Carrier Grade NAT (CGNAT), also called Large Scale NAT (LSN), has a very particular place in both mobile and residential (fixed) networks. Let's start with what NAT is, then move on to what CGNAT is and which problem it solves. After that, let's look at how LSN solves this problem. Lastly, let's look at some definitions in the RFCs and clear them up a little.

Network Address Translation (NAT)

The Definition

As far as I know, NAT was first described in RFC 1631; the checksum adjustment algorithm was later corrected and the document was republished as RFC 3022. If you work in IT, you must have come across the term NAT. RFC 1918, Section 3, says that:

The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:
     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

These IP blocks can be used anywhere except on the Internet. So how will two private IPs in different domains talk to each other? Almost every company can use those addresses inside its own network, but for communication between two end devices to take place, their IPs must be unique. That's why we need to translate those private IPs into public ones, which can be routed on the Internet. So here is the definition: NAT is a translation procedure that translates private IP addresses into public ones so that hosts can communicate with each other.

Carrier Grade NAT / Large Scale NAT

The definition

First things first: Carrier Grade NAT and Large Scale NAT are interchangeable terms. Here you can see the draft calling it LSN. Anyway, we can say that CGNAT is the ISP version of traditional NAT. It also overcomes some of traditional NAT's drawbacks. Here is a good article from MIT that explains the things that NAT breaks.

Before we go any further, let's answer some frequently asked questions about NAT in general.

Frequently Asked Questions

Question: Why don't we just use public IPv4 addresses on every device?
Answer: We don't have that many IPv4 addresses. According to this Stack Overflow post there are 3,706,452,992 public addresses, which seems like a lot but is not. If you are still not convinced, just search "how many IoT devices are there". Also think about the number of mobile phones with Internet access in your country.
This wiki article is also helpful on this subject.

Question: Why do we still bother with NAT? Can't we just use IPv6?
Answer: The short answer is yes, we can. The long answer is money, money, money! The transition from IPv4 to IPv6 is costly. That's why lots of companies try to avoid it.

Question: Will IPv6 solve the problem (IPv4 exhaustion) once and for all?
Answer: IPv6 has an address space of 2^128, that is 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. It is still a finite number.

The problem and the solution

So let's name the problem: it is IPv4 exhaustion. While the transition from IPv4 to IPv6 is one solution to this problem, using CGNAT is another. CGNAT is also a better and easier solution for ISPs. CGNAT helps ISPs transition to IPv6 more easily, and it also helps with logging and regulatory requirements.

How does CGNAT work?

As I mentioned previously, RFC 3022 has a section (Section 2, on page 3) that is very important to understand before reading further.

Traditional NAT would allow hosts within a private network to transparently access hosts in the external network, in most cases. In a traditional NAT, sessions are uni-directional, outbound from the private network. Sessions in the opposite direction may be allowed on an exceptional basis using static address maps for pre-selected hosts. Basic NAT and NAPT are two variations of traditional NAT, in that translation in Basic NAT is limited to IP addresses alone, whereas translation in NAPT is extended to include IP address and Transport identifier (such as TCP/UDP port or ICMP query ID).

Some parts of this explanation are worth emphasizing; I will come back to them later.

Now let's go back to RFC 4787. Section 4.1 (page 5) explains that an endpoint address and port pair is called a tuple. When an internal endpoint:port wants to communicate with an external endpoint:port (or vice versa) through a NAT device, the process of assigning an external tuple is called endpoint mapping. For further explanation of endpoint mapping, check RFC 5128. I will just copy the illustration from RFC 4787 and try to explain it.

                                      E
   +------+                 +------+  x
   |  Y1  |                 |  Y2  |  t
   +--+---+                 +---+--+  e
      | Y1:y1            Y2:y2  |     r
      +----------+   +----------+     n
                 |   |                a
         X1':x1' |   | X2':x2'        l
              +--+---+-+
   ...........|   NAT  |...............
              +--+---+-+              I
                 |   |                n
             X:x |   | X:x            t
                ++---++               e
                |  X  |               r
                +-----+               n
                                      a
                                      l

                         Address and Port Mapping

X is an endpoint that has an IP address within the private address space.
X:x is the notation for a private IP and port.
X1′:x1′ is the notation for the translated version of X:x; it now has a public IP address.
Y1 is an endpoint that has a public IP address.
Y1:y1 is the notation for a tuple with a public IP address and port.

I said that I emphasized some parts. Let's go back to that memo and remember the first part: "In a traditional NAT, sessions are uni-directional." In CGNAT, if the same internal endpoint:port reuses one and the same mapping (X1′:x1′) to communicate with any external endpoint:port, this is called Endpoint-Independent Mapping (EIM).

Let's say I have a custom service inside my home network and I want everyone to be able to access it. It has the IP address 192.168.1.100 and port number 8000. If I want people to connect to my service, I need a public IP and port tuple. So, in the illustration above, X:x equals 192.168.1.100:8000 and X1′:x1′ equals its mapped public ip:port. Any external public ip:port must send its request to X1′:x1′ in order to reach 192.168.1.100:8000. In CGNAT, letting any external endpoint in through the X:x <-> X1′:x1′ mapping is called Endpoint-Independent Filtering (EIF). EIM and EIF are the two NAT behaviours (in RFC 4787 terms) that CGNAT uses.
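To make the two behaviours concrete, here is a small Python model of a NAPT mapping table written for this article (it is not code from the post or from any RFC). It can be switched between endpoint-independent and endpoint-dependent mapping/filtering, so you can see that with EIM every destination reuses the same X1′:x1′, and that with EIF a host X:x has never talked to is still forwarded, whereas dependent filtering drops it. The public address 203.0.113.10 and the port pool starting at 40000 are assumed values.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # assumed CGNAT public address (documentation range)
FIRST_PORT = 40000           # assumed start of the NAT's external port pool


@dataclass
class Napt:
    """Toy NAPT table switchable between RFC 4787 mapping/filtering behaviours."""
    eim: bool = True          # True: Endpoint-Independent Mapping
    eif: bool = True          # True: Endpoint-Independent Filtering
    next_port: int = FIRST_PORT
    outbound: dict = field(default_factory=dict)   # mapping key -> (X1', x1')
    inbound: dict = field(default_factory=dict)    # (X1', x1') -> {internal, peers}

    def send(self, X, x, Y, y):
        """Internal X:x sends to external Y:y; returns the translated source X1':x1'."""
        # EIM keys the mapping on X:x only, so every destination reuses the same
        # external tuple; otherwise each (X:x, Y:y) pair gets its own mapping.
        key = (X, x) if self.eim else (X, x, Y, y)
        if key not in self.outbound:
            self.outbound[key] = (PUBLIC_IP, self.next_port)
            self.next_port += 1
        ext = self.outbound[key]
        entry = self.inbound.setdefault(ext, {"internal": (X, x), "peers": set()})
        entry["peers"].add((Y, y))   # remember which external tuples X:x contacted
        return ext

    def receive(self, Y, y, X1, x1):
        """External Y:y sends to X1':x1'; returns the internal X:x, or None if dropped."""
        entry = self.inbound.get((X1, x1))
        if entry is None:
            return None              # no mapping exists: packet is discarded
        if self.eif or (Y, y) in entry["peers"]:
            return entry["internal"]
        # Address-and-Port-Dependent Filtering: only endpoints that X:x already
        # contacted are let back in, so unsolicited inbound traffic is dropped.
        return None


def demo():
    """Reproduce the article's scenario: 192.168.1.100:8000 behind a CGNAT."""
    cg = Napt(eim=True, eif=True)
    ext = cg.send("192.168.1.100", 8000, "198.51.100.1", 80)
    same = cg.send("192.168.1.100", 8000, "198.51.100.2", 443)
    stranger = cg.receive("198.51.100.3", 5555, *ext)   # never contacted before
    return ext == same, stranger
```

Note that EIF is exactly what makes the home service reachable, and also what exposes the mapped port to every host on the Internet; the dependent-filtering variant in the model shows the stricter alternative.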

I tried to simplify and summarize the RFCs a little. If you have a question or an addition to the article, feel free to comment below.