by JPDeckers 1768 days ago
Problem with CGNAT is the costs involved in bookkeeping for law enforcement.

Where an IPv4 solution for your clients only needs change-logging at the IP-binding-to-client level, CG-NAT requires you as an ISP to log every outgoing IPv4/port combination, with timestamp, to client mapping.

Which requires A LOT more storage and much more expensive equipment.

Going rate per IPv4 is up to $40 nowadays, so selling off your v4 block might not be cost-efficient.

5 comments

Disclaimer: I work with this stuff and might be a little biased to certain vendor solutions.

Good CGNAT implementations have support for static blocks: the subscriber always ends up at a specific IP number + port block combination. (Each subscriber is assigned a specific number of exit ports and this is all just logged once during startup, so you always know where each subscriber ends up.)

Should they run out of their assigned port block, there are pools which you can borrow from (these then need to be logged: who borrowed at what time, etc.). So all in all there is less logging than when everything was dynamic.

And law enforcement inquiries barely contain source port information, or precise time. Most of them go like: who had this IP in $this-two-weeks-window. No source port, no destination IP/port.
"We don't have the ability to determine a specific subscriber based on the information provided" and close the request.
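The static-block scheme described a few comments up (one fixed IP + port block per subscriber, logged once at startup, plus a borrow pool whose use is logged with timestamps) and the port-less "who had this IP in this window" query that follows from it can both be modelled in a few dozen lines. The following is an added illustration, not code from this thread or from any vendor's CGNAT product; the block size of 2048 ports, the reserve of one pool block per public address, integer timestamps and the RFC 5737 documentation addresses are all assumptions chosen for the example.

```python
"""Toy deterministic CGNAT port-block model (illustrative only; not a vendor implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_MIN = 1024   # assumption: ports below 1024 are never handed to subscribers
PORT_MAX = 65535


@dataclass(frozen=True)
class Block:
    public_ip: str
    port_lo: int
    port_hi: int  # inclusive

    def covers(self, ip: str, port: int) -> bool:
        return ip == self.public_ip and self.port_lo <= port <= self.port_hi


class DeterministicCgn:
    def __init__(self, public_ips: List[str], subscribers: int,
                 ports_per_subscriber: int = 2048, reserve_per_ip: int = 1):
        blocks_per_ip = (PORT_MAX - PORT_MIN + 1) // ports_per_subscriber
        static_per_ip = blocks_per_ip - reserve_per_ip
        if subscribers > static_per_ip * len(public_ips):
            raise ValueError("not enough public addresses for static assignment")
        self.static: Dict[int, Block] = {}
        self.pool: List[Block] = []
        # Audit log: static assignments produce exactly one entry each, at startup.
        self.log: List[Tuple[int, str, int, Block]] = []
        # Borrow records: (t_start, t_end or None while active, subscriber, block).
        self.borrows: List[Tuple[int, Optional[int], int, Block]] = []
        # Static block is a pure function of the subscriber index: no per-flow state.
        for sub in range(subscribers):
            ip = public_ips[sub // static_per_ip]
            lo = PORT_MIN + (sub % static_per_ip) * ports_per_subscriber
            self.static[sub] = Block(ip, lo, lo + ports_per_subscriber - 1)
            self.log.append((0, "static", sub, self.static[sub]))
        # The reserved blocks at the top of every address form the overflow pool.
        for ip in public_ips:
            for i in range(static_per_ip, blocks_per_ip):
                lo = PORT_MIN + i * ports_per_subscriber
                self.pool.append(Block(ip, lo, lo + ports_per_subscriber - 1))

    def borrow(self, sub: int, t: int) -> Block:
        """Subscriber exhausted its static block: hand out a pool block and log it."""
        if not self.pool:
            raise RuntimeError("overflow pool exhausted")
        blk = self.pool.pop(0)
        self.borrows.append((t, None, sub, blk))
        self.log.append((t, "borrow", sub, blk))
        return blk

    def release(self, sub: int, blk: Block, t: int) -> None:
        for i, (t0, t1, s, b) in enumerate(self.borrows):
            if s == sub and b == blk and t1 is None:
                self.borrows[i] = (t0, t, s, b)
                self.pool.append(blk)
                self.log.append((t, "release", sub, blk))
                return
        raise KeyError("no active borrow for that subscriber/block")

    def lookup(self, ip: str, port: int, t: int) -> Optional[int]:
        """Full query (public IP, source port, time) resolves to exactly one subscriber."""
        for sub, blk in self.static.items():
            if blk.covers(ip, port):
                return sub
        for t0, t1, sub, blk in self.borrows:
            if blk.covers(ip, port) and t0 <= t and (t1 is None or t < t1):
                return sub
        return None

    def subscribers_on_ip(self, ip: str, t_from: int, t_to: int) -> Set[int]:
        """Port-less query ("who had this IP in this window"): everyone who could have."""
        subs = {s for s, b in self.static.items() if b.public_ip == ip}
        for t0, t1, sub, blk in self.borrows:
            end = t1 if t1 is not None else float("inf")
            if blk.public_ip == ip and t0 <= t_to and end > t_from:
                subs.add(sub)
        return subs


if __name__ == "__main__":
    # Constructed scenario: two documentation addresses, fifty subscribers.
    cgn = DeterministicCgn(["203.0.113.1", "203.0.113.2"], subscribers=50)
    print("startup log entries:", len(cgn.log))
    blk = cgn.borrow(40, t=10)
    print("port 62500 on .1 at t=12 ->", cgn.lookup("203.0.113.1", 62500, 12))
    cgn.release(40, blk, t=20)
    print("candidates for .1 without a port:", len(cgn.subscribers_on_ip("203.0.113.1", 0, 100)))
```

Two things the model makes concrete. The static side needs one log record per subscriber for the lifetime of the assignment and zero per-connection records, which is where the storage saving comes from. The port-less request, on the other hand, can only ever return the whole set of subscribers who shared that address in the window; the lookup becomes unambiguous only when the requester supplies the source port and a time that falls inside a single static or borrow interval.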
This is not how most of these laws work. As an ISP, you are required to have this bookkeeping, and are audited for it in (most) countries.

Usually, the law has specific procedures about how this information is requested, which responsibilities lie with which party, and how long the response time for such a request should be.

When starting (or already being) an ISP, you already know what kind of system you need to build that matches all these requirements by law. Simply saying "we do not have the required information" wouldn't work, because the law has very specific details about the requested information.*

* This is in a European country, so no clue if this is applicable to the US.

In my European country the law very specifically tells ISPs what to record. It doesn't require them to produce any conclusions or other data, so if you ask for a subscriber name without enough details (port and destination in this example), the response I gave is totally legal. I have in fact seen that kind of thing happen, and compliance departments tend to favor exactly this: do what the letter of the law says, not a byte more, unless a court orders them. The risk otherwise is that you're illegally violating the privacy of a customer just to please some law enforcement agency.

As a follow-up the agency, with the right court order, could get all the raw connection records and try to figure it out themselves. But if you don't know the exact time and (source IP, port, destination IP, port) combination you're not going to figure it out in a network with large scale NAT.

That will just lead to a whole lot of "we don't have that information" or, alternatively, "all of these 10000 people used that, have fun!"
And isn't that the privacy we all would really enjoy? :D
The "I'm Spartacus!" of torrenting

(For those who haven't heard the reference https://www.youtube.com/watch?v=FKCmyiljKo0#t=0m40s )

Anything that makes mass surveillance more expensive is a plus in my book.
Whilst I don't necessarily disagree with the sentiment, all the costs an ISP might incur will almost certainly be passed on to the consumer. We're paying to be surveilled in many different ways.
I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

If CGNAT keeps scaling, these IP limiters need to phase out.

> If CGNAT keeps scaling, these IP limiters need to phase out.

This problem would be easy to solve, if only there were some way for a website operator to phase out CGNAT and see a user's 128-bit IP address instead...

> I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

The association between IP and user/endpoint is changing, especially with the advent of Apple’s Private Relay, other privacy-protecting proxies, and increased CGNAT.

Website & hosting providers will have to adapt, but right now we’re certainly in a transition state.

> Where an IPv4 solution for your clients only needs change-logging at the IP-binding-to-client level, CG-NAT requires you as an ISP to log every outgoing IPv4/port combination, with timestamp, to client mapping.

Why does each individual connection have to get a port from the global allocator, rather than any of the pooling or hierarchical techniques that high performance memory allocators use?

The allocators already use pooling, but there are only so many source ports to choose from.
Even better idea: don't keep those logs in the first place. Tell LE you have nothing for them.