# Privacy concerns over CGNAT?



## Francisco (May 1, 2014)

While replying to I realized there was a topic we were missing in all of this IPocalypse - privacy concerns over CGNAT.

Is there anyone here that is behind CGNAT? I'm really curious what VPN platforms still work with it.

I'd assume that IPSEC is completely out of the picture, same with pretty much any tunneling platform.

What does everyone have planned in the off chance they get CGNAT'd? OpenVPN'ing to a VPS I guess?

I mostly see providers in North America only moving their cheapest plans (aimed at light 'net users) behind CGNAT, and most other plans on a dedicated. Then again, I can see companies like AT&T & Verizon forcing people to get a business plan if they want that.

Francisco


----------



## wlanboy (May 1, 2014)

We are already NATed all around the world.

Mobile connections, land lines, DSL, all our private internet connections are behind NAT.

Currently my private LAN is NATed and then my internet connection is NATed too until it reaches the real internet.

Carrier-grade NAT will just add an additional layer of it.

Privacy is only one topic on the list of bad things that happen with CGNAT:


- Scalability: Heck, yet another layer to enforce quality of service bills
- Reliability: Hopefully the NAT machines handle the load well
- Sense: If any service has to be provided you still need a routable IP, or do we then have to pay for open ports?

I use VPN on all hotel/airport and visited company WLANs, just to be sure that I am not visible with their IP address.

It is not about hiding myself - I am paying for my VPS so it is not about privacy at all - but about not using an IP where someone else might have done bad things.

And of course that they cannot sniff or try to do MITM attacks.


----------



## manacit (May 1, 2014)

Personally I have no issue with ISPs bringing out CGNAT *on an opt out basis* for their customers. Obviously, I want my own address, but my parents sure as hell don't need one, nor do lots of casual internet users.

Comcast/Verizon/AT&T could save millions of addresses by doing this, and take a lot of the pressure for the last scramble from ARIN.


----------



## William (May 1, 2014)

If you want to test something - I have a Three Austria SIM, the largest CGNAT in Europe.

(everyone in NAT, at any time, even if you buy an external static IP)


----------



## Francisco (May 1, 2014)

wlanboy said:


> We are already NATed all around the world.
> 
> Mobile connections, land lines, DSL, all our private internet connections are behind NAT.
> 
> ...


If you have NAT on your WAN then CGNAT won't do much minus renumber you into the CGNAT designated /10.



William said:


> If you want to test something - I have a Three Austria SIM, the largest CGNAT in Europe.
> 
> (everyone in NAT, at any time, even if you buy an external static IP)


Is this a mobile network? A lot of mobile networks have some form of NAT in place already.


----------



## willie (May 1, 2014)

I'm wondering what the CGNAT privacy issues are that don't exist for ordinary ISP-supplied ipv4.  Is it just that connections from the same ipv4 address x.y.z.w could be coming from multiple people?  That may actually help their privacy rather than impair it.

I'm rather more concerned about ARIN demanding more and more identifying info about VPS/VPN customers, as mentioned in the linked thread.

I'm also wondering about the impending death of network neutrality and whether it means something more insidious than a cost for speed tradeoff.  The usual criticism is that small companies may have to pay more than big companies to run fast web sites.  Right now as we on vpsboard all know, most small businesses can run perfectly good web sites on $5/month vps's or shared hosting, but they instead pay maybe 10x that much to run on EC2.  They are perfectly aware of cheaper options but $50/month is just of no concern to any ongoing business in reasonable health.  So I wonder if deneutralization might really involve ipv4 exhaustion and transfer of ipv4 space to the big guys.

Another issue is that if you want fast delivery you may be forced to use a CDN with access to the "good" bandwidth.  Cost and monopoly issues aside, the way you serve SSL pages over a CDN is that the SSL endpoint is on the CDN's servers and they get the traffic back to you through other means.  This means the CDN sees the plaintext and may have to turn it over to 3-letter agencies without your knowledge.  Right now that's a trade-off you can make by choosing between reasonable options, the convenient CDN if your traffic is less sensitive, or a more annoying DIY route if you have sensitive traffic that you don't want to expose.  But if we're headed to a situation where the only way to deliver good end-user performance is to go through a monopoly CDN, that messes up privacy as well as shovelling money to rentiers. 

Does that make any sense?  Maybe I'm imagining things.


----------



## rds100 (May 1, 2014)

@willie when every customer has a real IP if some random user does something bad, like upload child porn or hack the NSA, the ISP can easily map the IP to the user.

When using NAT, this is not easy. So the big ISP HAS TO log all the traffic to be able to identify the guilty user in such cases. There goes your privacy, all your traffic is logged.


----------



## willie (May 1, 2014)

rds100 said:


> @willie when every customer has a real IP if some random user does something bad, like upload child porn or hack the NSA, the ISP can easily map the IP to the user.
> 
> When using NAT, this is not easy. So the big ISP HAS TO log all the traffic to be able to identify the guilty user in such cases. There goes your privacy, all your traffic is logged.


Wouldn't they have to just log the mapping between NATted port numbers and users?  Is it that hard?  Corporate firewalls already do that.
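As an added illustration of the two points raised above (a shared public address is ambiguous on its own, and attribution through a CGNAT needs only the mapping records, not payload), here is a small lookup over a constructed translation log. This is editor-supplied example code, not anything posted in the thread; the log entries, the subscriber identifiers and the field names are invented, and the inside addresses are drawn from the 100.64.0.0/10 shared address space (RFC 6598) that Francisco refers to as the CGNAT /10.

```python
"""Lookup over a constructed CGNAT translation log (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# RFC 6598 shared address space: what subscribers see on the inside of a CGNAT.
CGNAT_SPACE = ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Translation:
    subscriber_id: str        # ISP-internal subscriber reference (invented)
    inside_ip: str            # subscriber-side address, expected in 100.64.0.0/10
    outside_ip: str           # shared public address
    outside_port: int         # public source port assigned by the NAT
    start: datetime           # when the mapping was created
    end: Optional[datetime]   # when it was torn down; None means still active

    def __post_init__(self) -> None:
        # Sanity check: a CGNAT mapping record should carry a shared-space inside address.
        if ip_address(self.inside_ip) not in CGNAT_SPACE:
            raise ValueError(f"{self.inside_ip} is not in {CGNAT_SPACE}")


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC; all log times are assumed to be UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample log: three subscribers share one public address, and
# public port 40001 is handed to a second subscriber after the first mapping ends.
LOG: List[Translation] = [
    Translation("sub-0001", "100.64.1.10", "203.0.113.5", 40001,
                ts("2014-05-01T10:00:00"), ts("2014-05-01T10:05:00")),
    Translation("sub-0002", "100.64.7.22", "203.0.113.5", 40002,
                ts("2014-05-01T10:01:00"), None),
    Translation("sub-0003", "100.64.3.9", "203.0.113.5", 40001,
                ts("2014-05-01T10:06:00"), ts("2014-05-01T10:20:00")),
]


def subscribers_behind(outside_ip: str, log: List[Translation] = LOG) -> List[str]:
    """Everyone who has ever sat behind this public address.

    This is all an IP-only complaint can tell the ISP: the answer is a set,
    not a single user, which is the ambiguity willie describes.
    """
    return sorted({t.subscriber_id for t in log if t.outside_ip == outside_ip})


def attribute(outside_ip: str, outside_port: int, when: datetime,
              log: List[Translation] = LOG) -> Optional[str]:
    """Resolve (public IP, public port, timestamp) to one subscriber.

    Only the mapping records are consulted; no packet contents are needed.
    The timestamp is essential because ports are reused once a mapping ends.
    """
    hits = [t for t in log
            if t.outside_ip == outside_ip
            and t.outside_port == outside_port
            and t.start <= when
            and (t.end is None or when < t.end)]
    if len(hits) > 1:
        # Two live mappings on the same public ip:port means the log is corrupt.
        raise ValueError("overlapping mappings for the same public ip:port")
    return hits[0].subscriber_id if hits else None


if __name__ == "__main__":
    print(subscribers_behind("203.0.113.5"))
    print(attribute("203.0.113.5", 40001, ts("2014-05-01T10:02:00")))
    print(attribute("203.0.113.5", 40001, ts("2014-05-01T10:10:00")))
```

The lookup only works if the party asking supplies the public port and an accurate timestamp alongside the IP, and if the ISP's clocks and the complainant's clocks agree; a query that lands in the gap between two mappings (here, between 10:05 and 10:06 on port 40001) returns nothing rather than guessing.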


----------



## Francisco (May 1, 2014)

It'll be a lot easier for people to go sniffing traffic with CGNAT in place.

I wouldn't doubt a lot of ISPs will use commodity hardware to do their CGNAT deployments, meaning you're just a TCPDUMP away.

I know you can do port mirrors with physical gear but still, it's a lot more effort or in some cases not physically possible.

On the topic of details, ARIN has grown more and more 'needy' in regards to VPS customer data.

They seem to really hate customers being given a static /32 that aren't designated residential.

I bet every VPS provider on here that has sent justification forms with /32's defined has had to dish out complete user information.

Francisco


----------



## drmike (May 1, 2014)

CGNAT is one IP on public side and internally mapped/referenced IPs... No?

Tracking users in these systems is certainly comprehensive.  Every other aspect of the infrastructure and the deployment specs and regs are burdensome.

As a customer, generally, long overdue to always tunnel, hell multiple tunnels.

Problem is, VPN (OpenVPN being the biggie), most use shared IPs from VPN providers and those are soiled, blacklisted, etc.

Private VPN is a bunch of work to basically say I always originate from over here. Makes tracking and identity very simple.

My big question, cause I went all over, to Fran, is what are the perceived end customer risks he sees with CGNAT? List please


----------



## Francisco (May 1, 2014)

drmike said:


> CGNAT is one IP on public side and internally mapped/referenced IPs... No?
> 
> Tracking users in these systems is certainly comprehensive.  Every other aspect of the infrastructure and the deployment specs and regs are burdensome.
> 
> ...


They have no choice but to, but CGNAT could lead to a lot easier monitoring/surveillance. The inability to use IPSEC as well as many other VPN products is also a major concern.

Setting up a port mirror can be an annoying thing, especially if you have a super complex network or just very loaded switches (like any major ISP likely does). Adding a Linux user that has sudo access to tcpdump? Not so much.

Francisco


----------



## willie (May 1, 2014)

I'd expect someone with access to the raw network segment would be able to tcpdump all the IPs on the segment as easily as just specific ports.  Wireshark has a nice GUI that makes that easy.  Am I missing something?

I'm more bothered by this ARIN thing as I can't help wondering if 3 letter agencies are leaning on them for the info, which seems very invasive and valuable (knowing who is serving what).  I feel a little safer with LowEndSpirit-style VPS's where a single ipv4 address is NATted to a bunch of separate VPS, which also have ipv6 connectivity.  Have you had to turn over any user info for ipv6 addresses where there's no sign of a legitimate investigation going on?  I guess going ipv6-only is still problematic for public-facing servers (even limited audience ones) but it will improve.

How does ARIN check that info anyway?  Do they call phone numbers at random and ask "are you so-and-so and do you really have a vps at x.y.z.w from whathost.com?"

(Added): I wonder if the increased use of domain privacy services has anything to do with the ARIN info requirements.  It of course defeats the purpose of domain privacy, if someone has all the user info in a single place.

By the way, please check your PM's when you get a chance-- I messaged you about something unrelated a couple days ago.


----------

