Thu Jan 17 23:21:28 UTC 2013

On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard <Lee at> wrote:
> On 1/17/13 9:54 AM, "William Herrin" <bill at> wrote:
>>On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives at> wrote:
>>> The people on this list have an influence in how the Internet runs, hope
>>> somebody smart can figure how we can avoid going there, because that
>>> is frustrating and unfun.
>>"Free network-based firewall to be installed next month. OPT OUT HERE
>>if you don't want it."
> I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
> work a little, you have to enable full-cone NAT, which means as long as
> you're connected to anything on IPv4, anyone can reach you (and for a
> timeout period after that).  And most CGN wireline deployments will have
> some kind of bulk port assignment, so the same ports always go to the same
> users.  NAT != security, and if you try to make it, you will lose more
> customers than I predicted.

Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the "DSL router" implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant.

>>It's not a hard problem. There are yet plenty of IPv4 addresses to go
>>around for all the people who actually care whether or not they're
>>behind a NAT.
> I doubt that very much, and look forward to your analysis supporting that
> statement.

If you have the data I'll be happy to crunch it but I'm afraid I'll
have to leave the data collection to someone who is paid to do that
very exhaustive work.

Nevertheless, I'll be happy to document my assumptions and show you
where they lead.

I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
Vonage and Netflix variety who are basically not impacted by NAT.

I assume that 75% or more of the IPv4 addresses which are employed in
any use (not sitting idle) are employed by eyeball customers. Verizon
Wireless has - remind me - how many /8's compared to, say, Google?

If you count from the explosion of interest in the Internet in 1995 to
now, it took 18 years to consume all the IPv4 addresses. Call it
consumption of 1/18th of the address space per year.

From my assumption, 25% of the addresses are consumed by non-eyeball
customers who will continue consuming them at 1/(18*4)= 1/72 of the
address space per year. Assuming that server ops still need that many
addresses when acquiring them is not so close to free.

From my assumptions 75% * 0.9 = 67.5% of the addresses are currently
consumed by eyeball customers who can convert to NAT. Match the
previous paragraph's math at 49/72's of the address space recoverable
at some cost that while not trivial is also not exorbitant.

Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1
in 10 needs a global address that slows to 3/720's.

13/720's per year consumes 490/720's after 37 years.

37 years.

So, where am I wrong? Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

Is the current use pattern more like 50/50 between server users and
eyeball users? That'd cut things closer to a decade and a half but
what data I've glanced at from CAIDA, ARIN and the like doesn't seem
to support a belief that eyeballs aren't the major direct user of IPv4.

Perhaps consumption is accelerating, but a lot of that has been
low-key hoarding during the past 5 years or so. Even with accelerating
consumption we're still looking at a couple decades before we have to
really scrape for IPv4 addresses.

Perhaps I fouled the math itself. I've been known to miscarry a 1. All
the same, the sky doesn't seem to be falling.
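The back-of-envelope model from the message above, written out as an added example that is not part of the original thread. It reproduces the 13/720-per-year consumption figure and the roughly 37-year horizon from the stated assumptions, and lets the alternative scenarios the message asks about (1 in 5 customers wanting a global address, a 50/50 server/eyeball split) be plugged in. The function name and the exact-fraction bookkeeping are mine; the message's "49/72 recoverable" is a rounding of the 27/40 the model yields.

```python
from fractions import Fraction

def ipv4_horizon(eyeball_share, nat_tolerant, years_to_exhaust=18):
    """Years of IPv4 supply freed by moving eyeballs behind NAT.

    eyeball_share    fraction of in-use addresses held by eyeball customers
                     (the message assumes 3/4)
    nat_tolerant     fraction of eyeballs who are fine behind NAT
                     (the message assumes 9/10, i.e. 1 in 10 want a global IP)
    years_to_exhaust years the whole space took to consume (1995 to 2013 = 18),
                     so the historical burn rate is 1/years_to_exhaust per year

    Returns (recoverable_fraction, annual_consumption, years).
    All arithmetic is exact so the fractions can be compared with the text.
    """
    eyeball_share = Fraction(eyeball_share)
    nat_tolerant = Fraction(nat_tolerant)
    base_rate = Fraction(1, years_to_exhaust)

    server_share = 1 - eyeball_share
    # Addresses that eyeballs could hand back by going behind NAT.
    recoverable = eyeball_share * nat_tolerant
    # Servers keep burning at their historical share; eyeballs only for the
    # minority who still insist on a global address.
    annual = base_rate * (server_share + eyeball_share * (1 - nat_tolerant))
    return recoverable, annual, recoverable / annual

if __name__ == "__main__":
    # Scenarios named in the message (all constructed from its stated assumptions).
    scenarios = {
        "message baseline (3/4 eyeballs, 1 in 10 want global)": (Fraction(3, 4), Fraction(9, 10)),
        "1 in 5 want a global address": (Fraction(3, 4), Fraction(4, 5)),
        "50/50 server vs eyeball split": (Fraction(1, 2), Fraction(9, 10)),
    }
    for label, (share, tolerant) in scenarios.items():
        rec, per_year, years = ipv4_horizon(share, tolerant)
        print(f"{label}: recoverable {rec}, burn {per_year}/yr, ~{float(years):.1f} years")
```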

