
Carrier-Grade NAT (CGNAT)

Carrier-grade NAT (CGNAT) is a large-scale network address translation architecture deployed by ISPs and mobile carriers to share a limited pool of public IPv4 addresses across thousands of subscribers simultaneously, directly affecting the accuracy of IP-based vote deduplication in online contests.

Definition

Carrier-grade NAT — also called large-scale NAT (LSN) or NAT444 — is an IP address sharing architecture defined in IETF RFC 6598 (published April 2012) that allows an internet service provider or mobile carrier to serve large numbers of subscribers using a much smaller pool of public IPv4 addresses than would be required if each subscriber received their own dedicated address. The term “carrier-grade” distinguishes this deployment scale from the household-level NAT performed by a home router: CGNAT operates on carrier infrastructure and may translate traffic for tens of thousands of simultaneous subscribers through a single public IP address.

CGNAT emerged as a response to the exhaustion of the IPv4 address space. The Internet Assigned Numbers Authority (IANA) allocated the last blocks of IPv4 addresses to Regional Internet Registries in February 2011. Mobile carriers, which had rapidly expanding subscriber bases, faced the choice of deploying IPv6 — which solves the address exhaustion problem permanently — or implementing CGNAT to extend the operational life of IPv4 infrastructure. Most carriers deployed both.

How CGNAT Works

In a CGNAT deployment, a subscriber’s device receives a private IP address from the RFC 6598 shared address space — the 100.64.0.0/10 block specifically reserved for CGNAT use — or from a conventional RFC 1918 private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). This is the subscriber’s address within the carrier’s internal network.

When the subscriber initiates an outbound internet connection, the traffic passes through the carrier’s CGNAT equipment — typically large router platforms from vendors including Cisco, Juniper, and A10 Networks. The CGNAT device translates the private source address to one of the carrier’s public IPv4 addresses and assigns a dynamic source port to distinguish this subscriber’s connection from other simultaneous connections sharing the same public IP. This technique is called port address translation (PAT) or network address port translation (NAPT).

The destination server — a contest website, for example — receives a packet with a source IP belonging to the carrier and a source port assigned by the CGNAT device. It has no means of determining the subscriber’s private address or identity from this information alone. All subscribers sharing the same CGNAT exit IP are indistinguishable at the IP layer from the destination’s perspective.

When the session ends, the CGNAT device reclaims the port assignment and may reassign the same public IP and port combination to a different subscriber within minutes. This address reuse means that two entirely different subscribers can appear to come from the same IP address at different times within the same day — or even within the same hour.
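The translation and port reuse described above, as an added example that is not part of the original page: a toy NAPT table in Python. The public address 203.0.113.7, the three-port pool and the policy of reissuing the most recently freed port first are constructed assumptions; real CGNAT platforms apply their own allocation and timeout policies.

```python
import ipaddress
from collections import deque

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 block named above


class CgnatGateway:
    """Toy NAPT table: many private (ip, port) flows share one public IPv4 address."""

    def __init__(self, public_ip, ports):
        self.public_ip = public_ip
        self.free_ports = deque(ports)   # public source ports not currently in use
        self.table = {}                  # (private_ip, private_port) -> public_port

    def open_flow(self, private_ip, private_port):
        addr = ipaddress.ip_address(private_ip)
        if not (addr in SHARED_SPACE or addr.is_private):
            raise ValueError("not a subscriber-side address")
        key = (private_ip, private_port)
        if key not in self.table:
            if not self.free_ports:
                raise RuntimeError("port pool exhausted")
            self.table[key] = self.free_ports.popleft()
        # This tuple is all the destination server ever sees.
        return (self.public_ip, self.table[key])

    def close_flow(self, private_ip, private_port):
        port = self.table.pop((private_ip, private_port))
        self.free_ports.appendleft(port)  # assumption: freed port is reissued first


def demo():
    # Constructed values: documentation address and a deliberately tiny port pool.
    gw = CgnatGateway("203.0.113.7", range(40000, 40003))
    a = gw.open_flow("100.64.1.10", 51000)   # subscriber A
    b = gw.open_flow("100.64.9.77", 51000)   # subscriber B, same private port
    gw.close_flow("100.64.1.10", 51000)      # A's session ends
    c = gw.open_flow("100.64.200.5", 443)    # subscriber C connects afterwards
    return a, b, c


if __name__ == "__main__":
    print(demo())
```

Subscribers A and B leave from the same public IP on different ports, and subscriber C later receives exactly the IP and port pair that A used.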

RFC 6264 documents the implications of large-scale IPv4-to-IPv6 transitional approaches, of which CGNAT is one component. The Internet Engineering Task Force (IETF) has published multiple guidance documents on CGNAT operational considerations for service providers.

Where You Encounter It

CGNAT is pervasive in mobile carrier networks worldwide. T-Mobile, AT&T, Vodafone, Orange, Jio, and virtually all major carriers use CGNAT for IPv4 subscriber traffic. Fixed-line ISPs in regions with severe IPv4 scarcity — including parts of Asia-Pacific and sub-Saharan Africa — also deploy CGNAT on broadband connections.

In online contest environments, CGNAT creates a fundamental tension with IP-based vote deduplication. A naive one-vote-per-IP policy on a contest where most participation comes from mobile devices will incorrectly prevent multiple legitimate voters who happen to share a CGNAT exit address from casting votes. Conversely, a bad actor on a CGNAT network could theoretically submit votes from many private IP addresses that all appear as the same public IP, with the contest platform unable to distinguish them from a single voter.

Practical Examples

A charitable vote competition targeting audiences in India — where Jio Platforms serves hundreds of millions of subscribers — observes that certain IP addresses each appear on thousands of vote submissions during the contest window. Technical investigation reveals these are CGNAT exit addresses for Jio’s 4G network. The platform’s fraud analysis team determines that cookie and session data shows distinct browser instances behind each submission, consistent with genuine participation from multiple subscribers. The IP-clustering signal that would normally indicate fraud is correctly attributed to CGNAT rather than to vote manipulation.

A contest platform in the United Kingdom receives an abuse complaint from a contestant who claims the platform is blocking legitimate votes from their supporters. Investigation reveals that the supporters are all on the same mobile carrier’s CGNAT network, and the platform’s rate limiter has applied a per-IP vote cap that affects all subscribers sharing the carrier’s exit IP. The platform adjusts its logic to use cookie-based deduplication as the primary control for sessions where IP geolocation indicates a mobile carrier network.
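One way to implement the logic from the two scenarios above, as an added Python example rather than any platform's actual code: the cookie is the primary deduplication key, the per-IP cap is relaxed only for addresses tagged as carrier exits, and per-IP attempt and cookie counts are kept for the analyst. The network list, the cap values and names such as `VoteDeduplicator` are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: networks the platform has tagged as mobile-carrier exits.
# 198.51.100.0/24 is a documentation range standing in for a real carrier block.
CARRIER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
PER_IP_CAP = 1        # hypothetical cap for ordinary addresses
SHARED_IP_CAP = 500   # hypothetical looser cap for shared carrier exits


def is_carrier_exit(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CARRIER_NETS)


class VoteDeduplicator:
    def __init__(self):
        self.cookies_seen = set()               # primary deduplication key
        self.accepted_by_ip = defaultdict(int)  # accepted votes per source IP
        self.attempts_by_ip = defaultdict(int)  # every attempt, accepted or not
        self.cookies_by_ip = defaultdict(set)   # distinct browser instances per IP

    def submit(self, ip, cookie_id):
        """Return (accepted, reason) for one vote attempt."""
        self.attempts_by_ip[ip] += 1
        if not cookie_id:
            return False, "no-cookie"
        self.cookies_by_ip[ip].add(cookie_id)
        if cookie_id in self.cookies_seen:
            return False, "duplicate-cookie"
        cap = SHARED_IP_CAP if is_carrier_exit(ip) else PER_IP_CAP
        if self.accepted_by_ip[ip] >= cap:
            return False, "ip-cap"
        self.cookies_seen.add(cookie_id)
        self.accepted_by_ip[ip] += 1
        return True, "ok"

    def cluster_summary(self, ip):
        """(attempts, distinct cookies): many cookies per IP suggests a shared exit,
        many attempts from few cookies suggests repeat submissions."""
        return self.attempts_by_ip[ip], len(self.cookies_by_ip[ip])
```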

A university research team studying online voting fraud uses RFC 6598 address ranges as a classifier in their dataset labeling process, separating CGNAT-origin votes from genuinely unique-IP votes before training their anomaly detection model. The separation improves model accuracy by preventing the CGNAT clustering pattern from being incorrectly labeled as fraudulent behavior in the training data.

Mobile carrier IP describes the subscriber-facing characteristics of mobile network IP addresses, of which CGNAT is the underlying address-sharing mechanism. Residential IP encompasses both fixed-line and mobile addresses in contrast to datacenter IPs, but CGNAT is a distinguishing characteristic of the mobile subset. Rate limiting is the contest control most directly affected by CGNAT: per-IP rate limits must account for shared-address environments to avoid incorrectly blocking legitimate voters.

Limitations / Caveats

The widespread deployment of CGNAT means that IP addresses alone are an unreliable basis for vote deduplication in any contest targeting a significant mobile audience. IPv6 adoption partially resolves this problem — IPv6 typically assigns a unique global address to each device — but IPv4 CGNAT will remain a significant factor in contest traffic as long as IPv4 remains the dominant protocol for consumer internet access. Platform designers should treat IP as one of several deduplication signals rather than as a definitive voter identifier.
