BT Begins Customer Tests of Carrier Grade NAT
judgecorp writes "BT Retail has started testing Carrier Grade NAT (CGNAT) with its customer. CGNAT is a controversial practice, in which IP addresses are shared between customers, limiting what customers can do on the open Internet. Although CGNAT goes against the Internet's original end-to-end principles, ISPs say they are forced to use it because IPv4 addresses are running out, and IPv6 is not widely implemented. BT's subsidiary PlusNet has already carried out CGNAT trials, and now BT is trying it on "Option 1" customers who pay for low Internet usage."
If people had spent as much money on IP6 as they have on NAT, we'd be done by now.
helping get IPv6 implemented rather than crying about it not being implemented?
Is the only solution. This is a stopgap measure like carpooling and congestion charges that don't actually fix the original problem of a diminishing resource.
If computers were people, I'd be a misanthrope.
Fantastic! This will be just as wonderful as AOL was, back when they were still unsure about this whole 'ISP' fad, and offered ghastly semi-access to the internet proper. I think I just threw up in my mouth from all the nostalgia!
I'm not fond of this in the least. I wonder how long before major ISPs finally jump to v6.
Just use IPV6 and do it properly... why on earth BT is not capable of doing this is beyond me...
I hereby declare a Jihad against BT for their infidelity about IPv6.
They have "fixed" the internet so it looks more like television. You are back to be a content consumer, and any attempt to communicate directly with another content consumer will be regulated.
lol
Presumably they'll give you a block of static ipv6 at least
The easiest solution would be to implement it then.
Have some balls, and just do it. I'm sure there will be tons of calls from people using computers and routers from the late 90's. Send them a free router/network card/dongle.
With CGN, they can't *POSSIBLY* argue that an IP address somehow is linked with a particular subscriber anymore.
This is going to create a hell of a problem when people inside the CGN start doing stuff they aren't supposed to outside of it, and those people outside can't do anything useful with the IP that they have.
File under 'M' for 'Manic ranting'
"Yeah, so, like we cba to implement this IPv6 thingamajiggy. Thought you might like some NATs instead though? It sounds like "cats" Cats are good. So we're all good now?"
For most casual users of the web, it is fine.
But for people that actually use the internet beyond the web, it is a god damn nightmare.
Pretty soon you can expect to see internet-facing IPs carry a huge premium. It is going to suck.
Do what you can, implement IPv6 encrypted mesh networking for your town and get people off the general internet. Most people just talk to their friends on facebook.
Kill the facebook, make your own mesh social network, save the internet.
There are many DIY mesh networking implementations. The only problem will be ISPs differ in how they allow you to use their connections. (most ban you from making servers but people do it anyway)
Some ISPs will disallow you to re-broadcast your connection on a large scale, even if it is free and a large package you bought.
You'd likely need to pay them a premium on your end. So don't do it if you are clueless about this.
Also, I hope they put more mobiles behind these. Mobile users should already be on IPv6 as it is and be put through an IPv4 tunnel if they need v4 resources.
All games on them are casual multiplayer anyway, unless it is local play. And that is about the only thing of worth to these people that will be impacted.
Odds are you've already been subjected to CG NAT -- especially if you have a wireless contract or are using some cheap DSL reseller. Check your "public" IP address - if you're in the RFC 1918 or RFC 6598 IP ranges (10/8, 172.16/12, 192.168/16 or 100.64/10) you're being NAT'ed.
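The check described in the comment above, written out as an added example (it is not code from the thread or from BT). It classifies the address a home router received on its WAN side against the RFC 1918 and RFC 6598 ranges, and adds the second test a practitioner actually relies on: comparing the router's WAN address with the address an external site sees. The sample addresses are constructed; `upstream_nat_present` and `classify_wan_address` are names chosen here.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Ranges named in the comment: RFC 1918 private space and the RFC 6598
# shared address space (100.64.0.0/10) reserved specifically for carrier NAT.
# Python's own is_private/is_global treat 100.64/10 as neither, so the
# networks are spelled out explicitly rather than relying on those flags.
RFC1918_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
RFC6598_NET = ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address a router obtained from its ISP.

    Returns 'rfc1918' (private space: at least one more NAT sits upstream),
    'rfc6598' (shared space: the range set aside for CGNAT), 'ipv6', or
    'public'. A public-looking address is not proof that no CGNAT is in
    use, since a carrier may translate from ordinary global space too; the
    ranges only give a positive signal.
    """
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        return "ipv6"
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    if ip in RFC6598_NET:
        return "rfc6598"
    return "public"


def upstream_nat_present(wan_addr: str, externally_seen_addr: str) -> bool:
    """Definitive test: if the address the ISP handed the router differs from
    the address a remote server reports seeing, a translator sits between
    them. wan_addr comes from the router's status page; externally_seen_addr
    from any 'what is my IP' style service (value supplied by the caller)."""
    return ip_address(wan_addr) != ip_address(externally_seen_addr)


if __name__ == "__main__":
    # Constructed sample values, not measurements from any real network.
    wan, seen = "100.64.3.17", "203.0.113.5"
    print(wan, "->", classify_wan_address(wan))
    print("translator upstream:", upstream_nat_present(wan, seen))
```

Run it once on the router's real WAN address and the address shown by an external lookup; a mismatch, or a WAN address inside 100.64/10, means the ISP is translating your traffic.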
The carrier probably has no choice. He can no longer get IPv4 addresses for new customers, so either he refuses customers or uses NAT to map multiple customers on the same IP.
On the other hand, the average Joe customer will not see the difference. He can surf as before and all his apps will work as before. Some apps (mostly p2p stuff) will suffer, but most internet users don't use those.
If you as customer do need a 'real' IP, then there always is the option to get a more expensive option.
A step back for the Internet. Perhaps if ISPs actually took some of their huge profits and started implementing IPV6 instead of bending over for their shareholders, the world would be a better place.
Why not at least implement ip6 and make the cgnat 6to4? O.o
Over the last eight years and my previous three ISPs, my router has never once received anything other than a 192.168.x.x or a 10.x.x.x IP address from my local ISP. Not once have I received a live & legit IPv4 address. I have to pay a lot more for those. What's the difference between this and CGNAT?
It's pretty easy to set up a node on Tor. We could just declare the "open internet" lost to commercial interests and do all the "interesting" stuff on an encrypted network. Sure, it's slower than an open connection, but with increasingly common cable and optical connections it's still faster than even reasonably fast DSL from a couple years back.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Having to share an IP address with tons of people is absolutely, 100% a crippling experience. There are plenty of sites (newspapers, the site I get textures from, RapidShare, etc.) who limit their services by IP address. There's nothing quite like seeing messages about how your IP has exceeded the download limit on a website you've never visited before. Also: having to deal with bans when playing online games, as many are IP-based. The impossibility of hosting your own servers for games or other purposes. BitTorrent is nigh unusable. I would not pay a dime for this kind of a service, ever again.
Every freaking network stack in existence is updated to IPv6, it's just the carriers that refuse to turn it on!
And letting us know from the get go.
How many unscrupulous ISPs could be doing this behind closed doors right now without anyone noticing??
If BT required all devices on its network to be IPv6 compliant, many existing in-use devices would cease to function.
If BT said you MUST replace your working, but not IPv6 compliant device there would be an even louder cry of EVIL!
The situation is not very good, but there aren't any alternatives.
This is like politics. It's not about choosing the better choice, but the less evil one.
Verizon started field testing IPv6 on their FIOS network in 2010. I figured it's 2013 - they should be done testing by now.
I called our business services rep about a month ago and asked about IPv6 service for our FIOS connections at our offices.
The rep's response:
"IPv6, what's that?" "Hold on. Let me ask my support engineer."
Support engineer's response:
"IPv6 - What's that?"
I may retire from the IT business before Verizon deploys IPv6.
-ted
I know people fear change and all, but at this point, what's the BFD here? Why can't we just start rolling out v6, it seems like a reasonable solution? This is not a rhetorical question. Does anyone know what is taking so damn long? At this point, if we let the legacy crap keep holding up the change we're never going to get there.
At some point you just have to rip the bandaid off and go.
"Limiting what customers can do..." seems to be the new norm... along with "shut up. give up rights. sign EULA"
Join the Slashcott! Feb 10 thru Feb 17!
The end-to-end principle has to do with where network logic is placed, not which devices are reachable, routeable, or have an IP address. As simply as possible, the end-to-end principle means that we should have smart end hosts and a dumb network. This is why routers don't guarantee packet delivery -- it's up to the hosts (with TCP, et al.) to ensure this. This is in contrast to telephony networks, where the network is responsible for almost everything.
There are good reasons to oppose CGNAT, but the "end to end principle" is not one of them.
http://en.wikipedia.org/wiki/End-to-end_principle
or, if you're inclined to primary sources:
http://groups.csail.mit.edu/ana/Publications/PubPDFs/End-to-End%20Arguments%20in%20System%20Design.pdf
we would be done by now. They should have written an extension, not a replacement.
between 192.168 and 10.0.
Apropos of nothing, here's what BT did invest in for their "21st Century Network".
It's all IPv4.
Your src port will always be from x-y on this outgoing IP address. Instead of spreading the users out horizontally by IP address, they could stack them vertically by port number.
Well, I see they still love just fobbing people off..... Can't give me a straight answer...
This is after I was told to call Broadband Customer Security....
BT: well at this point of time there is no team who can actually give you this information as this information has not yet rolled out within BT desk
BT: and we do not have any updates about this
COME ON BT: We aren't all idiots
That's from our local wireless internet provider. That's in a major US east-coast city.
Or you know, just use one of the many IPv6 tunneling mechanisms. The issue is that many of those mechanisms use IP protocol 41, and many ISPs, modems, and routers filter out non-standard protocol traffic.
Has the customer been informed already? How does he or she take it?
Sharing an IP address? What's next, sharing a desk?
I come here for the love
If so, it's a total non-starter with me.
And how would you 'extend' ipv4 without ending up with essentially all the same problems?
Secure messaging: http://quickmsg.vreeken.net/
It is not a status symbol because it is rare or uncommon -- it is a status symbol because De Beers advertised it... as a brand! "Diamonds are Forever"???? Have you ever seen anybody advertising a commodity before? "Gold is Forever", anybody?
Glenn Beck's darling Goldline and a lot of other gold retailers promote a commodity to people who are afraid of a coming crash of a major currency.
There are already ISPs which supply IPv6. The SixXS FAQ lists [...] 14 in the USA.
The two major ISPs in Fort Wayne, Indiana, are Comcast and Frontier. I tried to read the SixXS FAQ to see if either of these was among these 14, but all I got was this:
Then users behind CGNAT will switch from applications that don't work (those that use a peer-to-peer topology) to applications that do work (those that use a server to forward everything).
"ISPs say they are forced to use it because IPv4 addresses are running out, and IPv6 is not widely implemented."
Aren't ISP's supposed to be the ones implementing IPv6? My ISP doesn't and I therefore cannot use IPv6 to connect to it.
Actually I think all we really needed was a transition mechanism that went with the flow of NAT e.g.
1: for each IPv4 address and UDP port combination an IPv6 address would be allocated.
2: IPv6 packets passing over legacy infrastructure would be encapsulated in a UDP packet. An anycast address would be created to represent IPv6 addresses with no IPv4 equivalent.
3: if a NAT changed the IPv4 address or UDP port of a packet containing an encapsulated IPv6 packet then the IPv6 addresses of the packet inside would be updated to match
With this system the end systems and internet core would need to be updated, but the rest of the existing infrastructure could be left in place.
But I'm just a nobody. Those with power over the standards process were on a crusade against NAT so such a system would be unthinkable to them and the transition mechanisms we got either ignored NAT (6to4) or fought it (teredo). Worse still ISPs didn't take either of those transition mechanisms seriously meaning that connectivity between users of transition mechanisms and users of native IPv6 has been poor.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
So will doubling the speed of the cars.
Doubling the speed of the cars doesn't double the capacity in cars per hour. Traffic laws that ban following too closely or "tailgating" appear to define the crime based on a two-second minimum time between vehicles. This leaves 30 vehicle slots per minute.
Or adding lanes.
Which makes it more difficult to get from the lane where you turn on into the lane where you turn off. Each vehicle changing lanes occupies two lanes, and if the driver has to slow down to find a gap in the other lane, it occupies more of the 30 vehicle slots per minute.
But carpooling isn't a solution unless two people are coming from the same place and going to the same place.
That's why city bus systems have transfer stations downtown. People coming from places along one route take the bus downtown and transfer to another bus that goes by the destination.
Just think, if every other packet were concatenated on the previous one, there would be half as many packets, and that would double the capacity of the routers.
Waiting until enough packets arrive to fill a "truck" to get to the next hop would add a boatload of latency. That's why the Internet isn't a truck; it's a series of tubes. Packet goes in one end of a tube; packet comes out the other end.
Everyone using it just got banned from everything everywhere. Everyone is behind one giant router that assigns sub-IPs privately but to the open internet, you're all on the same IP address. So one of those thousands people starts ranting on a forum, you're all IP-banned from it since you're all on the same IP. If you've ever used a common proxy or TOR exit node, you'll notice you're basically banned from everything everywhere. That's exactly what will happen here.
Bookmark this link or this link to find the current day of September 1993.
Odds are you've already been subjected to CG NAT -- especially if you have a wireless contract
Are you fucking stupid? We're talking about NAT at the ISP, not your fucking local firewall.
"Wireless" doesn't necessarily mean wireless local area network technologies such as the 802.11 family. It can also mean technologies associated with cellular carriers, such as CDMA2000, UMTS, WiMAX, or LTE. These have been known to provide only a Private Internets (RFC 1918) address to each customer and use NAT to connect the internal network to the global Internet.
And could you please tone down your F-words?
How's this even remotely related to the actual issues which come with NAT?
CLI paste? paste.pr0.tips!
Have you, by any chance, imported the CAcert.org root certificate(s)?
I happen to have not. Where should I check for information on the progress of the audit of CAcert?
With this move, BT will cease to be an ISP, and its customers will not actually be paying for internet service.
They easily can, translations are logged as is required by law in many countries.
CGN implementations provide for this in many forms, ranging from syslog (poor scalability) to netflow (pretty much industry standard for getting traffic info and logging it).
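An added example of what the two comments above mean in practice: the translation log is the only thing that turns an abuse report of "203.0.113.5, port 40001, at 10:13 UTC" back into one subscriber. The code below is not from the thread or from any CGN vendor; the syslog-style record format and the log lines are constructed for the example, as are the names `load_translations` and `attribute`. It pairs ADD/DEL records into mapping intervals and shows why a report that omits the port or the timestamp matches more than one customer once external ports are reused.

```python
import re
from datetime import datetime, timezone

# Constructed record format (not any vendor's real syntax):
#   <ISO time> nat: ADD|DEL <proto> <inside ip:port> -> <outside ip:port> dst <remote ip:port>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) nat: (?P<op>ADD|DEL) (?P<proto>tcp|udp) "
    r"(?P<int_ip>[\d.]+):(?P<int_port>\d+) -> "
    r"(?P<ext_ip>[\d.]+):(?P<ext_port>\d+) dst (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

# Constructed sample log: external port 40001 is reused by a second
# subscriber after the first mapping is torn down.
SAMPLE_LOG = """\
2013-02-05T10:12:03Z nat: ADD tcp 100.64.3.17:51234 -> 203.0.113.5:40001 dst 198.51.100.9:443
2013-02-05T10:12:09Z nat: ADD tcp 100.64.7.2:40110 -> 203.0.113.5:40002 dst 198.51.100.9:443
2013-02-05T10:15:44Z nat: DEL tcp 100.64.3.17:51234 -> 203.0.113.5:40001 dst 198.51.100.9:443
2013-02-05T10:16:00Z nat: ADD tcp 100.64.9.9:33000 -> 203.0.113.5:40001 dst 192.0.2.44:80
2013-02-05T10:30:00Z nat: DEL tcp 100.64.7.2:40110 -> 203.0.113.5:40002 dst 198.51.100.9:443
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_translations(log_text: str) -> list:
    """Pair ADD/DEL records into (key, start, end, inside_ip, inside_port).

    key = (proto, ext_ip, ext_port, dst_ip, dst_port). end is None for a
    mapping still open at the end of the log; start is None for a DEL whose
    ADD fell outside the log window (a partial export, not an error).
    """
    open_maps, intervals = {}, []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated syslog traffic, ignored
        key = (m["proto"], m["ext_ip"], int(m["ext_port"]), m["dst_ip"], int(m["dst_port"]))
        ts, inside = parse_ts(m["ts"]), (m["int_ip"], int(m["int_port"]))
        if m["op"] == "ADD":
            open_maps[key] = (ts, inside)
        else:
            start, inside = open_maps.pop(key, (None, inside))
            intervals.append((key, start, ts, inside[0], inside[1]))
    for key, (start, inside) in open_maps.items():
        intervals.append((key, start, None, inside[0], inside[1]))
    return intervals


def attribute(translations, proto, ext_ip, ext_port, when=None, dst=None):
    """Return the inside (ip, port) endpoints that held ext_ip:ext_port.

    when: UTC datetime from the abuse report; None means "no time given",
    which is exactly the case that yields several subscribers.
    dst: optional (remote_ip, remote_port) for NATs whose mappings are
    endpoint-dependent; with endpoint-independent mapping it is not needed.
    """
    hits = set()
    for (p, e_ip, e_port, d_ip, d_port), start, end, i_ip, i_port in translations:
        if (p, e_ip, e_port) != (proto, ext_ip, ext_port):
            continue
        if dst is not None and (d_ip, d_port) != dst:
            continue
        if when is not None:
            if start is not None and when < start:
                continue
            if end is not None and when > end:
                continue
        hits.add((i_ip, i_port))
    return sorted(hits)


if __name__ == "__main__":
    table = load_translations(SAMPLE_LOG)
    print(attribute(table, "tcp", "203.0.113.5", 40001, parse_ts("2013-02-05T10:13:00Z")))
    print(attribute(table, "tcp", "203.0.113.5", 40001))  # no timestamp: ambiguous
```

The same lookup is what makes the "one IP equals one subscriber" assumption in L16's comment fail: without the source port and a timestamp with a known clock offset, the carrier can at best return every customer who ever held that port.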
Choosing between static IP or NAT is 1993 thinking: The former enhances surveillance and the latter degrades connectivity options (esp. for anything that isn't strictly a client).
The debate should really be about whether IP+DNS is an outdated form of addressing. IMO, they cannot be made consistently loyal to their users' interests (they are subject to tampering and exploits) so they should be -- if not retired -- then demoted in such a way that they matter only on a minute-by-minute basis.
Tor and I2P have such a scheme. They are an extra layer between the network hardware and the application that implement cryptographically-based addressing that also form the basis for identity as well. The identity is the address, and it's independent of hardware- and provider-based addressing. Having one's IP address shift from week to week poses no challenge for these anonymous networks. They both offer a better example of the marketing and politics at work in IP and DNS.
How's this even remotely related to the actual issues which come with NAT?
With anonymous networks like Tor and I2P, you get a crypto-based identity that doubles as your network address. No one else can change it, and you can take it with you.
Many hosting providers have traffic load balancers that distribute traffic based upon source IP address (there is a better way to do this, but I'll get to that later). When traffic arrives it routes that traffic to a specific server. When you have a carrier that has thousands of customers all coming from 1 IP, the load balancer routes it to 1 server which quickly gets overwhelmed and either crashes or is just DoS'ed. Then it points it to the next server, then the next. Back in the early days of the internets - AOL pulled this stunt where entire regions would get nat'ed behind a firewall. It was very efficient in taking out online services.
Most load balancers will now look at the session cookie and load-balance off of that, as long as they are configured to work that way. As the practice of CGNAT (as they call it now) went away, I'm sure a number of hosting companies have gone to using source IP as a sufficient load balancing method. If so, we are sure to see these events happen again.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
One of the most interesting talks at linux.conf.au this year was by Geoff Huston of APNIC (and with a long history of involvement in the internet in Australia), talking about IPv4 address exhaustion and IPv6 and Carrier Grade NAT (and why CGNAT sucks).
tl;d[wr] version: two of the main reasons why it sucks are a) it results in double-NAT when users have their own LANs and NAT devices behind a CGNAT connection and b) it's effectively a way for a handful of major telcos around the world to gain control of the internet on their terms, just like in their Good Old Days (which is why they have little or no interest in IPv6).
CGNAT means getting the same kind of crappy barely-functional internet service on your landline (or wifi or satellite etc) broadband service as you get on a mobile phone.
Video here:
http://mirror.linux.org.au/linux.conf.au/2013/ogv/The_IPocalypse_20_months_later.ogv
LWN article about Geoff's talk here:
http://lwn.net/Articles/424696/
Add extra bits to the reserved fields, and have routers interpret them as tacked onto the first octet. Want to reach a new IP? Upgrade ur crap.
they do let you opt out.
Yet Mozilla Corp listens to these CAs when the CAs set audit standards, and end users listen to Mozilla Corp. With which party should the solution start?
In a world where everyone and their mother actually uses TOR and I2P, that might be a viable solution.
In the real world, it solves none of the problems with ISP-level NAT, it rather creates an additional one on the TX path.
CLI paste? paste.pr0.tips!
Hmmm...no.
Tor and I2P are each capable of sharing an IP address with multiples of themselves. I2P can also traverse a firewall-like NAT pretty easily (I'm not sure about Tor). You also cite a chicken-and-egg conundrum for Tor and I2P, but that's more of an IPv6 problem because end users have no say in whether they can use IPv6 with their ISPs.
The point is that overcoming ISP-level NAT is possible with some adjustment, using a layer that provides identity-style addressing. Like any big innovation, early adopters will have to flesh it out a bit first.
This is because a large number of idiot sysadmins don't understand that 1 IP != 1 user (even without CGNAT).
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Yes, let's put more load on the core for the sake of letting people be lazy and not upgrade. NAT isn't even a standard, it's an "implement however you want and hope your customers don't complain".
IPv6 doesn't pass over legacy, it gets routed to legacy. The core of the Internet has been IPv6 for the past 5+ years and a large portion of the Internet was IPv6 for the past decade.
ISPs are the ones who have been slow to upgrade, not the core, and ISPs are the ones that would have to upgrade to your new idea. See the problem? The people who are not adopting the upgrades are the ones you are targeting to upgrade.