Slashdot Mirror


At Current Rates, Only a Few More Years' Worth of IPv4 Addresses

An anonymous reader excerpts from an interesting article at Ars Technica, which begins "There are 3,706,650,624 usable IPv4 addresses. On January 1, 2000, approximately 1,615 million (44 percent) were in use and 2,092 million were still available. Today, ten years later, 2,985 million addresses (81 percent) are in use, and 722 million are still free. In that time, the number of addresses used per year increased from 79 million in 2000 to 203 million in 2009. So it's a near certainty that before Barack Obama vacates the White House, we'll be out of IPv4 address[es]. (Even if he doesn't get re-elected.)"

66 of 460 comments

  1. Don't say "NAT" by Anonymous Coward · · Score: 5, Insightful

    Can we start the discussion by not immediately going to the "NAT will save us" argument? Just accept that while NAT deployments might put it off, IPv6 deployment is inevitably necessary.

    1. Re:Don't say "NAT" by sopssa · · Score: 5, Informative

      No, not really. There's companies with whole fucking /8 that have no real purpose to own them, but they've just always had them:

      003/8 General Electric Company 1994-05 LEGACY
      004/8 Level 3 Communications, Inc. 1992-12 LEGACY
      008/8 Level 3 Communications, Inc. 1992-12 LEGACY (two /8's ?)
      009/8 IBM 1992-08 LEGACY
      013/8 Xerox Corporation 1991-09 LEGACY
      015/8 Hewlett-Packard Company 1994-07 LEGACY
      016/8 Digital Equipment Corporation 1994-11 LEGACY
      017/8 Apple Computer Inc. 1992-07 LEGACY
      019/8 Ford Motor Company 1995-05 LEGACY
      034/8 Halliburton Company 1993-03 LEGACY
      044/8 Amateur Radio Digital Communications 1992-07 LEGACY
      045/8 Interop Show Network 1995-01 LEGACY
      047/8 Bell-Northern Research 1991-01 LEGACY
      048/8 Prudential Securities Inc. 1995-05 LEGACY
      052/8 E.I. duPont de Nemours and Co., Inc. 1991-12 LEGACY
      053/8 Cap Debis CCS 1993-10 LEGACY
      054/8 Merck and Co., Inc. 1992-03 LEGACY
      056/8 US Postal Service 1994-06 LEGACY

      Just get rid of the companies that are reserving such huge spaces without having a real reason to do so, other than that they were there to reserve them at the start of the 90's. Also, the US and UK army and defence and other ministries have several /8s, but why really? Other countries do just fine without them too.

    2. Re:Don't say "NAT" by causality · · Score: 3, Insightful

      Can we start the discussion by not immediately going to the "NAT will save us" argument? Just accept that while NAT deployments might put it off, IPv6 deployment is inevitably necessary.

      It's not unreasonable to say that the increasing scarcity of a finite resource might put more pressure on all of us to utilize that resource more efficiently. Replacing the scarce resource (IPv4 with its 2^32 addresses) with one that is overabundant (IPv6 with its 2^128 addresses) is always an option, of course. But migrating to that option and more wisely using our existing resources are not mutually exclusive. So no, I don't recognize as invalid the discussion of NAT as a technique useful for mitigating this issue.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:Don't say "NAT" by growse · · Score: 4, Insightful

      So we go through a huge difficult, expensive process to save us, what? A couple of years? Why bother?

      --
      There is nothing interesting going on at my blog
    4. Re:Don't say "NAT" by swillden · · Score: 5, Informative

      No, not really. There's companies with whole fucking /8 [iana.org] that have no real purpose to own them, but they've just always had them:

      The blocks you listed contain a total of 301,989,888 addresses. At 2009's rate of 203 million addresses per year, returning those blocks would buy us less than 18 months. Big whoop.

      Also, some of those companies actually do make significant use of the addresses they have. For example, I happen to know that IBM uses a good chunk of the 9.0.0.0 space.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Don't say "NAT" by sopssa · · Score: 4, Insightful

      Seeing the state of IPv6 and how many devices still don't support it, I think that's a pretty good idea. That being said, IPv6 support should be fully done in new devices, OS and programs already, because you need to give some time for old devices too so they can still work under IPv4.

      But on another thing, I really doubt we are just a few years away from IPv4 addresses going out of stock. There's still many /8 unallocated to anyone, most ISP's still give their users 5 ip addresses on home lines and from most hosting companies you can buy new ip's for $1-3 per piece. If we will be running out of them, we will first see hosting companies upping their prices and home ISP's limiting how many IP's they give to customers. And that will come far before we're actually out of address space.

    6. Re:Don't say "NAT" by Anonymous Coward · · Score: 2, Informative

      004/8 Level 3 Communications, Inc. 1992-12 LEGACY
      008/8 Level 3 Communications, Inc. 1992-12 LEGACY (two /8's ?)

      That's due to the acquisition of BBN who was the contractor that did a lot of initial ARPANET work. (The original defense contractor role of BBN was later spun back out and is now part of Raytheon but the network assets stayed with Genuity and then later Level 3) They also have the AS number "1", which gives them some severe old-school bragging rights.

      Those assignments really aren't that bad -- they're a major ISP and would have huge chunks of IP space regardless. At least 4/8 is largely delegated to customers (I see 4.x.x.x IP addresses all the time) Not sure how much they've dipped into 8/8.

      As other posters have pointed out, recycling them won't really give us much time. I'm not opposed to it personally, but it's not a fix

    7. Re:Don't say "NAT" by Anonymous Coward · · Score: 2, Interesting

      I happen to know that IBM uses a good chunk of the 9.0.0.0 space.

      For what? Do all their PCs have public IPs?

      Where I work has an entire class B and all of our PCs are public and we're talking now about NAT'ing them all, for security reasons. Once upon a time this would have been a nightmare because all of our devices have static IPs, but now we have a process to easily map in MAC addresses of authorized devices into a DHCP address so they all get their own IP.

      What I'm saying is, once upon a time having to give that class B back would have been a nightmare -- right now, not really. We could probably live with a class C.

      (Posted anon since someone where I work would probably take great exception to this...)

    8. Re:Don't say "NAT" by petermgreen · · Score: 2, Insightful

      we will first see hosting companies upping their prices and home ISP's limiting how many IP's they give to customers. And that will come far before we're actually out of address space.

      That depends on what the IANA and the RIRs do with their policies over the next few years.

      Right now IMO the sane policy for an ISP is to allocate as many IPs to customers as they can get away with, that way they can "justify" getting new IPs from the RIR. When the final squeeze comes with no new IPs available from the RIRs the ISPs can then claw back IPs from less lucrative customers and give them to more lucrative ones.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re:Don't say "NAT" by swillden · · Score: 4, Informative

      I happen to know that IBM uses a good chunk of the 9.0.0.0 space.

      For what? Do all their PCs have public IPs?

      At present, yes. Also their phones. But the employees' PCs are a fraction of IBM's computers. Keep in mind that IBM runs large data centers all over the world.

      Yes, were IBM to go through a very large and expensive network restructuring to move many of the internal networks to NAT, they could probably give a few million addresses back. Maybe as many as 15 million. And at the 2009 rate that would buy us 26 days.

      Where I work has an entire class B and all of our PCs are public and we're talking now about NAT'ing them all, for security reasons.

      That's silly.

      There's no security value to NAT. NAT does provide a stateful firewall that disallows inbound connections, but you can do that just as well without NAT, and with a great deal more flexibility.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Don't say "NAT" by Hatta · · Score: 4, Insightful

      It'll be easier to give everyone a block of ipv6 addresses than it will be to take away legacy ipv4 allocations.

      --
      Give me Classic Slashdot or give me death!
    11. Re:Don't say "NAT" by gmuslera · · Score: 2, Interesting

      Inertia could make your car crash even if you started to turn when saw the danger. A few meters more could be the difference between your life or death.

    12. Re:Don't say "NAT" by RalphSleigh · · Score: 2, Informative

      Google run their public DNS on 8.8.8.8 and 8.8.4.4, so they are being used; this is probably because Level 3 provide Google with multicast on these addresses.

      --
      Come as you are, do what you must, be who you will.
    13. Re:Don't say "NAT" by Jonner · · Score: 5, Informative

      There's no security value to NAT. NAT does provide a stateful firewall that disallows inbound connections, but you can do that just as well without NAT, and with a great deal more flexibility.

      Thank you for pointing that out. So many people seem to think NAT is a security tool. I think it's because just about any router capable of NAT also has a stateful firewall (since NAT requires tracking of connections) and many people don't understand the distinction.

    14. Re:Don't say "NAT" by Jeremi · · Score: 4, Insightful

      There is no scarcity of the "resource" to begin with, only design flaws

      The scarcity may be caused by design flaws, but that doesn't mean the scarcity doesn't exist.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    15. Re:Don't say "NAT" by mysidia · · Score: 3, Informative

      the ISPs can then claw back IPs from less lucrative customers and give them to more lucrative ones.

      There's a term for that, it's called: Fraud. And I hope ARIN counts on that it will happen. I'm sure policies are already being considered as we speak, to provide for auditing of ISPs to validate compliance with the Registry Services agreements the ISPs signed.

      It's a violation of the ARIN agreement ISPs have to sign, to give a customer more IP addresses than they have justified need for, just because you want to get a bigger PA allocation.

      Allocations are provided to ISPs for re-assigning. Once re-assigned, the IPs belong to the end user, for use with services provided by the ISP.

      The netblock belongs to the end user, as long as they keep services with the ISP, ARIN does not require them to return the addresses.

      If the ISP retained the right to take back the IPs, then they violated the RSA by not properly recording the reassignment of the addresses, eg they never actually assigned them...

    16. Re:Don't say "NAT" by Trolan · · Score: 4, Informative

      Repurposing the D and E spaces won't fly. The D space is used. Think of the hell entailed if 224.0.0.5 and 224.0.0.6 get routed. Bye bye OSPF. Plus you'd have to recode every OS and firmware that understands those as multicast addresses to treat them as unicast. That's not even discussing what might be coded in for the E space in random OSes and firmwares. And after all that work, it'd buy us maybe two more years. Just go v6, it's already in the OSes, and would be in the firmwares if the end-user ISPs would just push the CPE manufacturers a little bit.

    17. Re:Don't say "NAT" by tagno25 · · Score: 2, Informative

      If I were ARIN, I would start making v4 addresses and v6 addresses cheap.

      To an ISP it is actually FREE to get IPv6 Addresses initially, and then there is a waiver until 2012.

      Fee Schedule

      IPv6 Initial Allocation and IPv6 Assignment
      ARIN charges a fee for the initial IPv6 allocation from ARIN to an ISP. This fee is currently waived for IPv4 subscribers. For organizations that aren't IPv4 subscribers, the fee is lowered by current fee waivers.

      ARIN charges a fee for an IPv6 assignment (whether initial or additional) to an end-user. There are currently no fee waivers for IPv6 assignments.

    18. Re:Don't say "NAT" by rantingkitten · · Score: 3, Insightful

      There's no security value to NAT. NAT does provide a stateful firewall that disallows inbound connections, but you can do that just as well without NAT, and with a great deal more flexibility.

      You can. I can. Aunt Myrtle can't. I for one am glad that most home users are behind NAT these days. It's better than nothing. Unfortunately, it does tend to cause issues with SIP, which is my industry, but I've learned to live with that.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    19. Re:Don't say "NAT" by mcrbids · · Score: 4, Insightful

      Let's say that you get all these companies to give up ALL their addresses. You've postponed the problem by about 18 months! Whoopee!

      The thing is, technology tends to grow logarithmically, which is why we have things like Benford's Law. The problem shouldn't be being solved now, while we're at the 90% level, the problem should have been solved long ago, back when we were at about the 10-20% level, because the actual halfway mark as a function of time is somewhere near 20-25% completion!

      That IPV6 has been bungled so bad is a consequence of the Second System effect and perhaps a bit of design by committee.

      In any event, IPV6 fails to solve a couple of fundamental problems:

      1) Piss poor backwards compatibility. This was even acknowledged publicly in a recent news article. It's not only not poorly backwards compatible, it just basically ISN'T backwards compatible. Want to talk to an IPV4-only resource from your IPV6-only address? You basically have to have some fancy trickery with NAT and DNS in order to do this - it isn't straightforward, and it requires coordination with the IPV4 resource. And the reverse is even worse!

      2) Un-necessary complexity in implementation. Partly as a result of #1, implementing IPV6 will be costly, and will require expensive "transition tools" in order to work smoothly. But it's not just because of lack of backwards compatibility - issues such as strange hardware requirements (what... no MAC address?) and the like make the cost of implementing high. Sure, it's not that expensive per device, but multiply that by the entire Internet, and the problem becomes a bit more clear.

      3) No net positive for implementing! You don't get "more" for implementing, you get "less". Some stuff that used to work won't, and other stuff that you need to work just isn't there. Sure, Yahoo and Google support IPV6, which is great for the 50 or so people who are on it. But, if anybody cares, it's on IPV4.

      4) Tragedy of the Commons: The address shortages don't affect anybody who's already on the 'net. I have an IP address or two already. I don't care if *you* run out, I only care if *I* run out. So, I really don't much care about you so long as I get mine. That's called the "tragedy of the commons" - a common resource is exploited as quickly as possible by people who are motivated to get theirs before anybody else gets it, resulting in a destroyed public resource.

      IPV6 sucks. The engineers had their chance, and they blew it. Now it's too late to change it because we don't have another 5 years to committee another solution, and there is already a significant amount of inertia from those poor souls who have already implemented it! (at great cost)

      This is NOT going to end well.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    20. Re:Don't say "NAT" by demonlapin · · Score: 4, Insightful

      You can. I can. Aunt Myrtle can't.

      And - let's face it - neither can most of /.'s users. I remember setting up an OpenBSD firewall back in the late 90s, and I did most of my firewall rules configuration by copying someone else's rules. I tweaked them for my specific needs, but there's no way I'd have come up with them on my own. Unless you are a real network admin, you are unlikely to be able to set this up properly.

    21. Re:Don't say "NAT" by mysidia · · Score: 4, Informative

      That's already been thought of. As an ISP, you don't get to just make up whatever rules you want to determine how many IPs you can assign, beyond a certain point, you have to apply RFC 2050, per the name resource policies:

      Because it is.

      In actuality, need is defined as the minimum number of IP addresses that will be required within a certain period of time in the future, according to Network Engineering plans that get submitted to ISPs (LIRs and RIRs) in order to apply for IPs; efficient utilization means utilizing 80% of the IPs to address internet hosts. IPs that will be required in the near future are needed and part of the justification.

      Currently 25% immediate utilization is required after 6 months, 50% required after 1 year.

      All existing IP allocations must be 80% utilized.

      ARIN NRPM, 4.2.3.1. Efficient utilization ISPs are required to apply a utilization efficiency criterion in providing address space to their customers.

      ARIN NRPM, 4.2.3.6 Reassignment to multihomed downstream customers: Under normal circumstances an ISP is required to determine the prefix size of their reassignment to a downstream customer according to the guidelines set forth in RFC 2050.
      Specifically, a downstream customer justifies their reassignment by demonstrating they have an immediate requirement for 25% of the IP addresses being assigned, and that they have a plan to utilize 50% of their assignment within one year of its receipt.

      4.2.3.3. Contiguous blocks: if a customer moves to another service provider or otherwise terminates a contract with an ISP, it is recommended that the customer return the network addresses to the ISP and renumber into the new provider's address space. The original ISP should allow sufficient time for the renumbering process to be completed before requiring the address space to be returned.

      RFC 2050.

    22. Re:Don't say "NAT" by Yaztromo · · Score: 5, Informative

      Why have a legal battle? Just let the current holders auction off sub-blocks.

      You're assuming that the holders of these /8's have been using some sane way in which to assign the IPs within their blocks such that large, contiguous regions are still readily available that make the unused addresses readily routable. Which, from my experience, they don't. And as the Internet would become nearly unroutable if millions of /31's and /32's suddenly appeared, the only way you could make this work is by having each and every one of those organizations effectively defragment their address use to make large, routable blocks that could be reassigned (e.g., /24s or /16s) -- and for organizations of the size that we're discussing, the cost of that is going to be way more than they'll be able to charge for those address blocks, and they aren't going to do it, fight or no fight.

      You can't take an entity the size of (for example) IBM and have them compress their address use into a /12 to free up 240 new /24's without it being a very significant cost in terms of effort and downtime -- particularly when they have absolutely no incentive to do so. Nobody in their right mind would spend the necessary amount of money to make it worth their time and effort, when they can get millions of addresses in IPv6 for next to nothing.

      Yaz.
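
The fragmentation argument in the comment above can be checked with a short calculation. This is an added example, not part of the original comment; the 10.0.0.0/16 block, both address layouts and the /24 announcement limit are constructed assumptions, scaled down from a /8.

```python
import ipaddress


def cover(lo, hi):
    """CIDR prefixes that exactly cover the integer address range lo..hi."""
    return ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))


def free_prefixes(block, used):
    """Minimal CIDR cover of every address in `block` that is not in `used`."""
    net = ipaddress.ip_network(block)
    first, last = int(net.network_address), int(net.broadcast_address)
    taken = sorted({int(ipaddress.IPv4Address(a)) for a in used})
    free, cursor = [], first
    for addr in taken:
        if not first <= addr <= last:
            continue                    # ignore addresses outside the block
        if addr > cursor:               # a run of free space ends before addr
            free.extend(cover(cursor, addr - 1))
        cursor = addr + 1
    if cursor <= last:                  # free space after the last used address
        free.extend(cover(cursor, last))
    return free


def routable_summary(free, longest=24):
    """Split free space into prefixes short enough to announce and the rest.

    `longest` is an assumption: the longest prefix other networks will accept.
    """
    usable = [p for p in free if p.prefixlen <= longest]
    return {
        "free_addresses": sum(p.num_addresses for p in free),
        "free_prefixes": len(free),
        "announceable_prefixes": len(usable),
        "announceable_addresses": sum(p.num_addresses for p in usable),
    }


# Constructed layouts: the same 256 addresses in use inside one /16.
BLOCK = "10.0.0.0/16"
PACKED = [f"10.0.0.{i}" for i in range(256)]         # all in the first /24
SCATTERED = [f"10.0.{i}.128" for i in range(256)]    # one in every /24

if __name__ == "__main__":
    for name, layout in (("packed", PACKED), ("scattered", SCATTERED)):
        print(name, routable_summary(free_prefixes(BLOCK, layout)))
```

Both layouts leave 65,280 addresses free, but the scattered one leaves no free prefix of /24 or shorter, so none of that space can be handed to another network without renumbering first.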

    23. Re:Don't say "NAT" by Z00L00K · · Score: 4, Informative

      I'm still waiting for ISP:s to offer IPv6.

      As soon as the ISP:s start to offer IPv6 it will be easier in general to use and develop for IPv6

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    24. Re:Don't say "NAT" by Anonymous Coward · · Score: 3, Insightful

      I'm sorry, your post is off on a number of points. Let me clarify things for you.

      The problem shouldn't be being solved now, while we're at the 90% level, the problem should have been solved long ago, back when we were at about the 10-20% level, because the actual halfway mark as a function of time is somewhere near 20-25% completion!

      The IPv6 specs were drafted in 1994 and mostly finalized in 1998. That 95% of the world still is on IPv4 is not due to the IETF's tardiness.

      1) Piss poor backwards compatibility. This was even acknowledged publicly in a recent news article.

      Yes, in hindsight, more backwards compatibility would have been nice. It might have made the switchover period less painful and would have avoided the Game-theory deadlock that has withheld IPv6 adoption.

      It's not only not poorly backwards compatible, it just basically ISN'T backwards compatible. Want to talk to an IPV4-only resource from your IPV6-only address? You basically have to have some fancy trickery with NAT and DNS in order to do this - it isn't straightforward, and it requires coordination with the IPV4 resource. And the reverse is even worse!

      Why do you bring up IPv6-only addresses? They don't (yet) exist, and the situation you're describing is supposed to be painful: IPv6 was designed to not be backwards compatible. Such compatibility would introduce so much legacy/deprecated items in a new standard, that they opted to forego that option completely. The alternative for BC was also drafted at the same time: dual-stack operation. The only reason that your scenario may become real is because of the industry's laziness. So if you have a problem with IPv6, take it up with your ISP who should have been offering IPv6 addresses for years. It's sad that the first major OS release to support the IPv6 stack was Windows Vista, even though the first working implementation dates from 1998 (KAME project). It's even sadder that up to this date, there are no end-consumer (NAT) routers that support IPv6 - well apart from the OpenWRT router I have running here.

      2) Un-necessary complexity in implementation.

      Where is the complexity, and which parts are unnecessary from your point of view?

      Partly as a result of #1, implementing IPV6 will be costly, and will require expensive "transition tools" in order to work smoothly. But it's not just because of lack of backwards compatibility - issues such as strange hardware requirements (what... no MAC address?)

      wha... what? MAC addresses are layer 2 addresses, and have nothing to do with IPv6, which is a layer 3 protocol. And besides, the MAC address is part of the autoconfigured IPv6 address...

      and the like make the cost of implementing high. Sure, it's not that expensive per device, but multiply that by the entire Internet, and the problem becomes a bit more clear.

      Which is why we could have had a ten-year transition period already...

      3) No net positive for implementing! You don't get "more" for implementing, you get "less". Some stuff that used to work won't, and other stuff that you need to work just isn't there. Sure, Yahoo and Google support IPV6, which is great for the 50 or so people who are on it. But, if anybody cares, it's on IPV4.

      Again the magic words: dual-stack operation. And about the net positives: no more fiddling with port-forwarding to get your online games to work, no more insecure UPnP implementations, automatic router discovery, automatic address discovery, full protocol support for IPSEC (instead of the tacked-on IPv4 version); no more portscan sweeps, ISPs can't limit the amount of addresses you use, to name just a few.

      4) Tragedy of the Commons: The address shortages don't affect any

    25. Re:Don't say "NAT" by TheRaven64 · · Score: 2, Informative

      IPv6 is considered to be a broken ill-designed protocol that screws up more than it fixes.

      If this were wikipedia, that would be tagged with 'weasel words' and 'citation needed'. As it's Slashdot, can you point to someone who actually argues this rationally?

      Its basically unusable with mobile networks (WiMax, WiFi, etc).

      Absolute nonsense. Mobile IPv6 uses the fact that IPv6 requires IPSec support to allow the routing tables to be updated dynamically by the device (once you've been assigned an IP address, you can push routing table updates for that IP when you hop to a different network) which eliminates the triangle routing that Mobile IPv4 needs.

      It significantly increases the cost of routers, switches, etc--the exceptions being those hardware that treat IPv6 in the slow-path. i.e., by trapping to the control CPU.

      Again, nonsense. The sparse nature of IPv6 allocation means that you need to inspect fewer bits in each packet to route it than with IPv4. Mobile IPv6 is an exception to this in some cases, but only if a host has moved a long way away from where it started without dropping connections (e.g. if you move from China to the UK overland keeping connections active).

      --
      I am TheRaven on Soylent News
  2. No, that's propaganda by Anonymous Coward · · Score: 5, Funny

    We'll never run out of IPv4 addresses. "Peak-IPv4" is a myth created by those who hate America and want Asia's IPv6 to take over. 4 octets forever!

    1. Re:No, that's propaganda by Zocalo · · Score: 5, Insightful
      I know you are joking, but there is a very good reason why Asia is so keen on IPv6 adoption; they are going to feel the crunch first and they know it. IANA has in place an agreement that as soon as one of the RIRs is assigned one of the five final /8s each of the other four RIRs receives one of the remaining /8s and IANA washes their hands of the whole mess. That's without a doubt the most critical milestone along the path to IPv4 exhaustion, so let's look at that instant from the point of each of the RIRs:
      • AfriNIC: Incredibly slow burn rate. They're probably still good for another decade or two at this point.
      • APNIC: Includes China and India, two of the fastest developing nations on the planet with correspondingly high IPv4 assignment requests. There's no two ways about it; without wholesale IPv6 adoption, they're going to be the ones running out first.
      • ARIN: Capitalists to the end, they are on record as saying IPv4 exhaustion is not their problem to solve; it's first come first served and when they are all gone that's it. Even so, there are plenty of US institutions with /8s that could mostly be handed back and reassigned if push came to shove.
      • LACNIC: Not quite as low as AfriNIC due to developing countries like Brazil, but are still able to sit back and let any problems with IPv6 get resolved before they make the leap.
      • RIPE: Have already got the strictest IP assignment policies of the RIRs and will probably just continue to tighten the screw right up until the point of exhaustion; LIR assignment windows are typically about one quarter of what they would have been five years ago. It's a pretty fair bet that APNIC and ARIN will both beat them to the wall.
      --
      UNIX? They're not even circumcised! Savages!
    2. Re:No, that's propaganda by Nocterro · · Score: 2, Funny

      IANA has in place an agreement

      Is anyone else's brain tripping on this as badly as mine? I Am Not A "Has in place an agreement"? What the hell is a "has in place an agreement", and why would your lack of being one make you unqualified?

      Stupid memes, acronyms.

      --
      [clever sig]
  3. ::1 by sakdoctor · · Score: 4, Funny

    I've already got MY ipv6 address.

    1. Re:::1 by furball · · Score: 4, Funny

      You can't reach loopback?

  4. Let me be the first to say ... by GNUALMAFUERTE · · Score: 5, Funny

    4 octets should be enough for everyone.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  5. I'll believe it when I see it by haus · · Score: 2, Interesting

    It has not yet become a big enough of a problem for the large sections of unused address by universities such as MIT and Harvard to be recalled.

    1. Re:I'll believe it when I see it by swillden · · Score: 2, Informative

      It has not yet become a big enough of a problem for the large sections of unused address by universities such as MIT and Harvard to be recalled.

      At over 200 million new addresses needed per year, returning all of those class As wouldn't buy more than 2-3 years.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:I'll believe it when I see it by fm6 · · Score: 4, Interesting

      Do you think the current owners are hanging onto their address spaces out of pure spite? If they rely on the Internet to do business, this crisis hurts them more than anybody.

      This mess happened because of the simplistic addressing schemes that were implemented without taking into account the explosive growth of the Internet. One result is that some early adopters ended up with Class A networks (16 million addresses) because they needed more than the 64 thousand addresses in a Class B network. Only one Class A space belongs to a university (MIT). (There used to be two, but Stanford gave its IP space back.) Other owners include Halliburton, Apple, IBM, and Xerox PARC. HP has two, counting the one that was originally issued to DEC. DoD has eight.

      Reassigning all these addresses would be a logistical nightmare, because you're changing the basic logic of network routing. Imagine all the routers that would have to be reprogrammed or replaced, and the expensive down time that would result. Much more cost effective to just go to IPv6 already. Plus there are other features of IPv6 we really, really need.

      Except that nobody's doing it. I used to work at Sun, where I kept suggesting that our embedded lights-out management system (all Sun servers have them) start supporting IPv6. The answer I always got was, "customers aren't asking for it." Which means that everybody is putting off this problem until the last minute. As usual.

  6. Re:How many more times are we going to run out? by Burdell · · Score: 5, Insightful

    RTFS and do the math. 203 million addresses were allocated in 2009; a /8 is 16.7 million addresses; reclaiming a /8 (which would probably take a lot of time and effort, possibly in court) would put off the IPv4 depletion by about one month. It isn't worth the effort; better to put it into IPv6.

  7. Bono should be pleased... by fuzzyfuzzyfungus · · Score: 4, Funny

    Anybody not paying for a business line will be going through so many layers of NAT in the near future that getting bittorrent to work will be quite difficult...

    1. Re:Bono should be pleased... by klapaucjusz · · Score: 3, Informative

      BitTorrent is already running over IPv6. Anyone running Torrent on a recent enough version of Windows automatically uses IPv6 to cross NAT boxes using a technology known as Teredo.

      The Free Software world is late with IPv6 adoption. In the words of one of the Torrent developers (Greg), "platforms which are not Windows [...] need to get their collective Teredo asses in gear."

    2. Re:Bono should be pleased... by klapaucjusz · · Score: 2, Informative

      That should read "muTorrent", both times. The Greek letter didn't get through, for some reason.

  8. Re:Ah but...! by hedwards · · Score: 4, Funny

    Ha ha, I'm pwning it as we spe

  9. Re:How many more times are we going to run out? by sopssa · · Score: 2, Funny

    As long as they don't take away 69.69.69.69 from its owner:

    $ host 69.69.69.69
    69.69.69.69.in-addr.arpa domain name pointer the-coolest-ip-on-the-net.com.

  10. No real scarcity yet by bizitch · · Score: 5, Interesting

    I just helped out a friend who lives in a remote rural section outside of Chicago. I tried for years and years to get her lit up on decent broadband service.

    Finally, we got a relay from a WiMAX provider --

    When I went to connect her broadband with a Cisco router - I discovered that she was assigned a FRIGGIN /27 of public numbers!! (i.e. she now personally burns 32 useful IPV4's)

    I was gonna call their support ... but why bother?

    You never know if she's gonna need 30+ public ip numbers right? Just because she lives alone - she may get many friends real soon!

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
    1. Re:No real scarcity yet by wagnerrp · · Score: 2, Interesting

      NAT is not a security tool, has never been a security tool, and was never intended to ever be used as a security tool. It does no more good than a basic 'block all inbound' firewall, and only serves to limit and complicate every application you wish to use.

      If I want to run multiple computers accessible over SSH or VNC, I have to run them on separate ports. If I want to run multiple web servers, I again have to run on different ports, or otherwise proxy them all through a single external server. SIP and other protocols that embed the address in the protocol are outright broken by NAT. Like XanC said, it is a necessary evil that should be dumped with extreme prejudice.

  11. Great... now do I switch? by Anonymous Coward · · Score: 5, Interesting

    I live in one of the most tech-focused parts of the country (downtown San Francisco) and as far as I can tell there's no way for a normal consumer to order native (i.e. not tunneled) IPv6 here.

    When I moved to my current apartment in 2004 I specifically went with Speakeasy because they were talking about rolling out IPv6 to customers. Over 5 years later, those plans are still stalled as far as I can tell. None of the other providers seem to be even making a peep about it. If I'm wrong, someone please correct me - I'd love to switch to an IPv6-capable provider.

    I've pretty much concluded that IPv6 just isn't going to happen -- instead providers will just force all of us normal people into shared IP addresses. From a technical perspective this isn't hard to do: just move the software that's currently running in your home NAT router onto the DSLAM and only provide a NATed view. For the ISPs there's no downside to this since not only can they avoid rolling out IPv6, it means they have complete control of your network connection.

    I bet in 10 years we still won't have IPv6 in our homes, and the idea of having your own IP address (even a dynamically allocated one) will just be a memory. It's a shame.

    1. Re:Great... now do I switch? by swillden · · Score: 2, Informative

      None of the other providers seem to be even making a peep about it.

      Comcast is planning to start deploying residential IPv6 this year. They haven't said how long it will take for a full rollout to all of their customers, but if they do get there, that will be a significant chunk of the US residential market that has native IPv6.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. On the other hand... by 192939495969798999 · · Score: 2

    ... we won't run out, because more and more of the addresses in use will also become available, and as ipv6 uptake accelerates, ipv4 uptake will dramatically decelerate, and it will stop just shy of actually running out.

    --
    stuff |
  13. Pre-emptive strike by fbjon · · Score: 5, Insightful

    "IPv6 addresses are too long and complicated to type"

    ...is like saying solar panels are too hard to build when you run out of slave labor in hamster wheels.

    "We don't need IPv6 since there is NAT"

    ...is like saying we don't need new energy solutions because beeswax candles are a tried and trusted technology.

    "The Internet will be overrun by zombies when NATs no longer protect us."

    ...is like saying avoiding antibacterial soap will cause untold misery and disease.

    "Just re-allocate some of the wasted space in Class A nets."

    ...is like saying overcrowding of the planet can be mitigated by decreasing the size of houses.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    1. Re:Pre-emptive strike by Athanasius · · Score: 2, Insightful

      "...is like saying avoiding antibacterial soap will cause untold misery and disease."

      Well, actually, it has some potential to be a problem, if not used correctly:

      http://news.bbc.co.uk/1/hi/health/8427399.stm

    2. Re:Pre-emptive strike by fbjon · · Score: 3, Insightful

      Precisely, NAT is part of the problem.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    3. Re:Pre-emptive strike by Midnight+Thunder · · Score: 2, Insightful

      Hoarding of scarce v4's undeniably aggravates the shortage almost by definition.

      And asking said entities to return unused blocks is like asking the government to return unused tax money. In other words: good luck with that.

      --
      Jumpstart the tartan drive.
  14. Only a Few More Years' Worth of IPv4 Addresses... by jimpop · · Score: 2, Insightful

    Only a Few More Years' Worth of IPv4 Addresses

    They (vested interest groups) have been saying that for a decade now.... guess what, we haven't run out yet.

  15. Now if IPv6 could get fixed... by Junta · · Score: 5, Interesting

    There are so many ways IPv6 remains broken and too many of the people with influence can tend to say 'working as designed'.

    I know that's controversial, so I'll enumerate my pain points:
    -DHCPv6 DUID is a pain to 'pre-provision'. When any operating system or firmware instance dhcpv6 for the first time, it sends out something that you'll never know what it would be ahead of time. In 99% of cases, the DUID is a generated value at 'OS Install time' that is used only for that specific OS, and a reinstall or livecd boot will change it out completely. stateless boot, multi-boot systems and multi-stage booting (i.e. pxe -> os) cannot hold together a coherent identity because DHCPv6 is explicitly designed not to do that. Binding by MAC is considered 'evil', but it has been the strategy used for ages. I wouldn't mind so much if DUID was commonly implemented as a value retrieved from motherboard firmware tables, but no one is stepping up to drive that behavior in a spec visible to all parties.

    No PXE/bootp boot. I believe they are trying to reinvent, from scratch the boot design from IPv4, and are nearing completion. I fear the extent to which the baby has been tossed out with the bathwater (i.e. 'root-path' was dropped and no one has pulled it into dhcpv6).

    Some standards are missing the capability to operate in IPv6. I.e. IPMI has some IPv4 specific portions of the standard without IPv6 capable equivalents.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Now if IPv6 could get fixed... by swillden · · Score: 3, Interesting

      Why use DHCPv6? I much prefer stateless autoconfiguration. I was amazed at how well it works. The first time I fired up the radvd daemon on my home gateway (which is using a tunnel broker service to get v6), I was amazed at how every device on the LAN instantly had v6 access, with no action whatsoever on my part.

      I don't have any comment on PXE/bootp. Haven't looked into that in the v6 world. It seems like v6 should make that trivial, though. Just pick a standard reserved local suffix to hold the boot service. The booting device should wait for a router advertisement to find out what network it's on, append the standard suffix and open a connection to get boot code. Done. That's just off the top of my head, of course.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  16. Re:Every two years? Hah. More like twice a year by Bigjeff5 · · Score: 4, Funny

    No no, after December 21, 2012 all the addresses will be available!!

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  17. one address per two world citizens by wwwillem · · Score: 3, Informative

    Agreed, look at it another way: 2**32 is four billion addresses, which is one address per two world citizens. OK, I could share that IP with my wife, but given the number of devices in between us, that won't really work. Now I know, that places like Africa currently don't follow the pattern of "personal" computers, but how long will that last.

    More realistically, given that my phone, web-server, car, camera, email, GPS unit, home security system, etc. all should have their own IP address, we need at least 20x what a 32 bit address space can provide. And then you've to add the 'wasted space' so that we can allocate blocks of addresses in a logical fashion.

    So yes, IPv6 is the only way to go, if you like it or not. Couple of /8 blocks or NAT won't help us.

    --
    Browsers shouldn't have a back button!! It's all about going forward...
  18. Re:On Which Planet? by mini+me · · Score: 2, Informative

    An improperly configured NAT gateway may also allow outsiders access to the internal, private network. Improperly configured network devices are always a security risk. NAT does not help here.

    Your JetDirect card would presumably be behind a firewall, so even with a public IP, it would not be accessible to those on the general internet.

  19. Re:On Which Planet? by swillden · · Score: 4, Insightful

    Of course there is - it allows all manner of insecure and misconfigured gear to avoid being probed from the other side of the planet?

    That's not an advantage of NAT. That's an advantage of a stateful firewall that disallows inbound connections. NAT is not required to get the same benefit.

    All of the machines in my home have public IPv6 addresses, but I have a firewall that blocks inbound connections to all of them. Same security result. No address translation.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
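The point made in the comment above, that the inbound protection comes from connection state rather than from address translation, shown as an added example (not part of the original thread). It is a simplified model of a stateful filter, not a real firewall: the names `fw_outbound`, `fw_inbound` and `mkpkt` are hypothetical, the addresses are constructed documentation-range values, and real connection tracking also follows TCP state and timeouts.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One packet of a TCP flow. Addresses are public and never rewritten. */
struct pkt {
    struct in6_addr src, dst;
    uint16_t sport, dport;
};

#define MAX_FLOWS 128
static struct pkt flows[MAX_FLOWS];  /* flows opened from the LAN side */
static int nflows;

void fw_reset(void) { nflows = 0; }

/* Build a packet from text addresses (helper for the constructed samples). */
struct pkt mkpkt(const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    inet_pton(AF_INET6, src, &p.src);
    inet_pton(AF_INET6, dst, &p.dst);
    p.sport = sport;
    p.dport = dport;
    return p;
}

/* Index of the tracked flow with exactly this 4-tuple, or -1. */
static int find(const struct in6_addr *src, uint16_t sport,
                const struct in6_addr *dst, uint16_t dport)
{
    for (int i = 0; i < nflows; i++)
        if (flows[i].sport == sport && flows[i].dport == dport &&
            memcmp(&flows[i].src, src, sizeof *src) == 0 &&
            memcmp(&flows[i].dst, dst, sizeof *dst) == 0)
            return i;
    return -1;
}

/* LAN -> Internet: accept and remember. Returns 0 (drop) if the table is full. */
int fw_outbound(const struct pkt *p)
{
    if (find(&p->src, p->sport, &p->dst, p->dport) >= 0) return 1;
    if (nflows == MAX_FLOWS) return 0;
    flows[nflows++] = *p;
    return 1;
}

/* Internet -> LAN: accept only the mirror image of a remembered flow. */
int fw_inbound(const struct pkt *p)
{
    return find(&p->dst, p->dport, &p->src, p->sport) >= 0;
}

int main(void)
{
    struct pkt out = mkpkt("2001:db8:1::10", 50000, "2001:db8:ffff::80", 443);
    struct pkt probe = mkpkt("2001:db8:bad::1", 40000, "2001:db8:1::10", 22);
    fw_outbound(&out);
    printf("unsolicited probe accepted: %d\n", fw_inbound(&probe));
}
```

The LAN host keeps its own global address throughout; the only thing deciding whether an inbound packet passes is whether the flow table holds its mirror image.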
  20. idea: switch to alphanumeric by Ralph+Spoilsport · · Score: 4, Funny
    So, an address might look like:

    1h2.tyj.56j.0as

    I think that would solve the problem permanently.

    --
    Shoes for Industry. Shoes for the Dead.
  21. The real answer... by John+Hasler · · Score: 2, Funny

    ...is to go back to UUCP bang addresses. Pathalias can handle routing.
    --
    ihnp4!stolaf!bungia!foundln!john

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  22. Re:Demand IPv6 and it will come by JSBiff · · Score: 3, Informative

    Or you could get a router which supports IPv6 *today* and use 6to4 to use a single public v4 address to address multiple IPv6 hosts on your network, and to talk to other IPv6 capable hosts. If you want a router that's ready out of the box, my understanding is that Apple's Airport routers support IPv6. If you don't mind a little bit of tinkering, you can get a router which is compatible with a third-party firmware replacement (such as OpenWRT), load OpenWRT on it, and use IPv6 (I just got a Linksys WRT54GL for $70 at Microcenter - it's a bit more expensive than some of the other 802.11g routers, but still not too bad - and I'm going to flash it sometime in the next week or two, as I get time).

  23. Re:On Which Planet? by bill_mcgonigle · · Score: 2, Insightful

    An improperly configured NAT gateway may also allow outsiders access to the internal, private network.

    I can't think of any that are this way by default.

    Improperly configured network devices are always a security risk. NAT does not help here.

    Sure it does, they're not reachable from the Internet. How is that not helpful?

    Your JetDirect card would presumably be behind a firewall, so even with a public IP, it would not be accessible to those on the general internet.

    Yes, mine would be, but most people don't properly secure their networks. NAT buys them some security despite their misconfiguration.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  24. Re:On Which Planet? by phtpht · · Score: 2, Insightful

    That's great - your network is properly configured. Most aren't.

    NAT isn't required, it just makes up for poor administration.

    Bah. You just gotta love that attitude. Actually the most plain view of the NAT security is not the inbound firewall but the presumably unroutable private block that's behind it. "We can't do our work properly so we stick our gear where they can't attack it. After all, our network has private addresses so the evil asian guys can't get to it. Right? RIGHT?" Wrong.

    Wrong in oh so many ways.

    First off, private addresses are NOT unroutable, they just happen to be dropped on their way through your ISP (if they do their job properly). Just try a traceroute to a private address and see how far the trace gets. (And try it from a public traceroute server ;) Try putting a server on the other side of your beloved NAT and you might just discover that you can ping into your private network.

    Second, even if this works as advertised it does not pose any great advantage over a stateful firewall. To the contrary, NAT not only tends to fuck up many L4 protocols, but also introduces a complexity in address rewriting and therefore might introduce a whole bunch of security issues on its own.

    The third problem is the NAT admin's typical mentality. People tend to satisfy themselves with such a global protection shield (tm) and neglect going into the detail of securing their private network properly. "LAN hosts" are often left with their own firewall off, with simple or even default admin passwords, a lot of non-pc appliances (printers, phones) left to their own fate etc. That just makes a perfect base for the all-or-nothing principle, which goes so against any security reasoning. Such an admin will then be horrified by the mere thought of having IPv6, since that would put all of his naked boxes right on the evil Internet without the condom of NAT, OMG!

    Finally AND MOST IMPORTANTLY please ask yourself how much of the total security is provided by blocking inbound traffic. Most client boxes run absolutely no services (maybe ssh), even windows can have a great deal of its server capability disabled. Further, service exploits were the music of the early 2000's, by now almost all of the services can withstand direct exposure to the Internet (with the exception of silly newcomers). The real security threat comes from outbound connections, people going to nasty sites, or people going to legit sites (banks) with silly passwords, flipped staff, and so on and so on. The vast majority of compromised zombie machines is on broadband, which means a router with NAT or "stateful firewall".

  25. Criticising is easy. by anti-NAT · · Score: 2, Insightful

    Helping solve the problem is much harder.

    Are you part of the problem, or part of the solution? If all you're willing to do is criticise, then I think you're part of the problem.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  26. alphanumeric means errors by freaker_TuC · · Score: 2, Informative

    Why recreate the wheel if they already got ipv6 for that?

    By using that approach of alphanumeric [a-z] you'll also get a lot more errors in spelling, O & 0, I & 1, ..
    HEX solves that entirely by only allowing [0-F].

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  27. Re:So, how many applications break? by tftp · · Score: 2, Interesting

    The number of applications that make this assumption is not small, but it is not unmanageable.

    I would say that IPv4-only apps are majority:

    #include <netinet/in.h>

    struct sockaddr_in {
        short sin_family; // e.g. AF_INET
        unsigned short sin_port; // e.g. htons(3490)
        struct in_addr sin_addr; // see struct in_addr, below
        char sin_zero[8]; // zero this if you want to
    };

    struct in_addr {
        unsigned long s_addr; // load with inet_aton()
    };

    You need to hack the source to use in6_addr and sockaddr_in6 wherever appropriate, and change the code that processes them (such as inputs addresses, compares them, works with netmasks, etc.) I'm sure most coders never even thought of adding IPv6 support to their specialized, made to order applications. They weren't paid to add features that nobody asked for, and they never even had an IPv6 network to test the code on. In my career I had only one (1) customer specifically asking to support IPv6 - and he paid for it, and he got it. Everyone else got IPv4 only - as a business we had to be lean.

    This is a lot of work, both coding and testing, and you will never see it done to a legacy software as a free patch. Software is sometimes very expensive - tens of thousands of dollars per seat. There is zero chance that this investment will be just scrapped, and you'd have to do that if your PADS Layout or SolidWorks or, $deity forbid, CST can't talk to its license server. The latest releases may, of course, fix all that, but they are never free. And the worst news is that some of *your* production software, like your beloved OrCad 10.3, is not supported any more, and you can't upgrade to the latest OrCad, jumping over six revisions, because it will break millions of things in your business process (or your bank.)
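The kind of change the comment above describes (input, netmask handling and socket setup that no longer assume a 32-bit address), as an added example that is not part of the original comment. The type `struct ipaddr` and the `ip_*` functions are hypothetical names; `inet_pton`, `sockaddr_storage`, `sockaddr_in` and `sockaddr_in6` are the standard sockets API, and the addresses are constructed documentation-range values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Family-tagged address: replaces a bare struct in_addr or 32-bit integer. */
struct ipaddr {
    int family;               /* AF_INET or AF_INET6 */
    unsigned char bytes[16];  /* network byte order; first 4 or all 16 used */
};

static int addr_len(int family) { return family == AF_INET ? 4 : 16; }

/* Parse dotted-quad or IPv6 text. Returns 0 on success, -1 on bad input. */
int ip_parse(const char *text, struct ipaddr *out)
{
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, out->bytes) == 1) { out->family = AF_INET; return 0; }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) { out->family = AF_INET6; return 0; }
    return -1;
}

/* Prefix match (replaces addr & netmask == network): 1 in, 0 out, -1 bad length. */
int ip_in_prefix(const struct ipaddr *a, const struct ipaddr *net, int prefix_len)
{
    if (a->family != net->family) return 0;
    if (prefix_len < 0 || prefix_len > addr_len(a->family) * 8) return -1;
    int full = prefix_len / 8, rem = prefix_len % 8;
    if (memcmp(a->bytes, net->bytes, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    unsigned char mask = (unsigned char)(0xFF << (8 - rem));
    return (a->bytes[full] & mask) == (net->bytes[full] & mask);
}

/* Fill a sockaddr_storage for connect()/bind(); returns its length, 0 on error. */
socklen_t ip_to_sockaddr(const struct ipaddr *a, uint16_t port, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    if (a->family == AF_INET) {
        struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        memcpy(&s4->sin_addr, a->bytes, 4);
        return sizeof *s4;
    }
    if (a->family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        memcpy(&s6->sin6_addr, a->bytes, 16);
        return sizeof *s6;
    }
    return 0;
}

int main(void)
{
    struct ipaddr host, net;   /* constructed sample values (documentation ranges) */
    ip_parse("2001:db8:1::10", &host);
    ip_parse("2001:db8:1::", &net);
    printf("in /48: %d\n", ip_in_prefix(&host, &net, 48));
}
```

Access-control lists and allow-lists are where a leftover 32-bit assumption tends to fail silently, so the family check in `ip_in_prefix` returns "no match" rather than comparing an IPv4 address against an IPv6 prefix.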

  28. Address scarcity predictions by oojah · · Score: 2, Interesting

    I'm sure many of you have seen the IPv4 Address Report, which attempts to predict when the IANA and RIRs will exhaust the unallocated pool of IPv4 addresses.
    I've been tracking the results of those daily predictions for a while now and since this time last year, they've moved further away by about 6 months. There are graphs online at http://atchoo.org/ipv4/
    We're still roughly at the same place we were back when this was discussed in April (ARIN Letter Says Two More Years of IPv4).

    Cheers,
    Roger

    --
    Do you have any better hostages?