UK ISPs Respond To the Dangers of Using Carrier Grade NAT Instead of IPv6
Mark.JUK writes "Several major Internet Service Providers in the United Kingdom, including BSkyB, Virgin Media, TalkTalk, AAISP and Fluidata, have warned that the adoption of Carrier Grade NAT (IPv4 address sharing) is likely to become increasingly common in the future. But the technology, which many view as a delaying tactic until IPv6 becomes more commonplace, is not without its problems and could cause a number of popular services to fail (e.g. XBox Live, PlayStation Network, FTP hosting etc.). The prospect of a new style of two tier internet could be just around the corner."
A few of the ISPs gave the usual marketing department answers, but three of them noted that they've been offering IPv6 for ages and CGNAT is only inevitable for folks that didn't prepare for what they knew was coming. Which, unfortunately, appears to be most of the major UK ISPs.
If, and only if, they do offer IPv6 services to their customers then I am pretty cool with this. Realistically IPv4 is done. There is no real other option for the ISPs than to move to this type of setup for backwards compatibility and push IPv6 for full compatibility.
Unlike the US, where if people get bad service, they get vocal and kick up a stink, the British have a tendency to just wear it. Expensive, shit service is par for the course here, and business and the 1% know it.
I've been following the IP6 thing here in the UK with interest. BT the major supplier seem to be uninterested in full IPV6 for all customers. I've seen statements that they are pursuing CGNAT for IPV6. If this is true it beggars belief. The only reason I can see that makes any form of sense is the attempt to stop a proliferation of home based servers, such as toasters, fridges, TV & PVRs etc.
"If you wait long enough, it will go away... after having done its damage. If it was bad, it will be back."
What incentive is there for ISPs to go IPv6?
Surely having a two-tier internet just allows for more marketing opportunities...
I HATE it!!!! No SIP telephony. No remote access. No server hosting stuff. The only way I've been able to access a carrier-NATted network from the outside is by having the CPE router establish a VPN tunnel on connection to the internet. Even then the traffic has to flow through the VPN hub, so yeah carrier-NAT SUCKS!!!
I didn't know Pink Floyd was talking about ISPs.
"Hanging on in quiet desperation is the English way. The pool is gone, v4 is over. Thought I'd more addresses to assign."
.. your country bought a shit load of IP addresses in the early days of the Internet.
for the record:
Slovenia population: 2M
IP4 reserved IP: 2.5M
http://www.nirsoft.net/countryip/si.html
Love many, trust a few, do harm to none.
Even if an ISP implements IPv6 or dual stack for his residential customers, they will still face problems:
- IPv6-only customer will not be able to reach IPv4-only content (and I bet there will be lots of it for years) without CGN (NAT64)
- not enough public IPv4 addresses for all customers means that there has to be a form of NAT deployed centrally (CGN with NAT44) to provide them with IPv4 access (again, not all content is reachable by IPv6).
Of course public IPv4 addresses (going around CGN) will be still there, you will just need to pay more for them. Marketing departments are not going to miss such an occasion, after all they need a financial explanation to rollout of IPv6.
If you want to host a game server or FTP, you still can. Just pay a tad more for the privilege, right?
IPv6 by itself is not going to resolve everything and avoid CGN usage. Those ISPs who say "we deployed IPv6 and it fixes everything" forget about the problem underneath (trailing/legacy IPv4 content).
I can't really believe that no one has thought of this or even suggested it.
Premium rates should be charged for IPv4 addresses, or even taxed/levied by the government, therefore making IPv6 cheaper.
Most people won't care if they get an IPv6 address or IPv4 address. If IPv6 is cheaper then people will go for it.
Perhaps the reason why carrier grade nat is being bandied about is because the government and its various security services want to monitor us even more, and carrier grade nat will make that even easier.
So you've got an ISP that uses ipv6 and you get your own address so every service on the internet is guaranteed to work (sort of). Then you've got an ISP where rumor gets around that you all share one IP and that might cause a gigantic list of problems, break a ton of services, prevent you from accessing millions of websites that IP-banned "you," etc. Guess which ones customers are going to go for. You need zero technical knowledge to tell someone that with one ISP a ton of stuff on the internet doesn't work and with the other it works just fine.
NAT64 is not too bad, and it puts the problems to the right side. If the IPv4 side complains that they run into problems because of those many connections from the same IP, they know they have to move to IPv6.
WTF!? He just one-hit killed me. That's some Carrier Grade bullshit right there.
At DeweyCheatam&Howe, we are committed to combining Carrier Grade customer service with Wall Street Grade executive profits.
Come on, dude, stop driving that Carrier Grade '60s clunker and get a real car!
She's my ex-girlfriend now, because that Carrier Grade whore was in our bedroom with some poolboy from down the block.
You can hold down the "B" button for continuous firing.
Do you really think you are going to get everyone to adopt an IPv7 before IPv6 is ubiquitous? Some people are already invested in IPv6. It will send the wrong message if the standards organizations start changing the recommended protocols before the current ones are widely adopted. Even less organizations will want to be early adopters. Without early adopters, there will not be any late adopters who wait until charges are widespread before switching.
Absolutely no IPv6 proponent is suggesting that anyone adopt ipv6 at this time without having a dual ipv4/ipv6 stack. The point of having ipv6 is to be able to connect to future possible ipv6-only content... which will start proliferating once the norm became people having both stacks. Much like how windows-only apps started becoming the norm even while it was still essentially just a GUI over top of DOS.
File under 'M' for 'Manic ranting'
ipv7 will not be necessary until we start colonizing other planets... *OUTSIDE* of our solar system.
File under 'M' for 'Manic ranting'
Even if an ISP implements IPv6 or dual stack for his residential customers, they will still face problems:
- IPv6-only customer will not be able to reach IPv4-only content (and I bet there will be lots of it for years) without CGN (NAT64)
- not enough public IPv4 addresses for all customers means that there has to be a form of NAT deployed centrally (CGN with NAT44) to provide them with IPv4 access (again, not all content is reachable by IPv6).
First off, one should generally be dual-stack at this point.
If you're out of public IPv4 addresses, then give the end-point an IPv6 address and use NAT64; do NOT give them a private/RFC1918 IPv4 address, and set up NAT44.
I'm pretty sure that, that's what the carrier grade NAT will accomplish.
Perhaps, but it's impossible, which rather puts a damper on doing it.
This is what we already did with IPv6.
It'd probably be enough for a large portion of our galaxy, too.
NAT64 is not the solution so many here make it out to be. The original sensible migration path was to use dual stack and get most services over to ipv6 before the v4 space ran out.
Everyone here knows the problems with less than 1:1 NAT in a pure v4 world. Slashdot'ers complain bitterly about it all the time. NAT64 brings all those problems and more.
Think about this. Suppose your v6 only mail relay needs to send mail to a v4 only relay. It looks up the MX for the domain, then looks up the name it gets in response. Oh there is only A record no AAAA. Okay no problem right?
We will just set up our DNS server to generate synthetic AAAA records when only an A rec exists and prefix the A record with the ipv6 network address space allocated for NAT'ing to the ipv4 space. Sounds good but now you have to give up DNSSEC or deal with even more complexity.
Oh that remote mail server wants to do a reverse lookup? How does a v4 only host deal with ipv6 PTR record? It probably doesn't. In any case the source ip points back at an address being used by the NAT gateway; but that's dynamic so the DNS server is going to have to be aware of the NAT device and probably be capable of generating synthetic PTR records on the fly.
NAT64 is probably fine for the base case of contacting some webserver via http(s). It really falls down pretty fast when you think about other protocols, and typical SOPs on legacy systems that make all kinds of assumptions about ipv4 addressing. It's not just smtp either; think about all the stuff both older UNIX and Windows systems do by source subnet. Which by definition are the ones you have the NAT64 gateway in the first place. As for WWW access a traditional layer 7 proxy server for use when only an A record exists is likely a better choice.
This feet dragging that's gone on will mean that largish deployments of things like NAT64 are likely to be required; and that's unfortunate; because it takes what would have been a somewhat complex transition and turned it into something that is going to be a costly train wreck with difficult and confusing brokenness all over the place.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
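Added example, not part of the thread: the DNS64 synthesis described in the comment above, sketched in Python. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 and a constructed mail-relay address (192.0.2.25); the function names are illustrative.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. With a /96 the IPv4 address simply
# occupies the low 32 bits of the synthesized IPv6 address.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the synthetic AAAA a DNS64 resolver returns for an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the IPv4 destination, as the NAT64 gateway does per packet."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None  # a native IPv6 destination, not a translated one
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Return (address, synthesized) pairs.

    Real AAAA records are passed through untouched. Synthesized ones are
    flagged: the zone owner never signed them, so a client that validates
    DNSSEC itself has no signature covering the answer it receives.
    """
    if aaaa_records:
        return [(ipaddress.IPv6Address(r), False) for r in aaaa_records]
    return [(synthesize_aaaa(r, prefix), True) for r in a_records]


def reverse_name(ipv6):
    """ip6.arpa name a PTR lookup on the synthetic address would query."""
    return ipaddress.IPv6Address(ipv6).reverse_pointer


if __name__ == "__main__":
    # Constructed case: a v4-only mail relay with one A record and no AAAA.
    for addr, synthesized in dns64_answer(["192.0.2.25"], []):
        print(addr, "synthesized" if synthesized else "authoritative")
        print("gateway forwards to", extract_ipv4(addr))
        print("PTR query name:", reverse_name(addr))
```

The PTR name falls under the NAT64 prefix rather than under the v4 relay's own in-addr.arpa zone, which is why the resolver has to synthesize reverse records as well.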
the big providers in the US, and many of the rest, are IPv6 enabled in the core. but edge equipment at the subscriber is not up to the task, so NAT IPv4 is how it's done here. virtually all of the DSL modems are MD'd (manufacturer discontinued) IPv4, so it makes sense.
if this is supposed to be a new economy, how come they still want my old fashioned money?
CGN has already happened in countries that were late on the Internet bandwagon and got too few IPs.
I am currently an unfortunate subscriber going through CGN, and let me tell you, the time I spent debugging connectivity issues is mindblowing.
For those who don't understand the extent of the problem, CGN is also called NAT444:
Your internal network has an IPv4 subnet, say 10.17.0.x. Then your router is allocated an IPv4 from your ISP. You think that's your IP, but it isn't. Your ISP itself is running NAT internally, and ultimately your data is being sent through the wire to the wider Internet with yet another IP.
So you have 3 networks: IPv4 IPv4 IPv4
Practically speaking, nothing that acts as a server will work. i.e. none of the modern multiplayer networking stacks work reliably, for example. When testing your PS3 networking, it will say (correctly) that you are screwed because you have a "Type 3 NAT", which is Sony speak for NAT444.
We don't have enough for Earth let alone our solar system: http://xkcd.com/865/
it was thinking like this why we got stuck with IPV4
As you wrote - each of ISPs mentioned in the article says in one way or the other that CGN is a necessity.
Problem with IPv6 is that the business case is weak. ISPs have to spend money upgrading to IPv6 without offering anything new to get more income from subscribers. CGN and "pay more for a public IPv4" is, sadly, one of such cases that is likely to go forward.
Not sure if you're trying to be funny, sarcastic, or if you genuinely think that.
The reason we got stuck with 32 bits is because when that was decided upon, nobody ever expected that the internet protocol was going to become ubiquitous. That shortsighted view does not exist today.
Yes, we will run out of ipv6 space eventually... it's a given. But it's not going to happen before we go to the stars.
File under 'M' for 'Manic ranting'
There's an RFC about one group's experience with using IPv6 and NAT64 exclusively (not dual stack): https://tools.ietf.org/html/rfc6586 It looks like the biggest stumbling blocks are chat clients and games. The result is not too surprising, because most P2P networking arrangements involve some kind of passing of IP addresses around, and it's doubtful that most programmers would have put in IPv6 support already.
What's new that they could actually afford to offer more public IPs for home subscribers that actually want them.
And increased customer choice spells more opportunity for commercial gain, does it not?
File under 'M' for 'Manic ranting'
In jest I once remarked that we should keep IPv4 but rejig TCP to support 128 bits of port numbering (or maybe even more). Each client could have a (formerly) full 16bit range of ports and we could support a bajillion devices and do modulo 2^16 math to 'map' to the ports you're familiar with.
People called me evil.
May I repeat that this was in jest.
As you wrote - each of ISPs mentioned in the article says in one way or the other that CGN is a necessity.
Most also say they have no immediate plans to deploy CGN as sufficient IPv4 address space is available within their allocations.
Every last one of them have already or are in process of deploying IPv6.
Problem with IPv6 is that the business case is weak.
Q. Hello, I am Interested in Internet service, do you offer IPv6?
A. No, there is no business case for us to do so.
Q. Thanks for your time....click.
For me this is already reality today. Every RFP without exception we have participated in last 3 years either required or asked about IPv6.
ISPs have to spend money upgrading to IPv6 without offering anything new to get more income from subscribers.
CGN and "pay more for a public IPv4" is, sadly, one of such cases that is likely to go forward
This was never about providing anything "new" it is about getting to *continue* to provide the same level of service.
CGN costs more not only in terms of hardware it costs in customer support and administrative resources required to manage the system vs dumb packet punters.
As an ISP the less CGN you need the less you spend. The more IPv6 you deploy the less CGN you need.
Do you have to look at the network topology and ping a 128-char hex dump?
DNS updates are STILL broken for IPv6 and piss easy for IPv4.
If you're willing to leave everything to "automagically" connect (and then be completely fuggered when it doesn't), then you have a house with magic IP6 pixies running things and hope for the best.
Seriously.
I have a NAS box and a Media server and some computers that will want to share drives and so on.
IPv4 this is EASY (relatively!) to do.
I give my machine the name. It asks for a lease, the DHCP server tells my DNS server what IP address was handed out for what machine and what it should be called.
I can then "ping arthur". As opposed to "ping 192.168.0.93" or use fixed IP addresses and copy the info to my DNS server config and reboot.
But what do you do if you have IP6?
DNS updates won't work. And now you have "ping 2e:92:ee:24:5a:3f:f4:f4:f4:90:0d".
Brill.
The problem with ipv6/ipv4 dual stacking when there is little to no ipv6 only out there is that it is pain now, payoff later...maybe. Unsurprisingly, it's had trouble getting people to line up for it.
Frankly, your ISP doesn't care that much about you, because you're not the vast majority of their user base. People who have even *heard* the terms "IPv4" and "IPv6" are probably less than 1% of their customers.
For accessing IPv4, there are some alternatives to central CGN - 4rd, NAT-E and NAT-T. They are based on idea of keeping complete NAT state in customer routers and assign port ranges to them (e.g. one customer gets 256 ports from one IP, so 256 customers could share one IP) and use IPv6 as an underlying transport protocol for that. Routers translating this to legacy IPv4 internet would be stateless and therefore much more robust, simpler and scalable. Not to mention that having NAT just in customer routers allows users for example configure some static mapping for local services.
Sorry, names of alternatives are not 'NAT-E' and 'NAT-T', but 'MAP-E' and 'MAP-T'.
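Added example, not part of the thread: the port-range sharing arithmetic from the comment above (256 ports per customer, 256 customers per address) as a deterministic mapping in both directions. It uses contiguous port blocks, which is a simplification and not the MAP-E/MAP-T port-set algorithm; the address pool and the report strings are constructed.

```python
import ipaddress

PORTS_PER_CUSTOMER = 256                          # figure used in the comment
BLOCKS_PER_IP = 65536 // PORTS_PER_CUSTOMER       # 256 customers per address
POOL = ipaddress.IPv4Network("198.51.100.0/30")   # constructed pool (documentation range)


def allocation(subscriber):
    """Subscriber index -> (shared public address, first port, last port)."""
    if subscriber < 0:
        raise ValueError("negative subscriber index")
    ip_index, block = divmod(subscriber, BLOCKS_PER_IP)
    if ip_index >= POOL.num_addresses:
        raise ValueError("pool exhausted")
    first = block * PORTS_PER_CUSTOMER
    return POOL[ip_index], first, first + PORTS_PER_CUSTOMER - 1


def subscriber_for(public_ip, port):
    """Reverse mapping. It is pure arithmetic, so the translating router
    needs no per-flow state and attribution needs no per-connection log."""
    ip = ipaddress.IPv4Address(public_ip)
    if ip not in POOL or not 0 <= port <= 65535:
        return None
    ip_index = int(ip) - int(POOL.network_address)
    return ip_index * BLOCKS_PER_IP + port // PORTS_PER_CUSTOMER


def attribute(report):
    """Resolve an abuse report given as 'ip:port' or as a bare 'ip'.

    With the source port the report maps to exactly one subscriber.
    Without it, every customer sharing the address is a candidate.
    """
    ip, _, port = report.partition(":")
    if port:
        match = subscriber_for(ip, int(port))
        return [] if match is None else [match]
    addr = ipaddress.IPv4Address(ip)
    if addr not in POOL:
        return []
    base = (int(addr) - int(POOL.network_address)) * BLOCKS_PER_IP
    return list(range(base, base + BLOCKS_PER_IP))


# Constructed reports: the same shared address with and without a source port.
REPORTS = ["198.51.100.1:513", "198.51.100.1"]

if __name__ == "__main__":
    for report in REPORTS:
        print(report, "->", len(attribute(report)), "candidate subscriber(s)")
```

Server-side logs that record only the client address cannot tell the 256 customers apart, which is why IP bans and abuse handling get coarser once addresses are shared.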
This article was totally lacking in any useful facts about why CGN (Carrier Grade NAT) won't work just fine. As you can see today, lots of games and things like Skype manage just fine to talk to other devices that are also behind a NAT. One of the many ways they do it is ICE (http://tools.ietf.org/html/rfc5245). Most applications today are designed to work behind NATs, that is because most people are behind NATs. Sure, I wish I could wave a magic wand and have everyone using v6 but articles like this that have no factual information on what the problem is or why don't help.
Frankly, your ISP doesn't care that much about you, because you're not the vast majority of their user base. People who have even *heard* the terms "IPv4" and "IPv6" are probably less than 1% of their customers.
I think it depends on who you are. If you are just a residential customer getting service from megaco regardless of what your gripe is the sentiment is fairly universal.
Small ISPs on the other hand care about every customer especially if you happen to have a business account. It only takes a few such calls to light necessary fires.
The larger ones.. the ones who can afford to not care about their customers are paradoxically the ones currently much further along deploying IPv6.
This isn't incremental adoption, this is trying to mash two incompatible networks together and failing; We could be doing this with IPX or even NetBEUI instead of IPv6 and it wouldn't be much more difficult - That's how much of a ballache this is.
It's like no thought was given into the migration strategy when this was conceived - The most important thing in any network is the end-points but, relatively speaking, almost no end-point equipment supports IPv6 apart from computers - Games consoles, remote cameras, phones, PVRs, cable/sat boxes, home routers, I could go on.
Yes NAT is a PITA but at least it doesn't require throwing out the bath and baby out with the bathwater!
What someone needs to implement is sort of endpoint IPv6 IPv4 NAT - that would smooth the way by several orders of magnitude.
And no it's not impossible, just horribly kludgy like NAT; I've seen it done between IPX and IP FFS!
Yes there are more IPv6 addresses than IPv4, but you won't need to access ALL of them and the whole point of NAT is address translation; There doesn't have to be any fixed relation between the addresses most of the time as long as the DNS mapping is right (And you are almost forced to use DNS with IPv6 anyway since doing it by the numbers is nigh impossible unlike with v4), and for those addresses where you need a fixed target, you could assign a static NAT for that particular address pair.
The principle is simple and well known; Implementation is annoying but we can derive implementations from existing many-to-many IPv4 NAT systems and extend to understand IPv6 and DNS relationships.
The reasons this hasn't been done yet is the IPv6 vendors want to sell all new equipment instead of just one magic box, and on the flip-side IPv4 people don't give a crap because they hold all the cards and content.
This is exactly what a lot of people fail to see. The free market is like Portland cement: stop stirring it for too long and it loses its fluidity and sets into cartels. And say what you will about the EU, they're doing a relatively good job at continuously prodding the big market players for the good of the consumer. Especially compared to the US, where a lot of providers of common services (like cell and internet) overprice and underdeliver.
Eyeball ISPs that light up IPv6 and control the router see a significant percentage of traffic (double digits) as IPv6.
Content sites that enable IPv6 see ~1% of traffic being IPv6.
ISPs that delay turning on IPv6 are just increasing their long term costs as they will need to install bigger CGNs and will have a bigger customer base to move when the time comes as customers will continue to buy IPv4 only equipment.
For most sites there is not a significant cost or pain to deploy IPv6 these days. The servers boxes already support IPv6 as do the desktops.
For a home user, assuming that their ISP supports IPv6, you are looking at replacing a single router. IPv6 capable routers can be got for around $150 and cheaper ones are coming.
For customer facing servers you turn on IPv6 in the router or check the IPv6 box with the cloud provider. Add a test DNS entry with the IPv6 address for the server and check that your backends work. Once that is done you put a AAAA address on the main DNS entry. If things break at this stage you remove the AAAA record and re-test.
The day to day costs of dual stack vs IPv4 only is negligible.
How do you figure dual stacking has any pain associated with it? It's completely transparent to the end user when you are accessing things by name.
File under 'M' for 'Manic ranting'
1995-ish I wanted to write my thesis on IPv6. I did a lot of research, tests, then decided on a different subject that was closer to my heart at the time. (had to skip a year because of work abroad)...
2013: I am still on IPv4 and there is not even a hint that my ISP's employees even heard of it.
I honestly don't get it. OS-es support it, devices support it, network devices support it, it is just not happening. The fastest evolving technology, the billion-chillion dollar web, and we are still sharing IPs and paying premium for a damn public IP ....
How is that. Anyone care to share ?
... which is about 25 years behind the rest of the world in most things, i have had native IPv6 for a year now, and could have had it much earlier if i switched to my current ISP (internode) earlier.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Could we please please do a World IPv4 day on, say, 04-04-2014 where we globally turn IPv4 OFF?
Then we could turn it back on the next day, wait a year, then turn it off permanently.
Problem solved.
True, although those mechanisms are fairly new (=a bit late) and not widely commercially implemented at the moment (home-device support), compared to centralized "classic" NAT in form of a CGN device.
How many people call and ask for IPv6?
That 0.01% who are technical and who care?
For majority of subscribers it's rather:
Q: Hello, do I need this IPv6?
A: No, it gives you same things as IPv4.
Q: Oh, thank you, I'll take just plain old IPv4 then, don't want to pay more for the same.
As for RFPs... sadly people ask for many things when they provide requirements, but do not quite use them. The very same companies that require or ask about IPv6 support when buying network equipment often just don't do anything with it afterwards, except for "ok, we future-proofed ourselves by asking for IPv6 in case someone forces it on us later on".
Fully agreed that CGN = more expenses (and therefore undesired), but "more IPv6 _you_ deploy" is not a sufficient condition by itself. You also depend on what _others_ do, and if there is a lot of content available only over IPv4 you still need a CGN in one form or another.
Luckily Google, Youtube and some other large content providers have already made the right thing and switched IPv6 on.
How? Why? In what way? Or are you just trolling?
They should reverse the pricing on this. Essentially, tell their customers that they are moving to IPv6, which will be priced the same, whereas if customers want to stay w/ IPv4, it will become more expensive, due to IPv4 addresses running out. That's how companies migrate customers to products they prefer to promote over the existing ones.
Also, there ain't much that most customers would need to do. If they are on Windows 7 or OS-X or Linux, their OSs already support IPv6. W/ XP, some more tools would be good, since XP doesn't do a good job of natively supporting it. The main showstopper for customers is not what their own systems can or can't support - it's that most websites are still IPv4 only. So shifting them to an IPv6/dual-stack lite solution should enable them to access all content over the internet.
When are we going to have a new IPv7 which addresses this problem and gives us a solid new IP that can allow incremental adoption in the existing Internet, thereby ensuring it WILL be adopted and solve the IPv4 problems? IETF, GET TO WORK!!!!
What do you mean by 'incremental adoption in the existing internet'? There is no solution that doesn't involve increasing the IPv4 address space from its existing 32-bits, but the moment you allow that, due to the changes in the IP header, the same amount of efforts needed in adapting IPv6 would be needed in this 'IPv7' as well.
I do think there will be an IPv7, but I happen to think it will be compatible w/ IPv6, not IPv4. What might happen is that once IPv6 has settled down, they might decide whether they want to increase the global prefix and decrease the interface ID, or adapt a tree structure in order to simplify routing, or so on - things of that sort, that won't change the IP header, but will have enough changes in it that it would make sense to rev the protocol. It was impossible to have a protocol compatible w/ IPv4, but w/ IPv6, that difficulty won't be so much.
How many people call and ask for IPv6?
That 0.01% who are technical and who care?
Again I think it depends on who you are. If you are a business. If you are one of countless millions running a web site and ask about IPv6 because you want to offer the best experience to all customers this will have a measurable impact on the (in)actions of the ISP. If it is just a megaco access network you're right it makes no difference.
As for RFPs... sadly people ask for many things when they provide requirements, but do not quite use them.
I don't give a shit if they use it or not. I just want to win. If checking yes in that box gives me an advantage over someone who checks no that's all I care about.
You also depend on what _others_ do, and if there is a lot of content available only over IPv4 you still need a CGN in one form or another.
Luckily Google, Youtube and some other large content providers have already made the right thing and switched IPv6 on.
Absolutely.
Fully agreed that CGN = more expenses (and therefore undesired), but "more IPv6 _you_ deploy" is not a sufficient condition by itself. You also depend on what _others_ do, and if there is a lot of content available only over IPv4 you still need a CGN in one form or another. Luckily Google, Youtube and some other large content providers have already made the right thing and switched IPv6 on.
Youtube is a massive fraction of the bandwidth on the net. Between them, Google and Facebook having v6, I'm told that v6-enabling an ISP sees about 40-50% of their traffic go over v6 immediately. (My stat is from a University network providing access to residential dorms, so the figure should be fairly similar at residential ISPs once all their customers are actually using v6).
Halving your required CGN capacity is a decent chunk of savings.
It's impossible because of the pigeonhole principle. A v4 node has no way to uniquely identify every v6 node, so it can't specify which one it's trying to send traffic to.
The only sort-of workarounds are tunnels or, as you say, NAT. But you already dismissed these gateway and tunnelling mechanisms as "clumsy" in your original post, so I'm not sure why you're now suggesting them as the solution.
NAT64 has been done. It's not used because, as you accurately point out, embedded devices are doing a spectacularly poor job of supporting IPv6, which makes it easier to use the dual stack+NAT44 deployment that you so quickly dismiss as being unworkable.
And note that doing that works just fine. You can have v6-capable devices on the same network as v4-only devices. When you roll out v6 on the network, v6-capable devices will get and use it straight away, and the v4-only devices will get it when you upgrade them.
I'm not sure how you can say that's not incremental adoption.