
CGN FAQ [UPC]

  • 06-09-2015 11:44am
    #1
    Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭


    This is coming up more and more, so time for a thread we can link to. The explanation is simplified into layman's terms and may not be 100% technically accurate (it's not for the networking heads among you).


    What is NAT (Network Address Translation)?
    Your ISP gives you one public IP address, say 89.100.100.1, but you don't usually have a single device (like old dial-up PCs), so NAT "shares" one public IP with multiple private devices. Port forwarding is a way of setting up manual NAT rules.

    Where is NAT normally?
    Your modem/router combo does NAT as it sits between your devices and the public internet.

    What is CGN?
    Carrier Grade NAT is where the ISP does NAT on their routers before your router, then your modem/router does its own. This is what's called "Double NAT", and it's never really a good thing.

    What does it break?
    UPnP (Universal Plug and Play), port forwarding; prevents hosting. Some VPNs; gaming has issues. Sometimes you'll see erratic issues.

    Why do they do it?
    $$$$$ / IPv4 starvation. The internet is "running out of" IPv4 (the current type) IPs. The price varies, but it can be around $5-15 USD right now, and will only increase over time as the number of internet-connected people and devices skyrockets. In normal mode 1 customer = 1 IP. With CGN 1 IP = 30, 50, 200... customers. When you have a network with millions of subscribers (Liberty Global, Vodafone, Hutchison Whampoa etc.) then this "multiplication factor" can be a cost saving vs the kit required.

    Who does it
    Mobile operators have done it for years. If you've got a regular phone SIM with a data plan you're likely given a 10. address and share a public IP with a cluster of other users. This is fine for the light use of mobile content consumption. Often though, if you buy a "broadband" (it's really midband!) dongle from a mobile op you'll get a public IP just to yourself, presumably because they recognise that users have a real need for one!

    Time Warner in the USA started it a while back, as did a few others.

    UPC is now doing it, mostly enabling it when you change service, change modem, move home or for new customers.

    UPC:

    In Ireland this is our main concern; so far they've been the only ones seen to deploy it to their production fixed-line network. I'm sure others will try it at some point, but they're the first. They've been moving in IP blocks from Austria etc. to cover growth and now they're doing this.

    DS-Lite
    DS-Lite is the form of CGN UPC Ireland use; DS-Lite = Dual-Stack Lite. What that means is they give you an IPv6 address to yourself, and then share an IPv4 address between you and the rest of the NAT group. So in theory you do have a unique address, but VERY few services use IPv6 yet, so in effect you end up going through Double NAT nearly all the time.

    Am I on DS-Lite/CGN???
    Simplest way is to log in to your modem and check what WAN IP it shows. If it's a regular IPv4 address you're in the clear; if it's an IPv6 address then you're CGN'd. See below.

    What can I do?
    UPC enabled it for you, and only they can disable it again. Their provisioning system has a flag with which they can enable or disable it for your modem. The Talk2 reps here on Boards.ie are by far the best channel to access their contact centre; like any ISP, phone support is hit and miss.

    Bridging?
    Won't work in a double NAT situation.

    My speeds are slow...
    CGN shouldn't have any noticeable impact on speeds and very little on latency, but in practice there have been reports of this not being the case.



    I've probably missed some stuff but that's a start, I'll edit in changes later if there's more.

    Hope this helps,
    ED-E.
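
    A small diagnostic for the "Am I on DS-Lite/CGN?" check above, added here as an example and not part of the original post or of any UPC tool. It applies the thread's rule of thumb (an IPv6 WAN address means DS-Lite, a public IPv4 WAN address means no carrier NAT) plus the RFC 6333 well-known 192.0.0.0/29 range; the sample addresses are constructed, except 89.100.100.1 which is the post's own example.

```python
import ipaddress

# RFC 6333 section 5.7: 192.0.0.1 is the AFTR, 192.0.0.2 the B4 (CPE side).
DSLITE_WELL_KNOWN = ipaddress.ip_network("192.0.0.0/29")
# RFC 1918 ranges; a 10.x WAN address is the mobile-style CGN the post describes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 ranges that cannot be a real WAN address (link-local, unique local).
IPV6_NON_GLOBAL = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7")]

EXPLANATIONS = {
    "ipv4-public": "public IPv4 on the WAN: no carrier NAT, port forwarding should work",
    "ipv4-private": "RFC 1918 WAN address: NAT is happening upstream of your router",
    "dslite-reserved": "DS-Lite B4/AFTR well-known address: carrier NAT (DS-Lite)",
    "ipv6-wan": "IPv6 WAN address: DS-Lite / CGN per the thread's rule of thumb",
    "ipv6-non-global": "link-local or ULA IPv6: not a WAN address, check another interface",
    "ipv4-other": "reserved IPv4 range: ask the ISP what sits upstream",
    "invalid": "not an IP address",
}

def classify_wan(addr):
    """Return a short tag for the WAN address shown on the router status page."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.version == 6:
        if any(ip in net for net in IPV6_NON_GLOBAL):
            return "ipv6-non-global"
        return "ipv6-wan"
    if ip in DSLITE_WELL_KNOWN:
        return "dslite-reserved"
    if any(ip in net for net in RFC1918):
        return "ipv4-private"
    if ip.is_global:
        return "ipv4-public"
    return "ipv4-other"

def explain(addr):
    """Human-readable verdict for one WAN address."""
    return f"{addr}: {EXPLANATIONS[classify_wan(addr)]}"

if __name__ == "__main__":
    # Constructed sample WAN addresses (89.100.100.1 is the post's own example).
    for sample in ("89.100.100.1", "10.20.30.40", "192.0.0.2", "2001:db8::1", "fe80::1"):
        print(explain(sample))
```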


Comments

  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    ED E wrote: »
    My speeds are slow...
    CGN shouldn't have any noticeable impact on speeds and very little on latency, but in practice there have been reports of this not being the case.

    DS-Lite combines carrier-grade NAT with a VPN tunnel. Considering how the current range of UPC Ireland home devices struggle with normal operations, running an IPv6 VPN could easily push them over the edge. It's normal in the network world to assume that putting traffic through a VPN halves the maximum throughput of a router.


  • Registered Users, Registered Users 2 Posts: 12,888 ✭✭✭✭Calahonda52


    Much obliged for this

    I ran a "test your IPv6" from my PC:

    Your IPv4 address on the public Internet appears to be xxx.xxx.xxx.xxx

    Your Internet Service Provider (ISP) appears to be LGI-UPC Liberty Global Operations B.V.,AT

    No IPv6 address detected

    Good news! Your current configuration will continue to work as web sites enable IPv6.

    You appear to be able to browse the IPv4 Internet only. You will not be able to reach IPv6-only sites.

    Your DNS server (possibly run by your ISP) appears to have no access to the IPv6 Internet, or is not configured to use it. This may in the future restrict your ability to reach IPv6-only sites.


    The xxx.xxx.xxx.xxx above is the same as the IP address shown when I log into the router, so is this IPv4 or IPv6?

    What is the ? for the nice folk over at The Talk2

    “I can’t pay my staff or mortgage with instagram likes”.



  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    DS-Lite combines carrier-grade NAT with a VPN tunnel. Considering how the current range of UPC Ireland home devices struggle with normal operations, running an IPv6 VPN could easily push them over the edge. It's normal in the network world to assume that putting traffic through a VPN halves the maximum throughput of a router.

    Good point that I'd totally missed. Would be interesting if somebody on DS-L could test for, say, a week, then have themselves reverted. A SamKnows box would do a great job of this. Then we could make educated claims about it.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    It's still not 100% clear; CGN *could* be implemented without a slowdown, but UPC's cheapo CPE (modems) could mean it does cause a slowdown.


  • Registered Users, Registered Users 2 Posts: 12,888 ✭✭✭✭Calahonda52


    ED E wrote: »
    It's still not 100% clear; CGN *could* be implemented without a slowdown, but UPC's cheapo CPE (modems) could mean it does cause a slowdown.


    Thanks. Before I go near UPC re this, can you tell from what I posted above if I am on DS-Lite, as I don't seem to have an IPv6 address?
    Deleted earlier post as not helpful.




  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    You aren't on CGN; your modem shows an IPv4, so that's definite.


  • Registered Users, Registered Users 2 Posts: 12,888 ✭✭✭✭Calahonda52


    ED E wrote: »
    You aren't on CGN; your modem shows an IPv4, so that's definite.
    Much obliged, back to drawing board :)




  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    ED E wrote: »
    It's still not 100% clear; CGN *could* be implemented without a slowdown, but UPC's cheapo CPE (modems) could mean it does cause a slowdown.

    It could do a lot of things.

    https://tools.ietf.org/html/rfc6333

    4.2. CPE

    Note: If an IPv4 home host decides to use another IPv4 DNS server,
    the DS-Lite CPE will forward those DNS requests via the B4 interface,
    the same way it forwards any regular IPv4 packets. However, each DNS
    request will create a binding in the AFTR. A large number of DNS
    requests may have a direct impact on the AFTR's NAT table
    utilization.

    5.3. Fragmentation and Reassembly

    Using an encapsulation (IPv4-in-IPv6 or anything else) to carry IPv4
    traffic over IPv6 will reduce the effective MTU of the datagram.
    Unfortunately, path MTU discovery [RFC1191] is not a reliable method
    to deal with this problem.

    A solution to deal with this problem is for the service provider to
    increase the MTU size of all the links between the B4 element and the
    AFTR elements by at least 40 bytes to accommodate both the IPv6
    encapsulation header and the IPv4 datagram without fragmenting the
    IPv6 packet.

    However, as not all service providers will be able to increase their
    link MTU, the B4 element MUST perform fragmentation and reassembly if
    the outgoing link MTU cannot accommodate the extra IPv6 header. The
    original IPv4 packet is not oversized. The packet is oversized after
    the IPv6 encapsulation. The inner IPv4 packet MUST NOT be
    fragmented. Fragmentation MUST happen after the encapsulation of the
    IPv6 packet. Reassembly MUST happen before the decapsulation of the
    IPv4 packet. A detailed procedure has been specified in [RFC2473]
    Section 7.2.

    As well as other concerns. I've only read up on the standard today, I wouldn't be comfortable implementing this.

    https://tools.ietf.org/html/draft-ietf-softwire-dual-stack-lite-06#section-7.2
    https://tools.ietf.org/html/draft-ietf-intarea-shared-addressing-issues-05#page-12
    7.2. VPN

    Dual-stack lite implementations SHOULD NOT interfere with the
    functioning of IPv4 or IPv6 VPNs.

    8.4.1. How many ports per customers?

    Because IPv4 addresses will be shared among customers and potentially
    a large address space reduction factor may be applied, in average,
    only a limited number N of TCP or UDP port numbers will be available
    per customer. This means that applications opening a very large
    number of TCP ports may have a harder time to work. For example, it
    has been reported that a very well know web site was using AJAX
    techniques and was opening up to 69 TCP ports per web page. If we
    make the hypothesis of an address space reduction of a factor 100
    (one IPv4 address per 100 customers), and 65k ports per IPv4
    addresses available, that makes an average of N = 650 ports available
    simultaneously to be shared among the various devices behind the
    dual-stack lite tunnel end-point.

    There is an important operational difference if those N ports are
    pre-allocated in a cookie-cutter fashion versus allocated on demand
    by incoming connections. This is a difference between an average of
    N ports and a maximum of N ports. Several service providers have
    reported an average number of connections per customer in the single
    digits. At the opposite end, thousands or tens of thousands of ports
    could be use in a peak by any single customer browsing a number of
    AJAX/Web 2.0 sites.

    As such, service providers allocating a fixed number of ports per
    user should dimension the system with a minimum of N = several
    thousands of ports for every user. This would bring the address
    space reduction ratio to a single digit. Service providers using a
    smaller number of ports per user (N in the hundreds) should expect
    customers applications to break in a more or less random way over
    time.

    In order to achieve higher address space reduction ratios, it is
    recommended that service provider do not use this cookie-cutter
    approach, and, on the contrary, allocate ports as dynamically as
    possible, just like on a regular NAT. With an average number of
    connections per customers in the single digit, having an address
    space reduction of a factor 100 is realistic. However, service
    providers should exercise caution and make sure their pool of port
    numbers does not go too low. The actual maximum address space
    reduction factor is unknown at this time.

    8.4.3. Subscriber controlled port assignment

    Dynamic port assignment precludes inbound access to subscriber
    servers, just as in a CPE NAT. Inbound access to subscriber servers
    can be provided through pre-assigned and/or reserved port mappings in
    the AFTR. Specifying the mechanisms for managing and signaling these
    reserved port mappings is out of scope for this document.


    If you ping the gateway address on UPC's implementation of dual stack, does it return in 0ms? The AFTR is supposed to be doing the routing, which makes far more sense to me.
    5.7. Well-Known IPv4 Address
    192.0.0.0 is the reserved subnet address. 192.0.0.1 is reserved for
    the AFTR element, and 192.0.0.2 is reserved for the B4 element. If a
    service provider has a special configuration that prevents the B4
    element from using 192.0.0.2, the B4 element MAY use any other
    addresses within the 192.0.0.0/29 range.
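
    To make the draft's "average of N ports vs a maximum of N ports" point concrete, here is a toy AFTR port allocator, added as an example (not code from the thread, the RFC or any vendor), that compares a cookie-cutter per-customer quota with dynamic allocation from the shared pool using the draft's own figures (100 customers per IPv4 address, 69 ports per AJAX-heavy page). Reserving the first 1024 ports and the traffic mix (99 light customers, one heavy browser) are assumptions.

```python
from collections import defaultdict

CUSTOMERS = 100                  # draft's "one IPv4 address per 100 customers"
USABLE_PORTS = 65536 - 1024      # assumption: ports below 1024 are never handed out
PORTS_PER_AJAX_PAGE = 69         # figure quoted in the draft

class Aftr:
    """Minimal port allocator for one shared IPv4 address at the AFTR."""
    def __init__(self, fixed_quota=None):
        # fixed_quota=None means dynamic allocation from the shared pool
        self.fixed_quota = fixed_quota
        self.bound = defaultdict(int)     # customer id -> ports currently bound
        self.refused = defaultdict(int)   # customer id -> bindings refused

    def in_use(self):
        return sum(self.bound.values())

    def bind(self, customer, count):
        """Try to create `count` new NAT bindings; return how many succeeded."""
        ok = 0
        for _ in range(count):
            if self.fixed_quota is not None:
                allowed = self.bound[customer] < self.fixed_quota
            else:
                allowed = self.in_use() < USABLE_PORTS
            if allowed:
                self.bound[customer] += 1
                ok += 1
            else:
                self.refused[customer] += 1   # this is the "random breakage" the draft warns of
        return ok

def simulate(fixed_quota, pages_for_heavy_user=10, baseline_flows=5):
    """99 light customers (single-digit flows) plus one browsing AJAX-heavy pages."""
    aftr = Aftr(fixed_quota)
    for cust in range(1, CUSTOMERS):
        aftr.bind(cust, baseline_flows)
    heavy = 0
    aftr.bind(heavy, pages_for_heavy_user * PORTS_PER_AJAX_PAGE)
    return {"heavy_bound": aftr.bound[heavy],
            "heavy_refused": aftr.refused[heavy],
            "pool_in_use": aftr.in_use()}

if __name__ == "__main__":
    print("cookie-cutter quota:", simulate(USABLE_PORTS // CUSTOMERS))
    print("dynamic allocation: ", simulate(None))
```

    With the fixed quota the heavy customer loses 45 of 690 bindings while the shared address still has over 63,000 ports free; dynamic allocation serves everyone.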


  • Registered Users, Registered Users 2 Posts: 12,888 ✭✭✭✭Calahonda52


    Just an update: the CCTV guys came and turned off the firewall in the UPC router and the port forwarding works.
    Just wondering, what's the risk of no firewall in the UPC router?
    Most of our kit is Mac.




  • Registered Users, Registered Users 2 Posts: 1,664 ✭✭✭rogue-entity


    ED E wrote: »
    Bridging?
    Won't work in a double NAT situation.
    That is not because it's a double-NAT, it's because of their DS-Lite implementation. It isn't really dual-stack because they tunnel your IPv4 over IPv6.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    That is not because it's a double-NAT, it's because of their DS-Lite implementation. It isn't really dual-stack because they tunnel your IPv4 over IPv6.

    I know what they do.

    If it was full DS, bridging would be possible and there would be no problems at all; there's no NAT going on. But it's DS-Lite as above and they are using carrier NAT.


  • Registered Users, Registered Users 2 Posts: 1,664 ✭✭✭rogue-entity


    Agreed but my suggestion was "Won't work with DS-Lite" rather than referring to Double-NAT.

    Thank you for the write-up though, if only UPC/VM themselves were even half as helpful.

