Slashdot Mirror


Millions of Internet Addresses Are Lying Idle

An anonymous reader writes "The most comprehensive scan of the entire internet for several decades shows that millions of allocated addresses simply aren't being used. Professor John Heidemann from the University of Southern California (USC) used ICMP and TCP to scan the internet. Even though the last IPv4 addresses will be handed out in a couple of years, his survey reveals that many of the addresses allocated to big companies and institutions are lying idle. Heidemann says: 'People are very concerned that the IPv4 address space is very close to being exhausted. Our data suggests that maybe there are better things we should be doing in managing the IPv4 address space.' So, is it time to reclaim those unused addresses before the IPv6 crunch?"

92 of 500 comments

  1. screw ipv4 by k3v0 · · Score: 5, Insightful

    let's just switch to IPv6, it's more functional and future proof

    1. Re:screw ipv4 by Anonymous Coward · · Score: 5, Funny

      Hello. I am Hunvi Maguay, premier of Swaziland. If you have an unused IP address we will buy it from you for $6,000,000 right now. In order for us to send you the money, please send us your bank account number along with proof of identity. Your Social Security number would be good. Please tell us your mother's maiden name too. Hurry, our offer will not last long.

    2. Re:screw ipv4 by Finallyjoined!!! · · Score: 2, Interesting

      Right....

      So you've configured all of your network equipment to use IPv6 then.

      Tell me: What is your IPv6 address, what's the address of your router/gateway and what's the size of block you are using?

      --
      If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    3. Re:screw ipv4 by Synn · · Score: 4, Interesting

      Nobody has configured for IPv6 because there's been no forced set date to switch over so everyone is still just using IPv4 which is working just fine.

      But when the date comes it'll be a long weekend for a lot of admins, but I'm guessing the switch will happen just fine.

    4. Re:screw ipv4 by Finallyjoined!!! · · Score: 5, Insightful

      Internally yes. Externally no. However my point was; everyone who stands up and says "Screw IPv4 let's move to IPv6" should be sat in front of a border router & told to get on with it.

      Everyone can eat salami, precious few can make it.

      --
      If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    5. Re:screw ipv4 by Anonymous Coward · · Score: 2, Informative

      Indeed.

      So why isn't IPv6 widely adopted yet?

      Because

      1> IPv4 still works fine AND
      2> It costs money to implement IPv6 AND
      3> Implementation cost of IPv6 is more likely to drop than to rise over time.

      The implementation cost is most likely to drop, hardware prices have nothing but dropped ever since there was hardware for sale. Another couple of years from now the price of those routers will probably be cut in half again.

      So there's nothing strange going on, it's just business as usual. If someone somehow finds more IPv4 address space to use they'll probably claim they've saved the entire internet from collapsing but in my opinion it'll just postpone the switch to IPv6 and save everybody a couple of bucks.

    6. Re:screw ipv4 by vux984 · · Score: 4, Insightful

      Nobody has configured for IPv6 because there's been no forced set date to switch over so everyone is still just using IPv4 which is working just fine.

      Sure my PCs can all switch without too much trouble; just configuration issues.

      Will an xbox, xbox360, PS3, Wii, PSP or DS do ipv6? Will my ipod touch? What about my cell phone? Does my dlink nat/router do it? What about my dlink voip box? My network printer? My cable/adsl modem?

      Seriously.

      I can't abandon v4 at home (Wii doesn't do ipv6 afaik, nor does my router). Nor can I do it at work... the LaserJet 4050s don't do it unless I upgrade the jetdirect module (which is stupid expensive). I also doubt my cell phone supports ipv6. My parents have a Wii and a usb-print server that don't do ipv6. My brother in-law has a PS3 and a Wii that doesn't appear to support ipv6. My parents in-law have an xbox and a wifi router that doesn't do ipv6... my cousin has a DS... she's stuck on WEP because it doesn't do WPA... I highly doubt it's going to do ipv6.

    7. Re:screw ipv4 by goofyspouse · · Score: 4, Funny

      Get it on with a border router? That is wrong on so many levels.

    8. Re:screw ipv4 by hedwards · · Score: 5, Insightful

      What you'd do is upgrade the router. That's it.

      Basically new routers would do a 1:1 version of NAT going from IPV6 externally to IPV4 internally. You'd likely still be using the set aside non-connected blocks without problems. As things evolve you'd probably be able to do IPV6 easily internally and ditch that as the network devices support it.

      The difficulty of upgrading to IPV6 has never been on that end it's the other infrastructure and the ISP services which were where the actual work, challenge and money were located.

      I'm sure that there are other ways of doing it, but that's really the simplest and it allows people to transition on the less important end as they care to or not. It wouldn't make a difference for anybody else.

    9. Re:screw ipv4 by Anpheus · · Score: 2, Interesting

      All of those things can add IPv6 functionality in firmware, I'd put money on it. Just because the companies are too lazy to do so doesn't mean it's unpossible.

      The FCC should just mandate a switch to IPv6, if the US leads, the rest of the world tends to follow. Ridiculous foreign policy demands aside.

    10. Re:screw ipv4 by Chris+Pimlott · · Score: 4, Informative

      If you're like most of us, all your devices at home are living behind NAT. There's no reason they can't keep living in an ipv4 private network behind an ipv6 router.

    11. Re:screw ipv4 by __aamnbm3774 · · Score: 5, Funny

      I love all meat references.

      Screw the car-analogy people. Explain how this situation affects me in terms of meats!

    12. Re:screw ipv4 by mini+me · · Score: 2, Interesting

      Will my ipod touch

      I don't see why it wouldn't. It runs pretty much the same operating systems that Macs do.

    13. Re:screw ipv4 by catxk · · Score: 3, Interesting

      Everyone who says we still need IPv4 and should focus on reusing the millions of idle addresses, should be sat in front of the internets and told to get on with it. I for one wouldn't have a clue.

      --
      Don't be crazy anymore!
    14. Re:screw ipv4 by Anpheus · · Score: 4, Insightful

      Future proof? Everyone says IPv6 is future proof. No one will ever need more than 2^64 addresses.

      That's ridiculous. If we have the addresses, we'll find some way to use them. Instead, it should be IPvX. We should have an extensible standard that the IANA or -someone- can flip a switch on and the routers will add another 8 bits to the address automatically. Need more IPs? Done, 256 times more. This scales well, means we'd never have to go through this again and in thirty years no one will be mocking our generation for this silly attitude of "2^X IPs is enough for the whole world."

    15. Re:screw ipv4 by omgitsthr33 · · Score: 2, Informative

      DD-WRT has been working on the implementation of IPv6 within their firmware. http://www.dd-wrt.com/wiki/index.php/IPv6

    16. Re:screw ipv4 by Sechr+Nibw · · Score: 5, Funny

      Only if you stick it in the Outgoing jack.

    17. Re:screw ipv4 by Cajal · · Score: 2, Interesting

      The FCC has no authority to dictate IPv6 usage in the US.

    18. Re:screw ipv4 by coolsnowmen · · Score: 2, Insightful

      We should have an extensible standard that the IANA or -someone- can flip a switch on and the routers will add another 8 bits

      IANA? You are not a ____? A computer engineer.

      Anyway, we should not have such a thing. Yes it would be easy in software to make such a conditional, but the high performance backbone needs to be just that. And when you add that "option" the hardware engineer needs to decide whether that condition should be done in serial (costs you in transient lag), or do all options in parallel (costs you in $$).

      But it really comes down to keep.it.simple.stupid engineering. Why complicate a standard when you can't justify it?! Your attempt at future proofing ipv# is short sighted because ipv6 will easily last 20 years, and after that no one knows. They don't know because it is impossible to predict how technology will evolve, people will adopt it, and politics will allow it in 30 years. So as an engineer you pick a point, and you say with 99.999% probability this will be good enough for X years. At which point you change it.

    19. Re:screw ipv4 by TheRaven64 · · Score: 4, Insightful

      Do you have any idea how big a number 2^64 is? There are currently just under 2^33 people in the world. This means that 2^64 is almost enough for every person to have as many IP addresses as there are currently people. It is enough for 2^35 IPs per square kilometre of the Earth - including the sea - or, to put it another way, enough for every 0.29cm^2 of the Earth's surface to have a unique IP. It is enough not just for every computer you own to have an IP address, but for every item of clothing, every item of furniture, and every object in your fridge to have a unique, public, IP, and still have a lot left over. IPv6 will last until nanotech becomes widespread and you want to have networks of nanoscopic devices online - and possibly even then since it would make sense to treat personal area networks as a single public device.

      --
      I am TheRaven on Soylent News
    20. Re:screw ipv4 by gnick · · Score: 5, Funny

      The FCC should just mandate a switch to IPv6, if the US leads, the rest of the world tends to follow.

      Exactly.

      Listen up world! We've decided that you all should be using miles, feet, inches, Fahrenheit, and gallons. Please upgrade your silly metric system.

      --
      He's getting rather old, but he's a good mouse.
    21. Re:screw ipv4 by Cramer · · Score: 3, Insightful

      Actually, it is far more complicated than current generation IPv4 NAT/PAT. IPv4/IPv6 requires a protocol bridge. I guess you are too young (and I'm really not that old) to remember when IPv4 ("IP") was new. Everybody had networks built with Appletalk, IPX, etc. A company that wanted to "get on the internet" either had to replace equipment and completely restructure their network into a "dual stack" rig -- while you could install a TCP/IP package in windows and Mac System 6, none of the services commonly in use (i.e. the reason for the network in the first place) would use IP. It took many more years for IP to finally become the backbone. For example, a decade (+) ago game makers were still using IPX for network play. And even as recent as 2003, the telco I was working for still had, and used, a large IPX network. (luckily, they had phased out all the token ring hardware in the mid/late '90s.)

      It's not as simple as rewriting the source or destination in a packet. Both have to be changed and the entire packet rebuilt. Plus, there has to be logic to dynamically turn the IPv6 world into an IPv4 world -- because a legacy device has zero understanding of v6, it cannot understand a v6 address at all.

    22. Re:screw ipv4 by NatasRevol · · Score: 4, Informative

      You forgot the real reason.

      IPv6 numbers are damn hard to remember.

      Seriously, what's easier?

      192.168.0.1 or
      2001:0db8:85a3:0000:0000:8a2e:0370:7334

      --
      There are two types of people in the world: Those who crave closure
    23. Re:screw ipv4 by Cramer · · Score: 2

      You are underestimating the amount of work necessary as well as the amount of "legacy" equipment still in use today. Just look around your home/office and count up the number of devices for which the manufacturer has gone out of business (bought out, etc.) or has been declared "end-of-life" and is no longer supported. All of those devices are obviously working and providing some utility or they wouldn't be there.

      Bottom line: it's going to cost people/companies a lot of money and time to replace equipment and software, and reconfigure systems in order to support IPv6. Right now, no one is willing to spend that much money for something that Is Not Necessary.

    24. Re:screw ipv4 by Sancho · · Score: 2, Informative

      Some perspective:
      Right now, there are over 6 billion people on Earth. IPv4 has a theoretical maximum of 2^32 (4.3 billion) IP addresses. IPv6 has a theoretical maximum of 2^128 IP addresses, which works out to more than 2^90 addresses per person currently on the planet. Yeah. Each person could have a whole bunch of IPv4-sized address spaces. A bunch of a bunch. Our planet probably isn't capable of holding so many people that each person would only get 2^32 addresses (size of the IPv4 address space.)

      I'd bet a couple of bucks that the human race will never ever need anything more than IPv6.

    25. Re:screw ipv4 by fm6 · · Score: 4, Funny

      The good grammar tells you he's a fake, but what kind? Obviously, a fake scam artist. In other words, a fake fake.

      But if he's not a real fake, what is he really? The only possibility that makes sense is that he really is the premier of Swaziland. I suggest you send him the information he requested. Or better yet, send it to me, and I'll handle the transaction for you.

    26. Re:screw ipv4 by BitZtream · · Score: 4, Informative

      It's already well defined, there is no need for anyone to 'agree' on it, it was agreed on years ago.

      You are confusing NAT and PAT. I seriously doubt you use NAT anywhere. You are likely referring to PAT, NAT just translates addresses from one to another, a one to one mapping, one address external is used by one address internal. What you are used to using is PAT, which is Port and Address translation, which allows for one external address and many internal addresses.

      NATing between IPv6 and IPv4 is well defined and not difficult to do, there are already plenty of cheapy boxes for home use that do it. Hell mine will even set up an IPv6 Tunnel to someplace like he.net.

      PAT on the other hand is something no one cares about because the ridiculous amount of IPv6 addresses means we can just give EVERYONE a /64 and they can use REAL NAT rather than PAT to get the job done.

      Finally, part of the IPv6 protocol requires support for making IPv4 address space available over IPv6. Practically any router on the planet which supports both IPv4 and IPv6 will have the support to deal with both and bridge between them.

      So your statement is incorrect in that NAT is supported by pretty much every router that supports IPv6, what you are thinking of is not NAT, it's PAT which no one in the IPv6 world cares about since it's an old hack that doesn't need to exist in the new world of IPv6. Because of that, no routers are going to bother supporting it.

      For reference, since the defacto standard at the moment appears to be giving individual users a /64 block, From: http://en.linuxreviews.org/Why_you_want_IPv6

      Number of IP Addresses in a IPv6 /64 prefix, the typical space a home user gets: 18,446,744,073,709,551,616

      IPv6 gives citizens the opportunity to become real Internet participants. IPv4 makes citizens into passive consumers who are only able to connect to compartmentalized networks run by companies or governments. This is why the establishment does not want IPv6.

      There is a total of 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 unique IPv6 addresses. That's roughly 667 quadrillion addresses per square millimeter of the Earth's surface!

      Basically, we cannot possibly exhaust this address space on the planet earth, there simply isn't enough matter on the planet to do so, and adding the matter required to do so would result in a gravitational singularity forming as the matter collapsed onto itself. So ... there is no actual NEED to do it with IPv6.

      If you wanted to pick something to worry about, it would probably be the lack of stateful firewalling in those home/cheapie routers which the NATs of today effectively provide an outbound only initiation of connections, with IPv6 and the fact that cheapie routers aren't firewalling by default, we'll end up with a lot more machines fully exposed to the Internet by default.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    27. Re:screw ipv4 by joeman3429 · · Score: 2

      oh god, I'd never thought of that.

      I guess routers will have to have names now. 192.168.0.1 was easy to remember, but jesus christ. How will we locate our routers (among other things of course)? I'm honestly asking lol

    28. Re:screw ipv4 by Fastolfe · · Score: 2, Funny

      IPv6 will last until nanotech becomes widespread and you want to have networks of nanoscopic devices online - and possibly even then since it would make sense to treat personal area networks as a single public device.

      So your solution to running out of IPv6 addresses is.. NAT?

    29. Re:screw ipv4 by joeman3429 · · Score: 2, Funny

      I'm not going to let your ignorance keep my children from having their fridge/microwave/cellphone/shirt/hat/dog/cat/fishtank/monitor/3 dozen computers/swarm of spy-bot bees/printer/coffee mug/mouse/keyboard/envelope stamps/individual pages in their books/speakers/light bulbs/doors from having their own IP address.

      Insensitive bastard...

    30. Re:screw ipv4 by BitZtream · · Score: 5, Informative

      You're missing the fact that an IPv6 /64 is what a home user gets, not the total address space. The IPv6 address space is 128 bits, meaning you get 2^64 blocks of 2^64 addresses.

      Meaning every square millimeter of the Earth's surface can be assigned approximately 667 quadrillion unique addresses. With your math, I personally can assign every 0.29cm^2 of the Earth an address out of my block alone.
      Please see:
      http://en.linuxreviews.org/Why_you_want_IPv6

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    31. Re:screw ipv4 by Bishop+Rook · · Score: 3, Interesting

      Or 2001:0db8:85a3::8a2e:0370:7334? You can shorthand out those all-0 octets.

    32. Re:screw ipv4 by BitterOak · · Score: 4, Insightful

      If the router is handling the conversion and talking ipv4 internally, why would the devices need to support ipv6 again?

      Ok, so let's say you have your router converting packets from IPv6 and IPv4, and translating your internal IPv4 addresses to external IPv6 addresses. Now, let's say you're sitting at your IPv4 computer connected to this magic router. You launch Firefox and type the Slashdot URL. (More likely, you'd have it bookmarked.) So, what does your computer do? It sends a DNS request to get Slashdot's IP address. Now, in an IPv6 world, this IP address would have 128 bits instead of 32. How is your IPv4 operating system going to make sense of this?

      So you might suggest a fancier router that is DNS aware, and translates those addresses back and forth, effectively acting as a DNS proxy. But there is a problem. How do you translate all IPv6 addresses to IPv4 addresses? Considering that the address space for IPv6 has 4 times as many bits, I don't see how this is even possible: you can't assign a unique 32 bit number to each 128 bit number.

      So the problem is much more complicated than it first appears.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    33. Re:screw ipv4 by Cajal · · Score: 4, Informative

      I'm not confusing NAT and PAT. There was a nice writeup at ars technica recently about the IETF's efforts to define a v6/v4 NAT - http://arstechnica.com/news.ars/post/20081006-ietf-working-on-making-ipv6-and-ipv4-talk-to-each-other.html

  2. Credit crunch by Harmonious+Botch · · Score: 5, Insightful

    This is curiously similar to the current credit crunch. When a fix is not guaranteed to happen soon, people start hoarding.

    1. Re:Credit crunch by toleraen · · Score: 4, Interesting

      I was going to use the oil analogy. It's going to run out eventually, so why not switch to something better now before we run out?

    2. Re:Credit crunch by Samantha+Wright · · Score: 4, Interesting

      That's a little silly. These allocations were made in the 70s and 80s, before the Internet really existed outside of the US. At the time, the recipients of the addresses were those who were most likely to use them. No hoarding is going on.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    3. Re:Credit crunch by Chaos+Incarnate · · Score: 4, Insightful

      That is hoarding.

      No, that's life outside a police state.

      --
      Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
    4. Re:Credit crunch by Kadin2048 · · Score: 2, Interesting

      Actually this is exactly why nobody wants to change.

      Or rather, everyone knows they'll have to change eventually, but nobody wants to be first. Optimally, everyone wants to be last. There's no benefit to being an early adopter -- you spend a lot of money figuring out how to do everything right, upgrading stuff, maybe rewriting software; the Johnny-come-latelies just ride in on the coattails of everyone else. They hire a couple of consultants to do the worst of the work, who've gotten their experience on the early adopters, buy COTS software, cheap hardware, etc.

      Right now we're in a sort of 'Mexican standoff' where nobody wants to move first, because there's a risk by using up all that capital being first, your competitors will sit, and watch, and learn, and then leapfrog you when they get around to doing it later.

      (Similarly, both the U.S. and China need to move away from oil, but neither want to go first; both would prefer to let the other guy go first, and take the big economic hit from switching over to something else, and burn out the rest of the fossil fuels themselves, and then buy the alternative technology once it's cheap and being mass-produced, with all the R&D subsidized by the other guy.)

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    5. Re:Credit crunch by hob42 · · Score: 2, Insightful

      Nah, you have two, but can get by with one. Just let us buy the other, and if you really do need it in the future, you can always buy another one.

      (That sounded funnier in my head.)

  3. Give back class As by Neil+Watson · · Score: 5, Insightful

    Perhaps some of the institutions that still have class A networks reserved from the old days, with no reasonable need for them, should give them back.

    1. Re:Give back class As by Anonymous Coward · · Score: 5, Informative

      Yup, I work for one of them, GE - the entire "3.x" class-A network, 16million addresses - most of our internal network is those 3.x addresses, behind firewalls so basically useless - and even better, I pinged a few external GE sites I know of, and none of them even use 3.x addresses!!

      maybe 500K employees & contractors, even add 500K more for servers and unallocated IPs in the ranges, that's still 15*million* unused. Besides which, we could easily run on 10.x internal networking and NAT/Proxy to outside.

      Don't be in a hurry to get them back though... it's not a priority! (haha)

    2. Re:Give back class As by t0rkm3 · · Score: 4, Insightful

      As a network security guy in a company with 9 Class B's that are used within the company. (1 is Internet facing) The internal usage of public IP address space is justified by one thing, acquisitions. Every time a company is bought up by our company we have to integrate them into our network. We are already using some RFC1918 space at stub networks(plants/refineries) and for VoIP applications. However, the challenge of integrating 25,000 new IP devices with a conflicting address scope per merger is painful and wasteful.

    3. Re:Give back class As by mordred99 · · Score: 3, Interesting

      Hell .. some of the companies have all their stuff on public IPs. One in particular (I won't say who) I can get to the manufacturing PLCs since they use public IPs on everything. I can shut off their machines if I wanted to. Yes I used to do security for them, but I was let go because I brought up too many things that would cost them money. Their security manager said "If I don't know about it, and something goes wrong, we can pay to fix it then. However it is cheaper to not tell upper management about it, as they will be forced to act and the last thing we need to do is spend money." Yeah .. I left.

    4. Re:Give back class As by Bill+Barth · · Score: 2, Informative

      Isn't this what DHCP is for? I'm a little surprised you have 25k boxes come in via a merger with static addresses.

      --
      Yes...I am a rocket scientist.
    5. Re:Give back class As by qwertphobia · · Score: 2, Insightful

      Core routers don't get DHCP addresses. Servers don't get DHCP addresses. Infrastructure, for the most part, should not be dynamic, and should never rely on other infrastructure unnecessarily.

      It can take years to transition between addressing policies.

      --
      Never ask for directions from a two-headed tourist! -Big Bird
    6. Re:Give back class As by Sique · · Score: 4, Interesting

      NAT is a hassle, when it comes to more complex protocols than simple TCP. I've worked at a customer site which had a slightly... let's put it like this... unorthodox allocation of internal IP addresses. They just gave every site a 10.X.0.0/16, and then they had more than 256 sites (it's a large retailer, that's why). So they started expanding (yes I know, shame on them) into the 9.0.0.0/8 and 8.0.0.0/8 space.

      When they bought a company in another country, the sysadmins there absolutely refused to route those nets into the VPN (right they were). So now the customer starts heavily to NAT, so the new company never sees any internal 9.0.0.0/8 and 8.0.0.0/8 addresses.

      And now lots of things break. Videoconferencing and VoIP are among the worst offenders, but some complex logistics software they use is playing silly buggers too. And with more than 256 sites it's just not feasible to start readdressing all the IPs. They just don't have the people to do it, and they don't have the time to do it (it has to happen all at once, otherwise just more applications break during the transition period), and they don't have the money to hire enough external people to do it.

      It's a lesson why violating RFC1918 never was a good idea, but it is also a lesson that NAT gets you only so far.

      --
      .sig: Sique *sigh*
  4. And for just 10 dollars a month... by lobiusmoop · · Score: 4, Funny

    you can give one of these poor unwanted IPs a home.

    --
    "I bless every day that I continue to live, for every day is pure profit."
    1. Re:And for just 10 dollars a month... by NeverVotedBush · · Score: 3, Funny

      Do I get a picture of it and a thank-you letter?

  5. Leftovers from before NAT? by LeotheQuick · · Score: 2, Interesting

    Maybe these addresses are simply leftovers from before people started to make wide use of NAT, which cut down a whole lot on the # of addresses in circulation

  6. Why bother? by Timothy+Brownawell · · Score: 4, Insightful

    Would giving them back do anything other than encourage network providers to procrastinate on IPv6 for another couple years?

    1. Re:Why bother? by hedwards · · Score: 2, Insightful

      I doubt that will be a bigger problem than what we currently have. The most likely thing will be for the IPV6 stuff to end at the modem and be IPV4 internally. At least until the security and configuration utilities are easy enough for people to use. I'd be surprised if it weren't opt out in some fashion.

      The big thing is for the ISPs and the rest of the net to be ready for IPV6, the home user is sort of the last part that needs to be changed. And they aren't the ones that are pushing for more time.

    2. Re:Why bother? by Just+Some+Guy · · Score: 2, Insightful

      Isn't that a good thing? I imagine there are going to be serious security issues when ipv6 is implemented and EVERYTHING is routable.

      So we move back the crisis another 18 months. What then? We find some ultra-short-term "fix" to put it off another 18 months for "security issues"? At some point, you've gotta do what you've gotta do.

      --
      Dewey, what part of this looks like authorities should be involved?
  7. IBM, Ford, Microsoft, etc. by Spazztastic · · Score: 3, Insightful

    If the big fortune 100 companies would dump their IP blocks that they don't use more than 10% of the whole sensationalist scare of "OH MY GOD WE'RE RUNNING OUT OF ADDRESSES" wouldn't even be relevant.

    Also, to quote someone from the last three articles related to IPv4 running out, it seems like one of these articles shows up on the main page at least once per month and nothing has changed.

    I don't see why any company, even in the expandable future, would use every address in a /8 subnet... unless they have everything open to the internet, which is moronic.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  8. Why is anyone surprised? by gstoddart · · Score: 4, Insightful

    People setting up networks aren't trying to use every single address in their space.

    It's far easier to use an entire a.b.c.* as a logical sub-domain than fiddling with netmasks and all that stuff so that a.b.c.1 and a.b.c.200 are on different subnets.

    The amount of work people would need to invest to use every single IP address with no holes would be cumbersome. (I'm not saying you can't do it, it's just tedious.) And, you never know when you're going to need to allocate more machines -- I remember getting blocks of IP addresses for static machines in case I needed another machine in the future.

    Now, why most people aren't using 10.*.*.* as their internal stuff I'll never know. Since the overwhelming majority of machines on the internet aren't (and shouldn't) be directly routable, it's an awful waste to not have organizations behind NAT-ed firewalls and not drawing from the common pool of route-able IP addresses.

    Cheers

    --
    Lost at C:>. Found at C.
    1. Re:Why is anyone surprised? by Finallyjoined!!! · · Score: 4, Informative

      Quite right, there's no reason whatsoever why 98% of users shouldn't be behind NAT gateways. I've seen stupid situations where bloody printers are assigned a public IP - so people can print to them over the internet - Whaaat??? Furthermore pretty much all VPN client software (excluding Microsoft shite, of course) is NAT-T aware.

      One other point, not related to the above, TFA states they are using icmp to determine if a host is alive. Really? What is the margin for error here? Pretty much every device I configure with a public IP & connected to the net, will not respond to icmp (except from designated hosts/host blocks) Guess we can take their figures with a pinch of salt then.

      --
      If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    2. Re:Why is anyone surprised? by spaceyhackerlady · · Score: 2, Insightful

      Now, why most people aren't using 10.*.*.* as their internal stuff I'll never know. Since the overwhelming majority of machines on the internet aren't (and shouldn't) be directly routable, it's an awful waste to not have organizations behind NAT-ed firewalls and not drawing from the common pool of route-able IP addresses.

      This is exactly how the company I work for does it. We use one public IP address, and our computers (all private IPs, as they should be) are NATted behind our router. I do the same thing at home, partly to circumvent how many computers my ADSL provider will let me plug in to their connection without giving them more money. :-)

      If everybody did things like this we would need a lot fewer IP addresses.

      ...laura

    3. Re:Why is anyone surprised? by camperdave · · Score: 2, Interesting

      The amount of work people would need to invest to use every single IP address with no holes would be cumbersome. (I'm not saying you can't do it, it's just tedious.)

      It's not so much about the little holes, but the ones so big that you could drive a tank through and still have enough room on either side to comfortably fit an aircraft carrier through sideways: like the class A block owned by Digital Equipment Corporation, which went belly-up in 1998; or the Computer Sciences Corporation which employs 98 thousand people, but has 16 million IP addresses (for 17 computers apiece, I guess); or the class A loopback addresses, there because someone occasionally pings 127.0.0.2 just for variety.

      And speaking of waste, why blow a 10.0.0.0/8 on a LAN when 192.168.x.0/24 will do just fine? It's this mindset that has led us to where we are now. I'm switching to IPv6 as soon as my ISP can provide it. ping ::1 is so much easier to type.

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:Why is anyone surprised? by bendodge · · Score: 4, Informative

      NAT is a hack, not a firewall.

      --
      The government can't save you.
    5. Re:Why is anyone surprised? by sl3xd · · Score: 2, Insightful

      It's a useful hack, but it also causes as many problems as it creates.

      People who worry about IPv6 being routable everywhere on the internet really need to get their heads examined. It's quite simple to set up a packet filter that acts more or less identical to a NAT packet filter. It's quite simple to keep packets from getting where you don't want them to go - no more difficult than IPv4 with the NAT hack.

      --
      -- Sometimes you have to turn the lights off in order to see.
  9. Many addr's may be behind firewalls... by Anonymous Coward · · Score: 5, Informative

    We get this all the time from our ISP's. "Our scans reveal that you're not using much of the space we've allocated to you." In reality, those IP's are behind firewalls that only permit certain customers to reach them. Otherwise they don't respond - even to pings. The IP's appear dead to everyone except authorized users, and our ISP's aren't authorized.

    1. Re:Many addr's may be behind firewalls... by Timothy+Brownawell · · Score: 3, Funny

      I wonder what the opposite strategy would do... have the firewall intercept pings, but instead of just dropping them, pretend to be the target and answer them itself.

    2. Re:Many addr's may be behind firewalls... by sl3xd · · Score: 2, Insightful

      You gotta love the assumption they're making that "not pingable means not in use."

      In reality, it can quite easily mean that most of the IP addresses on the internet are firewalled off, because they're not serving anything to the rest of the internet. If anything, I like to think of it as a good sign that at least rudimentary security measures are being taken by consumers.

      Grandma doesn't need her own web server, mail server, etc. Neither do most consumers - heck, I only have a couple of ports open - SSH and a gaming VoIP server.

      Guess what ping does? Yup. Nothing.

      --
      -- Sometimes you have to turn the lights off in order to see.
  10. Fallow-Field Legislation by VE3OGG · · Score: 2, Interesting

    In the oil-business (and in many other fixed-resource industries, more than likely) there is a particular kind of legislation that would likely work very well in such a situation. It is known as 'fallow field legislation'.

    It works like this:

    If a company finds (or buys) rights to an oil field, they are given five years to start producing from it. If they do not, cannot, or are otherwise unwilling after those 5 years, the rights are revoked and the government (or governing body) will find someone who will and can.

    Fast forward to IPv4 -- any address that isn't being used (and by used I mean that there is no web presence, no use of e-mail, etc.) after a certain time period (perhaps 1-2 year(s)) then the address is revoked and put back into the public pool.

    Obviously, the easiest way to get around this little regulation would be to put up a place holder page, or redirect it to the main site. This would be much trickier. Likewise, it would not stop the name squatters (and increasingly the registrars) from putting up those SPAM pages, but like I said, it would fix the problem of people just sitting on a resource without using it.

    My $0.02

  11. TCP and ICMP by IceCreamGuy · · Score: 4, Insightful

    I drop ICMP entirely, and besides our website and mailservers, we don't have any standard tcp ports open on any of our other external IPs. I really can't imagine it's that much different for other medium and large businesses; am I to believe they nmapped the entire Internet? (It's clear FTA that they did not) To me, these findings are not that surprising in the security-oriented world we live in today.

    1. Re:TCP and ICMP by Anonymous Coward · · Score: 2, Insightful

      If none of the ports are open on any of your external IPs, then why do you need to have more than one external IP?

    2. Re:TCP and ICMP by Anonymous Coward · · Score: 5, Informative

      I drop ICMP entirely

      Then you're an idiot who has no business managing a firewall.

  12. Bankrupt companies by sunderland56 · · Score: 2, Interesting

    What happens to the IP addresses allocated to companies that are now (a) bankrupt, or (b) bought out by larger companies, or (c) allocated to companies now significantly smaller in size? There must be a significant pool of addresses that could be reclaimed there.

    e.g. dec.com, compaq.com, sco.com, sgi.com....

  13. Millions more have been hijacked by Arrogant-Bastard · · Score: 5, Interesting

    In addition to all those lying idle because of excessive address space allocation, there are huge swaths of space which have been hijacked. Recent discussion on the NANOG list has highlighted some of these; the Spamhaus DROP list features others. And other researchers have found still more that are obviously no longer under the control of their putative owners, and are being used for spam, spyware, phishing, and worse. Attempts to get network operators, registrars, ICANN, ARIN, and others to effectively disable these resources -- and eventually to reclaim them -- have been largely unsuccessful. Yes, in some isolated cases, limited action eventually takes place, but it's far too little far too late to be considered anything close to "effective". We need a concerted, worldwide effort to not only reclaim this space, but to blacklist for life those found currently possessing that -- because (as we've seen repeatedly) they won't be deterred by anything else.

  14. MIT is 18.*.*.* by Dogun · · Score: 2, Informative

    Last I checked, MIT had all of 18.*.*.*...

  15. Wrong! Lying is the correct form. by DigitalReverend · · Score: 4, Informative

    http://www.grammarmudge.cityslide.com/articles/article/992333/8992.htm

    http://www.askoxford.com/betterwriting/classicerrors/grammartips/lyingandlaying

    If you are in the process of putting something down, you are laying it down, but that object once it is there, it is lying. The verb lay has a direct object that the action is performed on. He is laying the book on the credenza. She is laying her purse on the counter. Once it has been laid, it is now lying. The book is lying on the credenza. The purse is lying on the counter. IP addresses are lying unused.

    http://en.wikipedia.org/wiki/Laying

    --
    I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
  16. Need a Class C to do BGP by WisePug · · Score: 2, Informative

    I just set up redundant internet connectivity, and needed to get a class C address space, even though I only use a dozen or so addresses. I guess this is to limit the size of routing tables. Seems like a waste.

  17. Interactive map by citking · · Score: 2, Informative

    There is an interactive map on their site that allows you to zoom into the IP space pretty nicely. Our uni has a B range of addresses and we use only two Cs of that right now. When we split off from the main building and got onto city fiber, they decided that, rather than give us a private IP range like the other campuses, we would be allocated one of the C ranges.

    Of course, no one knew what they were doing so getting the ASA and default routes set-up properly was a nightmare, but hey, we're using more of our IP space now! (sarcasm intended)

    --
    "This food is problematic."
  18. They used ping! by eihab · · Score: 5, Interesting

    From the article:

    The USC research group used the most innocuous type of network packet to probe the farthest reaches of the Internet. Known as the Internet Control Message Protocol, or ICMP, this packet is typically used to send error messages between servers and other network hardware.

    My home network is in complete stealth mode, and to them that's another "idle IP" address.

    I also love how they arrived at their conclusion:

    the team probed a million random Internet addresses using both ICMP and TCP, finding a total of 54,297 active hosts ...
    In total, the researchers estimate that there are 112 million responsive addresses ...
    but the overall conclusion--that the Internet has room to grow--is spot on

    How did this ghetto-science experiment end up on Slashdot again?

    --
    If you can't mod them join them.
  19. IPv4 addresses running out: by circletimessquare · · Score: 4, Funny

    the IT hysteria of the early century. just as juicy a media hit as the Y2K panic and fear from last century, but not as much consulting opportunities

    personally i'm waiting for 2012, when the elder gods of the mayan calendar awaken and in their rage at not being greeted by chocolate, peppers, and virgins, they reroute all null pointers in all code to the apocalypse. plenty of IT hysteria, plenty of consulting opportunities

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  20. just a few examples by marvinglenn · · Score: 2, Informative

    See http://www.iana.org/assignments/ipv4-address-space/

    019/8 Ford Motor Company 1995-05 LEGACY
    marvin@tribble:~$ host www.ford.com
    www.ford.com is an alias for www.ford.com.edgesuite.net.
    www.ford.com.edgesuite.net is an alias for a1200.g.akamai.net.
    a1200.g.akamai.net has address 96.17.109.74
    a1200.g.akamai.net has address 96.17.109.18

    013/8 Xerox Corporation 1991-09 LEGACY
    marvin@tribble:~$ host www.xerox.com
    www.xerox.com is an alias for www.xerox.com.edgekey.net.
    www.xerox.com.edgekey.net is an alias for e82.c.akamaiedge.net.
    e82.c.akamaiedge.net has address 72.246.128.108

    009/8 IBM 1992-08 LEGACY
    marvin@tribble:~$ host www.ibm.com
    www.ibm.com is an alias for www.ibm.com.cs186.net.
    www.ibm.com.cs186.net has address 129.42.58.216

    003/8 General Electric Company 1994-05 LEGACY
    marvin@tribble:~$ host www.ge.com
    www.ge.com has address 192.131.227.156

    048/8 Prudential Securities Inc. 1995-05 LEGACY
    marvin@tribble:~$ host www.prudential.com
    www.prudential.com is an alias for web.prudential.com.
    web.prudential.com has address 12.34.100.148

    Apple (17) and HP (15) have their public website within their allocation. Eli Lil(l)y (40) also appears to have their public website within their allocation, but I have a hard time believing that they could ever need that many public IP addresses.

    So there... I just found an extra quarter million addresses. (5 x 2^16) Y'all can pay me by giving me my own /24.

    --
    The whores get mad when the sluts give it away for free.
  21. Decades? by Hikaru79 · · Score: 5, Funny

    The most comprehensive scan of the entire internet for several decades

    As opposed to the great Internet scans of the 30s?

  22. I have 11 Class C's with lots of empty numbers by mschuyler · · Score: 2, Interesting

    and you can have them when you pry them from my cold, dead fingers. I would never be able to get them today, but way back in the early nineties they just gave them away. I had ten sites and wanted to start a Frame Relay network, so 'they' gave me a Class C for every site and one to knit them together. A couple of my sites had less than a dozen computers. Of course, these days even the copy machines have an IP address, so those sites are up around two dozen or so. One of them is doubling in space, so we'll be up to fifty or so. One of our sites closed, so that freed up an entire Class C, but our largest site is pushing the limits, so we moved the empty Class C to the large site. The numbers are scattered all over the place. .1 is always the router. Of course, the hubs have their own IP address. Public access stations started at .100 to be easily recognizable, but then the staff machines got up to .99 so we had to hop scotch over the public numbers and keep going with .200. The numbers are static because it's easy to track, and when we first started it seemed a reasonable path to take.

    Could we do this differently? OF COURSE!! There are lots of ways to free up a ton of space. Please don't lecture me on how to do it. I know how to do it. It's just that the system is working now. The system just kinda grew on us. When we started we had no idea copy machines would have IP addresses. Even the damn VoIP phones have IP addresses! That was a big hit on our numbers. Are refrigerators next? We had no idea we'd have fifty servers instead of three or four. Life has changed and because we are relatively 'wealthy' in terms of addresses, we had the flexibility to change with it.

    I look at our Class C's kinda like a fixed field database. There's a lot of air in there. It compresses really nicely if you need to, but disk space is cheap, so there's no real reason to conserve it.

    The thing is, even though we have a bunch of empty addresses, our experience shows that we're going to grow into them. We've already encountered congestion a couple of places. As soon as those new fridges show up we'll need some more numbers. My guess is before too long we're going to have to do some subnetting and consolidate a couple of our small sites into one Class C to free up the other one to use in a large site. That should work fine. I don't see any problems pulling that off. Of course, if we build another big site, we'll have to think through what to do very carefully. We'll probably do the new site like y'all want us to. We may not have any choice.

    But those Class C's are mine. I own them, and you can't have them back.

    --
    How about a moderation of -1 pedantic.
  23. Won't SOMEBODY think of the appliances? by SoundGuyNoise · · Score: 2, Funny

    But my refrigerator, it needs, nay, craves an IP address, so it automatically orders my eggs and ravioli and orange creme soda, and orangutans, and breakfast cereals.....

    --
    You never expect irony, do you?
    Want to be a professional wrestler? Visit www.iyfwrestling.com
    @iyfwrestling
  24. My experience with RIPE by Richard+W.M.+Jones · · Score: 3, Informative

    This story rings true. I worked for a company during the dot-com boom and just after which requested an allocation from RIPE (the European equivalent of ARIN). I was the designated & trained "LIR" (I think that was the term?).

    We received 8,192 IP addresses. We actually had them authorized to us in blocks of 256 addresses, and each time we needed another 256 we had to go back to RIPE and justify the expansion. However it is my understanding that the full 8,192 addresses were reserved for us.

    We ended up using 3 x 256 addresses, but after a later downturn in the fortunes of the company, even many of those went unused.

    I left the company many many years ago. However I notice the company that acquired it is still using those 3 x 256 addresses, and the original 8,192 are still reserved at RIPE. The IP addresses are even registered to the name of a director who was ousted when the company was taken over, at a street address that the company hasn't occupied for many years.

    Rich.

  25. Simpler Politics by Midnight+Thunder · · Score: 4, Insightful

    lets just switch to IPv6, it's more functional and future proof

    Yup and it is probably much simpler. Trying to reclaim addresses involves political issues, finding out who to talk to, bureaucracy and some technical issues. Switching to IPv6 is about technical stuff and just getting going. You are going to have to switch to IPv6 at some point, so why spend energy twice?

    --
    Jumpstart the tartan drive.
  26. NAT is a hack. by SanityInAnarchy · · Score: 2, Interesting

    Granted, it may be cheaper, in the short term, to use NAT than to upgrade to ipv6.

    But imagine if no one was using NAT anywhere. This would have two effects:

    First, techniques like Skype's UDP hole-punching would be completely unnecessary. You wouldn't even need a central server -- you could just use protocols like SIP the way they were meant to be used.

    Port forwarding would be a thing of the past. Far more peer-to-peer technologies would just work.

    Second, we'd run out of IPv4 a lot faster.

    --
    Don't thank God, thank a doctor!
    1. Re:NAT is a hack. by entrigant · · Score: 2, Informative

      You might want to sit down for this...

      NAT is not a firewall.

      Try this:

      iptables -P INPUT DROP

      Suddenly you have the same false sense of safety using a public IP.

    2. Re:NAT is a hack. by TheRaven64 · · Score: 2, Insightful
      Rubbish. Which is more secure, of the following two options:
      1. A public IP address, which you use to run a published protocol, on well-defined ports, through a firewall that blocks everything except the authorised ports.
      2. A NAT'd IP, which requires you to do lots of tricks to bypass, preventing the firewall from being able to tell the difference between malware and VoIP traffic.

      This is exactly the option people have now. If you want something like VoIP, and both endpoints are behind a NAT (they usually are these days) you need to rely on something like Skype, which is a security nightmare (see the paper 'Silver Needle in the Skype' for more details).

      --
      I am TheRaven on Soylent News
  27. Re:Pedantic Correction for the Headline by NeverVotedBush · · Score: 3, Informative

    It's best, however, when you are laying someone else -- as in "I'm laying your girlfriend." "I got laid by your wife."

  28. Re:Wrong! Lying is the correct form. by nameendingwith · · Score: 2, Funny

    Once it has been laid, it is now lying.

    So in other words, there are no Slashdot users that are lying. If they say they are lying, then they are lying.


  30. Rearranging Deck Chairs on the Titanic by Detritus · · Score: 2, Insightful

    This whole discussion is a waste of time. You aren't going to get any of these address blocks without an expensive and prolonged fight. Wasting valuable resources that could be used to advance a real solution, IPV6.

    Even if you "liberated" all of these address blocks, they would be quickly consumed by the natural growth of the Internet.

    NAT is not a solution, it is a malignant blight that must be destroyed. If you want a firewall, get a real firewall.

    --
    Mea navis aericumbens anguillis abundat
  31. TCP/ICMP not a good way to do this by jimmyhat3939 · · Score: 2, Insightful

    TCP and ICMP is not a good way to test this. Plenty of IPs won't respond to a ping and don't have any TCP ports open for inbound connections (SYN flag set).

    --
    Free Conference Call -- No Spam, High Quality
  32. Isn't there a better way to do this? by damn_registrars · · Score: 2, Insightful

    It appears that all they did was ping every address they could, and then track which addresses responded and which ones did not. Considering how many systems are either configured to not respond to ping, or sit behind firewalls that stop the ping from getting through, this seems like a method of marginal value.

    Wouldn't there be a better way to query the addresses than this? In some areas, I suspect checking DNS records might be more informative if what you are looking for is which addresses are unused (though of course DNS isn't mandatory either).

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  33. This is a peer review paper. by kilocomp · · Score: 2, Informative

    Yes I am sure the researchers have no idea what a firewall is. And everyone is a network admin with their home routers...

    Of course these researchers used logic to determine when a firewall is in place. One possible way would be to look at a subnet as a whole, if neighboring IPs are responding you can make a reasonable guess that other IPs should respond if bound to another node. This is a sampling of 4 billion, so no, individual circumstances where this doesn't hold up won't make a difference.

    Wait for the actual paper to come out during the conference. If your research with your home router shows this is an incorrect paper, you can call them out. After all this is what peer review is all about.
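
The neighbour heuristic sketched in the comment above, as an added Python example that is not part of the thread and not the USC researchers' method: it splits probed space into addresses that answered, silent addresses in blocks where a neighbour answered, and blocks that are entirely dark, then reports the lower and upper bound on usage that a ping census can support. The function names, the /24 grouping, the one-neighbour threshold and the probe results (documentation address ranges) are all assumptions constructed for illustration.

```python
"""Added example: neighbour-based reading of a ping census (constructed data)."""
import ipaddress
from collections import Counter


def classify_blocks(probed_blocks, responders, prefixlen=24, min_neighbours=1):
    """Count probed addresses by what a ping census can say about them.

    probed_blocks: CIDR strings that were probed (each /prefixlen or shorter).
    responders:    address strings that answered at least one probe.
    A block counts as "active" when at least min_neighbours addresses in it
    answered; otherwise its silent addresses are counted as dark.
    """
    hits = Counter()
    for addr in set(responders):  # one host may answer several probes
        block = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        hits[block] += 1

    counts = {"responsive": 0, "silent_in_active_block": 0, "in_dark_block": 0}
    for cidr in probed_blocks:
        for block in ipaddress.ip_network(cidr).subnets(new_prefix=prefixlen):
            answered = hits[block]
            silent = block.num_addresses - answered
            counts["responsive"] += answered
            if answered >= min_neighbours:
                # Probes reach this block, so a block-wide filter is unlikely.
                # Per-host filtering can still hide machines here.
                counts["silent_in_active_block"] += silent
            else:
                # Nothing answered: unused and fully firewalled look the same.
                counts["in_dark_block"] += silent
    return counts


def usage_bounds(counts):
    """Return (lower, upper) fraction of probed addresses that may be in use.

    Lower bound: only addresses that answered.
    Upper bound: those plus every address in a dark block, since the census
    cannot rule out that a dark block is fully used behind a filter.
    """
    total = sum(counts.values())
    lower = counts["responsive"] / total
    upper = (counts["responsive"] + counts["in_dark_block"]) / total
    return lower, upper


# Constructed probe results using the RFC 5737 documentation ranges.
SAMPLE_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
SAMPLE_RESPONDERS = [f"192.0.2.{i}" for i in range(1, 41)] + [
    "203.0.113.1", "203.0.113.10", "203.0.113.25",
]

if __name__ == "__main__":
    sample_counts = classify_blocks(SAMPLE_BLOCKS, SAMPLE_RESPONDERS)
    low, high = usage_bounds(sample_counts)
    print(sample_counts)
    print(f"in use: at least {low:.1%}, at most {high:.1%} of probed space")
```

The gap between the two bounds is exactly the dark-block share, which is the part of the census the firewall objections in this thread are about.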

  34. Maybe some of them are hiding by John+Jorsett · · Score: 2

    My address is behind a firewall that doesn't respond to unsolicited incoming packets. It's in use, but you'd never know it from the outside.