CGNAT IP range overlap

With IPv4 address exhaustion, ISPs use CGNAT IP ranges. What if two users that are sharing the same IP from their ISP also have the same IP ranges in their ZeroTier networks? Can that be a security problem? Can user1 have access to the ZT network of user2?

Normally this should not be an issue for workstations, since they will see the subnet in question connected to the local virtual ZeroTier interface and so will send packets out directly over that interface and across the tunnel. But if you are running ZeroTier on a router, you'll need to make sure you don't re-use the same subnets, since it will (potentially) have two local interfaces (ZeroTier and the WAN) on the same subnet and will use whatever internal rules it has to choose which interface to forward packets on.

It's not a security issue in the workstation case, since the ZeroTier overlay requires a cryptographically validated connection to communicate over the overlay, and the workstation will only know about other members of its networks.

But with the router configuration you may end up sending packets destined for the ZeroTier subnet to some unknown machine on the service provider's network. If the service provider is doing their job correctly, these networks should be PVLANs that refuse to allow communication between clients even on the same subnet range, but YMMV based on the seriousness of the provider.

Simple answer: If you're just joining machines, don't worry about it. If you're using routers, avoid using 10.0.0.0 ranges and stick to 172.x.0.0/16 or 192.168.x.0/24 subnets. (Service providers almost always use 10.0.0.0/8 ranges to get a maximum number of IPs.)
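To make the router-versus-workstation distinction in the answer concrete, here is an added check (not from the post or from ZeroTier) that models a host's connected routes and reports which interfaces longest-prefix match a ZeroTier peer's address; interface names and the 10.20.0.0/16 prefix are constructed sample data.

```python
import ipaddress

# Connected routes as (interface, prefix). Constructed sample: a router whose
# ISP-facing WAN sits in a 10/8 CGNAT pool and whose ZeroTier network was
# assigned a prefix inside that same pool (the case the answer warns about).
ROUTER_ROUTES = [
    ("wan0", "10.20.0.0/16"),   # ISP-side address pool (constructed)
    ("zt0", "10.20.0.0/16"),    # ZeroTier managed route, same range (bad)
    ("lan0", "192.168.1.0/24"),
]

# A workstation on the same ZeroTier network: its ISP-side address lives on
# the home router, so only the ZeroTier interface carries the 10.20/16 prefix.
WORKSTATION_ROUTES = [
    ("eth0", "192.168.1.0/24"),
    ("zt0", "10.20.0.0/16"),
]


def candidate_interfaces(routes, dst):
    """Interfaces whose connected prefix contains dst after longest-prefix match.
    More than one result means the host must break the tie with internal rules,
    so traffic for a ZeroTier peer may leave over the WAN instead of the tunnel."""
    ip = ipaddress.ip_address(dst)
    matches = [(name, ipaddress.ip_network(p)) for name, p in routes
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return []
    best = max(net.prefixlen for _, net in matches)
    return [name for name, net in matches if net.prefixlen == best]


def overlapping_subnets(routes):
    """Pairs of interfaces whose connected prefixes overlap at all; a non-empty
    result on a router is the misconfiguration to fix before joining the network."""
    nets = [(name, ipaddress.ip_network(p)) for name, p in routes]
    found = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                found.append((nets[i][0], nets[j][0]))
    return found


if __name__ == "__main__":
    peer = "10.20.5.7"  # a ZeroTier peer's managed address (constructed)
    print("router candidates     :", candidate_interfaces(ROUTER_ROUTES, peer))
    print("workstation candidates:", candidate_interfaces(WORKSTATION_ROUTES, peer))
    print("router overlaps       :", overlapping_subnets(ROUTER_ROUTES))
```

Running it shows the router has two equally good interfaces for the peer while the workstation has exactly one, which is why the answer only cares about the router case.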