There Goes the Neighborhood: The DDoS Disadvantages of Carrier Grade NAT

In the early days of the Internet, computer scientists created the standard for Internet Protocol addresses, known as IPv4. They predicted that it would accommodate all the future Internet addresses that would ever be needed around the world. Unfortunately, as we have known for over two decades now, their prediction turned out to be incorrect; the number of devices connected to the Internet exploded and, despite best efforts, the world officially exhausted its supply of IPv4 addresses in late November of 2019.

The problem was actually recognized back in 1998, when a draft standard for version 6 of the IP protocol (IPv6) was created, with enough addresses to accommodate well over a billion billion Internet-connected devices. However, this didn’t stop creative Internet engineers from spending the next two decades squeezing every last drop of value from the remaining IPv4 address space; in fact, it took until 2017 for the IETF Network Working Group to elevate IPv6 to a full Internet Standard. The challenge for Internet Service Providers (ISPs) was the time, money and upheaval required to enable their entire infrastructure to support IPv6. This led ISPs to adopt Carrier-Grade Network Address Translation (CGNAT), so that they could keep using their allocated IPv4 address space publicly on the Internet while keeping their costs under control. As this became increasingly challenging, the Internet Engineering Task Force (IETF) also published a specification for An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition.

CGNAT was a welcome arrival, as it enabled ISPs to stretch their limited IPv4 addresses to support anywhere from hundreds to tens of thousands of end-user customers. The ISPs just had to create an intermediate private network: each customer’s modem or router is configured with a private IP address and, when the customer accesses the Internet, the CGNAT device translates their traffic to a shared public IP address.

Perfect solution, right? Well, not exactly. For one thing, it poses some cybersecurity and law enforcement challenges, which we won’t delve into here. But in practical terms, it means that some (not all) ISP customers (residences or businesses) who share an IPv4 address may run into problems with anything beyond basic Web browsing or email, such as providing Internet connectivity to multiple devices like printers or servers. In another example, a gaming provider may not support shared IPv4 addresses, stopping users from accessing multi-player games.

Increased Collateral Damage from DDoS Attacks

CGNAT creates other, less obvious problems. When one IP address in a shared network is hit by a volumetric Distributed Denial of Service (DDoS) attack, it can take down a “whole neighborhood,” so to speak: the attack may appear small and sub-saturating to the ISP, but every customer behind that shared address can still suffer service degradation or damaging downtime. ISPs must seriously consider protecting their CGNAT intermediate networks from DDoS attacks.
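As an added illustration, not code from the original post, the following Python models the "neighborhood" effect: it maps constructed per-public-IP inbound counters onto a constructed CGNAT pool and reports, for each shared address, how the traffic looks against the ISP uplink versus the access capacity behind that address, and how many subscribers are affected. All addresses, counter values and capacities are assumed.

```python
from collections import defaultdict

# Constructed CGNAT pool: each shared public IPv4 -> the subscriber CPE
# addresses (RFC 6598 100.64.0.0/10 space) translated to it. Assumed values.
CGNAT_POOL = {
    "203.0.113.10": ["100.64.0.1", "100.64.0.2", "100.64.0.3", "100.64.0.4"],
    "203.0.113.11": ["100.64.1.1", "100.64.1.2"],
    "203.0.113.12": ["100.64.2.1"],   # effectively a 1:1 mapping
}

# Constructed one-second inbound byte counters per public address, as a
# flow exporter at the ISP edge might report them. Assumed values.
SAMPLE_COUNTERS = [
    ("203.0.113.10", 250_000_000),   # 2.0 Gbit/s of unsolicited traffic
    ("203.0.113.11", 12_500_000),    # 0.1 Gbit/s, normal load
    ("203.0.113.12", 187_500_000),   # 1.5 Gbit/s aimed at a single subscriber
]

ISP_UPLINK_BPS = 10_000_000_000      # 10 Gbit/s edge link (assumed)
SHARED_ACCESS_BPS = 1_000_000_000    # 1 Gbit/s behind each shared IP (assumed)


def inbound_rate_bps(counters):
    """Sum one-second byte counters per public IP and convert to bit/s."""
    totals = defaultdict(int)
    for public_ip, byte_count in counters:
        totals[public_ip] += byte_count * 8
    return dict(totals)


def assess_blast_radius(rates, pool, uplink_bps, access_bps):
    """Compare each public IP's inbound rate with the ISP uplink (what the
    ISP sees) and with the access capacity behind that IP (what subscribers
    feel); count the subscribers sharing a saturated address."""
    report = {}
    for public_ip, bps in rates.items():
        subscribers = pool.get(public_ip, [])
        saturated = bps >= access_bps
        report[public_ip] = {
            "rate_gbps": bps / 1e9,
            "uplink_share": bps / uplink_bps,
            "access_saturated": saturated,
            "affected_subscribers": len(subscribers) if saturated else 0,
        }
    return report


if __name__ == "__main__":
    rates = inbound_rate_bps(SAMPLE_COUNTERS)
    for ip, row in assess_blast_radius(rates, CGNAT_POOL, ISP_UPLINK_BPS,
                                       SHARED_ACCESS_BPS).items():
        print(ip, row)
```

In the constructed data, the 2 Gbit/s flood is only 20% of the uplink, so it looks sub-saturating at the ISP edge, yet it saturates the access capacity behind 203.0.113.10 and takes four subscribers down with it, while the same class of attack on the 1:1-mapped address affects one.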

What can businesses and their ISPs do, without IPv6?

Businesses that are concerned about optimal Internet connectivity should find out whether their ISP supports native IPv6 or is using CGNAT. Increasingly, ISPs are able to offer dedicated IPv6 addresses upon request. However, regardless of whether an ISP offers IPv6 or IPv4 addresses, it is still at risk from DDoS attacks unless it has effective DDoS defenses that cover both versions. And the risk of collateral damage and broader SLA claims is greater for carriers using NAT, because an attack on one IPv4 address will impact all the customers who share that address. ISPs can, and should, remove the risk of collateral DDoS damage by investing in real-time, always-on, automated DDoS protection that detects and blocks attacks of all types, sizes and durations, without resulting in downtime or the need for operator intervention.

Corero Network Security is a global leader in real-time, high-performance, automatic DDoS defense solutions. Corero’s industry-leading SmartWall and SecureWatch technology protects on-premise, cloud, virtual and hybrid environments with a scalable solution that delivers a more cost-effective economic model than ever before. If you’d like to learn more about Corero’s flexible deployment models, please contact us.