IPv4 Address Crunch In 2 Years, IPv6 Not Ready

An anonymous reader writes "We've known for ages that IPv4 was going to run out of addresses — now, it's happening. IPv6 was going to save us — it isn't. The upcoming crisis will hit, perhaps as soon as 2010, but nobody can agree on what to do. The three options are all pretty scary. This article covers the background, and links to a presentation by Randy Bush (PDF) that shows the reality of the problem in stark detail."

Well duh

[n3tcat]

It's not hard to figure out why we haven't solved this problem. It costs MORE to fix it now than it does to wait.

So just wait until it costs more to live with IPv4 than to migrate to new systems. Then EVERYONE will be working on a solution.

Re:Well duh

[eln]

The problem is that Y2K was handled so well, and as a result the consequences of it were so ridiculously minor, that most people in the general public feel that it was all overblown hype. Yes, there was a lot of hype, but the fact is a lot of programmers worked a long time to make sure things that needed to be fixed got fixed.

However, since most people feel that Y2K was overblown and the money spent on it was wasted, they're unlikely to take seriously any new "crisis" in IT, and will simply refuse to spend any money on it.

Re:Is this REALLY a problem?

[totally+bogus+dude]

Sure, but that's because you control the NAT and can forward ports, so you can still accept incoming connections. If your public IP address (i.e. what other torrent clients will try to connect to) is controlled by your ISP, you're going to have a hard time getting them to forward the ports you need to you. In fact, they would have a hard time providing this service in a usable and cost-effective manner, even if they wanted to.

Also, there's a good chance OpenBSD + PF is more accommodating of various protocols than an ISP's oversubscribed NAT gateway is likely to be. Even if they do their best, it can still get in the way. For example most gateways can handle FTP by watching for "PORT" or "PASV" messages and dynamically opening/forwarding the requested port (or rewriting it to use the port it wants), but this doesn't work if your FTP session is encrypted.

Finally, a lot of the ISPs seem to be actively discouraging P2P, and will simply use "no more IP addresses" as an excuse to slap in NAT gateways that restrict people to web and email. If you want "raw internet", then you'll have to pay.

With any luck there'll still be enough competition in the ISP space in 2010 to push the rollout of IPv6 onwards. A lot of the big ISPs will probably resist it, as a) it would cost a lot to upgrade and re-engineer their infrastructure to support it and b) they can make lots of money by charging a massive premium for routeable IPs. Not to mention that the media cartels will probably have convinced most people and politicians that the only reason one would want "raw internet access" is for piracy, child porn, and terrorism.

Re:Is this REALLY a problem?

[johannesg]

NAT is a really, really bad solution. It creates two classes of internet user: those that may run servers, and those that may not; a second-rank type of internet citizen, so to speak.

Do you really want to live in world where you can only connect to the servers of your corporate overlords? Wasn't the internet supposed to be offering equal opportunity for everyone?

Re:Is this REALLY a problem?

[$pace6host]

Really, I bet there are huge tracts of IP real estate that would function just as well on NATted private networks. I work at a place that owns lots of IP networks, and 1) we're not allowed to run our own web servers, or any other kind of servers for that matter, and 2) all our outbound traffic is through corporate control points and filtered anyway. Still, the PC on my desk at the office has a public IP address. Do I NEED a public IP address? No. Not really. Most of my traffic is to internal company data anyway (share drives, internal sharepoint intraet collaboration site, outlook servers, inward facing development servers, etc.) The rest is already going through proxy servers. You couldn't get any packets direct to me, either, the routers on the edge of our network filter practically all inbound traffic out. I, and most of my collegues, are wasting our public addresses. I'd bet it's the same in a lot of places. Corporate security policies essentially ensure that the majority of cubicle workers can't possibly make use of any of the "benefits" a publicly routable IP address would actually have, but every PC (and telephone and printer) has one.

I'm not saying NAT is the best solution, or even the right long term solution, just that I think it could be used (fairly successfully) in many more places while we get our collective asses in gear and go IPv6.

Re:Is this REALLY a problem?

[gnuman99]

NAT is *the* *wrong* solution.

Public IP addresses make it simple to have *proper* routing tables.

There is also the ability to track users easily. Imagine you have one of your computers compromised. The computer is then used to control another box that controls another one that drives some botnet. If you have a NAT, the 3rd party that discovered their box compromised will trace it back to ... your NAT! And the NAT is not tracked 99% of the time. So, the compromised box on your site cannot be easily discovered without packet sniffing.

Or an employee is involved in something illegal. The 3rd party produces their logs that list your NAT as the source of the problem. Which computer was used in that activity? You are stuck with tracing the stuff though screen loggers and other invasive BS just because NAT has to exist.

NAT is the wrong solution because of liability. NAT is wrong solution from routing point of view. NAT is wrong solution from technical point of view. IPv4 would have been replaced years ago if it wasn't or stupid NAT gateways everyone has now. Yeah, these will be obsolete with IPv6.

When I left school I thought NAT was the greatest thing in the world aside from sliced bread. Then real world experience forces you to realize that maybe the university usage of public IP on its internal network wasn't such a stupid thing after all. Public IP should be assigned to ALL devices, and then you can use a statefull firewall to protect these assets. Private IP networks should NEVER be connected to public IP networks - let's hope that dies with IPv4. The sooner the better.