What is Carrier Grade NAT (CGN/CGNAT)?
Carrier Grade Network Address Translation (CGN or CGNAT), also known as Large Scale NAT (LSN), is an extension of traditional Network Address Translation (NAT) technologies for large scale networks and Internet Service Providers (ISPs). CGN provides a solution to relieve IPv4 exhaustion and is an integral part of IPv6 migration. The adoption of Carrier Grade NAT is mainly due to the ability to share a global (public) IP address among multiple remote sites.
Network Address Translation technology appeared soon after Internet usage exploded in the early 1990s. The Internet Protocol (IP) version 4 addressing scheme was not designed to scale, and IP address depletion became a serious issue. About this time, both IP version 6 (IPv6) and NAT appeared as solutions to this dilemma.
NAT provides a translation technology which allows multiple end customers to use common and overlapping private address ranges internally. Any number of end customers can use the same private address ranges. To route to external Internet IP addresses, NAT translates private IP addresses to public IP addresses. Each customer could be provided a single public IP address or a small range of them to support hundreds to thousands of internal machines.
This technology is commonly referred to as NAT44, for Network Address Translation from IPv4 to IPv4 addresses. The diagram below shows a simplified view of a NAT Customer Premises Equipment (CPE) gateway translating private addresses to public addresses.
NAT deployments reduced the problem of IPv4 address depletion, though the expansion of the Internet continued to accelerate.
NAT deployments soon expanded beyond business networks to other network customers, including home and mobile networks. Each customer CPE required a public IP address, and IPv4 address depletion became dire. Internet Service Providers required a technology to stretch the limited pool of public IP addresses.
Carrier Grade NAT
CGN was developed to allow Internet Service Providers to use public IP addresses to support ever more end customers.
Standard NAT or NAT44 translates Private to Public IP addresses. One major function of CGN is NAT444. NAT444 translates Private to Private IP addresses, then to Public IP addresses. ISPs using CGN were able to replace Public IP addresses with Private IP addresses on customer’s CPE devices. This allows multiple customer networks to share a common Public IP address.
The diagram below shows three customer networks using private IP addresses on the Internet facing network ports. The NAT444 (Private, Private, Public) feature of CGN allows multiple end customers to share a single Public IP Address.
With CGN, Internet Service Providers, Carriers and Mobile Network Providers can provide services to large groups of customers. This is why CGN is often called Large-Scale NAT (LSN).
NAT64 is a technology that lets IPv6-only clients access legacy IPv4-only content. The NAT64 device mediates the client’s DNS requests (using DNS64) and synthesizes an IPv6 DNS response if the name has no native IPv6 record. The NAT64 then mediates between the IPv4-only web server and the IPv6-only client.
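The DNS64 synthesis step described above, as an added example (not code from the original page or from A10): the resolver embeds the IPv4 address from the A record into the low 32 bits of a /96 NAT64 prefix and hands the result back as an AAAA record. The well-known prefix 64:ff9b::/96 is used here; a provider may configure its own network-specific prefix instead. The sample names and addresses are constructed.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052). A provider may substitute a network-specific /96.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the last 32 bits of a /96 NAT64 prefix (DNS64 AAAA synthesis)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Inverse operation performed by the NAT64 translator: recover the IPv4 destination."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("not a NAT64-synthesized address")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records, aaaa_records):
    """Return the AAAA set an IPv6-only client receives from a DNS64 resolver:
    the name's real AAAA records when it has any, otherwise synthesized ones."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a) for a in a_records]


if __name__ == "__main__":
    # Constructed records: an IPv4-only site (no AAAA) and a dual-stack site.
    print(dns64_answer(["192.0.2.1"], []))                      # synthesized
    print(dns64_answer(["192.0.2.2"], ["2001:db8::2"]))         # real AAAA kept
    print(extract_ipv4("64:ff9b::c000:201"))                    # translator side
```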
For more information about the IPv6 transition for carriers, refer to the Internet Engineering Task Force (IETF) specification An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition.
IP was originally designed with an “End-to-End Principle for Networking”. Application protocols often expect to communicate directly without intermediate systems modifying the packet headers or payload. NAT clearly modifies packet headers, the IP addresses at the very least. Other protocols attempt to make reverse connections on alternate ports.
NAT breaks these protocols. Some of the more common protocols are:
- SIP (VOIP)
- IRC (Chat)
- IPsec VPNs
Application Level Gateway (ALG) is a technology developed to solve these problems. An ALG understands these protocols at the application layer and modifies the packet headers and payload so that the translated traffic still conforms to the protocol.
Other network issues not managed by standard NAT are:
- Transparent connectivity (EIM/EIF)
CGN provides transparent NAT connectivity for a device with features such as Endpoint Independent Mapping (EIM), Endpoint Independent Filtering (EIF), and Hairpinning. Traditional NAT implementations do not allow any traffic that is initiated from the outside (EIM, EIF), or for inside protocols to loop their traffic back to the inside (Hairpinning).
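To make the three behaviours in the preceding paragraph concrete, here is an added simulation (not code from the original page or from A10) of a NAT mapping table that can be switched between endpoint-independent and endpoint-dependent mapping and filtering, with hairpinning on or off. Addresses are constructed from the RFC 5737 documentation ranges; the port numbering scheme is an assumption made for readability.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed public address of the NAT


@dataclass
class Nat:
    eim: bool        # endpoint-independent mapping: one external port per internal endpoint
    eif: bool        # endpoint-independent filtering: any remote peer may use that mapping
    hairpin: bool    # internal hosts may reach each other via their public mappings
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # key -> external port
    owners: dict = field(default_factory=dict)    # external port -> internal (ip, port)
    allowed: dict = field(default_factory=dict)   # external port -> {remote (ip, port)}

    def outbound(self, src, dst):
        """Translate an outbound packet; returns the (public_ip, port) it leaves with."""
        key = src if self.eim else (src, dst)   # non-EIM: new mapping per destination
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.owners[self.next_port] = src
            self.allowed[self.next_port] = set()
            self.next_port += 1
        ext_port = self.mappings[key]
        self.allowed[ext_port].add(dst)         # remember peers this mapping has talked to
        return (PUBLIC_IP, ext_port)

    def inbound(self, peer, ext_port):
        """Deliver a packet from `peer` to our public port; returns internal endpoint or None."""
        if ext_port not in self.owners:
            return None                         # no mapping at all: dropped
        if not self.eif and peer not in self.allowed[ext_port]:
            return None                         # endpoint-dependent filtering: unknown peer
        return self.owners[ext_port]

    def internal_to_public(self, src, dst_public):
        """Internal host sends to the PUBLIC mapping of another internal host (hairpin)."""
        if dst_public[0] != PUBLIC_IP or not self.hairpin:
            return None
        ext_src = self.outbound(src, dst_public)   # translate as if leaving the NAT
        return self.inbound(ext_src, dst_public[1])  # then loop it back inside


def demo():
    a, b = ("10.0.0.5", 5000), ("10.0.0.6", 6000)
    peer1, peer2, stranger = ("198.51.100.1", 3478), ("198.51.100.2", 3478), ("198.51.100.3", 9)
    results = {}
    for name, nat in (("cgn", Nat(True, True, True)), ("legacy", Nat(False, False, False))):
        p1 = nat.outbound(a, peer1)
        p2 = nat.outbound(a, peer2)
        results[name] = {
            "same_mapping_for_both_peers": p1 == p2,
            "unsolicited_inbound_delivered": nat.inbound(stranger, p1[1]) == a,
            "hairpin_delivered": nat.internal_to_public(b, p1) == a,
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The `legacy` row of `demo()` shows the traditional behaviour the paragraph describes: a fresh mapping per destination, unsolicited inbound traffic dropped, and no loop-back; the `cgn` row shows all three transparency features enabled.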
Application Level Gateway and CGN
CGN performs the same NAT functions as standard NAT, so it causes the same network protocol problems; ALG is therefore a critical function of any CGN solution.
Carrier Requirements for Carrier Grade NAT
Carrier networks, business enterprises and ISPs require capabilities which are not as critical in end-customer and home networks. Carrier infrastructures have high-end requirements for performance, reliability and manageability.
- Performance – CGN solutions must support millions of simultaneous network connections.
- Scale-out – Carrier solutions must be able to scale dynamically, adding throughput without interrupting existing network traffic.
- High-Availability – Solutions require 24/7 uptime, without downtime for component failures or upgrades.
- Central Management – Solutions must integrate with various central network management and DevOps infrastructures through advanced RESTful API capabilities.
- Advanced Logging – Because the local private IP address is not visible to the public Internet, logging is another major aspect of CGN that has to be considered. Every device that connects to the Internet produces a multitude of sessions, and tracking all of them produces a vast volume of log messages. A CGN device must provide advanced techniques that help reduce the volume of logs, such as Port Batching, Zero-Logging, compact logging and others.
Additional Service Provider Requirements
Internet Service Providers and Mobile Network Providers have additional requirements to support vast numbers of subscribers and an incredibly complex network infrastructure.
- Subscriber Awareness – A complete CGN solution provides visibility into the data flows of each network subscriber. This is required to deliver the paid services that correspond to the service levels purchased by each subscriber.
- User Quotas – Another important aspect of CGN is the ability for an administrator to limit the number of TCP and UDP ports that can be used by a single subscriber. This is crucial in order to maintain fairness in sharing port resources among subscribers. Botnets used in Distributed Denial of Service (DDoS) attacks open a large number of connections per end device, which rapidly depletes port availability. If left unregulated, the overall connectivity of other subscribers can easily be compromised by external individuals.
How A10 Networks Can Help
A10 has many customers worldwide that have successfully deployed CGN as part of their IPv6 migration strategy. For example, a deployment at one of the nation’s largest mobile carriers uses A10’s CGN solution to maintain IPv4 connectivity for the ever-growing mobile and smartphone market. The A10 devices provide a feature-rich CGN solution and superior high availability through active session synchronization.
The A10 devices leave the competition behind with a large number of supported features and superior processing power, while being extremely cost-efficient (typically 10x to 100x less per-subscriber cost versus traditional network vendors). A single A10 device provides more power than multiple hyper-expensive, chassis-based processing cards that are part of large networking vendors’ NAT solutions.
More features and more power out of the box means A10’s CGN solution can fit in and adapt to any growing network. The A10 devices can be easily clustered together, combining the processing power in a way that is easy to administer.