NAT (Network Address Translation) is a mechanism used in TCP/IP networks to replace a local (private) IP address with a public one in packets that leave the network.
With Carrier Grade NAT (CGN) or Large Scale NAT (LSN), an ISP can share one public IPv4 address among many subscribers, which prolongs the life of the limited IPv4 address space and simplifies the transition to IPv6.
The Stingray SG solution is designed for telecom operators and Internet Service Providers, and is also suitable for replacing NAT equipment in corporate networks. Its range of functions lets the platform fit into a growing network and adapt to it.
IPv4, the protocol version responsible for establishing connections between network nodes (computers, servers, mobile devices and so on), uses 32-bit addresses, about 4.3 billion in total, and that is no longer enough: more than 4.3 billion devices are already in use worldwide.
IPv6 is the next-generation protocol. Its main advantage is the larger address, 128 bits instead of 32, which gives a practically inexhaustible supply of unique IP addresses.
CG-NAT can use up to roughly 64,000 TCP and 64,000 UDP ports on each public address (port numbers are 16 bits, and the low ports are normally kept reserved). In practice, 3,000 TCP and 3,000 UDP ports per subscriber are enough for comfortable operation, and the optimal sharing ratio is up to 1:10 (10 private addresses translated to 1 public address). Keeping the ratio this low, well under what the port budget alone would allow, is best practice because many services (mail, video, search and others) protect themselves against botnets with IP-address-based reputation: the fewer subscribers share one public address, the lower the risk that the address is blocked or served a captcha.
We recommend deploying the CG-NAT function of the Stingray platform as part of a smooth migration strategy to IPv6, together with dual-stack IPv4/IPv6 support, so that IPv4 NAT and IPv6 traffic are handled simultaneously.
Advantages of DPI-based CG-NAT
- Complies with the industry standards RFC 6888 (CGN requirements) and RFC 4787 (NAT behavioural requirements for UDP)
- Uses the limited IPv4 address space efficiently
- High performance: the platform supports up to 128 million simultaneous sessions
- Scales dynamically and increases throughput without interrupting traffic
- Limits the number of TCP and UDP ports per subscriber, so one host cannot exhaust the shared port pool (DDoS protection)
- A complete set of DPI platform tools and options with centralized management
Full Cone NAT
CG-NAT uses Full Cone NAT, the combination of EIM and EIF (Endpoint-Independent Mapping and Endpoint-Independent Filtering from RFC 4787): once a subscriber's internal address and port have been mapped to an external address and port, packets from any external host sent to that external TCP/UDP port are forwarded to the subscriber, regardless of which destination the subscriber first sent traffic to.
Full Cone NAT provides transparent operation of peer-to-peer applications (such as torrents) and online games.
Paired IP address pooling
All connections from one private internal address are anchored to the same external public IP address (the "Paired" address pooling behaviour required by RFC 4787), so a subscriber never appears to remote services under several public addresses at once.
Hairpinning
A device behind the NAT can reach another device behind the same NAT by using that device's external (translated) address and port. The NAT recognizes the destination as one of its own mappings and loops the packet back to the internal host instead of sending it upstream, so subscribers inside the NAT can communicate with each other through their public endpoints.
Limits on TCP and UDP connections per subscriber
For each IP address pool, the number of TCP and UDP connections per subscriber is limited individually, which lets the carrier safely divide the address space between corporate and private clients. Inactive connections are closed and their ports released.
Address translation records (which private address and port were mapped to which public address and port, and when) are written to a text file or sent to an external collector via the IPFIX protocol (also known as NetFlow v10).
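To make the behaviours above concrete, here is a toy CG-NAT session table that models the port budget per public address, Full Cone NAT (EIM and EIF), paired IP address pooling, hairpinning, per-subscriber port limits and translation logging in one place. This is an added example written for this page, not Stingray SG code; the class and method names, the port range starting at 1024, the log record layout and the addresses (100.64.0.0/10 from the RFC 6598 shared CGN space, documentation prefixes for public and remote hosts) are all assumptions constructed here.

```python
# Toy CG-NAT session table: an added example, not Stingray SG code.
# Models EIM/EIF (Full Cone), paired pooling, hairpinning, per-subscriber
# port limits and translation logging. Names, port range and log layout
# are assumptions made for this illustration.
from collections import defaultdict


class PortLimitExceeded(Exception):
    """Raised when a subscriber would exceed its per-protocol port budget."""


class ToyCGNAT:
    def __init__(self, public_ips, ports_per_subscriber=3000,
                 port_low=1024, port_high=65535):
        # Assumption: ports below 1024 are left unused, as most CGNs do.
        self.public_ips = list(public_ips)
        self.limit = ports_per_subscriber
        self.port_low, self.port_high = port_low, port_high
        # Free external ports per (public_ip, proto), kept as a stack so that
        # released ports are handed out again.
        self.free = {(ip, proto): list(range(port_high, port_low - 1, -1))
                     for ip in self.public_ips for proto in ("tcp", "udp")}
        self.subscriber_ip = {}        # private_ip -> public_ip (paired pooling)
        self.mapping = {}              # (proto, priv_ip, priv_port) -> (pub_ip, pub_port)
        self.reverse = {}              # (proto, pub_ip, pub_port) -> (priv_ip, priv_port)
        self.used = defaultdict(int)   # (proto, priv_ip) -> mappings in use
        self.log = []                  # translation records, one per create/delete

    def subscribers_per_public_ip(self):
        """Upper bound on subscribers one public IP can carry for one protocol
        if every subscriber used its whole port budget."""
        return (self.port_high - self.port_low + 1) // self.limit

    def _pick_public_ip(self, private_ip):
        # Paired pooling: the public IP chosen on a subscriber's first mapping
        # is reused for all later mappings; new subscribers are spread
        # round-robin over the pool.
        if private_ip not in self.subscriber_ip:
            idx = len(self.subscriber_ip) % len(self.public_ips)
            self.subscriber_ip[private_ip] = self.public_ips[idx]
        return self.subscriber_ip[private_ip]

    def _allocate(self, proto, private_ip, private_port):
        if self.used[(proto, private_ip)] >= self.limit:
            raise PortLimitExceeded(f"{private_ip} already holds {self.limit} {proto} ports")
        public_ip = self._pick_public_ip(private_ip)
        public_port = self.free[(public_ip, proto)].pop()
        self.mapping[(proto, private_ip, private_port)] = (public_ip, public_port)
        self.reverse[(proto, public_ip, public_port)] = (private_ip, private_port)
        self.used[(proto, private_ip)] += 1
        self.log.append(("create", proto, private_ip, private_port, public_ip, public_port))
        return public_ip, public_port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a subscriber packet. Returns (external_src, delivered_dst);
        delivered_dst is a private tuple when the packet hairpins."""
        # EIM: the external tuple depends only on (proto, src_ip, src_port),
        # never on the destination, so every peer sees the same external port.
        ext = self.mapping.get((proto, src_ip, src_port))
        if ext is None:
            ext = self._allocate(proto, src_ip, src_port)
        # Hairpinning: a destination that is one of our own external endpoints
        # is looped back to the subscriber behind it instead of going upstream.
        inside = self.reverse.get((proto, dst_ip, dst_port))
        return ext, (inside if inside is not None else (dst_ip, dst_port))

    def inbound(self, proto, public_ip, public_port, remote_ip, remote_port):
        """EIF: a packet from any remote endpoint to an existing external
        mapping is delivered; anything without a mapping is dropped (None)."""
        return self.reverse.get((proto, public_ip, public_port))

    def release(self, proto, private_ip, private_port):
        """Close a mapping (idle timeout or subscriber logout) and free its port."""
        ext = self.mapping.pop((proto, private_ip, private_port))
        del self.reverse[(proto,) + ext]
        self.free[(ext[0], proto)].append(ext[1])
        self.used[(proto, private_ip)] -= 1
        self.log.append(("delete", proto, private_ip, private_port, ext[0], ext[1]))
        return ext


if __name__ == "__main__":
    # Constructed addresses: 100.64.0.0/10 is the shared CGN space (RFC 6598);
    # 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation prefixes.
    nat = ToyCGNAT(["203.0.113.1", "203.0.113.2"], ports_per_subscriber=3000)
    print("subscribers per public IP at full budget:", nat.subscribers_per_public_ip())
    ext, _ = nat.outbound("udp", "100.64.0.10", 5000, "198.51.100.7", 3478)
    print("100.64.0.10:5000/udp ->", ext)
    print("inbound from a new peer:", nat.inbound("udp", *ext, "192.0.2.9", 40000))
    for rec in nat.log:
        print(rec)
```

With the page's figure of 3,000 ports per subscriber, `subscribers_per_public_ip()` gives 21 for one protocol, which is why the recommended 1:10 ratio leaves a comfortable margin. The per-subscriber check in `_allocate` runs before any state is changed, so a host that has exhausted its budget cannot take ports away from others on the same public address, and `release` puts the freed port back for reuse.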
- The DPI must be deployed in-line for the CG-NAT function to work.
- For fault tolerance, a standby platform is recommended.
- A Stingray SG COMPLETE license is required to enable the CG-NAT function.
- The performance of address translation depends on the chosen hardware platform and the Stingray SG software license (from 6 to 200 Gbps).