Most network engineers with some experience know the RFC 1918 address space from the top of their head. No need to explain the use: to counter IPv4 address shortage, you put multiple hosts in a private subnet behind one public IP address.


While this does help against the shortage, a lot of routers performing NAT inside a service provider network still use a lot of addresses. For this reason, a provider can implement Carrier-Grade NAT (CGN). CGN does a NAT of the addresses of all these routers towards one or a few public IP addresses, hereby saving once more a lot of public address space.

But what address space should be used here? Obviously no public space, that would defeat the purpose. But RFC 1918 address space is not an easy option either: if one of the NAT-performing routers has the same subnet on the inside as on the outside (the outside being the service provider network here), no routing will be possible for this network. Since a service provider has no view on which RFC 1918 address space is exactly used by the end users, an overlap is possible.

This is where RFC 6598 comes into the picture. This RFC allocates an IPv4 prefix that can be used for internal addressing, separately from the RFC 1918 addresses. Result: no overlap, yet no use of publicly routable addresses. The chosen prefix is


Why an entire /10 range if addresses are so scarce already? The RFC mentions a /10 is the smallest prefix that would provide an address to all service points in the Greater Tokyo Area, the largest metropolitan area in the world.

The advantage is obvious, less public IPv4 addresses used. But this technique comes with mayor drawbacks:

  • The service provider router performing CGN needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
  • Tracking of users for legal reasons means extra logging, as multiple households go behind one public address.
  • Some NAT-discovering applications recognize NAT based on RFC 1918 addresses and may be unable to figure out the topology with the new address range.
  • Anything requiring incoming connections is broken. While this already was the case with regular NAT, end users could usually still set up port forwarding on their NAT router. CGN makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
  • Many networks and service providers (should) have access lists on the network boundaries preventing any IP packets with RFC 1918 addresses from entering the network to prevent spoofing attacks. If these access lists aren’t updated, IP packets with RFC 6598 addresses can enter the network.
  • Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGN this limit is reached more often and some services may be of poor quality in a CGN network.

A CGN network is also often referenced to as a NAT444 network, as opposed to a NAT44 network for a ‘normal’ NAT environment, because three different IPv4 address spaces are involved.

While this address range is something you’ll not likely encounter unless you’re working for a service provider, it is important because of the IP spoofing implications and it provides an alternative when working in a double-NAT environment.