I recall hearing a while ago that those who were early adopters of CGNAT (predominantly mobile providers) are backing away from it due to problems, and shifting more rapidly to IPv6.
(And apparently the police are not big fans either, as it makes it more difficult to track down miscreants).
2 is an interesting point. Let's say you want to rate limit login attempts to help reduce brute force attacks. How would you recommend doing it if not by IP? You can tie it to the specific username being requested, but this has other downsides, i.e. you can DoS someone's account by sending fraudulent login attempts to it, and it also doesn't prevent attacks where people just test previously leaked username / password combos against your site.
Rate limiting by IP is trivial to work around. If you're doing something white/grayhat there are plenty of services that will allow you to affordably "lease" as many IP addresses as you need for very short amounts of time. For blackhat purposes it's only slightly more effort and even cheaper to do the same thing, illegally of course.
Not at all, it's a stupid idea. You are trying to nail down an identity without authentication; that cannot work. If you use credentials with sufficiently high entropy, which you should do anyway, you don't have a problem that this could be the solution to.
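As an added illustration of the per-IP versus per-username trade-off discussed in this sub-thread (example code written for this page, not from any of the commenters), the limiter below keys the same failed-login events on three things at once: the client IP, the username, and the (IP, username) pair. The tight pair rule is what keeps one address from locking a real account owner out of their account from elsewhere, while the looser per-IP rule still catches a single address spraying leaked credentials across many usernames. The thresholds and the addresses are constructed for the demo, not recommendations.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter applied to several keys per attempt.

    rules: kind -> (max_failures, window_seconds). An attempt is refused if
    ANY key derived from (ip, username) has reached its limit. Only failures
    are recorded, so a legitimate user who types the right password is never
    counted against themselves.
    """

    def __init__(self, rules=None, clock=time.monotonic):
        self.rules = rules or {
            "ip": (20, 60),         # one address, any usernames (illustrative)
            "user": (100, 3600),    # one account, any addresses (illustrative)
            "ip_user": (5, 300),    # one address on one account (illustrative)
        }
        self.clock = clock
        self.events = defaultdict(deque)  # key -> failure timestamps

    @staticmethod
    def _keys(ip, username):
        return {
            "ip": ("ip", ip),
            "user": ("user", username),
            "ip_user": ("ip_user", ip, username),
        }

    def _live_count(self, key, window, now):
        q = self.events[key]
        while q and q[0] <= now - window:   # drop events outside the window
            q.popleft()
        return len(q)

    def allowed(self, ip, username):
        now = self.clock()
        for kind, key in self._keys(ip, username).items():
            limit, window = self.rules[kind]
            if self._live_count(key, window, now) >= limit:
                return False
        return True

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username).values():
            self.events[key].append(now)


class FakeClock:
    """Deterministic clock so the demo does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Constructed scenario; returns which attempts the limiter lets through."""
    clock = FakeClock()
    rl = LoginRateLimiter(clock=clock)

    # One address fails five times against one account.
    for _ in range(5):
        rl.record_failure("10.0.0.1", "alice")
    results = {
        "attacker_ip_on_alice": rl.allowed("10.0.0.1", "alice"),   # pair rule trips
        "alice_from_home": rl.allowed("198.51.100.7", "alice"),    # owner unaffected
        "attacker_ip_on_bob": rl.allowed("10.0.0.1", "bob"),       # ip rule not yet hit
    }

    # Same address now sprays leaked combos across many different usernames.
    for n in range(15):
        rl.record_failure("10.0.0.1", f"user{n}")
    results["attacker_ip_spraying"] = rl.allowed("10.0.0.1", "carol")  # ip rule trips

    # A minute later the short per-IP window has expired, the 5-minute pair
    # window has not.
    clock.t += 61
    results["attacker_ip_after_minute"] = rl.allowed("10.0.0.1", "carol")
    results["attacker_ip_on_alice_after_minute"] = rl.allowed("10.0.0.1", "alice")
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:38s} {'allowed' if ok else 'blocked'}")
```

The pair key answers the account-DoS objection only for a single source; the per-username rule is still the one that fires against a distributed attack on one account, so it is deliberately the loosest of the three and would in practice be paired with a step-up (CAPTCHA, second factor) rather than a hard refusal.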
They are already doing so. IPv6 test environments have been a disaster in the ISP I work for; too many devices don't support IPv6 in the domestic market, and solutions to route IPv4 over IPv6 are problematic.
To the best of my knowledge, Comcast is running dual-stack v4 and v6. The GP was talking about running a purely v6 network, and pointing out that it wasn't yet feasible. Your example of Comcast doesn't really fit the bill because Comcast already has a v4 network to all of their customers, and they are not migrating customers to a solely-v6 network.
This is the chicken-and-egg problem that all new networks are facing with regard to IPv6 adoption. In order to have a usable network, you have to support IPv4 to all endpoints. But once you have v4 at all endpoints, the incentive to run v6 is greatly diminished.
As always, v6 needs a "killer app" that Grandma wants to use that is unavailable over the v4 internet, and then network administrators could use the actual demand from their customers as a justification for moving to v6. Unfortunately, at the moment, the list of v4-only must-have apps is still greater than the list of v6-only must-have apps.
v6 with DS-Lite/464/MAP is going to be cheaper than v4-only because it allows the ISP to sell off (or not buy) most of their v4 addresses while also using less equipment. T-Mobile has already adopted this architecture.
Maybe you just don't get to know what problems it causes because they don't talk about it. Dual stack is currently under testing and afaik higher ups are not very happy about it.
Maybe we've done it too early (it was about five years ago maybe, I don't really remember exactly) and now tooling is better, idk.
Right now IoT devices use a communications model that overcomes NAT by tying the device to a service endpoint in the cloud. The device registers itself as an IoT device in AWS and then your local hosts hit the device by going to the device endpoint in the cloud. I don't know if this model will hold up when IPv6 is more widely supported though.
Many large cable ISPs in the USA have been running IPv6 internally for years now. They likely have some of the largest deployments if you account for all their IP managed gear.
Of course, these are the same ISPs that already provide a dual-stack gateway to their customers.
Not sure I would classify CableOne/Sparklight as a large cable ISP. Their website says they service about 900k customers. Even if all of these customers had internet service this would put them fairly far down the list of ISPs. I would more classify them as a medium sized ISP.
There's one big issue with CGNAT for ISPs: compliance.
At least in Poland, you must provide law enforcement with information about your subscriber for any given 5-tuple at a given time (timestamp, {src,dest}{ip,port} and protocol). If you're CGNATing everyone, you have to either:
- log all outgoing connections (which is a GDPR hazard)
- design your CGNAT to use static outgoing ports for a given customer (but then you're running out of ports pretty fast, if you're doing anything close to >=500 subscribers)
With IPv6, you can just immediately tell who the subscriber is based on the IP address, and as such don't have to log anything.
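To make the second option in the comment above concrete (added example for this page, not the commenter's code or any ISP's configuration), here is a deterministic CGNAT mapping of the kind RFC 7422 describes: each subscriber gets a fixed block of source ports on a fixed public address, so a (public IP, port) pair maps back to a subscriber arithmetically and only the assignment table, not individual connections, needs to be kept. The public pool 203.0.113.0/28 and the subscriber identifiers are constructed values, and the assumption that public ports below 1024 are not handed out is a simplification chosen for the example. The numbers it produces show why the commenter says ports run out quickly around 500 subscribers.

```python
import ipaddress
import math
from dataclasses import dataclass

USABLE_PORT_START = 1024   # assumption: ports below 1024 not allocated to subscribers
USABLE_PORT_END = 65535


@dataclass(frozen=True)
class PortBlock:
    public_ip: str
    port_start: int
    port_end: int          # inclusive


def blocks_per_ip(ports_per_subscriber):
    return (USABLE_PORT_END - USABLE_PORT_START + 1) // ports_per_subscriber


def addresses_needed(subscribers, ports_per_subscriber):
    """Public IPv4 addresses required to give every subscriber a fixed block."""
    return math.ceil(subscribers / blocks_per_ip(ports_per_subscriber))


class DeterministicCGNAT:
    """Static subscriber -> (public IP, port block) assignment with reverse lookup."""

    def __init__(self, pool_cidr, ports_per_subscriber):
        self.pool = list(ipaddress.ip_network(pool_cidr).hosts())
        self.block = ports_per_subscriber
        self.blocks_per_ip = blocks_per_ip(ports_per_subscriber)
        self.capacity = len(self.pool) * self.blocks_per_ip
        self.subscribers = []   # slot index -> subscriber id
        self.index = {}         # subscriber id -> slot index

    def assign(self, subscriber_id):
        if subscriber_id in self.index:
            return self.block_for(subscriber_id)
        if len(self.subscribers) >= self.capacity:
            raise RuntimeError("public pool exhausted: add addresses or shrink blocks")
        self.index[subscriber_id] = len(self.subscribers)
        self.subscribers.append(subscriber_id)
        return self.block_for(subscriber_id)

    def block_for(self, subscriber_id):
        i = self.index[subscriber_id]
        ip = self.pool[i // self.blocks_per_ip]
        start = USABLE_PORT_START + (i % self.blocks_per_ip) * self.block
        return PortBlock(str(ip), start, start + self.block - 1)

    def lookup(self, public_ip, public_port):
        """Answer a law-enforcement style query: who held this (ip, port)?

        Because the mapping is static, no per-connection log is consulted;
        only the slot assignment (which changes rarely) has to be retained.
        """
        try:
            ip_slot = self.pool.index(ipaddress.ip_address(public_ip))
        except ValueError:
            return None                      # not one of our addresses
        if not USABLE_PORT_START <= public_port <= USABLE_PORT_END:
            return None
        i = ip_slot * self.blocks_per_ip + (public_port - USABLE_PORT_START) // self.block
        return self.subscribers[i] if i < len(self.subscribers) else None


if __name__ == "__main__":
    nat = DeterministicCGNAT("203.0.113.0/28", ports_per_subscriber=1024)
    for n in range(500):                      # constructed subscriber ids
        nat.assign(f"sub-{n}")
    print("subscribers per public IP:", nat.blocks_per_ip)
    print("sub-64 ->", nat.block_for("sub-64"))
    print("203.0.113.2:2500 ->", nat.lookup("203.0.113.2", 2500))
    for ports in (1024, 4096):
        print(f"{ports} ports each: 500 subscribers need {addresses_needed(500, ports)} IPv4 addresses")
```

With 1024 ports per subscriber a public address carries only 63 subscribers, so 500 subscribers already consume 8 addresses; give each subscriber 4096 ports and the same 500 need 34. A timestamp in the query matters only when slots are reassigned, in which case the assignment history (subscriber, slot, valid-from, valid-to) is the one small table to keep.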
Look to the mobile networks as a sign for things to come. How much money do you think network operators are going to invest in a highly available and performant IPv4 CGNAT experience? I know of one large mobile network that said they're constrained on CGNAT capacity and their plans aren't positive.
My fiber ISP gives you overloaded PPPoE for the legacy "dedicated dynamic IP" experience, IPv6 is carried over more modern and performant IPoE infrastructure, and if you want you can use DS-Lite for IPv4 to trade CGNAT for performance.
Most of the stuff regular people care about performance for is on CDNs that support IPv6 (or is YouTube, Netflix, etc.).