Home / Blogs

Limitations of Carrier Grade NAT, and Some Workarounds

Brough Turner

Qtel, the largest carrier in Qatar (and nearly the only Internet provider) appears to connect all their users (~600K) to the Internet through just one or a very few public IPv4 addresses. 82.148.97.69 was their single public address in 2006-2007. How can network address translation (NAT) put all those users through just one IP address?

Well, both UDP and TCP include 16-bit port numbers, so for each IP address there are 2**16 = 65,536 unique IP address/TCP port number combinations which can support network address translation (NAT) for more than 65K simultaneous connections. Of course, individual browser sessions may open multiple connections so each on-line user can tie up several such connections, even several dozen.

But there are more unique fields that come into play. On the Internet side of the NAT, each active IP session has five fields of interest: source IP address, source port, protocol, destination address; destination port. So you can use the same source address and port number for multiple independent sessions if the sessions are going to different destinations or using different protocols. With this approach, one public IP address can clearly support millions and millions of connections.

But what if most of your users are trying to reach just a few destination addresses? That's a problem Qtel had (or at least their users had) when accessing Wikipedia in 2006.

One obvious solution is to devote more than one public IP address for the whole country! Indeed, if a few hundred people are attempting to access the same address simultaneously, then having a few hundred IP addresses (for the whole country!) would do it. Of course, if the destination IP address is that of Google's search bar, you might need more than a few hundred IP addresses.

There is another path, one which Geoff Huston alludes to in a recent article on the IPv6 transition.

… we may expect to see a push to re-architect content into Content Distribution Networks that have points of presence in major access networks.

Today, major content distribution networks (CDNs) like Akamai, Amazon Cloudfront, Limelight and Google each maintain thousands of servers close to the edges of the Internet. These servers cache popular content close to where the users are.

When many, many users in Qatar simultaneously try to access the same content, the load on Qtel's NAT boxes could be dramatically reduced by putting the appropriate CDN's caching servers within Qtel's private address space. Then requests for popular content wouldn't even go through the NAT, reducing total traffic and dramatically reducing the occasions when two users are going through the NAT to the same public IP address.

It's not in line with the Internet's original end-to-end design, but as IPv4 addresses get more expensive, we can expect to see more and more use of NAT and CDN servers moving into carriers' private address domains.

By Brough Turner, Founder & CTO at netBlazr
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Workaround for a workaround? Marcel Doe  –  Oct 04, 2011 8:19 AM PDT

Brough, I'm missing the point of the article I'm afraid. Are you proposing a workaround (CDNs) for a workaround (NAT)? Wouldn't it be easier, cheaper, faster, more scalable, more sensible to just use IPv6? Or for the time of being, buy a few more IPv4 addresses? Cash is not an issue in Qatar.

If you take the way of thinking in your article a little further, we end up with the solution of putting the internet on a DVD and handing it out to every internet user, so we just need 127.0.0.1 for 6 billion people.

Marcel, I'm not advocating either carrier grade Brough Turner  –  Oct 04, 2011 9:01 AM PDT

Marcel, I'm not advocating either carrier grade NAT or CDNs within local NAT address spaces, but I'm suggesting we will see them. Yes, IPv6 would solve the problem, but after 17 years of discussion and 14 years since the first IPv6 RFC (2460 in 1998) we're left with a lumpy migration path that most enterprises cannot justify investing in.  So we will see CG-NAT, CDNs and who knows what else for years to come.

In any event, I wrote this post on my personal blog when I stumbled on the Qtel situation and was bemused. I wasn't expecting it to be republished here - but I don't mind. :)

To post comments, please login or create an account.

Related

Topics

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign