
Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.

Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain unaffected. Each customer behind an IP is in the same subdivision.

Eric

On May 16, 2025, at 02:34, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.

Have some of the folks sitting behind it ill-advisedly signed up, or been involuntarily subsumed into, some of the burgeoning residential proxy services which are being leveraged by spammers, phishers, credential stuffers, DDoSers, et al.?

There’s a growth in awareness of the threats they represent; & there are several sessions on this topic at the upcoming NANOG conference.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>

Eric,

This is a total guess: There have been several takedowns of large residential proxy networks recently which may have motivated security vendors to be more aggressive in their identification of known proxy hosts. Some of these proxy networks are more malicious than others, which will force websites/shops/banks to deny access to IPs identified to be part of these proxies as well.

Thanks, Scott
On May 15, 2025, at 6:45 PM, Dobbins, Roland via NANOG <nanog@lists.nanog.org> wrote:
On May 16, 2025, at 02:34, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.
Have some of the folks sitting behind it ill-advisedly signed up, or been involuntarily subsumed into, some of the burgeoning residential proxy services which are being leveraged by spammers, phishers, credential stuffers, DDoSers, et al.?
There’s a growth in awareness of the threats they represent; & there are several sessions on this topic at the upcoming NANOG conference.
--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com> _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MHUIGOC4...

I haven't been able to find any data service showing the IPs as sources for abuse, just proxy/vpn. Maybe I'm just not looking in the right places. Suggestions for places to check?

I'm usually looking at Cloudflare Radar, CrowdSec, and IP Quality Score.

Eric
________________________________
From: Scott Fisher
Sent: Thursday, May 15, 2025 7:06 PM
To: North American Network Operators Group
Cc: Dobbins, Roland; Eric C. Miller
Subject: Re: Sudden surge in CGNAT blacklisting

Eric,

This is a total guess: There have been several takedowns of large residential proxy networks recently which may have motivated security vendors to be more aggressive in their identification of known proxy hosts. Some of these proxy networks are more malicious than others, which will force websites/shops/banks to deny access to IPs identified to be part of these proxies as well.

Thanks, Scott

Are you subscribed to Shadowserver’s daily reports? That is another source - combing the sinkholes, honeynet/sensors, scanning, and reporting.
On May 16, 2025, at 9:27 AM, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
I haven't been able to find any data service showing the IPs as sources for abuse, just proxy/vpn. Maybe I'm just not looking in the right places. Suggestions for places to check?
I'm usually looking at Cloudflare Radar, CrowdSec, and IP Quality Score.
Eric

On May 16, 2025, at 08:27, Eric C. Miller <eric@ericheather.com> wrote:
Suggestions for places to check?

Enabling flow telemetry export on your edge routers and collecting/analyzing it can help identify inbound and outbound abuse. There are both open-source and commercial systems one can leverage for this.

[Full disclosure: I work for a vendor of such solutions.]
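The reply above recommends exporting flow telemetry from the edge and analysing it for abuse. The script below is an added illustration of what that analysis looks like once a collector has decoded the records; it is not code from the thread, from NANOG, or from any vendor product. It assumes constructed flow records, a pool drawn from the TEST-NET-3 documentation range, a 64:1 sharing ratio, and hypothetical per-subscriber thresholds. The point it makes that the paragraph does not: on a shared CGNAT address the raw counts are meaningless until you divide them by the number of subscribers behind that address, and the two behaviours a reputation vendor reacts to first (direct-to-MX mail and many tiny one-packet connections) stand out clearly even in aggregate.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One exported flow record after the collector has decoded it."""
    src: str
    dst: str
    dst_port: int
    proto: str     # "tcp" or "udp"
    packets: int


# Assumed CGNAT outside pool; TEST-NET-3 is a documentation range, not a real pool.
CGNAT_POOL = ip_network("203.0.113.0/24")
# Assumed sharing ratio for this pool (64 subscribers per public address).
SUBSCRIBERS_PER_IP = 64

# Constructed sample: .10 looks like ordinary web browsing, .20 shows port-25
# fan-out (what a spam-relaying proxy node produces), .30 shows a horizontal scan.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("203.0.113.10", f"198.51.100.{i}", 443, "tcp", 40) for i in range(1, 30)]
    + [Flow("203.0.113.20", f"198.51.100.{i}", 25, "tcp", 6) for i in range(1, 200)]
    + [Flow("203.0.113.30", f"192.0.2.{i}", 445, "tcp", 1) for i in range(1, 250)]
)


def profile_pool_ips(flows: List[Flow], pool) -> Dict[str, dict]:
    """Aggregate outbound flows per pool address into a small behaviour profile."""
    prof = defaultdict(lambda: {"dsts": set(), "smtp": 0, "tiny": 0})
    for f in flows:
        if ip_address(f.src) not in pool:
            continue                      # only traffic leaving the CGNAT pool
        p = prof[f.src]
        p["dsts"].add(f.dst)
        if f.proto == "tcp" and f.dst_port == 25:
            p["smtp"] += 1                # direct-to-MX mail is unusual for residential users
        if f.proto == "tcp" and f.packets <= 2:
            p["tiny"] += 1                # 1-2 packet flows: probes or refused connections
    return prof


def flag_abuse(flows, pool, subscribers_per_ip, smtp_per_sub=0.5, probe_per_sub=2.0):
    """Return {pool_ip: [reasons]} for addresses whose behaviour, divided by the
    number of subscribers sharing them, exceeds the (assumed) thresholds."""
    findings = {}
    for ip, p in profile_pool_ips(flows, pool).items():
        reasons = []
        if p["smtp"] / subscribers_per_ip > smtp_per_sub:
            reasons.append(f"smtp fan-out: {p['smtp']} port-25 flows to {len(p['dsts'])} hosts")
        if p["tiny"] / subscribers_per_ip > probe_per_sub and len(p["dsts"]) >= 100:
            reasons.append(f"scan-like: {p['tiny']} tiny flows to {len(p['dsts'])} hosts")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in sorted(flag_abuse(SAMPLE_FLOWS, CGNAT_POOL, SUBSCRIBERS_PER_IP).items()):
        print(ip, "->", "; ".join(reasons))
```

A flagged pool address only tells you which shared IP is misbehaving; tying it to one subscriber requires the NAT translation log (pool IP, source port, timestamp) alongside the flow export, so keep both with the same clock source.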

On May 16, 2025, at 08:27, Eric C. Miller <eric@ericheather.com> wrote:
I haven't been able to find any data service showing the IPs as sources for abuse, just proxy/vpn.

A lot of abuse is reflected through such services, so they’re being flagged more aggressively, these days.

If in fact some of your customers are participating in residential proxy services, whether knowingly or not, your new allocation may well end up being flagged, too, FYI.

Hopefully, your AUP disallows reselling/sharing of service, and/or has a general clause allowing service termination at your discretion, should things come to that.

That being said, there’s a real need for proactive user education on the negatives of signing up for these services; and to the degree that time and resources allow, assistance for users in disentangling themselves from such arrangements.

I had to request a few removals from here: https://proxycheck.io

There is at least one other service that specializes in this kind of check, but I can't remember the name off the top of my head.

*Carlos Pizarro*

On Thu, May 15, 2025 at 10:28 PM, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
I haven't been able to find any data service showing the IPs as sources for abuse, just proxy/vpn. Maybe I'm just not looking in the right places. Suggestions for places to check?
I'm usually looking at Cloudflare Radar, CrowdSec, and IP Quality Score.
Eric

On Thu, 15 May 2025, Eric C. Miller via NANOG wrote:
Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.
Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain unaffected. Each customer behind an IP is in the same subdivision.
You're getting away with 256:1 CGNAT and not having customers run out of ports?

Flagged (and presumably blocked) by who / what sorts of services/networks?

Have you done anything (SWIPs, suggestive PTRs, etc.) to indicate to outsiders that the IP blocks in question are CGNAT?

I know some VPN providers have utilized NAT for years, and some content providers (i.e. streaming services) have played a years-long game of cat & mouse / whack-a-mole trying to block these VPNs to prevent "out of region" eyeballs from accessing content they're not supposed to be permitted to see. To their algorithms, I wouldn't be surprised if VPNs using NAT and service providers using CGNAT were indistinguishable.

CGNAT is an unfortunate fact of life for many service providers in a world that's running out of v4 space but unwilling to fully (or even mostly) transition to v6...so I would hope nobody is blocking service provider CGNAT space intentionally.

----------------------------------------------------------------------
 Jon Lewis, MCP :)             |  I route
 Blue Stream Fiber, Sr. Neteng |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

"You're getting away with 256:1 CGNAT and not having customers run out of ports?"

I would like to apologize to the greater community for the hack job that I have done in the name of getting users online. 256:1 in our early networks was based on retail adoption in a community, and it quickly falls down when penetration improves. We use dynamic port allocation, so power users can get more ports from users that are lighter.

We've published our RFC8805 geofeed, and that helps with some groups like Maxmind, and we've also communicated with IP Quality Score about how we do CGNAT, but I'm not sure if they just reset their database, or if something else occurred. We had to roll CGNAT IPs for about 10,000 customers across 3 regions (CA, TX, FL) in 72 hours. We have more space now, so we're assigning space at an average ratio of 40:1.

I really don't believe that the Cat and Mouse gets "fixed" for IPv4 CGNAT. IPv6 has to be made a priority.

Eric
________________________________
From: Jon Lewis <jlewis@lewis.org>
Sent: Friday, May 16, 2025 9:46 AM
To: Eric C. Miller via NANOG <nanog@lists.nanog.org>
Cc: Eric C. Miller <eric@ericheather.com>
Subject: Re: Sudden surge in CGNAT blacklisting

On Thu, 15 May 2025, Eric C. Miller via NANOG wrote:
Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.
Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain unaffected. Each customer behind an IP is in the same subdivision.
You're getting away with 256:1 CGNAT and not having customers run out of ports?

Flagged (and presumably blocked) by who / what sorts of services/networks?

Have you done anything (SWIPs, suggestive PTRs, etc.) to indicate to outsiders that the IP blocks in question are CGNAT?

I know some VPN providers have utilized NAT for years, and some content providers (i.e. streaming services) have played a years-long game of cat & mouse / whack-a-mole trying to block these VPNs to prevent "out of region" eyeballs from accessing content they're not supposed to be permitted to see. To their algorithms, I wouldn't be surprised if VPNs using NAT and service providers using CGNAT were indistinguishable.

CGNAT is an unfortunate fact of life for many service providers in a world that's running out of v4 space but unwilling to fully (or even mostly) transition to v6...so I would hope nobody is blocking service provider CGNAT space intentionally.

----------------------------------------------------------------------
 Jon Lewis, MCP :)             |  I route
 Blue Stream Fiber, Sr. Neteng |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
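Eric's reply above mentions publishing an RFC 8805 geofeed so that geolocation and reputation vendors can see where the CGNAT pools sit. The script below is an added example of producing and sanity-checking such a feed; it is not the thread's code or the ISP's actual feed. The pool inventory, the documentation-range prefixes, and the city names are constructed, and the checks are the ones a feed consumer is likely to apply (five comma-separated fields, ISO 3166-1 alpha-2 country, ISO 3166-2 region matching the country, a valid prefix, no duplicate prefix).

```python
import csv
import io
import re
from ipaddress import ip_network

# Hypothetical pool inventory: prefix -> (country, ISO 3166-2 region, city).
# Prefixes are documentation ranges, not the ISP's real allocations.
POOLS = {
    "203.0.113.0/26": ("US", "US-CA", "Sacramento"),
    "203.0.113.64/26": ("US", "US-TX", "Austin"),
    "203.0.113.128/25": ("US", "US-FL", "Tampa"),
}

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")               # ISO 3166-1 alpha-2
REGION_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")   # ISO 3166-2 subdivision


def build_geofeed(pools):
    """Render one RFC 8805 line per pool: prefix,country,region,city,postal_code.
    The postal code is left blank: the field is optional, and a shared CGNAT
    address covers many postal codes anyway."""
    buf = io.StringIO()
    buf.write("# Geofeed (RFC 8805) for CGNAT pools; each prefix is shared by many subscribers\n")
    writer = csv.writer(buf, lineterminator="\n")
    for prefix in sorted(pools, key=ip_network):
        country, region, city = pools[prefix]
        writer.writerow([prefix, country, region, city, ""])
    return buf.getvalue()


def validate_geofeed(text):
    """Return [(line_no, problem)] for lines that fail the consumer-side checks;
    an empty list means the feed parsed cleanly."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank lines and comments are allowed
        fields = line.split(",")
        if len(fields) != 5:
            problems.append((n, "expected 5 comma-separated fields"))
            continue
        prefix, country, region, _city, _postal = fields
        try:
            net = ip_network(prefix)                   # strict: host bits must be zero
        except ValueError:
            problems.append((n, f"bad prefix {prefix!r}"))
            continue
        if country and not COUNTRY_RE.match(country):
            problems.append((n, f"country must be ISO 3166-1 alpha-2, got {country!r}"))
        if region and not REGION_RE.match(region):
            problems.append((n, f"region must be an ISO 3166-2 code, got {region!r}"))
        elif region and country and not region.startswith(country + "-"):
            problems.append((n, f"region {region} does not belong to country {country}"))
        if net in seen:
            problems.append((n, f"duplicate of line {seen[net]}"))
        seen.setdefault(net, n)
    return problems


if __name__ == "__main__":
    feed = build_geofeed(POOLS)
    print(feed)
    print("problems:", validate_geofeed(feed))
```

Publishing the file is only half the job: consumers also need to find it, so the feed URL is normally referenced from the prefix's RIR object (RFC 9092 describes the `Geofeed:` remark), and the file should be served over HTTPS from a host you control, since a stale or hijacked feed can mislocate every pool at once.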

Meanwhile, I’m still over here dying on a hill stating that CGNAT has no business in fiber to the premises deployments… and this is just additional evidence. :-)

Trying to do hacky things with CGNAT to save a buck is, IMHO, inexcusable, especially when lots of FTTP operators are now overbuilding legacy ILECs/cablecos with fiber that is typically being promoted as “superior in every way”.

If a company can spend thousands in construction costs to build to a house, hundreds per house on CPE, excessive quantities of money on marketing, $35 (and going down) per public IP on the secondary market is pennies in comparison when it comes to customer acquisition cost.

Just my opinion, nobody else’s, as someone that is no longer involved in the eyeball network business ;-)

Tim
On May 16, 2025, at 14:37, Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
"You're getting away with 256:1 CGNAT and not having customers run out of ports?"
I would like to apologize to the greater community for the hack job that I have done in the name of getting users online. 256:1 in our early networks was based on retail adoption in a community, and it quickly falls down when penetration improves. We use dynamic port allocation, so power users can get more ports from users that are lighter.
We've published our RFC8805 geofeed, and that helps with some groups like Maxmind, and we've also communicated with IP Quality Score about how we do CGNAT, but I'm not sure if they just reset their database, or if something else occurred. We had to roll CGNAT IPs for about 10,000 customers across 3 regions (CA, TX, FL) in 72 hours. We have more space now, so we're assigning space at an average ratio of 40:1.
I really don't believe that the Cat and Mouse gets "fixed" for IPv4 CGNAT. IPv6 has to be made a priority.
Eric

I definitely understand. Unfortunately, we started by rubbing nickels together, and everyone knows how expensive it is to be poor. Now we have space. We have IPv6 space, as well. Unfortunately, it often takes a crisis to get priorities in the right order.

Eric
________________________________
From: Tim Burke via NANOG <nanog@lists.nanog.org>
Sent: Friday, May 16, 2025 5:30 PM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Eric C. Miller via NANOG <nanog@lists.nanog.org>; Tim Burke <tim@mid.net>
Subject: Re: Sudden surge in CGNAT blacklisting

Meanwhile, I’m still over here dying on a hill stating that CGNAT has no business in fiber to the premises deployments… and this is just additional evidence. :-)

Trying to do hacky things with CGNAT to save a buck is, IMHO, inexcusable, especially when lots of FTTP operators are now overbuilding legacy ILECs/cablecos with fiber that is typically being promoted as “superior in every way”.

If a company can spend thousands in construction costs to build to a house, hundreds per house on CPE, excessive quantities of money on marketing, $35 (and going down) per public IP on the secondary market is pennies in comparison when it comes to customer acquisition cost.

Just my opinion, nobody else’s, as someone that is no longer involved in the eyeball network business ;-)

Tim

Totally understand and appreciate that. My statement is (mostly) centered around the companies pulling in boatloads of private equity money to build a so-called “superior service”. There are of course edge cases, and “not having the money right now” is a perfectly acceptable one!

On May 16, 2025, at 16:35, Eric C. Miller <eric@ericheather.com> wrote:
I definitely understand. Unfortunately, we started by rubbing nickels together, and everyone knows how expensive it is to be poor. Now we have space. We have IPv6 space, as well. Unfortunately, it often takes a crisis to get priorities in the right order.

Eric

On 5/16/25 17:30, Tim Burke via NANOG wrote:
Trying to do hacky things with CGNAT to save a buck is, IMHO, inexcusable, especially when lots of FTTP operators are now overbuilding legacy ILECs/cablecos with fiber that is typically being promoted as “superior in every way”.
If customers were willing to pay for it, they'd be more likely to get it. Unfortunately, getting a customer to pay more than what the incumbent LEC/MSO charges for legacy DSL/DOCSIS service is tough, and the only part of the equation that a new greenfield fiber carrier can compete on is speed since it's effectively unlimited for them.

I've taken to putting residential customers behind statically-mapped 16:1 or 32:1 CGNAT444 (with native, hardware-forwarded IPv6) by default and then just moving them to 1:1 public space upon request or for any form of repeated trouble calls that seem like they may be related to NAT in one way or another. That drastically cuts down the number of addresses necessary while keeping almost everybody (including customer support on my end) reasonably happy.

I'm trying very hard to get IPv4aaS-over-IPv6 usable so that I can make things even simpler and more transparent for my users. Sadly this has not taken off nearly as quickly as I would have liked aside from 464XLAT, which really doesn't solve the problem I care to solve (in fact, it arguably makes it worse).

I've also sadly still seen far too often CPEs and public Internet endpoints neglecting IPv6 to the extent that it performs noticeably worse than IPv4 even when the observed AS-paths are identical. This definitely does not help matters as it tends to drive end users to disable that native IPv6 that I do provide.
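Three posts in this thread turn on the same arithmetic: Jon's question of how 256:1 CGNAT avoids port exhaustion, Eric's note that dynamic port allocation lets heavy users borrow from light ones, and Brandon's statically-mapped 16:1 and 32:1 CGNAT444. The script below is an added example of the static (deterministic, RFC 7422-style) scheme; it is not code from any of those operators. It assumes an inside pool in the RFC 6598 shared range, an outside pool in the TEST-NET-3 documentation range, and that ports 1024 to 65535 are the usable budget per public address (real CGNAT platforms may reserve more, which only tightens the numbers). Besides the per-subscriber budget at each ratio, it shows the part that matters for abuse handling: with a deterministic mapping the reverse lookup from (public IP, port) to subscriber is pure arithmetic, whereas a dynamic scheme like Eric's needs a timestamped log of every block assignment to answer the same question.

```python
from ipaddress import ip_address, ip_network

# Assumed usable outside port range per pool address (0-1023 are reserved).
PORT_LOW, PORT_HIGH = 1024, 65535

# Assumed pools: inside addresses from the RFC 6598 shared range, outside
# addresses from the TEST-NET-3 documentation range. Not real allocations.
INSIDE_POOL = ip_network("100.64.0.0/16")
OUTSIDE_POOL = ip_network("203.0.113.0/24")


def ports_per_subscriber(ratio, low=PORT_LOW, high=PORT_HIGH):
    """Fixed port budget each subscriber gets when `ratio` of them share one address."""
    if ratio < 1:
        raise ValueError("ratio must be >= 1")
    return (high - low + 1) // ratio


def port_block(ratio, slot, low=PORT_LOW, high=PORT_HIGH):
    """Deterministic port block (first, last) for a subscriber's slot on its address."""
    block = ports_per_subscriber(ratio, low, high)
    if not 0 <= slot < ratio:
        raise ValueError("slot outside the sharing ratio")
    start = low + slot * block
    return start, start + block - 1


def inside_to_outside(inside_ip, inside_pool, outside_pool, ratio):
    """Map an inside address to (outside IP, first port, last port).
    Consecutive inside addresses fill one outside address before moving on."""
    idx = int(ip_address(inside_ip)) - int(inside_pool.network_address)
    if not 0 <= idx < inside_pool.num_addresses:
        raise ValueError("inside address not in pool")
    pool_index, slot = divmod(idx, ratio)
    if pool_index >= outside_pool.num_addresses:
        raise ValueError("outside pool too small for this ratio")
    first, last = port_block(ratio, slot)
    return str(outside_pool[pool_index]), first, last


def outside_to_inside(outside_ip, port, inside_pool, outside_pool, ratio):
    """Answer an abuse report: which inside address owned (outside IP, port)?
    No translation log is needed because the mapping is deterministic."""
    pool_index = int(ip_address(outside_ip)) - int(outside_pool.network_address)
    if not 0 <= pool_index < outside_pool.num_addresses:
        raise ValueError("outside address not in pool")
    block = ports_per_subscriber(ratio)
    if not PORT_LOW <= port < PORT_LOW + block * ratio:
        raise ValueError("port is outside every assigned block")
    slot = (port - PORT_LOW) // block
    return str(inside_pool[pool_index * ratio + slot])


if __name__ == "__main__":
    for ratio in (16, 32, 40, 256):
        print(f"{ratio:>3}:1 -> {ports_per_subscriber(ratio)} ports per subscriber")
    print(inside_to_outside("100.64.0.37", INSIDE_POOL, OUTSIDE_POOL, 32))
    print(outside_to_inside("203.0.113.1", 12000, INSIDE_POOL, OUTSIDE_POOL, 32))
```

At 256:1 the static budget is 252 ports per subscriber, which a single browser session with many parallel connections can exhaust; at 32:1 it is 2016 and at 16:1 it is 4032. That gap is why the static scheme is comfortable at Brandon's ratios and why anything near 256:1 has to fall back to dynamic allocation plus logging.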

On 16/05/25 23:30, Tim Burke via NANOG wrote:
Meanwhile, I’m still over here dying on a hill stating that CGNAT has no business in fiber to the premises deployments… and this is just additional evidence. :-)
Trying to do hacky things with CGNAT to save a buck is, IMHO, inexcusable, especially when lots of FTTP operators are now overbuilding legacy ILECs/cablecos with fiber that is typically being promoted as “superior in every way”.
If a company can spend thousands in construction costs to build to a house, hundreds per house on CPE, excessive quantities of money on marketing, $35 (and going down) per public IP on the secondary market is pennies in comparison when it comes to customer acquisition cost.
Just my opinion, nobody else’s, as someone that is no longer involved in the eyeball network business ;-) Tim
There are more houses in the world than IP addresses, so I am curious to hear your plan to give an IP address to every house.

There's IPv6. I wonder if all of /your/ Internet-facing services are accessible via IPv6. Globally, most aren't.

As long as there are fewer X than Y, every plan to give a unique X to each Y is just pushing the can down the road - probably to ISPs in third-world countries which nobody on this list actually cares about. I hear that some of them have on the order of 1 IP address per city.

After one IP per house, the next best distribution is for *everyone* to be behind CGNAT at a similar ratio and feel the pain equally. Maybe it will catalyze more IPv6 adoption.

I remember reading about setting specific prefixes as residential; maybe that was via geofeed or whois comments. Also, it seems like you basically need a separate AS for broadband customers if you do any type of hosting or colocation, as it will likely get flagged as VPN.

On Thu, May 15, 2025 at 12:34 PM Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:
Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating our migration to our ARIN space, but it's still odd why it's all of a sudden.
Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain unaffected. Each customer behind an IP is in the same subdivision.
Eric
participants (10)
- Barry Greene
- Brandon Martin
- Carlos Pizarro
- Dobbins, Roland
- Eric C. Miller
- Jon Lewis
- nanog@immibis.com
- Scott Fisher
- Tim Burke
- TJ Trout