Re: V6 still not supported

My apologies for expressing myself poorly.

What I meant to say is that this is primarily a problem caused by Sony and the Sonys of the world. Less so a problem inherent to IPv4. A root cause fix would address Sony's hostile behavior.

- Jared

Jordi Palet wrote:

No, it isn't only a Sony problem; it becomes a problem for every ISP that has customers using Sony PSN and has CGN (NAT444). Their IP blocks are black-listed when they are detected as being used for CGN. This blocking is "forever" (I'm not aware of anyone that has been able to convince PSN to unblock them). Then the ISP will rotate the addresses that are in the CGN (which means some work renumbering other parts of the network).

You do this with all your IPv4 blocks, and at some point, you don't have any "not black-listed" block. Then you need to transfer more addresses.

So realistically, in many cases, for residential ISPs it makes a lot of sense to analyze if you have a relevant number of customers using PSN and make your numbers about if it makes sense or not to buy CGN vs transfer IPv4 addresses vs the real long term solution, which is IPv6 even if you need to invest in replacing the customer CPEs.

Regards,
Jordi
@jordipalet

On 30/3/22, 21:02, "NANOG on behalf of Jared Brown" <nanog-bounces+jordi.palet=consulintel.es at nanog.org on behalf of nanog-isp at mail.com> wrote:

    Not to necessarily disagree with you, but that is more of a Sony problem than an IPv4 problem.

    - Jared

    Jordi Palet wrote:

    It is not a fixed one-time cost ... because if your users are gamers behind PSP, Sony is blocking IPv4 ranges behind CGN. So, you keep rotating your addresses until all of them are blocked, then you need to transfer more IPv4 addresses ...

    So under this perspective, in many cases it makes more sense to NOT invest in CGN, and use that money to transfer up-front more IPv4 addresses at once, you will get a better price than if you transfer them every few months.

    Regards,
    Jordi
    @jordipalet

    On 30/3/22, 18:38, "NANOG on behalf of Jared Brown" <nanog-bounces+jordi.palet=consulintel.es at nanog.org on behalf of nanog-isp at mail.com> wrote:

        Randy Carpenter wrote:

My guess is that fixing that means fixing tons of games/apps. They are somehow presuming that every user of the game has a different IP.

Note that we are talking only about PSN because it is probably the most affected one, but I heard about other services with similar problems and similar blockings.

I'm convinced that it will be cheaper and much easier to port to IPv6 those games/apps and at the same time be a long-term solution.

Regards,
Jordi
@jordipalet

On 4/4/22, 14:03, "NANOG on behalf of Jared Brown" <nanog-bounces+jordi.palet=consulintel.es@nanog.org on behalf of nanog-isp@mail.com> wrote:

    My apologies for expressing myself poorly.

    What I meant to say is that this is primarily a problem caused by Sony and the Sonys of the world. Less so a problem inherent to IPv4. A root cause fix would address Sony's hostile behavior.

    - Jared

    Jordi Palet wrote:

    No, it isn't only a Sony problem; it becomes a problem for every ISP that has customers using Sony PSN and has CGN (NAT444). Their IP blocks are black-listed when they are detected as being used for CGN. This blocking is "forever" (I'm not aware of anyone that has been able to convince PSN to unblock them). Then the ISP will rotate the addresses that are in the CGN (which means some work renumbering other parts of the network).

    You do this with all your IPv4 blocks, and at some point, you don't have any "not black-listed" block. Then you need to transfer more addresses.

    So realistically, in many cases, for residential ISPs it makes a lot of sense to analyze if you have a relevant number of customers using PSN and make your numbers about if it makes sense or not to buy CGN vs transfer IPv4 addresses vs the real long term solution, which is IPv6 even if you need to invest in replacing the customer CPEs.

    Regards,
    Jordi
    @jordipalet

    On 30/3/22, 21:02, "NANOG on behalf of Jared Brown" <nanog-bounces+jordi.palet=consulintel.es at nanog.org on behalf of nanog-isp at mail.com> wrote:

        Not to necessarily disagree with you, but that is more of a Sony problem than an IPv4 problem.

        - Jared

        Jordi Palet wrote:

        It is not a fixed one-time cost ... because if your users are gamers behind PSP, Sony is blocking IPv4 ranges behind CGN. So, you keep rotating your addresses until all of them are blocked, then you need to transfer more IPv4 addresses ...

        So under this perspective, in many cases it makes more sense to NOT invest in CGN, and use that money to transfer up-front more IPv4 addresses at once, you will get a better price than if you transfer them every few months.

        Regards,
        Jordi
        @jordipalet

        On 30/3/22, 18:38, "NANOG on behalf of Jared Brown" <nanog-bounces+jordi.palet=consulintel.es at nanog.org on behalf of nanog-isp at mail.com> wrote:

            Randy Carpenter wrote:

I think you’re jumping to conclusions that Sony is doing this purely from the darkness in their hearts. The same thing could be said about Netflix and Hulu blocking traffic from addresses that appear as proxies/VPNs. Like it or not we had many years where the primary expectation of the Internet was that you could map a single ISP customer back to an IP address and MANY services still cling to this belief.

This is why we have situations like this where even law enforcement agencies can’t seem to wrap their heads around multiple customers all sharing the same IP address. You have to remember that a majority of people do not see all this behind the scenes stuff so as far as they are concerned the Internet will continue working as it always has and any deviation in that is a problem with the ISP when all of their friends can connect fine except for them.

Related to the LEA agencies and CGN:

Regards,
Jordi
@jordipalet

On 4/4/22, 16:12, "NANOG on behalf of Francis Booth via NANOG" <nanog-bounces+jordi.palet=consulintel.es@nanog.org on behalf of nanog@nanog.org> wrote:

    I think you’re jumping to conclusions that Sony is doing this purely from the darkness in their hearts. The same thing could be said about Netflix and Hulu blocking traffic from addresses that appear as proxies/VPNs. Like it or not we had many years where the primary expectation of the Internet was that you could map a single ISP customer back to an IP address and MANY services still cling to this belief.

    6th Grader Expelled After Zoom Provided Possibly Inaccurate IP Address - Slashdot

    This is why we have situations like this where even law enforcement agencies can’t seem to wrap their heads around multiple customers all sharing the same IP address. You have to remember that a majority of people do not see all this behind the scenes stuff so as far as they are concerned the Internet will continue working as it always has and any deviation in that is a problem with the ISP when all of their friends can connect fine except for them.

And how is this really horribly different than all the Napster crap
where the "owner" of an ISP account got blamed for the activities of
a family member or guest?

Maybe the LEA agencies need some better clue. I'm fine with them
advocating for IPv6, but I have a suspicion that IPv6 is just another
can of worms, because when you have "an IPv4 internets worth of
internets" (64 bits) available as the host portion of an IPv6 address,
and stuff like RFC 4941, they're going to continue to mistarget the
account owner even in the absence of CG-NAT.

Finding a law enforcement compatible method of who generated traffic
currently ends up being an exercise in keeping detailed logs. Which
could be done with CG-NAT. Which makes the referenced article an
example of a failure to understand the true (and horrifying) nature
of the problem of traffic attribution.

Doesn't even begin to touch on pwnage issues.

... JG
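
An added illustration of the "detailed logs" point in the message above (not part of the original thread or any participant's code): attributing a flow behind CG-NAT needs the public IP, the source port and an accurate timestamp, and a missing port or a skewed clock widens the candidate set. The log layout, subscriber IDs and addresses are constructed for the example and assume a CGN that logs port-block allocations.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

class NatMapping(NamedTuple):
    subscriber: str    # constructed subscriber id
    public_ip: str     # shared CGN public address
    port_lo: int       # first port of the allocated block
    port_hi: int       # last port of the allocated block (inclusive)
    start: datetime    # allocation time (inclusive)
    end: datetime      # release time (exclusive)

def ts(s: str) -> datetime:
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample log: three subscribers share 198.51.100.7 over time.
CGN_LOG = [
    NatMapping("sub-A", "198.51.100.7", 1024, 2047, ts("2022-04-04T10:00:00"), ts("2022-04-04T12:00:00")),
    NatMapping("sub-B", "198.51.100.7", 2048, 3071, ts("2022-04-04T10:30:00"), ts("2022-04-04T13:00:00")),
    NatMapping("sub-C", "198.51.100.7", 1024, 2047, ts("2022-04-04T12:00:00"), ts("2022-04-04T14:00:00")),
    NatMapping("sub-D", "198.51.100.8", 1024, 2047, ts("2022-04-04T10:00:00"), ts("2022-04-04T14:00:00")),
]

def attribute(log, public_ip, when, src_port=None, skew=timedelta(0)):
    """Return every subscriber that could have sourced the observed flow.

    src_port=None models a remote service that logged only the IP address.
    skew models clock uncertainty between the remote service and the CGN.
    """
    candidates = set()
    for m in log:
        if m.public_ip != public_ip:
            continue
        # Mapping lifetime must overlap [when - skew, when + skew].
        if not (m.start <= when + skew and when - skew < m.end):
            continue
        if src_port is not None and not (m.port_lo <= src_port <= m.port_hi):
            continue
        candidates.add(m.subscriber)
    return candidates

if __name__ == "__main__":
    t = ts("2022-04-04T11:00:00")
    print("IP only:       ", sorted(attribute(CGN_LOG, "198.51.100.7", t)))
    print("IP + port:     ", sorted(attribute(CGN_LOG, "198.51.100.7", t, 1500)))
    t2 = ts("2022-04-04T12:00:05")
    print("30 s of skew:  ", sorted(attribute(CGN_LOG, "198.51.100.7", t2, 1500, timedelta(seconds=30))))
```
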

Less so a problem inherent to IPv4. A root cause fix would address Sony’s hostile behavior.

Disagree, to a point.

The problem isn’t technically with IPv4 itself, but with the lack of availability of V4 addresses. This tends to force things like CGNAT, which then compounds the problem when companies rely too heavily on ‘reputation’ services that put a scarlet letter on entire subnets, sometimes forcing providers to spend money to buy a new range on the open market that hopefully isn’t ‘tainted’, and tossing the old subnet back out to make it someone else’s problem.

IPv6 itself doesn’t solve that; these reputation providers could still mark /64s as ‘bad’, but it wouldn’t impact entire ISPs worth of users when they did.

(Of course, the better solution is really on the service end to have a better system to associate bad activity to specific users, or other methods that aren’t reliant on reputation services, but that won’t happen unless they start seeing revenue loss from people who want to pay them for a service but can’t because of too much reputation blocking, and I think that’s a long way away, if it ever gets there.)

This is the actual solution. It was always a terrible hack to rely on IP addresses as an identifier and that's especially true for gaming consoles where they can use some pre-built identifier burned into the box. With browser fingerprinting it would be silly to incorporate IP addresses into the mix as DHCP from providers changes up the IP address reducing its fidelity.

This is clearly a Sony et al problem. Providers should point the finger at them to make them fix it.

Mike, not that I think cgnat isn't a gross hack

It appears that JORDI PALET MARTINEZ via NANOG <jordi.palet@consulintel.es> said:

Related to the LEA agencies and CGN:

Are you sharing the same IP address as a criminal? Law enforcement call for the end of Carrier Grade NAT (CGN) to increase accountability online | Europol

Before we freak out too much, you might note that this page is dated 17 Oct 2017.

I'm pretty sure that CGNs didn't disappear four years ago.

R's,
John

Changing providers only works in a competitive market, but even there a little bit of market segmentation isn't necessarily a bad thing.

The main thing is that ISPs should not be so accommodating to these malfeasants, who via their practices make a bad situation worse. Sony et al. are externalizing costs and that shouldn't be accepted.

- Jared

Francis Booth wrote:

I think you’re jumping to conclusions that Sony is doing this purely from the darkness in their hearts.

  I confess to being momentously surprised if this wasn't the driving reason :)

The same thing could be said about Netflix and Hulu blocking traffic from addresses that appear as proxies/VPNs.

  This is not quite the same. Netflix and Hulu have contractual reasons for not allowing out of market access, as they do not have distribution rights to content in all markets. Then there is also the question of password sharing, which is a legitimate reason to restrict access.

  IIRC Netflix will still let you watch Netflix originals even if they think you are using a proxy or VPN. They will even occasionally fix misdesignated IP space.

Like it or not we had many years where the primary expectation of the Internet was that you could map a single ISP customer back to an IP address and MANY services still cling to this belief.

  Even the courts are coming around to the fact that an IP address does not equal a person. When even ultraprogressive instances like these are starting to get it, maybe it's time for all the other neanderthals to get with the times?

- Jared

Jared Brown wrote:

If I'm a gamer, and one of my possible ISPs is using CGN, and from time to time stops working, and another ISP is providing me a public and/or static IPv4 address, always working, and there is not too much price difference, what I will do?

Changing providers only works in a competitive market, but even there a little bit of market segmentation isn't necessarily a bad thing.

The main thing is that ISPs should not be so accommodating to these malfeasants, who via their practices make a bad situation worse. Sony et al. are externalizing costs and that shouldn't be accepted.

- Jared

Like most things of this nature, there is a tipping point. Where exactly it is, either individually or communally, and whether it is ever reached is typically only viewable via hindsight.

Service providers tend to be on the "make it work" side of things, whether due to historical reasons or their users' expectations or the nature of any technology centered business. Usually it's more efficient and even cost effective to just fix it if you can. And yes, that is a self-reinforcing cycle.

But everything has its limits.

Increasing NAT, IPv4 re-use, IPv6 is likely to push the point away from Network-Address-as-Customer-Identity from being the service provider's responsibility.

Joe

Worse yet, this ship sailed anyway even farther with a ton of devices using private/dynamic MAC addresses …

FWIW, large-ish ISP here, originally an ipv4-only shop. A few years back we overhauled everything and naively tried to go all ipv6, since we owned the data/voice terminals and set top boxes. Didn't quite work out that way, and wound up spending gobs of money on CGNAT … but our most demanding customers really appreciate the reduction in latency they get when using ipv6 and skipping that extra processing layer.

As usual, YMMV… jlr

(snip)

There are other problematic examples out there for CGN as well…

For example, Philips Hue assumes that if you are presenting the same public IP to the internet, you must be in the same household.

Yes, this means that an opportunistic neighbor behind the same CGNAT address as you can gain control of your lighting products if you
are not careful and they time their attack right.

Owen

Yeah, that would be very wishful thinking.

It would be nice if they did, but I doubt they are going anywhere any time soon, unfortunately.

Owen