
    CGNAT (Carrier Grade Network Address Translation) is a relatively recent technology and, unfortunately, not a well known one, although every Internet user should be aware of it. CGN (carrier-grade NAT) lets a single public IP address serve many subscribers by handing each of them a non-public address. This article explains the problems that brings.

    What is NAT?

    Most readers will already know NAT (Network Address Translation). It is the mechanism through which the majority of users have connected to the Internet in recent years. The connection is made through a device, usually a router, which holds a public IP address and is connected to the Internet.
    The router is the device connected to the Internet, over the lines of your provider, and behind the router we set up a private address range.
    The mechanism that lets devices with private addresses reach the Internet works by rewriting the requests that leave the private IP addresses, replacing the private source IP with the public IP of the router.

    The request eventually reaches the corresponding server, the response comes back, and the router undoes the rewrite so that the response reaches the machine that made the request.

    Simple network diagram, the one we all have at home:

    NAT limitations

    NAT is an important limitation on how users use and perceive the Internet, since most of them think that this is what the Internet is. The original idea was that all equipment would be connected end to end, that is, that every machine would be reachable from anywhere in the world.

    We would then have had a much less centralised and controlled Internet than the one we have today. But at the time there was no option but to adopt NAT, and it is what we have lived with in recent years on virtually all the networks we use, mainly domestic ones, and in many cases corporate networks too.

    NAT types

    In NAT, two different processes are distinguished:

    • SNAT (Source Network Address Translation) is the mechanism through which clients get access to the Internet: the source address of each outgoing packet is rewritten to the router's public address, and the router remembers the mapping so it can rewrite the reply back.
    • DNAT (Destination Network Address Translation), through a configuration in the router, allows requests that reach certain ports of the router's public address to be redirected to a specific machine on the private network. This gives access from the Internet to machines on the private network, in a limited way, since it covers only certain ports, and allows us to host certain services inside the private network. It is widely used for p2p applications in the domestic sphere, and in non-domestic environments to host web servers, mail servers or any other service that is to be run from inside the private network. With its limitations, this mechanism gives the computers on the network somewhat more functionality.

    What is CG-NAT?

    A few years ago the CGNAT mechanism was developed because of the exhaustion of IPv4 addresses. With it, the IP address handed to the router is not a public IP but an address from the CGNAT range (the shared address space 100.64.0.0/10 reserved for this purpose), so the router has no public address and is therefore not reachable from the Internet.

    In practice that NAT does not affect the use most end users make of the Internet, since they can still reach services such as Google, Facebook or any other. What happens is that NAT is performed twice instead of once, once in the home router and once in the operator's CGN, which in most cases is unnoticeable, so users still believe they have full Internet access.

    It is not really the same as having a public address on the router, because it makes any DNAT mechanism impossible: we cannot redirect any port, since the address to which traffic would be redirected is itself not public. It is not private in the same sense as the usual NAT ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), but it is equally unreachable from the Internet, so you cannot host services inside: no web servers, no mail servers, no p2p servers, nor any service that requires a connection to be initiated from a machine on the Internet to a machine on your local network.

    The router that performs the NAT to the public IP address is in the hands of the operator, so forget about the usual "open ports to this PC to use this application": you simply cannot open ports. Nor will you be able to change the public IP address, which is also directly in the hands of the operator.

    If at home you have a web server, an FTP server, an SSH server, a VPN server, Nextcloud for example to synchronise your files wherever you are, or if you want to play online games that need open ports, you simply cannot do it; it will be impossible for you to host services. You will have a non-public IP address instead of a public one, so you no longer have end-to-end communication with the Internet; everything passes through the CGN.
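As an added example, not from the original article, here is a small Python model of the SNAT and DNAT processes described in the NAT types section above, and of what happens to them when the home router is placed behind a CGN. All addresses and ports are constructed for illustration: 203.0.113.10 plays the operator's public address, 100.64.5.9 the shared-space address handed to the router, 192.168.1.20 a web server on the LAN, and 198.51.100.7 and 192.0.2.80 hosts on the Internet. The class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Stateful NAT box: SNAT on the way out, reply lookup or DNAT on the way in."""

    def __init__(self, name: str, outside_ip: str,
                 port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.name = name
        self.outside_ip = outside_ip
        # Static DNAT rules set by whoever owns the box: outside port -> (inside ip, inside port).
        self.port_forwards: Dict[int, Tuple[str, int]] = dict(port_forwards or {})
        # Dynamic SNAT state: outside port -> (inside ip, inside port, remote ip, remote port).
        self.conntrack: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT: swap the inside source for our outside address and a fresh port."""
        port = self._next_port
        self._next_port += 1
        self.conntrack[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo SNAT for replies, apply DNAT for forwarded ports, drop the rest."""
        if pkt.dst_ip != self.outside_ip:
            return None
        entry = self.conntrack.get(pkt.dst_port)
        if entry is not None and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        rule = self.port_forwards.get(pkt.dst_port)
        if rule is not None:
            return Packet(pkt.src_ip, pkt.src_port, rule[0], rule[1])
        return None  # unsolicited packet with no rule: dropped


PUBLIC_IP = "203.0.113.10"   # constructed: the address visible on the Internet
SHARED_IP = "100.64.5.9"     # constructed: RFC 6598 address the CGN hands the router
LAN_SERVER = "192.168.1.20"  # constructed: web server on the home LAN
REMOTE = "198.51.100.7"      # constructed: client somewhere on the Internet


def single_nat_port_forward() -> Optional[Packet]:
    """Router holds the public IP and forwards port 8080: the probe reaches the LAN server."""
    router = Nat("home", PUBLIC_IP, port_forwards={8080: (LAN_SERVER, 80)})
    return router.inbound(Packet(REMOTE, 51000, PUBLIC_IP, 8080))


def cgnat_port_forward() -> Optional[Packet]:
    """Same router and rule, but the public IP now sits on the operator's CGN."""
    cgn = Nat("cgn", PUBLIC_IP)  # operator box: subscribers cannot add DNAT rules here
    router = Nat("home", SHARED_IP, port_forwards={8080: (LAN_SERVER, 80)})
    after_cgn = cgn.inbound(Packet(REMOTE, 51000, PUBLIC_IP, 8080))
    return router.inbound(after_cgn) if after_cgn is not None else None


def cgnat_outbound_reply() -> Optional[Packet]:
    """Ordinary browsing still works: translated twice out, un-translated twice back."""
    cgn = Nat("cgn", PUBLIC_IP)
    router = Nat("home", SHARED_IP)
    request = Packet(LAN_SERVER, 52000, "192.0.2.80", 443)
    on_wire = cgn.outbound(router.outbound(request))
    reply = Packet(on_wire.dst_ip, on_wire.dst_port, on_wire.src_ip, on_wire.src_port)
    back = cgn.inbound(reply)
    return router.inbound(back) if back is not None else None


if __name__ == "__main__":
    print("single NAT, DNAT rule:     ", single_nat_port_forward())
    print("behind CGN, same rule:     ", cgnat_port_forward())
    print("behind CGN, outbound reply:", cgnat_outbound_reply())
```

The probe to port 8080 is translated by the single router but dropped by the CGN, which has no forwarding rule for that subscriber and no connection state for an unsolicited packet, so the home router's own DNAT rule is never consulted. The outbound request is translated twice and its reply un-translated twice, which is why ordinary browsing seems unaffected.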

    Importance of knowing CGNAT

    It is important that we are aware of this and of the technologies being used, because this type of Internet access, which some Internet providers are selling to their users, is sold as Internet access, and it is not exactly the same Internet access.

    The user should therefore be properly informed, and regulators should also take measures to limit it or to inform consumers of what they are being given.
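Being informed starts with checking your own connection. The following is an added example, not from the original article: it classifies the IPv4 address a router shows on its WAN side and combines it with the address an external service reports for you. The range 100.64.0.0/10 is the shared address space reserved for carrier-grade NAT, and the three RFC 1918 ranges are the ones ordinary home and office NAT uses; the sample addresses and the function names are this example's own.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, the ones a home or office NAT normally uses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXPLANATION = {
    "cgnat": "shared address on the WAN side: port forwarding cannot work",
    "upstream-nat": "RFC 1918 address on the WAN side: another NAT upstream, same effect",
    "translated": "public WAN address but the Internet sees a different one",
    "public": "the router itself holds the address the Internet sees",
    "ipv6": "not an IPv4 address; NAT does not apply",
}


def classify_wan_address(wan_ip: str) -> str:
    """Say what kind of IPv4 address the router holds on its WAN interface.

    Only the ranges relevant to NAT are distinguished; other reserved space
    (loopback, link-local, multicast) is lumped into "public" for brevity.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        return "ipv6"
    if addr in CGNAT_SPACE:
        return "cgnat"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def verdict(wan_ip: str, observed_ip: str) -> str:
    """Combine the router's WAN address with the address a remote service saw us as.

    wan_ip      - what the router's status page shows for its WAN/Internet side
    observed_ip - what an external "what is my IP" style service reported
    """
    kind = classify_wan_address(wan_ip)
    if kind == "cgnat":
        return "cgnat"
    if kind == "private":
        return "upstream-nat"
    if kind == "public" and wan_ip != observed_ip:
        return "translated"
    return kind


if __name__ == "__main__":
    # Constructed inputs for illustration: (router WAN address, address seen from outside).
    for wan, seen in (("100.64.5.9", "203.0.113.10"),
                      ("203.0.113.10", "203.0.113.10"),
                      ("10.77.1.2", "203.0.113.10")):
        v = verdict(wan, seen)
        print(f"{wan:>14} -> {v}: {EXPLANATION[v]}")
```

A WAN address inside 100.64.0.0/10 is decisive on its own. A second tell, when the router hides its WAN address, is a traceroute from inside the LAN: a hop in 100.64.0.0/10 right after your router means the operator's CGN is in the path.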

    In fact there is an initiative on the part of the European Union to require Internet providers to treat CGNAT as a strictly temporary measure, to be used only until dual stack with IPv6 is in massive and widespread use. IPv6 is the real solution to the problem, and it would greatly change the way users currently use the Internet.

    Adoption of IPv6 in Spain