UK Government Owns 16.9 Million Unused IPv4 Addresses

hypnosec writes "The Department of Work and Pensions in the UK has a /8 block of IPv4 addresses that is unused. An e-petition was created asking the DWP to sell off the block to ease the IPv4 address scarcity in the RIPE region. John Graham-Cumming, the person who first discovered the unused block, discovered that these 16.9 million IP addresses were unused after checking in the ASN database."

Who cares

[Formalin]

Just apply the real cure already... This is so ridiculous.

Re:Who cares

[GNUALMAFUERTE]

I know IPv6 is needed, and it'll be great having disposable addresses to throw at any device. I'll be certainly happy to get rid of NAT in many circumstances, but OTOH, IPv6 is going to suck. I have tens of IPs in my head, which I access daily by memory. IPv4 addresses are easy to remember, easy to pass over the phone, easy to type, and easy to operate (i.e, calculate things such as masks in your head, etc). IPv6 is going to make it way harder, and that's not taking into account he migration process ...

Re:Who cares

[mellon]

Dude, it's time to learn how to set up DNS. Honest, it's not that hard. Your DHCP server can automatically update the DNS for you. Try it—you'll like it!

Re:Who cares

[fm6]

As any climate scientist will tell you, the ability of people to deny impending disaster is remarkable, especially when doing something about it costs money. That includes people on Slashdot, who keep telling me that the whole address depletion thing is bogus, that we can keep going indefinitely by discovering unused blocks and using existing blocks more efficiently.

A few years ago, I was part of the product team that was working on a new Sun server. Now, every Sun server comes with an ILOM (Integrated Lights Out Manager), a little embedded Linux system that lets an administrator manage the server remotely. Naturally, the ILOM has its own network interface — but the one planned for this system did not support IPv6. I pointed out all the IPv4 address exhaustion issues, but was basically told to mind my own business. "No customer demand for this feature." Never mind that a few years down the pipe, customers would be very unhappy they didn't have it.

Re:Who cares

I think you'll find that this complaint comes mainly from folks that do know how to set up DNS.

The real difference isn't realizing that we have DNS, it's that with IPv6 and no more NAT, devices will do DNS and it won't be such an annoyance.

Re:Who cares

[DigiShaman]

Sometimes DNS fails or you need to validate routing tables and troubleshoot based on pure IP alone. Yes, IPv6 is going to suck badly in this regard. Feeble human mind. Oh well, I'll just have to get used to depending on an IPv6 calculator app on my smartphone. That and a TXT list that I can cut-n-paste in a terminal screen. Bah!

Re:Who cares

[fm6]

I think you need to ask yourself why you have to remember all those IP addresses. I'll bet that in each one could be dispensed with if you had the motivation to work out a DNS-based way to access these systems — with the possible exception of the DNS servers themselves.

Re:Who cares

[GNUALMAFUERTE]

mysql> select count(host) from systems;
| count(host) |
                  498 |
1 row in set (0.00 sec)

(stupid slashdot thinks mysql's output are junk characters)

Since most of those 498 servers I manage are behind NAT and have dynamic public IPs, I do have a system to track them (not ddns, but a homemade solution), and I have scripts in place that allow me to get any server's IP. Combine that with shell expansion and I can ssh root@`gethost customer_id server_id` and similar stuff. That doesn't mean you don't have to deal with IP addresses anyway, and it doesn't mean doing ifconfig eth0 2001:0db8:85a3:0042:0000:8a2e:0370:7334 is gonna be easy. Imagine debugging a routing table! Imagine reading the output of tcpdump with such meaningless addresses. IPv6 is gonna be a PITA.

Re:Who cares

[GNUALMAFUERTE]

Well, windows not being able to get into the internet is a big advantage of IPv6!

Re:Who cares

[slimjim8094]

I won't even get into how IPv6 makes it much easier to track you.

Because that's nonsense? (Almost) Everybody implements the privacy extensions, so your world-visible address is random and changes every 10-ish minutes.

Re:Who cares

[jibjibjib]

Yes. In IPv6, a home internet connection generally has a rarely-changing prefix that can be converted to a name and address with the ISP's cooperation.

But in IPv4, a home internet connection generally has a rarely-changing prefix that can be converted to a name and address with the ISP's cooperation.

How is IPv6 worse?

Re:Who cares

[phantomfive]

It won't be that bad at first, until a lot of addresses are used, because of the IPv6 notation shorteners. For example, ff06:0:0:0:0:0:0:c3 may be written as ff06::c3. Unless your ISP gives you a random number as an IP address, it'll still be fine to work with.

Re:Who cares

[93+Escort+Wagon]

No, that doesn't, but acting like the issue is settled and done with does. Pick something less controversial and more agreed on next time. There are plenty of examples you could have used to support your point which are not politically charged topics.

In other words, play it safe - use gay marriage as your example next time.

Re:Who cares

[wvmarle]

that's the price of progress

Re:Who cares

[FireFury03]

When IPV6 is what we have to work with, we will be swarmed by those bastard botnets with no way to block that many IP addresses that will be used to attack.

You'll probably want to just block the prefix rather than the address, which is just as easy under v6. In fact, having sparsely populated address space is good for security since it makes blindly scanning addresses much less effective for the malware.
ith it either.

Imo the botnet criminals have been trying to force the use of IPV6 by getting all new ranges of IPV4 allocated as soon as possible.

Huh? Botnets run on existing machines (frequently home PCs), how does that have anything to do with IPv4 exhaustion?

Rather than IPV6 globally and IPV4 internally, I think IPV6 should be what the countries that attack us, who just happen to have very large populations, can use for themselves.

Why do you want to penalise the "good countries" by forcing them to stay on an obsolete protocol? (that said, a good number of attacks against my servers come from the US)

Re:Who cares

[unixisc]

It's not so much DNS they are doing as much as ND (neighbor detection) and autoconfiguring. And the latter is I think what the GP's complaint was about. Difference in IPv6 is that unlike in IPv4, DHCP6 is more essential than DHCP4 was in IPv4.

Re:Who cares

[TheRaven64]

For home users, it entails pretty much nothing. If you're running a commodity operating system, it probably already advertises its host name via mDNS. It may also already advertise its link-local IPv6 address. Try sshing to a Mac on your local network by its name and see which address it tries to connect to: you may be surprised...

Re:Who cares

[TheRaven64]

When IPV6 is what we have to work with, we will be swarmed by those bastard botnets with no way to block that many IP addresses that will be used to attack.

Don't block the address, block the prefix. Block a /64 and you're probably blocking a consumer endpoint. With IPv6, addresses are allocated hierarchically, so this becomes even easier. Just shorten the prefix and you'll eventually get the whole ISP. This makes it very easy to block ISPs or even countries that harbour spammers.

Additionally, it becomes much easier for a home user to identify attacks at the router. If you pick a random 32-bit number, odds are that it is a valid IPv4 address. Pick a dozen and you've almost certainly found one that's a home Internet connection. That makes it very easy for malware to spread. Pick a random 64-bit number, and if you're very lucky it's an IPv6 subnet that has some computers on it. Now you have to pick another 64-bit number to find one of the computers on it. For a home Internet connection, most users will be using under 50 of these (and rotating them quite frequently), so you end up with a 50 in 2^64 chance of getting the right one. After a few tries, their router's firewall will notice the suspicious behaviour (lots of connection requests to nonexistent addresses) and block your /64.

Re:Who cares

[bbn]

IPv6-addresses can actually be much easier to remember than IPv4. Why? Because there is a system to it.

Here in the RIPE region there is only three possible prefixes for any address: 2001::, 2003:: and 2a0x::

In practice you are only working with one or a few ISPs. This means the first two blocks are always going to be the same. My ISP has 2001:1448::.

We got a /48. We happens to be number 201. So our addresses are all starting with 2001:1448:201::.

Everything from that point on is something I decided. If I want easy to remember addresses I would choose easy to remember addresses. My primary server could be 2001:1448:201::1. I would remember it as the ::1 server.

It is true that if you let your hosts autoconfigure to a random interface identifier that will be impossible to remember. But there is nothing stopping you from using manually configuration or DHCPv6 to number your hosts in a human friendly manner.

Re:Who cares

Like RFC 1751 (http://tools.ietf.org/html/rfc1751) for instance :)

Although it does tend to come up with sequences that have some comedy smutty parts.

Re:Who cares

[Aqualung812]

Calculating masks in your head will still be a more difficult task

Why would you do this, unless you work for a large ISP?

With IPv6, everyone uses /64 for each broadcast domain, cutting the address exactly in 1/2. It is easy.

Devices that need statics are DNS servers and routers, and neither should be changed fequently. Also, you're likely to use simple addresses for them, so it will be:
NetworkPrefix::1, Network::2, Network::3, etc.

For me, I have 2601:d:881:b::1 for a default gateway, and 2601:d:881:b::101 for my DNS server #1, and 2601:d:881:b::102 for DNS server #2.

That isn't hard to remember, and it isn't hard to type. What exactly is the problem?

Re:Who cares

[Cimexus]

Yep. Been on native IPv6 for 2 years now and I have not ONCE needed to memorise, copy down or type/enter a IPv6 address for any reason. This is a non-issue.

Sell the Addresses? Don't Give Them Ideas

[grcumb]

An e-petition was created asking the DWP to sell off the block to ease the IPv4 address scarcity in the RIPE region.

Why not just ask them to do the right thing and give them back to RIPE? I mean seriously, what kind of example are we trying to set here? Or maybe someone's just trying to bootstrap a market for IPv4 addresses in order to cash in on the increasing scarcity....

... In any case, encouraging profit from a public resource like this is a terrible idea.

Re:Sell the Addresses? Don't Give Them Ideas

[jibjibjib]

Giving away a block of IPv4 addresses worth about $1 billion is the same as literally giving away $1 billion of taxpayers' money. I don't think that would be doing "the right thing" for the people of the UK.

Re:Sell the Addresses? Don't Give Them Ideas

[jibjibjib]

The amount it cost in 1994 is irrelevant in the decision about what to do with it now.

If it can be sold for $1 billion, then giving it away for nothing is equivalent to giving away $1 billion.

Let's reserve our favorite numbers now!

[RulerOf]

Am I the only one that sees something like this and immediately wants to call dibs on a "Vanity IP?"
I'll take:

• 51.51.51.51
• 51.52.53.54
• 51.0.0.1
• ...and 51.50.49.48

I'm sure there's an algorithm or list that could tell me all of the possible "desirable" IPs in the /8, but, due to the fact that we shouldn't be greedy, and the completely arbitrary relation to the number 4 for IPv4, and the fact that it's an election year here in the US, I propose that we Slashdotters limit ourselves to four a piece, and leave the remainder to Reddit and 4chan. Or something.

Re:Let's reserve our favorite numbers now!

[Formalin]

You can have 51.51.51.51, but I've got dibs on 0x33333333.

Re:Let's reserve our favorite numbers now!

[RulerOf]

Oooo.....

http://0x33333333 [Enter]

You sneaky bastard :D

relatively common

This sort of thing is relatively common, it's probably used internally as a routable address space, but not intended for use on the public Internet. (Saves have to deal with multiple uses of rfc1918). This sort of thing is very common in the government (though usually much less than an /8). They can't use a consistent rfc1918 address space internally as whenever the government changes it's priorities, work units will shuffle between departments. You'll probably find that this address space is now used by many departments, and trying to move all users over to another range will cost more than they can recover from selling the /8

Re:Propaganda

[The+Master+Control+P]

I enjoy the idea of the Internet actually functioning as an end-to-end network the way it was meant to, rather than one with a handful of privileged devices with publically routable addresses and (soon enough) whole cut-off sub-Internets trapped behind them. But that's just me.

Re:Propaganda

[fm6]

"The way it was meant to" was specified by a bunch DARPA funded geeks who design their tech for a small network where all the admins knew each other. They had no concept of operating a network with large numbers of users, many of them malicious

Whenever I hear "the way it was meant to" I run the other direction. It's always based on some lame notion that things were perfect in the past, even though people in the past were also whining about "the it was meant to."

Re:16.777 != 16.9

[Psicopatico]

Someone used the Imperial IP which is slightly bigger than the Metric IP, hence the result is 16.9.

Re:16.777 != 16.9

[mrbester]

Ah, the widescreen version.

Re:Really?

[camperdave]

They're holding on to them until the rest of the world coughs up the missing Dr Who episodes.

I believe...

[AliasMarlowe]

I believe in the incremental approach to updates; it's so much safer and usually easier.
So it's going to be IPv5 for me, while you suckers make a mess of IPv6!

Re:I believe...

[AliasMarlowe]

I also believe a WHOOSH! is in order for you, sir/madam.

Some of that 51.0.0.0/8 actually is in use

Local government network admin here. Parts of the 51.0.0.0/8 address space is in our internal routing table, because it's used for shared private networks between different government organisations. Just because it's not in the public Internet routing table doesn't mean it's not used.

Granted perhaps not the whole /8 is in use (I only see 3 x /16s out of a possible 256 in my routing table at present), but who's to say other sectors which I don't have network connectivity to aren't using it.

We're actually pushing for and slowly enabling IPv6 internally on our core and servers where we can, rather than delay the inevitable. This is despite our organisation ourselves owning a whole public /16 block, yet have maybe only 10-15k addressable nodes max across all our networks we control at present. It will take us much much longer to re-IP/re-subnet the entire network more efficiently so some of that space can be returned to RIPE, than for it to be reallocated and used up after returning, due to old systems and old proprietary software in use. Not to mention the resources required to do such a massive task.

Personally I think the people asking for addresses to be returned by any organisation (supposedly) not using them (including all the other apparently wasted /8 allocations out there) are not looking long term enough. IPv6 is the way to go.

Not publicly routed doesn't mean unused

[Martin+S.]

Just because this block is not public does not mean it is unused.

The UK Government has a huge darknet.

Re:DHCP6 preferable to autoconf

[KiloByte]

What's wrong with manually assigning IPv6 addresses? That works just the same as it did with IPv4:

iface eth0 inet6 static
        address 2001:6a0:114::9
        netmask 64
        gateway 2001:6a0:114::1
iface eth0 inet static
        address 192.168.0.9
        netmask 255.255.255.0
        gateway 192.168.0.1

You just get a much bigger range to choose from, which you may use or not.

Re:Really?

[Zocalo]

Plenty of people have noticed this before now, IANA has published a table showing all the /8 allocations pretty much since they were formed. Anything flagged as "LEGACY" was assigned before the current RIR/LIR assignment process was implemented. Someone even complied a table showing which parts of the legacy IP assignments were not routed some years back, which must have included the DWP's /8 as well unless they were actually advertising it at the time that the table was compiled.

The only thing that makes this slightly newsworthy is this about a cash strapped sovereign government sitting on a sizable pool of "spare" IPv4 space that has suddenly become a much more valuable commodity following the recent announcement that RIPE is now down to its final /8 and IPv4 allocations within Europe and those parts of Asia that fall under RIPE's remit are now heavily restricted. You can probably expect a similar story about the dozens (see the table above) of underused /8s that are held by US corporations and government agencies, the DoD especially, when ARIN's IPv4 approaches exhaustion as well.

Slashdot post in 2022

[upside]

"The Slashdot user known as bbn has a /48 block of IPv6 addresses that is unused. An e-petition was created ..."

Re:And have they got DNSUpdate in IPv6?

[PhotoJim]

Use radvd instead of DHCP6. That way IP addresses are predictable and unique, as long as you use /64 subnets which is standard practice with IPv6.

You can take a machine's MAC address and predict its IPv6 suffix perfectly. Add it to your /64's prefix and you know your IP. radvd and your clients will figure the same IP out on their own.