Asia Runs Out of IPv4 Addresses
ZerXes writes "It seems that APNIC has just released the last block of IPv4 addresses and are now completely out, a lot faster then expected. Even though APNIC received 3 /8 blocks in February the high growth of mobile devices made the addresses run out even before the summer. 'From this day onwards, IPv6 is mandatory for building new Internet networks and services,' says APNIC Director General Paul Wilson."
jeasus!
"It seems that APNIC has just released the last block of IPv4 addresses and are now completely out, a lot faster then expected.
The headline says something to the effect that IP addresses are out yet the quoted line has the word 'seems', casting doubt as to whether the addresses are out for sure. What's really going on?
Network Address Translation could provide some relief I think...no?
This might have a really obvious answer, but is there any reason why mobiles necessarily need an IPv4 address? Surely they could get away with IPv6 and a bit of tunnelling. Hell, in the UK most mobiles share an IP anyway.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
IPv4 addresses may be running out, but we can all look forward to supporting them forever in a second stack, running parallel to our IPv6 software, now and forever, for the rest of eternity, Amen.
Unless the entire world magically switches over to IPv6 all at once like the designers planned for. Hasn't happened yet though.
May the Maths Be with you!
"Hello! PLEASE READ THIS!!!
Hey it is Andy and john the directors of MSN [...] we only have 578 names left [...]"
At least now IPv6 is mandatory!
Wouldn't it have been better to make it mandatory years ago?
A glance at the master IANA table here seems to say that the USA got the majority of ipv4 addresses, even though today the majority of devices is elsewhere.
GRAMMAR NAZI ALERT!
"a lot faster then expected"
Do people know the difference between then and than anymore?
Inappropriate use of your/you're there/their/they're then/than drives me nuts.
ZerXes, go back to digg.
http://xkcd.com/195/
Ask Ford for some?
So no they don't need their own public IPv4 address and indeed I've never seen one that has one. However you do need IPv4 addresses to access stuff on the Internet. Regardless of if you do IPv4 NAT or if you do IPv6 with gateways to v4, you need the IPv4 addresses.
There will be cats and dogs living together, mass hysteria
4,294,967,296 ought to be enough for anybody.
I won't ever say that unless it involves physical things in numbers greater than the number of atoms in the universe. And damn, if we start making memory out of quarks I'll even be wrong there too...
n/t
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
"Network Address Translation could provide some relief I think...no?"
No.
BACKGROUND:
NAT, in the way which can be used by ISPs to reduce the need for IP addresses, works by mapping multiple internal IP addresses to an external one (or groups of external ones). So say you have one thousand computers you need to keep online and you have only 100 addresses. NAT will allow you to logically map those 100 addresses to the one thousand computers.
NAT is able to do this by connection tracking. The router keeps in memory what connections were created with what external IP address and then routes the data from the reply back to the original host. So say my browser opens up a socket on 192.168.1.129:59343 and connects to Google on "www.google.com:80". The NAT router opens up a connection on 208.32.20.1:78190 and connects to 'www.google.com:80'. When the machine listening on 'www.google.com:80' sends information back to 208.32.20.1:78190, any data received on 208.32.20.1:78190 then automatically gets forwarded to 192.168.1.129:59343, where it is then received by my browser.
WHY NAT IS FULL OF FAIL:
The reason that NAT + IPv4 is not a substitute for IPv6 is because the number of sockets that a router can open and manage is less than 16 bits. That is, the socket numbering scheme is a 16-bit scheme, of which a substantial number of sockets are reserved for specific protocols. That is, less than 60,000 possible connections can be made by a router with a single public IP address.
Each new connection made by a machine behind a new router requires a new socket established. Just by having 3 tabs on my browser right now I am using roughly 20 connections. Each connection is going to an ad provider, google, different slashdot.org servers, etc etc.
Say that an internet user is using about 50 active connections at any one time, then that means that 1 public address can only support about 1200 concurrent users. But it will break down long before that. People using bittorrent may use 300 TCP connections, which means that you can only support 100-200 users.
The other aspect of this is that there are not enough IPv4 addresses for internet routers. That is, a new ISP will run out of IP addresses long before they have even finished building their infrastructure!!! There wouldn't be enough addresses to even set up NAT routers!
This is taken care of by 'Carrier Grade NAT'. Which is you use NAT firewalls for your NAT firewall.
So....
Internet ----> NAT firewall -----(TCP tunnelled over TCP) ----> NAT firewall ----> Your home NAT router ----> Your PC.
Ever wonder why your bittorrent connections turn to shit!?
For Asia users this is already not good enough. They have RUN OUT. They cannot use NAT to extend it any further... they are over and done with.
Why not just make sockets 32bit or 64bit? Because that's retarded when you have IPv6, that's why.
I am currently running an IPv6 /32 network for my PERSONAL HOME NETWORK. All these are real, public, IP addresses.
79,228,162,514,264,337,593,543,950,336 addresses and 4,294,967,296 sub networks.
A subnet for IPv6 is a /64 network. 18,446,744,073,709,551,616 addresses in a /64 subnet.
When IPv6 rolls around most people will end up getting a /48 network address. This is _only_ 1,208,925,819,614,629,174,706,176 addresses and 65,536 networks.
There are 281,474,976,710,656 /48 network addresses in total to give away. We will now only have to worry about IP address exhaustion when the human race becomes interstellar.
So, yeah, IPv4 luddites with their NAT savior complexes can go screw themselves. I want an efficient, open, and secure internet. NAT precludes this.
I'm being serious here with this question: Why do people feel that EVERY new device needs a public address? 99.9% of mobile devices would be quite happy behind NAT. And, the vast majority of 'home' PC's would work behind NAT. Most corporate LANs are also sitting safely behind them.
Sure there are some exceptions, but most people really don't need unrestricted incoming connections.
Is wider use of NAT the 'answer'? Perhaps not, but it would extend use of v4 for decades..
---- Booth was a patriot ----
Here's what we got from APNIC this morning:
Dear APNIC community
We are writing to inform you that as of Friday, 15 April 2011, the APNIC pool reached the Final /8 IPv4 address block, bringing us to Stage Three of IPv4 exhaustion in the Asia Pacific. For more information about Stage Three, please refer to: http://www.apnic.net/ipv4-exhaustion/stages
Last /8 address policy:
APNIC's objective during Stage Three is to provide IPv4 address space for new entrants to the market and for those deploying IPv6.
..but given how fast APNIC reached the final /8, you'd think it won't be long before they run out entirely.
"It is a moral imperative" -- Real Genius
Uh, Linux geek since 1999.
I'm a bit surprised that the parent was modded off topic. The fact is that when they were first passing out brains IP blocks 'way back when, most of Asia weren't players in the internet game. I recall a briefing from the beginning of the century stating that most of India was running behind a massive NAT gateway.... and thus suggesting that most Asian nations would be moving to ipv6 earlier than the OECD out of necessity.
So, yeah, APNIC is likely very motivated to go ipv6. But, don't discount the allure of the cheap fix.
Luke, help me take this mask off
They're the first to be forced into IPv6. So they'll be further along the learning curve. Welcome our new networking overlords indeed.
Have gnu, will travel.
That is, less than 60,000 possible connections can be made by a router with a single public IP address.
That depends on how clever the NAT is. Technically each server you talk to doesn't know what ports you are using to talk to each other servers. So there is nothing stopping a nat using an internet side port to talk to multiple servers at the same time. Such a scheme will completely any protocol that tries to do "nat traversal" but it should keep the basics working at very high user:IP ratios.
Still I would expect IPv6 to seep in if only to try and reduce the load on the big nats.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
Brilliant explanation. Thank you for taking the time to write that up.
IPv4 is inherently insecure. IPv4 is inherently immobile. IPv4 is inherently non-extensible.
IPv6 is inherently secure. IPv6 is inherently mobile. IPv6 is inherently extensible.
Now, tell me which makes the most sense for mobile devices?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Turn running out of IP addresses into a drinking game?
The other big issue with NATs is traversal. You can't run bittorrent at all unless most hosts on the internet can be directly reached; it relies on peers being directly addressable.
When the NAT is on your home gateway, you (or your software) can instruct it to forward certain ports to certain hosts inside the NAT. When the NAT is run by the ISP, shared by hundreds of users, you can't do that - contention for the well known ports makes it impossible.
But clever people have realised that a NAT will often redirect all connections on a particular port back to you if you open up just one connection on that port. So if you can find a willing host to report back what port you've just connected from, you can tell others to use that.
Which breaks if you try to be clever about using the full (host, port, port, host) tuple to identify each connection.
You also have a scalability issue if you try to shove thousands of users onto a single address; storing and searching the state table for hundreds of thousands of mappings requires hardware that hasn't been built yet.
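The port arithmetic in the NAT comments above, the reply that a NAT can key its state on the full connection tuple, and the traversal trick that this breaks can all be checked with a small simulation. This is an added example, not part of any poster's comment; the `Nat` class, the addresses and the port pools are constructed for illustration, and mappings never expire.

```python
class PortsExhausted(Exception):
    """No free public-side port left for this mapping scope."""


class Nat:
    """Toy NAT with one public IP. Mappings are never expired (simplification)."""

    def __init__(self, public_ip, ports, per_destination=False):
        self.public_ip = public_ip
        self.ports = list(ports)
        self.per_destination = per_destination
        self.out = {}       # (internal socket, scope) -> public port
        self.back = {}      # (scope, public port) -> internal socket
        self.next_idx = {}  # scope -> index of next unused port

    def _scope(self, remote):
        # Per-destination mode keys state on the remote endpoint as well,
        # so a public port only has to be unique per remote server.
        return remote if self.per_destination else None

    def outbound(self, src, dst):
        """Translate an outgoing flow; returns the (public_ip, port) dst sees."""
        scope = self._scope(dst)
        if (src, scope) not in self.out:
            idx = self.next_idx.get(scope, 0)
            if idx >= len(self.ports):
                raise PortsExhausted(f"no port left for scope {scope}")
            self.next_idx[scope] = idx + 1
            self.out[(src, scope)] = self.ports[idx]
            self.back[(scope, self.ports[idx])] = src
        return self.public_ip, self.out[(src, scope)]

    def inbound(self, public_port, remote):
        """Internal socket a packet from `remote` is forwarded to, or None."""
        return self.back.get((self._scope(remote), public_port))


def users_served(nat, conns_per_user, dests):
    """Count users that fit before the NAT runs out of ports."""
    user = 0
    while True:
        src_ip = f"10.{user >> 16 & 255}.{user >> 8 & 255}.{user & 255}"
        try:
            for c in range(conns_per_user):
                nat.outbound((src_ip, 40000 + c), dests[c % len(dests)])
        except PortsExhausted:
            return user
        user += 1


def traversal_works(nat):
    """Learn the public port via a rendezvous server, then let a peer try it."""
    me, rendezvous, peer = ("10.0.0.5", 6881), ("198.51.100.7", 3478), ("203.0.113.9", 6881)
    _, port = nat.outbound(me, rendezvous)
    return nat.inbound(port, peer) == me


DESTS = [(f"192.0.2.{i}", 80) for i in range(1, 51)]  # constructed servers

if __name__ == "__main__":
    pool = range(5536, 65536)  # 60,000 ports, the figure used in the comment
    print(users_served(Nat("203.0.113.1", pool), 50, DESTS))    # 1200
    print(users_served(Nat("203.0.113.1", pool), 300, DESTS))   # 200
    small = range(1024, 1124)  # 100 ports, scaled down to keep the run short
    print(users_served(Nat("203.0.113.1", small), 50, DESTS))        # 2
    print(users_served(Nat("203.0.113.1", small, True), 50, DESTS))  # 100
    print(traversal_works(Nat("203.0.113.1", small)))        # True
    print(traversal_works(Nat("203.0.113.1", small, True)))  # False
```

With one port per internal socket the pool divides directly by connections per user; keying on the destination raises the ratio sharply, at the cost that a port learned through one server is not valid for any other peer.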
But many IP devices do not have a built-in firewall, so you -still- want to run a border router firewall, right? And if every machine is behind your border router, then those limitations are still going to apply. So you want to let certain traffic in to certain hosts. Some hosts are dmz, some hosts are very private, and some are in the middle. It's still a lot to manage. The only thing it solves is peer-to-peer communications, right? But you are going to have to deal on a host by host and service by service basis with which peer to peer protocols will be allowed in and which won't be.
Maybe NAT makes some kind of peer-to-peer relationships impossible. But, I don't think that IPv6 will make anything easy. And I think it's going to permanently piss people off at the Internet and those responsible for the new design.
Where are the ISPs with IPv6 and routers / modems?
How many have IPv6? Some have it but only for revB, so you have to re-buy the router to get IPv6, and then it's up to your ISP to have an IPv6 modem and IPv6 as well.
The US invented the Internet. The Internet originally started as ARPANET, a research network designed by DARPA, the Defense Advanced Research Projects Agency, an agency of the US Department of Defense. It started out as a link between a few US research universities and institutes. TCP/IP was then developed by Robert Kahn and Vint Cerf, working for DARPA. DARPA liked it and funded the development of the software to implement it.
After that various other government entities created TCP/IP networks based around ARPANET, like the Department of Energy, the National Science Foundation and so on. Those unified into what became the Internet.
Now that is not to say it did not become a global endeavour. Around the time the Internet came to be, CERN made their own TCP network, CERNET, and then they started looking to link up with the US Internet and did so around 1989. Also CERN of course developed the basis of the world wide web. However the Internet itself started in the US.
That's why IANA, the ultimate top level controller of Internet numbers, is based in the US. It was created there to manage things on ARPANET.
You have to remember that nobody who was designing this was thinking "Global communications system that links every computer, every phone, every TV, etc on the planet." Such a concept was really pretty unimaginable. This was just an effort to get an efficient, interoperable network for linking big institutions.
So when IPs first started being handed out it was done inefficiently. If you were real big, you got a Class A (/8, 16 million), if you were moderately sized a Class B (/16, 65 thousand), if you were small you got a Class C (/24, 256). Companies like AT&T and IBM got entire Class As for themselves. Most of that went to US entities, since they were the only ones who could get on at the time. ARPANET and some of the other research networks like NSFNET that started all this were only for research institutions and public entities. So only universities, research labs (like SRI), the military, and companies involved in the research could get on and thus get addresses.
Yes, yes, all bad in hindsight but who knew the Internet would become what it has? It also is just how shit goes. You invent something, you get to have it your way.
Neil deGrasse Tyson calls it "naming rights" and shows how it happens when various cultures are on the top of their game R&D wise. The US invented the Internet, so they got to have things like .gov for their government sites. The US invented the telephone system so they get 1 as their country code. The British invented the post office so they don't have to put their country on stamps, everyone else does.
The Internet shows a lot of slant towards the US because it started there, and developed most fully there first. The US by far had (and still has) the most advanced Internet infrastructure. They invented it, they were there first and best, that is why it is theirs in many ways.
Since general /. consensus (and I underscore that it is /. and not any of the other engineers I deal with) is that "ipv6 just works", I tried it on my Mac.
ifconfig en0 does helpfully suggest that there is an ipv6 address assigned (and it is based on my computer's MAC, leaking my identity all over the net, with Linux iptables developers specifically refusing to hide it for religious reasons, but that's another story).
ok, easy - I'll just ping my own address then to begin with.
ping - oops, "cannot resolve, unknown host"
traceroute - same deal. clearly they don't recognize this as an IP address, and try to use it as a host name.
Hmm, maybe Firefox?
Let's try that Google ipv6 address - http://[2001:4860:0:2001::68]/ (oh, that'll be fun to explain to users)
Here we go - "Firefox can't establish a connection to the server at [2001:4860:0:2001::68]."
Well, at least it knows that's an address, I think...
I think I'll try again in 10 years.
And you think the ISPs care about your ability to run Bittorrent? I assure you the vast majority of them wish that protocol had never been invented. :-)
Looks like we are headed for another Y2K kind of a cyber-o-calypse
Do many devices need a built in firewall?
Your border router example is good, as a stateful firewall is very similar to a NAT system, and the latter implies the former anyway. However why should I put my TV behind a firewall? So a hacker gains access and displays a goatse image on it. I may even get a laugh out of it. My computer on the other hand does have a firewall since there is sensitive information on it. My mobile phone ... haven't a clue, but I'm guessing that the vast majority of mobile devices out there do not have firewalls either and run just fine.
It seems direct attacks are likely to occur on large networks. Computers are a great target due to their many attack vectors and usually associated bandwidth, but most of the consumer computers out there have a basic firewall in place. It doesn't seem to do much if anything at all as by a long shot the vast majority of attacks are social or occur in an authenticated way, i.e. user clicking on .scr file because they are stupid, or user typing their credit card number into www.palpay.com/accountreset. Against this a firewall is absolutely useless.
Already out there and have been for years. They sell IPv6-capable modems too.
One of their biggest issues was dealing with a "prominent NA router vendor starting with C" where their LNSs and other hardware would fail spectacularly running certain common dual-stack configurations. It took them years to develop a stable patch for it.
LOAD ".SIG"
PRESS PLAY ON TAPE
Of course, a firewall is merely a way of restricting certain services to a local network only. This does not apply to many appliance-type devices; usually they expose no services and instead only connect to services on other machines.
The only case where a firewall would have any meaning for these devices is if their core IP stack contained an exploitable bug. This kind of thing, however, has happened in the past. If you make every toaster individually addressable (no firewall), then every toaster is going to also need some method of updating the protocol stack in case a bug like this is discovered. Making only primary devices such as computers and routers externally addressable simplifies the problem, since these devices tend to already have an update method in place to deal with known exploits.
Also, even though your TV may not have an auto-update mechanism, it is likely it is running a somewhat complex OS if it is connected to the Internet. This means that if you don't care and allow TVs to be owned, they will present a large attack threat to everyone else by being added to botnets.
Unfortunately it's wrong in some places. Like listing the limitations based on the use of bittorrent. Bittorrent won't work if everyone in the swarm is NAT'd. NAT was the poor man's firewall for years because it hides the hosts. P2P can't work if everyone is hidden. There are some tricks that may work, but generally the actual number of people per address is higher than he indicated.
Additionally, if you read the article, they report that they are allowing 1000 addresses to new ISPs. If you can't set up a NAT-based ISP with 1000 addresses, then you shouldn't be setting up an ISP at all. You won't run out of addresses. In fact, there's nothing (other than violating the RFCs, which are as optional as the pirate laws) which would prevent you from setting up an entire ISP with millions of customers using one and only one public IP assigned to your equipment (the rest given RFC 1918 addresses). And even then, most often when you uplink you get the IP address from the carrier you uplink with. That leaves you with 1024 addresses to use for NAT (well, 1022 or less, depending on subnetting).
As such, his idealized 1200 per IP is probably closer to reality than his 100-200 number expecting everyone will be running P2P. So with 100 per IP, the worst case, they'll be able to handle 100,000 users. With the more realistic 1200, there can be more than a million users. They have more than 16k of those to give out, for a total amount of support with nat of 20 billion users. Oh, and if the worst-case 100 is used, that's still more than a billion people that could be supported on what's left there.
So yes, they are out, but it isn't the crisis of collapse yet.
Learn to love Alaska
Dating from 2006, so somewhat out of date, but still showing the biggies with their own class As (yes, I have a 9.xxx.xxx.xxx IP address right now thanks very much):
http://xkcd.com/195/
So why does APNIC not confiscate these lowlifes' addresses, and hand them out to honest customers? If they're reactive enough in doing so, the addresses might actually not yet be "burned" (on blacklists), and still usable...
I suppose, but you could use the Apple defense here. Unless Microsoft or some major vendor comes and starts writing a standard system for toasters and TVs, would someone bother finding a way to attack the device? I mean even already we have a LOT of portable devices running on some form of Windows CE, yet there are no serious documented cases of exploits in the wild. Even the so called "crisis" Nokia phones were experiencing in the past with SMSes that could brick devices, and bluetooth viruses that would infect everyone on a subway ... didn't. These potentially had a huge impact yet disappeared into the ether.
The other potential form of security by obscurity is the fact that each IPv6 block is allocated a /64. This makes network scanning virtually impossible, meaning that it is quite likely my toaster would have to go out looking for a virus, in which case the social angle again could be played to bypass everything.
Such a scheme will completely any protocol that tries to do "nat traversal" but it should keep the basics working at very high user:IP ratios.
At least they know what they are doing. It would be worse if they accidentally any protocol that tries to do "nat traversal".
Bullshit.
They are not out. They have a /8 remaining. Yes, a /22 is not a lot, but this will ensure that APNIC will not run out for the next few years (unless people start registering LIRs like crazy).
As all the large players have gotten their large allocations already, they will not run out themselves that quickly, either.
This still means that IPv6 must be deployed yesteryear, but APNIC has not, and will not, run out of IPv4 any time soon. They will just not hand it out like candy any more.
For many consumers P2P filesharing is the reason why they want a > 20Mb/s connection. It's what sells premium packages, even if ISPs will never admit it.
Fuck me! You serious? This post. Again?
You've either never read Slashdot before, and you didn't read the other posts of THIS EXACT SAME QUESTION, or you're an idiot.
Please, please, please. Stop asking this question. I've read so many responses to this, I'm almost an expert on low level routing protocols, completely against my will.
This is my footer. There are many like it, but this one is mine.
If they get a few big guys like Google and Yahoo to favor IPv6 hosted content over IPv4 when it comes to page rank, I think you would see a mad scramble to IPv6 with customers placing a crushing amount of pressure on their providers to get them a presence on IPv6. Not sure if I understand it right, but I *think* it's not too difficult to serve content on both address spaces simultaneously?
Having a bookmark to Google does not make you an expert on everything.
Seriously, every cell phone and IP-enabled kitchen appliance out there does not need a live IP address...
DON'T APNIC! Incredibly lame, I know...
Come on, NAT is so widespread in China that you will not be surprised when you find you're actually four NATs away from the "Internet". The argument that NAT is a performance problem is completely bullshit in China. For the uninformed: the number of IPv4 addresses allocated to China is less than that of, say, UC Berkeley. You can barely satisfy half the netizens in Beijing with so many addresses.
So use a ULA prefix and a very simple firewall in those appliances allowing only fc00::/7 to connect them. No need for NAT whatsoever.
You probably don't want your printers to be on a public address unless you like adverts. :)