CGNAT stands for Carrier Grade Network Address Translation, which in plain language means large-scale network address translation. It is a technology that many Internet Service Providers use today, and it allows multiple users to access the Internet while sharing a small number of public addresses. It is one of the techniques that extends the useful life of the IPv4 protocol, as a preliminary step toward a future evolution to IPv6, with which we will no longer have (at least in the short term) addressing problems.
For those who don’t know, IPv4 addresses are the way in which different devices are identified in a network, and the IPv4 protocol stack is the set of protocols that allows two devices to communicate through a network such as the Internet.
This address consists of 32 bits (each of which is 0 or 1), although we usually write it in dotted decimal format (for example, 192.168.1.10). As it turns out, 32 bits give roughly 4.3 billion addresses, and that fell a little short; as a limited resource, an address ends up being a precious asset, and more so today, when it is increasingly common to find all kinds of devices with an Internet connection. This problem is resolved in the evolution to IPv6, with 128-bit addresses, which gives each of our homes an address space larger than the entire current Internet (and this is not an exaggeration), in addition to allowing direct end-to-end connectivity.
But this evolution is not going to happen overnight, and there are still years to go before an IPv4 switch-off (as there was in its day for analog television, for example). Meanwhile, we have at our disposal a series of transition techniques, among which is CGNAT, which allows us to “endure” the shortage of addresses we are currently suffering until we reach the oasis that the new protocol stack (IPv6) represents.
How does CGNAT work?
Each communication on the Internet is uniquely identified by the two ends that establish it. To identify each end we have an IPv4 address (32 bits) and a port number (between 0 and 65535, although some ranges are reserved, and protocols without ports, such as ICMP, are tracked by other identifiers). Strictly speaking, a connection is identified by the 5-tuple of protocol, source IP and port, and destination IP and port. CGNAT allows many private IP addresses (the ones we normally use, for example, at home) to share the same public IP address (necessary to communicate on the public Internet), each using a specific subset of its ports: the NAT rewrites the private source IP and port to a public IP and port on the way out, and reverses the translation on the way back.
In short, and as we said at the start of the article, it allows multiple end users (with multiple private IPv4 addresses) to access the Internet, YouTube, mail, Netflix, etc., with a much smaller set of public IP addresses.
How many private addresses are translated to each public IP depends on the oversubscription ratio we use, but a single public IP address can perfectly well serve 16, 32 or 64 private addresses. The limit is the port space: leaving aside the well-known ports, a public IP has roughly 64,000 usable ports, so 64 subscribers get about 1,000 ports each. The exact figure also depends on the type of CGNAT in use and how it is configured on the equipment that supports it.
As a curiosity, it should be noted that a shared addressing range (something like a private range, but intended for the segment between the customer’s router and the operator’s CGNAT, so that it does not collide with the RFC 1918 addresses the customer already uses at home) is normally used, defined by the IETF in RFC 6598 (https://tools.ietf.org/html/rfc6598). This address space, reserved by the IANA for shared use within Internet Service Providers, is 100.64.0.0/10 (100.64.0.0-100.127.255.255).
CGNAT advantages and disadvantages
From the point of view of the conventional home user, the use of CGNAT is usually quite transparent. In fact, by hiding the private address with which the user is identified in the operator’s network, CGNAT in some way restricts access from outside (the Internet), since sessions can only be started from the user side and not vice versa (from the Internet): an inbound packet that does not match a session the user already opened has no translation entry and is dropped. This should not be mistaken for a security control, since a compromised device inside can still reach out freely. It also has disadvantages for the user: hosting services at home (port forwarding), some peer-to-peer applications and console or gaming services that expect inbound connections do not work or need workarounds, and because many users share one public IP, reputation-based blocking or rate limiting triggered by one user affects everyone behind that address.
From the operator’s point of view, it is an opportunity to optimize the use of public addressing, which is becoming increasingly scarce and therefore increasingly costly.
Types of CGNAT
Although more complex classifications exist, in summary there are two main types of CGNAT: dynamic and deterministic (the latter being closer to a static assignment).
- Dynamic CGNAT. Dynamic CGNAT consumes public addresses (and their corresponding ports) on demand, as connections are opened and closed. It is much more efficient, because it only takes ports from the pools (or groups) of public addressing as new connections are created on the private side. That is precisely its advantage: a much greater (and more efficient) use of public addressing.
However, it also has a trade-off.
Since there is a legal requirement to be able to determine which private address was behind each connection made through a public address, every binding (private IP and port, public IP and port, protocol and time) has to be recorded in an external system, typically a syslog collector. The volume is considerable, since every new connection produces a record, which is why many deployments allocate ports in blocks and log the block rather than each connection. For the operator this means an additional system to receive those records and then store them for the period the current law requires. By the way, in case you had wondered, this protects us all: it prevents anyone from carrying out illegal acts behind a shared public address with respect to which traceability would otherwise be lost.
- Deterministic CGNAT. In deterministic CGNAT, a range of ports on a given public IP is pre-assigned to each specific private IP address, whether or not there is any communication. This means that the same private address (e.g. 100.65.0.10) will always use the same public address (e.g. 126.96.36.199) and the same range of ports (e.g. from 2048 to 4096) for its connections. The operator therefore does not need to keep a record of individual connections, since the assignment is a fixed function of the subscriber’s address and traceability is not lost; what must be kept is the configuration (pool, block size and offsets) in force at each point in time, so that an old public IP and port can still be mapped back to a subscriber. The price is efficiency: a heavy user can exhaust its block while ports on the same public IP sit idle, which is why some deployments combine a deterministic block with a dynamic, logged overflow pool.
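The following added example (not code from the original article or from any vendor’s product) models the two mapping strategies just described, and the inbound-session behaviour mentioned under advantages and disadvantages. Deterministic mode computes a subscriber’s public IP and port block arithmetically, and resolves a public IP and port back to a subscriber with no log at all; dynamic mode allocates a public port per connection, emits a syslog-style record for each binding, and drops any inbound packet that does not match a session opened from the inside. It assumes subscribers are addressed from the RFC 6598 range 100.64.0.0/10 and uses the RFC 5737 documentation prefix 203.0.113.0/24 as the public pool so that no real host is named; the class names, the block size and the record format are my own choices.

```python
"""Toy model of the two CGNAT mapping strategies described above.

Added example, not code from the original article. Subscriber addresses come
from the RFC 6598 shared range (100.64.0.0/10); public addresses are taken from
the RFC 5737 documentation range 203.0.113.0/24 so that no real host is named.
The session table has no timeouts and the log has no timestamps: both are
simplifications of what a real CGN box does.
"""
import ipaddress

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


class DeterministicCGNAT:
    """Every inside address owns one fixed block of ports on one public IP.

    The mapping is a pure function of the address, so an abuse report
    (public IP, port, time) can be resolved to a subscriber with no log,
    as long as the pool and block size in force at that time are known.
    """

    def __init__(self, public_pool, first_port=1024, block_size=1024):
        self.pool = [str(ip) for ip in ipaddress.ip_network(public_pool).hosts()]
        self.first_port = first_port
        self.block_size = block_size
        # Ports below first_port are left unused (well-known range).
        self.blocks_per_ip = (65536 - first_port) // block_size

    def block_for(self, inside_ip):
        """Return (public_ip, first_port, last_port) assigned to inside_ip."""
        addr = ipaddress.ip_address(inside_ip)
        if addr not in SHARED:
            raise ValueError(f"{inside_ip} is not in the shared range {SHARED}")
        index = int(addr) - int(SHARED.network_address)
        ip_idx, blk = divmod(index, self.blocks_per_ip)
        if ip_idx >= len(self.pool):
            raise ValueError("public pool too small for this subscriber index")
        lo = self.first_port + blk * self.block_size
        return self.pool[ip_idx], lo, lo + self.block_size - 1

    def subscriber_for(self, public_ip, public_port):
        """Reverse lookup: which inside address used public_ip:public_port."""
        ip_idx = self.pool.index(public_ip)  # ValueError if not in the pool
        blk = (public_port - self.first_port) // self.block_size
        if blk < 0 or blk >= self.blocks_per_ip:
            raise ValueError(f"port {public_port} is outside the translated range")
        return str(SHARED.network_address + ip_idx * self.blocks_per_ip + blk)


class DynamicCGNAT:
    """Public ports are handed out per connection, so each binding is logged."""

    def __init__(self, public_pool, first_port=1024):
        self.pool = [str(ip) for ip in ipaddress.ip_network(public_pool).hosts()]
        self.next_port = {ip: first_port for ip in self.pool}
        # (public_ip, public_port, proto) -> (inside_ip, inside_port, dst_ip, dst_port)
        self.sessions = {}
        self.log = []  # records an operator would export to a syslog collector

    def outbound(self, inside_ip, inside_port, dst_ip, dst_port, proto="tcp"):
        """Inside host opens a connection: allocate a public port and log the binding."""
        for pub in self.pool:
            if self.next_port[pub] <= 65535:
                pport = self.next_port[pub]
                self.next_port[pub] += 1
                break
        else:
            raise RuntimeError("public pool exhausted")
        self.sessions[(pub, pport, proto)] = (inside_ip, inside_port, dst_ip, dst_port)
        self.log.append(
            f"NAT-CREATE {proto} {inside_ip}:{inside_port} -> {pub}:{pport} "
            f"dst {dst_ip}:{dst_port}"
        )
        return pub, pport

    def inbound(self, public_ip, public_port, src_ip, src_port, proto="tcp"):
        """Packet from the Internet: delivered only if it answers an existing session.

        Returns (inside_ip, inside_port), or None when the packet is unsolicited,
        which is the 'sessions always start from the user side' behaviour.
        """
        sess = self.sessions.get((public_ip, public_port, proto))
        if sess is None or (sess[2], sess[3]) != (src_ip, src_port):
            return None
        return sess[0], sess[1]


if __name__ == "__main__":
    det = DeterministicCGNAT("203.0.113.0/30", block_size=1024)
    print(det.block_for("100.64.0.5"))              # ('203.0.113.1', 6144, 7167)
    print(det.subscriber_for("203.0.113.1", 7000))  # 100.64.0.5
    dyn = DynamicCGNAT("203.0.113.0/30")
    print(dyn.outbound("100.64.0.5", 40000, "198.51.100.7", 443))  # ('203.0.113.1', 1024)
    print(dyn.inbound("203.0.113.1", 1024, "198.51.100.7", 443))    # ('100.64.0.5', 40000)
    print(dyn.inbound("203.0.113.1", 1024, "198.51.100.9", 443))    # None (unsolicited)
```

With a 1024-port block and ports 1024 to 65535 in play, each public IP serves 63 subscribers in deterministic mode, and a /30 pool (two usable addresses) covers 126 of them; the 127th raises an error rather than silently overloading the pool. The reverse lookup needs only the pool and block size, which is exactly the configuration an operator must version and retain. In the dynamic model the same information exists only in the log records, one per connection, and an inbound packet whose source does not match the recorded destination of the session is discarded.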
If you are an operator and you are interested in these improvements, don’t hesitate to visit our ISP Solutions.