And so it begins

It has been reported by thinkbroadband and ispreview that plusnet are running tests for Carrier Grade NAT (CGN) on their network. Unfortunately this was to be expected, as the exhaustion of IPv4 addresses means ISPs are finally running out of addresses to give to customers.

The big disappointment here is that general IPv6 deployment really should have happened first, at least in my opinion, and that of others in the industry. If end users are able to do IP properly using IPv6 at the same time as suffering CGN on IPv4, they at least stand some chance of being able to use Internet based services that need reliable end to end communication.

It is also unfortunate that many people do not understand the problems with NAT, and especially with CGN. It is all very well people like myself saying NAT is evil, but it helps if people understand some of the reasons why this is the case.

This all stems from one of the fundamental design principles of IP: every endpoint has a globally unique address. IP packets are addressed to the target address, and the addressing stays the same as the packet passes through a network. Each router sends the packet to a neighbouring router which is logically closer to the final destination. In fact, the only real thing to change on the way is a hop count (the time to live in IPv4, the hop limit in IPv6) which is there to stop packets circulating forever if there is a routing loop.

It is worth pointing out that this is not the only way to design a network; there are other ways. One could, for example, have a sort of circuit routed system (like phone calls) where you establish a connection and send packets using a local handle for the connection, which is swapped at each step along a pre-established route. ATM works a bit like this too. It is a way to do things, but does not allow the same level of re-routing when things break. Circuit switched systems handle capacity limits and re-routing around failure in different ways and would not be as good as the packet based routing used by IP.

The key problem with NAT is that it breaks this principle by changing IP addresses (and usually ports) as packets pass through the network. It only works because some protocols, like TCP, have a handshake and some level of logical connection or session which can be tracked and mapped by the device doing the NAT. This is not true of all IP based protocols: anything without that kind of session, or which carries an IP address or port inside its payload expecting the far end to use it, simply doesn't work through NAT. It breaks all sorts of protocols which were designed to use IP in the way it was designed. It is not the end of the world, as protocol designers can work around NAT to some extent, and NAT systems can be fudged to understand specific protocols (so called application layer gateways, or ALGs). Many NAT routers have a long list of protocols they know how to fudge, which can even include games like Age of Empires. The problem here is a new interdependency between people making protocols and people making NAT boxes which never existed before, which creates flaky operation of networks and stifles development. It also means routers have to keep up with changes. Don't take my word for it though; this is a key point when people from RIPE talk about NAT, even though it is RIPE that has run out of IPv4 addresses now.

Carrier Grade NAT adds an extra layer of problems. Ordinary NAT is done on a router under the control of the end user, with the devices on the LAN directly connected to it. This means that protocols like UPnP have popped up allowing devices to talk to the NAT router and arrange exceptions to the normal operation of NAT (a port mapping for inbound traffic). It also allows applications like Skype to second-guess the router, predicting the next port it will assign so that two parties behind NAT can reach each other. These are all very clever, but do not really scale to CGN. With CGN you are dealing with lots of end users, many of whom are behind a layer of NAT at their own router as well as the CGN, so inbound traffic has to cross two translation tables, and the CGN's table has no entry for a customer unless that customer's own outbound traffic created one. Devices cannot use UPnP with the CGN, and guessing ports is far less likely to work because the port the outside world sees is the one the CGN picked, not the one the home router picked. Obviously new protocols could allow routers to interact with the CGN, but if you are upgrading routers anyway, simply adding IPv6 is a much simpler answer to the problem.
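To make the two points above concrete, here is a toy port-overloading NAT in Python. It is an added example, not code from the original post or from any real NAT implementation; the addresses, ports and the little "address in the payload" request are all constructed for illustration. It shows a TCP-style flow working through the table, a payload that embeds the private address reaching the server unchanged (the reason ALGs exist), a UPnP-style port mapping that works on a lone home router but is dropped by a CGN in front of it, and the port a peer actually sees once a CGN has done its own rewrite.

```python
"""Toy NAPT (port overloading NAT) to illustrate what breaks behind NAT and CGN.
Added example, not from the original post. All addresses, ports and the toy
address-in-payload protocol are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class Napt:
    """Minimal NAPT: rewrites the source of outbound packets to (public_ip, port)
    and keeps a mapping so replies can be translated back. The payload is never
    touched, exactly as a NAT with no ALG behaves."""
    public_ip: str
    next_port: int = 40000
    to_inner: dict = field(default_factory=dict)   # public port -> (inner ip, inner port)
    to_public: dict = field(default_factory=dict)  # (inner ip, inner port) -> public port

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.to_public:            # first packet of a flow: allocate a port
            self.to_public[key] = self.next_port
            self.to_inner[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.to_public[key], p.dst, p.dport, p.payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inner = self.to_inner.get(p.dport)
        if inner is None:                        # no state for this port: unsolicited, dropped
            return None
        return Packet(p.src, p.sport, inner[0], inner[1], p.payload)

    def forward(self, public_port: int, inner_ip: str, inner_port: int) -> None:
        """What a UPnP request or a manual port-forward rule does on a home router."""
        self.to_inner[public_port] = (inner_ip, inner_port)
        self.to_public[(inner_ip, inner_port)] = public_port


PC = "192.168.1.10"         # host on the home LAN (RFC 1918 space)
HOME_WAN = "100.64.1.7"     # home router's WAN side when it sits behind a CGN (RFC 6598 space)
CGN_PUBLIC = "203.0.113.7"  # the ISP's shared public address
SERVER = "198.51.100.20"    # some host on the Internet


def single_nat_session():
    """TCP-style flow: the outbound packet creates state, the reply is translated back."""
    home = Napt(CGN_PUBLIC)
    out = home.outbound(Packet(PC, 51000, SERVER, 80, "GET / HTTP/1.0"))
    reply = home.inbound(Packet(SERVER, 80, out.src, out.sport, "HTTP/1.0 200 OK"))
    return (reply.dst, reply.dport)


def embedded_address_as_seen_by_server():
    """Toy FTP-active-style request carrying the client's own address in the payload.
    Returns (source the server sees, address in the payload, is that address private)."""
    home = Napt(CGN_PUBLIC)
    out = home.outbound(Packet(PC, 51001, SERVER, 21, f"PORT {PC}:5000"))
    addr_in_payload = out.payload.split()[1].split(":")[0]
    # The server will try to connect back to the address in the payload; without an
    # ALG the NAT left it unchanged, so the server is handed an unroutable address.
    return (out.src, addr_in_payload, ipaddress.ip_address(addr_in_payload).is_private)


def port_forward_without_cgn():
    """Home router alone: a UPnP/static mapping lets inbound traffic reach the PC."""
    home = Napt(CGN_PUBLIC)
    home.forward(12345, PC, 12345)
    got = home.inbound(Packet(SERVER, 33333, CGN_PUBLIC, 12345, "hello"))
    return got.dst if got else None


def port_forward_behind_cgn():
    """Same mapping on the home router, but the CGN in front of it has no state."""
    home = Napt(HOME_WAN)
    cgn = Napt(CGN_PUBLIC)
    home.forward(12345, PC, 12345)
    at_cgn = cgn.inbound(Packet(SERVER, 33333, CGN_PUBLIC, 12345, "hello"))
    return home.inbound(at_cgn).dst if at_cgn else None   # None: dropped at the CGN


def ports_seen_by_peer_behind_cgn():
    """Outbound flow through both layers. The peer sees the CGN's port, not the home
    router's, so predicting the home router's next port (the Skype trick) is useless."""
    home = Napt(HOME_WAN, next_port=40000)
    cgn = Napt(CGN_PUBLIC, next_port=60000)
    hop1 = home.outbound(Packet(PC, 51002, SERVER, 3478))
    hop2 = cgn.outbound(hop1)
    return (hop1.sport, hop2.src, hop2.sport)
```

Real NATs add timeouts, hairpinning rules and per-protocol quirks on top of this, but the structure of the table is the whole story: state exists only where traffic created it, and a CGN is a second table the customer's equipment cannot populate.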

There are other issues, such as running out of source ports: one public address has only around 64 thousand ports, which have to be shared between every customer and every connection sitting behind it. Other systems are also being used where each router gets an IP and a range of ports to use for its own NAT, so allowing several routers to share one IP address (the "address plus port" idea). This again means new router code at the end user, and so would be better done as IPv6.

We already see issues with NAT on individual routers, including running out of ports and running out of sessions. CGN faces the same problems on a larger scale, and the boxes that can hold that much state are also costly for an ISP.

Ultimately CGN creates a sort of second class Internet access.

The problem is that, for vast numbers of people, this will mostly work. Anyone who simply checks email, accesses facebook and a few web sites will probably be fine. If that is all the Internet was or could become, then NAT and CGN would be fine, but we know it can do more, and over the years innovations have amazed us all - innovations that should not be stifled by short-sighted ISPs ignoring IPv6. There is an irony that many of these common services, facebook, google and even games like WoW, already work with IPv6.

There is another factor, which is that IPv4 addresses become almost untraceable when they are shared by more than one customer at a time and the mapping changes from moment to moment. Tracing abuse back to a customer can only work if the ISP keeps huge logs of every connection (a privacy issue and a technical challenge). Even then, tracing a connection may require not just the source IP and port but the target IP and port as well, because a CGN can reuse the same public port for different customers talking to different destinations. It also requires very accurate timestamps, both on the CGN logs and on the complaint, as a port can be handed to a different customer within the same second. And most servers today log only the source address, so even a perfect log at the ISP is no help when the complainant never recorded the port.
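The attribution problem can be shown with a small log search. This is an added example, not from the original post and not any real ISP's log format: the CGN session log below is constructed, with one line per mapping start or stop giving the timestamp, the customer-side address, the shared public address and port, and the destination. The queries show that a second-precision timestamp, or a missing destination, leaves more than one customer as a candidate.

```python
"""Attributing a shared CGN address back to a customer from session logs.
Added example, not from the original post. The log format and every address,
port and timestamp in CGN_LOG are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed CGN session log: "<timestamp> <start|stop> <customer ip> <public ip:port> <dest ip:port>".
CGN_LOG = """\
2013-01-15T10:00:00.120Z start 100.64.1.7 203.0.113.7:40000 198.51.100.20:80
2013-01-15T10:00:00.950Z stop  100.64.1.7 203.0.113.7:40000 198.51.100.20:80
2013-01-15T10:00:00.960Z start 100.64.2.9 203.0.113.7:40000 198.51.100.20:80
2013-01-15T10:00:02.000Z start 100.64.3.3 203.0.113.7:40001 198.51.100.20:443
2013-01-15T10:00:02.010Z start 100.64.4.4 203.0.113.7:40001 192.0.2.50:443
2013-01-15T10:00:05.000Z stop  100.64.2.9 203.0.113.7:40000 198.51.100.20:80
2013-01-15T10:00:09.000Z stop  100.64.3.3 203.0.113.7:40001 198.51.100.20:443
2013-01-15T10:00:09.500Z stop  100.64.4.4 203.0.113.7:40001 192.0.2.50:443
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def load_sessions(text: str):
    """Pair start/stop events into (customer, public, dest, t_start, t_stop) tuples."""
    open_ = {}
    sessions = []
    for line in text.splitlines():
        ts, event, customer, public, dest = line.split()
        key = (customer, public, dest)
        if event == "start":
            open_[key] = parse_ts(ts)
        else:
            sessions.append((*key, open_.pop(key), parse_ts(ts)))
    for key, t0 in open_.items():              # still open at end of log: no stop record
        sessions.append((*key, t0, None))
    return sessions


def window(ts: str, precision_ms: int):
    """The interval a timestamp of the given precision actually covers.
    A complaint saying '10:00:00' with one-second precision means any instant
    in [10:00:00.000, 10:00:00.999999]."""
    t = parse_ts(ts)
    return t, t + timedelta(milliseconds=precision_ms) - timedelta(microseconds=1)


def attribute(sessions, public: str, t_from: datetime, t_to: datetime, dest: str = None):
    """Customers whose mapping of `public` (ip:port) overlapped [t_from, t_to].
    `dest` narrows the search when the CGN overloads one port across destinations."""
    hits = set()
    for customer, pub, d, t0, t1 in sessions:
        if pub != public or (dest is not None and d != dest):
            continue
        if t0 <= t_to and (t1 is None or t1 >= t_from):
            hits.add(customer)
    return hits


def worked_queries():
    """Four lookups against the constructed log, returned as a dict of candidate sets."""
    s = load_sessions(CGN_LOG)
    port = "203.0.113.7:40000"
    overloaded = "203.0.113.7:40001"
    return {
        # complainant logged only whole seconds: two customers used the port that second
        "second_precision": attribute(s, port, *window("2013-01-15T10:00:00.000Z", 1000)),
        # millisecond timestamp: exactly one customer
        "millisecond_precision": attribute(s, port, *window("2013-01-15T10:00:00.500Z", 1)),
        # port reused simultaneously for two destinations; no destination given
        "no_destination": attribute(s, overloaded, *window("2013-01-15T10:00:03.000Z", 1000)),
        # same query with the destination from the complainant's server log
        "with_destination": attribute(s, overloaded, *window("2013-01-15T10:00:03.000Z", 1000),
                                      dest="192.0.2.50:443"),
    }
```

Two design points worth noting: the search treats a coarse timestamp as an interval rather than an instant, because pretending a complaint is precise silently picks one of several candidates; and the function returns a set rather than a single customer, so an ambiguous answer is visible to whoever has to act on it.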

Anyway, our policy at A&A is that we have IPv6 (we have done for over ten years) and it is standard now on all new connections (and has been for some years). Ultimately we will have to start charging for, and eventually clawing back, IPv4 blocks from customers, but we expect to be able to provide a fixed, non NAT IPv4 WAN address to all customers for a long time to come - hopefully long enough to avoid considering CGN.

So, brave of plusnet, we'll all watch with interest.


  1. Ultimately we will have to start charging for...

    Maybe that's Plusnet's intention. Those customers who want a public IPv4 address will be prepared to pay for it. You want a static one sir? (sharp intake of breath) That's going to be expensive.

    1. Possibly. I doubt we will ever charge extra for one fixed unfiltered IPv4 address though. I hope not.

  2. Old but still funny: http://www.youtube.com/watch?v=v26BAlfWBm8
    NATs are good, I want NATs for IPv6 on my iPhone :-)

  3. I'd expect no less from a wholly-owned subsidiary of a world class telecommunications company... stuck as they are in about 1978

  4. Plusnet _were_ running an IPv6 trial some time ago. Last year they pulled the plug on it and when I enquired a month or so ago they told me they had no plans to roll out IPv6. Pretty depressing stuff - not only do they seem to have scrubbed the idea of using IPv6 on their network, they are now saying they're running out of v4 addresses and that *something must be done*...

  5. This just in from RapidSwitch (who launched IPv6 today) but wanted to charge me setup and ongoing fees to change IPv4 to a routed subnet first to "enable IPv6":

    Seems a bit strange that IPv4 needs to be changed to enable IPv6 to work?
    The costs are prohibitive, especially the ongoing costs..

    It's not so much a change, simply that currently an IPv4 subnet is required to then route an IPv6 subnet. The networking team are looking into how to provide IPv6 allocations for users with a shared subnet.
    ---END TICKET---

    Is there some obvious reason I'm missing that means IPv6 deployment is somehow dependent on IPv4 subnetting in their network?

    1. Of course not - they are being silly.

    2. Replying to an old post here now, but google found it so I guess someone else might find it the same way... I've asked them to add IPv6 to mine and it seems they still require an IPv4 subnet; however, they told me there would be no additional charge. All seems rather strange.

  6. While I agree 100% with the point you make, I'm sure that plusnet would argue that mobile broadband operators have basically been doing something very similar to CGN since the launch of 3G

    1. Indeed, but typical use of 3G is not the same, or has not been. I know plenty of people using 3G for "serious" work, and, of course, they tunnel to something real. Others just use facebook, twitter, imessage, etc, all of which will be OK on CGN.

    2. Also, in most cases for 3G the CGN is the single NAT layer with the one device attached being the mobile. CGN for an ISP will mean double NAT.

  7. At the start of last year I had a customer upgrading their internet connection. When they were shopping around for ISPs who could offer a leased line, I advised them that getting a new connection from an ISP that didn't do IPv6 would be silly. Eventually they settled on Eclipse, who said that yes their network supported IPv6. Everything got installed, Eclipse sent me their IPv4 subnet allocations and I asked them for the IPv6 allocations to go with them. Eclipse's reply was that whilst their network supports IPv6, they don't offer IPv6 connectivity to their customers. (As it turns out, Eclipse are just reselling a BT connection, and BT of course don't do IPv6). Needless to say, if I were the customer, I would've been pretty annoyed at having been sold a fairly expensive internet connection under false pretenses.

    Last I heard, Eclipse were saying "early 2013". Virgin Media have been saying "before the end of 2012" for a while, and that didn't happen either. What's really annoying isn't so much the lack of movement on this, but the fact that no ISPs seem to even be making their schedules visible to their customers, and on the rare occasion they do it turns out to be completely inaccurate.

  8. 2nd post as I lost my first, so this one is shortened.

    I agree with the first replier. I think ISPs have just been looking at how to profit from the situation, so plusnet charge for non-NATted IPs and BT might do the unthinkable and require someone to have a BT business broadband account to avoid CGN.

    Then influx of customers to aaisp etc. :)

    Should Ofcom regulate that CGN requires an IPv6 deployment?



