 2

    Failure to properly plan and fund and implement IPv6 for your own company is not what I would call a failure of IPv6.

  14. To invite someone who's not quite unsavory by tepples · · Score: 2

    > NAT is the gated neighborhood you live in to keep the unsavory inhabitants of that bad neighborhood away from your pristine lawn and Lexus in the driveway.

    So how should a resident invite someone who's not quite unsavory? For example, to use your example of Jehovah's Witnesses, I study the Bible weekly with one of them. If my neighborhood were to adopt a firewall with a "JWs keep out" policy, I'd be pretty disappointed.

  15. Three birds with one stone by tepples · · Score: 4, Interesting

    > That's what firewalls are for, not NAT. Please stop confusing the two.

    But they're not entirely orthogonal, as NAT imposes a firewall by default. It takes down three birds with one stone, namely delaying the effects of IPv4 depletion until an IPv6 rollout can be afforded, firewalling out those assumed to be unsavory, and upselling business class connections to home-based businesses. How would NAT be implemented without a firewall?

    1. Re:Three birds with one stone by drinkypoo · · Score: 2

      > How would NAT be implemented without a firewall?

      We should probably stop using the term "firewall" for anything that is not a filtering appliance. It means less and less all the time. We know what IP filters are, let's call them that. Anything with ACLs is a firewall, most firewalls are also lots of other things these days, minimally including VPN appliances...

      NAT thus requires a router, with NAT capabilities. You don't have to actually do any deliberate filtering. And yet, as you say, you do gain some of the benefits of firewalls for those clients on the NAT segment.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Three birds with one stone by mellon · · Score: 4, Insightful

      This is actually not true. Most NATs can be penetrated from the outside; they have to be able to be penetrated, or things like Skype don't work. Pretty much any UDP-based protocol requires that the NAT open holes. So the notion that NAT == Firewall is utterly incorrect, and in fact the feeling of security that you apparently have based on this misconception is likely to cause you harm in the future.

    3. Re:Three birds with one stone by mark-t · · Score: 2

      That's the inherent problem with NAT... and CGN in particular. Unless you punch holes in a NAT, the Internet breaks for any end-to-end communication. You can only punch holes in a NAT when you administrate the NAT.

      But this is Carrier-Grade NAT.... ie, the NAT is not at the consumer level, but at the ISP level. Can you imagine the nightmarish logistics of having all of the ISP's customers be able to individually punch holes in it for their own applications on a NAT that they don't even actually own?

    4. Re:Three birds with one stone by TheRaven64 · · Score: 2

      The search term you are looking for is 'port rebinding attack'. This is a vulnerability that only NAT'd networks are vulnerable to. A firewall without NAT doesn't introduce this problem.

      --
      I am TheRaven on Soylent News
  16. Should be noted by Pop69 · · Score: 2

    PlusNet is a subsidiary of BT, the ex state telecom monopoly. BT also operate the vast majority of ADSL infrastructure in the UK. BT Openworld, their other broadband brand name claim to be the largest UK ISP by number of subscribers.

    Where BT test on PlusNet then likely everything else BT will follow

  17. Graham's hierarchy by tepples · · Score: 2

    Even more stupid on Graham's hierarchy is name-calling, which calls one's arguments "downright stupid" while giving no evidence of why they're "downright stupid".

  18. Re:The failure of IPv6 was predicted years ago by Dagger2 · · Score: 2

    I'm an early adopter of IPv6. I don't believe your claim that it offers me nothing, because it's been making my life easier for years now.

  19. Big Dumb Pipe by ThatsNotPudding · · Score: 5, Interesting

    There should be a Kickstarter campaign to create an ISP that is actually named Big Dumb Pipe with promises not to up sell, or offer 'cloud storage', or offer security suites to protect your snowflakes, or pretend to be a content creator, but merely provide access and up time, for they are only a Big Dumb Pipe (tm). Oh; and no caps or throttling.

  20. Re:Speaking of IPv6 and firewalls, how infested is by klapaucjusz · · Score: 2

    What's the worm traffic (ssh and other) on the IPv6 internet?

    According to the network administrators I've spoken to (admittedly a biased sample), almost all the malware traffic they're seeing is over IPv4. They say they'll deal with IPv6 malware when it appears.