
Why CGNAT Is a Cancer on the Internet

So, you’ve asked me to whitelist your CGNAT IPs. I’d love to hear your justification and where the benefit is here for me or our users.

In my opinion CGNAT is the cancer of the ISP/telecoms industry.

“But Steve – we’re running out of IPv4 addresses, so we need CGNAT to fill the gap before IPv6!”

The problem here is the telecoms industry should have ensured that IPv6 is available to *all* consumers on all available links before considering the use of IPv4 CGNAT.

But that doesn’t appear to be happening. The biggest obstacle to widespread IPv6 adoption is these very same companies. IPv6 requires implementation time, planning and investment. There’s no profit in that, only costs. So, they wait until equipment becomes obsolete before replacing it with IPv6-capable stuff, then let others work out how to do a lot of the hard work of implementation and take on the risk of doing so. This is why we’re still on IPv4: the process has been glacial.

Company executives see IPv4 CGNAT as a way to increase profits and reduce costs.

“IPv4 ranges are expensive and have become a commodity, so let’s put all our consumer-grade stuff behind CGNAT and charge a premium to have a “proper” connection. End-users won’t care, they don’t understand this stuff anyway. That way – we can conserve our IPv4 resources, have more subscribers overall and potentially lease off the IPv4 space we saved and increase our profits further.”

The problem is, the internet and IPv4 were never really designed for this. Sure – we use NAT on home/company networks to conserve IPs, which also has the side-effect that none of the machines are directly addressable, making things slightly more secure (NAT is not a replacement for a firewall though).

But, NAT comes at a cost. And that cost is complexity when things go wrong.

If a machine behind the NAT becomes infected, or the user installs a malicious application and their computer starts to act as part of a botnet, under the control of a bad actor, group or state, or as a hidden proxy, any of these can then generate abuse, and the NAT’s public IP becomes the IP that abuse appears to originate from. If that abuse is reported back, it’s then very difficult for the administrator of that network to pinpoint which machine(s) behind that NAT are at fault.

For regular NAT, where the entity is a company – this is a pain, but it’s a single entity; they are “responsible” for their own equipment and security and typically have an IT department with competent professionals who can resolve this and put measures in place to prevent it from happening again.

For NAT on residential connections, this very much isn’t the case. The ISP/telco does not want to have to deal with the security (or lack thereof) of their consumers. We see this *all* the time. They don’t have the people, process or will to do it. It hurts their profit and annoys their non-technical subscribers, who think it is the responsibility of the ISP/telco, not their own, to “fix” the problem they created. This is compounded by the cheap equipment usually supplied for these connections, which does not keep granular NAT logs and has very limited capabilities; even in the hands of an IT professional, finding the offending device can be extremely difficult.

For CGNAT, this is far, far worse, as you then have hundreds of residential connections all sharing a single IP. Finding the affected subscriber when an abuse report comes in is much harder. It requires the exact timestamp and source port of the connection that was made, and it requires that the CGNAT gateway has been configured to log all of this information and keep it long enough.

Then, once the subscriber is identified, the ISP/telco has to have the procedures in place to handle this. Most don’t (or don’t want to).

I would love it if I could tag all the CGNAT IPs as such, but maintaining a static list is damn near impossible (and time consuming); the ISP/telco industry mostly tries to hide their use of CGNAT and mostly doesn’t use the already available method of labelling these hosts with a -cgnat- designation in the rDNS of such IPs.

So, look at it from our point of view as an anti-abuse and threat intelligence company. Where is the benefit to us or our customers in whitelisting your huge static list of CGNAT addresses and not adding these IPs to our blocklists when they emit abuse?

If I were a black-hat or state actor wanting to hide my tracks, then CGNATs would be one of the things I would prefer to use (via an anonymous residential proxy).

Guess what?  This is already happening.
