As Head of Sales at InterLIR, I’ve witnessed firsthand how the global IPv4 address shortage has fundamentally transformed network operations. Since our founding in 2020, we’ve been at the forefront of the IPv4 marketplace, helping organizations navigate the complexities of IP resource management. One of the most significant developments in this landscape has been the widespread adoption of Carrier-Grade Network Address Translation (CGNAT), a technology that, while solving immediate resource constraints, creates profound challenges for security, user experience, and digital equity.
This article examines the innovative approaches to detecting CGNAT implementations and mitigating their unintended consequences, drawing on recent research and our practical experience in the IP address marketplace. Understanding these dynamics is crucial for any organization making decisions about IP resource allocation, security infrastructure, or global service delivery.
Throughout my career in IP resource management, I’ve observed how the fundamental assumptions about IP addresses have shifted dramatically. Historically, IP addresses served as stable identifiers for both routing and non-routing purposes, including geolocation, security operations, and user identification. Many critical security mechanisms, such as blocklists, rate limiting, and anomaly detection, were built on the assumption that a single IP address represents one coherent entity, typically a single user or device.
However, the Internet’s structure has fundamentally changed. Today, a single IPv4 address may represent hundreds or even thousands of users due to widespread implementation of technologies like Carrier-Grade Network Address Translation (CGNAT), virtual private networks (VPNs), and proxy middleboxes. This transformation has profound implications for how we approach network security, user authentication, and service delivery.
In our work at InterLIR, we help clients understand the different mechanisms of IP address sharing and their business implications. The distinction between these sharing mechanisms is crucial for developing appropriate security and access policies:
| Sharing Technology | User Awareness | Primary Driver | Key Characteristics |
|---|---|---|---|
| CGNAT | Users unaware | IPv4 scarcity | ISP-implemented, affects entire regions |
| VPNs | User-selected | Privacy/security | Voluntary, user-controlled |
| Proxies | Typically known | Performance/access | Often corporate or institutional |
Understanding these distinctions is essential for business decision-making. While VPNs and proxies represent voluntary adoption by users, CGNAT is typically implemented by Internet Service Providers (ISPs) without user knowledge or consent. This makes it an involuntary form of address sharing that disproportionately affects users in developing regions, a critical consideration for companies with global customer bases.
Working in the IPv4 marketplace since 2020, I’ve gained unique insights into how IP address distribution reflects historical patterns rather than current needs. The distribution of IPv4 addresses globally mirrors the early development of the Internet, with countries in North America and Europe receiving vast allocations during the 1980s and 1990s, while developing regions with later Internet adoption received significantly fewer addresses relative to their populations.
This imbalance creates a striking disparity in the user-to-IP ratio across different regions. In many parts of Africa and South Asia, a single IP address may serve hundreds or thousands of users, while in Australia, Canada, Europe, and the United States, the ratio is much lower. At InterLIR, we see this disparity reflected in market demand: organizations in regions with severe IPv4 scarcity often face difficult choices between expensive IP address acquisitions and implementing CGNAT solutions.
The implications of this disparity extend far beyond technical considerations and directly impact business operations. When security mechanisms, content delivery networks, or online services make decisions based on IP address behavior, they unintentionally create a form of socioeconomic bias that can affect market access and customer experience.
🌍 Regional impact – Users in developing regions face higher likelihood of collateral consequences from IP-based security measures, potentially limiting market reach
📱 Mobile dependency – Developing regions rely heavily on mobile networks, which commonly implement CGNAT, affecting mobile commerce and services
🚫 Access barriers – IP-based restrictions can unintentionally block legitimate users behind shared IPs, reducing conversion rates and customer satisfaction
⚖️ Digital inequality – These technical decisions amplify existing socioeconomic disparities in Internet access, creating ethical and business challenges
For businesses operating globally, these factors represent both challenges and opportunities. Organizations that understand and adapt to these realities can gain competitive advantages in emerging markets while those that ignore them risk alienating significant user populations.
In my role at InterLIR, I regularly advise clients on the technical and business implications of CGNAT deployment. Carrier-Grade NAT represents an enterprise-scale implementation of address translation technology that fundamentally changes how networks operate. To understand CGNAT’s impact, it helps to compare it with the familiar home router network address translation (NAT).
Most home networks use a simple form of NAT in their broadband router (Customer Premises Equipment or CPE). This first-level NAT translates private addresses within the home (typically in the 192.168.x.x range) to the single public IP address assigned by the ISP. This is a familiar technology that has been in widespread use for decades.
CGNAT introduces a second layer of translation at the ISP level, creating what we call “double NAT” scenarios. When implemented, the ISP assigns a private IP address (often from the 100.64.0.0/10 range defined in RFC 6598) to the customer’s router instead of a public IP. This private address is then translated again at the ISP’s CGNAT device, allowing many subscribers to share a single public IP address.
| NAT Level | Address Range | Managed By | Visibility | Business Impact |
|---|---|---|---|---|
| Home NAT (Level 1) | RFC 1918 (192.168.x.x, 10.x.x.x) | End user | Local network only | Minimal |
| CGNAT (Level 2) | RFC 6598 (100.64.0.0/10) | ISP | ISP network only | Significant |
| Public IP | Global IPv4 space | ISP | Internet-wide | Critical for services |
The primary driver for CGNAT deployment is the exhaustion of the IPv4 address space, a reality that defines our business at InterLIR. With only 4.3 billion possible addresses in the IPv4 system and over 5 billion Internet users globally, the mathematical shortfall is obvious. By the early 2010s, all Regional Internet Registries (RIRs) had depleted their pools of unallocated IPv4 addresses, creating the secondary market where we operate.
While IPv6 adoption continues to grow, its deployment remains incomplete. CGNAT serves as a bridge technology, allowing ISPs to maximize the use of their existing IPv4 allocations while the transition to IPv6 proceeds. What was initially conceived as a temporary solution has become, in many networks, a permanent feature. This reality shapes our strategic advice to clients: IPv4 resources remain valuable and necessary for the foreseeable future, even as IPv6 deployment accelerates.
One of the most complex challenges we discuss with clients at InterLIR involves identifying which IP addresses are used for CGNAT. Unlike VPNs or proxies, which can often be identified through published lists or service directories, CGNAT implementations are not publicly disclosed by ISPs. This lack of transparency creates significant challenges for services attempting to differentiate between single-user IPs and those shared among hundreds or thousands of users.
Leading technology companies have developed sophisticated detection methodologies that combine network measurement techniques, public data mining, and machine learning to identify and classify IP sharing at scale. These approaches build reliable training datasets through several complementary methods:
1️⃣ Distributed traceroutes – Using global probe networks to detect multi-level NAT implementations through hop analysis
2️⃣ WHOIS and PTR record analysis – Mining DNS and registry data for keywords indicating CGNAT usage, such as “cgnat,” “cgn,” or “lsn”
3️⃣ VPN and proxy directories – Compiling reference lists of known non-CGNAT address sharing services for comparison
4️⃣ Feature extraction – Analyzing HTTP request logs to identify distinctive behavior patterns that indicate shared usage
5️⃣ Machine learning classification – Training models to distinguish between different types of shared IPs based on behavioral signatures
Traceroute analysis provides powerful insights into NAT deployments that we often discuss with our technical clients. By examining the hop sequence from a client to its own public IP, researchers can detect the presence of shared address space (100.64.0.0/10) or multiple layers of private addressing that strongly indicate CGNAT implementation.
Additionally, many operators encode metadata about their network configurations in DNS reverse lookup (PTR) records. Keywords such as “cgnat,” “cgn,” or “lsn” (Large-Scale NAT) in these records can signal CGNAT deployment. Similarly, WHOIS records and Internet Routing Registry (IRR) entries may contain organizational details or remarks that reveal CGNAT usage. At InterLIR, we leverage these data sources to help clients understand the characteristics of IP address blocks they’re considering for acquisition.
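The hop and PTR checks described above can be sketched as follows. This is an added example, not code from the original article: the input format, the sample paths and the "two or more non-public hops" heuristic are assumptions, and a real deployment would feed in measured traceroute and reverse-DNS results.

```python
import ipaddress
import re

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n)              # RFC 1918 private space
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Keywords named in the article, matched only as whole hostname tokens.
PTR_KEYWORD = re.compile(r"(?:^|[._-])(cgnat|cgn|lsn)(?=$|[._\-\d])", re.IGNORECASE)


def hop_kind(addr):
    """Classify one hop address as 'shared', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "shared"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def cgnat_evidence(hops):
    """hops: list of (ip, ptr_name_or_None), ordered from the client outward."""
    evidence = []
    kinds = [hop_kind(ip) for ip, _ in hops]
    if "shared" in kinds:
        evidence.append("rfc6598-hop")
    # Heuristic (assumption): a home NAT contributes one non-public hop, the
    # CPE gateway. Two or more before the first public hop suggest a second layer.
    leading = 0
    for kind in kinds:
        if kind == "public":
            break
        leading += 1
    if leading >= 2:
        evidence.append("stacked-private-hops")
    for _, ptr in hops:
        match = PTR_KEYWORD.search(ptr or "")
        if match:
            evidence.append("ptr-keyword:" + match.group(1).lower())
    return evidence


# Constructed traceroute results (documentation addresses, made-up hostnames).
PATH_CGNAT = [("192.168.1.1", None),
              ("100.64.12.1", "cgnat-gw-12.isp.example"),
              ("203.0.113.9", "core1.isp.example")]
PATH_PLAIN = [("192.168.1.1", None),
              ("198.51.100.1", "bras3.isp.example"),
              ("203.0.113.9", "core1.isp.example")]

if __name__ == "__main__":
    print(cgnat_evidence(PATH_CGNAT))
    print(cgnat_evidence(PATH_PLAIN))
```

Each item in the returned list is a separate piece of evidence, so a caller can use them as labels for training data rather than as a final verdict.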
The most sophisticated approaches to CGNAT detection leverage supervised machine learning to build classifiers that can distinguish between different types of IP addresses: standard single-user IPs, CGNAT-shared IPs, and VPN/proxy IPs. The success of this classification depends heavily on the quality of the training data and the selection of discriminative features.
The key hypothesis underlying effective feature selection is that the aggregated activity from CGNAT IPs shows distinctive patterns of diversity compared to other IP types. This diversity stems from the fundamental nature of CGNAT: hundreds or thousands of independent users sharing a single IP address will naturally generate more varied patterns than a single user or a more homogeneous proxy service.
🧩 Client-side signals – User agent diversity, language preferences, and browser fingerprints reveal the heterogeneous user base behind CGNAT IPs
🌐 Network behaviors – Port allocation patterns, connection properties, and timing characteristics differ significantly between CGNAT and single-user scenarios
📊 Traffic patterns – Request volumes, destination diversity, and temporal distribution provide strong signals for classification
🔍 Prefix-level features – Characteristics of the surrounding /24 IP block offer contextual information about deployment patterns
Importantly, the classification focuses not just on traffic volume but on diversity metrics. While high-volume scanners or bots might generate many requests, they typically show low information diversity. Conversely, CGNAT IPs demonstrate high diversity across multiple dimensions due to the varied user base behind them. This distinction is crucial for avoiding false positives that could impact legitimate high-volume users.
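To make the volume-versus-diversity distinction concrete, the following added example (not from the original article or any vendor's classifier) computes Shannon entropy of User-Agent and Accept-Language values per source IP. The record format, the sample traffic and the 2.0-bit threshold are assumptions chosen for illustration; the article's approach feeds such features to a trained model rather than a fixed cut-off.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def diversity_features(records):
    """records: iterable of (src_ip, user_agent, accept_language) tuples."""
    per_ip = defaultdict(lambda: {"ua": [], "lang": []})
    for ip, ua, lang in records:
        per_ip[ip]["ua"].append(ua)
        per_ip[ip]["lang"].append(lang)
    features = {}
    for ip, seen in per_ip.items():
        features[ip] = {
            "requests": len(seen["ua"]),
            "distinct_ua": len(set(seen["ua"])),
            "ua_entropy": round(shannon_entropy(seen["ua"]), 3),
            "lang_entropy": round(shannon_entropy(seen["lang"]), 3),
        }
    return features


def shared_candidates(features, min_ua_entropy=2.0):
    """IPs whose User-Agent entropy meets the (assumed) threshold."""
    return sorted(ip for ip, f in features.items()
                  if f["ua_entropy"] >= min_ua_entropy)


# Constructed sample traffic: one high-volume, single-client source and one
# lower-volume source with eight clients speaking four languages.
SAMPLE = [("203.0.113.10", "scanner/1.0", "en")] * 400
SAMPLE += [("198.51.100.20", f"browser-{i % 8}", ("en", "hi", "sw", "pt")[i % 4])
           for i in range(64)]

if __name__ == "__main__":
    feats = diversity_features(SAMPLE)
    for ip, f in feats.items():
        print(ip, f)
    print("shared candidates:", shared_candidates(feats))
```

Ranking by request count alone would put the single-client source first; the entropy features separate it from the source that looks like many independent users.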
Using datasets of hundreds of thousands of labeled CGNAT IPs, VPN and proxy IPs, and non-shared IPs, advanced classifiers can distinguish between these categories with high accuracy. The resulting models enable more nuanced treatment of traffic based on the likelihood that an IP represents multiple users.
From a business perspective, this classification capability allows organizations to implement more sophisticated security and access policies. For instance, rate limiting might be applied differently to a CGNAT IP representing thousands of legitimate users than to a VPN exit node potentially being used for abuse. This nuanced approach can significantly improve customer experience while maintaining security posture.
The ultimate goal of CGNAT detection is to reduce the collateral damage caused by security mechanisms that treat all IP addresses equally. In my work at InterLIR, I’ve seen how organizations struggle with this balance: they need robust security but don’t want to alienate legitimate users, particularly in markets where CGNAT is prevalent.
Traditional security approaches often use binary decisions: an IP is either blocked or allowed. For CGNAT IPs, a more nuanced approach is necessary to avoid punishing hundreds of innocent users for the actions of one bad actor. Modern security architectures should implement:
🔄 Adaptive rate limiting – Scaling allowed request rates based on estimated user count behind an IP, preventing service disruption for legitimate users
👤 User-level rather than IP-level penalties – Targeting specific sessions or users through cookies, device fingerprinting, or authentication rather than entire IP blocks
🛡️ Progressive challenges – Implementing gradual security measures like occasional CAPTCHAs rather than outright blocks, maintaining access while verifying legitimacy
⏱️ Time-limited restrictions – Shorter penalty durations for shared IPs to minimize impact on innocent users who happen to share the same address
These approaches help balance security needs with user experience, particularly for users in regions where CGNAT is prevalent due to IP scarcity. For businesses, implementing these strategies can mean the difference between losing customers in emerging markets and successfully serving them.
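Adaptive rate limiting and progressive challenges can be combined in a single token-bucket limiter, shown here as an added example that is not from the original article. The base rate, the scaling cap, the strike count and the `kind` / `est_users` inputs (which would come from an IP classifier) are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

BASE_RATE = 5.0   # requests per second allowed for one user (assumed)
MAX_SCALE = 200   # cap so an inflated user estimate cannot unbound the limit
MAX_STRIKES = 3   # challenges a non-shared IP receives before a block


@dataclass
class Bucket:
    rate: float      # tokens refilled per second
    capacity: float  # burst size
    tokens: float
    last: float      # time of the previous request
    strikes: int = 0


class SharedAwareLimiter:
    """Token bucket per IP; the refill rate scales with estimated users."""

    def __init__(self):
        self.buckets = {}

    def check(self, ip, now, kind="single", est_users=1):
        """Return 'allow', 'challenge' or 'block' for one request at `now`."""
        scale = min(max(est_users, 1), MAX_SCALE) if kind == "cgnat" else 1
        b = self.buckets.get(ip)
        if b is None:
            rate = BASE_RATE * scale
            b = self.buckets[ip] = Bucket(rate, rate * 2, rate * 2, now)
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            b.strikes = 0
            return "allow"
        b.strikes += 1
        # Shared IPs are challenged, never blocked outright, so one heavy
        # client does not cut off everyone else behind the same address.
        if kind == "cgnat" or b.strikes <= MAX_STRIKES:
            return "challenge"
        return "block"


def replay(limiter, ip, n, now, kind="single", est_users=1):
    """Send n requests at the same instant and tally the decisions."""
    return Counter(limiter.check(ip, now, kind, est_users) for _ in range(n))


if __name__ == "__main__":
    lim = SharedAwareLimiter()
    print(replay(lim, "203.0.113.10", 100, now=0.0))
    print(replay(lim, "198.51.100.20", 600, now=0.0, kind="cgnat", est_users=50))
```

A burst that exhausts a single-user bucket escalates from challenge to block, while the same limiter gives a CGNAT address a proportionally larger budget and stops at a challenge.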
The problem of CGNAT-related collateral damage extends beyond any single service provider and represents both a challenge and an opportunity for the industry. Security vendors, content delivery networks, and online services all make decisions based on IP reputation that could benefit from greater awareness of large-scale IP sharing.
At InterLIR, we see this creating market opportunities in several areas. Organizations that can effectively serve users behind CGNAT gain competitive advantages in high-growth markets. Additionally, the continued need for public IPv4 addresses, particularly for services that cannot effectively operate behind CGNAT, sustains demand in the IPv4 marketplace where we operate.
The Internet Engineering Task Force (IETF) has long recognized these challenges through standards documents like RFC 6269 and RFC 7021, but practical implementations of CGNAT-aware security remain limited. Organizations that invest in sophisticated IP classification and adaptive security measures position themselves for success in an increasingly CGNAT-prevalent Internet.
While IPv6 adoption continues to grow (a trend we actively support and encourage at InterLIR), CGNAT implementations are likely to persist for the foreseeable future. Several challenges and opportunities remain in this area that organizations should consider in their strategic planning:
🔄 Ongoing model refinement – As network configurations evolve, detection models must adapt, requiring continuous investment in data collection and analysis
📊 Ground truth challenges – Building reliable training data remains difficult without ISP disclosures, creating opportunities for data partnerships and industry collaboration
🌐 IPv6 transition effects – Hybrid networks with both IPv4 and IPv6 present unique classification challenges that require sophisticated dual-stack awareness
🔍 Privacy considerations – Balancing detailed traffic analysis with user privacy requires careful consideration and compliance with evolving regulations like GDPR
The research also points to the need for more standardized approaches to CGNAT implementation and disclosure. Greater transparency from network operators about address sharing practices would benefit the entire ecosystem. At InterLIR, we advocate for industry standards that balance operational needs with transparency, helping all stakeholders make better-informed decisions.
Based on our experience in the IP address marketplace and our understanding of CGNAT dynamics, I recommend organizations consider the following strategic approaches:
Invest in sophisticated IP classification – Don’t rely on simple IP-based security measures; implement or acquire technology that can distinguish between different types of IP sharing
Develop CGNAT-aware policies – Review and update security, rate limiting, and access control policies to account for large-scale IP sharing
Monitor emerging markets – Pay particular attention to user experience in regions where CGNAT is prevalent, as these often represent high-growth opportunities
Plan for dual-stack operations – While maintaining IPv4 capabilities, accelerate IPv6 deployment to reduce long-term dependence on address sharing technologies
Consider IPv4 resource strategy – Evaluate whether acquiring additional IPv4 addresses or implementing CGNAT makes more sense for your specific use case and market position
The widespread deployment of Carrier-Grade NAT represents both a technical solution to IPv4 exhaustion and a source of potential bias in Internet operations. Through my work at InterLIR since 2020, I’ve witnessed how the IPv4 address shortage has driven fundamental changes in network architecture and operations. By developing sophisticated methods to detect and classify large-scale IP sharing, service providers can implement more equitable security measures that reduce collateral damage, particularly for users in developing regions.
This research and practical experience highlight the ongoing need to rethink assumptions about IP addresses in security operations and business strategy. As the Internet continues to evolve, the one-to-one relationship between IP addresses and users has become increasingly outdated. Modern security systems must adapt to this reality, recognizing when hundreds or thousands of users might share a single IP address and adjusting responses accordingly.
For organizations operating in the global marketplace, understanding CGNAT dynamics is not merely a technical consideration; it’s a business imperative. Companies that fail to account for large-scale IP sharing risk alienating users in high-growth markets, while those that implement sophisticated, CGNAT-aware approaches can gain significant competitive advantages. At InterLIR, we’re committed to helping organizations navigate these complexities, whether through strategic IPv4 acquisitions, technical guidance, or market intelligence.
The future of Internet security and global service delivery lies not in treating all IP addresses equally, but in understanding their vastly different contexts and adjusting responses accordingly. Through continued research, implementation of more nuanced approaches, and industry collaboration, the Internet community can work toward greater digital equity while maintaining effective security measures. As we continue to bridge the gap between IPv4 scarcity and IPv6 adoption, technologies like CGNAT detection will remain critical tools for ensuring fair and effective Internet operations worldwide.
Alexei Krylov
Head of Sales