Residential networks --- they are all different in the same way
The major defining characteristic of Residential Home Networks (called "home networks" from here on) is that they are inconsistent.
There are few standards for how they operate, and those that do exist are unequally applied. Some countries (or regions of countries) have a dominant ISP, and that dominant ISP often supplies the same home router (CPE) device to all of its customers; yet even within such a monoculture, the devices are often not maintained and run inconsistent firmware versions.
Among the few consistent characteristics, the following are observed:
- There is a small routing device that connects the ISP network to the customer's internal network.
- The customer's internal network has wired Ethernet and wireless (Wi-Fi), often with bridging between them.
- Almost all customers have IPv4 with a single, dynamic IPv4 address on the outside, and NAT44 is used to connect the internal network ("LAN") to the external ("WAN") network.
- In the developed world, most customers have a public IPv4 address, but this is not the case worldwide. There may be multiple layers of NAT44, with the ISP operating so-called "Carrier-Grade NAT" (CGNAT), and this is occurring in the developed world as well. Although NAT44 was not specified until 2007, it is now sufficiently normalized that very few CPE devices do it "wrong".
- Many ISPs offer IPv6; not all customers have routers that support IPv6, but an increasing number do. RFC7084 explains the minimum requirements for IPv6. The local use of IPv6 unique local addresses (ULA) is a key part of RFC7084, and this can be done even when the ISP does not provide IPv6. The IETF SNAC WG is standardizing some of these interactions.
- The firewall settings for IPv6 recommended in RFC7084 and RFC6092 (and a technical necessity in IPv4) prevent incoming connections to internal devices by default. However, two major weaknesses undermine even this very minimal simulacrum of security: the often weak security of the home router itself, and the weaker security of commodity desktop operating systems. The end result is that most home networks should be considered to have an attacker on the inside already.
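The NAT44, CGNAT and ULA points above can be checked on a real home network by looking at which reserved range the addresses on the CPE's WAN and LAN sides fall into. The following is an added example (not part of the original text, and not an IETF or vendor tool): it classifies addresses using only the standard-library `ipaddress` module and the published reserved ranges, RFC 1918 private space, the RFC 6598 shared address space 100.64.0.0/10 that ISPs use for CGNAT, and the RFC 4193 ULA block fc00::/7. The function names and the sample addresses are constructed for illustration; documentation ranges such as 203.0.113.0/24 and 2001:db8::/32 are deliberately treated as "public" so the sample runs offline.

```python
"""Classify home-network addresses to see how many NAT layers a household sits
behind and whether its IPv6 comes from the ISP or is ULA only.

Added example; the range constants are the published IANA/IETF allocations,
the sample addresses used in the usage call at the bottom are constructed."""
import ipaddress

# RFC 1918 private space: what the LAN side of a CPE normally uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: assigned by ISPs to the WAN side when CGNAT is in use.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 4193 unique local addresses: IPv6 that works locally without any ISP IPv6.
IPV6_ULA = ipaddress.ip_network("fc00::/7")
# RFC 4291 link-local: present on every IPv6 interface, never routable.
IPV6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(addr: str) -> str:
    """Return a short label for the kind of address given as a string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip.is_loopback:
            return "v4-loopback"
        if ip.is_link_local:          # 169.254.0.0/16, typically a failed DHCP lease
            return "v4-link-local"
        if ip.is_multicast:
            return "v4-multicast"
        if ip in CGNAT_SHARED:
            return "v4-cgnat-shared"
        if any(ip in net for net in RFC1918):
            return "v4-private"
        # Everything else is treated as public; documentation/reserved
        # ranges are not distinguished separately here.
        return "v4-public"
    if ip in IPV6_LINK_LOCAL:
        return "v6-link-local"
    if ip in IPV6_ULA:
        return "v6-ula"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return "v6-special"
    return "v6-global"


def wan_nat_layers(wan_addr: str) -> str:
    """Judge the NAT44 topology from the address the ISP gave the CPE's WAN port."""
    kind = classify(wan_addr)
    if kind == "v4-public":
        return "single NAT44 on the CPE"
    if kind in ("v4-cgnat-shared", "v4-private"):
        # Shared space means the ISP runs CGNAT; RFC 1918 on the WAN side
        # means another NAT box upstream (ISP-side or a second home router).
        return "CPE NAT44 plus ISP-side or upstream NAT (CGNAT)"
    return "not a routable IPv4 WAN address"


def lan_ipv6_summary(lan_addrs) -> str:
    """Summarize where the LAN's IPv6 comes from, given the addresses seen on it."""
    kinds = {classify(a) for a in lan_addrs}
    if "v6-global" in kinds:
        suffix = " with ULA" if "v6-ula" in kinds else ""
        return "ISP-delegated IPv6 present" + suffix
    if "v6-ula" in kinds:
        return "ULA only (local IPv6 without ISP IPv6)"
    return "no usable IPv6 beyond link-local"


if __name__ == "__main__":
    # Constructed sample: a household behind CGNAT whose LAN has only ULA IPv6.
    print(wan_nat_layers("100.70.3.4"))
    print(lan_ipv6_summary(["fe80::1", "fd12:3456:789a::1", "192.168.1.10"]))
```

Running it against the addresses your own CPE reports (WAN status page, `ip addr` on a LAN host) tells you directly whether the "public IPv4" assumption of the third bullet holds for that network, and whether inbound IPv6 reachability is even possible or whether the LAN is ULA-only.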