RFC 6598 CG-NAT (Carrier-Grade NAT)

Standard: RFC 6598
Address Range: 100.64.0.0/10

Understanding RFC 6598 CG-NAT: Navigating the Last Stand of IPv4

The year 2011 marked a critical turning point in internet infrastructure. As the last blocks of IPv4 addresses were allocated by IANA, Internet Service Providers faced an unprecedented challenge: how to continue serving growing customer bases with a finite and exhausted address pool. RFC 6598 emerged as a pragmatic solution, introducing Carrier-Grade NAT (CG-NAT) and the 100.64.0.0/10 address space. Having implemented and troubleshot CG-NAT deployments across various ISP environments, I want to share the realities of this technology that has become both salvation and complication for modern internet infrastructure.

The Critical Address Block: 100.64.0.0/10

RFC 6598 established a unique 100.64.0.0/10 address space, spanning from 100.64.0.0 to 100.127.255.255. This allocation provides 4,194,304 total addresses specifically designated as shared address space between ISP equipment and customer premises equipment. Unlike RFC 1918 private addresses, this range serves a very specific purpose in the ISP-customer relationship.

What makes this address block special is its position in the networking hierarchy. These addresses aren't meant for end-user devices or internal corporate networks. Instead, they exist in the liminal space between your ISP's infrastructure and your connection, creating a buffer zone that enables address sharing while maintaining network functionality.

Carrier-Grade NAT: Engineering Around Scarcity

Carrier-Grade NAT represents one of the most significant architectural shifts in ISP networking since the widespread adoption of broadband. The technology creates what network engineers often call "double NAT" – a two-stage address translation process that maximizes the utility of available public IPv4 addresses.

The Double Translation Journey

When you send data from your home network, it travels through two distinct NAT layers. Your device might use a familiar 192.168.1.100 address, which your home router translates to a 100.64.x.x address assigned by your ISP. This traffic then passes through the ISP's CG-NAT equipment, which performs a second translation to a public IPv4 address shared among multiple customers.

This architecture allows ISPs to serve hundreds or even thousands of customers behind a single public IPv4 address. From a resource utilization perspective, it's brilliant. From a network complexity standpoint, it introduces challenges that ripple through the entire internet experience.

Real-World Implementation Challenges

The Port Allocation Puzzle

One of the most complex aspects of CG-NAT implementation involves managing port allocations. With multiple customers sharing a single public IP address, ISPs must carefully distribute the available 65,536 ports across their customer base. A typical deployment might allocate 256 or 512 ports per customer, which sounds generous until you consider modern internet usage patterns.

A single web page load can consume dozens of simultaneous connections. Streaming services, cloud backups, and IoT devices all compete for these limited port resources. ISPs must balance customer experience with technical limitations, often implementing sophisticated algorithms to manage port allocation dynamically.

Logging and Compliance Complexity

Legal requirements in many jurisdictions mandate detailed logging of NAT translations for law enforcement purposes. This creates enormous data management challenges for ISPs. Every connection must be logged with timestamps, customer identifiers, internal addresses, and public IP mappings. The storage and processing requirements for this data can be staggering in large deployments.
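The three preceding sections (the double translation journey, the port allocation puzzle, and the logging requirement) fit together in one small model. The following is an added example written for this page, not code from RFC 6598, NetLookup, or any ISP or vendor: a home router translating a 192.168.x.x address to its ISP-assigned 100.64.x.x address, a CG-NAT translating that onto one shared public IPv4 address using a fixed 256-port block per customer, a log record per mapping, and the attribution query that a translation log exists to answer. All addresses, customer identifiers, timestamps and the block size are constructed, and the choice to hand out only ports above 1023 is an assumption.

```python
"""Toy double-NAT model: home router (192.168.x.x -> 100.64.x.x) in front of a
CG-NAT (100.64.x.x -> shared public IP, fixed port block per customer), with a
translation log and a "who held this public port at time T" lookup.
Added example for this page; not code from RFC 6598 or any ISP or vendor.
Addresses, customer ids, block size and timestamps are constructed."""
from dataclasses import dataclass
from typing import Optional

PORT_BLOCK_SIZE = 256                          # ports per customer, as in the text
CGN_FIRST_PORT, CGN_LAST_PORT = 1024, 65535    # assumption: well-known ports unused


@dataclass
class NatLogRecord:
    """Fields the text says must be logged: time, customer, internal address
    (100.64.x.x:port) and the public mapping; end is set when released."""
    start: int                   # unix seconds (constructed)
    customer_id: str
    internal: str                # e.g. "100.64.1.10:40000"
    public_port: int             # port on the shared public IP
    end: Optional[int] = None


class HomeRouter:
    """First NAT stage: LAN 192.168.x.x -> the 100.64.x.x WAN address."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip, self.next_port = wan_ip, first_port
        self.table: dict = {}    # (lan_ip, lan_port) -> wan_port

    def translate(self, lan_ip: str, lan_port: int):
        key = (lan_ip, lan_port)
        if key not in self.table:
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        return self.wan_ip, self.table[key]


class CarrierGradeNAT:
    """Second NAT stage: 100.64.x.x -> one public IP, a port block per customer."""

    def __init__(self, public_ip: str, block_size: int = PORT_BLOCK_SIZE):
        self.public_ip, self.block_size = public_ip, block_size
        self.next_block = CGN_FIRST_PORT
        self.blocks: dict = {}        # customer_id -> range of public ports
        self.customer_of: dict = {}   # 100.64.x.x -> customer_id
        self.used: dict = {}          # customer_id -> set of ports in use
        self.sessions: dict = {}      # (internal_ip, internal_port) -> record
        self.log: list = []

    def add_customer(self, customer_id: str, internal_ip: str) -> range:
        if self.next_block + self.block_size - 1 > CGN_LAST_PORT:
            raise RuntimeError("public IP has no free port block left")
        block = range(self.next_block, self.next_block + self.block_size)
        self.next_block += self.block_size
        self.blocks[customer_id], self.used[customer_id] = block, set()
        self.customer_of[internal_ip] = customer_id
        return block

    def translate(self, internal_ip: str, internal_port: int, ts: int):
        """Return (public_ip, port), or None when the customer's block is full:
        the connection failure the text describes."""
        key = (internal_ip, internal_port)
        if key in self.sessions:
            return self.public_ip, self.sessions[key].public_port
        customer = self.customer_of[internal_ip]
        free = [p for p in self.blocks[customer] if p not in self.used[customer]]
        if not free:
            return None
        rec = NatLogRecord(ts, customer, f"{internal_ip}:{internal_port}", free[0])
        self.used[customer].add(free[0])
        self.sessions[key] = rec
        self.log.append(rec)
        return self.public_ip, free[0]

    def release(self, internal_ip: str, internal_port: int, ts: int) -> None:
        rec = self.sessions.pop((internal_ip, internal_port))
        rec.end = ts
        self.used[rec.customer_id].discard(rec.public_port)   # port is reusable again

    def utilization(self, customer_id: str) -> float:
        return len(self.used[customer_id]) / self.block_size

    def who_had(self, public_port: int, ts: int) -> Optional[str]:
        """Attribution over the log; the timestamp matters because a released
        port is handed out again."""
        for rec in self.log:
            if rec.public_port != public_port or rec.start > ts:
                continue
            if rec.end is None or ts < rec.end:
                return rec.customer_id
        return None


def demo() -> dict:
    home = HomeRouter("100.64.1.10")
    cgn = CarrierGradeNAT("203.0.113.5")
    cgn.add_customer("cust-A", "100.64.1.10")
    cgn.add_customer("cust-B", "100.64.1.11")
    isp_ip, isp_port = home.translate("192.168.1.100", 51000)   # stage 1
    public = cgn.translate(isp_ip, isp_port, ts=1000)            # stage 2 -> port 1024
    for n in range(1, PORT_BLOCK_SIZE):                          # fill cust-A's block
        cgn.translate("100.64.1.10", 40000 + n, ts=1001)
    overflow = cgn.translate("100.64.1.10", 60000, ts=1002)      # None: block exhausted
    util = cgn.utilization("cust-A")                             # 1.0
    cgn.release("100.64.1.10", 40000, ts=1500)                   # frees public port 1024
    cgn.translate("100.64.1.10", 60000, ts=1600)                 # gets port 1024 again
    cust_b = cgn.translate("100.64.1.11", 40000, ts=1600)        # own block, port 1280
    return {"stage1": (isp_ip, isp_port), "public": public, "overflow": overflow,
            "util_A": util, "owner_1200": cgn.who_had(1024, 1200),
            "owner_1550": cgn.who_had(1024, 1550), "owner_1600": cgn.who_had(1024, 1600),
            "cust_B": cust_b}
```

The `who_had` lookup shows why a CG-NAT log has to carry the port and both ends of the mapping's lifetime, not just an IP and a date: the same public port is reused by the same or another customer within seconds, so an abuse report that names only the public IP and a day cannot be attributed to a subscriber.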

The Customer Experience Reality

Applications That Struggle

Certain categories of applications face significant challenges in CG-NAT environments. Peer-to-peer applications, which rely on direct connections between users, often struggle with the double NAT architecture. Gaming consoles that need to establish inbound connections for multiplayer functionality may require special configuration or simply not work properly.

VPN connections present another challenge. Many VPN protocols expect to have direct control over NAT behavior, which becomes impossible when customers don't control the primary NAT device. This has led to increased adoption of VPN protocols specifically designed to work through multiple NAT layers.

Performance Considerations

The additional translation layer introduces latency, though typically measured in microseconds rather than milliseconds. More significant is the potential for connection limits. Customers who exhaust their allocated port range may experience connection failures or timeouts, leading to degraded internet performance that's difficult to diagnose without specialized knowledge.

Identifying CG-NAT Deployment

For network professionals, identifying CG-NAT deployment is straightforward: check whether the router's WAN interface receives an address in the 100.64.0.0/10 range. For end users, the symptoms are more subtle – reduced performance with certain applications, inability to host services, or mysterious connection failures that resolve after waiting.

Understanding these symptoms helps network professionals diagnose and explain connectivity issues that might otherwise seem random or inexplicable.
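The WAN-address check above, and the address-block definitions from "The Critical Address Block" section, as an added example written for this page (not code from NetLookup). `classify` tells RFC 6598 shared space apart from RFC 1918 private space and routable public space; `wan_diagnosis` applies the check the text describes and, as a generalization beyond the text, also compares a public WAN address with the address an outside host reports seeing. Function names and the sample addresses are constructed.

```python
"""Classify an IPv4 address by the block it falls in and diagnose a customer
router's WAN address. Added example for this page, not NetLookup's own code;
sample addresses are constructed."""
import ipaddress
from typing import Optional

RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")   # 100.64.0.0 - 100.127.255.255
RFC1918_PRIVATE = tuple(ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def classify(addr: str) -> str:
    """Return 'rfc6598-shared', 'rfc1918-private', 'public', 'special' or 'ipv6'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    # Test the shared block explicitly: in CPython's ipaddress module it is
    # neither is_global nor is_private, so a private-only test would miss it.
    if ip in RFC6598_SHARED:
        return "rfc6598-shared"
    if any(ip in net for net in RFC1918_PRIVATE):
        return "rfc1918-private"
    if ip.is_global:
        return "public"
    return "special"        # loopback, link-local, documentation ranges, etc.


def wan_diagnosis(wan_addr: str, seen_from_outside: Optional[str] = None) -> str:
    """First branch is the check from the text; the rest is a generalization
    (assumption): compare the WAN address with what an outside host sees."""
    kind = classify(wan_addr)
    if kind == "rfc6598-shared":
        return "cg-nat"                 # ISP translates upstream of this router
    if kind == "rfc1918-private":
        return "behind-another-nat"     # e.g. an ISP modem/router in front of it
    if kind == "public":
        if seen_from_outside is None or seen_from_outside == wan_addr:
            return "direct-public"
        return "translated-upstream"    # public WAN address, but not the one seen outside
    return "unusual-wan-address"
```

Reading a WAN address of 100.64.1.10 as "cg-nat" is the straightforward case; the "translated-upstream" branch covers deployments where the ISP hands the router a public-looking address yet still translates it, which the WAN-address check alone cannot reveal.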

The IPv6 Transition Strategy

CG-NAT was always intended as a transitional technology, a bridge to buy time while IPv6 deployment matured. The most forward-thinking ISPs implement dual-stack architectures, providing customers with both IPv4 service (through CG-NAT) and native IPv6 connectivity.

This approach allows customers to access IPv4-only services through the CG-NAT while taking advantage of IPv6's abundant address space for direct connectivity to IPv6-enabled services. As the internet continues its gradual transition to IPv6, the importance of CG-NAT will diminish, but that transition is measured in years, not months.

Operational Best Practices for ISP Engineers

Successful CG-NAT deployments require careful attention to several operational factors:

Port Allocation Strategy: Implement dynamic port allocation that can adapt to customer usage patterns while maintaining fairness across the customer base.

Monitoring and Alerting: Establish comprehensive monitoring for port pool utilization, connection rates, and customer-specific usage patterns to identify issues before they impact service quality.

Application-Aware Policies: Develop policies that recognize different traffic types and allocate resources accordingly. Gaming traffic might need different treatment than web browsing.

Customer Communication: Provide clear documentation about CG-NAT deployment and its implications. Customers who understand the technology are better equipped to adapt their usage patterns.

IPv6 Preparation: Use CG-NAT deployment as an opportunity to accelerate IPv6 rollout, treating the technologies as complementary rather than competitive.

The Broader Network Evolution Context

RFC 6598 and CG-NAT represent more than just a technical solution to address exhaustion – they represent the internet infrastructure's ability to adapt under pressure. The technology demonstrates how the networking community can develop pragmatic solutions to seemingly insurmountable challenges.

For network professionals, understanding CG-NAT provides insight into the economic and technical pressures shaping modern internet infrastructure. It's a technology born of necessity, implemented with ingenuity, and destined to be superseded by IPv6 – but one that continues to enable internet connectivity for millions of users worldwide.

The lessons learned from CG-NAT deployment – resource sharing, translation complexity, and customer impact management – inform broader discussions about network architecture scalability and the ongoing evolution of internet infrastructure.