
I definitely understand. Unfortunately, we started by rubbing nickels together, and everyone knows how expensive it is to be poor. Now we have space. We have IPv6 space, as well. Unfortunately, it often takes a crisis to get priorities in the right order.

Eric

________________________________
From: Tim Burke via NANOG <nanog@lists.nanog.org>
Sent: Friday, May 16, 2025 5:30 PM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Eric C. Miller via NANOG <nanog@lists.nanog.org>; Tim Burke <tim@mid.net>
Subject: Re: Sudden surge in CGNAT blacklisting

Meanwhile, I’m still over here dying on a hill stating that CGNAT has no business in fiber to the premises deployments… and this is just additional evidence. :-)

Trying to do hacky things with CGNAT to save a buck is, IMHO, inexcusable, especially when lots of FTTP operators are now overbuilding legacy ILECs/cablecos with fiber that is typically being promoted as “superior in every way”. If a company can spend thousands in construction costs to build to a house, hundreds per house on CPE, and excessive quantities of money on marketing, $35 (and going down) per public IP on the secondary market is pennies in comparison when it comes to customer acquisition cost.

Just my opinion, nobody else’s, as someone that is no longer involved in the eyeball network business ;-)

Tim
On May 16, 2025, at 14:37, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
"You're getting away with 256:1 CGNAT and not having customers run out of ports?"
I would like to apologize to the greater community for the hack job that I have done in the name of getting users online. 256:1 in our early networks was based on retail adoption in a community, and it quickly falls down when penetration improves. We use dynamic port allocation, so power users can get more ports from users that are lighter.
We've published our RFC8805 geofeed, and that helps with some groups like Maxmind, and we've also communicated with IP Quality Score about how we do CGNAT, but I'm not sure if they just reset their database, or if something else occurred. We had to roll CGNAT IPs for about 10,000 customers across 3 regions (CA, TX, FL) in 72 hours. We have more space now, so we're assigning space at an average ratio of 40:1.
I really don't believe that the cat and mouse gets "fixed" for IPv4 CGNAT. IPv6 has to be made a priority.
Eric

________________________________
From: Jon Lewis <jlewis@lewis.org>
Sent: Friday, May 16, 2025 9:46 AM
To: Eric C. Miller via NANOG <nanog@lists.nanog.org>
Cc: Eric C. Miller <eric@ericheather.com>
Subject: Re: Sudden surge in CGNAT blacklisting
On Thu, 15 May 2025, Eric C. Miller via NANOG wrote:
Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.
Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain unaffected. Each customer behind an IP is in the same subdivision.
You're getting away with 256:1 CGNAT and not having customers run out of ports?
Flagged (and presumably blocked) by who / what sorts of services/networks?
Have you done anything (SWIPs, suggestive PTRs, etc.) to indicate to outsiders that the IP blocks in question are CGNAT?
I know some VPN providers have utilized NAT for years, and some content providers (i.e. streaming services) have played a years-long game of cat & mouse / whack-a-mole trying to block these VPNs to prevent "out of region" eyeballs from accessing content they're not supposed to be permitted to see. To their algorithms, I wouldn't be surprised if VPNs using NAT and service providers using CGNAT were indistinguishable.
CGNAT is an unfortunate fact of life for many service providers in a world that's running out of v4 space but unwilling to fully (or even mostly) transition to v6... so I would hope nobody is blocking service provider CGNAT space intentionally.
----------------------------------------------------------------------
 Jon Lewis, MCP :)                |  I route
 Blue Stream Fiber, Sr. Neteng    |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/YH5HSIQC...
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TYNLRAMR...
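The thread turns on two practical points: how many ports a subscriber actually gets at a given CGNAT ratio (Eric's 256:1 versus 40:1), and how an operator can tell outsiders that a pool is shared subscriber space rather than VPN egress (Jon's SWIP/PTR question, Eric's RFC 8805 geofeed). The script below is an added example, not code from either poster; it sizes the per-subscriber port budget and emits a validated RFC 8805 geofeed. The prefixes and cities are constructed documentation values, and the assumption that ports below 1024 are excluded from the pool is the author's.

```python
"""Added example, not from the thread: size per-subscriber port budgets for
CGNAT pools and emit an RFC 8805 geofeed so third parties can see the pools
are shared subscriber space. Prefixes are documentation ranges (constructed)."""
import csv
import io
import ipaddress

USABLE_PORTS = 65536 - 1024  # assumes ports below 1024 are kept out of the pool


def ports_per_subscriber(ratio: int, usable_ports: int = USABLE_PORTS) -> int:
    """Ports each subscriber gets when `ratio` subscribers share one IP and the
    port range is split evenly; dynamic allocation moves blocks between users
    but cannot raise this total."""
    if ratio < 1:
        raise ValueError("ratio must be >= 1")
    return usable_ports // ratio


def pool_row(prefix: str, country: str, region: str, city: str) -> list:
    """Validate one pool and return its RFC 8805 fields (postal code left empty)."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        raise ValueError(f"bad ISO 3166-1 country code: {country!r}")
    if not region.startswith(country + "-"):
        raise ValueError(f"region {region!r} must be an ISO 3166-2 code under {country}")
    return [str(net), country, region, city, ""]


def geofeed_csv(pools: list) -> str:
    """Render pools as an RFC 8805 geofeed; '#' lines are comments."""
    buf = io.StringIO()
    buf.write("# RFC 8805 geofeed for CGNAT pools (constructed example)\n")
    writer = csv.writer(buf, lineterminator="\n")
    for prefix, country, region, city in pools:
        writer.writerow(pool_row(prefix, country, region, city))
    return buf.getvalue()


# Constructed sample pools; regions mirror the CA/TX/FL deployments in the thread.
SAMPLE_POOLS = [
    ("192.0.2.0/24", "US", "US-CA", "Sacramento"),
    ("198.51.100.0/24", "US", "US-TX", "Austin"),
    ("2001:db8:1::/48", "US", "US-FL", "Tampa"),
]

if __name__ == "__main__":
    for ratio in (256, 40):
        print(f"{ratio}:1 -> {ports_per_subscriber(ratio)} ports per subscriber")
    print(geofeed_csv(SAMPLE_POOLS), end="")
```

Publishing the resulting file at the URL referenced from the pool's RDAP/WHOIS remarks is what lets geolocation and reputation vendors pick it up; the script only produces and validates the file.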