If you don’t know what CGNAT is, follow along and I’ll tell you the story that led me to its discovery on my internet provider’s network, and furthermore why it’s a terrible threat to an open, peer-to-peer enabled internet.
My old ISP was Belong internet, chosen solely for their carbon neutrality. The ratings were OK and the price was good, but I did not remain a customer for long at all.
I decided to set up a Diaspora server (https://diasporafoundation.org/) from my apartment and began preparing my ‘server’, which was to be an underpowered (for this application) Raspberry Pi model 3B. After spending quite some time setting it up with the software, it was time to open some ports to the internet. I’d expected this to be one of only a couple of scenarios:
- I was on a static IP already, so I just needed to open a few ports in my router and set up DNS to point to my public IP
- I was using a dynamic IP address, in which case I was going to use a dynamic DNS service to give me a ‘permanent’ internet domain name, and then use a DNS redirect to that dynDNS domain. And, obviously, open the ports
I began my process by opening the ports in the router and trying to test that I could access ports 80/443 in a browser. I was disturbed to see some totally unexpected content. I ran an nmap port scan of my public IP and saw a number of unrecognised open ports, which caused some momentary panic. This was weird enough that I started googling; I wish I still knew the keywords I’d used doing that search. Finally I stumbled upon CGNAT, carrier-grade network address translation.
CGNAT – carrier-grade network address translation
CGNAT essentially means that you share your public IP address with other internet users, which is, frankly, totally nuts. Your public IP address is probably the strongest piece of identity information you provide to a remote server, and now it’s being shared by a large number of untrusted people; I find this concerning.
Let me give some concrete examples:
- Public IPs are the ones blacklisted when servers are being attacked; someone else behind the CGNAT router might be dodgy as heck and get your public IP blocked
- Public IPs are often enough whitelisted by corporate VPNs to ensure that other parties cannot connect – with CGNAT there is a horde of people on your ‘network’
More importantly in this case, it makes hosting a server from home all but impossible: there’s no way to open a port on the CGNAT’s side without significant cooperation from the ISP. It’s a low-grade hack for ISPs to delay the inevitable, costly transition to using IPv6.
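A quick way to tell whether you are in this situation before spending time on port-forwards, added here as an example and not code from the original post: compare the address your router shows on its WAN interface with the address an external service reports for you, and check the WAN address against the RFC 6598 shared address space that CGNAT deployments use. The sample address pairs are constructed from documentation ranges.

```python
import ipaddress

# RFC 6598 "shared address space": reserved specifically for carrier-grade NAT.
# A router whose WAN address lands here is behind CGNAT, so port-forwards set
# up on that router are never reachable from the internet.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges, checked explicitly (Python's is_private also flags
# documentation ranges, which would mislabel the constructed samples below).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify how a home router sits relative to the public internet.

    router_wan_ip      -- the address the router shows on its WAN/PPP interface
    observed_public_ip -- the address a remote server sees for the connection
                          (e.g. reported by an external "what is my IP" page)
    Returns one of: "cgnat", "nat-upstream", "translated", "direct".
    """
    wan = ipaddress.ip_address(router_wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_SHARED:
        return "cgnat"          # definitive: the ISP handed out RFC 6598 space
    if any(wan in net for net in RFC1918):
        return "nat-upstream"   # private address on the WAN side: another NAT upstream
    if wan != public:
        return "translated"     # routable WAN address, yet the world sees a different one
    return "direct"             # the router itself holds the address the internet sees


def port_forward_will_work(router_wan_ip: str, observed_public_ip: str) -> bool:
    """A router-side port-forward only helps when the router holds the public IP."""
    return classify_wan(router_wan_ip, observed_public_ip) == "direct"


if __name__ == "__main__":
    # Constructed sample pairs (documentation/test ranges, not real customers).
    samples = [
        ("100.73.12.5", "203.0.113.9"),    # CGNAT: shared address space on WAN
        ("192.168.100.2", "203.0.113.9"),  # private WAN: ISP modem or CGNAT upstream
        ("198.51.100.4", "203.0.113.9"),   # routable WAN but still translated somewhere
        ("203.0.113.9", "203.0.113.9"),    # genuine public IP on the router
    ]
    for wan, public in samples:
        print(f"{wan:>15} vs {public:<13} -> {classify_wan(wan, public)}")
```

Anything other than "direct" means the content you see when browsing to your "public" IP belongs to whatever the carrier's translator maps that port to, not to your router.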
I’ve since changed ISPs to AussieBroadband and have been impressed with the service: they communicate outages fast, provide a good quality service and have reasonable pricing around static IP allocations, though they are still to make the jump to supporting IPv6, which some telcos have started to exclusively support (https://www.sidn.nl/en/news-and-blogs/australias-telstra-switches-mobile-users-to-ipv6-only).
I’ve always believed that IPv6 and the end of NAT and port-forwarding are key to having an open, peer-to-peer internet, and CGNAT is another step which takes away our power as internet users, forcing us to use web-services providers such as AWS to host a public-facing service. I’m looking forward to society being able to maintain and use more privately-hosted, decentralised, encrypted applications so I can stop having my data hosted on an untrusted party’s opaque server.