Slashdot Mirror


China To Run Out of IPv4 Addresses In 830 Days

JagsLive writes "China is running out of IP addresses unless it makes the switch to IPv6. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet. Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used."

34 of 619 comments

  1. What is the point in having a public IP address by jeffmeden · · Score: 5, Insightful

    When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that! Flatten it to a /8 network in 10.0.0.0 and put it all behind one public IP. Problem solved!

    1. Re:What is the point in having a public IP address by nbert · · Score: 2, Insightful

      This solution provides 2^24 addresses which is about 16.7 million. I don't know how huge their address space currently is, but given their population size it's pretty obvious that this wouldn't work out (IIRC around 10% of the population had access to the internet in 2006).

  2. Netizen? by Anonymous Coward · · Score: 5, Insightful

    Netizen is a really stupid word, we really don't need more buzzwords.

  3. China will be first to use IPv6 by QuoteMstr · · Score: 5, Insightful

    I predict that we'll see China begin to use IPv6 addresses before most other people. Why?

    • Extreme scarcity of IPv4 addresses: China gained internet access well after the era of enormously wasteful address assignment ended.
    • The great firewall is always set up as a traffic relay. Not only does it provide a natural point to set up an IPv6->IPv4 NAT gateway, but running IPv6 internally makes it that much more difficult for dissidents to bypass the firewall.
    • China's strong central state would allow mandating of IPv6 and near-instantaneous implementation.
    • Chinese sites are accessed by relatively few non-Chinese. Therefore, the penalty for running an IPv6-only site inside China would not be very great.

    Granted, I'm no fan of China's human rights policies. But it definitely has an advantage in terms of adopting IPv6. Hopefully, when China switches protocols, it'll catalyze the rest of the world to do so as well.

  4. Re:830 days? China? by mollymoo · · Score: 5, Insightful

    If 25 companies (are there even that many with /8s?) gave back their entire allocation, that would still only add 10% to the pool. That might buy a little time (a year, if we're at 80% and have two years left), but it's hardly going to solve the problem.

    --
    Chernobyl 'not a wildlife haven' - BBC News

  5. NAT is not a solution by QuoteMstr · · Score: 5, Insightful

    NAT is not a solution. It's a huge, gigantic clusterfuck of a problem. Some people only started their careers after NAT was widespread, so they can't imagine how wonderful the world is without it. The internet is much simpler when you can assume that all nodes can directly address all other nodes.

    Look: this is what we've done.

    In the beginning, each endpoint of a TCP (or UDP) connection looked like this:

    [octet][octet][octet][octet][16-bit port]
    (-----------host-----------)(--service--)

    Each octet was routed hierarchically, and the port acted as an additional level of routing within a single node.

    With CIDR, the model moved to this:

    [32-bit opaque address][16-bit port]
    (-------host----------)(--service--)

    This change didn't hurt anything, aside from an increase in router complexity. It allowed the 32-bit address space to be used much more efficiently.

    Now with the IP address shortage, the situation looks like this:

    [48-bit address]
    (----?---------)

    Note how we've lost the distinction between host and service and smushed them all together into one huge opaque number. We've caused ourselves lots of problems with this:

    1. One can no longer tell which service is being used based on part of an endpoint address (i.e., the port). Firewalls, proxies, and so on become much more complicated.
    2. Only part of the endpoint address is provided by DNS. (I'm ignoring SRV records, which nobody uses.) Thus, part of the address needs to be hardcoded:
      • Every damn piece of software has to have a knob to control what port to use.
      • When software is too much trouble to configure, we use hardcoded port-parts. Consider SMTP and HTTP. When the port-portion of the big smushed address is hardcoded, Herculean efforts have to be made to route these services through NAT. Good luck if you want to run more than one SMTP server behind a given NAT gateway.
    3. 48 bits still isn't enough to satisfy growing demand. What happens when you can't address the endpoint you want even if you use all the address bits and all the port bits? Do we start piling on in-band multiplexing? Should every protocol necessitate something like HTTP 1.1's host header?
    4. Getting a publicly-routable endpoint address involves talking to one or more routers, which may or may not allocate a port for you. And this portion of the endpoint address is highly dynamic.
    5. Because of the last reason, protocols that involve callbacks are complicated. FTP, for example, made perfect sense in the days before NAT. Now, it's viewed as a problematic pain in the ass that always needs special NAT rules and connection tracking to accommodate it.

    These days, instead of saying "connect to mydomain.foo.cx", for example, you have to say "connect to mydomain.foo.cx at port 12345". That's out-of-band address information, and should never be needed. Imagine if DNS only gave you the first three octets of an IP address, and every application required you to type in the last one manually. That's what the world is like today!

    1. Re:NAT is not a solution by QuoteMstr · · Score: 4, Insightful

      Let's ignore in-band multiplexing being a messy hack. Let's ignore the lack of consistency between multiplexing schemes. Let's ignore the immense complexity of making routers understand every stupid little application-level protocol. Let's ignore the latency introduced by waiting for a connection to open before knowing where the next hop goes.

      Even after all that ignoring, your proposal won't work. Not with anything resembling today's equipment anyway.

      I'm Bob, you're Alice. (We can switch; I'm flexible.) You want to initiate a call to me. Let's say we've registered with a central directory, and the directory tells you that I'm at address A.B.C.D:12345.

      But wait -- back up. What right do I have to use A.B.C.D:P? As far as I'm concerned, I'm at 192.168.1.1. So I connect to the directory and tell it I'm at 192.168.1.1, listening on port 12345.

      The directory replies "what the hell are you talking about? That's not a public IP. Your public IP is A.B.C.D.". If you, Alice, try to connect to me at 192.168.1.1, the connection will fail, or go to your annoying friend Carol, whom you really don't want to talk to. OTOH, if the directory replies with A.B.C.D, how are you supposed to connect to me? Remember, I'm listening at 192.168.1.1 at port 12345.

      Either I have to talk to my ISP and tell it "give me an external port and forward traffic on that port to 192.168.1.1 port 12345", or the directory server has to talk to A.B.C.D and tell it "Oh yeah. Your client 192.168.1.1. He's listening on port 12345. He told me so. Give me a port I can connect to you on that will have traffic go there."

      The second scheme is clearly a security problem. The first requires cooperation from ISPs. UPNP sort-of addresses the issue, but not really very well at all.

      Basically, you're reinventing an entire routing protocol. Poorly.

      You need to upgrade ISP equipment to allow this sort of chit-chat to go on whenever somebody wants to listen for a connection.

      What happens if your ISP is itself behind a NAT? What happens when you run out of ports?

      The way you propose, it's turtles all the way down. It'd still be cheaper to just adopt IPv6 in the first place.

    2. Re:NAT is not a solution by QuoteMstr · · Score: 2, Insightful

      *sigh* With people like you, who needs strawmen? Did you read my post?

      Dividing the internet between "public, static" servers and "public, transient" ones results in a whole host of problems that I've mentioned. Even if you could make UPnP work reliably, and even if you could avoid running out of port numbers as well as IP numbers, you'd still be left with the problems I mentioned.

      FTP is only legacy because it dates from a better, vanished time when simple, direct, bidirectional connections were possible. There's nothing wrong with FTP: there's something disturbingly wrong with UPnP!

  6. Re:In other news by fabs64 · · Score: 3, Insightful

    Not a week goes by where someone doesn't trot out a new statistic on how P2P uses the vast majority of bandwidth on the internet. And you suggest NAT will be the solution to limited IP addresses.
    *sigh*

  7. Please by fahrbot-bot · · Score: 3, Insightful

    stop saying "netizens".

    --
    It must have been something you assimilated. . . .

  8. Why is everyone talking about pushing back IPv6? by bugg · · Score: 4, Insightful

    Why is everyone in the comments talking about various steps (reallocating large blocks, more widespread NAT, etc.) that would allow us to push back IPv6?

    It seems that we are very close to the point where every device supports IPv6 (Vista adoption is helping this) but just isn't using it. Let's start turning it on. What better way to help the adoption than by having users who are IPv6 only complaining?

    --
    -bugg

  9. Return more /8 addresses? by HockeyPuck · · Score: 3, Insightful

    Why can't some of the owners of /8 address spaces return them back to be re-allocated?

    For example, HP owns 15.0.0.0 through 16.0.0.0 (~33m IP addresses); can't they get by on just ONE class A network?
    Apple owns 17/8
    MIT owns 18/8
    US Postal Service 56/8.
    http://www.iana.org/assignments/ipv4-address-space/

    Do all these companies need to have ALL of their devices on publicly routable IP addresses? From a security standpoint, I would hope not. Odd, since IBM, a company much larger than MIT and Apple, can get by on just one /8, and I'm having trouble believing that HP requires 2 /8 networks.

    We talk about making our datacenters "green" by consuming less power, there's got to be an equivalent for consuming fewer public IP addresses.

    I've just finished re-IPing our datacenter (~5000 servers), not to release IP addresses back, but to undo the damage done by years of seemingly randomly assigning IP addresses to servers in our datacenter. Yes it's a pain, but so is any form of cleaning up your datacenter (cabling for example).

  10. Re:830 days? China? by Anonymous Coward · · Score: 3, Insightful

    A year is a lot of time. Think how much cheaper computers/routers get in a year. That's a lot of expense saved if they can delay switching over for a year.

  11. Re:Blocks vs. sub-blocks. by Darth_brooks · · Score: 4, Insightful

    in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week, we will quickly run into a situation where no more IPv4 address can be assigned to a new machine

    And tell me again why my fridge will be on a public IP, rather than the 192.168.1.xxx address my Best Buy $49.99 Linksys router will give it?

    Even better, explain to me why I, as Joe Sixpack will *need* my fridge on a public IP where every flaw and exploit will be passed directly to it, rather than dropped at the NAT box?

    Or better still, explain why a small business with 60 users should have every last user on a public IP?

    Or why a college or university needs to put every last workstation, printer, AP, and toaster on a public IP address?

    NAT exists because NAT works. No, it is not the be all end all for any perceived IPv4 woes, but there is a metric assload of stuff out there with a public IP that either should be, or desperately NEEDS to be on a 10.xxx.xxx.xxx network.

    --
    There are some people that if they don't know, you can't tell 'em.

  12. Re:Blocks vs. sub-blocks. by TheRaven64 · · Score: 4, Insightful

    So you can connect to your fridge and see if your milk has gone off from outside your home? NAT does not give security. A firewall gives security, and most NAT devices also do firewalling. If you don't want your fridge to be accessible from anywhere outside your network, or only from a set of VPN locations, then you can easily configure your firewall to block inbound connections to it (which is likely the default anyway).

    Does your small business with 60 employees want to use IP telephony? In this case, each PC (or each telephone) needs a public IP. You can get away with routing this at the application layer, but why bother when it doesn't actually gain you anything?

    --
    I am TheRaven on Soylent News

  13. More to the point by Viol8 · · Score: 2, Insightful

    Why will white goods need to be on the internet at all?

    I mean a *good* reason, not just the usual re-hashed fridge-can-reorder-beer-for-you Jetsons style drivel that is laughably spoken about as some vital function by techno evangelists.

    1. Re:More to the point by deraj123 · · Score: 4, Insightful

      I'll answer your question with another:
      Why not?

      Seriously. This whole "X doesn't NEED to be on the internet" is a ridiculous argument. It's simply saying "oh, having a PC and computer type equipment on the internet should be enough for anybody". The whole point of this internet thing is innovation. Sure, a fridge doesn't NEED to be on the internet. Unless I want it to have some functionality that requires internet connectivity. Same with my computer. It functions just fine, and doesn't NEED to be on the internet.

      And why is "fridge can reorder beer for you" drivel? Is there some reason that a fridge SHOULDN'T reorder your beer? Sure, it's not a vital function, but neither is most of the stuff that our technology does. Again, this is what innovation and technology is all about - improving the standard of living, making things easier, etc.

    2. Re:More to the point by Viol8 · · Score: 2, Insightful

      "I'll answer your question with another:
      Why not?"

      Because it's added complexity that will add to the price and probably reduce the reliability. Instead of the manufacturer spending money on important things like good energy efficiency they'll waste R&D on crap like this that only appeals to a tiny minority of geeks.

    3. Re:More to the point by kat_skan · · Score: 2, Insightful

      And why is "fridge can reorder beer for you" drivel? Is there some reason that a fridge SHOULDN'T reorder your beer?

      Man, all kinds of reasons.

      • Because I got two cases last time I was at the store, and the fridge only knows about the one that's cold.
      • Because I already got some on the way home.
      • Because my buddy gave me some that he brewed.
      • Because I want a different kind this time.
      • Because I threw a party and had ten times as much in my fridge as I normally want.
      • Because money's tight this month, and I have to decide between beer and electricity.
      • Because it's on sale at the store up the road if you also buy chips and dip.
      • Because the place I like to shop doesn't do online orders.
      • Because I'm going on a cruise and don't need to order more beer for a month.

      My refrigerator—indeed every device I own—is too damn stupid for me to ever think it'd be a good idea to let them spend my money. Especially when it's something I could effortlessly do myself.

    4. Re:More to the point by OverZealous.com · · Score: 3, Insightful

      When discussing putting every device online with a distinct IP (especially IPv6), I've never seen anyone mention the ISP element. What happens when you all of the sudden need to add several dozen new devices to your internet connection?

      What I mean is, ISPs (at least, U.S. ISPs) right now are trying everything possible to charge money. They charge for every single static IP, small bumps in speed, etc. I remember when they wouldn't even talk to you over the phone if you had a router in place.

      So, imagine that every device expects to be statically placed online. Now, all of the sudden, to use your Wii or PS3, access your fridge's web server, log into your coffee pot, or update your in-home automation and security system, you have to pay your ISP a small add-on monthly fee.

      My point here is that NAT or an equivalent cannot and will not go away. The overwhelming majority of devices just don't need open web access. Instead, these devices should be routed through some sort of obscuring and securing device. If a home-owner needs to access their fridge, they should first log into their home-portal, which provides access to their in-home network.

      Besides, someone else mentioned the store sending advertisements to my fridge. Thanks but no thanks. I'll just visit your website if I'm interested in the current ads.

  14. Re:Blocks vs. sub-blocks. by NFN_NLN · · Score: 4, Insightful

    Even better, explain to me why I, as Joe Sixpack will *need* my fridge on a public IP where every flaw and exploit will be passed directly to it, rather than dropped at the NAT box?

    What you want is a firewall not a NAT. A firewall will protect you just the same and allow people to initiate communication as YOU desire.

    Or better still, explain why a small business with 60 users should have every last user on a public IP?

    There are quite a few examples why this is important but here's one. Why can't all students / businesses have a public IP with an exposed port for VoIP? Why do VoIP products have to have complicated NAT traversal software that doesn't always work and at the very least just adds useless overhead?

    It's called a firewall. Set one up and stop spreading FUD.

  15. Re:830 days? China? by SanityInAnarchy · · Score: 2, Insightful

    I imagine they could have more than one outward-facing IP. Two would mean they have two 16-bit port numbers to choose from. That would actually be enough, given that it's doubtful they're using more than a /8 network.

    Of course, I'm assuming GP wasn't joking. I don't know -- never heard of China NAT-ing.

    --
    Don't thank God, thank a doctor!

  16. Duh by lord_sarpedon · · Score: 2, Insightful

    Had every router shipped since 3 or so years ago been required to have a) IPv6 support w/ stateful firewall on by default for internal hosts and b) a "turn on 6to4" button, we would have been near done already. That simple. You can do it with current routers with firmware mods and a lot of work.

    --
    "Strangers have the best candy" -Me

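
The "turn on 6to4" button above rests on one address trick: a 6to4 router takes its public IPv4 address V4ADDR and uses the IPv6 prefix 2002:V4ADDR::/48 (16 bits of 2002, the 32 address bits, 16 subnet bits, a 64-bit interface id), so no allocation from anyone is needed. The following is an added example, not router firmware or code from the thread; it uses an RFC 5737 documentation address, and its list of "not globally routable" ranges (RFC 1918, loopback, link-local) is an assumption standing in for the full IANA special-purpose registry.

```python
"""6to4 prefix derivation (RFC 3056), constructed example for this thread."""
import ipaddress

# Assumed stand-in for "not globally routable": RFC 1918 plus loopback and link-local.
NOT_GLOBAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Prefix a 6to4 router derives from its public IPv4 side. A private address is
    rejected: that is exactly a router sitting behind someone else's NAT, which 6to4
    cannot work through, since the relay must reach V4ADDR directly."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NOT_GLOBAL):
        raise ValueError(f"{ipv4} is not globally routable; 6to4 needs a public IPv4 address")
    bits = (0x2002 << 112) | (int(v4) << 80)  # 2002 | V4ADDR | zeroed subnet + interface bits
    return ipaddress.IPv6Network((bits, 48))


def host_address(prefix: ipaddress.IPv6Network, subnet: int, iid: int) -> ipaddress.IPv6Address:
    """One of the 65536 /64 subnets under the /48, plus a 64-bit interface identifier."""
    if not 0 <= subnet < 2**16 or not 0 <= iid < 2**64:
        raise ValueError("subnet must fit in 16 bits and iid in 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet << 64) | iid)


def embedded_ipv4(ipv6: str):
    """Reverse direction, as a 6to4 relay does it: the IPv4 address packed into a
    2002::/16 address, or None if the address is not 6to4 (stdlib IPv6Address.sixtofour)."""
    return ipaddress.IPv6Address(ipv6).sixtofour


if __name__ == "__main__":
    p = sixtofour_prefix("203.0.113.5")  # RFC 5737 documentation address, constructed input
    h = host_address(p, 1, 0x10)
    print(p, h, embedded_ipv4(str(h)))
```

The embedded-address check is also the defensive one: a relay that accepts 6to4 traffic should only ever decapsulate toward the IPv4 address recovered from the 2002: prefix, so a packet whose inner source does not match its outer IPv4 source is spoofed and should be dropped.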
  17. Re:IPv6 also temporary by mollymoo · · Score: 2, Insightful

    You have absolutely no conception just how big a number 2^128 is, do you? Every human who has ever lived could have a billion devices, each with a billion sub-components with their own public IP address. Doing that would use less than one billionth of the address space.

    --
    Chernobyl 'not a wildlife haven' - BBC News

  18. Re:830 days? China? by Midnight+Thunder · · Score: 4, Insightful

    A year is a lot of time. Think how much cheaper computers/routers get in a year. That's a lot of expense saved if they can delay switching over for a year.

    It's simpler if people just started accepting that IPv6 is going to happen and adjust accordingly. For me it's like having to accept Y2K was going to happen and acting accordingly. Believe me it's much simpler to code the applications than go through the politics, and possibly technical issues, of getting someone to give back a block they don't appear to be using.

    Get your ISP and your router manufacturer to provide you an IPv6 solution. That too is probably not easy, but if we all start making noise then they will start doing something - hopefully.

    --
    Jumpstart the tartan drive.

  19. Re:Blocks vs. sub-blocks. by QuoteMstr · · Score: 4, Insightful

    Actually NAT DOES provide some sort of security.

    Sure, in the same sense that crushing an airliner into a cube makes it useless for terrorists. NAT breaks the internet, and when you break something, it's useless because it's broken.

    You can filter packets with a firewall without doing any NAT at all. In fact, your life would be a lot easier without NAT. There would be no need for configuring ports. There would be no need for mapping and configuring and making and unmaking.

    You'd plug things in, and they'd just work. Globally. You can allow connections to your fridge from work, or from anywhere. A firewall could do that. The fridge itself could do it. But you'd still be connecting to your fridge, and not some random port on some arbitrary gateway machine somewhere.

    Going with your fridge analogy, why should it be a bad thing for a grocery store to connect to all the fridges it knows about in order to tell them about new products? Why this artificial distinction between "inbound" and "outbound" traffic?

  20. Re:Maybe the market doesn't want IPv6? by squizzar · · Score: 2, Insightful

    There has been research, lots of it, and conferences and RFCs and discussion and development and testing and everything else and it led to IPv6. You seem to suggest that someone is going to come up with a magic 'new' network protocol from out of their arse, which seems unlikely. Nobody wants IPv6 because for the most part IPv4 works for them. When that stops happening there will be a shift towards IPv6 (hopefully, I can imagine there will be some horrible bodged setups that sort of work, but not on Tuesdays if it's raining before then). The other issue is that people are afraid of having to remember longer numbers.

  21. Re:Maybe the market doesn't want IPv6? by Just+Some+Guy · · Score: 2, Insightful

    Seems to me like nobody wants IPv6.

    They will - in about 831 days. It's like the idea behind Peak Oil, where instead of an instant failure one day, there will be a shift toward exponentially increasing prices. I don't know if Peak Oil will happen, but in about two years Peak IPs certainly will.

    IPv6 is the working technology that we have available. There aren't any viable alternatives in the pipeline that I'm aware of, and certainly none far enough along that they'll be well-tested and ready for use in that short of a time period.

    --
    Dewey, what part of this looks like authorities should be involved?

  22. Re:Blocks vs. sub-blocks. by raju1kabir · · Score: 3, Insightful

    For the average user, they're interchangeable.

    That's a consequence of the way things have evolved, not a characteristic of the essential nature of things.

    The only reason we have these NAT boxes is because ISPs didn't give each customer a whole bunch of IPs. If they had, then we'd have the same boxes, but call them firewalls.

    You are trying to justify something based on its existence. That's what we call a circular argument.

    Why can't everyone have one? Because not everyone NEEDS one.

    From such statements does infamy arise.

    How do you possibly know whether or not it might be useful to have independent addressability for orders of magnitude more devices than have it now? Have you already invented all the things that this might bring about, and pronounced them useless? What a remarkably shortsighted view.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS

  23. Re:830 days? China? by jellomizer · · Score: 2, Insightful

    NAT is not ugly. It is actually an elegant solution. Take into account that most computers are not servers, and don't need a real IP address. Many servers can host multiple domains with one outside IP address. The world population is about 6 billion with 4 billion addresses available. With a proper network we can have a clean NATed network for years to come on one outside IP address for 6 people, taking 1/4 of the addresses, leaving an average of 3 servers per person, which can also be NATed down at a higher level at an average of 20 servers per IP address. So we can bandaid the problem for a long time with no ill effects. Getting people to switch to IPv6 is tougher. If we were to do that we should have done it back in 1994.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  24. Re:Nobody is motivated to fix this by Xugumad · · Score: 2, Insightful

    > If we all switch to ipv6 now, then everyone on the existing internet has incurred a cost,

    Erm, no? Okay, so there's a cost for the sys-admin time at backbones, DNS servers, and a few other places that need to be adapted. Customers out at the edges don't need to worry about this, IPv4 will continue to work well until they're ready to upgrade.

    Why does everyone see these as mutually exclusive options?

  25. (false) NAT security by himi · · Score: 2, Insightful

    Okay, I'm a little sick of seeing this argument.

    Network/port address translation is /not/ a security system. It is /not/.

    A NAT box is two things: an address translation system, and a /router/. The router is just the same as any other router - if you send it a packet with a destination address that it knows how to route, it will forward it along to that destination, regardless of any NAT rules you might have in place. If you send it a packet addressed to 192.168.1.23 from the public side, and that address is routable as far as the NAT box is concerned, /it will forward it on/. I could sit on the public side of that NAT box and spam it with connection requests on common ports (443? 22? 13[789]?) - ~65000 packets could map out the contents of the NATed network without ever hitting the NAT rules. NAT would have supplied /zero/ security, even through obscurity.

    In order to provide security the NAT box has to refuse to forward those packets, unless they meet one of the NAT rules. Oh, look - it's suddenly become a /firewall/.

    Now change that scenario to an IPv6 router: you could indeed set it up such that anyone outside could send anything they wanted into the site network, but that would be the same as the NAT box. Alternatively, you could set it up to block incoming traffic unless it matches certain rules - a firewall, and in fact /exactly the same/ firewall as existed on the NAT box. The only difference is that the machines behind the IPv6 firewall are publicly addressable, meaning that they can be used for /anything/ a public Internet host can, assuming they're granted permission by the firewall. No futzing around with DNAT and non-standard ports, just simple, reliable operation, exactly the way the Internet was originally designed.

    /Now/ do you see why people keep saying that NAT has nothing to do with security? Any security you get from sitting behind a NAT box is entirely due to the firewall that is almost always implemented alongside the NAT. And /that/ can be replicated on the non-NATed network, without replicating the management headaches that NAT introduces.

    </rant>

    Now that I've got that off my chest, I'll concede that it's rather more difficult to get an RFC 1918 address across the public Internet to your NAT box than it is to get a publicly routable IPv6 address there (modulo the limited IPv6 availability, of course). That said, with the increasing prevalence of wireless networking it's becoming easier and easier, and even without that it's possible that RFC 1918 addresses won't be dropped by intervening routers (ironically, increasing use of NAT will likely make that more of an issue, as companies demand the ability to route their NATed traffic across semi-public WANs). So, although there /are/ some valid arguments that NAT combined with RFC 1918 addressing provides significant security benefits, they're not as great as people generally like to think, and they're a lot less reliable than a firewall which doesn't make /any/ assumptions about address routability.

    himi

    --
    My very own DeCSS mirror.

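
Two comments in this thread make claims that are easier to see in a model than in prose: QuoteMstr (comment 5) that after translation an endpoint is one opaque 48-bit number with a finite port pool behind it, and himi (comment 25) that a NAT box is a translation table bolted onto an ordinary router, so a packet that already carries an inside RFC 1918 destination is routed without the table ever being consulted, and only a firewall rule stops it. The following toy NAT box is an added example, not code from the thread or from any product; addresses are RFC 5737 documentation ranges, and its translation policy (one external port per inside (address, port) pair, regardless of destination) is an assumed simplification of real NAT behaviour.

```python
"""Toy NAT box as 'translation table + plain router' (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = opens a new connection (unsolicited when inbound)


def endpoint48(ip: str, port: int) -> int:
    """The 'smushed' endpoint: 32 address bits and 16 port bits as one opaque integer."""
    return (int(ipaddress.IPv4Address(ip)) << 16) | port


class NatBox:
    def __init__(self, public_ip, inside_net, first_port=1024, last_port=65535, firewall=False):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_net)
        self.free_ports = iter(range(first_port, last_port + 1))
        self.out_map = {}  # (inside ip, inside port) -> external port
        self.in_map = {}   # external port -> (inside ip, inside port)
        self.firewall = firewall  # drop unsolicited inbound SYNs aimed at inside hosts

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> public: rewrite the source to (public_ip, allocated external port)."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            try:
                ext = next(self.free_ports)
            except StopIteration:
                raise RuntimeError("external port pool exhausted") from None
            self.out_map[key] = ext
            self.in_map[ext] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet):
        """Public -> inside. Returns (verdict, delivered packet or None)."""
        if pkt.dst == self.public_ip:
            # Addressed to the box itself: only an existing translation can carry it inside.
            target = self.in_map.get(pkt.dport)
            if target is None:
                return "dropped: no translation for that port", None
            return "translated", Packet(pkt.src, pkt.sport, target[0], target[1], pkt.syn)
        if ipaddress.ip_address(pkt.dst) in self.inside:
            # Plain routing: the NAT table plays no part; only a firewall policy can refuse.
            if self.firewall and pkt.syn:
                return "dropped: firewall blocks unsolicited inbound", None
            return "forwarded by plain routing", pkt
        return "not routable here", None


def scenario_smushed_endpoint():
    """Two inside hosts, two services; the external ports reveal neither host nor service."""
    box = NatBox("198.51.100.7", "192.168.1.0/24", first_port=40000)
    web = box.outbound(Packet("192.168.1.10", 5000, "203.0.113.9", 443))
    mail = box.outbound(Packet("192.168.1.11", 5000, "203.0.113.9", 25))
    reply = box.inbound(Packet("203.0.113.9", 443, "198.51.100.7", web.sport, syn=False))[1]
    return web.sport, mail.sport, (reply.dst, reply.dport)


def scenario_port_exhaustion(n_hosts=20, pool_size=10):
    """When the 16 port bits run out, later flows simply cannot be mapped at all."""
    box = NatBox("198.51.100.7", "10.0.0.0/8", first_port=1024, last_port=1024 + pool_size - 1)
    mapped = 0
    for h in range(n_hosts):
        try:
            box.outbound(Packet(f"10.0.0.{h + 1}", 1234, "203.0.113.9", 80))
            mapped += 1
        except RuntimeError:
            break
    return mapped


def scenario_probe_inside_host(firewall: bool):
    """himi's case: a SYN from the public side addressed straight to 192.168.1.23:22."""
    box = NatBox("198.51.100.7", "192.168.1.0/24", firewall=firewall)
    verdict, _ = box.inbound(Packet("203.0.113.9", 40000, "192.168.1.23", 22))
    return verdict


if __name__ == "__main__":
    print(scenario_smushed_endpoint(), scenario_port_exhaustion())
    print(scenario_probe_inside_host(firewall=False), "|", scenario_probe_inside_host(firewall=True))
```

The design point is in `inbound`: the translation table is only ever reached through the box's own public address, and the branch that handles a packet already addressed to an inside host never looks at it. Whatever protection a home "NAT router" gives against that probe comes from the `firewall` flag, which is the same stateful rule (drop unsolicited inbound, allow replies) that an IPv6 router without any translation could apply.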
  26. Re:specter of control? by amorsen · · Score: 2, Insightful

    It's dead easy to control, track, trace, and monitor IPv4, and even to do automatic man-in-the-middles. It is in fact so cheap that some ISPs do it just to insert advertising. IPv6 won't change anything about that.

    --
    Finally! A year of moderation! Ready for 2019?

  27. Re:Confiscate IPs from spammers by Cmdr-Absurd · · Score: 2, Insightful

    You're likely seeing NAT'ted addresses. If there are a thousand hosts behind a NAT, it's likely that at least one of them will be infected.

    These are many, many unique public IPs. From a wide variety of subnets all owned by chinanet. Yes some might be NATing more hosts behind them, but then the owner of the public IP still should be required to police the hosts on his/her network.