ISPs more likely to throttle CGNAT traffic: Cloudflare
"once the world started to run out of IPv4 addresses, engineers devised network address translation (NAT) so that multiple devices can share a single IPv4 address. NAT can handle tens of thousands of devices, but carriers typically operate many more. Internetworking wonks therefore developed Carrier-Grade NAT (CGNAT), which can handle over 100 devices per IPv4 address and scale to serve millions of users."
"CGNATs also create significant operational fallout stemming from the fact that hundreds or even thousands of clients can appear to originate from a single IP address," wrote Cloudflare researchers Vasilis Giotsas and Marwan Fayed. "This means an IP-based security system may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT engaging in malicious activity." "Blocking the shared IP therefore penalizes many innocent users along with the abuser."
Historically skewed IPv4 allocations left many countries with small public address pools, prompting the development of network address translation (NAT) to let multiple devices share a single IPv4 address. Carrier-Grade NAT (CGNAT) multiplexes over a hundred devices per address and can scale to serve millions of subscribers. Carriers with limited IPv4 resources, particularly in parts of Africa and Asia, rely heavily on CGNAT. IP-based security controls, blocklists and rate-limiting typically assume a one-to-one IP-to-user relationship. When hundreds or thousands of clients share an IP, a single abuser can trigger blocking or throttling that affects many innocent users.
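The collateral effect described above, as an added example that is not from the Cloudflare research or the original article: a fixed-window rate limiter keyed only on source IP, run over constructed traffic once with one address per subscriber and once with everyone behind a single CGNAT address. The limit, window, addresses and subscriber names are assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed policy: fixed 60 s window
MAX_REQUESTS = 20    # assumed policy: 20 requests per source IP per window

def build_events(shared_ip):
    """Constructed traffic as (time_s, source_ip, subscriber) tuples.

    shared_ip=True puts the abuser and three ordinary subscribers behind one
    CGNAT address; False gives every subscriber its own public address.
    """
    cgnat = "198.51.100.7"  # documentation-range address, constructed
    own = {"abuser": "203.0.113.1", "alice": "203.0.113.2",
           "bob": "203.0.113.3", "carol": "203.0.113.4"}

    def ip_of(who):
        return cgnat if shared_ip else own[who]

    # Abuser: one request per second for a minute.
    events = [(float(t), ip_of("abuser"), "abuser") for t in range(60)]
    # Ordinary subscribers: one request every 15 seconds each.
    for offset, who in enumerate(["alice", "bob", "carol"], start=1):
        events += [(t + 0.5, ip_of(who), who) for t in range(offset, 60, 15)]
    return sorted(events)

def denied_per_subscriber(events):
    """Apply the per-IP limiter and count denied requests per subscriber.

    The limiter only ever sees the source IP. The subscriber label is ground
    truth kept by the simulation to score who was actually affected.
    """
    counts = defaultdict(int)  # (source_ip, window index) -> requests seen
    denied = defaultdict(int)
    for t, ip, who in events:
        key = (ip, int(t // WINDOW_SECONDS))
        counts[key] += 1
        if counts[key] > MAX_REQUESTS:
            denied[who] += 1
    return dict(denied)

def collateral(denied):
    """Denied requests that belonged to subscribers other than the abuser."""
    return sum(n for who, n in denied.items() if who != "abuser")

if __name__ == "__main__":
    for shared in (False, True):
        d = denied_per_subscriber(build_events(shared))
        label = "shared CGNAT IP" if shared else "one IP per subscriber"
        print(f"{label}: denied={d} collateral={collateral(d)}")
```

With one address per subscriber only the abuser is throttled; behind the shared address the abuser exhausts the budget in the first 17 seconds and every later request from the other three subscribers is denied.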
Read at The Register