
This would be completely mitigated by rolling out CG-NAT for all customers. Orange Espana has been working on this for their fibre customers (I think almost all of them are behind CG-NAT already), but ADSL customers are still waiting for it.



Well, except for attackers behind the CG-NAT.

Also, CG-NAT is a HORRIBLE technology that causes lots of problems for subscribers all for the sake of allowing an ISP to sell their IPv4 space off at a premium and pump up their numbers if a quarter demands it.

I'm with Virgin cable in the UK and they are going to IPv6 soon ... but with DS-Lite, so CG-NAT for IPv4 (yay, I can't connect back to my home VPN if I'm on an IPv4 only network) but native IPv6 (sort of yay).

You then also have the issues with online services, IP bans etc. etc. etc.

CG-NAT is nothing to be cheered on, and is worse than useless for "security".


Is that definite on Virgin? Seems uncertain still...


It's the method LG have decided on for all their cable networks, and according to this presentation from earlier this month, it's still the plan (and let's face it, if they changed to dual stack now it would take them another 4+ years to get it rolled out ... snails have NOTHING on the LG network operations team): https://www.ipv6.org.uk/wp-content/uploads/2018/11/LG-Virgin...


It is not reasonable to apply "carrier-grade NAT" to residential internet connections.

I'm paying for internet service, I don't want some locked-down system that can't receive inbound connections.


I specifically requested (and got) to be outside their CG-NAT. It worked horribly (the ports got reset every other day, and some other customer could have taken the port you wanted at that point) and some applications with ports hardcoded over number 2000 did not work. People with PPTP VPNs could not use them anymore. Plus, enjoy getting banned from things because you share your IPv4 with plenty of strangers.


You specifically requested to be outside their CGNAT, and now look at your CPE, wide open to the WAN.


"Orange's CGNAT, at least better than our compromised CPE" is certainly catchy PR.


Ehm, what?

So you trust the ISP to implement CG-NAT properly when they can’t manage to secure a simple CPE router?


This is possibly the worst reason I’ve ever heard of for CG-NAT.

CG-NAT has so many issues for consumers that will end up hoisted onto other services/applications support departments. The internet is not a one way street and there are many legitimate reasons for listening ports that I’m surprised anybody would push for CG-NAT.

I can’t even imagine trying to get through to an ISP to fix their CG-NAT issue. It’s hard enough to get them to fix routing issues without being established on an industry mailing list or having an existing contact.

Nobody wants the AOL internet of yesteryear and IMO CG-NAT is just a step in that direction.


What you're really asking for is carrier-grade stateful firewalls. It just so happens that NAT has a firewall-like effect, along with lots of issues for peer to peer applications (something obscure called Skype used to do that, among others) and power users. NAT is not a solution but a problem.
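An added illustration of the point in the comment above (not code from the thread or from any ISP): a minimal stateful inbound filter whose connection-tracking table is what keeps unsolicited packets out, with no address rewriting at all, so the subscriber keeps a public IP and can still open a listening port deliberately. The packet tuples and addresses are constructed sample data from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple; enough to show connection tracking."""
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Carrier-side stateful filter without NAT (hypothetical, for illustration).

    Flows opened from the inside are remembered; an inbound packet is forwarded
    only if it is a reply to a tracked flow or hits a port the subscriber has
    explicitly opened. Addresses are never rewritten.
    """

    def __init__(self, inside):
        self.inside = set(inside)   # subscriber addresses behind the filter
        self.flows = set()          # (in_ip, in_port, out_ip, out_port)
        self.listen = set()         # (in_ip, in_port) deliberately exposed

    def allow_inbound(self, ip, port):
        """Subscriber opts in to a listening port (e.g. a home VPN)."""
        self.listen.add((ip, port))

    def handle(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if pkt.src in self.inside:  # outbound: record the flow and pass it
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True             # reply to a flow the subscriber opened
        return (pkt.dst, pkt.dport) in self.listen  # or an opted-in port


def demo():
    """Walk four packets through the filter; returns the forward/drop decisions."""
    fw = StatefulFilter(inside={"192.0.2.10"})
    out = [fw.handle(Packet("198.51.100.7", 40000, "192.0.2.10", 80))]   # unsolicited
    out.append(fw.handle(Packet("192.0.2.10", 51515, "203.0.113.5", 443)))  # outbound
    out.append(fw.handle(Packet("203.0.113.5", 443, "192.0.2.10", 51515)))  # reply
    fw.allow_inbound("192.0.2.10", 1194)  # subscriber exposes a VPN port on purpose
    out.append(fw.handle(Packet("198.51.100.7", 40001, "192.0.2.10", 1194)))
    return out  # [False, True, True, True]
```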


Your argument is as bad as saying: "Well, that could be mitigated by not having internet"
