North America Runs Out of IPv4 Addresses
DW100 writes: The American Registry for Internet Numbers (ARIN) has been forced to reject a request for more IPv4 addresses for the first time as its stock of remaining addresses reaches exhaustion. The lack of IPv4 addresses has led to renewed calls for the take-up of IPv6 addresses in order to start embracing the next era of the internet.
The sky is falling!
The sky is falling!
It hit me on the head! *OW! NOT THAT ONE!*
"Runs out".
Yeah. Okay. And how many companies are sitting on vast blocks that are only partially tapped?
This isn't so much an issue of lack (though at some point it'll become that).
It's an issue created by how assignment of address blocks was and is managed.
Chas - The one, the only.
THANK GOD!!!
as its stock of reamining address reaches exhaustion.
Perhaps they should stop using the reamining stock and switch to the remaning list. If there aren't any there, they can go to the reimaging stock.
EMBARCE! EXTNED! EXTNIGUISH!
My cell phone has been on IPv6 for years. Everything I have is ready for the conversion. What is holding it up?
Everyone I know just uses 127.0.0.1. What do we need all these new ones for?
Wow, if only some major provider of computing resources could somehow pool them and resell access, and support IPv6 at the same time. I bet that would drive adoption. Oh well, it was a dream. Still can't use it on Amazon (excluding the worthless-to-me ELB).
. Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
Hey, maybe this is a Serious Thing.
It's tough to tell, though, as we've been OMG RUNNING OUT OF IPv4 ADDRESSES REAL SOON NOW for the past decade and a half, give or take.
Obliteracy: Words with explosions
There are a few large companies in the USA that refused to relinquish large Class A blocks, shoot, even to sell them... these companies (which I'd love to name) missed the boat when IPv4 address costs (for sale) were highest and are actually waiting for this next "crisis" in hopes that they can get billions for Class A nets (these companies date back to "the beginning" and they use their Class A addresses for non-Internet-facing internal addressing (that is, they are wasting the addresses) simply because they lack the skills to change). With that said, you may have to pay hundreds of billions just because they lack the ability to change effectively. It's actually very sad.
I'm only using 8 addresses out of my 192.168.1.1/24 class C block, I could probably be talked into auctioning off the other 240+ addresses. Call me, maybe?
Maybe after twenty years, companies will get around to fully supporting IPv6.
(That, or they'll start abusing the shit out of NAT.)
A lot of that has been mitigated by not giving each cell phone its own public IP4 address. If cell phones hadn't shifted over to IPv6 we'd be in a world of hurt right now.
My cell phone has been on IPv6 for years. Everything I have is ready for the conversion. What is holding it up?
There is a small interesting detail about IPv6 that is almost never mentioned. An IPv6 address counts 128 bits. Typically the "top" 64 bits are provided by your ISP and will be used to route the packets through the Internet. The 64 remaining LSb have to be unique within the subnet (typically a LAN), and usually these 64 bits are made from the MAC address of the interface linked to this IPv6 address (padded if 48 bits). That means for instance that knowing your IPv6 address, someone is likely to know also your MAC address (of the device used), that is usually the maker/configurator of the NIC (eg Apple, MS ...). And if the shop where you bought the device keep track of your MAC address - like Apple for instance - they may be able to identify you precisely, based on your IPv6 address (eg when you access their web site).
Slashdot, fix the reply notifications... You won't get away with it...
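The MAC-in-the-address detail described above, as an added example that is not part of the thread: it builds the modified EUI-64 interface identifier (RFC 4291) a host autoconfigures from its MAC, recovers the MAC from such an address, and flags addresses that carry no MAC (what RFC 4941 privacy extensions produce). Prefix and MAC values are constructed samples.

```python
"""Audit IPv6 addresses for MAC-derived (modified EUI-64) interface identifiers.

SLAAC without privacy extensions forms the low 64 bits from the NIC's MAC:
the 48-bit MAC is split in two, 0xfffe is inserted in the middle, and the
universal/local bit (0x02 of the first octet) is flipped.  All sample
values below are constructed for illustration.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit, insert ff:fe between OUI and NIC-specific part.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host would autoconfigure in `prefix` from `mac` (RFC 4862)."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers require a /64 prefix")
    return str(IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac)))


def embedded_mac(addr: str) -> Optional[str]:
    """Recover the MAC if the interface identifier is modified EUI-64, else None."""
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random, temporary or manual identifier: no MAC to recover
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def audit(addresses: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """For each address: (address, embedded MAC or None, vendor OUI or None).

    The OUI is the first three octets of the MAC and identifies the NIC maker;
    looking it up in the IEEE registry is left to the reader.
    """
    report = []
    for text in addresses:
        mac = embedded_mac(text)
        oui = mac[:8] if mac else None
        report.append((text, mac, oui))
    return report


if __name__ == "__main__":
    prefix = "2001:db8:1::/64"        # constructed ISP-delegated prefix
    mac = "00:11:22:33:44:55"          # constructed MAC
    eui = slaac_address(prefix, mac)
    print("SLAAC address:", eui)
    # Second address is a constructed privacy-extension style identifier.
    for addr, found, oui in audit([eui, "2001:db8:1:0:1a2b:3c4d:5e6f:7081"]):
        status = f"leaks MAC {found} (OUI {oui})" if found else "no MAC embedded"
        print(f"{addr}: {status}")
```

Running the audit over the addresses your hosts actually configure is a quick way to confirm that privacy extensions are in effect.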
A lot of people rely on NAT for simple security and get scared when faced with IPV6's global addressing.
Securing IPv6 networks is not so straightforward and often requires site-specific approaches that are beyond a lot of home users or small businesses.
It's a good thing to run firewalls on everything, but it's also a pain.
I can see there being some crazy security breaches and much confusion during the changeover. As a tester, every network product I've tested has had a test plan for IPv6 that gets de-prioritised to the bottom because 'nobody is using IPv6 yet', and it's hard to find people who know about it.
IPv4 CG-NAT seems to be heavily used in cell phone networks as well.
Get off my internet!
Also, I hear Voyager has just left the solar system.
No, it wasn't. It was predicted that IANA would soon run out of blocks to hand out to the regional registries unless allocation policies were tightened up. They were tightened, but in spite of that, it ran out in 2011. IANA was last predicted to run out on July 5th this year. They almost made it.
For that reason, only Africa has addresses to hand out now, but that will be exhausted in just a couple years.
Seriously, the only way that we are going to move to ipv6 is when we are denied ipv4. The good news is that most are ready. Ideally, a large isp will decide to drop the ipv4 section and see how it goes.
I prefer the "u" in honour as it seems to be missing these days.
Why bother? The reason the first post was AC is that he is a moron and knows it.
Not true, firewalls can do wondrous things nowadays to isolate.
Good luck trying to scan an ipv6 range... /64, even scanning every host there for a single port would take a LONG time.
The smallest subnet is a
IPv6 works fine with VPN software, even ipsec was originally a part of ipv6 and cruftily backported to ipv4... In fact, you can use ipsec properly (ie end to end without kludges like l2tp) with ipv6. The problems published recently were due to short-sighted vpn providers who completely ignore the existence of ipv6. If they provided dual stack connectivity over their vpn then there wouldn't have been a problem.
Bugs could still be found in ipv4 stacks too (and are still being found), on the other hand ipv6 is much newer and addresses some of the weaknesses of ipv4.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
As usual, US can get unused resources [ IPs ] from where there's a lot available. E.g. from Iraq.
>First, an attacker can easily find your network topology (i.e. which segment is what) with IPv6.
So you've never heard of firewalls? A few rules creates a stateful firewall that performs the same "security" function as NAT.
I've got plenty of unused numbers in my 10.x.x.x range.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Are you saying that IPv6 address can not be placed behind a firewall? Just because it's a publicly addressable block doesn't mean it can't be firewalled off. There are entire companies running on 'real' ipv4 addresses right now that can't just be nmaped because they are secured with a firewall. NAT is not required to create that curtain, proper network security (firewall, acls, gateways, routing, etc) is.
The rest of it, well, I'm no expert so I can't comment.
But why can't we just get major ISPs to start handing out ipv6 addresses for external communication and just use ipv6 to ipv4 nat technology internally?
THEY don't want IPv6 implemented, because IPv6 easily ensures that everyone and their evil twin can have a fully-accessible IP address, allowing them to directly communicate with each other without paying extra rent to the ISP for a "server" or "special" (routable) IPv4 address.
If users' systems can directly communicate with each other, there's far less need for centralized sites for everything where it can be controlled (for example, YouTube for video). Deep packet inspection is an option to spy on people looking for copyright trespassers or subversives, but with encryption becoming more readily available, that gets harder, too.
When anybody who wants to can set up (or even buy "canned") a media appliance running something like "MediaGoblin" to share audio, video, text, photos, etc., or VoIP servers like Mumble or various WebRTC-based systems for conferences and "phone calls" and other audio, servers for federated instant-messaging systems or "social media" platforms, etc. etc., and just assign those systems one of the overflowing bucket of publicly-routable IPv6 addresses that everyone can have, it'll remove a huge amount of control that big media and telecommunications corporations (and governments) currently have. They don't want that.
Don't try to tell me it's not true, I can hear 'em talking about it on the radios the CIA implanted in my teeth.
But, seriously, my lazy, cheap, asshat phone company can't/won't give me more than one publicly-accessible static IP address, probably really because of the ancient crappy DSL modem/router they force us to use and not being willing to have their executives skip lunch for one or two days to pay for the infrastructure upgrades.
Note that this doesn't necessarily mean it's not a secret conspiracy on a global scale overall, though...
Hacker Public Radio is our Friend
Change your MAC address every so often.
The way it MIGHT work is that ARIN would take the 3 block and in a controlled manner that won't break anything convert it into a bunch of /9 through /16 or even smaller blocks based on what GE is currently using. It would give GE a short period of time - maybe 30-90 days - to justify why it should be able to keep the blocks it is not currently using. If they give a good reason, they keep them. If they give no reason ("we have plans to use them in the next year, we'll show them to you if you sign an NDA" would be a good reason), they lose them. If they give a lame reason then it goes to some dispute resolution, effectively allowing GE to keep them for the duration of the dispute process.
Frankly, I'm surprised that ARIN didn't foresee this ages ago and ORDER anyone with a block bigger than, say, /12, to attempt to split up their address range, consolidate if practical, and return any unused blocks that were /16 or bigger. If this had been done, say, 10 years ago the process could have been repeated 5 years ago but with the order applying to anyone with a range bigger than /16 to split, consolidate, and return any /25 or larger unused block. A year ago the same order could go out to everyone with a block bigger than /24 with an order for them to return all unused /24 blocks. I don't know if it's feasible for blocks smaller than a /24 to be handled by ARIN, but if it is, then they should start requesting those ultra-small blocks as well.
Oh well.
Your bank's grammar verification code clearly hadn't been fixed.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
If the FTC made a ruling that advertising "Internet access" was deceptive advertising if full IPv6 support was not part of the package, it would probably push change in the right direction.
Every couple of weeks or so, I turn off V4 to see what happens. /. is one of the sites that I can't reach when I do.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It wasn't crying wolf, at that time the growth was amazing and the policies for handing out IPs were much looser. They also didn't factor in for the facts that the policies would be changed and people would NAT NAT as Xzibit hadn't yet taught us about doing things while we're doing things. If NAT hadn't become so common we would have run out of IP addresses a very long time ago.
If they hadn't "cried wolf" then, I can only imagine how long ago we would have hit this point as we wouldn't have made adjustments to practices to push it into the future.
It's amazing how many morons will see that the rate at which a massive problem is coming is slower than anticipated and conclude that it's not a real problem. It's usually better to err on the side of caution and expedience as you rarely do things too quickly with regards to large problems.
What should my IPv6 address be when I'm using a satellite link from my RV ?
“Common sense is not so common.” — Voltaire
That was IANA running out of blocks to hand out to the RIRs such as ARIN.
Now, since it can't get any more, ARIN has also run out. The remainder are held by corporations and individuals and they have no obligation to hand them over.
Look at the massive amount of IPs that Amazon and Microsoft use for their cloud solutions. If AWS actually supported IPv6 properly, people could start migrating. Last I checked, Amazon didn't even offer IPv6 as an option for their DNS services.
ISPs are starting to move on IPv6, and now we need the big hosting companies to step up. Today, that's mostly cloud providers.
MidnightBSD: The BSD for Everyone
We saw this coming long ago, we did a lot of work to make sure we were IPv6 ready. Check it out on http://www.freeswitch.org/
Couldn't we also just use private addresses within our private networks and a NAT gateway to the internet? You know, like basically every household in the world with more than one computer does today? Hell, the internal addresses could be IPv4 or IPv6 and nobody would know or care.
No, that broke the internet 20 years ago, let's not go back. Major firewalls have no ability to NAT ipv6.
No sir, I don't like it.
The real picture is that IP addresses are allocated hierarchically and there are multiple entities at all levels except the root, all of which run out separately.
IANA (the root of the tree, the people who allocate addresses to the regional registries) ran out of /8s in Feb 2011. The regional registries (there are five of them; these are the people that allocate addresses to ISPs) have their allocated pools of /8s which ran out at different times: APNIC ran out in Apr 2011 (that's the story you linked), RIPE in 2012, LACNIC in 2014 and ARIN just now. (AFRINIC still has a few years to go, although they won't if everybody tries to get their addresses from there.)
Then there are the ISPs, who allocate addresses to their customers. ISPs will tell you that "we have plenty of addresses left" -- except the ones who don't -- but at some point all ISPs (or perhaps more importantly, your ISP) are going to move into the "don't" category.
And finally, ISP customers (i.e. you) allocate addresses to networks. Except you've probably never experienced this, because we've been short on v4 addresses for long enough that many ISPs don't (can't) give you enough IPs for your networks, and haven't for years and years. You probably grew up with this and consider it normal; it's not.
I don't know when you're going to go from "we seem to be trucking on just fine" to realizing that we have a problem -- I'd say we already do, since lots of people waste lots of time and money due to NAT, but perhaps for you it'll take your ISP giving you an RFC 1918 address on your upstream before you realize. Or maybe you have infinite time and money and don't mind the headaches caused by many layers of NAT and all the workarounds needed to deal with them, and you don't mind paying programmers to write workarounds into software, and you don't care about all the things we could've had if the internet had been up to providing them. But hopefully I've shed some light on the highly-complicated reality of "guy A allocates to guy B who allocates to guy C".
APNIC ran out in Apr 2011 (that's the story you linked),
Sorry, my bad. You linked the IANA runout, APNIC is here. (For completeness, RIPE is here and LACNIC is here.)
They can still hide behind a proxy if they want.
It's even better than IPv4 with NAT since it will actually rotate in new random IP addresses every so often (every hour or so). That means that your source IP will change over time which makes tracking harder.
A list of companies still holding an entire /8 block, culled from the Wikipedia article List of assigned /8 IPv4 address blocks and verified against https://www.arin.net/ and https://apps.db.ripe.net/searc... on 7/2/2015:
3 - General Electric
4 - Level 3*
8 - Level 3*
9 - IBM (partially *)
12 - AT&T Services*
15 - Hewlett-Packard
16 - Hewlett-Packard (inherited from Digital Equipment Corporation via Compaq)
17 - Apple
18 - MIT**
19 - Ford
20 - Computer Sciences Corporation
32 - AT&T*
34 - Halliburton
38 - PSINet*
44 - Amateur Radio Digital Communications***
48 - Prudential Securities
53 - Daimler AG (via RIPE)
This list does not include military, postal, or other government entities.
* Network service provider
** Educational institution
*** Special-use, mostly unreachable, see Wikipedia's article on AMPRNet for details
Now that would be the real end of the world, if ICANN gets yanked from the US's control and is put under some global authority like the UN. I wouldn't be surprised to see entire IP blocks pulled from established companies without warning, just out of spite.
I also wouldn't be surprised to see sites that are not popular or are not politically correct have their IP blocks reassigned as well, be it Charlie Hebdo, Falun Gong, Kurdish sites, anything that isn't approved by some cleric or government official.
People bash the US, but this is one area where the US is doing a decent job -- keeping the Net's core structure going.
I can't see that detail in the article or the ARIN announcement. It's a bigger deal if no one can get a /22, but then again if the request was for a /9 that might be a much bigger group of people about to go behind Carrier-Grade NAT.
note: I have at least one, possibly two other, Slashdot accounts because OpenID creds can't be merged with an older acco
For reasons which are wrong or don't make sense.
But it feels like we have "run out of ip addresses" and "rejected requests", "for the first time", at least 10 times already in the past year. And yet here we sit, still on our v4 backbone. Plus, are we really out of them? Can't we just steal the like 4mil IBM (or whoever) has that they don't even need?
Can I sell mine on eBay?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Apple's got you covered. According to their Plan For World Domination you are supposed to replace your Apple hardware every time they come up with a new product or model.
Security through consumerism. Then you have to buy new connectors and cases and a new desk or outfit to go with your new shiny. Thus, it helps with the local and global economy and even generates more traffic on the Internet (all of those rantings on various support boards and all of those lovely adverts). Given Apple's push towards recyclable packaging products, it helps those companies as well.
What's not to like?
Faster! Faster! Faster would be better!
They can disconnect from the internet also!
Good luck trying to scan an ipv6 range... /64, even scanning every host there for a single port would take a LONG time.
The smallest subnet is a
That's not even close to true. You need big subnets if you're going to use autoconfig based off of MAC addresses, sure, but with DHCPv6 there's no 64-bit boundary; you can break your subnets into whatever chunks you want and allocate IPs out of that.
Now, the subnets are still going to be big. I mean, if you break your allocations down into /96 blocks, for example, and hand those to the end users, you'd still be needing to port scan the equivalent of the entire ipv4 address space.
Are you saying that IPv6 address can not be placed behind a firewall? Just because it's a publicly addressable block doesn't mean it can't be firewalled off. There are entire companies running on 'real' ipv4 addresses right now that can't just be nmaped because they are secured with a firewall. NAT is not required to create that curtain, proper network security (firewall, acls, gateways, routing, etc) is.
The rest of it, well, I'm no expert so I can't comment.
But why can't we just get major ISPs to start handing out ipv6 addresses for external communication and just use ipv6 to ipv4 nat technology internally?
I suspect that is where a large part of it is going to go. I think a lot of ISPs are going to start employing v6 to v4 gateways.
The problem with that, however, is going to be DNS.
Let's say my host is native v6 only, no ipv4 address. And I'm trying to reach a site that has ipv4 connectivity only, no v6 DNS records.
About the only way that's going to work is if the DNS server I'm using returns a result that points me to a v6 to v4 gateway for sites that don't have AAAA DNS records. I seem to remember folks getting up in arms when someone tried that for non-existent ipv4 domains.
Fortunately, that problem has already been solved. NAT64/DNS64 are viable migration alternatives, and one I'll be implementing on the home network as soon as my ISP decides they want to actually roll out native IPv6 connectivity (though I am a Comcast employee, I do not live in a Comcast area. Sometimes, there is a downside to being a telecommuter)
LOL.
Yeah, oddly, they are not the only ones with that same plan.
I would suggest that a better first step would be to require that organizations prove that their allocations are in reasonable use, and that the use is justifiable in light of the availability of technologies like NAT and name-based virtual hosting.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
Dude. I'm privacy conscious and I want/use IPv6.
As already mentioned many times, all modern computers support IPv6 privacy extensions giving you a regularly changing random IPv6 address.
Furthermore, does your IP address really matter when you are logged in to your Google and Facebook account all the time on all your devices and dozens of cookies/trackers follow you on every website you visit? Your IP address is quite irrelevant these days.
This is a non-problem. Just charge a dollar per IP per year. Watch the IP blocks be returned quickly.
With so many addresses in use, the money should accumulate quickly. Pretty soon, there will be enough money to design a new IPV6NG that can actually work (as opposed to IPV6, which cannot be deployed).
For people who think IPV6 is the solution - it is an empirically observed fact that IPV6 has not been successfully deployed at any scale in several generations of technology.
So many people will lose their jobs because they don't have degrees with this experience....
The IETF knew that this was too small for the longer term, but the efficiency argument won out (this was back at a time when a 1 MHz mainframe with 16 megabytes of RAM could be timeshared to over 100 users). They figured that by the time the 32-bit address space was saturated, the replacement protocol with a REAL address space (IP6) would be easier on the computers of the day and there would be lots of time to get it up and running (turns out to have been over 30 years).
What they didn't plan for was that the 'Net would be effectively in the control of business majors and bean counters and that IP6 adoption would be at the whim of financial considerations and a 'you first' attitude. Now IP6 adoption is waiting for a 'killer app' that is on an IP6-only server ... or for Google to announce that they'll give preferential listing to sites that are IP6 capable.
OS Software is like love: The best way to make it grow is to give it away.
So the consensus so far is that my IPv6 address shouldn't be my GPS coordinates?
Thanks for proving my point, in a roundabout way.
This is the RFC that handled three reserved IP4 address blocks: 10.X.X.X, which Google uses and any large organization is able to use; one that semi-large companies can use; as well as the 192.168.x.x that a small group of users are to use, and most of us are familiar with. https://tools.ietf.org/html/rf... I've read it many times in the past for those reserved blocks. Now I can't make sense of it, it's grown by many, many pages.
At least the HOSTS file is safe (I think) "0.0.0.0 is an obsolete form of the limited broadcast address".
A Router setup, I'll wait and see:
"A router MUST allow a metric to be assigned to a static route for
each routing domain that it supports. Each such metric MUST be
explicitly assigned to a specific routing domain. For example:
route 10.0.0.0/8 via 192.0.2.3 rip metric 3
route 10.21.0.0/16 via 192.0.2.4 ospf inter-area metric 27
route 10.22.0.0/16 via 192.0.2.5 egp 123 metric 99"
And against all advice: "A router MUST support ICMP".
... spammers start using it.
now we need to go OSS in diesel cars
The original reason for IP4 NAT was necessity, not security. It was (and is) quite common for a house or business to get a single IP4 address for however-many machines. IP6, on the other hand, defaults to giving a normal end-user an address pool bigger than what IP4 provides to the whole planet. This means that it's WAY harder for an external hacker to guess at the address of a random machine. I got a /64 prefix for my home network. That means that I have trillions of potential addresses for dozens of machines. Even with thousands of machines, if I pick a set of random addresses for my machines (which is what auto-config does), it should take a well-provisioned attacker a couple of centuries to get his first hit.
If you add NAT on top of all that, then you've got a pretty good security regime.
However -- all of that being said, the main excuse given for NAT being 'secure' is that people can't get to a NATed machine from the outside world. However, between machines getting 48-bit (or more) randomized addresses that change from day to day, and a simple stateful firewall, you would have the same security and then some if you moved to ipv6 -- before you even throw NAT into the configuration.
Using private addressing is like living in a building with only one entrance and hoping the bad guys won't get through that entrance.
Having a firewalled public address is like living in a building with only one (or more - all under your control) entrance and hoping nobody accidentally creates a second entrance that you are unaware of/don't control.
The comment about "security in depth" is well-taken.
A hybrid method - which might actually be in IPv6 (I haven't read all of the relevant standards documents) - would be to specifically declare certain IPv6 addresses or ranges as "private," and routers not specifically configured to handle those addresses would be required to drop those packets. In other words, if IPv9 had such a standard (it does not) and I owned 9.0.0.0/8 and I declared all addresses other than those ending in .1 to be private, and I didn't configure any non-9.0.0.0/8 routers to specifically handle 9.0.0.0/8 traffic, any traffic not routed through a 9.0.0.0/8 firewall ending in .1 (and having its "public" IP masqueraded into an address ending in .1 in the process) would be dropped by the first standards-compliant non-9.0.0.0 router that it encountered. This way, if an employee intentionally or accidentally connected a machine to both a 9.0.0.0/8 network and another network at the same time and the machine started routing traffic (which shouldn't happen if my internal network isn't broken in some other fashion), the first upstream router of the external network would say "woah boy, I can't handle that traffic, *DROP*." Defense in depth.
Granted, this would not stop a rogue employee who knew what he was doing from setting up a firewall that did its own address translation. This scheme provides some security, it is not intended to protect against all adversaries. It also has most of the other weaknesses of NAT, including client-based vulnerabilities where an internal machine is p0wned and has relatively-free run of the network (well, as free as if the network were entirely publicly-addressable/publicly-accessible).
Are you saying that you use addresses that are assigned by ARIN or a similar authority to NCR, but as far as the Internet is concerned, the addresses are in a range that is not in use ("no route to host")?
You are one mis-configured BGP announcement away from that statement becoming false. I hope you are practicing "defense in depth."
Just do it and stop talking about it.
I know a university that has an entire class B block and they claim that they need them because they pass them out to anyone connecting to wifi on campus. In reality they could get by with maybe 20 addresses, at most.
Yup, connect your laptop on campus and you have an internet routable address.
There is lots of address waste.
Similar to global warming, deniers have had their heads in the sand too, too long, and they are now getting kicked in the butt.
Hurricane Electric says that as of today, APNIC has ~ 11 Million IP addresses. Am I missing something?
Accurate, though most implementations of LSNAT will probably use the now-reserved address space of 100.64/10 rather than one of the well-known private ranges.
(Yes, in the face of IPv4 exhaustion, The Powers That Be burned an entire /10. There must be some IPv6 engineers on that committee.)