The exhaustion of IPv4 address space has driven many Communication Service Providers (CSP) to deploy Carrier Grade Network Address Translation (CGNAT) gateways within and on the edges of their networks. These gateways enable a large number of internally routable IP addresses assigned by the CSP to its customers from a private address pool to temporarily be bound to a much smaller number of publicly routable IP addresses allocated to the CSP, enabling hosts on the Internet to reach the CSP's customers and vice versa.
The maximum number of concurrently assigned address bindings is limited by the total number of public IP addresses that the CSP holds. As a result, many gateways also use the 65,535 possible ports for each IP address as a means to extend the possible number of concurrent bindings. These are called Network Address and Port Translation (NAPT) gateways. Furthermore, to maximize the usage of the public IP and port range, these bindings are kept only so long as there is traffic traversing the “pinholes” through the NAPT gateway, i.e. the bindings between the private and public addresses.
To overcome the limits of IPv4, the IETF also created IPv6 with a greatly expanded address space. However, that raises the issue of how to transition both clients on customer hosts and servers supporting applications on company hosts, since the two sides move from IPv4 to IPv6 independently. That transition has led to a plethora of NAPT-based services to map between the two address types, such as NAT64 and NAT464, to enable IPv4 clients to access IPv6 servers, IPv6 clients to access IPv4 servers, IPv4 hosts to communicate over IPv6 intermediate networks, and IPv6 hosts to communicate over IPv4 networks. All such address translations need to be supported and logged.
Unfortunately, many of these gateways have substantially inadequate logging facilities, resulting in major logging errors, or no logs at all, even at utilizations substantially lower than the platform maximum. Because the primary purpose of NAPT is to set up and tear down bindings (pinholes), when CPU and memory resources become constrained during busy periods, secondary processes like logging stop. When logging and accounting record generation stops, network operators are left blind as to what traffic is entering and leaving their network and where that traffic terminates inside their networks. As a result, forensic traffic analysis of any kind becomes impossible.
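The binding lifecycle described above (public ip:port allocation from a finite pool, teardown of idle pinholes, one log record per event) and the forensic consequence of missing records can be made concrete with a small simulation. The following Python is an added example written for this page, not code from any CSP, gateway vendor or standard: the addresses (203.0.113.0/24 documentation space, 10.0.0.0/8 private space), the two-port pool, the 300-second idle timeout and the log record layout are all assumptions chosen for illustration. The `attribute` function answers the question an operator is asked after an abuse report, "which private host held this public ip:port at this time", using only the gateway's log records; `drop_events` models a gateway that silently stops emitting one class of records under load, and shows that a missing teardown record does not merely lose information but attributes the port to the wrong subscriber once it is reused.

```python
"""Added example: toy NAPT gateway with per-binding logging and a
log-only forensic lookup. Addresses, ports, timeout and record layout
are assumptions for illustration, not any product's behaviour."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Binding:
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    last_seen: float  # time of the most recent packet through this pinhole


@dataclass
class LogRecord:
    event: str        # "create" or "teardown"
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    time: float


class NAPT:
    """Toy NAPT gateway: one binding per (private_ip, private_port)."""

    def __init__(self, public_ips: List[str], port_range: Tuple[int, int] = (1024, 65535),
                 idle_timeout: float = 300.0) -> None:
        self.public_ips = list(public_ips)
        self.port_lo, self.port_hi = port_range
        self.idle_timeout = idle_timeout  # assumed pinhole lifetime without traffic
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        self.in_use: Set[Tuple[str, int]] = set()
        self.log: List[LogRecord] = []

    def capacity(self) -> int:
        """Upper bound on concurrent bindings: public addresses times ports each."""
        return len(self.public_ips) * (self.port_hi - self.port_lo + 1)

    def _allocate(self) -> Optional[Tuple[str, int]]:
        # Lowest free public ip:port, or None when the pool is exhausted.
        for ip in self.public_ips:
            for port in range(self.port_lo, self.port_hi + 1):
                if (ip, port) not in self.in_use:
                    return ip, port
        return None

    def expire(self, now: float) -> None:
        """Tear down pinholes that have carried no traffic for idle_timeout."""
        for key, b in list(self.bindings.items()):
            if now - b.last_seen >= self.idle_timeout:
                del self.bindings[key]
                self.in_use.discard((b.public_ip, b.public_port))
                self.log.append(LogRecord("teardown", b.private_ip, b.private_port,
                                          b.public_ip, b.public_port, now))

    def packet(self, private_ip: str, private_port: int, now: float) -> Tuple[str, int]:
        """Outbound packet from a private host: refresh or create its binding."""
        self.expire(now)
        key = (private_ip, private_port)
        b = self.bindings.get(key)
        if b is None:
            alloc = self._allocate()
            if alloc is None:
                raise RuntimeError("public address/port pool exhausted")
            b = Binding(private_ip, private_port, alloc[0], alloc[1], now)
            self.bindings[key] = b
            self.in_use.add(alloc)
            self.log.append(LogRecord("create", private_ip, private_port,
                                      alloc[0], alloc[1], now))
        b.last_seen = now
        return b.public_ip, b.public_port


def attribute(log: List[LogRecord], public_ip: str, public_port: int,
              at: float) -> Optional[Tuple[str, int]]:
    """Who held public_ip:public_port at time `at`, judged from log records alone.
    Records must be in chronological order, as a gateway emits them."""
    holder = None
    for r in log:
        if r.time > at or (r.public_ip, r.public_port) != (public_ip, public_port):
            continue
        holder = (r.private_ip, r.private_port) if r.event == "create" else None
    return holder


def drop_events(log: List[LogRecord], event: str) -> List[LogRecord]:
    """Constructed failure: a gateway that silently stops emitting one record class."""
    return [r for r in log if r.event != event]


def scenario() -> NAPT:
    """Three private hosts sharing a deliberately tiny two-port public pool."""
    gw = NAPT(["203.0.113.10"], port_range=(40000, 40001), idle_timeout=300.0)
    gw.packet("10.0.0.5", 51000, now=0)     # host A -> 203.0.113.10:40000
    gw.packet("10.0.0.6", 51000, now=10)    # host B -> 203.0.113.10:40001
    gw.packet("10.0.0.5", 51000, now=200)   # keeps A's pinhole alive
    # By t=600 both pinholes are idle past the timeout; C reuses A's old port.
    gw.packet("10.0.0.7", 51000, now=600)   # host C -> 203.0.113.10:40000
    return gw


if __name__ == "__main__":
    gw = scenario()
    for r in gw.log:
        print(f"{r.time:6.0f} {r.event:8} {r.private_ip}:{r.private_port} -> {r.public_ip}:{r.public_port}")
    print(attribute(gw.log, "203.0.113.10", 40000, 650))                           # host C
    print(attribute(drop_events(gw.log, "teardown"), "203.0.113.10", 40001, 650))  # wrongly host B
```

Run as a script, the program prints the five log records of the scenario and two attributions. With the complete log, port 40000 at t=650 resolves to host C and port 40001 to nobody (B's pinhole was torn down). With teardown records dropped, port 40001 is attributed to host B long after its binding was released, which is the kind of error a log-starved gateway produces; with create records dropped, the lookup returns nothing at all. The `capacity` method is the arithmetic behind the page's point that ports, not just addresses, bound the number of concurrent subscribers a pool can serve.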