
I guess there's a large pool of IP addresses used by residential ISPs that could be recycled relatively easily.

When I lived in Ireland I only got a public IPv6, my IPv4 was behind CG-NAT. The nerd in me wasn't a fan of that on paper, but in reality I didn't have any issues with it.

I could see ISPs making a quick buck by switching to CG-NAT on IPv4 so they can sell off their IPv4 blocks.

Those IPs being recycled for servers/services doesn't seem too risky, given that they're not typically hosting anything.




Problem with CGNAT is the costs involved in bookkeeping for law enforcement.

Where an IPv4 solution for your clients only needs change-logging on the IP-binding-to-client level, CG-NAT requires you as an ISP to log every outgoing IPv4/port combination, with timestamp, to client mapping.

Which requires A LOT more storage and much more expensive equipment.

The going rate per IPv4 address is up to $40 nowadays, so selling off your v4 block might not be cost-efficient.


Disclaimer: I work with this stuff and might be a little biased to certain vendor solutions.

Good CGNAT implementations have support for static blocks: the subscriber always ends up at a specific IP number + port block combination. (Each subscriber is assigned a specific number of exit ports, and this is all just logged once during startup, so you always know where each subscriber ends up.)

Should they run out of their assigned port block, there are pools which you can borrow from (these then need to be logged: who borrowed at what time, etc.). So all in all there is less logging than when everything was dynamic.


And law enforcement inquiries barely contain source port information, or a precise time. Most of them go like: who had this IP in $this-two-weeks-window. No source port, no destination IP/port.


"We don't have the ability to determine a specific subscriber based on the information provided" and close the request.


This is not how most of these laws work. As an ISP, you are required to have this bookkeeping, and are audited for it in (most) countries.

Usually, the law has specific procedures about how this information is requested, which responsibilities lie with which party, and how long the response time for such a request should be.

When starting (or already being) an ISP, you already know what kind of system you need to build that matches all these requirements by law. Simply saying "we do not have the required information" wouldn't work, because the law has very specific details about the requested information.*

* This is in a European country, so no clue if this is applicable to the US.


In my European country the law very specifically tells ISPs what to record. It doesn't require them to produce any conclusions or other data, so if you ask for a subscriber name without enough details (port and destination in this example) the response I gave is totally legal. I have in fact seen that kind of thing happen and compliance departments tend to favor exactly this, do what the letter of the law said, not a byte more unless a court orders them. The risk otherwise is that you're illegally violating the privacy of a customer just to please some law enforcement agency.

As a follow-up the agency, with the right court order, could get all the raw connection records and try to figure it out themselves. But if you don't know the exact time and (source IP, port, destination IP, port) combination you're not going to figure it out in a network with large scale NAT.
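To make concrete the "static block" CGNAT bookkeeping described earlier in the thread, and why a lookup without a source port (as in the comment above) can only yield "everyone behind that address", here is an added illustration that is not from any commenter or vendor. The public pool (TEST-NET-3), the 2048-port block size and the subscriber numbering are all constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed assumptions: two public addresses from TEST-NET-3 and a fixed
# number of exit ports per subscriber. Real deployments size these differently.
PUBLIC_POOL = [ipaddress.IPv4Address("203.0.113.1"), ipaddress.IPv4Address("203.0.113.2")]
FIRST_PORT = 1024                 # ports below this stay with the NAT box itself
PORTS_PER_SUBSCRIBER = 2048
BLOCKS_PER_IP = (65536 - FIRST_PORT) // PORTS_PER_SUBSCRIBER   # 31 blocks per address


def assign_block(subscriber_index: int):
    """Return (public_ip, first_port, last_port) for a subscriber.

    The mapping is a pure function of the subscriber index, so it only has
    to be logged once at startup instead of once per outgoing connection.
    """
    if subscriber_index < 0 or subscriber_index >= len(PUBLIC_POOL) * BLOCKS_PER_IP:
        raise ValueError("subscriber index outside the deterministic pool")
    ip = PUBLIC_POOL[subscriber_index // BLOCKS_PER_IP]
    first = FIRST_PORT + (subscriber_index % BLOCKS_PER_IP) * PORTS_PER_SUBSCRIBER
    return ip, first, first + PORTS_PER_SUBSCRIBER - 1


def build_startup_log() -> dict:
    """The one-time record written at startup: (ip, first_port) -> subscriber."""
    log = {}
    for idx in range(len(PUBLIC_POOL) * BLOCKS_PER_IP):
        ip, first, _ = assign_block(idx)
        log[(ip, first)] = idx
    return log


def resolve(log: dict, public_ip: str, port: Optional[int] = None):
    """Answer a lookup against the static log.

    With a source port the answer is one subscriber (or None if the port lies
    outside every static block, i.e. it came from a borrowed pool that would
    need its own log). Without a port, the only honest answer is the list of
    every subscriber sharing that address.
    """
    ip = ipaddress.IPv4Address(public_ip)
    if port is not None:
        if port < FIRST_PORT or port > 65535:
            return None
        first = FIRST_PORT + ((port - FIRST_PORT) // PORTS_PER_SUBSCRIBER) * PORTS_PER_SUBSCRIBER
        return log.get((ip, first))
    return sorted(idx for (lip, _), idx in log.items() if lip == ip)
```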


That will just lead to a whole lot of "we don't have that information" or, alternatively, "all of these 10000 people used that, have fun!"


And isn't that the privacy we all would really enjoy? :D


The "I'm Spartacus!" of torrenting

(For those who haven't heard the reference https://www.youtube.com/watch?v=FKCmyiljKo0#t=0m40s )


Anything that makes mass surveillance more expensive is a plus in my book.


Whilst I don't necessarily disagree with the sentiment, all the costs an ISP might incur will almost certainly be passed on to the consumer. We're paying to be surveilled in many different ways.


I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

If CGNAT keeps scaling, these IP limiters need to phase out.


> If CGNAT keeps scaling, these IP limiters need to phase out.

This problem would be easy to solve, if only there were some way for a website operator to phase out CGNAT and see a user's 128-bit IP address instead...


> I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

The association between IP and user/endpoint is changing, especially with the advent of Apple’s Private Relay, other privacy-protecting proxies, and increased CGNAT.

Website & hosting providers will have to adapt, but right now we’re certainly in a transition state.


> Where an IPv4 solution for your clients only needs change-logging on IPbinding-to-client level, the CG-NAT requires you as an ISP to log every outgoing IPv4/port combination with timestamp to client mapping.

Why does each individual connection have to get a port from the global allocator, rather than any of the pooling or hierarchical techniques that high performance memory allocators use?


The allocators already use pooling, but there are only so many source ports to choose from.


Even better idea, don't keep those logs in the first place. Tell LE you have nothing for them.


> The nerd in me wasn't a fan of that on paper, but in reality I didn't have any issues with it.

No issues? So, how are people supposed to be able to access your machine then?


Via the mentioned public IPv6 address


If all ISPs supported IPv6 this wouldn't even be news (well, it wouldn't even have happened).


Btw, what happened to Teredo? Is there a working macOS client?


With ZeroTier, TailScale etc. just creating a personal network of your own should help solve the issue I guess.


Ngrok if you only want TCP


I usually used Teamviewer.


Why should I want people to be accessing my personal desktop/laptop/tablet?


It's cause you want to get to your home boxen from outside.


Surely you know this is a super niche requirement?

You can use IP6 or a commercial rather than domestic ISP if you really need to do it.


It might not be so niche if we weren't all behind NAT firewalls. There would probably be a whole lot more applications that do direct connections between two people, and eliminate the middle-man. There's a reason every major service out there has their applications set up in some cloud to relay the messages back and forth between clients.


There are other solutions to this problem now. Tailscale comes to mind.


That was not the question, it said "people".


Most domestic users don’t want or need this. If you’ve got a special requirement use a commercial ISP.


That makes me realise there is an incentive for ISPs to hold out on supporting IPv6. If IPv6 was widely supported then their IPv4 blocks would be worthless. I wonder how many will be holding out on deploying IPv6 until they can offload their still-valuable IPv4 addresses.


IPv6 adoption is just sad. Sharing an anecdote: Back in 2002, I was using a 56k modem on a Linux box 24/7 from home with a dialup flat rate. Being an avid IRCnet user, I set up an IPv6 tunnel with a tunnel broker (I think it was Hurricane Electric - it was before Aiccu was a thing) and connected to the IPv6 IRCnet servers. There was once a channel #uptime which was a contest: On start of the contest, everybody in the channel got voice - and the person to last hold voice would win (you lose voice when your TCP connection disconnects). Even though I had a forced disconnect every 24h, amongst over 100 users (mostly servers, bouncers, universities etc.) I ranked 6th place in the end (after a couple of weeks), because my IPv4 dialup was reconnecting fast enough to receive the buffered IPv6 tunnel packets from the broker. Today I have no more IPv6 since SixXS shut its doors a couple of years back, and my provider (o2/Telefonica) hasn't rolled it out to me yet.

Looking back over those 19 years, the availability and state of IPv6 has worsened for me - even though the IPv4 shortage was known back then.


Same story here. I think I had IPv6 around 2000 with HE and then SIXXS, and my university back then already assigned IPv6 addresses. Now in 2021, I don't think I have had an IPv6 address assigned either at home or at work for quite some time.

It's hard to understand why they don't just push through, since there clearly are no real technical problems, as witnessed by those few countries with major providers that actually actively use IPv6 (only).


I've had a static ipv4 address on a home internet connection for almost 10 years, now. They're out there...


I used to have that. Then all residential customers were put under a CGN, and you can ask for a dedicated, public IP, free of charge. I imagine 99.9% of users can't tell the difference so the ISP saved a lot of IP space, while customers are just as happy.


Yup, ISPs in countries that got a nice big block of addresses in the early days can still manage this. I have a cable connection that was originally provided by NTL (now Virgin Media). My IPv4 address changes about once a year now as they do upgrades/maintenance. It used to change even less.


I find the IPv6 address scary because IP geolocation places it in the same city district. CGNAT would be better because the server would see the IPv4 of the ISP. I don't know, is there a way to not show my IPv6 and fall back on the CGNAT address, because that looks much more secure in terms of not getting doxed and ad tracked?


That’s not inherent to IPv6 though, your ISP chose to be more specific in the location data for those addresses. If it’s sufficiently detailed as to “dox” you, maybe ask them not to do that?


Both AT&T and Comcast do this with IPv4 as well.


Yeah, NTL/Virgin Media in the UK do the same in that their IPs geolocate to where the node/head end is. In a city, it's not going to be specific enough to uniquely identify you but it's still weird seeing ads that aren't that far away.

On the other hand, the IPv4/v6 addresses on my A&A connection geolocate to either London or Bracknell (where their office is), about 400 miles away. I get a lot of pointless ads for things in Surrey that I have no intention of visiting.


I have never used Google search, but the other day someone used it in front of me and at the bottom I saw what appeared to be "pin code for approximating your current location for local results", or something to that end. That scared me big time because this was like my home pin code; my small city has like 30, so this is narrowing me down to a single one, which I am not comfortable with.


Right, but is Google doing this with the information they get from your IP address or something else entirely? Is it just coincidence that your IP address corresponds to your ISP’s office which happens to be relatively local?

With loose enough permissions your browser has a geolocation API that, depending on your device, will be a hell of a lot more accurate (if you have Wi-Fi hardware it can use that to work out where it is relative to the known locations of the SSIDs it can see, or straight-out use GPS).

None of this has anything to do with IPv6 - you give away some location information with your username and profile on this very site, for example.


I believe Google has their own IP geolocation database, likely seeded from all their apps that have location access, because the location given at the bottom of the search results page is always far more accurate than any other IP geolocator I've seen, and there are others on my WiFi network who use Google services with location.


I assume a VPN, SSH tunnel, WireGuard or any other type of proxy would hide your residential IP.


Sure, just disable IPv6 support in your OS.


Apparently Android doesn't allow that on WiFi, so out of luck.

