How to Use CGNAT Advanced Logging to Meet Legal Requests

Rich Sabin CGNAT

Carrier Grade NAT (CGNAT) has been a blessing for broadband service providers who need more IPv4 addresses. Rather than purchasing or leasing expensive IPv4 addresses, CGNAT helps providers share existing IPv4 addresses across multiple customers.

This sharing conserves scarce IPv4 addresses, but it also creates challenges for law enforcement agencies (LEA). Before CGNAT, one public IP address was typically associated with a single customer, which made it relatively straightforward for law enforcement to identify who was using a specific IP address. With CGNAT, one IPv4 address is shared by many subscribers at once, so the address alone no longer identifies anyone.

CGNAT and Law Enforcement Compliance

Most law enforcement agencies require internet service providers (ISPs) to identify the subscriber behind a public IP address seen in suspected criminal activity, and to do so quickly. With CGNAT, the ISP must map that public address back to the subscriber's private IP address and account. Because the public address is shared, the request also has to carry the source port and the exact time (with time zone) of the activity; a public IP address and a date are not enough on their own. This is a daunting task, since a single public IP address may be used by 30 to 300 customers during any given time period.

CGNAT Logging

CGNAT logging records each NAT translation: which subscriber's private address and port was mapped to which public address and port, and when the mapping started and ended. This record is the crucial tool that lets ISPs comply with law enforcement agency (LEA) subpoenas and court-ordered records requests. However, CGNAT logging introduces new questions and considerations for the service provider, such as:

  • How do you manage the logs?
  • What are the best practices for storing logs?
  • How long do the logs need to be stored?
  • How much space is needed?

The tips below should help answer those questions.

Forwarding Logs to External Syslog Server or IPFIX Collector

Law enforcement agencies may require service providers to check IP addresses going back many years, which requires the long-term retention of logs. How do you accomplish this?

We recommend having an external server accept log feeds from one or more CGNAT routers. The server doesn't need much CPU or network capacity, but it does need a lot of storage and enough sustained write throughput to keep up with the feed. Send the feed over TCP (or TLS) rather than UDP syslog, because a dropped record is a request you will not be able to answer later, and keep the routers and the collector synchronised with NTP so that timestamps line up across devices. Administrators can then set their own log rotation and retention policies based on local requirements.

Employing a syslog server or IPFIX collector for CGNAT logs has additional benefits beyond longer retention. Tools and scripts can be run against the logs to parse and analyze them for network planning. Log management solutions such as open-source Graylog (graylog.org) can also parse incoming CGNAT records into indexed database fields as they arrive, which simplifies searching and reporting whenever a request comes in.
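The following script shows the kind of lookup an ISP has to run against those logs to answer an LEA request: pair session open and close records into sessions, then ask which subscriber held a given public address and port at a given instant. It is an added example, not netElastic's code and not any router's real log format. The syslog message layout (NAT-OPEN/NAT-CLOSE records with src=, xlat= and dst= fields) and the sample log lines are constructed for this example; a real CGNAT feed will use different field names, and a real collector would index the records rather than scan a list.

```python
"""Answer a law-enforcement identification request from CGNAT session logs.

Added example. The NAT-OPEN/NAT-CLOSE message format and the sample lines
below are hypothetical, constructed for this example; they are not any
vendor's real log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: two subscribers share public address 203.0.113.10, and
# public port 40001 is reused by a second subscriber 15 seconds after the
# first subscriber's session closes.
SAMPLE_LOG = """\
<14>1 2024-03-05T14:20:01Z cgn1 nat - - - NAT-OPEN proto=TCP src=10.42.7.12:51532 xlat=203.0.113.10:40001 dst=198.51.100.25:443
<14>1 2024-03-05T14:20:05Z cgn1 nat - - - NAT-OPEN proto=TCP src=10.42.9.200:44010 xlat=203.0.113.10:40002 dst=198.51.100.77:80
<14>1 2024-03-05T14:21:30Z cgn1 nat - - - NAT-CLOSE proto=TCP src=10.42.7.12:51532 xlat=203.0.113.10:40001 dst=198.51.100.25:443
<14>1 2024-03-05T14:21:45Z cgn1 nat - - - NAT-OPEN proto=TCP src=10.42.3.4:60122 xlat=203.0.113.10:40001 dst=192.0.2.9:443
<14>1 2024-03-05T14:25:00Z cgn1 nat - - - NAT-CLOSE proto=TCP src=10.42.9.200:44010 xlat=203.0.113.10:40002 dst=198.51.100.77:80
"""

# RFC 5424 header (PRI, version, timestamp, host, app, procid, msgid, sd)
# followed by the hypothetical NAT record body.
LINE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) \S+ \S+ \S+ \S+ \S+ "
    r"(?P<event>NAT-OPEN|NAT-CLOSE) proto=(?P<proto>\w+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"xlat=(?P<pub_ip>[\d.]+):(?P<pub_port>\d+) "
    r"dst=[\d.]+:\d+$"
)


@dataclass
class Session:
    proto: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open


def parse_ts(text: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware datetime; reject naive ones.

    With seconds-level port reuse, a time whose zone is unknown cannot be
    answered safely, so it is treated as an error rather than guessed.
    """
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no timezone: {text}")
    return dt


def parse_sessions(log_text: str) -> List[Session]:
    """Pair NAT-OPEN and NAT-CLOSE records into sessions with start/end times."""
    open_sessions: Dict[Tuple[str, str, int, str, int], Session] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a NAT record; a real collector would count these
        key = (m["proto"], m["pub_ip"], int(m["pub_port"]), m["src_ip"], int(m["src_port"]))
        ts = parse_ts(m["ts"])
        if m["event"] == "NAT-OPEN":
            session = Session(m["proto"], m["src_ip"], int(m["src_port"]),
                              m["pub_ip"], int(m["pub_port"]), ts)
            open_sessions[key] = session
            sessions.append(session)
        else:
            session = open_sessions.pop(key, None)
            if session is not None:
                session.end = ts
    return sessions


def lookup(sessions: List[Session], public_ip: str, when: datetime,
           public_port: Optional[int] = None, proto: Optional[str] = None) -> List[str]:
    """Return the private IPs mapped to public_ip (and port/proto, if given) at `when`.

    More than one result means the request lacked the detail (usually the
    source port) needed to single out one subscriber.
    """
    if when.tzinfo is None:
        raise ValueError("query time must be timezone-aware")
    hits = set()
    for s in sessions:
        if s.public_ip != public_ip:
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        if proto is not None and s.proto != proto:
            continue
        if s.start <= when and (s.end is None or when < s.end):
            hits.add(s.private_ip)
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    when = parse_ts("2024-03-05T14:21:00Z")
    print("203.0.113.10:40001 at 14:21:00Z ->", lookup(sessions, "203.0.113.10", when, 40001))
    print("203.0.113.10 (no port) at 14:21:00Z ->", lookup(sessions, "203.0.113.10", when))
```

Note the two failure modes the sample is built to show: the same public port (40001) maps to a different subscriber 15 seconds later, so a request whose timestamp is off by a minute names the wrong person, and a request that carries only the public IP address returns every subscriber active behind it at that time rather than one.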

Retention and Storage

In the United States, the Communications Assistance for Law Enforcement Act (CALEA) governs what service providers must be able to provide to law enforcement, and most other countries have comparable laws and regulations. These laws typically require ISPs to identify the person using an IP address at a given time. Unfortunately, there is no single standard for how long this data must be retained; many regulations only require that the information be available for a "reasonable amount of time."

In practice, most ISPs retain this data for six months to two years. To estimate the storage needed to do this, we've reviewed production environments from several service providers and offer the following guidance:

NAT Sessions:

When a user is actively using the internet, the number of concurrent NAT sessions can range from 100 to over 2,000, with the average being around 200-300 sessions. When a subscriber is online but not actively using the internet, background traffic usually only keeps about 20-30 sessions open.

At any point in time, some users will be active, and others won’t. Given this, a good estimate for the average number of NAT sessions per user (for a large group of users) is around 100-120 sessions. However, we recommend you use 150 sessions per user for regions where peer-to-peer applications such as torrents are popular.

NAT Storage:

Wherever you store NAT logging records, you must plan out the storage space needed. A good estimate for the NAT session logging rate (in raw ASCII format) is 0.4MB/second per 1,000 users. For example, with 10,000 users the NAT log grows at 4MB/s, which over 86,400 seconds is about 346GB per day in raw ASCII format. The gzip compression ratio for a raw NAT log file is around 27:1, so after compression you should plan for roughly 13GB of disk storage growth per day for every 10,000 users.

Extrapolating this out, 13GB per day over 365 days comes to about 4.7 terabytes of storage to retain one year of full-detail logging for 10,000 subscribers; scale that figure by your subscriber count and by the retention period your regulator expects.

Summary and Next Steps

CGNAT continues to be the primary technology used to extend IPv4 network infrastructure. However, CGNAT's advanced logging capabilities are needed to meet stringent law enforcement agency requests.

So, which CGNAT solution should you choose?

When comparing CGNAT vendors, netElastic’s software-based CGNAT is a cost-effective alternative to traditional solutions. netElastic CGNAT provides the flexibility and performance service providers need to deliver quality experiences for their subscribers. At the same time, its advanced logging capabilities allow ISPs to comply with law enforcement agency regulations. If you’re looking for an economical CGNAT, netElastic delivers unparalleled value with industry-leading price/performance.