Slashdot Mirror
China To Run Out of IPv4 Addresses In 830 Days
JagsLive writes "China is running out of IP addresses unless it makes the switch to IPv6. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet. Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used."
Try the whole world. According to this counter, the world will be out of IPv4 addresses in 768 days.
Sounds like it will be easier than ever to ring the Wong number!
Smivs on the intertubes!
Do any Chinese citizens even have "normal" 'net access now? Thought NAT was used heavily, not to mention the GFWOC
Don't blame me, I voted for Kodos
To get a quick infusion of 700 billion IP4 addresses -- NOW!
The dangers of knowledge trigger emotional distress in human beings.
When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that! Flatten it to a /8 network in 10.0.0.0 and put it all behind one public IP. Problem solved!
Or will they just open up reserved addresses or something stupid like that?
---- Liquid was a patriot ----
Netizen is really stupid word, we really don't need more buzzwords.
A: Because it breaks the flow of a message.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
.
C'mon HP, be a good netizen and give back the bulk of those IP addresses. Try using NAT instead of hoarding IP addresses that others so desperately need.
I predict that we'll see China begin to use IPv6 addresses before most other people. Why?
Granted, I'm no fan of China's human rights policies. But it definitely has an advantage in terms of adopting IPv6. Hopefully, when China switches protocols, it'll catalyze the rest of the world to do so as well.
...and enable NAT.
Problem solved. :)
To error is human, to forgive, beyond the scope of the OS.
Slashdot runs it's 15th story about IP addresses running out "real soon now". The first was something like 5 years ago :)
These stats ignore the fact that there are huge available allocations that can go behind NAT's. An ISP can NAT big chunks of its user network. Charging even a modest amount per IP would free up huge numbers of IPs. There are abandoned blocks (companies out of business) and wildly oversized blocks (MIT etc).
Plus, we've been hearing these stories for years. The idea that the internets resources are going to become ipv6 anytime soon is unlikly. So folks are going to figure out a way to manage the existing pool, where there is lots of room for improved efficiency.
Fun to keep on reading these stories... they're always written as breaking news :)
They're even running out of RFC 1918 addresses.
the LHC will end it quicker than that. They estimate some 90 days until they've got their repairs done ;)
--- Eat my sig.
Impose a one IP address per family rule...
Task Mangler
What actually happens for domestic users when the addresses run out? I get my one, dynamic address at home from the ISP and I guess tomorrow they give that to some other subscriber (DHCP lease seems to be 24 hrs). If there are too few addresses, then what? No more new subscribers; or do they, the ISPs, allow over-subscription and not all customers can get an IP address every day?
Seriously their government is hell bent on controlling what goes into and out of that nation and what better way to do that than by forcing people to use a proxy..
"Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
Pease porridge hot
Pease porride cold
Pease porridge in the pot
Nine days old!
----------------------------------- My Other Sig Is Hilarious -----------------------------------
IP4 doesn't have enough addresses, of course a managers solution is to put of the inevitable so that it happens on someone elses watch rather then taking the time we got now to develop and implement a solution.
IF pushing IP6 doesn't work in the roughly 2 years remaining THEN we can use the buffer of under-used blocks as a last reserve. if we use the reserves now, and do nothing then we still have the same problem, just a bit further away but this time with no reserves remaining and no work chance of it being solves in time.
You should run for president, you would do well with your solutions.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
NAT is not a solution. It's a huge, gigantic clusterfuck of a problem. Some people only started their careers after NAT was widespread, so they can't imagine how wonderful the world is without it. The internet is much simpler when you can assume that all nodes can directly address all other nodes.
Look: this is what we've done.
In the beginning, each endpoint of a TCP (or UDP) connection looked like this:
[octet][octet][octet][octet][16-bit port]
[(------- host-------------)(--service--)
Each octet was routed hierarchically, and the port acted as an additional level of routing within a single node.
With CIDR, the model moved to this:
[32-bit opaque address][16-bit port]
(-------host----------)(--service--)
This change didn't hurt anything, aside from an increase in router complexity. Allowed the 32-bit address space to be used much more efficiently.
Now with the IP address shortage, the situation looks like this:
[48-bit address]
(----?---------)
Note how we've lost the distinction between host and service and smushed them all together into one huge opaque number. We've caused ourself lots of problems with this:
These days, instead of saying "connect to mydomain.foo.cx", for example, you have to say "connect to mydomain.foo.cx at port 12345". That's out of band address information, and should never be needed. Imagine if DNS only gave you the first three octets an IP address, and every application requires you type in the last one in manually. That's what the world is like today!
Am I the only one that noticed Hey, they can only have one baby, but we'll give them 3 IP addresses? Sounds like the Chinese government is getting liberal or something
Support NYCountryLawyer RIAA vs People
Heck, they already firewall everybody -- why not just break IPs up into NATted subnets? The 10.x.x.x range should give them enough room for awhile, right?
Hmm.... 16,777,216 IP addresses divided by 1,300,000,000 citizens.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Carly Fiorina's ego. It's so big that it was necessary to support all of her ego's operations. If it grows any more, the IPv6 address space will be screwed as well.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
So the world runs out of addresses before China runs out?
The world will run out of new blocks to allocate (as in "254.xxx.yyy.zzz"), before China gives out all addresses in the allocated blocks it has (as in "www.254.254.254").
Nonetheless, IPv4 can only provide a little lower than 253^4 different addresses. What makes it worse is that it's allocated in chunks (some chunks are reserved like the 127.x.y.z family - other addresses may be free but land in a range which is allocated to some company and thus can't be used by your computer).
Thus even if some providers use dynamic IP (only those machine which are connected have an IP address - thus an ISP needs a chunk only as big as the number of simultaneously connected users, not as the total number of subscriber), and lot of router use NAT (only 1 single IP address is visible on ther internet. all the machine are visible through this address and use a private address on the internal network),
in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week, we will quickly run into a situation where no more IPv4 address can be assigned to a new machine :
- the ISP has ran out of addresses in its chunk because there are more simultaneous connection (because everyone stays perpetually connected) that there are free address in the chunk (china will reach this point in 2-3 years)
- and there are no more new free chunk to allocate for the providers (all are already either reserved like the 10.*.*.* and 192.168.*.* range, or have already been allocated to others) thus now way to give more chunks with more IP to the ISPs (the world will reach that point too in about 2 years).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
stop saying "netizens".
It must have been something you assimilated. . . .
Don't you mean "netizens"?
My company has a quarter million employees. That means a quarter million desktop computers, a quarter million automated parking spaces, a quarter million employee badges, a quarter million IP phones, a quarter million cell phones, a quarter million ....
And that's not even counting our publicly-accessible web servers and our employee kitchens, where every microwave, coffee pot, ice machine, and vending machine is online.
All these things need network connectivity.
ISPs will not be able to oversell their DHCP pool. Back in the days of dial-up, yes, but now that every broadband ISP installs a router/modem that is on 24 hours a day not a chance. Most people will turn off or suspend a computer when it's not in use, but will never do the same for their router.
Why is everyone in the comments talking about various steps (reallocating large blocks, more widespread NAT, etc.) that would allow us to push back IPv6?
It seems that we very close to the point where every device supports IPv6 (Vista adoption is helping this) but just isn't using it. Let's start turning it on. What better way to help the adoption than by having users who are IPv6 only complaining?
-bugg
We've only used half the available numbers.
Just start using negative numbers: -248.100.-97.-201
Cress, cress, lovely lovely cress
8.3 * 10^2 days
An ISP can NAT big chunks of its user network
And in so doing break any application that needs to receive incoming connections.
This behavior is by design. The standard terms for residential service plans already restrict "running a server". FTP clients can use passive mode.
Why can't some of the owners of /8 address spaces return them back to be re-allocated?
For example, HP owns 15.0.0.0 through 16.0.0.0 (~33m ip addresses) can't they get by on just ONE class A network?
Apple owns 17/8
MIT own 18/8
US Postal Service 56/8.
http://www.iana.org/assignments/ipv4-address-space/
Do all these companies need to have ALL of their devices on publicly routable IP addresses? From a security standpoint, I would hope not. Odd since IBM, a company much larger than MIT and Apple can get by on just one /8, and I'm having trouble believing that HP requires 2 /8 networks.
We talk about making our datacenters "green" by consuming less power, there's got to be an equivalent for consuming fewer public IP addresses.
I've just finished re-IPing our datacenter (~5000 servers), not to 'release IP addresses back, but to undo the damage done by years of seemingly randomly assigning IP addresses to servers in our datacenter. Yes it's a pain, but so is any form of cleaning up your datacenter (cabling for example).
The exhaustion of IPv4 address space - dated 17th October, 2005
You are right, there's a whole lot of articles talking about this problem. And there have been people touting the NAT silver bullet for as long as the shortage has been known about. The interesting thing is that the rate of IPv4 consumption has kept increasing regardless.
That sounds like a huge step backwards. Hopefully it won't come to that.
Why will white goods need to be on the internet at all?
I mean a *good* reason , not just the usual re-hashed fridge-can-reorder-beer-for-you Jetsons style drivel that is laughably spoken about as some vital function by techno evangelists.
Ordinary users of the IPv6 Internet should be allocated as a minimum two /64 subnets. One /64 subnet would be for a private LAN network and the other /64 subnet would be for a public facing DMZ network. The DMZ network would be useful for any kind of reachability which only selected people can access content. IPv6 capable VoIP PBXs would be especially useful here like Asterisk and Freeswitch. Imagine the possibilities of assigning every phone call or user its own IPv6. This should elimiate VoIP spam.
Other notes: Point to point links should be a /126, not a /64. Businesses of differing sizes don't need a full /48. This would be like giving out blocks of IPv4 Class A addresses all over again. The size of the allocated IPv6 for a business should match their real size and needs. Applications and operating systems need to be more IPv6 aware.
Peak IP4 is a myth; there are still plenty of addresses buried in the Canadian tar sands. However, in the short term, the only solution is to lift the ban on coastal drilling for IP4 addresses.
Thank goodness, maybe they will take away the Chinese spam houses IPs and use them for something less irritating.
Has anybody noticed that the summary is basically repeated twice?
I wonder if anybody noticed the summary was repeated twice.
IPv6 allows addresses to be assigned very sparsely, which simplifies routing tables a lot. Back in the early days of IPv4, you could look at the first octet of an address and make a routing decision. The next router would look at the next octet, and so on, and so you only needed 256 routing table entries in each one. The network was conducted as a tree. You'd send a packet to the local router, which would say 'this isn't in my local network, send it up a tier' until it got to one that could start sending it down again.
With CIDR, you stopped being able to do this. Addresses were allocated in blocks of 256, so you had to look at the first three octets to make a routing decision. This meant you need up to 16,777,216 routing table entries. With IPv6, this is no longer required, and you can go back to having the IP addresses roughly corresponding to the network topology.
I am TheRaven on Soylent News
Isn't the problem that nobody who could fix this is motivated to do so?
If we all switch to ipv6 now, then everyone on the existing internet has incurred a cost, but will see no benefit; the benefit will go to currently-unconnected Chinese who will not pay the cost because the work will already have been done by the time they join up.
The only way that the switch to ipv6 is going to happen, is if someone finds a way of making the currently-unconnected Chinese population pay for it. That could be done, for example, by waiting until ipv4 addresses become very scarce, then auctioning the remaining ipv4 addresses for large sums of money, and using that money to switch everyone else over to ipv6. But then you've got the problem of distributing the money...
Had every router shipped since 3 or so years ago been required to have a) IPv6 support w/ stateful firewall on by default for internal hosts and b) a "turn on 6to4" button, we would have been near done already. That simple. You can do it with current routers with firmware mods and a lot of work.
"Strangers have the best candy" -Me
i heard they got a whole mess o' internet in california. enough for everyone!
You have absolutely no conception just how big a number 2^128 is, do you? Every human who has ever lived could have a billion devices, each with a billion sub-components with their own public IP address. Doing that would use less than one billionth of the address space.
Chernobyl 'not a wildlife haven' - BBC News
Its not that we're actually running out of IP addresses, its they were poorly allocated to begin with.
In total, there are 4.2 Billion IP's available in the IPv4 Space.
Summary of wasteful allocation:
1) 10.X.X.X for internal usage,
2) 192.168.X.X for internal usage
3) 172.18.X.X for internal usage
4) 127.X.X.X reserved for localhost,
5) 169.254.X.X for "I'm not on a network" IP's
6) Everything 1.X.X.X - 10.X.X.X is reserved for IANA.
So adding this up we've wasted
1) 16,581,375
2) 65,025
3) 65.025
4) 16,581,375
5) 65.025
6) 149,232,375 Total : 182,560,200 IP's unusable.
There is no reason why private networks need three different ranges of IP's for private use. Most, if not all businesses can get away with using the 192.168 or the 172.18 ranges(Exceptions would be google, governments, and research places with over 65k machines)
Then you have residential users who think they need an IP for each computer and their xbox.
Realistically, a company with a mail server, web server, ftp server etc... only needs one IP and a NAT to do port forwarding to the inside network.
If they clamp down on IP usage and free up some of the wastefully reserved IP ranges we wouldn't be having this discussion
The refrigerator is a poor example, but other appliances and home HVAC systems could realize significant energy savings by communicating with each other, and by being controlled remotely over the internet (or some other means).
There are a lot of interesting scenarios: if you had real-time, fluctuating power pricing, you might want to have appliances change their energy consumption or other settings in response to their cost. Only run some appliances when the spot price is below $0.15/kwh, for example.
Or even simpler, if you have a peak-load factor as a component of your bill, devices could communicate with each other to ensure the total draw at any one time doesn't exceed some predetermined maximum. Different appliances would each have a priority, and would have to shut down to accommodate higher-priority draws. (E.g.: the clothes dryer would shut off if you turned on the electric stove or microwave, because it would have a lower priority -- unless you were really obsessive about not having wrinkled clothes, I suppose, in which case you could set it the other way around.)
The two could be combined, as well: once you have the infrastructure in place, you could set up whatever rules you wanted, balancing preferences for certain services against costs, and prioritizing certain services at various times. It wouldn't be hard to produce detailed reports of what each appliance/service was costing to operate, and how new rules would affect costs based on past usage patterns. (There's the potential for a lot of complexity in the control system, but to a user it might seem very simple on the surface.)
Also, there's a wide range of appliances that really only need to run when people are in the house (or just before they enter the house) but tend to run continuously because it's a PITA to run them based on inflexible timers: HVAC, lighting, water heaters, possibly even water pressure-pumps. Devices would only be turned on when necessary for another device, or a user need was anticipated. I could easily imagine a system that was plugged into an online calendar and controlled this in a way that hid it from the user as much as possible. Heck, if you had a PDA with GPS, you wouldn't have to do anything.
The driving force behind "home automation" up until now has mostly been the geek factor of controlling all your lights/appliances/whatevers from a single point, but I think in the future, energy savings and integration will be the selling point. Since it seems unlikely that we'll really make significant inroads on alternative sources of energy before we start to run low on petroleum, there's a non-trivial chance that energy may become staggeringly expensive. I could easily see a future where the running costs of energy-intensive appliances greatly exceed -- even to the point of triviality -- their purchase price.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
There has been research, lots of it, and conferences and RFCs and discussion and development and testing and everything else and it led to IPv6. You seem to suggest that someone is going to come up with a magic 'new' network protocol from out of their arse, which seems unlikely. Nobody wants IPv6 because for the most part IPv4 works for them. When that stops happening there will be a shift towards IPv6 (hopefully, I can imagine there will be some horrible bodged setups that sort of work, but not on tuesdays if it's raining before then). The other issue is that people are afraid of having to remember longer numbers.
The reason organizations don't "give back" their IP assignments is that there is not much incentive to do so. Why not a market based solution?
One example: I am puzzled that radio amateurs (AMPRNET) own 44.00.00.00/8 and do not make significant use of it. As a ham myself, I'd be happy to convert that to, say, $10M for the betterment of the hobby.
Fiat Lux.
What is IPv6, 128-bit address space? That is what, 16 bytes?
Worse case in decimal (I added the dashes so *I* could make sure I typed it right :-)
216:126:59:03-58:95:58:32-126:43:55:129-59:59:59:1
Worse case in hex (same deal).
FA:FA:FA:FA-12:55:43:BA-55:DA:CC:DB-89:A1:C1:01
Basically, you are boned :-) Maybe we need a different number system that is like Base64 instead of Base16? Heck... why not just base64 encode the IP address. Base64 is what, A-Z, a-z, 0-9,+,=? A Base64 encoded IPv6 address is just:
Az.
Or make it Base32 instead so you can be case insensitive (A-Z, 0-9 and only drop a couple easy to mix up characters like i, l and o to get to 32 chars). A Base32 IPv6 is:
A1Y2.
You could even break out subnets with Base32:
A1Y:2/96 (subnet mask ZZZ0)
So yeah... why didn't they go Base64 or Base32 instead of Base16?
Seems to me like nobody wants IPv6.
They will - in about 831 days. It's like the idea behind Peak Oil, where instead of an instant failure one day, there will be a shift toward exponentially increasing prices. I don't know if Peak Oil will happen, but in about two years Peak IPs certainly will.
IPv6 is the working technology that we have available. There aren't any viable alternatives in the pipeline that I'm aware of, and certainly none far enough along that they'll be well-tested and ready for use in that short of a time period.
Dewey, what part of this looks like authorities should be involved?
Can't they just all use the same IP address just like they all shared the same license key of Windows XP?
your examples are wrong.
HEX: 4 bits per byte, takes 32 chars to encode IPv6 Address
Base32: 5 bits per byte, takes 26 char to encode an IPv6 address
Base64: 6 bits per byte, takes 22 chars to encode an IPv6 address
You can see the return on investment is pretty small for base32 and base64, since it costs you the transparency of the output.
try again.
Most of which is wasted, btw.
My ISP gave me a /48. I use 6 addresses.. that's a lot of wastage. Also the bottom 64 bits of an IPV6 address are basically mapped to the MAC address of the network card, so they're predefined.
The /48 is big but it's only 65k times as big as a /32 - the numbers aren't as huge as some would suggest.. still big, but not *huge* big - I could see scenarios where it could run out.
Dammit, slashdot ate my comment.
IPv6 has so many addresses that the IP address becomes opaque and meaningless (pretty much like we dont care what our MAC address is). The problem then becomes, how do you give every single device a unique, human readable name? Sure DNS will scale on the technical end find, but DNS as it exists today will fail in the human factors end. When your shoes have dozens of devices like moisture sensors in every part of them, "moisturesensor.shoelace.left.favorite-shoes.cust29534.seattle.wa.comcast.com" is not exactly an easy to remember name.
What will happen, I suspect, is your home router will start doing your DNS. You'll get your own private top level domain (say, .local). Then your kitchen sink will be "kitchensink.local", your dryer will be "dryer.local", etc. Your car and laptop will use your netgear DNS server instead of somebody elses.
The problem will then become how to two homes talk to each other when they both have a device named "xbox.local"? Will both have to get a "real" hostname from their ISP? Sounds a bit like NAT to me, only now it is NAT'ing DNS addresses instead of IP addresses.
in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week
And tell me again why my fridge will be on a public IP, rather than the 192.168.1.xxx address my Best Buy $49.99 Linksys router will give it?
Your's will probably be on a private address. But as it has 100% uptime, it will be constantly connected to the web, which will cause your router to stay connect almost 24h (except, when the ISP forcefully reset the connection and forces a DHCP renewal), which in turn makes that your router will constantly hold and never let go its public IP adress (except for an occasional DHCP renewal). Netword connected appliances that periodically phone home already aren't unheard of (gaming console checking for firmware upgrades, media player checking DRM licenses, multimedia systems downloading various data such as news, meteo and/or TV guides, etc.).
And they dangerously bring the "amount of simultaneously connected users" close to the "total amount of subscribers".
Even better, explain to me why I, as Joe Sixpack will *need* my fridge on a public IP where every flaw and exploit will be passed directly to it, rather than dropped at the NAT box?
It's not about the need. It's about the fact that it's going to be anyway, and thousands of "shiny" features are going to be added afterwards. (And will inevitably end up exploited in every possible way as you are justly afraid).
People are currently already enjoying the ability to connect to their home tivo-like setup to remotely program recording, to be able to share data from their home computer (not as in "I'm geek and I have a nice home built Linux file server", but as in "I have a Mac and leave it on 100% of time, because thank iAirSomething, I can access my home photo at work to show them to my colleagues"). The imaginary future internet enabled fridge will probably be able to automatically generate a list of groceries. And Joe-6-pack will love to be able to log to his fridge (using some secure password as "joe" "beer" or "123456") to check how much six-packs he needs to buy on the way home.
Or why a college or university needs to put every last workstation, printer, AP, and toaster on a public IP address?
Lots of tools used in academia are old and date back before the age when NATs became pervasive. Internet was never designed with NATs in mind in the first place. At that time, it was just about a few academia linked together on the same network as some military. Back then it simply made sense to put everyone (of the few thousands of computers) on the same net because that was the way it was designed. Nobody was thinking that 20 years down the line not only everyone would have an internet connected computer, but everyone would even have 20-something online appliances at home AND AT THE SAME TIME still use a deprecated addressing scheme designed at a time when the net was just about a thousand of computers spread over twenty faculties all talking together.
What happened is that the same designs remained in the same place, simply more computers were appended to the same old network. Every decade maybe cables were upgraded, but nobody bothered changing the topology of the network.
Also, lots of (old and not so old) networked application require both ends to be visible to each other and sitting on the same net (lots of old-school unix phone apps, or even recent VoIP systems simply start listening on local ports and assume that, wherever the user is).
People are still using them and still need to be able to quickly setup a connection between the relevant computers. Which may now be in separated buildings and/or departments.
NAT exists because NAT works. No, it is not the be all end all for any perceived IPv4 woes, but there is a metric assload of stuff out there with a public IP that either should be, or desperately NEEDS to be on a 10.xxx.xxx.xxx netwo
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Seriously, that's not the point. Everybody does that, because that's what you have to do; but trust me, for having dealt with the low level stuff of VoIP, this is a major pain in the ass. And that DHCP server is a major spof. Pof pof.
I've been using IPv6 since about 2001, but after the BT Exact Tunnel Broker stopped, I was lost as to where I could get access from. I signed up with Sixxs, but they have rather tight (anal, some would say) policies. They'll give you access, etc, but a single bounced/rejected email, and they disable your account. http://www.sixxs.net/faq/account/?faq=bounces.
Then I gave Hurricane Electric's Tunnel Broker a try. What a breath of fresh air. It takes about 2 mins from sign-up to being connected - they give you the relevant commands to run too, if you're not familiar with it. If you've got 2 mins to try it out, give them a go.
And Slashdot - how can you be one of the top tech sites, and not be accessible over Ipv6? And throw in SSL too, while you're joining the 21st century.
Get your own free personal location tracker
There will be 2 more years until we run out of IPs and about 4 more years if we use big corporations IPs.
2008 + 4 = 2012 = end of the world
I guess the mayans were right after all...
Okay, I'm a little sick of seeing this argument.
Network/port address translation is /not/ a security system. It is /not/.
A NAT box is two things: an address translation system, and a /router/. The router is just the same as any other router - if you send it a packet with a destination address that it knows how to route, it will forward it along to that destination, regardless of any NAT rules you might have in place. If you send it a packet addressed to 192.168.1.23 from the public side, and that address is routable as far as the NAT box is concerned, /it will forward it on/. I could sit on the public side of that NAT box and spam it with connection requests on common ports (443? 22? 13[789]?) - ~65000 packets could map out the contents of the NATed network without ever hitting the NAT rules. NAT would have supplied /zero/ security, even through obscurity.
In order to provide security the NAT box has to refuse to forward those packets, unless they meet one of the NAT rules. Oh, look - it's suddenly become a /firewall/.
Now change that scenario to an IPv6 router: you could indeed set it up such that anyone outside could send anything they wanted into the site network, but that would be the same as the NAT box. Alternatively, you could set it up to block incoming traffic unless it matches certain rules - a firewall, and in fact /exactly the same/ firewall as existed on the NAT box. The only difference is that the machines behind the IPv6 firewall are publically addressable, meaning that they can be used for /anything/ a public Internet host can, assuming they're granted permission by the firewall. No futzing around with DNAT and non-standard ports, just simple, reliable operation, exactly the way the Internet was originally designed.
/Now/ do you see why people keep saying that NAT has nothing to do with security? Any security you get from sitting behind a NAT box is entirely due to the firewall that is almost always implemented alongside the NAT. And /that/ can be replicated on the non-NATed network, without replicating the management headaches that NAT introduces.
</rant>
Now that I've got that off my chest, I'll concede that it's rather more difficult to get an rfc1918 address across the public Internet to your NAT box than it is to get a publically routable IPv6 address there (modulo the limited IPv6 availability, of course). That said, with the increasing prevalence of wireless networking it's becoming easier and easier, and even without that it's possible that rfc1918 addresses won't be dropped by intervening routers (ironically, increasing use of NAT will likely make that more of an issue, as companies demand the ability to route their NATed traffic across semi-public WANs). So, although there /are/ some valid arguments that NAT combined with rfc1918 addressing provides significant security benefits, they're not as great as people generally like to think, and they're a lot less reliable than a firewall which doesn't make /any/ assumptions about address routability.
himi
My very own DeCSS mirror.
The Chinese are using NAT very extensively already. Residential customers don't get a public IP address. If China is running out, that means that businesses can't get addresses either.
The US hasn't started feeling the pain even for residential yet, AFAIK. Europe is seeing deployment of NAT in some mobile broadband networks, but so far not much in regular broadband.
Finally! A year of moderation! Ready for 2019?
It's dead easy to control, track, trace, and monitor IPv4, and even to do automatic man-in-the-middles. It is in fact so cheap that some ISP's do it just to insert advertising. IPv6 won't change anything about that.
Finally! A year of moderation! Ready for 2019?
You're likely seeing NAT'ted addresses. If there are a thousand hosts behind a NAT, it's likely that at least one of them will be infected.
These are many, many unique public IPs. From a wide variety of subnets all owned by chinanet. Yes some might be NATing more hosts behind them, but then the owner of the public IP still should be required to police the hosts on his/her network.
It's not his network. He's just the ISP.
My first post was at least half tongue-in-cheek, but to say the ISP (if we are talking ISP) is not responsible for activity happening on its network is just plain wrong-headed. ISPs have AUPs. Nations have laws. These ISPs are on notice that bad things are happening on their networks and are being provided evidence of exactly what sort of bad behavior is going on. They choose to look the other way or be actively complicit. I'm just suggesting revoking access to those who can't behave.