Slashdot Mirror


IPv4 Address Crunch In 2 Years, IPv6 Not Ready

An anonymous reader writes "We've known for ages that IPv4 was going to run out of addresses — now, it's happening. IPv6 was going to save us — it isn't. The upcoming crisis will hit, perhaps as soon as 2010, but nobody can agree on what to do. The three options are all pretty scary. This article covers the background, and links to a presentation by Randy Bush (PDF) that shows the reality of the problem in stark detail."

17 of 539 comments

  1. Well duh by n3tcat · · Score: 5, Insightful

    It's not hard to figure out why we haven't solved this problem. It costs MORE to fix it now than it does to wait.

    So just wait until it costs more to live with IPv4 than to migrate to new systems. Then EVERYONE will be working on a solution.

    1. Re:Well duh by eln · · Score: 5, Insightful

      The problem is that Y2K was handled so well, and as a result the consequences of it were so ridiculously minor, that most people in the general public feel that it was all overblown hype. Yes, there was a lot of hype, but the fact is a lot of programmers worked a long time to make sure things that needed to be fixed got fixed.

      However, since most people feel that Y2K was overblown and the money spent on it was wasted, they're unlikely to take seriously any new "crisis" in IT, and will simply refuse to spend any money on it.

    2. Re:Well duh by argiedot · · Score: 5, Funny

      Absolutely, reminds me of an old joke:

      • Visitor: If there's quicksand in this part near the town why don't you put up a sign?!
      • Man: We did, but nobody was falling in so we thought it was useless.
      Ha ha.
  2. Dupe by suso · · Score: 5, Informative

    Here is the story from a few weeks ago

    And as I said before, the solution is to take back some of those huge class A blocks from companies like HP, Ford and GE, which are not using all the space. That would buy a few years.

  3. Is this REALLY a problem? by wild_quinine · · Score: 5, Funny

    Is this really a problem for most people? NAT really.

    1. Re:Is this REALLY a problem? by ModMeFlamebait · · Score: 5, Informative

      Except you can't NAT a NATted connection.
      Sure you can.
      --
      Pavlov. Does this name ring a bell?
    2. Re:Is this REALLY a problem? by Tranzistors · · Score: 5, Informative

      Last I heard, two NATted clients can't talk to each other.

      Unless you have port forwarding (or how do you kids call it these days)

    3. Re:Is this REALLY a problem? by totally+bogus+dude · · Score: 5, Insightful

      Sure, but that's because you control the NAT and can forward ports, so you can still accept incoming connections. If your public IP address (i.e. what other torrent clients will try to connect to) is controlled by your ISP, you're going to have a hard time getting them to forward the ports you need to you. In fact, they would have a hard time providing this service in a usable and cost-effective manner, even if they wanted to.

      Also, there's a good chance OpenBSD + PF is more accommodating of various protocols than an ISP's oversubscribed NAT gateway is likely to be. Even if they do their best, it can still get in the way. For example most gateways can handle FTP by watching for "PORT" or "PASV" messages and dynamically opening/forwarding the requested port (or rewriting it to use the port it wants), but this doesn't work if your FTP session is encrypted.

      Finally, a lot of the ISPs seem to be actively discouraging P2P, and will simply use "no more IP addresses" as an excuse to slap in NAT gateways that restrict people to web and email. If you want "raw internet", then you'll have to pay.

      With any luck there'll still be enough competition in the ISP space in 2010 to push the rollout of IPv6 onwards. A lot of the big ISPs will probably resist it, as a) it would cost a lot to upgrade and re-engineer their infrastructure to support it and b) they can make lots of money by charging a massive premium for routeable IPs. Not to mention that the media cartels will probably have convinced most people and politicians that the only reason one would want "raw internet access" is for piracy, child porn, and terrorism.

    4. Re:Is this REALLY a problem? by johannesg · · Score: 5, Insightful

      NAT is a really, really bad solution. It creates two classes of internet user: those that may run servers, and those that may not; a second-rank type of internet citizen, so to speak.

      Do you really want to live in world where you can only connect to the servers of your corporate overlords? Wasn't the internet supposed to be offering equal opportunity for everyone?

    5. Re:Is this REALLY a problem? by $pace6host · · Score: 5, Insightful
      Really, I bet there are huge tracts of IP real estate that would function just as well on NATted private networks. I work at a place that owns lots of IP networks, and 1) we're not allowed to run our own web servers, or any other kind of servers for that matter, and 2) all our outbound traffic is through corporate control points and filtered anyway. Still, the PC on my desk at the office has a public IP address. Do I NEED a public IP address? No. Not really. Most of my traffic is to internal company data anyway (share drives, internal sharepoint intranet collaboration site, outlook servers, inward facing development servers, etc.) The rest is already going through proxy servers. You couldn't get any packets direct to me, either, the routers on the edge of our network filter practically all inbound traffic out. I, and most of my colleagues, are wasting our public addresses. I'd bet it's the same in a lot of places. Corporate security policies essentially ensure that the majority of cubicle workers can't possibly make use of any of the "benefits" a publicly routable IP address would actually have, but every PC (and telephone and printer) has one.

      I'm not saying NAT is the best solution, or even the right long term solution, just that I think it could be used (fairly successfully) in many more places while we get our collective asses in gear and go IPv6.

    6. Re:Is this REALLY a problem? by anticypher · · Score: 5, Informative

      I'm so glad someone else is aware of this problem, NAT can't be infinite, or even large.

      I saw a Cisco presentation years ago on their experiences from rolling out NAT internally. They started with an address overload of a /24 (251 usable addresses) into a single external IP address. For an office with about 120 active machines, the NAT box (biggest, beefiest box they made at the time) completely fell over. With only light internet use, the NAT tables filled to take over all of the outgoing 65k ports in short time. That was in 1998, when most internet use was web pages, some email and simple IM. At the time, they recommended no more than a /26 (59 usable addresses) per external address.

      Move forward to 2007, and I made an updated presentation (for Cisco and non-Cisco NAT kit) that took into account all the new kinds of traffic we see, office workers who listen to internet radio, streaming video, youtube, multimedia conferences with H.323, peer-to-peer apps like Skype, other internet telephony apps, etc. Turns out that more than 15 to 20 active office users stuck behind a single overloaded external address would be the limit, even with a tight policy to prevent non-work traffic.

      It is much worse for ISPs with home users, who are not limited by workplace rules against peer-2-peer for popular TV shows or looking at pr0n pages. If you look at the typical pr0n page (it was a tough job, but I did it in the spirit of improving my understanding of the industry ;-), there will be between 200 and 300 embedded elements or links to affiliate sites and advertising partners. So every pr0n page view going through NAT takes 200 new external ports, with associated timeouts and state tables. A typical pr0n user (I'm guessing here, you the /. reader can supply your own values), can open a dozen or more pages in tabs in a relatively short period of time, leading to 10s of thousands of entries in the NAT state table. Remember, you have 65,533 maximum entries in the state table for a single external IP, or for a typical saturday night in basement-dweller-land, about 4 machines.

      Don't get me started about how many NAT states a typical 3Mbyte facebook page can open, and leave open for quite a while.

      If you think you can hide many ISP customers behind NAT, there are limits if you don't want a ton of calls to the support lines when your users can't effectively use the net. For modern home connections, that already have a NAT box with a handful of machines behind the NAT (Mom keeping 20 eBay pages open and doing Skype, Dad doing gaming, teenage son looking at pr0n and daughter with 20 different IM chats going while she P2Ps the latest TV episode and looks at 50 different bebo and facebook pages), you just can't NAT much more than that.

      That post was the voice of experience, if you want the nice real-world figures in a printed report and a keynote or powerpoint presentation to your CTO, you have to give me money.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
    7. Re:Is this REALLY a problem? by gnuman99 · · Score: 5, Insightful

      NAT is *the* *wrong* solution.

      Public IP addresses make it simple to have *proper* routing tables.

      There is also the ability to track users easily. Imagine you have one of your computers compromised. The computer is then used to control another box that controls another one that drives some botnet. If you have a NAT, the 3rd party that discovered their box compromised will trace it back to ... your NAT! And the NAT is not tracked 99% of the time. So, the compromised box on your site cannot be easily discovered without packet sniffing.

      Or an employee is involved in something illegal. The 3rd party produces their logs that list your NAT as the source of the problem. Which computer was used in that activity? You are stuck with tracing the stuff through screen loggers and other invasive BS just because NAT has to exist.

      NAT is the wrong solution because of liability. NAT is wrong solution from routing point of view. NAT is wrong solution from technical point of view. IPv4 would have been replaced years ago if it wasn't for stupid NAT gateways everyone has now. Yeah, these will be obsolete with IPv6.

      When I left school I thought NAT was the greatest thing in the world aside from sliced bread. Then real world experience forces you to realize that maybe the university usage of public IP on its internal network wasn't such a stupid thing after all. Public IP should be assigned to ALL devices, and then you can use a stateful firewall to protect these assets. Private IP networks should NEVER be connected to public IP networks - let's hope that dies with IPv4. The sooner the better.
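
Added example, not part of the thread and not any commenter's code: the attribution gap described in the comment above closes when the NAT gateway logs every translation. This Python sketch assumes a hypothetical log line format and uses constructed documentation-range addresses; it maps a third party's report (external IP, source port, time) back to the internal host, including the case where an external port is later reused by a different machine.

```python
from datetime import datetime, timezone

# Constructed sample log; the line format is an assumption for this example:
# time, event, proto, internal ip:port, external ip:port, destination ip:port
NAT_LOG = """\
2007-10-16T21:14:03Z ADD tcp 10.0.3.17:51324 198.51.100.7:40211 203.0.113.50:6667
2007-10-16T21:14:09Z ADD tcp 10.0.3.42:49152 198.51.100.7:40212 203.0.113.50:6667
2007-10-16T21:20:30Z DEL tcp 10.0.3.17:51324 198.51.100.7:40211 203.0.113.50:6667
2007-10-16T21:25:00Z ADD tcp 10.0.3.99:50000 198.51.100.7:40211 203.0.113.50:6667
"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_sessions(log):
    """Pair ADD/DEL events into (start, end, internal, external, dest) sessions."""
    open_, sessions = {}, []
    for line in log.splitlines():
        when, event, proto, internal, external, dest = line.split()
        key = (proto, external, dest)
        if event == "ADD":
            open_[key] = (ts(when), internal)
        elif event == "DEL" and key in open_:
            start, inside = open_.pop(key)
            sessions.append((start, ts(when), inside, external, dest))
    # Mappings still open at the end of the log have no end time.
    sessions += [(s, None, i, k[1], k[2]) for k, (s, i) in open_.items()]
    return sessions

def attribute(sessions, seen_at, external_ip, dest, external_port=None):
    """Return the internal hosts whose mapping matches a third party's report."""
    when = ts(seen_at)
    hits = set()
    for start, end, inside, external, d in sessions:
        ip, port = external.rsplit(":", 1)
        if ip != external_ip or d != dest:
            continue
        # Without the source port, every host talking to dest is a candidate.
        if external_port is not None and int(port) != external_port:
            continue
        if start <= when and (end is None or when <= end):
            hits.add(inside.rsplit(":", 1)[0])
    return sorted(hits)
```

A report that omits the source port or carries an imprecise timestamp narrows the search only to a candidate set, so abuse reports and gateway logs both need port and synchronized time to be useful.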

  4. Just buy a cheap SOHO router by blake1 · · Score: 5, Funny

    And put China behind it. IPv4 addresses, plenty. Botnet problem, solved.

  5. Time for the Government(s)? by grumbel · · Score: 5, Interesting

    One thing is rather clear to me: We won't run out of IPv4 addresses anytime soon, instead the price will increase more and more and thus people will end up behind ISP enforced NATs, because IPs are too expensive for the average consumer. This is after all already the case, at least in part, static IPs are a premium service, not something you get for free from most ISPs.

    So how to fix this? How about some good old government regulation? If you want to provide an "Internet service", you have to provide IPv6 or you can't call it "Internet". With a little force it shouldn't take all that long till the switch to IPv6 is done. But unless that happens the rarity of IPv4 addresses will simply be seen as a nice way to make money, instead of a problem that needs to be fixed.

    1. Re:Time for the Government(s)? by zsau · · Score: 5, Funny

      Or just ban porn sites from using IPv4. Everyone's happy then: Think of the Children types will have porn apparently banned, techies will see IPv6 adopted widely, and civil liberties types will have porn available if they want it.

      --
      Look out!
  6. People are starting to work on solutions by Anonymous Coward · · Score: 5, Informative

    The basic solution to this problem is to deploy IPv6 as soon as you can, figure out what problems remain to be solved before you can use IPv6 100% and then put pressure on your ISPs, vendors, etc. to solve these problems. That's how the Internet grew like topsy in the first place, and it's not too late to get this going. Two to three years is enough time.

    ARIN has published a web site which collects information about how to move to IPv6 here: http://www.getipv6.info/
    It's oriented towards the things that ISPs and other service providers (hosting centers, large IT depts) need to do to get IPv6 working in production.

    Soon, the stock market analysts will be asking the big ISPs and telecom companies what actions they are taking to avoid going bankrupt in two years when the crunch hits. Any company that can't get new IPv4 addresses will have to stop growing their IPv4 networks. If they have an IPv6 network to take up the slack, no problem. If not, then customers will flock to the providers that have IPv6 ready to roll.

    There was a network operator meeting at NANOG recently where they showed that it is almost possible to provide full Internet access, both IPv4 and IPV6, using an IPv6 connection. Yes, I know, "almost" means there were problems, but they were not massive problems. They were the kind of things that people were working on fixing with IPv4 networks back in the early 90's. And they did that because they went ahead and built IPv4 networks and tried to make them work for everything imaginable. When things broke, they fixed the bugs and moved on, eventually becoming the global Internet that we know today.

    There is a way to avoid going bust when the address crunch hits in two-to-three years and that is: Get yourself IPv6 Ready!

  7. Three Things for Widespread IPV6 Acceptance: by JoeD · · Score: 5, Informative


    1. Home routers that support IPV6 off the shelf.

    2. Cable/DSL modems that support IPV6 off the shelf.

    3. (The biggie) ISPs that hand out IPV6 addresses.

    In a vain attempt to forestall the inevitable followups:

    Yes, I am aware that I could install new software in my WRT-54G, and convert my home network to IPV6. But as long as my upstream connection is IPV4, this gains me NOTHING except a bunch of aggravation and downtime getting the thing set up. No thanks. When my ISP supports IPV6, then and only then will it make sense for me to convert.