Carrier Grade Network Address Translation (CGN/CGNAT): AX Series Advanced Traffic Manager
Network Address Translation (NAT) is a technology that has been in use for a long time and by now has a ubiquitous presence in firewalls and Internet gateways. Carrier Grade NAT (CGN/CGNAT), also known as Large Scale NAT (LSN), is now becoming the new standard. Initially, traditional NAT was used for translating the address ranges between two networks. In the last decade, NAT has been used for virtually every household or enterprise connection, as part of a home Internet router. The main reason for NAT's popularity is the ability to share a global (public) IP address among multiple local (private) IP addresses. IP addresses have become increasingly scarce over the last decade; ISPs would only hand out one IP address per home subscriber. The depletion has gotten even worse recently: in 2011, the Internet Assigned Numbers Authority (IANA) issued the last remaining /8 address blocks to the Regional Internet Registries (RIRs). NAT can help alleviate the IPv4 address shortage by oversubscribing the remaining global IP addresses.
The problem with NAT is that it breaks the end-to-end principle of networking. Applications such as peer-to-peer (P2P), VoIP, video streaming, tunneling or any application that uses IP addresses in the payload, suffer from this. NAT behavior is not fully standardized among network equipment vendors, though there are IETF RFCs that help make a NAT more transparent and deterministic.
Evolution to CGN
CGN is the next level for NAT implementations; it aims to provide a solution for Internet Service Providers (ISPs) and carriers, but also is a good replacement for NAT devices in an enterprise network. CGN enables these organizations to deliver transparent IPv4 connectivity and a seamless user experience while oversubscribing their limited global IPv4 addresses. Carriers can assign local (private) IPv4 addresses in their access network, and use a centralized device to manage the address translation to the global (public) Internet. This setup has one level of NAT, and is also referred to as NAT44. CPE NAT devices create a second translation layer; this setup is also referred to as NAT444.
- Transparent connectivity (EIM/EIF)
- User Quotas
CGN provides the most transparent NAT connectivity for a device because it has features such as Endpoint Independent Mapping (EIM), Endpoint Independent Filtering (EIF) and Hairpinning. Traditional NAT implementations drop traffic initiated from the outside (which EIM and EIF permit once a mapping exists) and do not allow inside hosts to reach each other through their own public mappings (Hairpinning).
Another important aspect of CGN is the ability for an administrator to limit the number of TCP and UDP ports that can be used by a single subscriber. This is crucial in order to maintain fairness in sharing port resources among subscribers. "Botnets" used in Distributed Denial of Service (DDoS) attacks open a large number of connections per end device, which rapidly depletes port availability. If left unregulated, the overall connectivity for other subscribers can easily be compromised by external individuals.
While CGN provides the most transparent NAT connectivity, some protocols require special consideration. For example, they may use separate control and data IP/port combinations in their communications, and both have to be translated consistently. An Application Layer Gateway (ALG) provides deep-packet inspection to identify these applications and allow correct NAT traversal for them.
Because the local private IP address is not visible to the public Internet, logging is another major aspect of CGN that has to be considered. All devices that connect to the Internet produce a multitude of sessions, and tracking every session produces a vast volume of log messages. A CGN device must provide advanced techniques that help reduce the volume of logs, such as Port Batching, Zero-Logging, compact logging and others.
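The following toy NAT44 table, added here as an illustration and not code from A10 or the AX Series, shows in one place the behaviours described above: Endpoint Independent Mapping (an inside ip:port keeps one public port regardless of destination), Endpoint Independent Filtering (inbound traffic to an existing mapping is accepted from any remote endpoint, everything else is dropped), hairpinning (inside hosts reaching each other via their public mappings), a per-subscriber port quota, and port-batch allocation so that one log line covers a whole block of ports instead of one line per session. The public address, batch size and quota are constructed values.

```python
"""Toy CGN (NAT44) mapping table for illustration only; not AX Series code.
Constructed values: documentation-range addresses, a 64-port batch, a 128-port quota."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed public address of the CGN
PORT_BASE = 1024             # first port handed out from the public pool
BATCH_SIZE = 64              # ports allocated to a subscriber per batch (constructed)
QUOTA_PORTS = 128            # per-subscriber quota: two batches (constructed)


@dataclass
class CGN:
    mappings: dict = field(default_factory=dict)  # (int_ip, int_port) -> public port
    reverse: dict = field(default_factory=dict)   # public port -> (int_ip, int_port)
    batches: dict = field(default_factory=dict)   # int_ip -> [(start, end), ...]
    next_batch: int = PORT_BASE
    log: list = field(default_factory=list)       # one entry per batch, not per session

    def _alloc_port(self, int_ip):
        """Return a free public port from the subscriber's batches, or allocate a new
        batch if the quota allows. Returns None when the quota is exhausted."""
        for start, end in self.batches.get(int_ip, []):
            for port in range(start, end):
                if port not in self.reverse:
                    return port
        used = BATCH_SIZE * len(self.batches.get(int_ip, []))
        if used + BATCH_SIZE > QUOTA_PORTS:
            return None                           # user quota reached: deny new mapping
        start = self.next_batch
        self.next_batch += BATCH_SIZE
        self.batches.setdefault(int_ip, []).append((start, start + BATCH_SIZE))
        # Port batching: a single log line records the whole block for this subscriber
        self.log.append(f"ALLOC {int_ip} -> {PUBLIC_IP}:{start}-{start + BATCH_SIZE - 1}")
        return start

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Translate a packet from the subscriber side.
        Returns (src_ip, src_port, dst_ip, dst_port) after NAT, or None if denied."""
        key = (int_ip, int_port)
        ext_port = self.mappings.get(key)         # EIM: same mapping for every destination
        if ext_port is None:
            ext_port = self._alloc_port(int_ip)
            if ext_port is None:
                return None
            self.mappings[key] = ext_port
            self.reverse[ext_port] = key
        if dst_ip == PUBLIC_IP and dst_port in self.reverse:
            # Hairpinning: destination is another inside host's public mapping,
            # so rewrite both ends and deliver back to the inside
            in_ip, in_port = self.reverse[dst_port]
            return (PUBLIC_IP, ext_port, in_ip, in_port)
        return (PUBLIC_IP, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, ext_port):
        """Translate a packet arriving from the Internet.
        EIF: any remote endpoint may use an existing mapping; no mapping means drop."""
        key = self.reverse.get(ext_port)
        if key is None:
            return None
        return (src_ip, src_port, key[0], key[1])


def demo():
    """Exercise the table and return the observations a practitioner would check."""
    cgn = CGN()
    a, b = "10.0.0.2", "10.0.0.3"                 # constructed subscriber addresses
    first = cgn.outbound(a, 5000, "198.51.100.1", 80)
    second = cgn.outbound(a, 5000, "198.51.100.2", 443)   # new destination, same mapping
    hairpin = cgn.outbound(b, 6000, PUBLIC_IP, first[1])  # B reaches A via public port
    unsolicited = cgn.inbound("192.0.2.9", 1234, first[1])
    dropped = cgn.inbound("192.0.2.9", 1234, 2000)        # no mapping on this port
    extra = sum(cgn.outbound(a, p, "198.51.100.1", 80) is not None
                for p in range(5001, 5201))               # push A past its quota
    return {"eim_same_port": first[1] == second[1], "hairpin": hairpin,
            "eif_accept": unsolicited, "eif_drop": dropped,
            "a_mappings": 1 + extra, "log_lines": len(cgn.log),
            "sessions": len(cgn.mappings)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows why the logging point matters: 129 sessions are created but only three ALLOC lines are written, because each subscriber's ports are handed out in batches, and the quota denies the 129th mapping for the first subscriber while the second subscriber is unaffected.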
CGN is designed for larger scale global IP address oversubscription, while providing the most transparent connectivity for a user. This means it is not only a solution for ISPs and carriers, but for enterprises as well. This is why LSN and CGN are terms that are often used interchangeably; the industry is gravitating towards the term CGN. Typically, CGN devices handle large numbers of concurrent connections and high bandwidth throughput. Note that when a NAT device (such as a firewall or legacy load balancer) claims to be carrier grade because it is able to handle large volumes of traffic, that does not make it a Carrier Grade NAT device, as some vendors try to make their customers believe.
CGN Use Cases
A10 has many customers worldwide that have successfully deployed CGN as part of their IPv6 migration strategy. For example, a deployment at one of the nation's largest mobile carriers uses A10's CGN solution to maintain IPv4 connectivity for the ever growing mobile and smartphone market. The AX Series provides a feature-rich CGN solution and superior High Availability (HA) because of active session synchronization. This means that all active sessions remain intact if, for example, a single AX device were to lose its power. The AX Series leaves the competition behind because it has more features and superior processing power, while being extremely cost-efficient (typically 10x to 100x lower per-subscriber cost versus traditional network vendors). One single AX device provides more power than multiple hyper-expensive, chassis-based processing cards that are part of large networking vendors' NAT solutions. More features and more power out of the box means A10's CGN solution can fit in and adapt to any growing network. AX devices can be easily clustered together, combining their processing power in a way that is easy to administer.
CGN is an important aspect of the move to IPv6 connectivity because it extends the life of IPv4 connectivity. The AX Series provides a complete set of solutions for an IPv6 migration strategy. A key advantage of the AX Series is the all-inclusive licensing model: all features are available out of the box for operational simplicity. Due to the Interplay capability, all subscribers can interconnect, regardless of which IPv6 technology they are connected with.
There are many IPv6 migration technologies, since all networks are different and no single solution is best for every network. When IPv6 is starting to gain presence in a network, 6rd can be used to transport IPv6 connections over an IPv4 core, or DS-Lite can be used to transport IPv4 over a core that has already migrated to IPv6. CGN is used in parallel to solve the IPv4 public address shortage. Once IPv6 is widely adopted in a network, NAT64/DNS64 technology provides access to IPv4-only resources.
AX Series Advantage
The AX Series provides extremely powerful, comprehensive and cost-effective solutions to connect a network to the IPv6 realm. If multiple technologies are used, the users can interconnect, a key feature known as Interplay. This critical capability is often not present in competitor offerings. Carrier Grade NAT is an integral part of most IPv6 migration strategies, and many configuration options are available to customize the CGN operation if needed.
- Endpoint Independent Mapping
- Endpoint Independent Filtering
- User Quotas
- Application Layer Gateways (ALGs)
- Comprehensive logging options
- Active Session Synchronization
- aVCS clustering
The AX Series also has a great advantage in terms of scalability, with an unprecedented number of concurrent sessions and overall traffic throughput. The AX Series has superior HA support with Active Session Synchronization. While the AX Series provides the most comprehensive solution set and the best performance, its pricing is highly competitive. The price per subscriber is unmatched, and while most competitors will nickel-and-dime their customers with a dazzling set of licensing schemes, the AX Series provides all this functionality out of the box. No additional licenses are required.