[cbhl]

Carrier NAT has lots of bad consequences.

It means that NAT-punching may stop working (because there may be two or three levels of it).

It makes fraud detection harder.

Plus, it's error prone -- once in a while, you'll get data that happens to look like your IP address, and you'll find that you can't send that precise sequence of bits in a packet ever because it'll get mangled by the NAT.

[tjgq]

> once in a while, you'll get data that happens to look like your IP address, and you'll find that you can't send that precise sequence of bits in a packet ever because it'll get mangled by the NAT

How so? Those bits should only matter to the NAT logic if they are found in their expected position in the IP header, not in the payload portion of the datagram.

[0x0]

Some cheap NAT devices rewrites stuff that "looks like" the internal IP addresses inside the TCP payload, in a hackish attempt to "fix" things like FTP and other protocols that send addresses in the payload. A really stupid and dangerous way to do things, but it's been known to happen.

[tjgq]

Crazy. Has that been observed in carrier-grade NAT boxes, though? Or only in el-cheapo residential devices? It seems an incredible risk to the carriers to do things that way.

[otterley]

It also breaks IP-to-geography mapping.