Carrier Grade NAT
Network Address Translation (NAT) is a technology that has been used for a long time and by now has a ubiquitous presence in firewalls and Internet gateways. Carrier Grade NAT (CGN), also known as Large Scale NAT (LSN) is now becoming the new standard. Initially, traditional NAT was used for translating the address ranges between two networks. In the last decade, NAT has been used for virtually every household or enterprise connection, as part of a home Internet router. The main contribution to NAT's popularity is the ability to share a global (public) IP address among multiple local (private) IP addresses. IP addresses have become increasingly scarce over the last decade; ISPs would only hand out one IP address per home subscriber. The depletion has gotten even worse recently: In 2011, the Internet Assigned Numbers Authority (IANA) issued the last remaining /8 address blocks to the Regional Internet Registries (RIR). NAT can help in alleviating the IPv4 address shortage by oversubscribing the remaining global IP addresses.
The problem with NAT is that it breaks the end-to-end principle of networking. Applications such as peer-to-peer (P2P), VoIP, video streaming, tunneling or any application that uses IP addresses in the payload, suffer from this. NAT behavior is not fully standardized among network equipment vendors, though there are IETF RFCs that help make a NAT more transparent and deterministic.
Evolution to CGN
Carrier Grade NAT (CGN/CGNAT), also known as Large Scale NAT (LSN), is the next level for NAT implementations; it aims to provide a solution for Internet Service Providers (ISPs) and carriers, but also is a good replacement for NAT devices in an enterprise network. CGN enables these organizations to deliver transparent IPv4 connectivity and a seamless user experience while oversubscribing their limited global IPv4 addresses. Carriers can assign local (private) IPv4 addresses in their access network, and use a centralized device to manage the address translation to the global (public) Internet. This setup has one level of NAT, and is also referred to as NAT44. CPE NAT devices create a second translation layer; this setup is also referred to as NAT444.
- Transparent connectivity (EIM/EIF)
- User Quotas
CGN provides the most transparent NAT connectivity for a device because it has features such as Endpoint Independent Mapping (EIM), Endpoint Independent Filtering (EIF) and Hairpinning. Traditional NAT implementations do not allow any traffic that is initiated from the outside (EIM, EIF), or for inside protocols to loop their traffic back to the inside (Hairpinning).
Another important aspect of CGN is the ability for an administrator to limit the amount of TCP and UDP ports that can be used by a single subscriber. This is crucial in order to maintain fairness in sharing port resources among subscribers. "Botnets" used in Distributed Denial of Service (DDoS) attacks use a large amount of connections per end device, which rapidly depletes port availability. If left unregulated, the overall connectivity for other subscribers can easily be compromised by external individuals.
While CGN provides the most transparent NAT connectivity, some protocols require special consideration, for example they may use separate control and data IP/port combinations in their communications, which have to be translated. An Application Layer Gateway (ALG) provides deep-packet inspection to identify and allow correct NAT traversal for these applications.
Because the local private IP address is not shown to the public Internet, logs are another major aspect of CGN that have to be considered. All devices that connect to the Internet produce a multitude of sessions. Tracking all sessions produces a vast amount of log messages. A CGN device must provide various advanced techniques that help reducing the volume of logs, such as Port Batching, Zero-Logging, compact logging and others.
CGN is designed for larger scale global IP address oversubscription, while providing the most transparent connectivity for a user. This means it is not only a solution for ISPs and carriers, but for enterprises as well. This is why LSN and CGN are terms that are often used interchangeably. The industry is gravitating towards the term CGN. Typically, CGN devices handle large amounts of concurrent connections, and high bandwidth throughput. Note that when a NAT device (such as a firewall or legacy load balancer) claims to be carrier grade because it is able to handle large volumes of traffic, does not mean it is a Carrier Grade NAT device, as some vendors try to make their customers believe.
CGN Use Cases
A10 has many customers worldwide that have successfully deployed CGN as part of their IPv6 migration strategy. For example, a deployment at one of the nation's largest mobile carriers uses A10's CGN solution to maintain IPv4 connectivity for the ever growing mobile and smartphone market. The A10 devices provide a feature-rich CGN solution, and superior High Availability (HA) because of active session synchronization. This means that all active sessions remain intact if a single A10 device were to lose its power, for example. The A10 devices leave the competition behind with large number of features supported, superior processing power, while being extremely cost-efficient (typically 10x to 100x less per subscriber cost versus traditional network vendors). One single A10 device provides more power than multiple hyper-expensive, chassis-based processing cards that are part of large networking vendor's NAT solutions. More features and more power out of the box means A10's CGN solution can fit in and adapt to any growing network. The A10 devices can be easily clustered together, combining the processing power in a way that is easy to administer.