RFC 6888 - Common Requirements for Carrier-Grade NATs (CGNs)

April 2013 Best Current Practice

Abstract

This document defines common requirements for Carrier-Grade NATs (CGNs). It updates RFC 4787 and is intended to help ensure that CGNs deployed by Internet Service Providers (ISPs) do not unnecessarily impair the user experience or break applications.

Carrier-Grade NAT Overview

Carrier-Grade NAT (CGNAT), also known as Large Scale NAT (LSN), is a type of Network Address Translation (NAT) used by Internet Service Providers (ISPs) to extend the life of IPv4 addresses. CGNAT allows ISPs to assign private IPv4 addresses to customers while sharing a smaller pool of public IPv4 addresses.

Key Characteristics

  • Large Scale: Supports thousands of simultaneous users
  • High Performance: Designed for carrier-grade throughput
  • Logging: Comprehensive logging for regulatory compliance
  • Redundancy: High availability and failover capabilities

CGNAT Architecture

Typical CGNAT Deployment

    [Customer] --- [CPE NAT] --- [ISP Network] --- [CGNAT] --- [Internet]
    10.0.0.0/8     192.168.x.x    100.64.0.0/10    Public IPs   Global
    (Private)      (Private)      (Shared Space)   (Scarce)     Internet

Address Spaces

  • Customer Networks: RFC 1918 private addresses (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)
  • Shared Address Space: RFC 6598 addresses (100.64.0.0/10) between ISP and CGNAT
  • Public Address Pool: Globally routable IPv4 addresses shared among customers

CGNAT Requirements

Port Allocation

  • Minimum 1024 ports per customer
  • Dynamic port allocation preferred
  • Port range assignment for fairness
  • Well-known ports (0-1023) restrictions

Session Management

  • TCP session timeout: 2+ hours
  • UDP session timeout: 5+ minutes
  • ICMP timeout: 60+ seconds
  • Graceful session cleanup

Logging & Compliance

  • Log all port allocations
  • Timestamp accuracy requirements
  • Customer identification mapping
  • Data retention policies

Performance

  • High throughput capacity
  • Low latency translation
  • Concurrent session limits
  • Resource monitoring

CGNAT Challenges

Application Compatibility

Many applications assume end-to-end connectivity and may break behind CGNAT, including P2P applications, gaming, and VoIP services.

Geolocation Issues

Shared public IP addresses can cause geolocation services to incorrectly identify customer locations, affecting content delivery and compliance.

Abuse Mitigation

Shared IP addresses complicate abuse tracking and mitigation, as multiple customers appear to originate from the same IP address.

Performance Impact

Additional translation layer introduces latency and potential bottlenecks, especially under high load conditions.

Mitigation Strategies

Technical Solutions

  • Port Control Protocol (PCP) support
  • UPnP IGD compatibility
  • ALG (Application Layer Gateway) support
  • IPv6 transition mechanisms

Operational Practices

  • Adequate port allocation ratios
  • Customer communication and support
  • Monitoring and alerting systems
  • Capacity planning and scaling

Long-term Strategy

  • IPv6 deployment acceleration
  • Dual-stack implementation
  • Customer IPv6 education
  • Application IPv6 readiness

Industry Implementations

Hardware Solutions

  • Cisco ASR series with CGNAT
  • Juniper MX series with NAT
  • A10 Networks Thunder CGN
  • F5 BIG-IP CGNAT

Software Solutions

  • Open source implementations
  • Virtual network functions (VNF)
  • Container-based solutions
  • Cloud-native CGNAT services
View Official RFC 6888 ← Back to Resources