Summary
- The proper unit of account is the annual identity-compression externality per shared public IPv4 address/customer cohort: the recurring burden created when distinct subscribers are compressed behind one outward identity.
- Costs land in support, abuse handling, compliance, compute, customer time and failed transactions; address portability and explicit identity-quality contracts shift them towards operators and suppliers able to measure, price and reduce the harm.
The failed session shows why availability is the wrong invoice
Carrier-grade NAT is normally introduced as a way to stretch scarce public IPv4. That description is technically correct and economically incomplete. The operator has avoided, deferred or reduced a public-address cost by allowing many customers to appear through fewer outward-facing addresses. The question is what else has been created by that compression. The relevant unit is the annual identity-compression externality per shared public IPv4 address/customer cohort: the recurring burden generated when customers who remain distinct in contracts, complaints, abuse records and application sessions are merged into one public identity.
That unit deliberately avoids the neighbouring questions. It is not the broad parallel-operation bill examined in LACNIC dual-stack cost incidence, where two address families produce support, vendor and contract incidence across a customer base. It is not the retirement clock discussed in LACNIC IPv6 transition political economy, where the last revenue-critical IPv4 dependency keeps the old system financially alive. Nor is it the growth-financing problem in LACNIC emerging-market growth pressure, where signed demand cannot become cash until deployable public identity clears. This article begins after a different decision has already been made: the operator has chosen compression, and the bill now moves through sessions, ports, support, compliance, customer time and contract language.
The failed session matters because conventional availability measures can miss the harm. Packet delivery may look acceptable. Latency may remain within the product target. The access link may pass every ordinary test. Yet the customer’s transaction still fails because a counterparty sees a public address attached to too many accounts, too much recent abuse, too many port changes, or an address history that makes the session look less dependable than the bearer service suggests. The access product sold reachability; the application demanded recognisable identity.
This distinction is the first editorial discipline. If the article becomes a list of NAT inconveniences, it misses the economics. If it becomes a protocol sermon, it misses the customer. If it becomes a moral claim that sharing is always wrong, it ignores scarcity. The sharper question is incidence. Which costs are created by compressing identity, where are they booked, who can reduce them, and who lacks the bargaining power to avoid them?
The opening support bridge is therefore not colour. It is evidence of the accounting gap. The representative handling the call cannot see the whole cost object. The network technician can see translation state but not the customer’s lost sale or rejected login. The application provider can see risk but not the operator’s address scarcity. The customer sees a service that works for ordinary browsing and fails where identity matters most. The hidden tax exists because each party observes a fragment and the service contract rarely joins them into one annual burden.
The discipline of measurement should start from the particular. For one pool, how many customers share each outward-facing address at busy times? Which cohorts generate repeat identity-related complaints? Which failures are repaired by moving a customer to dedicated or less crowded identity? Which complaints become abandoned transactions rather than tickets? Which false positives land on customers who did nothing wrong? The answers need not become fake precision. They need to be comparable enough for management to decide whether the next unit of compression is cheaper than the next unit of usable public identity.
Scarcity becomes a stateful identity machine
A public IPv4 address began as a unique label in a routing system. Lu Heng’s note on the nature of IP addresses is useful because it strips the object back to uniqueness: the Internet does not function because a number has romance, but because incompatible claims over the same number are avoided. Markets then added a second fact. Once customers, banks, suppliers, cloud systems, security tools and counterparties rely on that unique label, it becomes part of a commercial identity stack.
CGNAT attempts to ration that stack. One outward-facing address carries many private customers through temporary translation entries. The address remains unique in the public routing sense, but its identity function becomes crowded. The translation device must remember who used which internal address and port, through which public address and port, at what time, for which protocol, and sometimes towards which destination. A static record has become a live state machine.
That state machine is not free. It allocates port ranges, creates and expires mappings, holds long-lived sessions, drops stale state, exports logs, survives failover and explains itself after the fact. It must avoid allowing one heavy user to consume too much shared capacity while also avoiding settings so tight that ordinary applications look unreliable. The operator is not merely dividing an address. It is creating an identity-rationing system whose fairness, resilience and evidentiary value depend on design choices that customers usually never see.
Scarcity has therefore changed form. It has not disappeared. Address scarcity becomes port scarcity when simultaneous flows compete for finite outward-facing identifiers. It becomes diagnostic scarcity when the cause of a partial failure sits between the access line and the outside application. It becomes trust scarcity when counterparties cannot decide whether one address represents one customer, a small office, a mobile gateway, a hotel, a neighbourhood or a crowd. It becomes accountability scarcity when a complaint names only the public address and time but lacks the port detail needed to identify a session confidently.
The annual externality is the cost of making that new scarcity tolerable. It includes stateful forwarding capacity, redundant equipment, logging, search, storage, software maintenance, power, abuse handling, help-desk training, customer time, credits, churn and product segmentation. It also includes the cost of ambiguity when no one can prove exactly why a session failed. The address saving may be visible in capital planning. The identity-compression burden recurs in operations.
This is why aggressive sharing ratios can be misleading. A spreadsheet can show more customers per public address and therefore a lower apparent address cost. But a denser pool may create more reputation collisions, more port pressure, more log volume, more application challenges and more support labour. The right comparison is not public-address cost versus zero. It is public-address cost versus the full annual cost of the machinery required to make shared identity acceptable for that cohort.
The denominator also changes the conclusion. Per-address analysis shows whether a pool is over-compressed relative to its support, evidence and equipment cost. Per-cohort analysis shows whether the burden falls disproportionately on particular users: remote workers, small merchants, gamers, hotels, clinics, schools, SIM-router fleets, supplier portals or business customers who depend on source recognition. A residential cohort with tolerant applications may justify dense sharing. A business cohort whose revenue depends on stable recognition may not. The economics become clear only when the cost object matches the use case.
The evidence chain breaks before the bearer service does
The first serious failure is often evidentiary. The outside service sees a public address. The operator sees a temporary mapping. The customer sees an account and a bill. The support representative sees a complaint. The compliance team may later receive a request that names an address and a time. None of those views is false. They are incomplete, and the incompleteness has a price.
Under shared addressing, a public IPv4 address alone no longer identifies a customer account. It identifies a crowd during a time window. To reconstruct a session, the operator needs precise time, port data, protocol, the correct time zone, retained logs and a defensible mapping back to a customer or subscriber record. If the outside party has not kept the source port, if clocks differ, if retention has expired, or if the complaint aggregates many events, attribution becomes uncertain. The line may never have failed. The evidence chain has.
That matters because commercial systems act before attribution is perfected. Fraud controls, login systems, rate limiters, abuse desks, marketplace risk teams and security vendors make decisions with the signals they possess. A shared public address with unusual activity can trigger challenges or blocks for customers who are unrelated to the cause. A platform may later learn that the address is carrier-grade translation, but the transaction has already been abandoned, the customer has already called, or the account has already been reviewed.
BTW’s earlier work on address-reputation contamination describes how history can attach operating debt to a scarce address. CGNAT creates a live variant of the same problem. Reputation is not merely inherited from a prior holder. It is produced continuously by the cohort currently sharing the outward-facing identity. Good customers can inherit suspicion generated by bad, infected, automated or merely unusual neighbours.
This is not a privacy polemic or a generic security argument. It is a cost-of-ambiguity argument. If the operator keeps extensive logs, the cost is storage, search, access control, governance and compliance labour. If it keeps weak logs, the cost is false attribution, unanswerable complaints and overbroad blocking. If platforms trust the shared address too little, innocent customers carry friction. If platforms trust it too much, abuse risk rises. The burden exists whichever side is favoured.
The ambiguity also weakens bargaining. The customer cannot prove that another subscriber contaminated the address. The operator may not obtain the risk reason from the application provider. The application provider may defend the challenge without exposing its model. Each party can plausibly point elsewhere. The cost often falls on the party with the least diagnostic power: the customer, or the front-line representative expected to solve a session whose decisive signal lies outside the access network.
A better evidence chain does not require turning every service into a surveillance system. It requires matching responsibility to the design that created the ambiguity. For a dense CGNAT pool, the operator must know what evidence it can supply, how quickly it can supply it, how often requests arrive without enough port or time data, and how often address-level suspicion harms unrelated customers. For a wholesale arrangement, the contract must say who holds the mapping data and who answers the downstream complaint. For an application provider, a blanket address-level block should not be treated as costless merely because it is easy.
Applications price ambiguity faster than operators can explain it
Applications are not passive recipients of the operator’s scarcity problem. They are counterparties with their own losses to avoid. A payment processor that wrongly accepts a fraudulent session may bear chargebacks or compliance questions. A workplace access system that admits the wrong session may expose a company. A marketplace that tolerates abusive signups may poison its own customer base. These systems therefore price ambiguity conservatively, often before the operator can explain why many customers are presenting through one public address.
The reaction is uneven. Ordinary browsing may work perfectly. Streaming may be fine. Messaging may never reveal the issue. The hidden tax appears when an application depends on public-source identity more heavily than the access product disclosed. A remote-work portal may expect a recognisable source. A bank may combine IP signals with device and account history. A game platform may treat shared behaviour as abuse risk. A supplier portal may maintain an allowlist. A cloud console may slow or challenge a login from an address associated with too many unrelated users.
The economic incidence differs by customer. A household user who repeats a verification step loses time. A small merchant whose payment session is rejected may lose revenue and staff hours. A clinic whose remote-support session fails may defer work. A hotel whose guest network is blocked may suffer reputation damage. A business customer whose supplier portal distrusts the shared address pays through escalation, manual work and loss of confidence in the access provider. The same shared address produces different financial effects because the customer functions differ.
The operator often learns about the cost late. It does not receive a direct invoice from the application provider saying that identity compression caused five failed sales or ten extra logins. The costs appear as support tickets, social-media complaints, churn, static-address requests, credits, manual allowlisting, engineering exceptions or the creation of a business tier that should have existed at the point of sale. Finance may not connect them to the CGNAT pool because they are booked under ordinary categories.
Lu Heng’s analysis of the agency problem helps explain the undercount. The team that records the address saving may not be the team that absorbs the support burden. The retail product manager may value a low headline price; the compliance head may later pay for better logs. The customer may pay with time while the tariff remains unchanged. The board may see less public-address acquisition while missing the fact that applications are lending trust to the access product and can withdraw it at any time.
The correct response is not to demand that every application treat shared addresses kindly. Some conservative treatment is rational. The response is to observe where application decisions convert shared identity into cost. Complaints resolved by a public-address change, repeated contact involving the same destination class, business customers requesting allowlisting assistance, clusters of authentication challenges, churn after unexplained application friction and support notes involving public-address reputation are all proxies. They are imperfect, but closer to the commercial effect than a translation-utilisation graph.
This also protects the article from false precision. There is no universal number for the price of CGNAT ambiguity in the LACNIC region. Networks, products and customer uses differ too much. But an operator can calculate a local range: support minutes, credits, known application blocks, moves to dedicated identity, compliance searches, log cost, equipment cost, power and observed churn. The discipline is to keep the denominator honest and the uncertainty visible.
Support becomes the first cash register
Support is where identity compression first becomes cash. A customer does not call to complain about a poorly allocated identity externality. The customer says the app does not work, the login keeps looping, the console disconnects, the bank dislikes the connection, the supplier portal has blocked the office, or the remote camera cannot be reached. The first-line representative must translate that frustration into a diagnosis without promising what the network cannot deliver and without blaming a distant application the customer cannot negotiate with.
These cases are expensive because they are partial. Total outages are easier to classify. CGNAT failures cross layers. The customer’s access link works. DNS may resolve. Another device may behave differently. A mobile hotspot may appear to solve the problem. The application provider may refer to suspicious source behaviour. The representative must decide whether the cause is premises equipment, application policy, address reputation, exhausted port state, logging ambiguity, a product tier mismatch, a wholesale issue, or a case that the operator cannot repair without moving the customer out of the shared pool.
Every minute spent sorting this ambiguity is part of the annual burden. The cost is not only wages. It includes training, call scripts, knowledge-base updates, escalation, network-engineering interruption, callbacks, credits, complaint handling and the opportunity cost of not solving clearer faults. Customer time belongs in the account too. A small business owner waiting for a support call is not a rounding error. It is labour transferred from the network’s identity design to the customer’s day.
The product problem is delicate. If the practical repair is a dedicated public address, the customer may feel charged to fix a service that was sold as Internet access. If the provider refuses to explain the identity trade-off, the customer sees incompetence. If it explains too much, the cheaper tariff can look deceptive: the headline product did not say that public identity was shared and that some counterparties might require a cleaner source. The cost is not only the extra address. It is the loss of trust in the original description.
Earlier BTW analysis of customer continuity treats network identity as relationship capital. CGNAT weakens that capital when the customer does not know what identity assurance has been purchased. A transparent ladder can be defensible: ordinary shared access for tolerant uses, a dedicated public address for customers who need stronger recognition, portable identity for customers whose counterparty trust must survive a change of access provider, and business assurance where evidence and escalation matter. Hidden segmentation is different. It makes failure the moment of product education.
Support data should therefore be treated as an observability layer. The operator should tag tickets involving application rejection, repeated verification, inbound failure, blocked gaming, payment trouble, VPN difficulty, supplier allowlisting, reputation complaints and moves from shared to dedicated identity. It should identify pools that generate clusters. It should record the time and authority required to test a different identity. It should distinguish education from remedy. The result is not a perfect scientific dataset. It is a management ledger of where compression is creating cash cost.
Failed self-help should be estimated as well. Customers reboot equipment, reinstall software, change passwords, repeat transactions, call their employer, contact a supplier, pay a local technician or abandon the task before reaching the provider. The operator will not see every abandoned attempt. It can still recognise that reported customer time is part of the burden. If the company prices only the call it answered, it undercounts the tax it created.
Abuse and compliance turn the public address into a disputed witness
Abuse handling is the harder version of the support case. A complaint arrives from a platform, security team, rights holder, victim, hosting provider or public authority. It names a public IPv4 address and a time. Behind CGNAT that address is not a witness with a single memory. It is a doorway through which many customers passed, separated only by temporary port state and the operator’s records.
The operator must hold enough evidence to distinguish them. Logs must exist, clocks must be coherent, port data must be preserved, access to records must be controlled, searches must be auditable, staff must understand the mapping, and legal or compliance review must know when a request is too vague to answer. The storage bill is only one part. There is also system design, security, staff training, policy judgement, and the risk of either over-disclosing or failing to identify a harmful session.
This is not an argument for indiscriminate collection. It is an accounting point about accountability. Once many customers share one outward-facing identity, the later cost of distinguishing them must be paid somewhere. If the operator pays in precise mapping and disciplined search, it carries storage and compliance cost. If it refuses or underbuilds that evidence layer, the cost appears as false positives, unresolved abuse, overblocking, customer suspicion and pressure to punish the shared address rather than the responsible session.
BTW’s analysis of hijack and fraud controls is relevant because it separates verification from discretionary control. Verification tied to evidence protects users and assets. Vague enforcement can turn ambiguous signals into punishment. CGNAT intensifies that boundary problem. The public identity is less precise, so the evidence system must become more precise to compensate. Otherwise the strongest party in the chain can push cost downwards.
Liability should follow control. If a wholesaler operates the translation platform while a retailer owns the customer relationship, the retailer cannot guarantee evidence it does not hold. If an application blocks an address after receiving more precise session information, it should not describe every false positive as an access problem. If the operator chooses a sharing design that makes timely reconstruction unreliable, the customer should not bear every consequence. Contracts will not remove ambiguity, but they can stop ambiguity becoming a licence for each party to pass the bill to someone weaker.
Lu Heng’s note on registry power detached from liability concerns a higher institutional layer, yet the principle translates: control over consequential identity inputs requires reviewability and consequence. In CGNAT, the operator controls the compression architecture; the platform controls much of the acceptance decision; the wholesaler may control the evidence path; the customer experiences the consequence. A serious cost model asks where control sat when the cost was created.
Precision has option value. A provider that can answer a well-formed complaint quickly is less likely to suspend a whole cohort, spend days reconciling records or keep innocent customers under suspicion. An application provider receiving a precise response can narrow a remedy. A customer wrongly attributed to an event can contest the finding. The return on good evidence includes the broad defensive actions that never need to be taken.
The translation layer has a physical balance-sheet cost
CGNAT can sound like a clever logical trick: one public address, many customers. In a live network it is also equipment, forwarding capacity, memory, redundancy, monitoring, software maintenance, log export, storage, rack space, power, cooling and specialist knowledge. The public address may be scarce, but the machine that multiplies it has weight on the balance sheet.
The physical cost is not limited to the translation appliance. High availability matters because the device holds live state. If it fails badly, sessions vanish in a way that customers experience as arbitrary application failure. Redundancy must preserve enough state to make failover tolerable, or at least fail cleanly enough for customers and applications to recover. Monitoring must distinguish access failure from translation failure. Capacity planning must consider session creation rates, long-lived idle flows, software-update bursts, gaming, streaming, business hours, school holidays, sporting events and local shocks.
Logging turns the physical layer into a storage and search problem. More customers behind each public address can mean more translation events per address. Shorter timeouts may reduce table pressure but break more applications. Longer timeouts may protect sessions but increase load. More detailed records improve attribution but raise storage, privacy, access-control and search cost. A cheap ratio in the planning spreadsheet can become expensive if equipment, evidence and support must compensate for it every year.
Power and compute overhead also affect resilience. A large stateful translation cluster is a concentrated failure domain. The component that saves public addresses becomes a choke point. Maintenance windows become more delicate. Traffic surges, denial-of-service events, malformed traffic, software defects or configuration mistakes can stress the identity layer in ways ordinary access monitoring may not explain quickly. The cost of compression therefore includes the precautions needed to prevent the sharing machinery from becoming the weakest commercial link.
The background argument in Lu Heng’s critique of the IPv6 escape-from-scarcity narrative should remain background here. This article is not centred on transition. The point is narrower: while customers and counterparties still rely on IPv4 identity, CGNAT is one way to ration it. The annual cost of that rationing must be compared with buying, leasing or preserving cleaner identity. It should not be hidden inside engineering heroics.
Insurers and lenders should care about the tail as well as the average. Most translated sessions may be uneventful. A short overload, defective change, evidence-system failure or address-pool reputation event may still produce a burst of credits, escalations, complaints and regulatory attention. A proper annual charge includes routine cost and a prudent allowance for concentrated incidents, based on observed near misses, capacity tests, redundancy plans and known failure modes. It need not pretend to know a universal probability. It must avoid pretending the probability is zero.
This is where smaller operators can be punished by scale. A large network may amortise specialist equipment, logs, legal review and platform relationships across a broad base. A small fixed-wireless or regional provider may face the same expectations with thinner engineering and compliance capacity. Dense sharing may be financially rational in the short term and still create a risk profile that is difficult to insure. The choice is not whether CGNAT is good or bad. It is whether the machine required to make it safe is being priced.
The saving is booked in access while the bill migrates through the company
The most important accounting question is who appears to save and who actually pays. The access network appears to save when more customers can be served per public IPv4 address. That saving can be real. It reduces purchased or leased addresses, preserves scarce inventory for higher-assurance products, and buys time before a public-identity acquisition is needed. But the bill migrates.
Customers pay through failed sessions, repeated verification, upgrades they did not expect, lost time and lost trust. Help desks pay through longer calls and escalations. Abuse and compliance teams pay through retained mappings, searches and uncertain attribution. Application providers pay through stricter risk systems and appeals from users they do not serve directly. Business customers pay when supplier allowlists, remote-work systems, payment processors or monitoring tools discount shared identity. Shareholders pay when churn, credits and product confusion erode margins. The saving lives in one ledger; the burden travels through many.
The distribution is not accidental. CGNAT makes a scarce input look like a network-planning issue while its consequences appear in product, support, legal, security and customer-experience accounts. A finance director who sees only public-address acquisition may approve aggressive compression. A support head who sees only ticket volume may ask for more staff. A compliance head may seek better retention and search. A product manager may create a static-address add-on. Unless those records are joined, the company cannot tell whether it saved money or merely moved the cost to departments with less visibility.
Contract opacity deepens the problem. Many retail customers do not know whether a service includes a public address, shared outward-facing identity, inbound reachability, attribution support or application-assurance duties. Wholesale buyers may know more, but even they may not know how pools, logs, failure evidence and emergency attribution will work during a dispute. If the product says only “internet access”, the identity question appears only after harm.
BTW’s work on transfer-price transparency matters because visible prices discipline hidden rationing. When public identity has a market cost, the operator can compare buying or leasing more identity, compressing more aggressively, or pricing dedicated identity for customers whose applications justify it. Without that comparison, CGNAT becomes the default because its avoided address cost is visible and its side effects are scattered.
The hidden tax is not anti-market. It is a demand for better market accounting. Scarce public identity should be priced honestly. Shared identity should be priced honestly as well. A provider can legitimately sell a cheaper shared tier if the dimensions of service are disclosed and if customers whose applications need stronger recognition can buy it before failure. It becomes extraction when the cheaper tier hides a material impairment and the remedy is offered only after the customer has paid through time, complaint or lost business.
The company can start with chargeback logic. The access product receives the benefit of avoided address acquisition, but it should also be charged for translation equipment, power, log retention, search labour, specialised support, customer credits and attributable churn. The business-services product should receive credit when moving customers to dedicated or portable identity removes those costs. The model will be approximate. Approximation is better than allowing one department to book a saving while several others finance the workaround.
The same accounting should be used before a new pool is expanded. Management should compare the expected address saving with the marginal cost of another year of shared identity for the customers being added. If the new cohort consists mainly of low-assurance residential users, the calculation may still favour compression. If it consists of merchants, schools, offices, public-service contractors or customers whose counterparties treat source identity as part of trust, the cheaper-looking design may simply defer a known bill. The point is not to make every customer buy a dedicated address. It is to stop treating shared identity as a free default when the customer’s actual work makes it a paid risk.
LACNIC's institutional boundary is the ledger, not the NAT policy
LACNIC matters here as regional registry context, not as the proper designer of operator NAT ratios. The institutional question is whether the number-resource layer remains a thin, portable and reviewable ledger that helps operators expose and reduce the CGNAT externality, or whether coordination expands into commercial control it cannot price.
A narrow ledger helps by making public identity easier to obtain, transfer, lease, verify and preserve. Accurate records lower due-diligence cost. Reviewable changes reduce fear that recognition will be interrupted. Transfer and portability rights let providers choose between acquiring more public identity and compressing customers behind shared addresses. Reliable proof of control helps counterparties trust that the operator’s public identity is usable. These functions reduce pressure to over-compress without telling any operator how to run its network.
A broad gatekeeper can do the opposite. If public identity is hard to move, uncertain to lease, slow to recognise or subject to broad discretion, operators ration more aggressively. CGNAT then becomes not only an engineering workaround but an institutional by-product. The registry may never order a provider to compress customers, yet registry friction can make compression the cheaper apparent choice.
The boundary is stated crisply in the Bill of Rights of Uniqueness Coordination: the common layer may record, coordinate and protect uniqueness; it may not rule. Running-Code Primacy supplies the operational test: what does the running network require from the shared layer? For CGNAT economics, the answer is not a central verdict on customer sharing. It is uniqueness, accurate holder records, proof of control, transfer history, contactability, security assertions, auditability, portability and non-destructive dispute handling.
The same distinction appears in the Registry Continuity Fallacy. Protecting the ledger does not require protecting every authority claim of the current gatekeeper. In CGNAT terms, protecting number-resource coordination means making public identity legible enough that operators can decide how much compression is efficient. It does not mean turning scarcity into a permanent permission system over product design.
Lu Heng’s note on why registries must never become enforcers also applies. Abuse and fraud are real, but the registry’s contribution is accurate records and reviewable coordination, not punishment through registration status or moral judgement over service architecture. When the shared layer remains narrow, CGNAT is an operator cost decision. When it becomes discretionary, CGNAT becomes another symptom of upstream control.
Measurement must not become permission. A registry could observe that shared identity creates abuse and support costs, then claim authority to prescribe product categories, customer ratios or commercial use. That would confuse evidence with jurisdiction. The operator is best placed to choose architecture and answer for its consequences. The shared ledger should make cleaner alternatives usable and claims reviewable; it should not turn an externality calculation into a licence to supervise the business.
Portability makes the externality measurable and reducible
The remedy is not to ban CGNAT. A ban would be crude, unrealistic and economically blind. The remedy is to make the externality measurable and alternatives credible. For each pool or customer cohort, the operator should be able to ask whether the annual cost of compression is lower than acquiring or leasing more public identity, creating a dedicated-address product, supporting portable identity for high-assurance customers, redesigning the service boundary or improving the evidence layer.
That calculation requires data. How many customers share each public address under each product? Which destinations or application classes produce complaints? How often are customers moved out of a pool to solve the issue? How many abuse or compliance requests lack port or time precision? How much staff time is consumed by log search? What storage, power and redundancy are attributable to translation? How often do platforms block or challenge shared addresses? How much churn follows repeated identity problems? The answers can be ranges. Ranges are enough to reveal whether the next unit of compression is still efficient.
Portability changes the calculation because it creates an outside option. A business customer that can bring or lease stable public identity that survives a change of access provider need not accept the identity quality of the cheapest bundle. A small ISP that can obtain recognised public identity on predictable terms can serve higher-assurance customers without overloading a shared pool. If transfer and lease evidence are clear, lenders and insurers can analyse the identity layer as controlled infrastructure rather than vague operating residue.
The doctrine in Minimum Initial Specification, Localized Future Decision and Voluntary Adoption prevents the remedy from becoming another command layer. The common system should specify only what must be common. Future operational choices should remain local unless they threaten uniqueness, proof, security integrity or interoperability. An operator can then choose compression, leasing, purchasing, static-address products and customer assurance under the discipline of measurable cost.
Number Resource Society belongs here, but proportionately. NRS is useful not because it should set NAT ratios or become a new central authority. Its value is holder-side coordination around exit, portability, redundancy and accountability. Lu Heng’s note on why NRS exists frames decentralisation as systems engineering, which is the right lens for the problem. The aim is not institutional theatre. It is reducing the single points of recognition that make operators accept opaque compression because cleaner identity is harder to secure.
Public tools and records matter only if they improve bargaining and evidence. The NRS case archive can make recognition-side harms visible rather than isolated. NRS Shield is relevant only insofar as it helps holders preserve continuity and present risk in a form counterparties can understand. The CGNAT hidden tax is reduced by visibility, portability and reviewability, not by replacing one opaque centre with another.
Over time the cost model becomes a capital-allocation instrument. A rising support or evidence burden can justify acquiring addresses, improving logging, segmenting high-assurance customers, changing pool design or offering portable identity. A falling burden may show that the existing compression level is efficient. Portability makes each option more credible because the operator is not trapped by the fear that recognition can be stranded elsewhere. Reviewability gives insurers, lenders and wholesale buyers a basis for treating public identity as infrastructure, not discretionary favour.
Contracts should buy identity quality, not merely bandwidth
Once the externality is visible, contracts must change. A retail or wholesale service should not describe only speed, data allowance, installation time and generic availability. It should state the identity qualities that matter for the product: shared or dedicated public IPv4, inbound reachability if any, attribution support, log-search capability, static-address options, business-assurance tiers, abuse-response duties, application-risk caveats and escalation paths.
This does not require turning every consumer contract into a networking manual. It requires stopping the concealment of material service differences. A household plan can say that ordinary access uses shared public addressing and does not include inbound reachability or application-specific identity assurance. A small-business plan can include a stable public address or a clear price for one. A managed enterprise service can define public identity, attribution, reverse-DNS handling, abuse response and support evidence as part of the service rather than as an afterthought.
Wholesale contracts need even more precision. A retail ISP buying access or upstream service should know whether the wholesaler supplies public identity, translation, logs, route evidence, diagnostic cooperation and emergency attribution. If the retailer owns the customer relationship while the wholesaler controls the identity path, the contract must prevent the retailer from becoming the default absorber of every ambiguity. CGNAT makes divided control more dangerous because the visible complaint may sit far from the device or pool that created it.
BTW’s earlier work on leasing contract risk shows why divided control is efficient only when duties are explicit. A public address leased for a customer, a shared address supplied through a wholesale translation pool and a portable identity arrangement distribute risk differently. Contracts should say who maintains evidence, who answers abuse requests, who pays for false positives, who supports application allowlisting, who funds extra logs and who bears credits when identity ambiguity is the cause.
LARUS One is useful here as a commercial analogy, not as a universal prescription. It separates public network identity from delivery. Lu Heng’s note on network identity and customer continuity explains why renumbering becomes a business event once customers and counterparties rely on an address. CGNAT is the inverse case: the customer may never receive an identity stable enough to rely on, while some applications behave as if it should. A product ladder that distinguishes access from identity gives the customer a real choice.
Contracting for identity quality also disciplines pricing. If a dedicated public address costs money, price it. If shared identity creates support and attribution cost, price that too. If an enterprise customer requires low-friction recognition by applications and counterparties, sell the assurance openly. If a customer chooses a cheaper shared tier, disclose what remains outside the promise. The hidden tax shrinks when it becomes a negotiated term rather than an unpleasant discovery.
Every assurance needs a review path. The contract should specify what evidence the customer must provide, how clocks and ports will be reconciled, when the operator will test a pool change, who can authorise movement to dedicated identity and how mistaken attribution is corrected. It should also state what is not promised. Clear exclusions are less damaging than a vague promise of access followed by refusal to examine the identity layer.
The board asks whether compression is insurable capital or unmanaged liability
The final scene is a board risk session at a LACNIC-region operator, with a compliance head, a wholesale buyer and an insurer’s adviser present. The network team has shown that CGNAT reduced public-address demand. The support report shows application failures, repeated verification, blocked sessions and static-address upgrades. Compliance shows rising log-search work and cases where external complaints lacked enough port or timing detail. Finance shows that translation equipment, storage, power, support labour and credits were never combined into one cost object. The insurer asks the question that should have been asked earlier: can the identity-compression burden be measured, contracted and controlled?
If the answer is yes, CGNAT becomes an investable architecture choice. The operator can say which customer cohorts are suitable for shared identity, which products require dedicated or portable public identity, what attribution standard is maintained, how abuse requests are handled, what customer-facing risks are disclosed, how many tickets are expected, what equipment and power costs are included, and when acquiring more public IPv4 is cheaper than further compression. Compression remains a tool. It is no longer a hidden subsidy.
If the answer is no, the board is not looking at a cheap access design. It is looking at an unmeasured liability. The company has moved a scarce input off the visible account and replaced it with uncertain support, compliance, customer-time, reputation and application-acceptance costs. The saving may still be real, but management cannot prove it. The insurer cannot price it. The wholesale buyer cannot contract around it. The compliance head cannot defend it confidently. The customer director cannot explain why some users must pay to escape a condition they did not know existed.
The institutional lesson remains narrow. LACNIC’s useful contribution is not to approve or condemn any operator’s NAT design. It is to support a number-resource environment in which public identity is portable, records are accurate, transfers and leases are legible, proof is reviewable and disputes do not destroy running customer continuity. A thin ledger lets operators compare compression with alternatives. A thick gatekeeper makes compression more likely by raising the cost and uncertainty of cleaner identity.
The hidden tax of carrier-grade NAT is therefore an accounting test, not a slogan. For each shared public IPv4 address/customer cohort, measure the annual identity-compression externality: port-state systems, log retention, search labour, support time, false positives, customer time, application friction, abuse ambiguity, equipment, power and contract opacity. Then ask who pays, who can reduce it, and who is being asked to carry a cost they did not choose.
The board’s decision need not be dramatic. Some customers will remain behind shared addresses because the cost is lower than the value of cleaner identity. Some business users will move to dedicated or portable identity because the opposite is true. Some wholesale terms will change. Some support scripts will improve. Some pools will shrink. Some will remain. What changes is that the burden becomes visible enough to finance.
That is the disciplined close. Scarcity has not vanished. It has been transformed. The question for the insurer, wholesale buyer, compliance head and board is whether that transformation is understood well enough to be priced. If it is, CGNAT is controlled compression. If it is not, it is a hidden tax on everyone forced to share an identity they cannot see, choose or defend.

