5

I'd like to deploy a Wireless WAN using IPv6 for at least the wireless bits, given that 6 offers higher throughput. I'm exploring the concept of CGN and what strikes me immediately is the liability.

Suppose you use a single IP address for 14 Apartments. Now suppose Ronnie in apt 1 plays a game with Jerry in apt 2. They connect to a public game server on different computers. Ronnie does something naughty and the admins outright ban his IP address as per normal. Despite doing nothing wrong, now Jerry can't play.

Given that even professional sites implement IP bans, it's safe to say you can trust administrators neither to A) block accounts exclusively nor to B) respond to generic customer tickets (depending on the website).

Is there actually a way to get around this or is that just a cost of using Carrier Grade NAT?

(I am wholly aware that IPv6 is becoming all the rage, but without some kind of tunneling users wouldn't have access to many websites. At that I would still need public IPv4 addresses.)

Guitarax
  • You state you want to use IPv6. IPv6 has 2^128 addresses, can I ask why you are skimping on IPs? Why doesn't each apartment get their own? Every device? Because the IPv4 is sold out, basically requires NAT today, but not IPv6. – cybernard Sep 02 '17 at 14:06
  • @cybernard: I feel like you didn't understand the question. The CGN is for v4, not v6. – user541686 Sep 02 '17 at 20:13
  • Then why are you mentioning IPv6 if your question isn't about IPv6? Also, there's nothing "carrier grade" about this NAT setup you propose. – womble Sep 07 '17 at 00:47
  • To address the IPv6 issue, many websites still don't support an IPv6-exclusive network. I would love to hand everyone an IPv6 address and wipe my hands of this, but that means people wouldn't be able to access some sites. – Guitarax Sep 08 '17 at 02:16

1 Answer

14

That is indeed one of the problems with CGN. Sharing a resource means that all suffer the consequences when one abuses the resource.

A bank that I consulted for implemented IPv6 on the server side exactly for that reason: more and more users end up behind CGN, hopefully also with IPv6. When their security department has to block an IPv4 address of a CGN, the users with IPv6 will still be able to access their servers.

They even presented about their IPv6 experience: https://ripe74.ripe.net/archives/video/70/

Sander Steffann
  • It can also work the other way round: CGNAT can protect the innocent (and prevent punishing the guilty). EUROPOL has been complaining that CGNAT makes criminal investigations much harder. – Kevin Keane Feb 02 '18 at 07:51
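
The collateral ban from the question and the dual-stack escape hatch from the answer, as an added example that is not part of the original posts. It assumes the game server is dual-stack, that each apartment gets its own IPv6 /64, and that admins ban IPv4 per address and IPv6 per /64; all addresses and names are constructed from documentation ranges.

```python
import ipaddress

CGN_V4 = "203.0.113.10"  # constructed: the one public IPv4 the building shares

class Blocklist:
    """Server-side ban list: IPv4 per address, IPv6 per /64."""

    def __init__(self):
        self._nets = set()

    def ban(self, addr):
        ip = ipaddress.ip_address(addr)
        # Assumption: each apartment is delegated its own IPv6 /64, so a /64
        # ban covers one subscriber. A /32 IPv4 ban covers everyone behind CGN.
        prefix = 32 if ip.version == 4 else 64
        self._nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip.version == n.version and ip in n for n in self._nets)

def make_clients(dual_stack):
    """Ronnie (apt 1) and Jerry (apt 2); addresses are constructed samples."""
    clients = {}
    for apt, name in ((1, "ronnie"), (2, "jerry")):
        addrs = [CGN_V4]
        if dual_stack:
            addrs.append(f"2001:db8:0:{apt}::10")
        clients[name] = addrs
    return clients

def can_connect(blocklist, addrs):
    """True if at least one of the client's source addresses is not banned."""
    return any(not blocklist.is_blocked(a) for a in addrs)

def simulate(dual_stack):
    clients = make_clients(dual_stack)
    blocklist = Blocklist()
    for addr in clients["ronnie"]:  # admins ban every address Ronnie used
        blocklist.ban(addr)
    return {name: can_connect(blocklist, a) for name, a in clients.items()}

if __name__ == "__main__":
    print("IPv4 behind CGN only:", simulate(dual_stack=False))
    print("dual stack:          ", simulate(dual_stack=True))
```

With IPv4 behind CGN only, banning Ronnie locks Jerry out as well; with dual stack, Jerry still connects over his own /64 while Ronnie stays banned on both families.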