Slashdot Mirror


UK Government Owns 16.9 Million Unused IPv4 Addresses

hypnosec writes "The Department of Work and Pensions in the UK has a /8 block of IPv4 addresses that is unused. An e-petition was created asking the DWP to sell off the block to ease the IPv4 address scarcity in the RIPE region. John Graham-Cumming, the person who first discovered the unused block, discovered that these 16.9 million IP addresses were unused after checking in the ASN database."


  1. Who cares by Formalin · · Score: 5, Insightful

    Just apply the real cure already... This is so ridiculous.

    1. Re:Who cares by GNUALMAFUERTE · · Score: 5, Insightful

      I know IPv6 is needed, and it'll be great having disposable addresses to throw at any device. I'll be certainly happy to get rid of NAT in many circumstances, but OTOH, IPv6 is going to suck. I have tens of IPs in my head, which I access daily by memory. IPv4 addresses are easy to remember, easy to pass over the phone, easy to type, and easy to operate (i.e., calculate things such as masks in your head, etc). IPv6 is going to make it way harder, and that's not taking into account the migration process ...

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    2. Re:Who cares by multiben · · Score: 2

      Agree completely, but how the hell did the DWP end up with that many ip addresses?

    3. Re:Who cares by mellon · · Score: 5, Informative

      Dude, it's time to learn how to set up DNS. Honest, it's not that hard. Your DHCP server can automatically update the DNS for you. Try it—you'll like it!

    4. Re:Who cares by fm6 · · Score: 4, Insightful

      As any climate scientist will tell you, the ability of people to deny impending disaster is remarkable, especially when doing something about it costs money. That includes people on Slashdot, who keep telling me that the whole address depletion thing is bogus, that we can keep going indefinitely by discovering unused blocks and using existing blocks more efficiently.

      A few years ago, I was part of the product team that was working on a new Sun server. Now, every Sun server comes with an ILOM (Integrated Lights Out Manager), a little embedded Linux system that lets an administrator manage the server remotely. Naturally, the ILOM has its own network interface — but the one planned for this system did not support IPv6. I pointed out all the IPv4 address exhaustion issues, but was basically told to mind my own business. "No customer demand for this feature." Never mind that a few years down the pipe, customers would be very unhappy they didn't have it.

    5. Re:Who cares by Anonymous Coward · · Score: 3, Interesting

      I think you'll find that this complaint comes mainly from folks that do know how to set up DNS.

      The real difference isn't realizing that we have DNS, it's that with IPv6 and no more NAT, devices will do DNS and it won't be such an annoyance.

    6. Re:Who cares by DigiShaman · · Score: 5, Interesting

      Sometimes DNS fails or you need to validate routing tables and troubleshoot based on pure IP alone. Yes, IPv6 is going to suck badly in this regard. Feeble human mind. Oh well, I'll just have to get used to depending on an IPv6 calculator app on my smartphone. That and a TXT list that I can cut-n-paste in a terminal screen. Bah!

      --
      Life is not for the lazy.
    7. Re:Who cares by fm6 · · Score: 4, Insightful

      I think you need to ask yourself why you have to remember all those IP addresses. I'll bet that each one could be dispensed with if you had the motivation to work out a DNS-based way to access these systems — with the possible exception of the DNS servers themselves.

    8. Re:Who cares by GNUALMAFUERTE · · Score: 4, Interesting

      mysql> select count(host) from systems;
      | count(host) |
                        498 |
      1 row in set (0.00 sec)

      (stupid slashdot thinks mysql's output are junk characters)

      Since most of those 498 servers I manage are behind NAT and have dynamic public IPs, I do have a system to track them (not ddns, but a homemade solution), and I have scripts in place that allow me to get any server's IP. Combine that with shell expansion and I can ssh root@`gethost customer_id server_id` and similar stuff. That doesn't mean you don't have to deal with IP addresses anyway, and it doesn't mean doing ifconfig eth0 2001:0db8:85a3:0042:0000:8a2e:0370:7334 is gonna be easy. Imagine debugging a routing table! Imagine reading the output of tcpdump with such meaningless addresses. IPv6 is gonna be a PITA.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    9. Re:Who cares by GNUALMAFUERTE · · Score: 4, Funny

      Well, windows not being able to get into the internet is a big advantage of IPv6!

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    10. Re:Who cares by slimjim8094 · · Score: 5, Informative

      > I won't even get into how IPv6 makes it much easier to track you.

      Because that's nonsense? (Almost) Everybody implements the privacy extensions, so your world-visible address is random and changes every 10-ish minutes.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    11. Re:Who cares by jibjibjib · · Score: 4, Insightful

      Yes. In IPv6, a home internet connection generally has a rarely-changing prefix that can be converted to a name and address with the ISP's cooperation.

      But in IPv4, a home internet connection generally has a rarely-changing prefix that can be converted to a name and address with the ISP's cooperation.

      How is IPv6 worse?

    12. Re:Who cares by phantomfive · · Score: 4, Interesting

      It won't be that bad at first, until a lot of addresses are used, because of the IPv6 notation shorteners. For example, ff06:0:0:0:0:0:0:c3 may be written as ff06::c3. Unless your ISP gives you a random number as an IP address, it'll still be fine to work with.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:Who cares by 93+Escort+Wagon · · Score: 4, Funny

      No, that doesn't, but acting like the issue is settled and done with does. Pick something less controversial and more agreed on next time. There are plenty of examples you could have used to support your point which are not politically charged topics.

      In other words, play it safe - use gay marriage as your example next time.

      --
      #DeleteChrome
    14. Re:Who cares by wvmarle · · Score: 3, Funny

      that's the price of progress

    15. Re:Who cares by burne · · Score: 2

      I know I'm a bit of a nerd, but I know my prefix (2001:470:XXXX::) and after the double colon I am master of my domain, so my website lives on ::10, the mailserver on ::20 etc. If you can remember an ipv4 address, ipv6 shouldn't be more difficult, in general.

    16. Re:Who cares by argStyopa · · Score: 2

      Except for the fact that, when an emergency comes, the budget magically opens and people stop counting their pennies.
      That would mean that if/when the IPv4 crunch comes to a point where we HAVE to confront it, IT dept's will get fresh new budgets to buy the NEW Sun server that *does* have IPv6 functionality.
      I'm not saying omitting it was a good idea, but cynically it might make sense.

      --
      -Styopa
    17. Re:Who cares by FireFury03 · · Score: 4, Informative

      > When IPV6 is what we have to work with, we will be swarmed by those bastard botnets with no way to block that many IP addresses that will be used to attack.

      You'll probably want to just block the prefix rather than the address, which is just as easy under v6. In fact, having sparsely populated address space is good for security since it makes blindly scanning addresses much less effective for the malware.
      ith it either.

      > Imo the botnet criminals have been trying to force the use of IPV6 by getting all new ranges of IPV4 allocated as soon as possible.

      Huh? Botnets run on existing machines (frequently home PCs), how does that have anything to do with IPv4 exhaustion?

      > Rather than IPV6 globally and IPV4 internally, I think IPV6 should be what the countries that attack us, who just happen to have very large populations, can use for themselves.

      Why do you want to penalise the "good countries" by forcing them to stay on an obsolete protocol? (that said, a good number of attacks against my servers come from the US)

    18. Re:Who cares by mjwx · · Score: 2

      > that's the price of progress

      Why not make them human readable? Keep the hex numbers in the background but have a human readable translation for them in the foreground? IIRC, it's just the same 256 characters as IPv4 but there's 8 octets instead of 4. Obviously 255.255.255.255.255.255.255.255 is not ideal but I'm sure someone can come up with a better system.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    19. Re:Who cares by unixisc · · Score: 3, Interesting

      It's not so much DNS they are doing as much as ND (neighbor detection) and autoconfiguring. And the latter is I think what the GP's complaint was about. Difference in IPv6 is that unlike in IPv4, DHCP6 is more essential than DHCP4 was in IPv4.

    20. Re:Who cares by Znork · · Score: 2

      IPv6 doesn't force you to use the autoconfig addresses, so with strategic use of shortening the addresses and assigning easy ones they're not really that much more difficult to remember than v4 addresses if you really insist on avoiding dns.

      You can get away with something like 2002:0ca5:01f3:1::1 which means you'll basically just have to remember your routing prefix and then whatever addresses you decide yourself.

    21. Re:Who cares by TheRaven64 · · Score: 3, Interesting

      For home users, it entails pretty much nothing. If you're running a commodity operating system, it probably already advertises its host name via mDNS. It may also already advertise its link-local IPv6 address. Try sshing to a Mac on your local network by its name and see which address it tries to connect to: you may be surprised...

      --
      I am TheRaven on Soylent News
    22. Re:Who cares by knorthern+knight · · Score: 2

      > Which says "Privacy extensions do little to protect the user from tracking if only one or
      > two hosts are using a given network prefix, and the activity tracker is privy to this
      > information. In this scenario, the network prefix is the unique identifier for tracking."

      No different than right now. That depends on whether or not the ISP hands you a dynamic IP address or a static IP address. Static IP addresses will allow/encourage people to set up servers. Most ISPs do not like that. So I expect dynamic IP addresses to remain the norm. In my case, I have a separate electricity meter for my condo. This is a financial incentive to turn my PC and ADSL-router-modem off when not in use, so I get a different IPV4 address every day.

      What reason do you have for believing that ISP's will start handing out static IPV6 prefixes?

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    23. Re:Who cares by TheRaven64 · · Score: 4, Insightful

      > When IPV6 is what we have to work with, we will be swarmed by those bastard botnets with no way to block that many IP addresses that will be used to attack.

      Don't block the address, block the prefix. Block a /64 and you're probably blocking a consumer endpoint. With IPv6, addresses are allocated hierarchically, so this becomes even easier. Just shorten the prefix and you'll eventually get the whole ISP. This makes it very easy to block ISPs or even countries that harbour spammers.

      Additionally, it becomes much easier for a home user to identify attacks at the router. If you pick a random 32-bit number, odds are that it is a valid IPv4 address. Pick a dozen and you've almost certainly found one that's a home Internet connection. That makes it very easy for malware to spread. Pick a random 64-bit number, and if you're very lucky it's an IPv6 subnet that has some computers on it. Now you have to pick another 64-bit number to find one of the computers on it. For a home Internet connection, most users will be using under 50 of these (and rotating them quite frequently), so you end up with a 50 in 2^64 chance of getting the right one. After a few tries, their router's firewall will notice the suspicious behaviour (lots of connection requests to nonexistent addresses) and block your /64.

      --
      I am TheRaven on Soylent News
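
Added example, not part of any comment in the thread: the prefix-based blocking that FireFury03 and TheRaven64 describe, written as a router-side sketch in Python. The thresholds, the escalation from /64 to /48, and the 2001:db8:: documentation addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

LAN_PREFIX = 64      # block granularity suggested in the comments above
SITE_PREFIX = 48     # assumed size of one customer delegation
MISS_LIMIT = 3       # assumed: probes of dead addresses before a /64 is blocked
ESCALATE_LIMIT = 2   # assumed: blocked /64s inside one /48 before blocking the /48


class PrefixBlocker:
    """Counts probes of nonexistent local addresses per source /64."""

    def __init__(self, live_hosts):
        self.live = {ipaddress.ip_address(h) for h in live_hosts}
        self.misses = defaultdict(int)  # source /64 -> probes of dead addresses
        self.blocked = set()            # IPv6Network objects currently blocked

    def is_blocked(self, src):
        return any(src in net for net in self.blocked)

    def observe(self, src, dst):
        """Return 'drop', 'allow' or 'miss' for one inbound connection attempt."""
        src = ipaddress.ip_address(src)
        dst = ipaddress.ip_address(dst)
        if self.is_blocked(src):
            return "drop"
        if dst in self.live:
            return "allow"
        # Privacy addresses rotate the low 64 bits, so count against the /64,
        # not against the individual source address.
        lan = ipaddress.ip_network(f"{src}/{LAN_PREFIX}", strict=False)
        self.misses[lan] += 1
        if self.misses[lan] >= MISS_LIMIT:
            self._block(lan)
        return "miss"

    def _block(self, lan):
        self.blocked.add(lan)
        # "Just shorten the prefix": collapse several blocked /64s that share
        # a /48 into one rule covering the whole delegation.
        site = lan.supernet(new_prefix=SITE_PREFIX)
        inside = {n for n in self.blocked
                  if n.prefixlen == LAN_PREFIX and n.subnet_of(site)}
        if len(inside) >= ESCALATE_LIMIT:
            self.blocked -= inside
            self.blocked.add(site)


# Constructed sample data: two live hosts and a sequence of (source, destination).
LIVE = ["2001:db8:ffff:1::10", "2001:db8:ffff:1::20"]
EVENTS = [
    ("2001:db8:aaaa:1:a1b2:c3d4:e5f6:1", "2001:db8:ffff:1::dead"),
    ("2001:db8:aaaa:1:9f8e:7d6c:5b4a:2", "2001:db8:ffff:1::beef"),
    ("2001:db8:aaaa:1:1111:2222:3333:3", "2001:db8:ffff:1::cafe"),
    ("2001:db8:aaaa:1:4444:5555:6666:4", "2001:db8:ffff:1::10"),  # same /64, new address
    ("2001:db8:bbbb:1::5", "2001:db8:ffff:1::10"),                # unrelated, legitimate
    ("2001:db8:aaaa:2::a", "2001:db8:ffff:1::1"),
    ("2001:db8:aaaa:2::b", "2001:db8:ffff:1::2"),
    ("2001:db8:aaaa:2::c", "2001:db8:ffff:1::3"),
    ("2001:db8:aaaa:3::1", "2001:db8:ffff:1::10"),                # caught by the /48 rule
]


def run_demo():
    blocker = PrefixBlocker(LIVE)
    verdicts = [blocker.observe(src, dst) for src, dst in EVENTS]
    return verdicts, sorted(str(net) for net in blocker.blocked)


if __name__ == "__main__":
    verdicts, blocked = run_demo()
    for (src, dst), verdict in zip(EVENTS, verdicts):
        print(f"{verdict:5}  {src} -> {dst}")
    print("blocked:", blocked)
```

Rotating the interface identifier does not evade the rule because the counter is keyed on the /64; the trade-off is that every host behind a blocked prefix is dropped along with the scanner.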
    24. Re:Who cares by bbn · · Score: 5, Informative

      IPv6-addresses can actually be much easier to remember than IPv4. Why? Because there is a system to it.

      Here in the RIPE region there are only three possible prefixes for any address: 2001::, 2003:: and 2a0x::

      In practice you are only working with one or a few ISPs. This means the first two blocks are always going to be the same. My ISP has 2001:1448::.

      We got a /48. We happen to be number 201. So our addresses are all starting with 2001:1448:201::.

      Everything from that point on is something I decided. If I want easy to remember addresses I would choose easy to remember addresses. My primary server could be 2001:1448:201::1. I would remember it as the ::1 server.

      It is true that if you let your hosts autoconfigure to a random interface identifier that will be impossible to remember. But there is nothing stopping you from using manual configuration or DHCPv6 to number your hosts in a human friendly manner.

    25. Re:Who cares by icebraining · · Score: 2

      So, write a script to preprocess the logs, replacing the IPs with names?

    26. Re:Who cares by Anonymous Coward · · Score: 2, Informative

      Unless you are running Windows 8 which will helpfully rewrite your hosts file for you when you are done.

    27. Re:Who cares by marka63 · · Score: 2

      On a mac, system preferences -> sharing, and if you hit edit you can teach it how to register itself in the DNS.

    28. Re:Who cares by Anonymous Coward · · Score: 4, Interesting

      Like RFC 1751 (http://tools.ietf.org/html/rfc1751) for instance :)

      Although it does tend to come up with sequences that have some comedy smutty parts.

    29. Re:Who cares by petermgreen · · Score: 2

      > ranges were given out like candy to anyone who asked in the early days of the web. Corporations, Government and Academics made a land grab because they were the only people who could use the resource at the time.

      Remember in the early days of the internet there was only Class A, Class B and Class C (equivalent to /8, /16 and /24 nowadays), so if you were too big for a class C then you got a class B and if you were too big for a class B then you got a class A. This led to many allocations being far bigger than they actually needed to be.

      > I've heard that Glasgow Uni has a /8 that's never had more than 10 addresses exposed to the Internet.

      Sounds like it was either a myth or it was given back years ago. I don't recall ever seeing them on the /8 allocation list.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    30. Re:Who cares by Eil · · Score: 2

      > I pointed out all the IPv4 address exhaustion issues, but was basically told to mind my own business. "No customer demand for this feature."

      Despite being in the business, you forgot one important thing: B2B hardware and software vendors almost universally design products only according to what their customers are actually asking for. It's not quite like the consumer sector where a company designs something new and tries to convince the masses that they need it via marketing. The enterprise is different. If the customer wants a faster horse, you damn well better offer a faster horse or they're going to buy your competitor's solution instead. You may be able to see a future need for a feature (like IPv6). Management sees it as unjustified engineering costs.

      Of course, the cynic in me also wonders how many vendors are putting off explicit IPv6 support in their products in order to manufacture a crisis when IPv4 addresses run out, a la Y2K bug. "Oh noes, we need IPv6 in all our stuff, won't you help us out? Here's gobs of money for consulting and durable goods, just make our shit work again!"

      Finally, even though IPv6 is starting to take off in the consumer and hosting space, most large internal networks are going to be mainly IPv4 for a good long time yet. We're talking decades, here. Large production business networks are loath to change and they simply do not upgrade critical systems just because it makes sense to do so. That Sun box you helped engineer, it's going to be in the trash heap long before IPv6 is widespread in the enterprise.

    31. Re:Who cares by mellon · · Score: 2

      Just start working with it. You will find that cut and paste works in the cases where you really have to put in an IPv6 address—it's what I do. If you really have to type in an IPv6 address, it _is_ a pain in the neck, but it's also a rarity. I think the major modern operating systems support DHCPv6 at this point, so DNS updates will work if you require DHCPv6. If you just set everything up to use ND, of course that won't update the DNS unless you also have a pretty fancy Windows/Active Directory setup.

    32. Re:Who cares by jbolden · · Score: 2

      There are over 10^50 atoms on earth. v6 is big it ain't that big.

    33. Re:Who cares by shentino · · Score: 2

      The migration is being obstructed by people with hoards of v4's they got back when the addresses were plentiful, as well as ISPs that find more profit in milking their IP space for all it's worth and making people pay for a business connection to get out of NAT...and also enforcing "no servers allowed" in their residential contracts.

      Nowadays, stashes of v4's are a gold mine and people holding them are not going to let their windfall go without a fight. Instead, they are going to squat on them, and milk their inventory of v4's for all it's worth.

      Whether we like it or not, the v4 black market is here, and it's not going away. If ICANN and the internet registries actually had balls enough to revoke allocations from people that didn't need them, or claimed they did but then were caught selling them on the black market, we would not be in as bad of a mess.

      Also, being able to NAT your residential customers and milk business grade fees for real IPs is quite lucrative for an ISP.

      Entrenched interests are making a fortune selling off v4's and/or extracting premiums from business class users that are able and willing to pay to get out of NAT, and it is only going to die when it's pried from their cold dead hands.

      V6 needs to arrive, but greed by hoarders and providers, and pacifism on the part of internet registries have aggravated the crisis and made it worse than it needs to be.

    34. Re:Who cares by jbolden · · Score: 2

      > There are no True IPV4/IPV6 NAT or PAT protocols; how am I supposed to set up a proper DMZ without that?

      Firewalls between physical connections.

      Say you have 2 networks A and B. A has a firewall on it which goes in from the internet. It blocks all traffic to or from any non A address. The connection between A and B goes through a firewall. That firewall blocks any traffic to or from B that's not routed to A.

    35. Re:Who cares by JSBiff · · Score: 2

      Is abc1:2345::10 that much harder? Ok, solution:

      In your OS, set an environment variable that persists across logins:
      6NET=abc1:2345

      Then when using networking tools:
      ping %6NET%::10

      Was that so hard?

    36. Re:Who cares by cjjjer · · Score: 2

      It all depends on how you look at it.

      "6732:87fb:87fa:12a9::54d8"
      "6732:87fb:87fa:72a9::54d8"

      Notice the difference right away.

    37. Re:Who cares by Aqualung812 · · Score: 4, Informative

      > Calculating masks in your head will still be a more difficult task

      Why would you do this, unless you work for a large ISP?

      With IPv6, everyone uses /64 for each broadcast domain, cutting the address exactly in 1/2. It is easy.

      Devices that need statics are DNS servers and routers, and neither should be changed frequently. Also, you're likely to use simple addresses for them, so it will be:
      NetworkPrefix::1, Network::2, Network::3, etc.

      For me, I have 2601:d:881:b::1 for a default gateway, and 2601:d:881:b::101 for my DNS server #1, and 2601:d:881:b::102 for DNS server #2.

      That isn't hard to remember, and it isn't hard to type. What exactly is the problem?

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    38. Re:Who cares by Miamicanes · · Score: 2

      > I am yet to see DNS fail badly. I have seen plenty of people who don't understand it say it does, when the problem is invariably routing or a firewall.

      Note the key phrase, "who don't understand it" and its modifiers "routing or a firewall". There's a HELL of a lot of people who happen to fall into that category, and whose frustration goes off the scale when something fails to work because the slightest configuration problem will break it, and if you manage to avoid a subtle semantic bug in a zonefile somewhere, factors upstream that are beyond your control can still break it in ways that are almost impossible to distinguish from that same hypothetical zonefile bug. Bind is a cruel, heartless, sadistic, and demanding master. I struggle to think of anything that universally strikes fear in the heart of otherwise brave men than "Can you set up the DNS for us from scratch? We registered the domain yesterday. The computer's over there, and here's the Ubuntu installation DVD."

      DNS only "just works" when some OTHER unfortunate soul has already set it up and spent the day troubleshooting it for you. Worst of all, there's a big, fuzzy gray area of "works for me, and apparently for him, but not for you for some unknown reason".

      So, yes... for 17 or 18 artisan-level gurus who've achieved Enlightenment, DNS is easy and straightforward to set up. For the other 99.9% of individuals unfortunate enough to find themselves tasked with the duty of setting it up at the server end, it's pure hell, and Bind was a punishment invented by God for sadistic entertainment purposes.

      When I talk about "DNS Failure", I'm not talking about it from the perspective of pure end users who connect to a network and make use of DNS that somebody else has already gotten to work for them. I'm talking about the unrelenting hell of being someone who lacks control of his upstream network configuration trying to set up his own DNS server and make sense of errors that could be caused by just about anything, or (almost) nothing at all, and can take a relative eternity to troubleshoot when it happens.

    39. Re:Who cares by SQLGuru · · Score: 2

      If you code in a C-based language:
      00 is 00st
      01 is 00nd
      10 is 10rd
      11 is 11th

      Which was the parent's point.

    40. Re:Who cares by pclminion · · Score: 2

      > We got a /48. We happen to be number 201. So our addresses are all starting with 2001:1448:201::.

      When you've got a block that's bigger than the entire IPv4 Internet, you know you're cool.

    41. Re:Who cares by suso · · Score: 2

      You're missing the opportunity to use hexadecimal characters in memorable ways in your IPv6 addresses though:

      2001::FEED:FACE:DEAD:BEEF (For non-vegans)
      2001::C0DA:0B0E:BA55:C1EF (For musicians)
      2001::CA11:D011:FACE:BABE (For a good time)
      2001::FEE1:DEAD:BABE:B00B (For necrophiliacs)

    42. Re:Who cares by Cimexus · · Score: 2

      Er this is completely standard. I've been on native IPv6 for two years now, on my standard residential $29.95/month DSL plan, and also have a block way bigger than the entire IPv4 internet. Though mine's only a /56 rather than a /48 (oh noes, only 4,722,366,482,869,645,213,696 globally-addressable IPs for my home LAN??)

      That's the whole beauty of IPv6 :)

    43. Re:Who cares by Cimexus · · Score: 3, Insightful

      Yep. Been on native IPv6 for 2 years now and I have not ONCE needed to memorise, copy down or type/enter an IPv6 address for any reason. This is a non-issue.

    44. Re:Who cares by maxwell+demon · · Score: 2

      2001::0192:0168:0000:0001 (For IPv4 fans)
      2001::436F:6D70:7574:6572 (For people who know ASCII)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  2. Must be a UK citizen to sign the petition. by i286NiNJA · · Score: 2

    You have to be a UK citizen to sign the petition so please sign if you can.

  3. Sell the Addresses? Don't Give Them Ideas by grcumb · · Score: 5, Insightful

    > An e-petition was created asking the DWP to sell off the block to ease the IPv4 address scarcity in the RIPE region.

    Why not just ask them to do the right thing and give them back to RIPE? I mean seriously, what kind of example are we trying to set here? Or maybe someone's just trying to bootstrap a market for IPv4 addresses in order to cash in on the increasing scarcity....

    ... In any case, encouraging profit from a public resource like this is a terrible idea.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
    1. Re:Sell the Addresses? Don't Give Them Ideas by jibjibjib · · Score: 5, Insightful

      Giving away a block of IPv4 addresses worth about $1 billion is the same as literally giving away $1 billion of taxpayers' money. I don't think that would be doing "the right thing" for the people of the UK.

    2. Re:Sell the Addresses? Don't Give Them Ideas by jibjibjib · · Score: 5, Insightful

      The amount it cost in 1994 is irrelevant in the decision about what to do with it now.

      If it can be sold for $1 billion, then giving it away for nothing is equivalent to giving away $1 billion.

    3. Re:Sell the Addresses? Don't Give Them Ideas by Anonymous Coward · · Score: 2, Informative

      RIPE's terms and conditions prohibit selling IP addresses. RIPE actually has the power to take them back if they're unused and they're needed - and they are needed, RIPE just allocated its last block!

      In this instance, I shall be voting for RIPE to do just that.

    4. Re:Sell the Addresses? Don't Give Them Ideas by Patch86 · · Score: 2

      Screw that. My government (that is to say- the taxpayer, i.e., me) owns a £1 billion asset they probably didn't know they had. And you want them to give them away to companies, corporations, private citizens and whatnot for free?

    5. Re:Sell the Addresses? Don't Give Them Ideas by Zocalo · · Score: 2

      Quite. These IP addresses legitimately belong to the UK Government, and therefore by implication to the UK taxpayer. The snag is that they belong to the wrong department of the UK Government to actually do much good and given the usual incompetence of government transferring them to where they might be useful isn't likely to happen in time. If UK.gov can get its thumb out of its ass and come to some kind of arrangement with RIPE to let them do it (this kind of thing is not currently permitted under RIPE's T&Cs), these IPs could actually make some money for the Exchequer.

      There are going to be plenty of IPv6 hold-outs in the UK who are pretty much fscked now that RIPE is assigning IPs from its last /8 and therefore won't be able to get any more IPv4 addresses to grow their businesses. If the DWP's /8 were to be loaned out to those companies for a suitably stiff "administration fee" that would give those businesses more time to migrate to IPv6 while potentially generating a considerable amount of revenue for the UK government in the process. Better yet, make the fee monthly and increase it as time goes by; that way you'd be motivating the companies concerned to hasten their move to IPv6 so they could return the loan IPv4 block back to UK.gov ready for assignment to the next sucker who held off deploying IPv6 too long.

      --
      UNIX? They're not even circumcised! Savages!
  4. Let's reserve our favorite numbers now! by RulerOf · · Score: 5, Interesting
    Am I the only one that sees something like this and immediately wants to call dibs on a "Vanity IP?"
    I'll take:
    • 51.51.51.51
    • 51.52.53.54
    • 51.0.0.1
    • ...and 51.50.49.48

    I'm sure there's an algorithm or list that could tell me all of the possible "desirable" IPs in the /8, but, due to the fact that we shouldn't be greedy, and the completely arbitrary relation to the number 4 for IPv4, and the fact that it's an election year here in the US, I propose that we Slashdotters limit ourselves to four a piece, and leave the remainder to Reddit and 4chan. Or something.

    --
    Boot Windows, Linux, and ESX over the network for free.
    1. Re:Let's reserve our favorite numbers now! by Formalin · · Score: 4, Funny

      You can have 51.51.51.51, but I've got dibs on 0x33333333.

    2. Re:Let's reserve our favorite numbers now! by RulerOf · · Score: 4, Interesting
      Oooo.....

      http://0x33333333 [Enter]

      You sneaky bastard :D

      --
      Boot Windows, Linux, and ESX over the network for free.
  5. Really? by phizi0n · · Score: 2

    How did nobody notice this until now? There aren't that many public /8 blocks (125 or less since the 10 and 127 blocks are for special purposes and 0 is unusable) and they've been trying to recoup unused /8 blocks for over a decade so is this really a new discovery?

    1. Re:Really? by camperdave · · Score: 5, Funny

      They're holding on to them until the rest of the world coughs up the missing Dr Who episodes.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Really? by Zocalo · · Score: 3, Interesting

      Plenty of people have noticed this before now, IANA has published a table showing all the /8 allocations pretty much since they were formed. Anything flagged as "LEGACY" was assigned before the current RIR/LIR assignment process was implemented. Someone even compiled a table showing which parts of the legacy IP assignments were not routed some years back, which must have included the DWP's /8 as well unless they were actually advertising it at the time that the table was compiled.

      The only thing that makes this slightly newsworthy is that this is about a cash-strapped sovereign government sitting on a sizable pool of "spare" IPv4 space that has suddenly become a much more valuable commodity following the recent announcement that RIPE is now down to its final /8 and IPv4 allocations within Europe and those parts of Asia that fall under RIPE's remit are now heavily restricted. You can probably expect a similar story about the dozens (see the table above) of underused /8s that are held by US corporations and government agencies, the DoD especially, when ARIN's IPv4 approaches exhaustion as well.

      --
      UNIX? They're not even circumcised! Savages!
  6. relatively common by Anonymous Coward · · Score: 5, Insightful

    This sort of thing is relatively common, it's probably used internally as a routable address space, but not intended for use on the public Internet. (Saves having to deal with multiple uses of rfc1918). This sort of thing is very common in the government (though usually much less than an /8). They can't use a consistent rfc1918 address space internally as whenever the government changes its priorities, work units will shuffle between departments. You'll probably find that this address space is now used by many departments, and trying to move all users over to another range will cost more than they can recover from selling the /8.

  7. Re:Propaganda by The+Master+Control+P · · Score: 4, Insightful

    I enjoy the idea of the Internet actually functioning as an end-to-end network the way it was meant to, rather than one with a handful of privileged devices with publicly routable addresses and (soon enough) whole cut-off sub-Internets trapped behind them. But that's just me.

  8. Re:Propaganda by fm6 · · Score: 3, Insightful

    "The way it was meant to" was specified by a bunch of DARPA-funded geeks who designed their tech for a small network where all the admins knew each other. They had no concept of operating a network with large numbers of users, many of them malicious.

    Whenever I hear "the way it was meant to" I run the other direction. It's always based on some lame notion that things were perfect in the past, even though people in the past were also whining about "the way it was meant to."

  9. Re:16.777 != 16.9 by Psicopatico · · Score: 5, Funny

    Someone used the Imperial IP which is slightly bigger than the Metric IP, hence the result is 16.9.

    --
    Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
  10. Re:16.777 != 16.9 by mrbester · · Score: 4, Funny

    Ah, the widescreen version.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  11. I believe... by AliasMarlowe · · Score: 5, Funny

    I believe in the incremental approach to updates; it's so much safer and usually easier.
    So it's going to be IPv5 for me, while you suckers make a mess of IPv6!

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:I believe... by AliasMarlowe · · Score: 5, Funny

      I also believe a WHOOSH! is in order for you, sir/madam.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:I believe... by Megane · · Score: 2

      Hah! I'm not going to waste my time with IPv6, what with IPv7 right around the corner!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    3. Re:I believe... by MightyYar · · Score: 2

      The worst is that if you upgrade right now, you just know they'll drop the price right after you get IPv6.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  12. Some of that 51.0.0.0/8 actually is in use by Anonymous Coward · · Score: 5, Informative

    Local government network admin here. Parts of the 51.0.0.0/8 address space are in our internal routing table, because it's used for shared private networks between different government organisations. Just because it's not in the public Internet routing table doesn't mean it's not used.

    Granted perhaps not the whole /8 is in use (I only see 3 x /16s out of a possible 256 in my routing table at present), but who's to say other sectors which I don't have network connectivity to aren't using it.

    We're actually pushing for and slowly enabling IPv6 internally on our core and servers where we can, rather than delay the inevitable. This is despite our organisation ourselves owning a whole public /16 block, yet have maybe only 10-15k addressable nodes max across all our networks we control at present. It will take us much much longer to re-IP/re-subnet the entire network more efficiently so some of that space can be returned to RIPE, than for it to be reallocated and used up after returning, due to old systems and old proprietary software in use. Not to mention the resources required to do such a massive task.

    Personally I think the people asking for addresses to be returned by any organisation (supposedly) not using them (including all the other apparently wasted /8 allocations out there) are not looking long term enough. IPv6 is the way to go.

    1. Re:Some of that 51.0.0.0/8 actually is in use by lbft · · Score: 2

      If you need a /8 for private addresses, use 10.0.0.0/8. That's what it's bloody there for.

      > Personally I think the people asking for addresses to be returned by any organisation (supposedly) not using them (including all the other apparently wasted /8 allocations out there) are not looking long term enough. IPv6 is the way to go.

      Consumer internet IPv6 adoption rates are atrocious across the globe. VPSes and dedicated servers require dedicated IPs, and even shared hosting requires a dedicated IP for SSL if you want anybody running any version of Internet Explorer on Windows XP to not get a certificate warning.

      Are people who do business online supposed to claim pensions until enough people can reach their IPv6-only websites?

    2. Re:Some of that 51.0.0.0/8 actually is in use by lbft · · Score: 2

      APNIC have been on their last /8 policy for nearly a year and a half. RIPE have now entered their last /8 policy.

      That means no more than 1024 IPs per organisation, ever.

      So once existing allocations are exhausted, right now, in Europe, Asia, or the Pacific, any new ISP will not be able to have more than 1024 customers online at the same time without NAT. Any new datacentre or VPS provider will not be able to have more than 1024 active services, at all (since NAT would not be an acceptable solution for servers).

      "The time you need to move" is now for many people, and it's not going to be long before it's you too.

  13. Make them dual-stack use only by unixisc · · Score: 2

    Since it's been discovered, what they should do is break it up into, say ~65k blocks of 256 addresses each, and sell them only to customers who have IPv6 transition plans. In other words, these addresses should only be used to enable dual-stack for customers who have taken the initiative in moving to IPv6.

    That forces people to move seriously towards IPv6 - starting w/ the telecom vendors, such as BT, Vodafone, et al. That way, the migration, instead of being pushed out, gets expedited.

    Indeed, that should be the approach worldwide - provide IPv4 ONLY to supplement IPv6 blocks so that dual stack can be supported, and not any other reason.

  14. 51st State? by Martin+S. · · Score: 2

    Would privatisation of the DWP's 51.0.0.0/8 block be the first or last step to the 51st State?

  15. Not publicly routed doesn't mean unused by Martin+S. · · Score: 5, Informative

    Just because this block is not public does not mean it is unused.

    The UK Government has a huge darknet.

  16. Managing your addresses by unixisc · · Score: 2

    First things first - for IPv6, DHCP6 is a better idea than DHCP4 was for IPv4. Use that to manage your addresses. You can assign certain addresses (or ranges) as static, certain address ranges as dynamic, and be off to the races. No need to struggle w/ subnetting the way you did in IPv4.

    Next thing - if it's important for you to remember your IPv6 address, remember that the first 12-16 digits (depending on what your ISP gives you) are gonna be common. You then have the remaining 16 digits. If it's important that you remember them, set up a naming scheme for those 16 digits that works for you, and assign those names accordingly. Set it up in your DHCP6 server, so that all your devices automatically get their IPs. From that point, after a while, you should be able to remember the first half - since it's your assigned global prefix - and then the latter half, since it's something you assigned and remember. Do not use auto-configured addresses in this case.

    In the event that you have money to throw @ this problem, there are even PAM (Protocol Address Management) software that some IPv6 companies provide, that help you manage your addresses. You might want to invest in those.

  17. Re:The nuttiness of allocation by Anonymous Coward · · Score: 2

    You're victim to Zeno's paradox: You focus on the little steps, and that clouds your perception of the big picture. There aren't enough IPv4 addresses, no matter how many are reclaimed or how efficiently they're allocated. The whole of IPv4 has a maximum of 4 billion addresses. There are already more people on this planet. Many use more than one IP enabled device at the same time. No matter how you allocate the addresses, in the end there won't be enough of them.

  18. Re:DHCP6 preferable to autoconf by KiloByte · · Score: 4, Informative

    What's wrong with manually assigning IPv6 addresses? That works just the same as it did with IPv4:

    iface eth0 inet6 static
            address 2001:6a0:114::9
            netmask 64
            gateway 2001:6a0:114::1
    iface eth0 inet static
            address 192.168.0.9
            netmask 255.255.255.0
            gateway 192.168.0.1

    You just get a much bigger range to choose from, which you may use or not.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  19. A great opportunity by Chrisq · · Score: 2

    This must be worth more than the Bank of Scotland. Let's sell it quick. The Government is actually much more likely to hold on to it until everyone is on IPv6 and it becomes worthless.

  20. Re:NAT is dead by Pentium100 · · Score: 2

    Load balancing/failover between different ISPs:
    IPv6 - ISP cooperation and 1300EUR/year,
    IPv4 - NAT router with software that supports this (for example pfsense) - can be completely free and does not need ISP cooperation or knowledge.

    I actually did the load balancing between two connections from the same ISP. I had DSL and could access a WiFi AP (legally), but WiFi was not very reliable. Pfsense could load balance both connections and give me faster torrents (if WiFi worked) or was just the same as with only DSL (when WiFi did not work). No additional configuration required, uT worked perfectly.

    > IPv6 level NAT (there are software packages for this)

    Any of them work on x86 Linux or Windows?

    Two real servers appearing as one - it may be that the client software expects one server (and for some reason I have to have them separately, be it physical or virtual machines) or to confuse hackers. Or to keep old links working after one of the services was moved to a different server.

    Essentially, NAT allows me to "decouple" the internal network from the external one - I can make it appear as I want to from the outside instead of what it actually is. Nobody outside has a need to know how my network is set up - just like the power company does not need to know what devices I have plugged in - all it sees is the total current.

  21. In IPv6, defense is easier than attacks by unixisc · · Score: 2

    Blocking a prefix, and thereby a whole host of IP addresses is easy. Targeting a specific IP address out of 18,446,744,073,709,551,616 is hard if they are static, and impossible if they are dynamic. In fact, blocking works better in IPv6 than it does in IPv4.
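
Added example, not part of the comment above: a sketch of the prefix blocking it describes, comparing per-address rules with per-/64 rules over the same sources. The log sources, the threshold and the `block_candidates` helper are constructed for illustration; all addresses are from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses of failed logins (documentation ranges).
SAMPLE_SOURCES = [
    "2001:db8:aa:1:5c3e:91ff:fe02:1111",
    "2001:db8:aa:1:d4b1:7e20:33aa:9c01",
    "2001:db8:aa:1::beef",
    "2001:db8:aa:1:1:2:3:4",
    "2001:db8:bb:7::10",
    "198.51.100.7",
    "198.51.100.7",
    "198.51.100.7",
    "192.0.2.15",
]


def block_candidates(sources, threshold=3, v6_len=64, v4_len=32):
    """Count events per network and return {network: count} at or above threshold.

    IPv6 sources are grouped by v6_len (default /64, the usual subnet size);
    IPv4 sources by v4_len (default /32, i.e. per address).
    """
    counts = Counter()
    for text in sources:
        ip = ipaddress.ip_address(text)
        plen = v6_len if ip.version == 6 else v4_len
        # strict=False masks the host bits, giving the enclosing network.
        counts[ipaddress.ip_network(f"{ip}/{plen}", strict=False)] += 1
    hits = {net: n for net, n in counts.items() if n >= threshold}
    # Sort by (IP version, network address) so output order is stable.
    order = lambda kv: (kv[0].version, int(kv[0].network_address))
    return dict(sorted(hits.items(), key=order))


if __name__ == "__main__":
    print("per-address rules:", block_candidates(SAMPLE_SOURCES, v6_len=128))
    print("per-/64 rules:    ", block_candidates(SAMPLE_SOURCES))
```

With per-address counting, the four IPv6 sources never reach the threshold because each interface ID is seen once; grouped by /64 they collapse into one rule. A /64 can hold many unrelated hosts, so a prefix rule trades precision for coverage.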

  22. Re:Who says they're unused? by unixisc · · Score: 2

    This is very true. IBM has 9.x.x.x. So the way they may have originally configured it may have been have 9.x.x.x to their central router, and then subnet it from that point throughout the company worldwide. So that every separate LAN within IBM would have a certain number of users. Now, if they were asked to return what they were not using, they'd have to totally re-configure their subnet centrally, and it would be a nightmare to pull off. And for what - so that other people can use them?

    Agreed that IP addresses were badly allocated by Jon Postel to a select few companies, and he probably never imagined the world's entire population potentially needing it. So that's water under the bridge, and nobody should try to solve it that way. The way it's being done now- IETF owning the root, then allocating the unicast bunch to the IANA, which then allocates them to the RIRs, who then allocate them further downstream, is a good way to work. That's what people should do. The only reason for wanting to get IPv4 addresses would be to support dual stack, but for anything that is not a web server, use IPv6. That way, people don't have to scour for these addresses, and the nightmare it would be to configure them.

  23. Re:Who says they're unused? by Megane · · Score: 2

    Usually. The problem happens when companies merge, and both are using the same "private" address space.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  24. /etc/hosts instead by Danathar · · Score: 2

    I don't want somebody knowing who I'm looking up so I downloaded the entire DNS and dumped it into my /etc/hosts file. I feel so safe now....

  25. Re:Propaganda by petermgreen · · Score: 2

    Having a public IP that changes from time to time is mildly annoying but can be worked around with stuff like dyndns.

    Not having a public IP at all is much worse.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  26. Slashdot post in 2022 by upside · · Score: 4, Funny

    "The Slashdot user known as bbn has a /48 block of IPv6 addresses that is unused. An e-petition was created ..."

    --
    I'm sorry if I haven't offended anyone
  27. I'm rolling Microsoft-style by JSBiff · · Score: 2

    I call dibs on B16B:00B5!

  28. Re:And have they got DNSUpdate in IPv6? by PhotoJim · · Score: 3, Interesting

    Use radvd instead of DHCP6. That way IP addresses are predictable and unique, as long as you use /64 subnets which is standard practice with IPv6.

    You can take a machine's MAC address and predict its IPv6 suffix perfectly. Add it to your /64's prefix and you know your IP. radvd and your clients will figure the same IP out on their own.

  29. Easy to remember by unixisc · · Score: 2

    Somebody should make a list of all words of 4 letters or less, made up of A, B, C, D, E, F, G (6), I (1), O(0), S (5) and Z (2). Publish a dictionary of just those words. They can be used in composing IPv6 addresses that are easy to remember. And to make it simple, only English words for this exercise :-)

    1. Re:Easy to remember by unixisc · · Score: 2

      Thanks - I copied those. Actually, the list would be much longer than that, since I said 4 letters or less. Also, if I had made it 8 letters or less, that would have made it a lot more. But using those words to lock either the upper or lower half of the interface ID (the hosts part of the address), and then letting the other word vary as per the user needs - allocating a range to dynamic, while assigning some static. It would be easy to remember something like 2001:4fad:1357:6:xxxx:add5, and then, the only thing that has to be remembered about the node address is xxxx. And there too, one could use just decimal numbers and drop the a-f, or they could just use a-f and drop the numbers... A whole range of possibilities.

  30. Re:DHCP6 preferable to autoconf by tlambert · · Score: 2

    DHCP6 is if you are anal and want to explicitly exclude giving routable addresses to random devices.

    The thing that's frequently missed is that you don't have the necessary CERT to do an update to the local DNS server, if you want your machine to update DNS automatically, then you need to have a CERT for a DNS server where you do have update rights.

    Practically, this comes down to my laptop always being named "mylaptop.mygroup.mycompany.com" because I put the IPv6 stateless autoconfiguration address into the DNS server for "mygroup.mycompany.com" mapping it to that name with the CERT, and then the local DNS allows this as an inaddr.arpa. update because the forward check was allowed by my DNS server.

    It doesn't matter if I use this address to send random SPAM, since it comes back to my domain via gethostbyaddr(). This assumes you deploy DomainKeys. If not, then the reverse name doesn't happen, and no one will be willing to relay your SPAM for you anyway.

    If you care about routable addresses, then you probably need to set up a DMZ with a WiFi certificate for the non-DMZ network. This is how GoogleGuest allows people on the Google campus onto the Internet.

  31. Re:Who says they're unused? by Cramer · · Score: 2

    Class E *is* reserved space. That's why many devices refuse to allow those addresses.

    Yes, a decade (plus) ago we could have wasted efforts to un-reserve that space -- and forcibly reclaim all those legacy /8's. We'd still end up in exactly the same damned place... IPv4 address space isn't large enough for the global internet. The effort was instead devoted to creation of IP-ng (aka IPv6.) For all of the "designed by committee" mistakes, IPv6 is our solution. It's too god damn late to say it's trash and try to invent a new system.

    The biggest failure of IP-ng is the complete lack of migration, transition, and interoperability. IPv4 and IPv6 are COMPLETELY different protocols. They might as well be Appletalk and IPX. They create two completely independent networks. There is zero chance of ever getting the entire world to agree to drop v4 and go v6 at any set point. The largest sticking point here are US ISPs... they have v4 address space and their customers only want to get to v4 connected sites, thus there's zero pressure to deploy v6. (read: no consumer demand -- also zero consumer understanding) Even within the enterprise sector, there's little demand for IPv6; so again, the ISP has no pressure to support it. In fact, their plan for "the day we run out of IPv4" is carrier grade NAT, not IPv6. The IPv6 deployments of most US ISPs are a horrible joke -- AT&T's answer is 6rd - period, Legacy Bellsouth DSL... switch to Uverse: see previous answer, TWC? who knows as next to none of their customers have IPv6 connectivity, Comcast appears to be the only one headed in the right direction but at glacial speed.

    IPv6 isn't an IPv4 bandaid, per se. It's a cement truck trying to pave over it. The quad-A record format was to allow v4 and v6 DNS to interoperate. One can resolve IPv6 addresses via a 100% IPv4 DNS system. It also means IPv4 only hosts can see IPv6 records ('tho they cannot talk to them.) Your suggestion would further isolate IPv6 within its own DNS realm.

    TL;DR IPv6 deployment is a matter of business need. As long as you have a v4 address and need to talk to other v4 hosts, there's no need for v6. This is the boat American companies are riding.