At Current Rates, Only a Few More Years' Worth of IPv4 Addresses

An anonymous reader excerpts from an interesting article at Ars Technica, which begins "There are 3,706,650,624 usable IPv4 addresses. On January 1, 2000, approximately 1,615 million (44 percent) were in use and 2,092 million were still available. Today, ten years later, 2,985 million addresses (81 percent) are in use, and 722 million are still free. In that time, the number of addresses used per year increased from 79 million in 2000 to 203 million in 2009. So it's a near certainty that before Barack Obama vacates the White House, we'll be out of IPv4 address[es]. (Even if he doesn't get re-elected.)"

Don't say "NAT"

Can we start the discussion by not immediately going to the "NAT will save us" argument? Just accept that while NAT deployments might put it off, IPv6 deployment is inevitably necessary.

Re:Don't say "NAT"

[causality]

Can we start the discussion by not immediately going to the "NAT will save us" argument? Just accept that while NAT deployments might put it off, IPv6 deployment is inevitably necessary.

It's not unreasonable to say that the increasing scarcity of a finite resource might put more pressure on all of us to utilize that resource more efficiently. Replacing the scarce resource (IPv4 with its 2^32 addresses) with one that is overabundant (IPv6 with its 2^128 addresses) is always an option, of course. But migrating to that option and more wisely using our existing resources are not mutually exclusive. So no, I don't recognize as invalid the discussion of NAT as a technique useful for mitigating this issue.

Re:Don't say "NAT"

[growse]

So we go through a huge difficult, expensive process to save us, what? A couple of years? Why bother?

Re:Don't say "NAT"

[sopssa]

Seeing the state of IPv6 and how many devices still don't support it, I think thats a pretty good idea. That being said, IPv6 support should be fully done in new devices, OS and programs already, because you need to give some time for old devices too so they can still work under IPv4.

But on another thing, I really doubt we are just a few years ago from IPv4 addresses going out of stock. There's still many /8 unallocated to anyone, most ISP's still give their users 5 ip addresses on home lines and from most hosting companies you can buy new ip's for $1-3 per piece. If we will be running out of them, we will first see hosting companies upping their prices and home ISP's limiting how many IP's they give to customers. And that will come far before we're actually out of address space.

Re:Don't say "NAT"

[petermgreen]

we will first see hosting companies upping their prices and home ISP's limiting how many IP's they give to customers. And that will come far before we're actually out of address space.
That depends on what the IANA and the RIRs do. with thier policies over the next few years.

Right now IMO the sane policy for an ISP is to allocate as many IPs to customers as they can get away with, that way they can "justify" getting new IPs from the RIR. When the final squeeze comes with no new IPs availible from the RIRs the ISPs can then claw back IPs from less lucrative customers and give them to more lucrative ones.

Re:Don't say "NAT"

[Hatta]

It'll be easier to give everyone a block of ipv6 addresses than it will be to take away legacy ipv4 allocations.

Re:Don't say "NAT"

[Jeremi]

There is no scarcity of the "resource" to begin with, only design flaws

The scarcity may be caused by design flaws, but that doesn't mean the scarcity doesn't exist.

Re:Don't say "NAT"

[rantingkitten]

There's no security value to NAT. NAT does provide a stateful firewall that disallows inbound connections, but you can do that just as well without NAT, and with a great deal more flexibility.

You can. I can. Aunt Myrtle can't. I for one am glad that most home users are behind NAT these days. It's better than nothing. Unfortunately, it does tend to cause issues with SIP, which is my industry, but I've learned to live with that.

Re:Don't say "NAT"

[mcrbids]

Let's say that you get all these companies to give up ALL their addresses. You've postponed the problem by about 18 months! Whoopee!

The thing is, technology tends to grow logarithmically, which is why we have things like Benford's Law. The problem shouldn't be being solved now, while we're at the 90% level, the problem should have been solved long ago, back when we were at about the 10-20% level, because the actual halfway mark as a function of time is somewhere near 20-25% completion!

That IPV6 has been bungled so bad is a consequence of the Second System effect and perhaps a bit of design by committee.

In any event, IPV6 fails to solve a couple of fundamental problems:

1) Piss poor backwards compatibility. This was even acknowledged publicly in a recent news article. It's not only not poorly backwards compatible, it just basically ISN'T backwards compatible. Want to talk to an IPV4-only resource from your IPV6-only address? You basically have to have some fancy trickery with NAT and DNS in order to do this - it isn't straightforward, and it requires coordination with the IPV4 resource. And the reverse is even worse!

2) Un-necessary complexity in implementation. Partly as a result of #1, implementing IPV6 will be costly, and will require expensive "transition tools" in order to work smoothly. But it's not just because of lack of backwards compatibility - issues such as strange hardware requirements (what... no MAC address?) and the like make the cost of implementing high. Sure, it's not that expensive per device, but multiply that by the entire Internet, and the problem becomes a bit more clear.

3) No net positive for implementing! You don't get "more" for implementing, you get "less". Some stuff that used to work won't, and other stuff that you need to work just isn't there. Sure, Yahoo and Google support IPV6, which is great for the 50 or so people who are on it. But, if anybody cares, it's on IPV4.

4) Tragedy of the Commons: The address shortages don't affect anybody who's already on the 'net. I have an IP address or two already. I don't care if *you* run out, I only care if *I* run out. So, I really don't much care about you so long as I get mine. That's called the "tragedy of the commons" - a common resource is exploited as quickly as possible by people who are motivated to get theirs before anybody else gets it, resulting in a destroyed public resource.

IPV6 sucks. The engineers had their chance, and they blew it. Now it's too late to change it because we don't have another 5 years to committee another solution, and there is already a significant amount of inertia from those poor souls who have already implemented it! (at great cost)

This is NOT going to end well.

Re:Don't say "NAT"

[demonlapin]

You can. I can. Aunt Myrtle can't.

And - let's face it - neither can most of /.'s users. I remember setting up an OpenBSD firewall back in the late 90s, and I did most of my firewall rules configuration by copying someone else's rules. I tweaked them for my specific needs, but there's no way I'd have come up with them on my own. Unless you are a real network admin, you are unlikely to be able to set this up properly.

Re:Don't say "NAT"

I'm sorry, your post is off on a number of points. Let me clarify things for you.

The problem shouldn't be being solved now, while we're at the 90% level, the problem should have been solved long ago, back when we were at about the 10-20% level, because the actual halfway mark as a function of time is somewhere near 20-25% completion!

The IPv6 specs were drafted in 1994 and mostly finalized in 1998. That 95% of the world still is on IPv4 is not due to the IETF's tardiness.

1) Piss poor backwards compatibility. This was even acknowledged publicly in a recent news article.

Yes, in hindsight, more backwards compatibility would have been nice. It might have made the switchover period less painful and would have avoided the Game-theory deadlock that has withheld IPv6 adoption.

It's not only not poorly backwards compatible, it just basically ISN'T backwards compatible. Want to talk to an IPV4-only resource from your IPV6-only address? You basically have to have some fancy trickery with NAT and DNS in order to do this - it isn't straightforward, and it requires coordination with the IPV4 resource. And the reverse is even worse!

Why do you bring up IPv6-only addresses? They don't (yet) exist, and the situation you're describing is supposed to be painful: IPv6 was designed to not be backwards compatible. Such compatibility would introduce so much legacy/deprecated items in a new standard, that they opted to forego that option completely. The alternative for BC was also drafted at the same time: dual-stack operation. The only reason that your scenario may become real is because the industry's laziness. So if you have a problem with IPv6, take it up with your ISP who should have been offering IPv6 addresses for years. It's sad that the first major OS release to support the IPv6 stack was Windows Vista, even though the first working implementation dates from 1998 (KAME project). It's even sadder that up to this date, there are no end-consumer (NAT) routers that support IPv6 - well apart from the OpenWRT router I have running here.

2) Un-necessary complexity in implementation.

Where is the complexity, and which parts are unnecessary from your point of view?

Partly as a result of #1, implementing IPV6 will be costly, and will require expensive "transition tools" in order to work smoothly. But it's not just because of lack of backwards compatibility - issues such as strange hardware requirements (what... no MAC address?)

wha... what? MAC addresses are layer 2 addresses, and have nothing to do with IPv6, which is a layer 3 protocol. And besides, the MAC address is part of the autoconfigured IPv6 address...

and the like make the cost of implementing high. Sure, it's not that expensive per device, but multiply that by the entire Internet, and the problem becomes a bit more clear.

Which is why we could have had a ten-year transition period already...

3) No net positive for implementing! You don't get "more" for implementing, you get "less". Some stuff that used to work won't, and other stuff that you need to work just isn't there. Sure, Yahoo and Google support IPV6, which is great for the 50 or so people who are on it. But, if anybody cares, it's on IPV4.

Again the magic words: dual-stack operation. And about the net positives: no more fiddling with port-forwarding to get your online games to work, no more insecure UPnP implementations, automatic router discovery, automatic address discovery, full protocol support for IPSEC (instead of the tacked-on IPv4 version); no more portscan sweeps, ISPs can't limit the amount of addresses you use, to name just a few.

4) Tragedy of the Commons: The address shortages don't affect any

Re:How many more times are we going to run out?

[Burdell]

RTFS and do the math. 203 million addresses were allocated in 2009; a /8 is 16.7 million addresses; reclaiming a /8 (which would probably take a lot of time and effort, possibly in court) would put off the IPv4 depletion by about one month. It isn't worth the effort; better to put it into IPv6.

Re:No, that's propaganda

[Zocalo]

I know you are joking, but there is a very good reason why Asia is so keen on IPv6 adoption; they are going to feel the crunch first and they know it. IANA has in place an agreement that as soon as one of the RIRs is assigned one of the five final /8s each of the other four RIRs receives one of the remaining /8s and IANA washes their hands of the whole mess. That's without a doubt the most critical milestone along the path to IPv4 exhaustion, so let's look at that instant from the point of each of the RIRs:

• AfriNIC: Incredibly slow burn rate. They're probably still good for another decade or two at this point.
• APNIC: Includes China and India, two of the fastest developing nations on the planet with correspondingly high IPv4 assignment requests. There's no two ways about it; without wholesale IPv6 adoption, they're going to be the ones running out first.
• ARIN: Capitalists to the end, they are on record as saying IPv4 exhaustion is not their problem to solve; it's first come first served and when they are all gone that's it. Even so, there are plenty of US institutions with /8s that could mostly be handed back and reassigned if push came to shove.
• LACNIC: Not quite as low AfriNIC due to developing countries like Brazil, but are still able to sit back and let any problems with IPv6 get resolved before they make the leap.
• RIPE: Have already got the strictest IP assignment policies of the RIRs and will probably just continue to tighten the screw right up until the point of exhaustion; LIR assignment windows are typically about one quarter of what they would have been five years ago. It's a pretty fair bet that APNIC and ARIN will both beat them to the wall.

Pre-emptive strike

[fbjon]

"IPv6 addresses are too long and complicated to type"

...is like saying solar panels are too hard to build when you run out of slave labor in hamster wheels.

"We don't need IPv6 since there is NAT"

...is like saying we don't need new energy solutions because beeswax candles are a tried and trusted technology.

"The Internet will be overrun by zombies when NATs no longer protect us."

...is like saying avoiding antibacterial soap will cause untold misery and disease.

"Just re-allocate some of the wasted space in Class A nets."

...is like saying overcrowding of the planet can be mitigated by decreasing the size of houses.

Re:Pre-emptive strike

[Athanasius]

"...is like saying avoiding antibacterial soap will cause untold misery and disease."

Well, actually, it has some potential to be a problem, if not used correctly:

http://news.bbc.co.uk/1/hi/health/8427399.stm

Re:Pre-emptive strike

[fbjon]

Precisely, NAT is part of the problem.

Re:Pre-emptive strike

[Midnight+Thunder]

Hoarding of scarce v4's undeniably aggravates the shortage almost by definition.

And asking said entities to return unused blocks is like asking the government to return unused tax money. In other words: good luck with that.

Only a Few More Years' Worth of IPv4 Addresses...

[jimpop]

Only a Few More Years' Worth of IPv4 Addresses

They (vested interest groups) have been saying that for a decade now.... guess what, we haven't run out yet.

This again?

We all know that IPv4 addresses will be bought and sold like any other commodity once new ones run out.

Re:On Which Planet?

[swillden]

Of course there is - it allows all manner of insecure and misconfigured gear to avoid being probed from the other side of the planet?

That's not an advantage of NAT. That's an advantage of a stateful firewall that disallows inbound connections. NAT is not required to get the same benefit.

All of the machines in my home have public IPv6 addresses, but I have a firewall that blocks inbound connections to all of them. Same security result. No address translation.

Re:On Which Planet?

[bill_mcgonigle]

An improperly configured NAT gateway may also allow outsiders access to the internal, private network.

I can't think of any that are this way by default.

Improperly configured network devices are always a security risk. NAT does not help here.

Sure it does, they're not reachable from the Internet. How is that not helpful?

Your JetDirect card would presumably be behind a firewall, so even with a public IP, it would not be accessible to those on the general internet.

Yes, mine would be, but most people don't properly secure their networks. NAT buys them some security despite their misconfiguration.

Re:On Which Planet?

[phtpht]

That's great - your network is properly configured. Most aren't.

NAT isn't required, it just makes up for poor administration.

Bah. You just gotta love that attitude. Actually the most plain view of the NAT security is not the inbound firewall but the persumably unroutable private block that's behind it. "We can't do our work properly so we stick our gear where they can't attack it. After all, our network has private addresses so the evil asian guys can't get to it. Right? RIGHT?" Wrong.

Wrong in oh so many ways.

First off, private addresses are NOT unroutable, they just happen to be dropped on their way through your ISP (if they do their job properly). Just try a traceroute to a private address and see how far the trace gets. (And try it from a public traceroute server ;) Try putting a server on the other side of your beloved NAT and you might just discover that you can ping into your private network.

Second, even if this works as advertised it does not pose any great advantage over a stateful firewall. To the contrary, NAT not only tends to fuck up many L4 protocols, but also introduces a complexity in address rewriting and therefore might introduce a whole bunch of security issues on its own.

The third problem is the NAT admin's typical mentality. People tend to satisfy themselves with such a global protection shield (tm) and neglect going into the detail of securing their private network properly. "LAN hosts" are often left with their own firewall off, with simple or even default admin passwords, a lot of non-pc appliances (printers, phones) left to their own fate etc. That just makes a perfect base for the all-or-nothing principle, which goes so against any security reasoning. Such an admin will then be horrified by the mere thought of having IPv6, since that would put all of his naked boxes right on the evil Internet without the condom of NAT, OMG!

Finally AND MOST IMPORTANTLY please ask yourself how much of the total security is provided by blocking inbound traffic. Most client boxes run absolutely no services (maybe ssh), even windows can have a great deal of its server capability disabled. Further, service exploits were the music of the early 2000's, by now almost all of the services can withstand direct exposure to the Internet (with the exception of silly newcomers). The real security threat comes from outbound connections, people going to nasty sites, or people going to legit sites (banks) with silly passwords, flipped staff, and so on and so on. The vast majority of compromised zombie machines is on broadband, which means a router with NAT or "stateful firewall".

Criticising is easy.

[anti-NAT]

Helping solve the problem is much harder.

Are you part of the problem, or part of the solution? If all you're willing to do is criticise, then I think you're part of the problem.