The exhaustion of IPv4 address space
FireFury03 writes "Cisco has an interesting article talking about estimates for the exhaustion of the IPv4 address space, and the inevitable move to IPv6. It predicts that the IPv4 address space will be exhausted in 2 - 10 years and suggests that it isn't worth trying to reclaim old allocations. With the mainstream use of IPv6 now potentially within the ROI period of many products the manufacturers need to start including support, but will the ISPs roll out native IPv6 networks before they absolutely have to? IMHO, ISPs providing native IPv6 support would be a Good Thing since it opens up the door for peer-to-peer technologies such as SIP without needing nasty NAT traversal hacks, but a major stumbling block seems to be a complete lack of IPv6 support on current consumer-grade DSL routers (tunneling over IPv4 is an option but requires more technical know-how from the end user)." Of course, Cisco may have some vested interest in driving up the IPv6-compatible router sales *cough*, but the bottom line is that the transition will have to happen at some point in the near future.
Most of the major ISPs have already rolled support for IPv6. They started the rollout about five years ago when the lack of IP addresses began to be a problem. I know for a fact that Sprint is ready to roll it, they are just waiting for other networks to support it. T-Mobile is also ready to roll it as is AOL. It's not really a big deal. It's already been done. Everyone is just waiting to push the big red button and turn on the support. Hell, even Windows supports it.
"and suggests that it isn't worth trying to reclaim old allocations."
Isn't worth it to whom?
"Draco dormiens nunquam titillandus."
Good eye. That's a huge range. When you're talking about small numbers it makes a bigger difference too. When they say 2-10 years, that's much more fuzzy than a prediction of, for example, 102-110 years.
It's almost like me saying that any random new car model from Detroit will get between 20 and 100 miles per gallon. We all know how fuzzy EPA figures are, but even those are more precise than Cisco is here.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
I'd say this is going to be a huge test of the internet and all the various pieces.
Can IPv4 and IPv6 coexist? When do the root servers transfer over? (have they already?) If they can co-exist, what's the motivation for *everyone* to switch?
What happens to smaller countries that don't have the resources to make hardware changes to keep up to date?
From a layman's perspective this seems a lot like Y2K in terms of the scope of changes required.
People in cars cause accidents....accidents in cars cause people
Besides the huge amount of fully routable IP addresses IPv6 will open up, what are the benefits to the average end-user? I mean, will anyone accessing a 4 Mb cable connection through NAT really notice any difference by upgrading? Even large corporations, who also use private IP address space, (as far as I know) don't need fully routable addresses for every machine. So, what exactly is the major benefit? Just asking...
It will be interesting (and perhaps this has already been all worked out, I haven't looked into it much) how they allocate the IPv6 addresses. It seems fairly clear now that the life of the v4 address space was definitely shortened -- although by how much is not clear -- because of the very large chunks of space that were handed out and never fully utilized. (Class A allocations; IIRC IBM had a massive one and I'm not sure ever used much of it, and I'm sure they're not the only one.) Of course this wasn't viewed as a problem at the time because there were so many more addresses than anyone imagined there would ever be devices.
I just wonder how we're going to resist the temptation to do the same thing again, now that we have another glut of address space. On one hand we don't want to end up with vacant blocks of addresses, but we don't want to be too niggardly about it either, or else individual static addresses won't ever 'trickle down' to end users and we'll be stuck with the same mess of NAT traversals and subnets that we have now.
I'm sure that this issue has been addressed (or will be addressed) but I'm just curious how the IANA will find the 'balance point' between assigning enough high-level blocks to make sure end users can get static global addresses, while not overassigning. Perhaps there should be some sort of a periodic review process for high-level address block assignments to see how fully utilized they are, and either assign an entity more addresses or reallocate underutilized resources.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
There's no technical reason you can't 'NAT' your IPv6 address is there?
The majority of new IP address growth comes from all the future gadgets, your house, the washing machine, fridge, etc. So PCs can still 'hide' behind a NAT if they need protecting.
People in cars cause accidents....accidents in cars cause people
Why don't more routers that are sold today tout their IPv6 compatibility?
Because IPv6 isn't yet a buzzword that non-technical buyers are looking for. This will probably change in the next few years when the business world becomes concerned with it. Once a company CIO hears that his internet connection will die without IPv6 support, there will be a huge marketing effort on the part of Cisco and other router makers.
Don't use real IP addresses after the gateway. I do IP MASQUERADING. I get only 1 IP address from my provider. I've got a wireless webcam, a Zaurus wireless PDA, a company assigned laptop, my Linux development desktop computer, my Apple G3 running LinuxPPC (my gateway, web, IMAP server), my oldest son's room with a Linux based AMD 64-bit server, a Mac mini, a Sharp Zaurus, my 2 youngest boys' room and their computer and a laptop up in their room, my homebrew robot, a hacked Compaq IA-1 that runs Linux that I use to monitor my firewall, email, etc. All these devices get to the outside world on 1 IP address. I have multiple servers that are accessed by the outside world via port redirection as well.
My point is that we should be tighter with ip address allocation.
Most of them have flash firmware, and can probably be adapted to work with IPv6.
If the IPv4 address space was properly allocated then we could probably get another ten years out of the system. We have for example BBN occupying three class A blocks and HP taking another two or three. Set against this is the continent of Africa which is assigned one block.
Ed Almos
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
I have worked in the internet service business for over a decade now. I have seen a lot of things come and go, and a lot of predictions about when we would run out of IP space.
The bottom line is that the only people who really WANT a rollout of IPv6 is Cisco. Why? Because the vast majority of their existing installed routers will not support IPv6 with anywhere near the same feature set and packet rate as those routers can handle with IPv4. Thus, IPv6 means people upgrading equipment that isn't really deficient.
Most people have no concept of:
a) How much IP space we have left.
b) How extremely inefficient we have been with a large percentage of the address space.
c) How much assigned, announced, and routed space is completely unused.
d) How much the rate of growth has flattened.
e) How wrong every prediction about when we run out of IP space has been thus far.
If you search the nanog archives, you'll see posts by myself going back many years stating essentially "Somebody tell me why we need IPv6 again?"
Do not hold your breath. We're 10-15 years away from IPv6, because it will take an even larger gross expenditure for the service providers to upgrade to support IPv6 than it did for the broadcast industry to upgrade to HDTV.
This is what industries that rely on revenue growth do when their customer growth flattens. They invent a new widget, come up with reasons why everybody needs it, market it, and hopefully everybody buys the product all over again. IPv6 is admittedly a good bit different; it was created by geeks in an attempt to solve a perceived problem. However, it was seized upon by the router vendors as a future "upgrade when growth flattens" path.
Don't buy into the hype. IPv4 is here to stay for a long time. Even when IPv6 starts to have some decent degree of market penetration, you will always find most of the devices on the net are IPv4 behind IPv6 to IPv4 NATs.
I don't think that IPv6 will see the end of NAT at all. NAT is a very quick and convenient technique for consumer DSL routers to use.
For a start, a lot of ISPs only offer one address, partly to encourage people to buy more expensive packages with multiple addresses, and NAT transparently solves that issue.
There is no reason to assume that increased availability of addresses will cause ISPs to offer more addresses to consumers - after all if they anticipate 100,000 single PC broadband connections, they are going to find it hard to get approval for 800,000 addresses (to allow a /28), even with the increased address space. And even when you do have multiple addresses allocated, what about the users that have one more machine than usable addresses? Small company networks etc? No matter how many addresses IPv6 supplies, we will run out eventually, and much sooner than we expect.
Also low end ADSL connections often force NAT upon a user, allowing the vendor to create a differentiator between its commercial and domestic offerings.
In the end NAT offers security, independence of allocated IP space to available addresses, simplified network management with an excellent delineation point between vendor and consumer (the ISP doesn't have to worry about what is inside the end user network), and a reasonable form of security. It's great for a small internet connected network.
NAT is not defense. The stateful firewall is defense.
NAT *is* a stateful firewall. That's how it works. It has to keep track of outgoing connections to remap those ports on the external interface. No outgoing connections == no port remapping on the external interface.
If you disagree, then explain to me how one could connect to a machine behind a NAT device if said machine has initiated *no* connections to the Internet. Sounds like stateful filtering at work.
Now, stateful firewalls are just as easy to implement on IPv6, so NAT is certainly not a valid reason for sticking with IPv4. But NAT is indeed a stateful firewall.
The majority of new IP address growth comes from all the future gadgets, your house, the washing machine, fridge,
Ah yes, the fabled "Internet Devices". When will the companies realise that I have no need to control my washing machine from the other side of the world, or from work, for that matter. I survived this long without the useless feature, I think I'll manage. For nearly a decade I've heard about IP-enabled white goods, in that time I've seen precisely one device, an IP fridge. And it still can't ring up Tesco's & place your order.
I know that Azureus happily opens up a few ports on my router every time that I start it up. Whether this is a good idea security wise is another story...
NAT is not a security tool.
NAT is not a security tool.
NAT is not a security tool.
Network Address Translation was never intended to function as a firewall or a packet filter, it was designed exclusively to allow multiple computers to share the same IP at once. That's it.
The fact that NAT has some side effects which are similar to a firewall has been a big problem for network security, because it leads users and even administrators to believe that their network does not need a firewall because they use a NAT system.
We are finally, after many years, starting to see real firewall use become commonplace, and a XP even has an automatic software firewall now, but if it hadn't been for NAT, I bet people would've been implementing real, security-focused firewalls a lot earlier.
They'll still charge for static IPs even with IPv6. After all, there's not much reason for cable and DSL providers not to offer them for free right now. Most cable and DSL modems are always on and occupying an IP address anyway, and there's never been any mention of an address crunch at any big ISP (Cablevision, Comcast, etc.), so there's no technical reason to avoid offering static IPs.
Charging for static IP addresses is pure profit for these companies. A small change to the DHCP servers to indicate that a particular modem should always get a particular IP is all it takes (and only needs to be done once), but the money for that keeps rolling in. Opening up more addresses isn't going to change that.
This has been a test. Had this been a real emergency, we would have fled in terror and you would not have been informed.
IPv6 implements some nice features that aren't aimed at a larger address space.
IPv6 provides for priority and quality of service information in the packet, allowing for better priority based routing.
It also doesn't permit for fragmenting packets, which makes life easier for both routing and stitching it back together at the destination.
And distribution of the addresses is done more fairly. It's not the US and western Europe (to a lesser extent) grab the address space they'd like and the rest of the world can scrounge for what's left.
NAT does blur the line between Network layer and transport layer somewhat. NAT uses TCP or UDP ports to do routing. Good design would dictate that independent modules of a system should stay independent, NAT doesn't do that. Not that it's really a big deal here, there's not much chance of a new transport layer protocol grabbing hold anymore.
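The header fields the post above refers to (the traffic class and flow label used for priority, and the fact that the fixed header carries no fragmentation fields) are easiest to see in a parser. The block below is an added example written for this page, not code from Cisco, the original article or any poster; the two sample packets are constructed inline. It parses the 40-byte fixed header and then walks the extension-header chain, so the Fragment header (Next Header value 44), which is where IPv6 keeps fragmentation state, shows up explicitly rather than as a mystery in the payload.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
# Extension headers that share the generic (Next Header, Hdr Ext Len) layout.
EXT_GENERIC = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44          # Fragment header: fixed 8 bytes, its own layout
MAX_EXT_HEADERS = 8    # defensive cap; absurdly long chains are a classic evasion trick


def build_ipv6(src, dst, next_header, payload, traffic_class=0, flow_label=0, hop_limit=64):
    """Assemble a fixed IPv6 header in front of `payload` (no checksums: IPv6 has none)."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    fixed = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_fragment_header(next_header, offset, more, ident):
    """Fragment extension header: 13-bit offset in 8-octet units, 2 reserved bits, M flag."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (1 if more else 0), ident)


def parse_ipv6_header(pkt):
    """Decode the fixed header and sanity-check it against the buffer length."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    if len(pkt) - IPV6_HEADER_LEN < payload_length:
        raise ValueError("declared payload length exceeds packet")
    traffic_class = (first_word >> 20) & 0xFF
    return {
        "version": version,
        "traffic_class": traffic_class,
        "dscp": traffic_class >> 2,    # top 6 bits: DiffServ code point (priority)
        "ecn": traffic_class & 0x3,    # low 2 bits: explicit congestion notification
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def walk_extension_headers(pkt):
    """Follow the Next Header chain to the upper-layer protocol, recording fragment state."""
    hdr = parse_ipv6_header(pkt)
    nh, off, chain, fragment = hdr["next_header"], IPV6_HEADER_LEN, [], None
    end = IPV6_HEADER_LEN + hdr["payload_length"]
    while len(chain) < MAX_EXT_HEADERS:
        if nh in EXT_GENERIC:
            if off + 2 > end:
                raise ValueError("extension header truncated")
            nxt, ext_len = pkt[off], pkt[off + 1]
            size = (ext_len + 1) * 8   # Hdr Ext Len counts 8-octet units beyond the first 8
        elif nh == FRAGMENT:
            if off + 8 > end:
                raise ValueError("fragment header truncated")
            nxt, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            fragment = {"offset": off_flags >> 3, "more": off_flags & 1, "id": ident}
            size = 8
        else:
            # Anything else (TCP 6, UDP 17, ICMPv6 58, No Next Header 59, ...) ends the chain.
            return {"header": hdr, "chain": chain, "upper_layer": nh,
                    "fragment": fragment, "payload": pkt[off:end]}
        if off + size > end:
            raise ValueError("extension header runs past payload")
        chain.append((nh, EXT_GENERIC.get(nh, "Fragment"), size))
        off += size
        nh = nxt
    raise ValueError("too many extension headers")


# Constructed sample packets (not real captures): a SIP-like UDP datagram marked
# DSCP 46 (EF) with a non-zero flow label, and the same datagram as a first fragment.
UDP = 17
SAMPLE_UDP_PAYLOAD = struct.pack("!HHHH", 5060, 5060, 8 + 2, 0) + b"hi"  # UDP checksum left 0 here only
SAMPLE_PACKET = build_ipv6("2001:db8::1", "2001:db8::2", UDP, SAMPLE_UDP_PAYLOAD,
                           traffic_class=46 << 2, flow_label=0x12345)
SAMPLE_FRAGMENT = build_ipv6("2001:db8::1", "2001:db8::2", FRAGMENT,
                             build_fragment_header(UDP, 0, True, 0xDEADBEEF) + SAMPLE_UDP_PAYLOAD)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE_PACKET))
    print(walk_extension_headers(SAMPLE_FRAGMENT))
```

One caveat on the post's fragmentation point: it is intermediate routers that never fragment in IPv6; a source host still can, using exactly this Fragment header, which is why a filter that only inspects the fixed header can be fed a first fragment with the transport header pushed out of view. The `MAX_EXT_HEADERS` cap and the length checks are the minimum a packet filter needs before trusting what the chain says.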
Actually, NAT is better because it provides address space isolation. If your organisation has 500 computers that all have a public IP address, it is harder for you to switch providers (500 IPs is too small to get your own address space for). When you switch your provider, you have to renumber all hosts, fix config files, fix DNS servers etc -- a royal pain in the ass. A NAT allows you to keep your internal structure exactly the same while you switch providers. That address isolation is very important for small-mid sized companies.
... and each site advertising its own address space is expensive for the ISPs because they cannot perform route aggregation (since your address space may not line up with the address space of each ISP). NAT solves this by having each site be NAT'ed behind that ISP's IP address (convenient for the ISP, cheaper for the company). The internal company network runs in the private space and when traffic crosses to the public internet, it gets an IP from the ISP it came out of ... consequently replies come back in through the ISP. Read: If you send a packet out of India, the response won't come back in through America ... which would otherwise require you to then forward it to India through your company's routers.
Second, NAT helps multihomed corporations. For large companies, your 10k hosts are going to be distributed over many states/countries/ISPs
It is this address isolation and multihoming support that drives NAT use in small and large companies. Address space depletion has nothing to do with it. IPv6 does not fix these problems; companies will continue using NATs because NATs do.
The EU is so hot and fired up to wrench control of the intarweb from the US, so let THEM deal with it. If we can't be trusted with the DNS system, seems logical to me that the EU would be much better off orchestrating and paying for the upgrade to IPV6.
-Those who dance are considered insane by those who can't hear the music.
But will this increase the depletion of IPv4, or just result in home NAT starting to support the use of CIDR/16 chunks of 172.16/12 instead of CIDR/24 chunks of 192.168/16? As an example, my Zyxel DSL Modem was pretty trivial to switch over to using 10/8 on the inside of its NAT, and would have been easier if it was a model that the manufacturer intended to allow a normal sized NAT pool. (The Zyxel firmware tries to prevent use of spaces above CIDR/30 for non-router hardware.) While my five-year old router isn't thrilled at this sort of thing, my 1 yr old Belkin router is completely content with any IP space I want to assign it.
So the question is, how many of these devices will have Internet (as opposed to LAN) VISIBILITY (as opposed to merely connectivity) be a feature?
//Information does not want to be free; it wants to breed.
NAT and firewalls (FW) are 2 separate things, as you can have NAT without a FW, and you can have a FW without NAT. Now, NAT, by its nature, inherently has some features in common with FWs, such as that it effectively hides ports unless they're mapped.
A second item is that moving to IPv6 will not necessarily remove NAT or the current 1 router many PCs setup so many of us have. ISPs in general have charged per IP connection/computer, considering each IP a separate computer. Do you honestly think that will change with IPv6? That ISPs are going to be nice and just let you wire up however many systems you want to their network?
I don't think they'd give up that type of revenue stream. (Besides, think of the security nightmare of locking down and managing security for all those items, like your refrigerator! You'd want some sort of appliance FW/NAT box, both to secure you and keep you from paying extra each month. The latter would be the selling point for most normal users.)
The cesspool just got a check and balance.
The only admins who don't like IPv6 are those who are either ignorant of the way it works, or who are too hooked on being worked to death. Both need help, treatment and beer.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You, sir, are a moron.
There's nothing inherently more secure about NAT, it's just the way it's set up on most home routers. As a little experiment you can take a Windows box and put it in the "DMZ" of a normal home NAT box, which means that all ports and protocols get forwarded to it, just as if it was sitting on the public internet itself. It should end up getting owned by viruses and spyware just as quickly as if you plugged it into the modem, even though it's subject to NAT. The point being: the address translation isn't providing any security itself, its only because it's being applied selectively.
Of COURSE the Windows machine will get "owned" (as it were) if you TELL your FIREWALL/NAT device to forward all unexpected incoming connections to it!
Here. I've got one for you. Here's a condom. You can wear it while you have sex with whatever partners, but there is one particular partner for which I'm going to poke a hole in it for you.
Geez..
bork bork bork!
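The last two posts argue about what in a home NAT box actually does the blocking, and the thread earlier had Azureus opening ports through the router and the claim that a stateful filter on IPv6 gives the same policy without translation. As an added example that is not part of any post here, and not code from any router firmware, the Python below models a masquerading table the way a home router keeps one: outbound flows allocate an external port and record the peer, inbound packets are accepted only as replies to a recorded flow, via a static port forward, or, when a "DMZ host" is configured, unconditionally. The `StatefulFilter` class applies the identical reply-only policy to global addresses with no rewriting. All addresses and ports are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Port-overloading NAT as found in a consumer router. The connection table
    built by outbound traffic is the only thing that decides which unsolicited
    inbound packets are delivered; rewriting addresses by itself blocks nothing."""

    def __init__(self, external_ip: str, dmz_host: Optional[str] = None, first_port: int = 1024):
        self.external_ip = external_ip
        self.dmz_host = dmz_host   # catch-all internal target for anything not in the tables
        self._next_port = first_port
        self._out = {}        # (proto, int_ip, int_port, peer_ip, peer_port) -> ext_port
        self._in = {}         # (proto, ext_port) -> (int_ip, int_port, peer_ip, peer_port)
        self._forwards = {}   # (proto, ext_port) -> (int_ip, int_port): static port forwards

    def add_port_forward(self, proto: str, ext_port: int, int_ip: str, int_port: int) -> None:
        """Static mapping, the kind a UPnP-capable BitTorrent client asks the router for."""
        self._forwards[(proto, ext_port)] = (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source to the external address; remember the flow so replies can come back."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._allocate_port(pkt.proto)
            self._out[key] = ext_port
            self._in[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.external_ip, sport=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None meaning 'dropped'."""
        entry = self._in.get((pkt.proto, pkt.dport))
        if entry is not None:
            int_ip, int_port, peer_ip, peer_port = entry
            if (pkt.src, pkt.sport) == (peer_ip, peer_port):
                return replace(pkt, dst=int_ip, dport=int_port)
            return None   # same external port, different peer: not a reply, so dropped
        fwd = self._forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        if self.dmz_host is not None:
            # Every unsolicited packet lands on the DMZ host: it is exposed exactly as
            # if it sat on the public address, translation notwithstanding.
            return replace(pkt, dst=self.dmz_host)
        return None

    def _allocate_port(self, proto: str) -> int:
        while (proto, self._next_port) in self._in or (proto, self._next_port) in self._forwards:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port


class StatefulFilter:
    """The same reply-only policy with no address rewriting, which is all an IPv6
    edge needs once every host has a global address."""

    def __init__(self):
        self._flows = set()     # (proto, src, sport, dst, dport) seen outbound
        self._allowed = set()   # (proto, host, port) explicitly opened

    def allow_inbound(self, proto: str, host: str, port: int) -> None:
        self._allowed.add((proto, host, port))

    def outbound(self, pkt: Packet) -> Packet:
        self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return pkt
        if (pkt.proto, pkt.dst, pkt.dport) in self._allowed:
            return pkt
        return None


if __name__ == "__main__":
    nat = Masquerade("203.0.113.5", dmz_host="192.168.1.20")
    print(nat.inbound(Packet("tcp", "198.51.100.7", 40000, "203.0.113.5", 445)))  # lands on DMZ host
```

The peer check in `inbound` is what makes this table a stateful filter rather than a static rewrite: a packet to a mapped external port from a different peer is not a reply and is dropped. Real routers vary here (some accept any peer on a mapped port, which is what makes hole-punching work for SIP and peer-to-peer clients), and that variation, not the translation, is the security-relevant property to check on a given box.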
Interesting, but is 2 - 10 years as precise as they can be?
8 years seems to be a long time, to me.
Yep, and thirty years ago they said that we would be out of oil in twenty years. Go figure...
Sure, the hardware /supports/ IPv6, but if you try to do both IPv4 and IPv6 on the hardware, you take the load way up.
As long as IPv6 isn't required to get everywhere, they can save money by using smaller/fewer routers to do IPv4 work.
In terms of just memory, you almost double the use by having a separate table for IPv4 and IPv6.
Well yes. But, security, like ogres, onions, cake, and parfait should have layers. NAT provides a, yes rather weak, layer. But it is still a layer. So doing both is a good thing.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Yup, this is a big issue. People want to have the liberty to do what they want in their own home. After all when you put a nail into your own wall, do you have to phone up the regional governing entity or pay to do so? Why should we have to do the same for our private computers?
Jumpstart the tartan drive.
As long as IPv6 isn't required to get everywhere, they can save money by using smaller/fewer routers to do IPv4 work.
I think that rather depends on how much of the network is IPv6 only - if there's a large chunk that's only on IPv6 then refusing to support it would be like telling the customers "we've decided to not route any of your traffic to the US anymore because that's cheaper for us". Customers would be leaving them in droves - they don't need to understand _why_ parts of the internet are inaccessible, it will just become known that this ISP is crap because they have "firewalled" off part of the internet in the interests of cost saving.
http://blog.nexusuk.org
Seriously... it is better in this case to be proactively preparing for the transition than to one day realize we *really* need IPv6 and are not capable of making it happen effectively. No one is saying it has to be a hard and fast cutover today. I don't see anything wrong with getting some momentum going and starting to work out some unexpected kinks before the need is *real and imminent*.
Mr. President, is that you?
I mostly work in tech pubs (when I'm working), and this has been a constant issue for me. At some badly managed companies, I've seen engineers add SuperKewl Features to the product without authorization, thinking they can just throw them over the wall to the customers and forget about them. Wrong. I have to document their damn features, and that costs. If I don't document their damn features, then tech support has to handle the resulting calls, and that costs even more. And if tech support tries to tell a big customer, "Oh, that's an unofficial feature, we don't support it," that really costs!