China To Run Out of IPv4 Addresses In 830 Days
JagsLive writes "China is running out of IP addresses unless it makes the switch to IPv6. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet. Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used."
Try the whole world. According to this counter, the world will be out of IPv4 addresses in 768 days.
> When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that!
The firewall is more figurative than literal. My understanding is that it basically bans certain IPs/domains. That can be done with a stateless system, while a true NAT/firewall would need to track all packets of all connections of all users. Not impossible, but insanely expensive. Plus it would have the unpleasant side effect of actually firewalling China (i.e. no incoming connections), whereas now they just don't let you view certain things.
The whole point is largely moot anyway. First, as was pointed out above, the entire world is estimated to run out in about 780 days, so they've apparently got more time than the rest of us. Second, the primary usage of IPs comes from blocks assigned to institutions and businesses, with the latter _requiring_ incoming connections. Could a business have one public IP and NAT/load balance their servers and whatnot? Sure, but they could always switch to IP6, which is gonna be a lot cheaper than all these NATs.
Heck, they already firewall everybody -- why not just break IPs up into NATted subnets? The 10.x.x.x range should give them enough room for a while, right?
Hmm.... 16,777,216 IP addresses divided by 1,300,000,000 citizens.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
So the world runs out of addresses before China runs out?
The world will run out of new blocks to allocate (as in "254.xxx.yyy.zzz"), before China gives out all addresses in the allocated blocks it has (as in "www.254.254.254").
Nonetheless, IPv4 can only provide a little lower than 253^4 different addresses. What makes it worse is that it's allocated in chunks (some chunks are reserved like the 127.x.y.z family - other addresses may be free but land in a range which is allocated to some company and thus can't be used by your computer).
Thus even if some providers use dynamic IP (only those machines which are connected have an IP address - thus an ISP needs a chunk only as big as the number of simultaneously connected users, not as the total number of subscribers), and a lot of routers use NAT (only 1 single IP address is visible on the internet. All the machines are visible through this address and use a private address on the internal network),
in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week, we will quickly run into a situation where no more IPv4 addresses can be assigned to a new machine:
- the ISP has run out of addresses in its chunk because there are more simultaneous connections (because everyone stays perpetually connected) than there are free addresses in the chunk (China will reach this point in 2-3 years)
- and there are no more new free chunks to allocate for the providers (all are already either reserved like the 10.*.*.* and 192.168.*.* range, or have already been allocated to others) thus no way to give more chunks with more IPs to the ISPs (the world will reach that point too in about 2 years).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
An ISP can NAT big chunks of its user network
And in so doing break any application that needs to receive incoming connections.
This behavior is by design. The standard terms for residential service plans already restrict "running a server". FTP clients can use passive mode.
The exhaustion of IPv4 address space - dated 17th October, 2005
You are right, there's a whole lot of articles talking about this problem. And there have been people touting the NAT silver bullet for as long as the shortage has been known about. The interesting thing is that the rate of IPv4 consumption has kept increasing regardless.
That sounds like a huge step backwards. Hopefully it won't come to that.
Obligatory XKCD.
As you can see, Asia has several /8 blocks allocated to it. I'll bet China has a few of those /8 blocks.
Besides, NATs can only handle 65536-1024 connections (number of ports minus 1024 reserved).
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
5 years? People were saying the same thing when I was in grad school 15 years ago.
IPv6 allows addresses to be assigned very sparsely, which simplifies routing tables a lot. Back in the early days of IPv4, you could look at the first octet of an address and make a routing decision. The next router would look at the next octet, and so on, and so you only needed 256 routing table entries in each one. The network was conducted as a tree. You'd send a packet to the local router, which would say 'this isn't in my local network, send it up a tier' until it got to one that could start sending it down again.
With CIDR, you stopped being able to do this. Addresses were allocated in blocks of 256, so you had to look at the first three octets to make a routing decision. This meant you need up to 16,777,216 routing table entries. With IPv6, this is no longer required, and you can go back to having the IP addresses roughly corresponding to the network topology.
I am TheRaven on Soylent News
It isn't backwards compatible in any real sense with IPv4. You might as well switch to a different protocol entirely than switch to IPv6. IPv6 can talk back to IPv4 through crazy tunnels that nobody but people on slashdot understand. But nobody on IPv4 can talk with IPv6 easily (from my understanding, anyway)
Plus, IPv6 doesn't solve any other problem besides address space. It doesn't solve:
1) Roaming between different networks and keeping your sessions alive.
2) Multicast in any kind of sane way. Nobody cares about where a named document is served from--chunks might come from my microwave, my cell phone, my neighbor's dog collar... I don't care. All I care about is that the document originally came from the right source, it is the most current version, and it hasn't been modified. Think BitTorrent meets GNUtella meets Freenet, only way down in layer 3, not the application layer.
3) Mesh networks. Ever try to set up a mesh of wireless network access points and maintain a sane address scheme? Think of the hacks your cell phone provider must use.
4) Doesn't do a damn thing about DDOS attacks or other kinds of network nasties. It doesn't matter how good your firewall is if an attacker can flood one end of it.
5) Doesn't provide any real authentication. The network itself should let you be as anonymous or as "real" as possible. Fixing SPAM of all forms requires real authentication at the deepest bowels of the network stack. Layer 3 could be handling authentication for SMTP, IMAP, HTTP, AIM, whatever-- right now every protocol has to re-invent their authentication scheme... some suck (OpenID, which doesn't work with anything but HTTP) some are pretty slick (SSH + public key crypto), some are even at layer 2 (WiFi - WEP/WAP).
6) Doesn't somehow magically fix the ability for people to use botnets or open proxies to screw you over. I dunno how you fix this, or if you even really can. All I know is right now the IP address is meaningless... it is useless to block IPs, it is useless to use an IP for tracking a session (a single AOL user hitting your page will use several IP addresses). Maybe layer 3 needs some kind of "cookie" or way to maintain a session that doesn't require a stable network address. That way, a session could be maintained even if I hop between access points and change network addresses.
Does Intrade take bets on IPv6 adoption? I'd like to put money on it never getting widely adopted. I'd wager some guy like Vint Cerf will pimp a new, better protocol by the time we really, really run out of IP addresses. I'd also wager this magical new protocol will solve at least a few of the problems I've given above. I also would bet it will challenge how we look at the network... maybe the OSI network model isn't the best way to think about networking?
First, big players already NAT.
For law enforcement, many big players log mappings (ip:port -> ip:port), but not all packets unless you are in perhaps a corporate situation where it may be going through a filter.
For incoming connections, when we really do get close to running out, it's inevitable you'll pay the $5/month for an ip address. You can usually do this through a static IP address option already.
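The ip:port -> ip:port mapping logs mentioned in the comment above, as an added example that is not part of the original thread: resolving a public address, port and time back to the internal host during an investigation. The log layout, addresses and function names are constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records; the column layout is an assumption:
# start  end  internal_ip:port  public_ip:port
SAMPLE_LOG = """\
2008-09-01T10:00:00 2008-09-01T10:05:00 10.1.2.3:51000 203.0.113.7:40001
2008-09-01T10:02:00 2008-09-01T10:03:30 10.1.9.9:51000 203.0.113.7:40002
2008-09-01T10:06:00 2008-09-01T10:09:00 10.4.4.4:33000 203.0.113.7:40001
"""

def parse_endpoint(text):
    """Split 'ip:port' into (ip_address, int)."""
    host, _, port = text.rpartition(":")
    return ip_address(host), int(port)

def parse_log(text):
    """Turn each non-empty line into a mapping record."""
    records = []
    for line in text.splitlines():
        if line.strip():
            start, end, inside, outside = line.split()
            records.append({
                "start": datetime.fromisoformat(start),
                "end": datetime.fromisoformat(end),
                "inside": parse_endpoint(inside),
                "outside": parse_endpoint(outside),
            })
    return records

def active(records, when):
    """Records whose mapping was live at `when` (end is exclusive)."""
    ts = datetime.fromisoformat(when)
    return [r for r in records if r["start"] <= ts < r["end"]]

def who_had(records, public_ip, public_port, when):
    """Internal (ip, port) that held public ip:port at `when`, or None."""
    key = (ip_address(public_ip), public_port)
    hits = [r["inside"] for r in active(records, when) if r["outside"] == key]
    if len(hits) > 1:
        raise ValueError("overlapping mappings for one public ip:port")
    return hits[0] if hits else None

def hosts_behind(records, public_ip, when):
    """Every internal host sharing `public_ip` at `when`."""
    ip = ip_address(public_ip)
    return sorted({str(r["inside"][0]) for r in active(records, when)
                   if r["outside"][0] == ip})

RECORDS = parse_log(SAMPLE_LOG)
```

With only the public IP and a time, `hosts_behind` returns two internal hosts at 10:02:30; the lookup becomes unique only when the remote server also logged the source port and an accurate timestamp.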
http://debian6to4.gielen.name/
generates a configuration specifically for your computer, based on its IPv4 address.
This way your entire local network will have real IP addresses, while you only need a single IPv4 address.
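The address derivation behind a 6to4 setup like the one described above, as an added example (not the linked generator's code): the /48 prefix is 2002: followed by the 32 bits of the public IPv4 address, and the same mapping lets a defender recover the IPv4 gateway from 6to4 sources seen in logs. Function names and sample addresses are constructed.

```python
import ipaddress

# RFC 1918 ranges: a host that only has one of these sits behind NAT and
# cannot derive a usable 6to4 prefix from it.
PRIVATE_V4 = [ipaddress.IPv4Network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sixtofour_prefix(public_v4):
    """Return the 2002:V4ADDR::/48 network for a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in PRIVATE_V4):
        raise ValueError(f"{v4} is private; 6to4 needs the public address")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    value = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((value, 48))

def embedded_gateway(v6):
    """Return the IPv4 address inside a 6to4 address, or None otherwise."""
    return ipaddress.IPv6Address(v6).sixtofour

def group_by_gateway(addresses):
    """Group IPv6 source addresses by the IPv4 gateway they map to."""
    groups = {}
    for text in addresses:
        gw = embedded_gateway(text)
        groups.setdefault(str(gw) if gw else None, []).append(text)
    return groups

# Constructed sample of IPv6 sources as they might appear in a server log.
SAMPLE_SOURCES = [
    "2002:cb00:7107:1::5",
    "2002:cb00:7107:2::9",
    "2001:db8::1",
]
```

Two sources that look unrelated in different /64s collapse to one IPv4 gateway once the embedded address is extracted, which matters when rate limits or blocklists are keyed on the IPv6 address alone.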
your examples are wrong.
HEX: 4 bits per byte, takes 32 chars to encode IPv6 Address
Base32: 5 bits per byte, takes 26 chars to encode an IPv6 address
Base64: 6 bits per byte, takes 22 chars to encode an IPv6 address
You can see the return on investment is pretty small for base32 and base64, since it costs you the transparency of the output.
try again.
I've been using IPv6 since about 2001, but after the BT Exact Tunnel Broker stopped, I was lost as to where I could get access from. I signed up with SixXS, but they have rather tight (anal, some would say) policies. They'll give you access, etc, but a single bounced/rejected email, and they disable your account. http://www.sixxs.net/faq/account/?faq=bounces.
Then I gave Hurricane Electric's Tunnel Broker a try. What a breath of fresh air. It takes about 2 mins from sign-up to being connected - they give you the relevant commands to run too, if you're not familiar with it. If you've got 2 mins to try it out, give them a go.
And Slashdot - how can you be one of the top tech sites, and not be accessible over IPv6? And throw in SSL too, while you're joining the 21st century.
Get your own free personal location tracker