» ISP News » 

Europol Calls on Internet Providers to End CGNAT IP Address Sharing

Tuesday, October 17th, 2017 (1:55 pm) - Score 5,421

Europol, which helps the 28 member states of the EU (inc. UK) to fight serious international crime and terrorism, has called on broadband and mobile providers to end the use of Carrier Grade NAT (CGN) in order to “increase accountability online” and stop people “sharing the same IP address as a criminal.

Generally everybody needs an Internet Protocol (IP) address to go online and your ISP is responsible for assigning one to your connection (it’s the internet equivalent of a phone number). Most fixed line ISPs tend to use Dynamic IP addresses for domestic connectivity, which changes each time your broadband link is disconnected and isn’t shared with other subscribers (not at the same time you’re using it).

Some providers will also allow you to take a Static IP address, which remains the same no matter how many times you switch the connection on and off (usually more of a premium / business feature). However the shift from the old IPv4 (ran out of spare addresses) to newer IPv6 addressing system has caused some providers, which don’t have a large stockpile of IPv4s, to adopt Carrier Grade Network Address Translation (CGN).

CGNAT enables a single IP address to be shared between many users and is thus seen by some ISPs as a useful solution for IPv4 shortages (e.g. Hyperoptic use it and BT / other ISPs have toyed with it), at least until IPv6 is fully implemented (this will take years). Now there are many reasons to dislike CGNAT, most of which stem from the fact that it can disrupt certain internet services, such as those that expect each individual to have their own IP.

For example, CGNAT can cause connectivity problems for some multiplayer games and it may also prevent a login to other services, such as if two users are trying to connect from the same IP (security check). Likewise if an online survey restricts votes by IP address then you could find yourself excluded if somebody votes from the same address. Similarly if another user with your IP is banned from a service.. you get the picture.

However we should say that a properly maintained and well configure CGNAT setup can still work quite well and often you won’t even know it exists. Never the less Europol and the Estonian Presidency of the EU Council are concerned that CGNAT can also disrupt the ability of law enforcement to correctly identify criminals.

Rob Wainwright, Europol’s Executive Director, said:

“CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime.

It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90% of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers.

On behalf of the European law enforcement community Europol is grateful to the Estonian Presidency of the EU Council for actively exploring ways to address this urgent problem with stakeholders in the EU and industry.”

Europol states that the number of subscribers sharing a single IP has increased in recent years (in some cases thousands of users can share one address) and it has thus become “technically impossible” for ISPs to comply with legal orders to identify individual subscribers. This is relevant as in criminal investigations an IP address is “often the only information that can link a crime to an individual” (this seems to ignore the merits of traditional evidence gathering).

The EU policing agency also fears that CGNAT “may lead to innocent individuals being wrongly investigated by law enforcement because they share their IP address with several thousand others – potentially including criminals.” Admittedly there is a certain irony to this, not least with respect to new laws that seek to cast IP addresses as “personal information” (despite them being so unreliable at accurately identifying a specific person).

However simply calling for an “end” to CGNAT seems to overlook one of the key reasons why the technology exists. How do Europol propose to solve the issue of IPv4 address shortages for those with CGN? An ISP can’t adopt a native IPv6-only network, not until such time as the vast majority of internet connected hardware and software is ready for it (this is not going to happen for a long time), otherwise a big chunk of the online world would become inaccessible.

Europol are consulting “industry experts” (Proximus, CISCO, ISOC, the IPv6 Company etc.) in order to try and find a solution. One option is a Voluntary Code of Conduct for ISPs to reduce the use of CGNs, while another “solution” might involve ISPs being required to log source port numbers or the possibility to adopt regulations to increase IPv6 deployment. The latter would be more productive but upgrading the industry is only half the battle; you can’t leave end-users with old IPv4-only systems isolated (until recently a lot of modern hardware and software still shipped as IPv4-only).

At least the hunt for a solution to such a tedious issue should be very entertaining.

Leave a Comment
14 Responses
  1. Avatar Simon Lockhart says:

    Those of us running CGNAT responsibly are logging NAT translations to allow for trace-back of offending traffic. However, this depends on law enforcement agencies providing us with not just the IP address but also the source port. This information is easily logged by content providers, they just choose not to (because it wasn’t necessary in the past). With source IP, source port and accurate timestamp, we can tell you exactly which of our subscribers generated the traffic.

    As you suggest at the end of your article, the problem here isn’t the access providers, it’s the content (and other similar servce) providers.

    1. Avatar Mrs Slocombe says:

      Apologies, a pedantic point: Identify Which account generated the traffic not the person using the account at the time the traffic was generated. An important distinction.

  2. Avatar wireless pacman says:

    Why don’t they just lock up the muppets who dreamt up IPv6 20 odd years ago but failed to enforce a switch over whilst the Internet was still very young? 🙂

    Oh, and keep them locked up for making sure by design that IPv6 was not backwards compatible!

    1. Mark Jackson Mark Jackson says:

      If you delve into the history of this then you’ll soon see why there would be no easy fix for the backwards compatibility problem, even if you simply adopted IPv4 to handle a wider range (note: this would merely push the problem further down the road rather than solve it and you’d still have compatibility issues).

      In this case it’s not so much the fault of those who dreamt up IPv6 as the fact that at the time too many were ignorant of it, including key regulators and politicians (many still are). Heck 20 years ago most people in the UK hadn’t even heard of the internet.

  3. Avatar Mike says:

    And they wonder why we’re leaving…

    1. Mark Jackson Mark Jackson says:

      The UK government and security services have raised similar concerns in the recent past.

    2. Avatar CarlT says:

      The UK plans to remain in Europol regardless of the Brexit talks but, facts, who needs them?

  4. Avatar Marcus says:

    CGNAT (or the lack of it) is why I use Three Mobile for my 4G based backup to ADSL / FTTC lines.

    Three, with the right APN, allows you to have a real routable IP address (for no extra fee). All the other ISPs either charge much much more for this or simply do not offer it.

    I don’t like CGNAT as it prevents outside initial contact of services on my IP address for example hosted websites or VOIP connections.

    1. Avatar Jonathan says:

      Would you mind sharing the APN? I’ve added a Huawei router into my network and connected it up via pfSense but it’s currently got an EE SIM in and they use CGNAT so the IP isn’t routable. I’d can switch to a Three SIM if certain APN’s allow routing.

  5. Avatar David Holder says:

    Back in 2013 I was the lead technical author for an Ofcom report on CGN entitled Report on the Implications of Carrier Grade Network Translators (http://www.ipv6consultancy.com/ipv6blog/?p=83). One big concern, out of many that we had, was the significant implications for legal intercept, auditing and forensics. If you want a quick overview, then you might be interested in my recent presentation on CGN at the North American IPv6 Task Force (NAv6TF) earlier this year. It can be found here: https://www.youtube.com/watch?v=fbk4H6EmZzI

  6. Avatar Ross Chandler says:

    The only way they’ll get less CGN is with more IPv6 deployment end to end.

  7. Avatar Clark Gaylord says:

    I think it’s imperative that we don’t refer to IPv6 as a future technology. For the foreseeable future the internet will be dual stack but IPv6 itself is completely here and working and deployed. As a major research university, we are finding frequently over half our wide area and in some cases over three-quarter of internal traffic is IPv6. Consider that Google, Facebook, Netflix, and many other major services are already available on the current generation of the internet, and a Windows domain will happily work quite well without any legacy addressing at all.

    We need to stop apologizing for network professionals burying their head in the sand and deliver the message: if you are not deploying IPv6, you are being irresponsible.

    We needn’t qualify it with the version number: the current version number of the internet protocol is 6. If you still require the use of legacy IP, it will likely continue to be supported for several years as well.

    1. Mark Jackson Mark Jackson says:

      No reference is made to IPv6 being a “future” technology in the article, but there is a logical reference to the fact that complete adoption could take years (i.e. the point where everybody has IPv6 and so all IPv4 can be switched off). Otherwise you’d risk leaving a huge chunk of the internet closed off to masses of people and businesses or networks who cannot communicate via IPv6-only yet. In the meantime IPv4 and CGNAT will still have a role.

    2. Avatar spurple says:

      @Mark Jackson

      I Think Clark means that there is no excuse for not being Dual-Stack at this time, as more and more big players are becoming dual-stack.

      The apologies we make on behalf of IPv4 must in some way be enabling the complacency of many organisations to roll out IPv6 (a-hem, Virgin Media etc).

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • TalkTalk £21.00 (*29.95)
    Avg. Speed 38Mbps, Unlimited
    Gift: None
  • Vodafone £21.50
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Plusnet £21.99 (*36.52)
    Avg. Speed 36Mbps, Unlimited
    Gift: £50 Reward Card
  • NOW TV £22.00 (*40.00)
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £22.00
    Avg. Speed 50Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. FTTP (2889)
  2. BT (2818)
  3. FTTC (1809)
  4. Building Digital UK (1770)
  5. Politics (1707)
  6. Openreach (1659)
  7. Business (1485)
  8. FTTH (1343)
  9. Mobile Broadband (1274)
  10. Statistics (1270)
  11. 4G (1099)
  12. Fibre Optic (1081)
  13. Wireless Internet (1044)
  14. Ofcom Regulation (1040)
  15. Virgin Media (1034)
  16. EE (727)
  17. Vodafone (702)
  18. TalkTalk (688)
  19. Sky Broadband (684)
  20. 5G (562)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact