Carrier-grade NAT

From Wikipedia, the free encyclopedia
  (Redirected from Carrier grade NAT)
Jump to: navigation, search
Carrier Grade NAT.

Carrier-grade NAT (CGN), also known as large-scale NAT (LSN), is an approach to IPv4 network design in which end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end sites. This shifts the NAT function and configuration thereof from the customer premises to the Internet service provider network.

Carrier-grade NAT has been proposed as an approach for mitigating IPv4 address exhaustion.[1]

One use scenario of CGN can be described as NAT444,[2] because some customers' connections to public servers would pass through three different IPv4 addressing domains: the customer's own private network, the carrier's private network and the public Internet.

Another CGN scenario is Dual-Stack Lite, in which the carrier's network uses IPv6 and thus only two IPv4 addressing domains are needed.

Shared address space[edit]

If an ISP deploys a CGN, and uses RFC 1918 address space to number their customers, there is a risk that customer equipment already using RFC 1918 space will stop working. The reason is that routing and NAT will not work if the same addresses occur on both inside and outside network interfaces.

This prompted some ISPs to develop policy within ARIN to allocate new private address space for CGNs, but ARIN deferred to the IETF before implementing the policy indicating that the matter was not typical allocation but a reservation for technical purposes (per RFC 2860).

IETF created RFC 6598, detailing Shared Address Space for use in ISP CGN deployments and NAT devices that can handle the same addresses occurring both on inbound and outbound interfaces. ARIN returned space to the IANA as needed for this allocation.[3] The allocated address block is[4]


  • Devices or software that tries to figure out if an IPv4 address is public will have to be updated to recognize the new space.
  • Allocating more private IPv4 address space for NAT devices might prolong the transition to IPv6.


Critics of carrier-grade NAT argue the following aspects:

  • Like any form of NAT, it breaks the end-to-end principle.[5]
  • It has significant security, scalability, and reliability problems, by virtue of being stateful.
  • It makes record-keeping for law-enforcement operations more difficult, except if the translation of the addresses is logged.
  • It makes it impossible to host services.
  • It does not solve the IPv4 address exhaustion problem when a public IP address is needed, such as in web hosting.

Carrier-grade NAT usually prevents the ISP customers from using port forwarding, because the network address translation (NAT) is usually implemented by mapping ports of the NAT devices in the network to other ports in the external interface. This is done so the router will be able to map the responses to the correct device; in carrier-grade NAT networks, even though the router at the consumer end might be configured for port forwarding, the "master router" of the ISP, which runs the CGN, will block this port forwarding because the actual port would not be the port configured by the consumer.[6] In order to overcome the former disadvantage, the Port Control Protocol (PCP) has been standarized in the RFC 6887.

In addition, in rare cases there might be an issue of bans based on IP addresses; in Wikipedia, for example, the system might block a spamming user by banning the IP address which represents them. If that user happens to be behind carrier-grade NAT, other users sharing the same public IP with the spammer will be mistakenly blocked.[6]

See also[edit]


External links[edit]