UK's 'Unallocated' IPv4 Block Actually In Use, Not For Sale

jimboh2k writes "The UK may have 16.9 million 'unused' IPv4 addresses but according to the department that owns them, they're not for sale. The Department of Work and Pensions says it would be too expensive to reallocate those addresses and, even if it did, it would not stave off IPv4 address exhaustion by much." The addresses in question are being used for a new internal government network. Of course, why that project wasn't built using IPv6...

Let the home office keep them

Changing the contract will cost them at least 20% more than the current overrun.

Re:Let the home office keep them

[bmo]

> and not to be a testbed for new technologies

But IPV6 is not new technology. The RFC is 14 years old, and current computer operating systems already speak it. An 11 year old operating system, Windows XP, speaks it. http://support.microsoft.com/kb/2478747

The "install" is merely enabling what is already there.

> From their point of view, they are good for years to come so why change that.

But they aren't good for years to come. Once IPV6 comes out regularly, that horde of addresses will be worthless and they will be stuck with obsolete tech. No, wait, it's already obsolete.

--
BMO

Re:Let the home office keep them

[ifrag]

One does not simply "file" a report in the UK.

...report to be filed, signed in triplicate, sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.

Re:Let the home office keep them

It is much newer than IPv4. The *real* question is one that should be asked of the people asking the *dumb* question, and that is: if you have 16.9 million addresses already bought and paid for, then why would you use IPv6?

Re:Let the home office keep them

[bmo]

Oh look, fear mongering from an AC.

Do you have a stack of IPV4 addresses for sale? Or perhaps you are an ISP manager wanting to continue raking in the bucks for all those static IPV4 leases?

>Anyone taking bets on how many bugs there'll be in the latest and greatest IPv6 stuff? And how many exploitable ones?

Did the bugs in BIND prevent people from using BIND? Did the bugs in BIND dissuade people from connecting to the net at all? No. And honestly, (here comes the analogy, but it's not a car analogy - deal with it) unless you do a sea trial, your boat sits in drydock and you don't know if it will sink or not. What is certain is that your boat is worthless in drydock.

Your post is just FUD.

--
BMO

Enlighten me please

[zero.kalvin]

What's so difficult about switching to IPv6 ? I mean where the cost really is ? It is not like I have to buy all of my hardware again, it is mostly a software issue right ?

Re:Enlighten me please

[h4rr4r]

You might not, but lots of enterprise hardware would have to be replaced. This stuff has long life times and as the old gear dies off, ipv6 will come with the replacements.

Re:Enlighten me please

[PSVMOrnot]

For a home user it is not all that much of an issue, if you are running a remotely recent OS then it is probably already IPv6 capable. At worst you may need to replace your modem/router box, and those who would have trouble with this are likely to be with an ISP that takes care of such matters for them.

When you are dealing with large scale infrastructure and corporate networks however, things become a little more difficult. At that scale the assumption of running a recent OS doesn't always hold, so you have software updates to worry about which incurs at least a time cost (and time is money). Also the possibly replacing your router becomes replacing racks worth of managed switches, routers, dchp servers and so on. That's not even beginning to take into account all of the legacy software that expects IPv4 and requires it in order to work.

So, yeah. Simple for home/small business users, but a major project for the IT guys who make things work behind the scenes. Fortunately said tech guys should have been working on getting ready for this for a while already; just like when they made sure that the world didn't fall over at the turn of the millenium.

Re:Enlighten me please

[vlm]

What's so difficult about switching to IPv6 ?
I mean where the cost really is ? It is not like I have to buy all of my hardware again, it is mostly a software issue right ?

layer 1 and layer 2, yeah, Pretty Much software only. I say pretty much because there's a trend to F around with upper layer stuff in lower layer gear, think IP DHCP filtering in a "layer 2 smart ethernet switch"

The real killer is the cost of hardware accelerated layer 3 routing equipment that can insta-magically-switch ipv4 but drops down to software switching of ipv6. Luckily, normal size ipv6 bandwidth loads can be easily handled by commodity PC hardware doing solely software routing. Heck normal size ipv4 bandwidth loads work fine when software switched now a days.

Re:Enlighten me please

[Hatta]

Is there some reason "enterprise" hardware comes with firmware that can't be upgraded?

Re:Enlighten me please

[Sqr(twg)]

I have a hard time imagining that upgrading an internal network to IPv6 would cost more than what selling an IPv4 /8 block on the open market would net.

Re:Enlighten me please

[qwertphobia]

The software on my firewall (which is up-to-date) supports IPv6 in several ways. It can route IPv6 by OSPF. It can firewall and inspect IPv6 traffic. It can provide an IPv6 address to the management interface. It can use IPv6 to download software updates and signatures from the support portal. It can perform NAT6to4 to provide IPv6 connectivity to internal IPv4 resources. However it doesn't yet support Multiprotocol BGP, which is needed to route IPv6 by BGP. This is critical to us since we have multiple ISPs. I give this example because I have found most enterprise equipment "supports" IPv6 but not in a way that enables full replacement of IPv4 addressing with IPv6 addressing. Furthermore, we know how long government projects take to implement. If this one is just completed it probably started a decade ago...

Re:Enlighten me please

[petermgreen]

A few places

1: routers need to both understand IPv6 AND be able to forward it quickly. If the hardware forwarding engines can't handle the larger v6 addreses then a software update won't help you much.
2: any application software that needs to communicate over IPv6 needs to use the new v6 capable APIs. Converting software can be a pain either because it requires significant changes to support IPv6* or because the vendor is being a PITA and wants to tie in v6 support to an expensive upgrade you don't want. Or worse a v6 upgrade may simply not be available at all requiring the software to be replaced completely.
3: while windows XP has some IPv6 support it's not ready for an IPv6 only world.

*Some examples:
* There is no direct IPv6 equivilent to WSAAsyncGetHostByName so any app that needs to perform lookups in the background will need to be converted to use threads for name lookups.
* In windows XP it is not possible for one socket to listen for both IPv4 and IPv6 so apps that previously only listened on a single socket may well need design changes to allow them to listen on multiple sockets.
* Any app that stores IPv4 addresses in a binary form or a fixed-width text feild will need data format changes

Re:Enlighten me please

[silas_moeckel]

Firmware sure but those asics that make networking kit fast not so much. A lot of the first gen stuff punted ipv6 stuff to the cpu fine if you just want the line item but worthless if you want to actually use it for production.

Re:Enlighten me please

[gstoddart]

What's so difficult about switching to IPv6 ? I mean where the cost really is ? It is not like I have to buy all of my hardware again, it is mostly a software issue right ?

Because nobody has any real interest in changing to IPv6. Everybody has a working IPv4 infrastructure, and isn't interested in spending money to change over because they have no idea of how that's going to make anything better.

IPv6 has been coming "real soon now" almost as long as I can remember. And people have mostly been saying "I don't see any good reason" for just as long.

For large organizations, changing to this is one of those things that nobody can figure out why they'd go through the time and expense.

I know a lot of people on Slashdot look at IPv6 as some serious awesomeness that everybody should be jumping at. But, really, if you have thousands of machines already running IPv4, that 10.0.0.0 address is just fine for now and there's simply not a compelling reason to start undertaking the transition.

What's the benefit? What reason would a large corporation find that makes them decide to go through the pain of transitioning? By the time you invest in changing everything over and going through all of the expense and disruption ... in what way would companies be looking at getting an ROI from this?

I just can't see why people think organizations should be undertaking this, because I don't see the pay off and the business case to be made for it.

Re:Enlighten me please

[ShanghaiBill]

I have a hard time imagining that upgrading an internal network to IPv6 would cost more than what selling an IPv4 /8 block on the open market would net.

It doesn't matter because this is a government organization. If they sell the IPv4 block the proceeds will not go into the same account that is used to fund an IPv6 conversion. The cost of an IPv6 conversion would mostly be the salary cost of the personnel doing the conversion. Governments don't pay salaries using money from "selling stuff". If they allowed that, it would open the door to all sorts of corruption.

Re:Enlighten me please

[jimicus]

just like when they made sure that the world didn't fall over at the turn of the millenium.

Back then there was a clear deadline that we all knew about and no practical way to stave it off.

Re:Enlighten me please

[gstoddart]

If only it were that simple. Hardware is cheap.

Hardware is cheap if you're talking about a single thing, but the time to do this is pretty expensive.

I worked on a project last year to upgrade a single enterprise-critical application -- we spent over $250K on hardware, and another million on manpower for the project.

I've heard that rolling out Win 7 to replace XP is costing several hundred thousand per day in terms of resource costs, but that's quite removed from the source.

Most organizations would likely spend huge amounts of money transitioning their infrastructure and applications to IPV6, probably with a lot of pain points, and at the end of the day ... what has the money bought you? Is your network faster? Is it more reliable? Are your operating costs lower? Are you more profitable?

Or have you sunk a bunch of money into something which a bunch of networking geeks think is sexy but nobody else can figure out why they've even bother?

In the end, it seems like a lot of work and overhead for something which seems to have some very vague short-term benefits ... and "ZOMG, you won't need to do NAT any more as everything in the world can have an IP address" is one of those reasons that usually makes me go "and then what?". People are still going to want to NAT their internal stuff behind a firewall anyway.

I'd love to hear some compelling reasons for a company to do this. But to date, I haven't heard any. Other than the size of the address space, I don't actually know what problems IPv6 solves. The fact that companies don't seem to be flocking to it tells me I'm not the only one.

Re:Enlighten me please

[mwvdlee]

Upgrading IPv4-only firmware to handle both IPv4 and IPv6 may require more processing power and memory space than the hardware can provide.

Obviously the more expensive hardware would be able to cope, but those were more expensive so nobody bought them.

Re:Enlighten me please

[rsclient]

Ick -- WSAAsynGetHostByName? In this day and age, you have a window handle lying around?

I'm the Program Manager for WinSock at Microsoft. Have you looked at GetAddrInfoEx? In Windows 8/Server 2012, the DNS team added some Async features into it. Even better, it will properly handle IPv6 AND international domain names.

And if you're doing the new "Runtime" programming for Windows 8, we done our best to make sure that most network programs never have to deal with IP addresses at all -- that means that new new RT apps should be IPv6 ready out of the box.

(We also do the dual-stack thing with our sockets, so listener sockets just specify a port (or service) to listen on, and we automatically listen to both IPv6 and IPv4. We updates .NET 4.5 in the same way to make dual-stack be simpler.)

Links: http://msdn.microsoft.com/en-us/library/windows/desktop/ms738518(v=vs.85).asp

Re:Enlighten me please

[petermgreen]

Ick -- WSAAsynGetHostByName? In this day and age, you have a window handle lying around?

Old habbits die hard and all that but even if i'm not using it in new code there is still a need to adapt old code. So far the only way i'd found to do an IPv6 DNS lookup in the background of an event driven program using the windows DNS code is to create a thread to do it and have that thread notify the main thread when the lookup completes.

Have you looked at GetAddrInfoEx? In Windows 8/Server 2012, the DNS team added some Async features into it.

No I hadn't heard of it but there is no way i'm making my code dependent on win8 in the forseeable future.

Re:Enlighten me please

[gstoddart]

They will spend more money doing twice. But hey, people are lazy and many thinks that "its not my money", so they dont care....

Well, so far, people aren't even doing it once. So they're not paying for it twice (yet).

The opposite of what you say is that companies don't want to spend money they don't see as providing a return. So when someone says "hey, we should spend money to go to IPv6", the company says "OK, what's in it for us" ... and if your entire answer is that there are starving children in Asia who can't afford an IPv4 address, well, I don't see why an Fortune 500 company would spend millions to make the switch just yet.

There may be some Really Good Technical Reasons why people should ... but for the most part they get articulated as "ZOMG, we're running out of tubes for the interweb".

As I said, IPv6 has been met with indifference for as long as I can recall, and largely because companies are asking the question "why should I do this now?" and not coming up with compelling reasons.

There may or may not be short term thinking involved, but the amount of general apathy towards IPv6 in many circles tells me the people advocating for it need to come up with clearer and more convincing arguments than "because it's better" when all of the answers to "why" describe what seem like intangible benefits for the most part.

And this is why geeks are often incapable of explaining something to decision makers. Because almost nobody on the "for" side of IPv6 seems to be able to string together a coherent, reasoned argument detailing why this is better. I'd love to see one.

But mostly I see people whining about how evil NAT is, but without ever giving any supporting reasons.

Re:Enlighten me please

[unixisc]

Actually, the incentives for doing this is... a negative disincentive for not doing it. After a while, when public IPv4 addresses become really scarce and getting new ones will be like pulling teeth, IPv6 will be something people will have to spend an arm & a leg for just to be able to expand a network. The reason this is becoming more critical is that even NAT wouldn't cover it - one would have to go into a second level of NAT to cover it.

So this is one of those cases where making a change is not gonna give one a new internet, or anything different, but not making the change will mean that one fine day, a company will find itself in trouble and @ a loss to expand its network.

"new internal government network"

To me that means they should all be 10.x.x.x, and some IT workers are completely and totally incompetent.

Re:"new internal government network"

Government workers are completely and totally incompetent.

FTFY

Re:"new internal government network"

Remember that this /8 was allocated many years before the publication of RFC1918, to which you refer.

Re:"new internal government network"

[QuantumRiff]

if you have connections to other networks, and/or vpn's, internal network IP's are a pain in the ass. How do you setup a VPN when both ends are using 192.168.1.x? easy, you overload NAT, so both sides see the other as a completely different subnet. Do that about 5 times, and then try to debug some firewall rules.. Many larger companies will now refuse to setup VPN's with companies that use reserved addresses, since its such a pain in the rear.

By using a valid IP address, your assuring that they are globally unique.

Re:"new internal government network"

[Richard_at_work]

Thats a bit strong, considering you know fuck all about the project they are implementing - "internal" doesn't necessarily mean "private", and there are many ways in which public addresses are beneficial.

USternet

[matt007]

Well some old dinosaur US companies or even universities own a full Class A.... do you think they need the address space more than a government ?

IBM CSC Dupont MIT Ford Apple USPS... etc.

see the list at : http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks

Re:USternet

[firex726]

Yea, some of those will have so many addresses that they could assign a static IP to each node and still have left overs.

But then again it'd probably just delay things further. We're going to have to bite the bullet eventually.

Re:I'm sick of these articles

[firex726]

Reminds me of the switch over from Analogue to Digital TV transmission.

Of course most home users are already setup either directly or via their ISP. It'll be businesses with these $50,000 network equipment that wont want to move over due to the cost of buying new HW when they just got through paying off the old stuff.

They should sell it anyway

[DrXym]

Sell the block for a billion or whatever it's worth, and use the money to build an IPv6 backbone for UK government services. That in turn would free up more blocks which they could continue to sell and continue to fund the transition with. Or they could sit on them and do nothing until the world switches to IPv6 and there is a glut of IPv4 addresses that nobody is interested in buying.

Re:They should sell it anyway

[gramty]

They can't sell them, they don't own them. the RIR (RIPE NCC) has very strict rules over the transfer of IPv4 addresses. If the currently end user no longer requires them they should are to be returned to RIPE for zero compensation, RIPE can then re-assign based on applications requirements and justification. The rules were brought in to prevent people setting up shell companies to land grab all the remaining address space once it became obvious it would be exhausted.

Re:Because sixxs is a pain in the ass to get

[petermgreen]

If you want a free v6 tunnel there are less elitist providers than sixxs. gogo6 (aka freenet6) even offer unauthenticated tunnels for individual machines* so you can just install their software and go.

Still I consider such tunnels as a tool for those who are interested in developing/testing IPv6 and maybe as a stopgap measure for a subset of end users who really need to reach v6 servers. If you are serious about v6 then you should be using a v6 capable ISP.

*If you want a prefix you have to create an account and authenticate to it but afaict creating an account with them is no big deal.

Re:Doesn't work.

[petermgreen]

Unless all systems attached are on the same subnet... And that plays hell with routing, causes congestion... There are reasons the 10.x is non-routed. It was aimed at large local networks - like a node cluster. Sucks when you have to go past a router. That requires routable numbers.

BS you can route subnets of 10.x on your private networks just fine. You just can't advertise them on the public internet.

The real problem comes when you are trying to link together a load of sites that are already using some part (or even all, it's a class A block so the default netmask is 255.0.0.0) of 10.0.0.0/8 for their local private network. It is likely that some users will need access to both the national network and existing local private networks. So if you use private IPs for your network you are stuck either trying to find a subset of 10.x that none of the sites are using (can work but there is no gaurantee there will be any such space and it's a problem if you want to add more sites later). Renumbering machines unrelated to your network at various sites so they don't clash with your network or using some horrible NAT hacks.

Re:I'm sick of these articles

[gstoddart]

Or we can keep dragging our heels and we will be talking about horrible kludges like NAT and an inelegant, hacky Internet address space for 5-10 years. I'm really sick of these stories on Slashdot. I'm not blaming Slashdot, I am sick of the existence of these stories in a community that isn't FORCED to do the brain dead obvious. Because no authority mandates the obvious.

Obvious? What's so obvious about it? If it was obvious, people would have switched by now.

But since people don't perceive it as better, or worth their time and money, they don't do it. Hell, you could say it's "obvious" that companies have yet to find a good enough reason to switch to it, which is why they're staying away in droves.

Frankly, I can't see companies doing away with NAT. Why the hell would I want my internal machines globally addressable? That always sounds like a stupid thing to me.

You act like it's so obvious, then fine Mr. Smarty Pants ... give me ten compelling reasons I could go to management to get funding for a project to do this. All reasons which are cool from a nerdy perspective but which don't translate into a business reason will be deemed irrelevant, as they clearly have to date which is why companies aren't doing it.

I really would love to hear your reasons. Because to date, I've always looked at it as "yeah, sounds cool, but what's in it for me?".

And I haven't really had a satisfactory answer yet. The most I ever get is people whinging about how evil NAT is -- which is mostly just geekery as far as I can tell.

Re:Because sixxs is a pain in the ass to get

[higuita]

sixxs dont require a linkedin account (or something changed since i created mine and several friends accounts)

all you need is to say you want to test ipv6 on your home computer (or home network) and put your real info (name, email, etc)... that isnt much different from registering on any website.
Requiring real info is normal, as you will access the internet with their connections, its normal they want real info to contact you or to redirect any police request if you want to use their network for illegal activities

in the pre-NAT days....

[Larry_Dillon]

For those that remember the days before NAT was prevalent, this is what way IP addresses were supposed to be used.

Re:I'm sick of these articles

[gstoddart]

third lesson: sorry, but all I hear is screeching weasel, dial it back a little

For starters, WTF is wrong with NAT? I keep seeing people say this, and it mostly amounts to apoplectic bitching about how evil it is without anything coherent behind it.

You say it's obvious, and that there are good solid reasons why people should choose it -- and then you utterly fail to explain your case.

As I said, if I put you in a room with management to make your case as to why, you'd fail utterly. If you can't make your case here to people who would like to hear your reasoning, then I think you've kind of proven my point that to management this is anything but obvious, and the supposed benefits are so nebulous as to be meaningless.

Why, for instance, would NOT using NAT be better? Would my network be faster or better or more secure?

All I hear from you is "because centralized force is the only way to make people agree with me". Which, I gotta say, isn't helping your case any.

IPV4 was designed for government use

[evilandi]

I think what people have forgotten here is quite how old the internet is, for how long the British have been involved in it, and how tightly integrated into British government it has been for a long, long time.

I'm sure Slashdotters don't need a history lesson on the origins on the internet; as a cold war military network designed to re-route traffic in the event of a nuclear strike on what would otherwise be single points of failure. What readers might need a reminder on, is the UK aspect of this early history.

Whilst the internet began as a US-only operation, within only a handful of years this had spread to the US' closest NATO ally, the British. Given that even us Brits cheerfully admit that, from a NATO perspective, our island is essentially a 700-mile long aircraft carrier in the North Atlantic that can never be sunk, the involvement of the UK in the early days of the internet should come as no surprise. It's also well known that both American and British universities got in on the act fairly quickly, initially from the perspective of military research; most British universities were either directly addressable or a short hop through a gateway from the internet by the early 1980s. Other close NATO allies, notably the Canadians, ditto.

What's not so well understood is that, as absolutely certain first exchange targets, the British had an extremely highly developed government continuity strategy for nuclear war. Some parts of this have come to minor public attention in the form of amusingly retro nuclear bunkers that have been re-purposed as museums, archives or modern telecoms junction points (look up the codenames Guardian, Anchor and Kingsway) with varying degrees of practicality. There are some very chilling bits like the "Protect and Survive" videos (now on Youtube) that frankly still scare me silly and we'd all rather forget. Further, there other parts such as the RSG Regional Seats of Government which remains partially, or perhaps even largely, obscured by national secrecy (and probably rightly so).

This stuff was set-and-forget, it's original design brief was that you wouldn't be able to call the IT department if the IT department had been killed in the first strike, it had to work and remain working without significant intervention.

Understand that concept - understand that the internet has been at the heart of the most serious British government infrastructure for around 40 years - and you begin to understand why /8 IPV4 address blocks have been, often literally, hard-wired in to the British government. This network was the network we would rely on, to survive. It was the one thing the British government could depend upon. It was the one thing which, when planning IT infrastructure, the government could be absolutely certain about.

Having that level of certainty allowed us to build other infrastructure around it, such as the PSN Public Services Network,

To those arguing that it's just a bunch of router reconfigurations... this is not your piddling little /24 home office network. Nor is it simply a bunch of VPNs linking regional offices over a few leased lines. This is not even one IT-savvy megacorporation like IBM. This is a nuclear-war-proof combined civilian and military network which over 40 years has been integrated into every government department and every local government office in a country of 70 million people. It's in the job centres, the benefits offices, the local tax offices, the post offices, the village doctors' offices. It's throughout public service departments which are staffed by people who, on the whole, are pretty good civil servants but who don't actually have a reason to need to know how it all hangs together, and in the vast majority weren't around when it was plumbed in.

Would this cost more than the value of the address space to reconfigure to 10.x.x.x or IPV6? Crikey, yes, Ten times yes. Magnitudes of scale yes.

Re:Because sixxs is a pain in the ass to get

[Aighearach]

This is slashdot, everybody already knows to use Hurricate Electric.