BT Begins Customer Tests of Carrier Grade NAT
judgecorp writes "BT Retail has started testing Carrier Grade NAT (CGNAT) with its customers. CGNAT is a controversial practice, in which IP addresses are shared between customers, limiting what customers can do on the open Internet. Although CGNAT goes against the Internet's original end-to-end principles, ISPs say they are forced to use it because IPv4 addresses are running out, and IPv6 is not widely implemented. BT's subsidiary PlusNet has already carried out CGNAT trials, and now BT is trying it on "Option 1" customers who pay for low Internet usage."
If people had spent as much money on IP6 as they have on NAT, we'd be done by now.
helping get IPv6 implemented rather than crying about it not being implemented?
Is the only solution. This is a stopgap measure like carpooling and congestion charges that don't actually fix the original problem of a diminishing resource.
If computers were people, I'd be a misanthrope.
Fantastic! This will be just as wonderful as AOL was, back when they were still unsure about this whole 'ISP' fad, and offered ghastly semi-access to the internet proper. I think I just threw up in my mouth from all the nostalgia!
I'm not fond of this in the least. I wonder how long before major ISPs finally jump to v6.
I hereby declare a Jihad against BT for their infidelity about IPv6.
With CGN, they can't *POSSIBLY* argue that an IP address somehow is linked with a particular subscriber anymore.
This is going to create a hell of a problem when people inside the CGN start doing stuff they aren't supposed to outside of it, and those people outside can't do anything useful with the IP that they have.
File under 'M' for 'Manic ranting'
STUN disagrees.
Who's gonna pay for the "free" dongle? And how on earth can you make IPv6 a premium option if you don't make IPv4 unbearably broken and inconvenient for users? And once they start crying you offer a "new and improved internet".
Sad jokes aside - why aren't they implementing NAT64? It solves the problem in the same way as NAT, except more and more resources will have an incentive to move to IPv6, and once the momentum is gained and all of the resources are there you can just drop NAT64 altogether without anyone noticing.
The carrier has probably no choice. He can no longer get IPv4 addresses for new customers, so either he refuses customers or uses NAT to map multiple customers on the same IP.
On the other hand, the average Joe customer will not see the difference. He can surf as before and all his apps will work as before. Some apps (mostly p2p stuff) will suffer, but most internet users don't use those.
If you as customer do need a 'real' IP, then there always is the option to get a more expensive option.
The main reason in my opinion most ISPs are not fully migrated to IPv6 is because there are MANY inhouse and 3rd party apps that ISPs use for monitoring, operations, business etc that do not support IPv6 yet. It's not just a matter of upgrading the routing infrastructure to support IPv6, they have to uplift most if not all of their operational tools as well, which all adds up to millions.
It's BT. No explanation for the sheer incompetence is required.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
BT already gives all customers a home hub (router) as part of the deal, this is pretty standard in the uk. They upgrade them every couple of years for you, so going to an IPv6-enabled one is not difficult.
Over the last eight years and my previous three ISPs, my router has never once received anything other than a 192.168.x.x or a 10.x.x.x IP address from my local ISP. Not once have I received a live & legit IPv4 address. I have to pay a lot more for those. What's the difference between this and CGNAT?
It's pretty easy to set up a node on Tor. We could just declare the "open internet" lost to commercial interests and do all the "interesting" stuff on an encrypted network. Sure, it's slower than an open connection, but with increasingly common cable and optical connections it's still faster than even reasonably fast DSL from a couple years back.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Having to share an IP address with tons of people is absolutely, 100% a crippling experience. There are plenty of sites (newspapers, the site I get textures from, RapidShare, etc.) who limit their services by IP address. There's nothing quite like seeing messages about how your IP has exceeded the download limit on a website you've never visited before. Also: having to deal with bans when playing online games, as many are IP-based. The impossibility of hosting your own servers for games or other purposes. BitTorrent is nigh unusable. I would not pay a dime for this kind of a service, ever again.
The story actually implies that this is on their roadmap.
A considerable part of the problem is that many new devices are not IPv6 compatible, so some sort of NAT is required.
New devices aside, the world is full of older IPv4 only devices.
And letting us know from the get go.
How many unscrupulous ISPs could be doing this behind closed doors right now without anyone noticing??
If BT required all devices on its network to be IPv6 compliant, many existing in-use devices would cease to function.
If BT said you MUST replace your working, but not IPv6 compliant device there would be an even louder cry of EVIL!
The situation is not very good, but there aren't any alternatives.
This is like politics. It's not about choosing the better choice, but the less evil one.
Verizon started field testing IPv6 on their FIOS network in 2010. I figured it's 2013 - they should be done testing by now.
I called our business services rep about a month ago and asked about IPv6 service for our FIOS connections at our offices.
The rep's response:
"IPv6, what's that?" "Hold on. Let me ask my support engineer."
Support engineer's response:
"IPv6 - What's that?"
I may retire from the IT business before Verizon deploys IPv6.
-ted
Yes, but:
How many of those 3rd party apps are there because of the limitations of IPv4?
"Limiting what customers can do..." seems to be the new norm... along with with "shut up. give up rights. sign EULA"
Join the Slashcott! Feb 10 thru Feb 17!
Your cell carrier doesn't count as an ISP for your smartphone? You don't get a publicly routable address on any cell network I've used.
upon the advice of my lawyer, i have no sig at this time
Mobile providers have been doing it for ages but at least here in the UK fixed line providers generally haven't.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
The end-to-end principle has to do with where network logic is placed, not which devices are reachable, routeable, or have an IP address. As simply as possible, the end-to-end principle means that we should have smart end hosts and a dumb network. This is why routers don't guarantee packet delivery -- its up to the hosts (with TCP, et al.) to ensure this. This is in contrast to telephony networks, where the network is responsible for almost everything.
There are good reasons to oppose CGNAT, but the "end to end principle" is not one of them.
http://en.wikipedia.org/wiki/End-to-end_principle
or, if you're inclined to primary sources:
http://groups.csail.mit.edu/ana/Publications/PubPDFs/End-to-End%20Arguments%20in%20System%20Design.pdf
we would be done by now. They should have written an extension, not a replacement.
For the vast majority of users, port forwarding isn't a priority. BT are selling this to lower tier internet users like my Grandma who knows nothing about port forwarding and doesn't care. So long as she can send and receive emails, use a web browser and make the odd Skype call, she has no other need.
You and I on the other hand need to have the port forwarding capabilities, but then you and I probably need higher bandwidth etc that a higher tier package gives us.
I'm not saying it's right, I think they should skip this and go to IPv6. But port forwarding isn't a feature that the vast majority of internet users need or use.
between 192.168 and 10.0.
Apropos of nothing, here's what BT did invest in for their "21st Century Network".
It's all IPv4.
> Your cell carrier doesn't count as an ISP for your smartphone? You don't get a publicly routable address on any cell network I've used.
At least Saunalahti in Finland offers publicly routable IPv4 addresses to their mobile customers. You have to activate the feature in the self-service portal and use the correct APN so generally only those who know what they're doing would do it, but it is all documented on their website. The feature is free of charge.
I can answer that question with another one: How is the ISP going to make more money with IPv6? If it's supposed to get them customers, they need to explain clearly why they're better with IPv6 to the 99% of the customer base that doesn't even know what an IP address is. It's a chicken-and-egg problem--IPv6 won't be clearly superior to the end user until most of the Internet is on it, and most of the Internet won't be on IPv6 until it's clearly superior to the end user. Nobody wants to go first and lay the groundwork for no good advantage. Let somebody else do it first; when a lot of other people are on IPv6, then we'll have a reason to move. When ISPs look at IPv6, they see a large investment of time, money and expertise that doesn't really have any convincing prospect of making them money back.
Your src port will always be from x-y on this outgoing IP address. Instead of spreading the users out horizontally by IP address, they could stack them vertically by port number.
why on earth BT is not capable of doing this is beyond me.
yes, apparently it is. I'm almost positive it's not beyond BT's Internet engineers why BT isn't capable of 'just using' IPv6 (without also implementing 'CGN' to make it work to the IPv4 Internet).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Or you know, just use one of the many IPv6 tunneling mechanisms. The issue is that many of those mechanisms use IP protocol 41, and many ISPs, modems, and routers filter out non-standard protocol traffic.
Well, part of the problem is that there are still routers being sold today that don't support IPv6.
You'll need a regulatory push to get to IPv6. The digital TV transition in the US didn't happen because people gradually migrated off of analog, it happened because the government said 'after this date, analog TV goes dark'.
Tons of people still use WinXP that has no functional IPv6 stack. Tons of people use old consumer modems and routers that have no IPv6 stack. Even many new modems and routers don't come with IPv6 capability. Was this poor planning on the part of ISPs, and entirely their fault? Abso-fucking-lutely!
Has the customer been informed already? How does he or she take it?
Sharing an IP address? What's next, sharing a desk?
I come here for the love
I'm not sure, can she still make the "odd Skype call"? Or would that require that one computer can actually open a connection to the other one?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
P2P file sharing will also take a hit, as there will be less users that your client can connect to.
No. I'm saying plenty of consumers are running software and/or hardware that can't even use IPv6. While enabling IPv6, so those that can use it can do so and relinquish their IPv4 address, will go a long way towards relieving the pressure on ISPs, that's considerably different from saying everyone has already updated.
If so, it's a total non-starter with me.
And how would you 'extend' IPv4 without ending up with essentially all the same problems?
Secure messaging: http://quickmsg.vreeken.net/
It is not a status symbol because it is rare or uncommon -- it is a status symbol because De Beers advertised it... as a brand! "Diamonds are Forever"???? Have you ever seen anybody advertising a commodity before? "Gold is Forever", anybody?
Glenn Beck's darling Goldline and a lot of other gold retailers promote a commodity to people who are afraid of a coming crash of a major currency.
I believe Skype utilizes STUN to deal with NAT, so it'll work, but fully peer-to-peer stuff will break.
upon the advice of my lawyer, i have no sig at this time
There are already ISPs which supply IPv6. The SixXS FAQ lists [...] 14 in the USA.
The two major ISPs in Fort Wayne, Indiana, are Comcast and Frontier. I tried to read the SixXS FAQ to see if either of these was among these 14, but all I got was this:
Then users behind CGNAT will switch from applications that don't work (those that use a peer-to-peer topology) to applications that do work (those that use a server to forward everything).
Actually I think all we really needed was a transition mechanism that went with the flow of NAT e.g.
1: for each IPv4 address and UDP port combination an IPv6 address would be allocated.
2: IPv6 packets passing over legacy infrastructure would be encapsulated in a UDP packet. An anycast address would be created to represent IPv6 addresses with no IPv4 equivalent.
3: if a NAT changed the IPv4 address or UDP port of a packet containing an encapsulated IPv6 packet then the IPv6 addresses of the packet inside would be updated to match
With this system the end systems and internet core would need to be updated, but the rest of the existing infrastructure could be left in place.
But I'm just a nobody. Those with power over the standards process were on a crusade against NAT so such a system would be unthinkable to them and the transition mechanisms we got either ignored NAT (6to4) or fought it (teredo). Worse still ISPs didn't take either of those transition mechanisms seriously meaning that connectivity between users of transition mechanisms and users of native IPv6 has been poor.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
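The four-step scheme sketched in the post above is concrete enough to run. What follows is an added toy model of it, written for this page; it is not a real protocol, not Teredo and not 6to4, and nothing here comes from plugwash or from any standards document. The 2001:db8:feed::/48 mapping prefix, the bit layout inside it and the relay address are assumptions chosen to make the idea executable.

```python
"""Toy model of the NAT-tolerant transition scheme sketched in the post above
(one IPv6 address per IPv4:UDP-port pair, IPv6 carried inside UDP, and NATs
re-deriving the inner source whenever they rewrite the outer one).

Added example; this is not a real protocol, not Teredo and not 6to4. The
2001:db8:feed::/48 prefix, the bit layout and the relay address are assumptions.
"""
import ipaddress

PREFIX = 0x20010DB8FEED                  # assumed mapping prefix, 2001:db8:feed::/48
RELAY = ("198.51.100.254", 4000)         # assumed anycast relay for unmapped destinations


def v6_from_v4(ip4, port):
    """Step 1: IPv4 address in bits 48-79 and UDP port in bits 32-47 below the /48."""
    v4 = int(ipaddress.IPv4Address(ip4))
    return str(ipaddress.IPv6Address((PREFIX << 80) | (v4 << 48) | (port << 32)))


def v4_from_v6(ip6):
    """Inverse of v6_from_v4(); raises for an address outside the mapping prefix."""
    n = int(ipaddress.IPv6Address(ip6))
    if n >> 80 != PREFIX:
        raise ValueError(f"{ip6} has no IPv4 equivalent")
    return str(ipaddress.IPv4Address((n >> 48) & 0xFFFFFFFF)), (n >> 32) & 0xFFFF


def encapsulate(src4, sport, dst6, payload):
    """Step 2: the IPv6 packet rides inside a UDP/IPv4 packet. A destination
    with no IPv4 equivalent is sent to the anycast relay instead."""
    try:
        outer_dst = v4_from_v6(dst6)
    except ValueError:
        outer_dst = RELAY
    return {"outer": {"src": (src4, sport), "dst": outer_dst},
            "inner": {"src": v6_from_v4(src4, sport), "dst": dst6, "payload": payload}}


def nat_rewrite(pkt, new_ip, new_port):
    """Step 3: a NAT that changes the outer source address/port re-derives the
    inner source so the two never disagree."""
    pkt["outer"]["src"] = (new_ip, new_port)
    pkt["inner"]["src"] = v6_from_v4(new_ip, new_port)
    return pkt


def reply_to(pkt, payload):
    """The receiver answers the inner source. Because that address encodes the
    NAT's public mapping, the reply's outer destination routes straight back
    through the NAT without any hole punching."""
    my_ip4, my_port = v4_from_v6(pkt["inner"]["dst"])
    return encapsulate(my_ip4, my_port, pkt["inner"]["src"], payload)
```

The model also makes the scheme's cost visible: the IPv6 source address is rewritten in flight and is only as stable as the NAT mapping it encodes, so anything that authenticates or pins the IPv6 header (IPsec AH, or a peer that caches the address for longer than the NAT keeps the binding) would break where it would not with a native address.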
AIUI skype first tries direct connection using nat traversal techniques if needed. If that fails it routes the call via a node with a public IP address (they used to (ab)use customers on open internet connections to provide this service but nowadays I believe they provide it from their own servers).
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
So will doubling the speed of the cars.
Doubling the speed of the cars doesn't double the capacity in cars per hour. Traffic laws that ban following too closely or "tailgating" appear to define the crime based on a two-second minimum time between vehicles. This leaves 30 vehicle slots per minute.
Or adding lanes.
Which makes it more difficult to get from the lane where you turn on into the lane where you turn off. Each vehicle changing lanes occupies two lanes, and if the driver has to slow down to find a gap in the other lane, it occupies more of the 30 vehicle slots per minute.
But carpooling isn't a solution unless two people are coming from the same place and going to the same place.
That's why city bus systems have transfer stations downtown. People coming from places along one route take the bus downtown and transfer to another bus that goes by the destination.
Just think, if every other packet were concatenated on the previous one, there would be half as many packets, and that would double the capacity of the routers.
Waiting until enough packets arrive to fill a "truck" to get to the next hop would add a boatload of latency. That's why the Internet isn't a truck; it's a series of tubes. Packet goes in one end of a tube; packet comes out the other end.
Everyone using it just got banned from everything everywhere. Everyone is behind one giant router that assigns sub-IPs privately but to the open internet, you're all on the same IP address. So one of those thousands people starts ranting on a forum, you're all IP-banned from it since you're all on the same IP. If you've ever used a common proxy or TOR exit node, you'll notice you're basically banned from everything everywhere. That's exactly what will happen here.
Bookmark this link or this link to find the current day of September 1993.
Odds are you've already been subjected to CG NAT -- especially if you have a wireless contract
Are you fucking stupid? We're talking about NAT at the ISP, not your fucking local firewall.
"Wireless" doesn't necessarily mean wireless local area network technologies such as the 802.11 family. It can also mean technologies associated with cellular carriers, such as CDMA2000, UMTS, WiMAX, or LTE. These have been known to provide only a Private Internets (RFC 1918) address to each customer and use NAT to connect the internal network to the global Internet.
And could you please tone down your F-words?
To be fair, we would be saying the same thing were we migrating to IPv6....
How's this even remotely related to the actual issues which come with NAT?
CLI paste? paste.pr0.tips!
Have you, by any chance, imported the CAcert.org root certificate(s)?
I happen to have not. Where should I check for information on the progress of the audit of CAcert?
Never attribute to incompetence what can more parsimoniously be explained by greed or malice.
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
They easily can, translations are logged as is required by law in many countries.
CGN implementations provide for this in many forms, ranging from syslog (poor scalability) to netflow (pretty much industry standard for getting traffic info and logging it).
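Two posts above, the one about stacking subscribers "vertically by port number" and this one about logging translations, describe the two ways a CGN operator can answer "who was behind 203.0.113.1 at 10:03". The block below is an added example written for this page, not BT's or any CGN vendor's code. It implements a deterministic port-block allocation (the stateless mapping the earlier post describes, in the style of what RFC 7422 calls deterministic CGN) with its inverse, and then a lookup over a constructed sample of the per-translation log a dynamically allocating CGN would emit. The RFC 6598 internal range, the documentation-prefix public pool, the 1024-port block size and the log line format are all assumptions.

```python
"""Deterministic port-block CGN: stateless subscriber <-> public port mapping,
plus a lookup over a dynamic-allocation translation log.

Added example, not BT's or any CGN vendor's code. The internal range is the
RFC 6598 shared address space, the public pool is a documentation prefix,
and the 1024-port block size and the log line format are assumptions.
"""
import ipaddress
from datetime import datetime

PORT_MIN, PORT_MAX = 1024, 65535                          # 0-1023 are never handed out
BLOCK_SIZE = 1024                                         # assumed; chosen per pool in practice
BLOCKS_PER_IP = (PORT_MAX - PORT_MIN + 1) // BLOCK_SIZE   # 63 subscribers per public IP


def subscriber_index(internal_ip, internal_net):
    """Offset of a subscriber address inside the internal range."""
    net = ipaddress.ip_network(internal_net)
    addr = ipaddress.ip_address(internal_ip)
    if addr not in net:
        raise ValueError(f"{internal_ip} is not inside {internal_net}")
    return int(addr) - int(net.network_address)


def allocate(internal_ip, internal_net, public_pool):
    """Subscriber -> (public_ip, first_port, last_port), computed rather than
    stored: subscribers fill one public IP block by block, then the next."""
    pool = list(ipaddress.ip_network(public_pool).hosts())
    ip_slot, block = divmod(subscriber_index(internal_ip, internal_net), BLOCKS_PER_IP)
    if ip_slot >= len(pool):
        raise RuntimeError("public pool too small for this subscriber index")
    first = PORT_MIN + block * BLOCK_SIZE
    return str(pool[ip_slot]), first, first + BLOCK_SIZE - 1


def attribute(public_ip, public_port, internal_net, public_pool):
    """Inverse of allocate(): the subscriber behind public_ip:public_port.
    No per-connection log is needed, only the pool layout in force at the time."""
    if not PORT_MIN <= public_port <= PORT_MAX:
        raise ValueError("port is outside the allocatable range")
    pool = list(ipaddress.ip_network(public_pool).hosts())
    ip_slot = pool.index(ipaddress.ip_address(public_ip))
    idx = ip_slot * BLOCKS_PER_IP + (public_port - PORT_MIN) // BLOCK_SIZE
    net = ipaddress.ip_network(internal_net)
    return str(ipaddress.ip_address(int(net.network_address) + idx))


# Constructed sample of what a CGN allocating ports dynamically would log
# (syslog-style; the format is an assumption, NetFlow/IPFIX carry the same fields).
SAMPLE_LOG = """
2013-02-01T10:00:00Z NAT44 ADD 100.64.0.5:40000 -> 203.0.113.1:20000 proto=tcp
2013-02-01T10:05:00Z NAT44 DEL 100.64.0.5:40000 -> 203.0.113.1:20000 proto=tcp
2013-02-01T10:06:00Z NAT44 ADD 100.64.0.9:51000 -> 203.0.113.1:20000 proto=tcp
"""


def lookup(log_text, public_ip, public_port, when_iso):
    """Which subscriber held public_ip:public_port at `when_iso`, by replaying
    chronological ADD/DEL records. A report carrying only an IP and a date
    cannot be answered: the same port is reused by someone else minutes later."""
    when = datetime.fromisoformat(when_iso.replace("Z", "+00:00"))
    holder = None
    for line in log_text.strip().splitlines():
        ts, _, action, internal, _, external, *_ = line.split()
        if datetime.fromisoformat(ts.replace("Z", "+00:00")) > when:
            break
        if external == f"{public_ip}:{public_port}":
            holder = internal.rsplit(":", 1)[0] if action == "ADD" else None
    return holder
```

The practical point for anyone handling abuse reports either way: an address and a day are no longer an identifier, the report must carry the source port and a timestamp with a known time zone, and with deterministic allocation the operator also has to keep a history of pool layouts so that `attribute()` is run against the layout that was current when the traffic was seen.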
Uh, what? My father has never got anything beyond the first ADSL modem he got from BT almost a decade ago.
But it is harder to uniquely identify you by IP address
Choosing between static IP or NAT is 1993 thinking: The former enhances surveillance and the latter degrades connectivity options (esp. for anything that isn't strictly a client).
The debate should really be about whether IP+DNS is an outdated form of addressing. IMO, they cannot be made consistently loyal to their users' interests (they are subject to tampering and exploits) so they should be -- if not retired -- then demoted in such a way that they matter only on a minute-by-minute basis.
Tor and I2P have such a scheme. They are an extra layer between the network hardware and the application that implement cryptographically-based addressing that also form the basis for identity as well. The identity is the address, and it's independent of hardware- and provider-based addressing. Having one's IP address shift from week to week poses no challenge for these anonymous networks. They both offer a better example of the marketing and politics at work in IP and DNS.
> Hows this even remotely related to the actual issues which come with NAT?
With anonymous networks like Tor and I2P, you get a crypto-based identity that doubles as your network address. No one else can change it, and you can take it with you.
Many hosting providers have traffic load balancers that distribute traffic based upon source IP address (there is a better way to do this, but I'll get to that later). When traffic arrives it routes that traffic to a specific server. When you have a carrier that has thousands of customers all coming from 1 IP, the load balancer routes it to 1 server which quickly gets overwhelmed and either crashes or is just DoS'ed. Then it points it to the next server, then the next. Back in the early days of the internets - AOL pulled this stunt where entire regions would get nat'ed behind a firewall. It was very efficient in taking out online services.
Most load balancers will now look at the session cookie and load-balance off of that, as long as they are configured to work that way. As the practice of CGNAT (as they call it now) went away, I'm sure a number of hosting companies have gone to using source IP as a sufficient load balancing method. If so, we are sure to see these events happen again.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
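The load balancer failure described in the post above is easy to reproduce in a model. The block below is an added example written for this page, not any hosting provider's or load balancer vendor's code: the same hash-to-backend function is driven by three stickiness keys (source IP, source IP plus port, session cookie) over a constructed 1000-session workload, once from distinct addresses and once from a single carrier-NAT address. Backend names, addresses and cookies are constructed.

```python
"""Source-IP-hashed load balancing versus per-session stickiness when many
clients share one address.

Added example; not any hosting provider's or load balancer's code. Backend
names, client addresses and the 1000-session workload are constructed.
"""
import hashlib
from collections import Counter

BACKENDS = ["web1", "web2", "web3", "web4"]


def pick_backend(key, backends=BACKENDS):
    """Hash whatever the stickiness policy uses as its key onto a backend."""
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


# Three stickiness policies; the key is all that differs.
def by_source_ip(req):
    return req["ip"]


def by_source_ip_and_port(req):
    return f"{req['ip']}:{req['port']}"


def by_session_cookie(req):
    return req["cookie"]


def make_sessions(n=1000, shared_ip=None):
    """Constructed workload: n sessions from distinct addresses, or all from
    one carrier-NAT address but with distinct source ports and cookies."""
    return [{"ip": shared_ip or f"10.{i // 256}.{i % 256}.1",
             "port": 10000 + i,
             "cookie": f"sess-{i:04d}"} for i in range(n)]


def distribution(sessions, policy):
    """Sessions per backend under a policy."""
    return Counter(pick_backend(policy(s)) for s in sessions)


def busiest_share(counts):
    """Fraction of all sessions landing on the most loaded backend (1.0 = everything)."""
    return max(counts.values()) / sum(counts.values())


if __name__ == "__main__":
    workloads = [("distinct IPs", make_sessions()),
                 ("one CGN address", make_sessions(shared_ip="203.0.113.7"))]
    for label, sessions in workloads:
        for policy in (by_source_ip, by_source_ip_and_port, by_session_cookie):
            d = distribution(sessions, policy)
            print(f"{label:16s} {policy.__name__:23s} busiest={busiest_share(d):.2f} {dict(d)}")
```

Two caveats when moving off source-IP stickiness: a cookie-based policy has nothing to hash on the first request, so the balancer must pick a backend for that request and then set the cookie itself, and it has to be able to see the cookie at all, which means terminating TLS on the balancer or in front of it. Hashing on source IP plus port needs no application visibility, but it only spreads load; it does not keep one client's requests together, because the client's port changes with every new connection.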
Yes, because I'm sure the ISP will never keep logs which would allow such identification, and in any case they would never provide them to other corporations or the government upon request...
This is hardly an impossible problem.
Start with the new customers, and any equipment swaps, service plan upgrades, etc. You'll get most of your customer base within about 5 years, then you can go after any that remain.
I do installation and repair for an ISP, The ADSL modems we stopped using 10 years ago are pretty much all gone (I haven't seen one in about a year, and it was probably almost a year before that that I saw the previous one) the ones we stopped using 5 years ago are rare (I might see one every month or two). At this point I'd say I mainly see a mix of the ones we stopped using 2-3 years ago, and the current ones with only exceedingly rare exceptions.
One of the most interesting talks at linux.conf.au this year was by Geoff Huston of APNIC (and with a long history of involvement in the internet in Australia), talking about IPv4 address exhaustion and IPv6 and Carrier Grade NAT (and why CGNAT sucks).
tl;d[wr] version: two of the main reasons why it sucks are a) it results in double-NAT when users have their own LANs and NAT devices behind a CGNAT connection and b) it's effectively a way for a handful of major telcos around the world to gain control of the internet on their terms, just like in their Good Old Days (which is why they have little or no interest in IPv6).
CGNAT means getting the same kind of crappy barely-functional internet service on your landline (or wifi or satellite etc) broadband service as you get on a mobile phone.
Video here:
http://mirror.linux.org.au/linux.conf.au/2013/ogv/The_IPocalypse_20_months_later.ogv
LWN article about Geoff's talk here:
http://lwn.net/Articles/424696/
> Sad jokes aside - why aren't they implementing NAT64
NAT64 is generally more restrictive for IPv4 than common NAT, while it does not have many advantages (compared to IPv4 NAT together with IPv6).
But there are other options like MAP-E, which solves both IPv4 exhaustion and IPv6 deployments with advantages (compared to CGNAT) for both users (better control over NAT) and ISPs (just stateless and easily scalable gateways).
Add extra bits to the reserved fields, and have routers interpret them as tacked onto the first octet. Want to reach a new IP? Upgrade ur crap.
> BT already gives all customers a home hub (router) as part of the deal, this is pretty standard in the uk. They upgrade them every couple of years for you, so going to an IPv6-enabled one is not difficult.
A few cents or dollars per NEW module kills timely standard adoption. We're talking about ISPs, so let's use a well-known evolutionary example with WIFI routers available to users even outside the ISP chain:
First, no wifi at all,
then default / empty passwords all neighbors could steal,
then WEP only because WPA wasn't supported,
then no WPA2...
then (or mixed in with the above):
no support for G,
then no support for N
finally, "support" for N on just 130mbps, but not multiples of it. The unwritten word is also SINGLE band (2.4Ghz)
That is what I remember from a ton of different routers I either got from ISPs, owned, gave away or just troubleshot. The great fragmentation tells you that it won't be an easy problem to solve. I mean, just check your Wifi now and see how many of the ancient no-nos you can still see from neighbors around you who PAID for their routers --I don't even want to know what they have to settle for at the Modem level.
Providing an upgraded router may not be the same as just "going" up to an IPv6-enabled router. Supply chains take forever (5 years) to provide today's optional features.
If you need more proof that a 2 year cycle for upgrades means nothing, just look at how few top of the line smartphones *refreshed yearly* support 5Ghz bands. Even if you paid through the nose to correct that, you still must leave the 2.4 Ghz band open because your pricy game console [refreshed every 5 years] isn't that lucky or your visitors' gadgets are behind. It's not a pretty picture. Give it 10 or 15 more years
Yet Mozilla Corp listens to these CAs when the CAs set audit standards, and end users listen to Mozilla Corp. With which party should the solution start?
In a world where everyone and their mother actually uses TOR and I2P, that might be a viable solution.
In the real world, it solves none of the problems with ISP-level NAT, it rather creates an additional one on the TX path.
CLI paste? paste.pr0.tips!
You won't need a regulatory push to IPv6. While yes, it would help considerably in terms of providing a unified industry focus, it may not be required at all in fact. So now you're waiting for the other shoe to drop, yes? Mobile phones. It will be the cellular industry that will push IPv6 as they're already using CGNAT anyways (which is why PPTP works half the time for air-cards due to GRE getting borked). Mobile phones already rely on cloud based applications and e-mail anyways. So it's trivial for the likes of Google, Microsoft, and Apple to implement IPv6 on their end anyways. I can only imagine China Telecom having a serious interest in getting deployed ASAP with an ever increasing mobile phone usage rate (thanks to their growing economy). Most major ISPs are already in an IPv6 deployment phase anyways, and consumer WiFi routers are now being sold to support IPv6 too. So with the momentum getting started, the adoption rate will explode with exponential growth.
Life is not for the lazy.
Hmmm...no.
Tor and I2P are each capable of sharing an IP address with multiples of themselves. I2P can also traverse a firewall-like NAT pretty easily (I'm not sure about Tor). You also cite a chicken-and-egg conundrum for Tor and I2P, but that's more of an IPv6 problem because end users have no say in whether they can use IPv6 with their ISPs.
The point is that overcoming ISP-level NAT is possible with some adjustment, using a layer that provides identity-style addressing. Like any big innovation, early adopters will have to flesh it out a bit first.
This is because a large number of idiot sysadmins don't understand that 1 IP != 1 user (even without CGNAT).
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Yes, let's put more load on the core for the sake of letting people be lazy and not upgrade. NAT isn't even a standard, it's a "implement however you want and hope your customers don't complain".
IPv6 doesn't pass over legacy, it gets routed to legacy. The core of the Internet has been IPv6 for the past 5+ years and a large portion of the Internet was IPv6 for the past decade.
ISPs are the ones who have been slow to upgrade, not the core, and ISPs are the ones that would have to upgrade to your new idea. See the problem? The people who are not adopting the upgrades are the ones you are targeting to upgrade.
UDP hole-punching only works with certain NAT setups, not all of them. NAT is not a standard, so each company is free to implement it however they want.
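The claim above, that hole punching depends on how the NAT was built, and the earlier Skype description (try direct, fall back to a relay) can both be shown with a small model. The block below is an added example written for this page; it is not the thread's, Skype's or any STUN library's code. It models the two RFC 4787 behaviours that matter here, endpoint-independent mapping with address-and-port-dependent filtering (what RFC 3489 called a port-restricted cone NAT) and endpoint-dependent mapping (a symmetric NAT), then chains a home NAT behind a carrier NAT to show what CGNAT adds. The STUN server address and all host addresses are constructed.

```python
"""Toy model of why UDP hole punching works through some NATs and not others,
and what a carrier NAT in front of the home router does to it.

Added example, not from the thread, Skype or any STUN implementation. The two
behaviours modelled are the RFC 4787 ones: endpoint-independent mapping with
address-and-port-dependent filtering ('port-restricted cone') and
endpoint-dependent mapping ('symmetric'). Addresses are constructed.
"""
import itertools

STUN_SERVER = ("198.51.100.1", 3478)   # assumed public server both peers can reach


class Nat:
    def __init__(self, public_ip, symmetric=False):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.mappings = {}       # mapping key -> public port
        self.reverse = {}        # public port -> internal (ip, port)
        self.allowed = set()     # (public port, remote (ip, port)) that may come back
        self._ports = itertools.count(40000)

    def outbound(self, src, dst):
        """Translate a packet from internal `src` to `dst`; return the public (ip, port).
        A symmetric NAT keys the mapping on the destination as well, so every
        new peer sees a different public port."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
            self.reverse[self.mappings[key]] = src
        pub_port = self.mappings[key]
        self.allowed.add((pub_port, dst))
        return (self.public_ip, pub_port)

    def inbound(self, public_port, remote):
        """Pass an inbound packet only if we already sent to `remote` from that port."""
        return (public_port, remote) in self.allowed


class DoubleNat:
    """Home NAT behind a carrier NAT: inbound packets must pass both."""

    def __init__(self, home, carrier):
        self.home, self.carrier = home, carrier

    def outbound(self, src, dst):
        return self.carrier.outbound(self.home.outbound(src, dst), dst)

    def inbound(self, public_port, remote):
        if not self.carrier.inbound(public_port, remote):
            return False
        home_side = self.carrier.reverse[public_port]   # (home NAT ip, home NAT port)
        return self.home.inbound(home_side[1], remote)


def hole_punch(nat_a, host_a, nat_b, host_b):
    """Both peers learn their server-observed address, swap it (the server does
    that in real life) and send to each other's. True if packets get through."""
    a_pub = nat_a.outbound(host_a, STUN_SERVER)
    b_pub = nat_b.outbound(host_b, STUN_SERVER)
    a_src = nat_a.outbound(host_a, b_pub)    # A's packet towards B as seen on the wire
    b_src = nat_b.outbound(host_b, a_pub)
    return nat_a.inbound(a_pub[1], b_src) and nat_b.inbound(b_pub[1], a_src)


def connect(nat_a, host_a, nat_b, host_b):
    """What a Skype-like client ends up doing."""
    return "direct" if hole_punch(nat_a, host_a, nat_b, host_b) else "relay"
```

With a symmetric NAT on either side the address the peer learned from the server is not the one the NAT uses towards the peer, so the punch fails and the call goes through a relay. A carrier NAT makes this worse in a way the customer cannot fix: a home router configured for endpoint-independent mapping gains nothing if the carrier's NAT in front of it is symmetric, and the customer has no setting that changes the carrier's behaviour.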
Not sure what they are doing these days. Their old scheme was a major contributing factor in a huge Skype outage a few years back. As far as I recall, they needed a bunch of servers at Amazon in order to get Skype back online. That outage might never have happened, if IPv6 had been deployed when it should have been.
Do you care about the security of your wireless mouse?