China To Run Out of IPv4 Addresses In 830 Days

JagsLive writes "China is running out of IP addresses unless it makes the switch to IPv6. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet. Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used."

What is the point in having a public IP address

[jeffmeden]

When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that! Flatten it to a /8 network in 10.0.0.0 and put it all behind one public IP. Problem solved!

Netizen?

Netizen is really stupid word, we really don't need more buzzwords.

China will be first to use IPv6

[QuoteMstr]

I predict that we'll see China begin to use IPv6 addresses before most other people. Why?

• Extreme scarcity of IPv4 addresses: China gained internet access well after the era of enourmously wasteful address assignment ended.
• The great firewall is always set up as a traffic relay. Not only does it provide a natural point to set up an IPv6->IPv4 NAT gateway, but running IPv6 internally makes it that much more difficult for dissidents to bypass the firewall.
• China's strong central state would allow mandating of IPv6 and near-instantaneous implementation.
• Chinese sites are accessed by relatively few non-Chinese. Therefore, the penalty for running an IPv6-only site inside China would not be very great.

Granted, I'm no fan of China's human rights policies. But it definitely has an advantage in terms of adopting IPv6. Hopefully, when China switches protocols, it'll catalyze the rest of the world to do so as well.

Re:830 days? China?

[mollymoo]

If 25 companies (are there even that many with /8s?) gave back their entire allocation, that would still only add 10% to the pool. That might buy a little time (a year, if we're at 80% and have two years left), but it's hardly going to solve the problem.

NAT is not a solution

[QuoteMstr]

NAT is not a solution. It's a huge, gigantic clusterfuck of a problem. Some people only started their careers after NAT was widespread, so they can't imagine how wonderful the world is without it. The internet is much simpler when you can assume that all nodes can directly address all other nodes.

Look: this is what we've done.

In the beginning, each endpoint of a TCP (or UDP) connection looked like this:

[octet][octet][octet][octet][16-bit port]
[(------- host-------------)(--service--)

Each octet was routed hierarchically, and the port acted as an additional level of routing within a single node.

With CIDR, the model moved to this:

[32-bit opaque address][16-bit port]
(-------host----------)(--service--)

This change didn't hurt anything, aside from an increase in router complexity. Allowed the 32-bit address space to be used much more efficiently.

Now with the IP address shortage, the situation looks like this:

[48-bit address]
(----?---------)

Note how we've lost the distinction between host and service and smushed them all together into one huge opaque number. We've caused ourself lots of problems with this:

1. One can no longer tell which service is being used based on part of an endpoint address (i.e., the port.). Firewalls, proxies, and so on become much more complicated.
2. Only part of the endpoint address is provided by DNS. (I'm ignoring SVR records, which nobody uses.) Thus, part of the address needs to be hardcoded:
   • Every damn piece of software has to have a knob to control what port to use.
   • When software is too much trouble to configure, we use hardcoded port-parts. Consider SMTP and HTTP. When the port-portion of the big smushed address is hardcoded, Herculean efforts have to be made to route these services through NAT. Good luck if you want to run more than one SMTP server behind a given NAT gateway.
3. 48 bits still isn't enough to satisfy growing demand. What happens when you can't address the endpoint you want even if you use all the address bits and all the port bits? Do we start piling on in-band multiplexing? Should every protocol necessitate something like HTTP 1.1's host header?
4. Getting a publicly-routable endpoint address involves talked to one or more routers, which may or may not allocate a port for you. And this portion of the endpoint address is highly dynamic.
5. Because of the last reason, protocols that involve callbacks are complicated. FTP, for example, made perfect sense in the days before NAT. Now, it's viewed as a problematic pain in the ass that always needs special NAT rules and connection tracking to accommodate it.

These days, instead of saying "connect to mydomain.foo.cx", for example, you have to say "connect to mydomain.foo.cx at port 12345". That's out of band address information, and should never be needed. Imagine if DNS only gave you the first three octets an IP address, and every application requires you type in the last one in manually. That's what the world is like today!

Re:NAT is not a solution

[QuoteMstr]

Let's ignore in-band multiplexing being messy a hack. Let's ignore the lack of consistency between multiplexing schemes. Let's ignore the immense complexity of making routers understand every stupid little application-level protocol. Let's ignore the latency introduced by waiting for a connection to open before knowing where the next hop goes.

Even after all that ignoring, your proposal won't work. Not with anything resembling today's equipment anyway.

I'm Bob, you're Alice. (We can switch; I'm flexible.) You want to initiate a call to me. Let's say we've registered with a central directory, and the directory tells you that I'm at address A.B.C.D:12345.

But wait -- back up. What right do I have to use A.B.C.D:P? As far as I'm concerned, I'm at 192.168.1.1. So I connect to the directory and tell it I'm at 192.168.1.1, listening on port 12345.

The directory replies "what the hell are you talking about? That's not a public IP. Your public IP is A.B.C.D.". If you, Alice, try to connect to me at 192.168.1.1, the connection will fail, or go to your annoying friend Carol, whom you really don't want to talk to. OTOH, if the directory replies with A.B.C.D, how are you supposed to connect to me? Remember, I'm listening at 192.168.1.1 at port 12345.

Either I have to talk to my ISP and tell it "give me an external port and forward traffic on that port to 192.168.1.1 port 12345", or the directory server has to talk to A.B.C.D and tell it "Oh yeah. Your client 192.168.1.1. He's listening on port 12345. He told me so. Give me a port I can connect to you on that will have traffic go there."

The second scheme is clearly a security problem. The first requires cooperation from ISPs. UPNP sort-of addresses the issue, but not really very well at all.

Basically, you're reinventing an entire routing protocol. Poorly.

You need to upgrade ISP equipment to allow this sort of chit-chat to go on whenever somebody wants to listen for a connection.

What happens if your ISP is itself behind a NAT? What happens when you run out of ports?

The way you propose, it's turtles all the way down. It'd still be cheaper to just adopt IPv6 in the first place.

Why is everyone talking about pushing back IPv6?

[bugg]

Why is everyone in the comments talking about various steps (reallocating large blocks, more widespread NAT, etc.) that would allow us to push back IPv6?

It seems that we very close to the point where every device supports IPv6 (Vista adoption is helping this) but just isn't using it. Let's start turning it on. What better way to help the adoption than by having users who are IPv6 only complaining?

Re:Blocks vs. sub-blocks.

[Darth_brooks]

in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week, we will quickly run into a situation where no more IPv4 address can be assigned to a new machine

And tell me again why my fridge will be on a public IP, rather than the 192.168.1.xxx address my Best Buy $49.99 Linksys router will give it?

Even better, explain to me why I, as Joe Sixpack will *need* my fridge on a public IP where every flaw and exploit will be passed directly to it, rather than dropped at the NAT box?

Or better still, explain why a small business with 60 users should have every last user on a public IP?

Or why a college or university needs to put every last workstation, printer, AP, and toaster on a public IP address?

NAT exists because NAT works. No, it is not the be all end all for any perceived IPv4 woes, but there is a metric assload of stuff out there with a public IP that either should be, or desperately NEEDS to be on a 10.xxx.xxx.xxx network.

Re:Blocks vs. sub-blocks.

[TheRaven64]

So you can connect to your fridge and see if your milk has gone off from outside your home? NAT does not give security. A firewall gives security, and most NAT devices also do firewalling. If you don't want your fridge to be accessible from anywhere outside your network, or only from a set of VPN locations, then you can easily configure your firewall to block inbound connections to it (which is likely the default anyway).

Does your small business with 60 employees want to use IP telephony? In this case, each PC (or each telephone) needs a public IP. You can get away with routing this at the application layer, but why bother when it doesn't actually gain you anything?

Re:Blocks vs. sub-blocks.

[NFN_NLN]

Even better, explain to me why I, as Joe Sixpack will *need* my fridge on a public IP where every flaw and exploit will be passed directly to it, rather than dropped at the NAT box?

What you want is a firewall not a NAT. A firewall will protect you just the same and allow people to initiate communication as YOU desire.

Or better still, explain why a small business with 60 users should have every last user on a public IP?

There are quite a few examples why this is important but here's one. Why can't all students / businesses have a public IP with an exposed port for VoIP? Why do VoIP products have to have complicated NAT traversal software that doesn't always work and at the very least just adds useless overhead.

It's called a firewall. Set one up and stop spreading FUD.

Re:830 days? China?

[Midnight+Thunder]

A year is a lot of time. Think how much cheaper computers/routers get in a year. That's a lot of expense saved if they can delay switching over for a year.

Its simpler if people just started accepting that IPv6 is going to happen and adjust accordingly. For me its like having to accept Y2K was going to happen and acting accordingly. Believe me its much simpler to code the applications than go through the politics, and possibly technical issues, of getting someone to give back a block they don't appear to be using.

Get your ISP and your router manufacturer to provide you an IPv6 solution. That too is probably not easy, but if we all start making noise then they will start doing something - hopefully.

Re:Blocks vs. sub-blocks.

[QuoteMstr]

Actually NAT DOES provide some sort of security.

Sure, in the same sense that crushing an airliner into a cube makes it useless for terrorists. NAT breaks the internet, and when you break something, it's useless because it's broken.

You can filter packets with a firewall without doing any NAT at all. In fact, your life would be a lot easier without NAT. There would be no need for configuring ports. There would be no need for mapping and configuring and making and unmaking.

You'd plug things in, and they'd just work. Globally. You can allow connections to your fridge from work, or from anywhere. A firewall could do that. The fridge itself could do it. But you'd still be connecting to your fridge, and not some random port on some arbitrary gateway machine somewhere.

Going with your fridge analogy, why should it be a bad thing for a grocery store to connect to all the fridges it knows about in order to tell them about new products? Why this artificial distinction between "inbound" and "outbound" traffic?

Re:More to the point

[deraj123]

I'll answer your question with another:
Why not?

Seriously. This whole "X doesn't NEED to be on the internet" is a ridiculous argument. It's simply saying "oh, having a PC and computer type equipment on the internet should be enough for anybody". The whole point of this internet thing is innovation. Sure, a fridge doesn't NEED to be on the internet. Unless I want it to have some functionality that requires internet connectivity. Same with my computer. It functions just fine, and doesn't NEED to be on the internet.

And why is "fridge can reorder beer for you" drivel? Is there some reason that a fridge SHOULDN'T reorder your beer? Sure, it's not a vital function, but neither most of the stuff that our technology does. Again, this is what innovation and technology is all about - improving the standard of living, making this easier, etc.