mcpherrinm | 4 months ago
Previously discussed (a bit) at https://news.ycombinator.com/item?id=45746509
protocolture | 4 months ago
1. Add an IP that has been freed from another use to a CG-NAT Pool.
2. Get complaints from customers about being hard banned from things like Netflix, Sport Streaming and VPNs or other utilities.
3. Investigate, no IP reputation issues. Find some random GeoIP database that has a side business in selling lists of VPNs or other geo breakout tools. They have listed this IP for some random reason. Almost never nefarious.
4. Give it 3 weeks for the GeoIP nard to update from the wrong classification (harmful) to some kind of also wrong but unharmful classification like "Datacentre".
5. Customers can stream The Witcher again. Yay.
Really, while IPv6 should be a solution here, another very good solution would be the removal of such useless middlemen from the face of the earth.
7bit | 4 months ago
As someone who read all the books and played the third game: people should totally be banned from watching Netflix's Witcher.
On a more serious note, I used GeoIP when it was free and it was a godsend to reduce malicious connection attempts to my webserver without impacting 99 % of my "clients" (not paying customers).
These kinds of services *are* helpful. Whether you should rely on them when you have millions of customers is a different story altogether.
kotaKat | 4 months ago
Having to troubleshoot things like Playstation Network bans ("or is it a ban?") behind CGNAT is an interesting adventure that typically leads nowhere.
lxgr | 4 months ago
Isn’t essentially the entire US on CG-NAT for IPv4 on mobile data?
I’ve also had DOCSIS connections, i.e., fixed lines, with only CG-NAT in Europe years ago.
mcpherrinm | 4 months ago
throw0101a | 4 months ago
T-Mobile, for one, has had their handsets IPv6-only for a few years, so if your Android/iOS does a DNS lookup and gets an AAAA record back, it will skip CG-NAT. T-Mobile presenting at NANOG in 2018 on IPv6:
* https://www.youtube.com/watch?v=d6oBCYHzrTA
And Rocky Mountain IPv6 Taskforce in 2017:
* https://www.youtube.com/watch?v=nNMNglk_CvE
Further data:
> Chances are if you use the Internet on your smartphone, you are connecting via IPv6. According to the Internet Society’s 2018 State of IPv6 Deployment,[1] 80% of smartphones in the US on the major cellular network operators use IPv6 and major mobile networks are driving IPv6 adoption with Verizon Wireless at 84%, Sprint at 70%, T-Mobile USA at 93%, and AT&T Wireless at 57%. Plus, some mobile networks are taking the step to run IPv6-only to simplify network operations and reduce costs.
* https://www.arin.net/blog/2020/01/16/mobile-edge-of-the-inte...
Though some folks aren't happy with the implementation:
> But from my own experience, neither T-Mobile nor AT&T allows inbound traffic to the phone's IPv6 address. This negates some of the advantages of having a globally routable IPv6 address.
* https://isc.sans.edu/diary/27814
vitorgrs | 4 months ago
Basically only one single ISP doesn't use CGNAT...
Would be interesting if Cloudflare could give this info!
unknown | 4 months ago
[deleted]
0134340 | 4 months ago
userbinator | 4 months ago
winstonwinston | 4 months ago
I've had IPv4 CG-NAT on mobile LTE since ever, and for a decade on residential cable in Europe. Cloudflare is being lazy, Google too. I get served "Captchas" at least 10 times a day.
Even when I have IPv6 assigned, iOS and macOS seem to prefer A TXT RR and proceed just using IPv4 almost always. On LAN, mDNS link-local IPv6 is always preferred.
daft_pink | 4 months ago
They need to come up with an IP solution that is useful enough that people actually want to upgrade to it.
When you compare it to other technologies like HTTPS, TLS 1.3, Unicode, 5G cellular, Wi-Fi 6, Wi-Fi 5 or Bluetooth versions, etc., it's clear that IPv6 adoption is not what it should be if they launched a protocol with clearer benefits to the end user.
throw0101a | 4 months ago
The "end user" has no idea about TLS 1.3 or many other things. It's the techies that work behind the scenes that make the changes 'on behalf' of everyone else.
And IPv6 traffic is, according to Google, the majority of traffic it sees in many countries (including the US at >52%):
* https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...
The 'real' holdouts are enterprise companies and corporate networks as evidenced by the fact that IPv6 usage goes up on weekends (i.e., when most people aren't at work on said corporate networks). See also:
> Chances are if you use the Internet on your smartphone, you are connecting via IPv6. According to the Internet Society’s 2018 State of IPv6 Deployment,[1] 80% of smartphones in the US on the major cellular network operators use IPv6 and major mobile networks are driving IPv6 adoption with Verizon Wireless at 84%, Sprint at 70%, T-Mobile USA at 93%, and AT&T Wireless at 57%. Plus, some mobile networks are taking the step to run IPv6-only to simplify network operations and reduce costs.
* https://www.arin.net/blog/2020/01/16/mobile-edge-of-the-inte...
Being able to connect your smartphone to the Internet seems like a clear benefit to the end user IMHO. Would hate to see what every mobile phone being behind CG-NAT would be like.
ronsor | 4 months ago
What exactly would replace IPv6? It's just an implementation detail, but an important one if you want to make the rest of the stack suck less.
theamk | 4 months ago
Yeah, IPv6 is heavily tuned to the needs of the large-scale network operators, and is actively worse for the regular user and small networks.
From a user/small admin standpoint, the goal is to re-use as much admin knowledge as possible - and what's on the wire does not really matter. So the ideal IPv4 upgrade _for users_ is IPv4 with larger addresses, but otherwise behaving identically. Ideally all the admin tooling stays the same, and the software needs changing some struct names and tweaking an IP regex. And sure, it'll all be different on the wire and all the OSes need to be upgraded - but that is not a problem, consumer OSes live only for a few years anyway.
From a large network operator standpoint, the goal is to improve the efficiency of huge networks. So let's eliminate NAT everywhere, completely redo host addressing, get rid of DHCP, and so on - redesign everything from scratch so it's "better". Sure, it's a huge learning curve, but they have departments full of network engineers, they can do it. They are not some part-time sysadmins who just want their network to keep functioning.
Havoc | 4 months ago
If you're on non-CG-NAT it's likely a pretty high-end connection.
chrismorgan | 4 months ago
I grew up in Australia, have spent a fair bit of time in India for over a decade, and now live in India (1⅓ years).
Every ISP that I have experienced, mobile and broadband, is using CGNAT. The easiest way I've seen this on broadband is https://iknowwhatyoudownload.com/ showing several movie downloads per day.
Cloudflare isn’t the only problem, but they are the worst, probably by dint of popularity. I get blocked outright occasionally (presented dishonestly as because my request matched attack patterns due to things like SQL injection in query string parameters, when I’m actually just trying to load any regular page), and blocked with hCAPTCHA frequently (normally presented dishonestly with their stock page as “example.com needs to review the security of your connection before proceeding”, though a few like blender.org customise it). It’s draining.
In Cloudflare’s actual article, they claim their bot detection to be resilient to CGNAT <https://blog.cloudflare.com/detecting-cgn-to-reduce-collater...>. Frankly, if it is so, I wonder if they just have a rule that amounts to “is user in India”. I definitely feel prejudged and discriminated against. I am idly curious if leasing a static IP from my ISP would help anything, in the short or long term.
In Australia, I think I experienced Cloudflare’s blocking page once in my life, and no others.
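Two technical points in this thread lend themselves to a concrete check: throw0101a's note that a host which gets an AAAA answer back can bypass CG-NAT entirely, and chrismorgan's observation that CGNAT is hard to see from the inside. The script below is an added example, not code from any commenter or from Cloudflare; it classifies addresses into the ranges that matter here (RFC 1918 private space, the RFC 6598 shared space 100.64.0.0/10 that carriers use for CG-NAT, IPv6 link-local, ULA and global unicast) and flags a CG-NAT situation by comparing the address on your router's WAN side with the address a remote service reports seeing. All sample addresses are constructed from documentation ranges; the `wan_addr`/`observed_addr` inputs are assumptions you would supply from your own router and from an external "what is my IP" lookup.

```python
import ipaddress

# RFC 6598 shared address space: reserved for carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (home routers, double NAT).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 scopes relevant to the discussion above.
V6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")
V6_ULA = ipaddress.ip_network("fc00::/7")
V6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify(addr_str):
    """Return a short label for where an address sits in the address space.

    Explicit prefix checks are used instead of ipaddress.is_global so that
    documentation prefixes (203.0.113.0/24, 2001:db8::/32) used in the
    constructed samples below classify the same way real addresses would.
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        if addr.is_loopback:
            return "loopback"
        if addr in CGNAT_SPACE:
            return "cgnat-shared"
        if any(addr in net for net in RFC1918):
            return "private-rfc1918"
        return "global"
    if addr.is_loopback:
        return "loopback"
    if addr in V6_LINK_LOCAL:
        return "link-local"
    if addr in V6_ULA:
        return "ula"
    if addr in V6_GLOBAL_UNICAST:
        return "global"
    return "other"


def behind_cgnat(wan_addr, observed_addr):
    """Decide whether an IPv4 connection is behind carrier-grade NAT.

    wan_addr      - the address the router reports on its WAN interface
                    (assumed to be read from the router; a constructed
                    value in the test data below).
    observed_addr - the address a remote server says it saw the request
                    come from (assumed to come from an external lookup).
    Returns (bool, reason).
    """
    wan_kind = classify(wan_addr)
    if wan_kind == "cgnat-shared":
        return True, "WAN address is in 100.64.0.0/10 (RFC 6598 shared space)"
    if wan_kind == "private-rfc1918":
        return True, "WAN address is RFC 1918: upstream NAT (CG-NAT or double NAT)"
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(observed_addr):
        return True, "remote side saw a different address: upstream translation"
    return False, "WAN address is public and matches what the remote side saw"


def pick_destination(resolved):
    """Given resolved addresses for a name, prefer a global IPv6 address.

    This mirrors the point that an AAAA answer lets an IPv6-enabled handset
    skip the carrier's IPv4 CG-NAT path. Returns (address, skips_cgnat).
    """
    for a in resolved:
        if classify(a) == "global" and ipaddress.ip_address(a).version == 6:
            return a, True
    for a in resolved:
        if ipaddress.ip_address(a).version == 4:
            return a, False
    return None, False


if __name__ == "__main__":
    # Constructed sample inputs: a carrier-NATed phone and a plain public line.
    for wan, seen in [("100.64.12.7", "203.0.113.9"), ("203.0.113.9", "203.0.113.9")]:
        print(wan, "->", behind_cgnat(wan, seen))
    # Constructed DNS answer with both an AAAA and an A record.
    print(pick_destination(["203.0.113.80", "2001:db8:1::80"]))
```

Run it as-is to see the two constructed cases; in practice you would replace the WAN value with what your router shows and the observed value with what an external lookup returns. A WAN address inside 100.64.0.0/10 is the definitive sign of CG-NAT; a public WAN address that still differs from what the remote side sees points at translation further upstream.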
protocolture | 4 months ago
> Every ISP that I have experienced, mobile and broadband, is using CGNAT. The easiest way I've seen this on broadband is https://iknowwhatyoudownload.com/ showing several movie downloads per day.
From memory, APNIC was handing out a /22 to every new member, then a /23, then a /23 worth. Now it asks you to submit a plan on how you would allocate a /23 if you received those IPs.
gruez | 4 months ago
> and blocked with hCAPTCHA frequently (normally presented dishonestly with their stock page as "example.com needs to review the security of your connection before proceeding"
Isn't that from Cloudflare, not hCaptcha?
xacky | 4 months ago
bethekidyouwant | 4 months ago
mrbluecoat | 4 months ago