So says Cloudflare, which published research last week recounting how, once the world started running out of IPv4 addresses, engineers devised Network Address Translation (NAT) so that multiple devices could share one IPv4 address. NAT can handle thousands of devices, but carriers typically operate many more, so Carrier-Grade NAT (CGNAT) was developed: it can handle more than 100 devices per IPv4 address and scales to serve millions of users.
This is useful for carriers everywhere, but it is especially valuable for carriers in countries that missed out on large IPv4 allocations: their smaller pool of address resources means they must lean on CGNAT to serve more users and devices per address. Cloudflare’s research shows that carriers in Africa and Asia use CGNAT more than those on other continents.
Cloudflare is worried that this could be bad for individual netizens.
“CGNAT also produces significant operational consequences arising from the fact that hundreds or thousands of clients may originate from a single IP address,” wrote Cloudflare researchers Vassilis Giotsas and Marwan Fayed. “This means that IP-based security systems could inadvertently block or crush large groups of users as a result of a single user engaging in malicious activity behind CGNAT.”
“Blocking shared IPs penalizes abusers as well as many innocent users.”
The researchers also noted that “Traditional abuse-mitigation techniques, such as blocklisting or rate-limiting, assume a one-to-one relationship between IP addresses and users: when malicious activity is detected, the offending IP address can be blocked to prevent further abuse.”
Because CGNAT is more prevalent in Africa and Asia, they suggested that “CGNAT is a potentially overlooked source of bias on the Internet.”
“Those biases will be more pronounced where there are more users and fewer addresses, such as in developing regions. And these biases can have profound impacts on user experience, network operations, and digital equity,” the researchers wrote.
To test that hypothesis, the pair went looking for CGNAT deployments using traceroutes, WHOIS and reverse DNS pointer (PTR) records, and existing lists of VPN and proxy IP addresses. That effort yielded a labeled dataset of over 200K CGNAT IPs, 180K VPN and proxy IPs, and 900K other IPs relevant to the study of CGNAT. They combined that dataset with Cloudflare’s analysis of bot activity to check whether CGNAT traffic is rate-limited as often as traffic from non-CGNAT IP addresses.
That effort found indicators of bias: non-CGNAT IPs are more likely to carry bot traffic than CGNAT IPs, yet traffic from the latter is rate-limited more often.
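To make the labeling step concrete, here is an added Python example (not Cloudflare's code, and not the study's exact rules) that assigns one of the three labels used in the dataset to a public IP from the evidence sources the paragraph names. It assumes two heuristics that the page does not spell out: a traceroute hop inside the RFC 6598 shared address space 100.64.0.0/10 (reserved for CGNAT) marks an address as CGNAT, and PTR names containing tokens such as "cgnat" or "lsn" do too. The sample hops, PTR names and VPN feed are constructed.

```python
import ipaddress
import re

# RFC 6598 reserves 100.64.0.0/10 as shared address space for CGNAT. A traceroute
# hop in that range between the client and the public Internet is a strong CGNAT
# signal. This is an assumed heuristic; the study's exact rules are not on the page.
CGNAT_SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Assumed PTR naming conventions for CGNAT pools (hypothetical, not from the page).
CGNAT_PTR_RE = re.compile(r"(cgn(at)?|nat[-.]?pool|lsn)", re.IGNORECASE)


def classify_ip(public_ip, traceroute_hops, ptr_name, vpn_proxy_ips):
    """Return (label, reason) with label in {'vpn_proxy', 'cgnat', 'other'}.

    Order matters: a listed VPN/proxy exit is labeled first, then CGNAT evidence
    from traceroute hops, then from the PTR record; anything else is 'other'.
    """
    if public_ip in vpn_proxy_ips:
        return "vpn_proxy", "listed in VPN/proxy feed"
    for hop in traceroute_hops:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # '*' for an unresponsive hop
        if addr in CGNAT_SHARED_SPACE:
            return "cgnat", f"hop {hop} is in RFC 6598 shared space"
    if ptr_name and CGNAT_PTR_RE.search(ptr_name):
        return "cgnat", f"PTR {ptr_name} matches CGNAT naming"
    return "other", "no CGNAT or VPN/proxy indicators"


# Constructed sample evidence per public IP (documentation-range addresses).
SAMPLE = {
    "203.0.113.10": {"hops": ["192.168.1.1", "100.64.3.1", "100.64.0.1", "198.51.100.1"],
                     "ptr": "host10.example.net"},
    "198.51.100.25": {"hops": ["192.168.0.1", "*", "198.51.100.1"],
                      "ptr": "cgnat-pool-25.isp.example"},
    "192.0.2.77": {"hops": ["10.0.0.1", "192.0.2.1"], "ptr": "vpn77.example.org"},
    "192.0.2.200": {"hops": ["192.168.1.1", "192.0.2.1"], "ptr": "dsl-200.example.net"},
}
VPN_PROXY_FEED = {"192.0.2.77"}  # constructed stand-in for a VPN/proxy list


def classify_all(samples=SAMPLE, feed=VPN_PROXY_FEED):
    """Label every sample IP; returns {ip: label}."""
    return {ip: classify_ip(ip, d["hops"], d["ptr"], feed)[0] for ip, d in samples.items()}


if __name__ == "__main__":
    for ip, d in SAMPLE.items():
        label, why = classify_ip(ip, d["hops"], d["ptr"], VPN_PROXY_FEED)
        print(f"{ip:15s} {label:10s} {why}")
```

The VPN/proxy check runs first because a VPN exit can itself sit behind a NAT hop, and the study kept VPNs and proxies as a separate class rather than folding them into CGNAT.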
“Despite bot scores indicating that traffic is more likely to be from human users, CGNAT IPs are subject to rate limiting three times more often than non-CGNAT IPs,” the pair wrote. “This is possible because multiple users share the same public IP, increasing the chance of legitimate traffic being caught by customers’ bot mitigation and firewall rules.”
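The one-to-one assumption the researchers describe, and the collateral blocking it produces, can be shown with a small simulation. This is an added Python example, not code from Cloudflare or the study: a fixed-window rate limiter is run over constructed traffic in which 40 subscribers behind one CGNAT address behave exactly like 40 subscribers who each have their own address. The per-client key assumes the server has some client identifier (for instance a session token) beyond the source IP, which is an assumption, not something the page states.

```python
from collections import Counter


def make_requests(ip, n_users, per_user):
    """Constructed traffic: n_users distinct clients behind `ip`, each sending
    per_user requests inside one rate-limit window. Sample data, not real logs."""
    return [(ip, f"{ip}/client{u}") for u in range(n_users) for _ in range(per_user)]


# Constructed scenario: one CGNAT address fronting 40 subscribers, versus 40
# subscribers who each hold a public address. Identical per-person behaviour.
CGNAT_LOG = make_requests("203.0.113.10", n_users=40, per_user=5)
HOME_LOG = [req for u in range(40) for req in make_requests(f"198.51.100.{u + 1}", 1, 5)]


def per_ip(ip, client):
    """Classic key: assumes one IP address == one user."""
    return ip


def per_client(ip, client):
    """Finer key: IP plus a client identifier (assumed available, e.g. a session token)."""
    return (ip, client)


def rate_limit(log, limit, key=per_ip):
    """Fixed-window counter: each request beyond `limit` for a key is blocked.

    Returns (blocked_requests, clients_hit), where clients_hit is the number of
    distinct clients that had at least one request blocked.
    """
    counts = Counter()
    blocked, hit = 0, set()
    for ip, client in log:
        k = key(ip, client)
        counts[k] += 1
        if counts[k] > limit:
            blocked += 1
            hit.add(client)
    return blocked, len(hit)


def bias_report(limit=100):
    """Same limit applied to both populations with both keys."""
    return {
        "cgnat_per_ip": rate_limit(CGNAT_LOG, limit),
        "home_per_ip": rate_limit(HOME_LOG, limit),
        "cgnat_per_client": rate_limit(CGNAT_LOG, limit, key=per_client),
    }


if __name__ == "__main__":
    for name, (blocked, hit) in bias_report().items():
        print(f"{name:18s} blocked={blocked:3d} clients_hit={hit}")
```

With a limit of 100 requests per window, the CGNAT address sends 200 and loses half of them, hitting 20 subscribers who each made only five requests; the 40 home addresses never come near the threshold. Keying on IP plus client identifier removes the difference, which is the kind of CGNAT-aware adjustment the authors argue for.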
The authors therefore conclude: “Accurate detection of CGNAT IPs is important to minimize collateral effects in network operations and ensure fair and effective application of security measures.”
They suggest that ISPs running CGNAT get in touch, to help the community better understand the challenges of using the technology without creating bias.
The authors also acknowledge that all these problems will go away if the world switches to IPv6, and that until that happens network operators will have to deal with CGNAT. They also note the old adage – “There is nothing more permanent than a temporary solution” – as a possible reason CGNAT remains relevant today.