nanog mailing list archives

Re: Sudden surge in CGNAT blacklisting


From: "Eric C. Miller via NANOG" <nanog () lists nanog org>
Date: Fri, 16 May 2025 19:36:42 +0000

"You're getting away with 256:1 CGNAT and not having customers run out of
ports?"

I would like to apologize to the greater community for the hack job that I have done in the name of getting users 
online. 256:1 in our early networks was based on retail adoption in a community, and it quickly falls down when 
penetration improves. We use dynamic port allocation, so power users can get more ports from users that are lighter.

We've published our RFC 8805 geofeed, and that helps with some groups like MaxMind, and we've also communicated with IP 
Quality Score about how we do CGNAT, but I'm not sure if they just reset their database, or if something else occurred. 
We had to roll CGNAT IPs for about 10,000 customers across 3 regions (CA, TX, FL) in 72 hours. We have more space now, 
so we're assigning space at an average ratio of 40:1.

I really don't believe that the Cat and Mouse gets "fixed" for IPv4 CGNAT. IPv6 has to be made a priority.

Eric
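The RFC 8805 geofeed Eric mentions is small enough to show in full. The block below is an added example and not Eric's, Blue Stream's or NANOG's code: it renders a set of CGNAT pools as a geofeed (RFC 8805 CSV: prefix, ISO 3166-1 country, ISO 3166-2 region, city, postal code), validates the codes before anything is published, parses the result back the way a consumer such as MaxMind would, and computes the static per-subscriber port budget at a given subscriber:address ratio. The prefixes (RFC 5737 documentation space), the city names and the 1024 reserved low ports are assumptions constructed for the example.

```python
"""RFC 8805 geofeed for CGNAT pools, plus a static port-budget check.

Added illustration, not code from the NANOG thread. Pool prefixes, place
names and the reserved-port count are constructed for the example.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Shapes of the codes RFC 8805 expects: ISO 3166-1 alpha-2 and ISO 3166-2.
_COUNTRY = re.compile(r"^[A-Z]{2}$")
_REGION = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")


@dataclass(frozen=True)
class Pool:
    prefix: str       # public CGNAT pool, e.g. "203.0.113.0/24" (RFC 5737 space)
    country: str      # ISO 3166-1 alpha-2, e.g. "US"
    region: str       # ISO 3166-2 subdivision, e.g. "US-CA"
    city: str = ""    # optional free text
    postal: str = ""  # optional; RFC 8805 permits an empty field


def geofeed_lines(pools):
    """Render pools as RFC 8805 lines: prefix,country,region,city,postal.

    Raises ValueError on a malformed prefix or code so that a bad line never
    reaches the published file; consumers silently discard feeds they cannot
    parse, which looks exactly like "the geofeed had no effect".
    """
    out = ["# RFC 8805 geofeed; every prefix below is ISP CGNAT pool space"]
    for p in pools:
        net = ipaddress.ip_network(p.prefix, strict=True)  # rejects host bits
        if not _COUNTRY.match(p.country):
            raise ValueError(f"bad country code {p.country!r} for {p.prefix}")
        if p.region and not (_REGION.match(p.region)
                             and p.region.startswith(p.country + "-")):
            raise ValueError(f"region {p.region!r} is not in {p.country}")
        buf = io.StringIO()
        # RFC 4180 CSV quoting, so a city containing a comma stays one field.
        csv.writer(buf, lineterminator="").writerow(
            [str(net), p.country, p.region, p.city, p.postal])
        out.append(buf.getvalue())
    return out


def parse_geofeed(text):
    """Parse a geofeed into (network, country, region, city, postal) tuples,
    skipping comments and blank lines as a consumer would."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))
        fields += [""] * (5 - len(fields))  # trailing fields may be omitted
        rows.append((ipaddress.ip_network(fields[0]), *fields[1:5]))
    return rows


def ports_per_subscriber(ratio, usable_ports=65536 - 1024):
    """Static port budget per subscriber behind one CGNAT address.

    Assumes ports below 1024 are never handed out (an assumption for the
    example). Dynamic allocation lets a heavy user borrow from light ones,
    but the total behind the address does not change: at 256:1 each
    subscriber's fair share is about 250 ports, which is why that ratio
    only works while most subscribers are idle.
    """
    return usable_ports // ratio


if __name__ == "__main__":
    pools = [Pool("203.0.113.0/24", "US", "US-CA", "Los Angeles"),
             Pool("198.51.100.0/24", "US", "US-TX", "Austin"),
             Pool("192.0.2.0/24", "US", "US-FL", "Miami")]
    print("\n".join(geofeed_lines(pools)))
    for ratio in (256, 40):
        print(f"{ratio}:1 -> {ports_per_subscriber(ratio)} ports per subscriber")
```

Publish the rendered file over HTTPS and reference it from the prefix's inetnum/NetRange `remarks:` (or the RPSL `geofeed:` attribute where the RIR supports it) so consumers can discover it; the validation step matters because a single malformed line is enough for a consumer to drop the whole feed.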
________________________________
From: Jon Lewis <jlewis () lewis org>
Sent: Friday, May 16, 2025 9:46 AM
To: Eric C. Miller via NANOG <nanog () lists nanog org>
Cc: Eric C. Miller <eric () ericheather com>
Subject: Re: Sudden surge in CGNAT blacklisting

On Thu, 15 May 2025, Eric C. Miller via NANOG wrote:

> Has anyone else experienced a sudden increase in the past 2 weeks of blocks getting flagged as "VPN" or "Proxy?" We 
> have some older leased space from HE and Cogent that got hammered seemingly all at once. We've started accelerating 
> our migration to our ARIN space, but it's still odd why it's all of a sudden.
>
> Most of the addresses are between 32:1 and 256:1 CGNAT pool IPs, and there are other 256:1 IPs that remain 
> unaffected. Each customer behind an IP is in the same subdivision.

You're getting away with 256:1 CGNAT and not having customers run out of
ports?

Flagged (and presumably blocked) by who / what sorts of services/networks?

Have you done anything (SWIPs, suggestive PTRs, etc.) to indicate to
outsiders that the IP blocks in question are CGNAT?

I know some VPN providers have utilized NAT for years, and some content
providers (e.g. streaming services) have played a years-long game of cat &
mouse / whack-a-mole trying to block these VPNs to prevent "out of region"
eyeballs from accessing content they're not supposed to be permitted to
see.  To their algorithms, I wouldn't be surprised if VPNs using NAT and
service providers using CGNAT were indistinguishable.

CGNAT is an unfortunate fact of life for many service providers in a world
that's running out of v4 space but unwilling to fully (or even mostly)
transition to v6...so I would hope nobody is blocking service
provider CGNAT space intentionally.

----------------------------------------------------------------------
  Jon Lewis, MCP :)              |  I route
  Blue Stream Fiber, Sr. Neteng  |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/YH5HSIQCTFPBKSWZ6XECR534IIYC3RJ2/
