Cloudflare Research Highlights Throttling Issues for Users on Carrier-Grade NAT

Cloudflare recently released research indicating that internet service providers (ISPs) are more likely to throttle connections of users who access the internet through Carrier-Grade NAT (CGNAT). This issue disproportionately affects individuals in regions with limited allocations of IPv4 addresses, such as parts of Africa and Asia.

The study outlines the origins of CGNAT, which was developed as a solution when the availability of IPv4 addresses began to dwindle. This technology allows multiple devices to share a single IPv4 address, accommodating vast numbers of users. While CGNAT is beneficial for ISPs, it can lead to significant operational challenges. As noted by researchers Vasilis Giotsas and Marwan Fayed, “hundreds or even thousands of clients can appear to originate from a single IP address.” Consequently, if one user engages in malicious behavior, entire groups may be unfairly penalized.

Traditional methods for mitigating abuse, such as blocklisting or rate-limiting, assume a one-to-one correspondence between IP addresses and users. However, with CGNAT's architecture, this assumption fails, resulting in many innocent users being affected when a shared IP address is blocked. The researchers assert that “CGNAT is a likely unseen source of bias on the Internet,” particularly in developing areas where the user-to-IP ratio is skewed.

To investigate the extent of this issue, the researchers employed various techniques including traceroute, WHOIS, and reverse DNS pointer records to identify CGNAT implementations. Their analysis produced a dataset containing over 200,000 CGNAT IP addresses, alongside data on VPNs and proxies. Through this dataset, they found that traffic from CGNAT IPs is subject to throttling at a significantly higher rate compared to non-CGNAT IPs, despite the former often originating from legitimate human users.
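As an added illustration (not code from the Cloudflare study), the Python sketch below shows how traceroute and reverse DNS evidence of the kind described above could be combined to flag likely CGNAT addresses before a per-IP block or rate limit is applied. The specific heuristics, the PTR keyword pattern, the function names and the sample observations are assumptions constructed for this example; WHOIS is not covered.

```python
import ipaddress
import re

# RFC 6598 shared address space, reserved for carrier-grade NAT deployments.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; beyond the home gateway they suggest a second NAT layer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed PTR naming hints; real operator naming conventions vary widely.
PTR_HINT = re.compile(r"(?:^|[.\-_])(?:cgn|cgnat|lsn|nat)\d*(?:[.\-_]|$)", re.I)

def cgnat_signals(hops, ptr_name):
    """Return evidence that a client's public IP sits behind CGNAT.

    hops: traceroute hop addresses from the client outward; hops[0] is the
    home gateway and None marks an unanswered hop.
    ptr_name: reverse DNS name of the public IP, or None.
    """
    signals = []
    for idx, hop in enumerate(hops):
        if hop is None:
            continue
        addr = ipaddress.ip_address(hop)
        if addr in CGN_SHARED:
            signals.append(f"hop {idx + 1} in 100.64.0.0/10")
        elif idx >= 1 and any(addr in net for net in RFC1918):
            # Weaker signal: could also be a second router inside the home.
            signals.append(f"hop {idx + 1} private after gateway")
    if ptr_name and PTR_HINT.search(ptr_name):
        signals.append("ptr name hint")
    return signals

# Constructed observations using documentation address ranges (RFC 5737).
SAMPLES = {
    "203.0.113.50": (["192.168.1.1", "100.72.0.1", None, "198.51.100.1"],
                     "cgnat-pool-12.example.net"),
    "203.0.113.60": (["192.168.0.1", "10.20.0.1", "198.51.100.9"], None),
    "203.0.113.7": (["192.168.1.1", "203.0.113.1"],
                    "static-203-0-113-7.example.net"),
}

def candidates(samples):
    """Public IPs with at least one CGNAT signal, to be handled as shared."""
    return sorted(ip for ip, (hops, ptr) in samples.items()
                  if cgnat_signals(hops, ptr))

if __name__ == "__main__":
    for ip, (hops, ptr) in SAMPLES.items():
        print(ip, cgnat_signals(hops, ptr))
```

Addresses returned by `candidates` are ones where a defender would prefer per-session or per-account signals over an IP-wide block.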

The findings point to a critical need for accurate detection of CGNAT IP addresses to minimize negative impacts on network operations and ensure fairness in security applications. The researchers encourage ISPs utilizing CGNAT to collaborate in addressing these challenges and to work towards solutions that do not introduce bias.

Moreover, the researchers highlight that transitioning to IPv6 could eliminate many of these complications, as CGNAT was intended as a temporary workaround. The persistence of CGNAT usage today underscores the adage that “nothing is more permanent than a temporary solution.”