ISPs More Likely To Throttle Netizens Who Connect Through Carrier-Grade NAT: Cloudflare (theregister.com)

An anonymous reader shares a report: Before the potential of the internet was appreciated around the world, nations that understood its importance managed to scoop outsized allocations of IPv4 addresses, actions that today mean many users in the rest of the world are more likely to find their connections throttled or blocked.

So says Cloudflare, which last week published research that recalls how once the world started to run out of IPv4 addresses, engineers devised network address translation (NAT) so that multiple devices can share a single IPv4 address. NAT can handle tens of thousands of devices, but carriers typically operate many more. Internetworking wonks therefore developed Carrier-Grade NAT (CGNAT), which can handle over 100 devices per IPv4 address and scale to serve millions of users.

That's useful for carriers everywhere, but especially valuable for carriers in those countries that missed out on big allocations of IPv4 because their small pool of available number resources means they must employ CGNAT to handle more users and devices. Cloudflare's research suggests carriers in Africa and Asia use CGNAT more than those on other continents.

Cloudflare worried that could be bad for individual netizens. "CGNATs also create significant operational fallout stemming from the fact that hundreds or even thousands of clients can appear to originate from a single IP address," wrote Cloudflare researchers Vasilis Giotsas and Marwan Fayed. "This means an IP-based security system may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT engaging in malicious activity. Blocking the shared IP therefore penalizes many innocent users along with the abuser."
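The collateral damage the researchers describe can be made concrete with a small simulation. This is an added example, not Cloudflare's code or measurement: the traffic trace, the 100-requests-per-minute threshold, the documentation-range addresses, and the `client_id` field (standing in for some per-client signal such as a session token, which an IP-only system by definition does not have) are all constructed assumptions. It runs the same fixed-window rate limiter twice, once keyed on the source address and once keyed on the hypothetical per-client signal, and counts how many innocent subscribers behind the shared address get rejected because of one abuser.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60
LIMIT_PER_KEY = 100          # assumed threshold: requests per key per window


@dataclass(frozen=True)
class Request:
    ts: float        # seconds since start of the constructed trace
    src_ip: str      # address the origin sees (shared under CGNAT)
    client_id: str   # hypothetical per-client signal, e.g. a session token


class FixedWindowLimiter:
    """Counts requests per (key, window) and rejects once the limit is hit."""

    def __init__(self, limit: int, window: int) -> None:
        self.limit = limit
        self.window = window
        self.counts: dict[tuple[str, int], int] = defaultdict(int)

    def allow(self, key: str, ts: float) -> bool:
        bucket = (key, int(ts // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


CGNAT_IP = "203.0.113.10"    # documentation range; stands in for a carrier pool
SOLO_IP = "198.51.100.7"     # documentation range; a subscriber with a dedicated IP


def build_trace() -> list[Request]:
    """Constructed traffic for one minute: 200 subscribers behind the CGNAT
    address each make one request, one abuser behind the same address makes
    150, and one subscriber with a dedicated address makes five."""
    trace = [Request(ts=n * 0.25, src_ip=CGNAT_IP, client_id=f"sub-{n}") for n in range(200)]
    trace += [Request(ts=0.13 + n * 0.3, src_ip=CGNAT_IP, client_id="abuser") for n in range(150)]
    trace += [Request(ts=n * 10.0, src_ip=SOLO_IP, client_id="solo") for n in range(5)]
    trace.sort(key=lambda r: r.ts)
    return trace


def evaluate(trace, key_fn) -> dict[str, int]:
    """Run the limiter with the given key function; return rejected requests per client."""
    limiter = FixedWindowLimiter(LIMIT_PER_KEY, WINDOW_SECONDS)
    rejected: dict[str, int] = defaultdict(int)
    for req in trace:
        if not limiter.allow(key_fn(req), req.ts):
            rejected[req.client_id] += 1
    return dict(rejected)


def collateral(rejected: dict[str, int]) -> int:
    """Distinct clients other than the abuser that had at least one request rejected."""
    return sum(1 for client in rejected if client != "abuser")


if __name__ == "__main__":
    trace = build_trace()
    by_ip = evaluate(trace, lambda r: r.src_ip)
    by_client = evaluate(trace, lambda r: r.client_id)
    print(f"per-IP key:     {sum(by_ip.values())} rejected, "
          f"{collateral(by_ip)} innocent clients affected")
    print(f"per-client key: {sum(by_client.values())} rejected, "
          f"{collateral(by_client)} innocent clients affected")
```

With the source address as the key, the shared CGNAT address exhausts its budget after the first 100 requests of the minute, so the 145 subscribers who happen to arrive later are rejected along with the abuser. Keyed on the per-client signal, only the abuser is throttled. The second run is only possible if the service has such a signal at all; the article's point is that a purely IP-based system does not, which is why shared addresses are penalised wholesale.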

  • by oldgraybeard ( 2939809 ) on Tuesday November 04, 2025 @11:21AM (#65772626)
    " many innocent users along with the abuser" the innocent are always impacted more than the abuser who just moves on to destroy more elsewhere.
    • by shanen ( 462549 )

      Hmm... Close to the heart of the matter. Obviously the bad actors are highly motivated to seek more eyeballs and attention, but the current Internet situation is muddled by "mostly harmless" suckers who just want to be famous. It's kind of like winning the lottery if an "influencer's" posts start going viral--but I'm also sure the bad actors are studying how those winners got the visibility, and whatever worked, the bad actors will double it.

      Interesting negative example is bugging me right now. Where are al

    • by tlhIngan ( 30335 )

      NAT is also what is keeping those MPAA and RIAA lawsuits at bay.

      Because it's preventing identification of the person committing the offense.

      When you have 480 people randomly distributed in an area using CGNAT (which may be a wide area because mobile internet is almost always behind CGNAT), that one person pirating that movie or music is impossible to identify.

      Even regular NAT is good enough to provide doubt on who committed the offense since that's usually good to a household.

      It's a wonder why the media ind

      • by Bert64 ( 520050 )

        No it's not, and there's a reason the media industry is not pushing for IPv6.

        Widespread NAT breaks p2p, as users stuck behind NAT cannot peer with each other. This turns decentralised protocols like bittorrent, back into centralised systems with dedicated seed boxes. It's much easier to target a small handful of seed boxes than individual users spread all around the world.

        MPAA/RIAA absolutely want widespread NAT and do not want IPv6 because this turns the decentralized and hard to control internet into a ce

      • No it's not. Thanks to the US' broken legal system it's created an entire industry of copyright trolls [theguardian.com], of which Strike 3 is by far the worst:

        Porno-trolls had “discovered the nexus of antiquated copyright laws, paralyzing social stigma, and unaffordable defense costs”, Judge Otis Wright wrote in the opinion that coined the term. “They exploit this anomaly by accusing individuals of illegally downloading a single pornographic video. Then they offer to settle – for a sum calculated to be just below the cost of a bare-bones defense.” Most “reluctantly pay rather than have their names associated with illegally downloading porn”, he went on. “For these individuals, resistance is futile.”

  • by wakeboarder ( 2695839 ) on Tuesday November 04, 2025 @11:21AM (#65772630)

    Just from having 10s of tabs open, Cloudflare hates users that operate outside of the norm.

  • by whoever57 ( 658626 ) on Tuesday November 04, 2025 @11:34AM (#65772670) Journal

    .... IPv6 is a failure.

    IPv6 is great if:
    1. You are starting from scratch (no IPv4)
    2. You trust your firewall/router to fully and accurately work as a stateful firewall, with no bugs.

    • That was my thinking as well-- what went wrong with IPv6-- too complex, focused on the wrong problems, or the firewall issues. For home I gave up on it before because my ISP didn't give a subnettable allocation which made it not worth the hassle. I have changed ISPs though, might want to check again.

      • by Bert64 ( 520050 )

        It's not "too complex", it works the same as legacy IP did just with a larger address space. You only think it's too complex because you've never bothered to learn about it properly.

        In fact, once you add in all the kludges used to keep legacy ip limping along (nat, address overlaps, misuse of reserved or squatted address space, address recycling etc etc etc) then IPv6 is actually much simpler.

        For home I gave up on it before because my ISP didn't give a subnettable allocation

        What ISP gives you a subnettable allocation of legacy ip for home use?

        The standard for a v6 home allocation is /56 (

    • by Entrope ( 68843 )

      Can you elaborate on #2? In principle, an IPv6 firewall / stateful router can protect devices on the LAN by essentially using NAT logic except for rewriting addresses, right? Assuming that a more naive approach of blocking incoming SYN packets by default isn't good enough, at least.

      (Posting as AC so I can moderate up some deserving comments below.)

      • by Entrope ( 68843 )

        Well I *meant* to post as AC. I'll have to apply those mod points elsewhere :( ... and ironically Slashdot is throttling me, for reasons unrelated to whether my ISP uses CGNAT.

      • For me it primarily comes down to rule complexity. I have 7 VLANs for my home, plus WAN. That works out to 168 paths that need to be evaluated with IPv6. For IPv4 I can eliminate about 75% of that with nat design as well as outliers which might otherwise force me to add additional VLANs. (Outliers like smart home devices that are generally blocked from external access but might need the ability to allow it for a firmware update.)

        Then, once you have that many states you are tracking... it is easy to have

      • by Bert64 ( 520050 )

        That's exactly what any consumer router or firewall does by default.
        Your ID suggests you might have been around long enough to remember when legacy IP was used in this way too - with proper routable address space on both sides of the firewall. That's exactly how a firewall is designed to work, NAT is just extra complexity that introduces new problems.

        With routable space both sides it's easy to verify your firewall configuration works as intended.
        With non routable space behind you're relying on the upstream

    • by gweihir ( 88907 )

      Yep. I have a paid-for static IPv4, but I just get a free IPv6 block from my ISP. Not using it though.

  • by rknop ( 240417 ) on Tuesday November 04, 2025 @11:37AM (#65772684) Homepage

    ...we should be finished with the IPv6 switchover by the end of the 1990s.

    • Some ISPs are way behind the times. I have a symmetrical 300Mbit connection from FiOS and it wasn't until a few years ago they supported IPV6.

    • by Luckyo ( 1726890 )

      At this rate, it's going to be by the end of 2090s.

      (To be fair, my latest ISP switch early this year finally resulted in proper ISP level IPv6 support. So weird, having firewall popups with IPv6 addresses.)

      • by gweihir ( 88907 )

        At this rate, it's going to be by the end of 2090s.

        The problem is that it is simply not needed for most folks. The workarounds will likely keep IPv4 alive for at least another 20 years.

        • by Luckyo ( 1726890 )

          I'm not so sure. Here in developed countries, we got a lot of IPv4 address space. But we're a minority in the world.

          Most people actually live in a developing world, which got very little. They're the ones getting CGNAT issues, because their carriers have to put them on the same IP as hundreds and thousands of other subscribers.

          So this may actually be needed for "most folks". Or at least desired. It's just that this is the majority that doesn't really matter for those who are deciding.

          • by gweihir ( 88907 )

            And why do you think I overlooked that? Yes, people in some regions getting worse-than-possible service, much of the US among them. They still get "good enough" and they can just connect to it, no configuration needed. And that is why there is no drive from consumers to change anything.

            • by Luckyo ( 1726890 )

              The reason why you almost certainly overlooked that is "most folks". The overwhelming majority of humans live outside the developing world. We're a tiny minority of "folks".

              There's indeed a significant drive to change that from consumers. Scamming is a very large source of living for a lot of people in South-East Asia and some regions of Africa (there's a reason we call specific popular form of scam "Nigerian"). Those are the people who suffer from scammers eating IP bans. I would be surprised if number of people h

              • by gweihir ( 88907 )

                The reason why you almost certainly overlooked that is "most folks".

                I did not. But use your fake superiority if you must.

                • by Luckyo ( 1726890 )

                  That's your literal statement though.

                  While reality is the exact opposite by the numbers, as I note above.

  • Sucks (Score:5, Informative)

    by MBGMorden ( 803437 ) on Tuesday November 04, 2025 @11:43AM (#65772712)

    My local ISP switching to CG NAT was the last straw that made me actually switch to Comcast/Xfinity. Not only do you have all the aforementioned issues, you also can't connect back to your computer from the outside even by using Dynamic DNS services. I don't run websites or anything from my home network, but I do like to be able to get back in via SSH and retrieve files and such from my devices at home.

    With Xfinity at least I'm back to having my own IP (and honestly the connection is more stable and faster).

    If they ever switch I'm going to have to break down and just buy business internet. Hopefully though we just eventually make it to IPV6.

    • by Bert64 ( 520050 )

      Because of the shortage of legacy IP, any new or expanding provider has no option but to use CGNAT or charge a _LOT_ more for service.
      People complain about a lack of competition - this is one of the reasons why.
      In some countries there are no non-CGNAT consumer options. Even business plans are behind CGNAT unless you pay significantly more.

      You should be using IPv6 for everything - that way you can ssh direct to multiple devices instead of having to use nonstandard ports or go through a jump server, and you w

    • by ls671 ( 1122017 )

      My local ISP switching to CG NAT was the last straw that made me actually switch to Comcast/Xfinity. Not only do you have all the aforementioned issues, you also can't connect back to your computer from the outside even by using Dynamic DNS services. I don't run websites or anything from my home network, but I do like to be able to get back in via SSH and retrieve files and such from my devices at home.

      You'd only need to get a $5/month vm on linode or something like that, have your home computer connect to it with openvpn then connect to your home computer via the linode vm IP.

      I have even often mapped static ip addresses to home computers with such a scheme so I don't really care about CGNAT anymore.

  • I'm on CGNAT. While I understand there are ways to get this turned off, if you do you lose ipv6 connectivity.

    My ISP is not the most competent[1] but it's my only option unless I go with something like 5G.

    Sometimes IPv4 fails but not IPv6 and sometimes the other way around.

    I notice far more quickly when ipv6 goes down. Far more websites stop working than do when I've only got IPv6 connectivity.
    (Note that because of the way it fails, it's not that I lose the route, it's that the modem loses the traffic until

  • We managed to get rid of IE, AOL, Flash and TLS 1.1, just update your tcp/ip stack already. It's time major internet engineers fix the remaining issues with IPv6 and then make a strict end of life date for ipv4, which should have been done 20 years ago.
  • by Anonymous Coward

    Cloudflare itself is part of the problem, putting VPN and other shared networks of all kinds in IP blocklists that punish innocent users and take useful IP addresses out of the internet pool. And no, not specific IP addresses that have definitely done something malicious, but IP addresses owned by a similar provider that they have blocked in the past. Worst and most frustrating, they package up these blocklists as a product that their own customers have trouble challenging or understanding, and then mislead

    • by 0123456 ( 636235 )

      I now pay for high-speed Internet so I can sit waiting for 20 seconds for Cloudflare to "check I'm human" when I click on a link.

      Technology destroying their 'security system' sounds like a good thing to me.

    • Yeah they're whining here about this but they throw captchas relentlessly at those of us on standard net configs too. I would say it's even more likely to get a robot accusation on desktop than a doublenat mobile session.

  • by Lady Galadriel ( 4942909 ) on Tuesday November 04, 2025 @02:10PM (#65773162)
    A while back I worked at a company that had 3 public Class A IPv4 sub-nets allocated to it. They obviously got them early on, but ended up using all of them, including in one instance for phone home devices, (well, network send home). After a few years working there, that company got bought by an even larger company. This other company had at least 2 public Class A IPv4 sub-nets, and was one of the original users / founders of the Internet. (You have three guesses, just don't cheat and look up during the day...) Of course trying to get those 3 Class As ownership transferred to the new company found that the organization that handled IP allocations, wanted to claw back some of those Class As. I mean, what company needs 5 public Class A IPv4 sub-nets, that is not an Internet service provider?

    If you understand what that means, I don't have to tell you. But, for others, there are 24 million IPv4 addresses in a Class A sub-net. To be fair, it can't be broken down too far. But, in theory, you can make TONS of Class C sub-nets out of a Class A. Each of those Class Cs could be allocated to a different company, country or individual. Like 64K Class C sub-nets out of a Class A, (in theory).

    Anyway, we got to the IPv4 shortage because the Internet was not designed for the future. Nor were IPv4 sub-net allocations done in a forward thinking mode. Thus, NAT at home, NAT at work, NAT at a much larger scale.

    In reality, companies don't need public IPs inside their own networks. In fact, it could be considered a security breach to use such. So a company could have a simple public Class C at each location for external access. Or even just a few IPs at smaller sites. However, no one knew this Internet thing was going to take off in the way that it did.
    • by Temkin ( 112574 )

      A while back I worked at a company that had 3 public Class A IPv4 sub-nets allocated to it.

      AWS aside, as they now seem to have the equivalent of 8 Class A's... That's gotta be a Telco. Not even Sun+Oracle ended up with 5 class A's. At least I don't think they did... Sun was working on their own cloud there at the end, so I'll have to hedge my bet here. I was amused to find Oracle using Sun's 129.146.x.x block from the MPK campus for OCI VM's a couple years back.

      But you are right... I've often stated that if we knew back in the early 90's that 4+ billion people would be walking around with a a

      • by Bert64 ( 520050 )

        HP had 2x class A after their acquisition of DEC, I'm not aware of anyone else having larger than that.

        I have a dual stack IPv4/IPv6 ISP these days that issues a single IPv4 (dynamic but hasn't changed in 8+ years), and a /64. My problem with their IPv6 is the RA & addressing are not under my control.

        This is a totally broken setup, unless you're applying legacy thinking to it and don't understand how it works. The /64 you get on the WAN interface is just for the router, and you typically need to use prefix delegation to get a second prefix (which should be a /56 for home use) that is then routed behind your router and entirely under your control.
        Yes with v6 your router actually gets to be a router, not a

      • That's gotta be a Telco. Not even Sun+Oracle ended up with 5 class A's. At least I don't think they did...

        Actually the second company WAS Sun Microsystems. The first company, where I originally worked, was StorageTek, which had 3 Class A sub-nets.

        At the time Sun acquired STK, Sun had 2 Class A sub-nets, as far as I remember. Thus, the extreme desire by the North American IP allocating authority to claw back as much as they could. So, when it was all done, Sun did not end up with 5 Class A sub-nets. Not sure how many Sun had to give up, but if I remember correctly it was at least 2. When we transferred all the

        • by Temkin ( 112574 )

          Actually the second company WAS Sun Microsystems. The first company, where I originally worked, was StorageTek, which had 3 Class A sub-nets.

          Ahhh.... 2005... The StorageTek acquisition should have worked out much better than it did. The problem was Sun was casting about for a more rounded revenue stream. The bottom had fallen out of workstations, and servers were getting commoditized, and they were competing with "free" in the software division where I was. They were dabbling in early Cloud computing ala Sun Grid, which may have been the reason for the extra address allocations. Behind the scenes McNealy was fighting for his job, ultimately

  • by WaffleMonster ( 969671 ) on Tuesday November 04, 2025 @04:41PM (#65773576)

    This article is about CDN/proxy/content providers naively throttling traffic due to invalid assumptions not ISPs. While there are obvious issues with CGN it is strange hearing this angle from a large provider who should know better. It isn't like this is a new issue. Decades ago it was common for ISPs (AOL et al) to run their own network of http proxy servers to reduce bandwidth and latency. All of those requests came from a small pool of addresses.

    • by Bert64 ( 520050 )

      CGNAT is far more widely used in developing countries, as noted in the article.
      In developed countries there tend to be long established providers that got large early pools of legacy address space and don't need CGNAT.
      New providers would be forced to use CGNAT, so this stifles competition and is one of the reasons many Americans have no choice of provider.
      A lot of the content providers and CDNs are based in these developed countries and still cling to this assumption because they have never had to experienc

  • I used to say the same thing but then I realized; I actively block VPNs. And we do it at work. We don't care who is on the other end of that VPN; if it's on a known block of providers it's getting filtered.

    In those cases...we tell people who complain to get off the $3/month VPN they bought off Youtube.

    I don't think CGNAT is really the concern when everyone is being sold pointless VPN connections from people that we're actively blocking. It's the same effect. The difference is the people using a VPN have a c

  • In a lot of the world, the internet IS the cell network. There are countries in Africa where nearly the entire nation's internet traffic appears to come from a few 3GPP associated cell phone egress IP addresses.
