Slashdot Mirror


IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)

An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."

"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long-standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use of an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."

38 of 294 comments

  1. what by phantomfive · · Score: 3, Informative

    without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

    What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:what by Jawnn · · Score: 4, Interesting

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks. Turn on IPV6 and those internal networks are simply open to the world.

      Now, I am not saying we shouldn't go there, but the scope of "doing it right" is almost immeasurable. IMO, it is that which is the single largest barrier to widespread adoption of IPV6.

    2. Re:what by bobbied · · Score: 2

      without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Sounds simple enough.... Of course, nothing is really as simple as it first seems.... Good first step though.

      While I get people's reluctance to adopt IPV6 and having their local networks become immediately routable and thus externally addressable, there is a bit more to this "security" thing when switching IP versions than just dropping inbound connections. The problem stems from the fact that when you go full on IPV6 and allow an internal host to transit your firewall outbound, you have exposed not just the router's IP but internal network information too. This means that an attacker now knows something they didn't before. It's true that this knowledge doesn't give them any special access if your router is working properly, but it does mean that if the router doesn't always do the right thing, they will have an easier time attacking your internal network.

      Not that there are no solutions to this issue out there or that one cannot still protect their internal networks, only that such protection needs to be thought about in somewhat different terms and perspectives. IPV6 messed with more than just the number of bits in the IP address; it messed with the fundamentals of how traffic gets routed. It made a lot of things easier, faster and cheaper, but it also had impacts on network security considerations that I'm not sure we fully understand even after this long.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:what by swb · · Score: 2

      Is there something about IPv6 that precludes the implementation of NAT?

      IPv4 never "had" NAT, either, AFAIK. It was a kludge tacked onto routers and firewalls as world+dog got Internet access and ISPs only handed out /24s and ultimately /30s.

      I worked at a site that had a direct /22 assignment dating to the very early 90s and we never bothered with it until the local network outstripped the useful life of the /22 and then we tacked on RFC1918 blocks for new segments, but kept using the /22 space for servers and a segment of the LAN that used a particularly shitty (HP3000) 3rd party application that dated to the original direct assignment and had a shitload of hard-coded references to the application server because neither the vendor nor the clueless admin ever bothered with DNS configuration (which, IIRC, was mildly brain damaged on the HP3000 anyway).

      We also had a sister company that had TWO /16 assignments -- they would NAT between /16 blocks, which I found to be kind of amazing, like a car you drove to a parking lot...to pick up your other car.

    4. Re:what by gstoddart · · Score: 2, Insightful

      Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.

      Using internal 192.168.*.*, or the entire class A of 10.*.*.* means my internal IP address is not your damned business. It's an un-routable address to anything else. Which means in a lot of ways it's invisible -- you have no way of knowing the IP address of a given machine, and even if you did it wouldn't do you any good because there's no way to get there.

      If you don't know information about what's behind the firewall, you can't exploit that information. NAT allows you to say "yes, there is a machine behind the firewall talking to you, but any specific information about that machine isn't for you to know because we don't trust you with that information".

      Providing the same level of 'security' as NAT also includes some anonymity. You're not meant to know which machine you're talking to, and it isn't possible for that information to bleed out. Which means you don't have the ability to deduce information about it.

      Having an outside entity know any information about your hosts and their IP addresses is just another vector to glean information and possibly act on it. You can't target a specific machine if you have no information about it from outside the firewall.

      So, for me, if you start with the assumption that the internet is a dirty cesspool of actors which simply cannot be trusted and must be assumed to be hostile ... then you start by denying as much information as you possibly can. And after many years around the internet, not assuming the internet is a dirty cesspool of bad actors is utterly idiotic, because it hasn't been true in a very long time.

      IPv6 seems to have a rather naive and in-built assumption that the internet isn't full of hostile assholes, and the decision to say that NAT was unnecessary reinforces that. Anything which assumes there isn't a risk in allowing outside actors to glean information about your environment is naive, broken, and not going to work. Because you pretty much need to assume that every additional item of information someone else has is going to be exploited in some way.

      If you need to rely on stateful firewall rules to know what's allowed, you need to rely on the vendor to competently be able to handle all of these protocols and the like. And, quite frankly, time and time again we see plenty of reasons why we can't trust the vendors to competently do that.

      This is one of the reasons a lot of organizations have looked at IPv6 and consistently said "no thanks, there's parts of this we really don't like".

      If after 20 years IPv6 has 10% adoption, maybe it's time to start understanding why people don't want it instead of telling us everything is fine and we don't actually need NAT.

      --
      Lost at C:>. Found at C.
    5. Re:what by unixisc · · Score: 4, Informative

      The summary seems to imply that there is no supported NAT in IPv6. Au contraire, the IETF did specifically define a NAT standard for IPv6 - it's called NAPT. It has the same concepts as IPv4 NAT - translating a public address to a private one (granted, there are more categories of the latter in IPv6). Only thing different is that it's a 1:1 address mapping here, as opposed to a 1:many address mapping in IPv4. Which saves the agony of Port Address Translation and there being fewer ports for other applications that NEED it.

      But if someone wants to have something handy for load balancing, NAPT can be used. I'm not sure of what the defined multi-homing mechanism is in IPv6, and whether it necessitates the use of NAPT or not.

    6. Re:what by lokedhs · · Score: 4, Informative

      Or, you might want to read up on Privacy Extensions before you start talking about exposing internal information which hasn't been valid since 2001. Yes, that's 15 years ago, as modern as 2001 may feel to us old guys.

    7. Re:what by Todd+Knarr · · Score: 3, Interesting

      What do you mean IPv6 messed with things? What you're describing is simply the ending of the aberration that is masquerade-mode NAT and the return to the way IPv4 networks operated for most of their existence. Masquerade-mode NAT was a nasty, awkward kludge to normal routing created to work around the refusal of the DSL and cable ISPs to offer more than a single IP address to a subscriber at a time when subscribers were starting to have multiple computers in their households. Up until that point computers on IPv4 networks were directly connected to the Internet with their IP address visible to the world. That's how I used to run servers on dial-up lines, no router involved (at least on my end). All you have to do to protect your IPv6 networks is set up the equivalent to a standard IPv4 firewall. Like IPv4 you have to pay attention to what ports are allowed inbound to which hosts, but that's nothing new and IPv6 gives you more tools to help segregate desired inbound connections from unwanted ones.

      Then again, I suppose most people these days haven't written firewall rules or even thought about them, masquerade-mode NAT hid the issues by terminating all non-ESTABLISHED non-RELATED traffic on the router's WAN port and the router didn't have any services except DHCP and DNS listening on the WAN side. Well, it wasn't supposed to anyway, but turns out quite a few did have things listening and those things had pretty much crap authentication so attackers could pretty much walk straight on through without breaking stride. Hence why I prefer explicit firewall rules where I know the packets are going down a black hole before anything that might be listening can even see them.

    8. Re:what by Midnight+Thunder · · Score: 2

      You know how big an IPv6 subnet is? Think of scanning the whole IPv4 address space and then you are close. Between IPv6 privacy extensions and DHCPv6, you can reduce the scope of scanning. Also, with a firewall in place, that scanning shouldn't even be possible.

      The biggest barrier to IPv6 adoption has been people not sitting down and asking themselves what the native IPv6 way of dealing with things is, and saying it is a security risk. The biggest risk is putting off the work.

      Case in point: I recently faced an issue where some users were having connectivity issues. All health checks looked good. Turns out the issue was down to not having an IPv6 strategy. These users were already on IPv6 and some of the cache servers at various providers had AAAA entries, but no IPv6 on the web server, or did have IPv6 on the server, but it was badly configured. Because of the lack of IPv6 strategy, there were no operational health checks on the IPv6 status. We didn't look good to these customers, because business, and even ops, thought IPv6 wasn't important - oops.

      --
      Jumpstart the tartan drive.
    9. Re:what by unixisc · · Score: 4, Informative

      But it's the firewall that comes w/ NAT that does the defending - the same thing that can be done w/ a public IPv6 connection. Not that I recommend it, but one could even use a combination of NAPT w/ IPv6 public addressing if one HAS TO use NAT: you'd still get the firewall, and you'd still have the warm and fuzzy feeling that NAT gives you.

    10. Re:what by unixisc · · Score: 2

      As far as NAT awareness in protocols goes, the IETF didn't standardize on any NAT mechanism, which is why there are 3 NAT mechanisms at least in IPv4. In IPv6, the IETF went ahead and standardized NAPT, so that in the event that NAT has to be there, there is only one recognized way of doing it. That way, any application written can require either the native IPv6 address, or a combination of the Global Prefix of a Global unicast address plus the Unique Local address of the node in question.

    11. Re:what by DarkOx · · Score: 2

      allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before.

      I see this argument from time to time. I don't buy it. While I don't recommend internal address disclosure for IPv4 gateway-ed networks, I would never make it more than a LOW finding on a security report. Why? Because you can't do anything with that information unless you compromise an internal host. If you compromise an internal host it's almost always trivial to figure out what addresses are in use internally. Even with the least privileged web shell you can usually get the adapter information off the affected host. Almost all major platforms allow ping to run without privileges and even on Windows with something like AppLocker enabled ping.exe is a Microsoft signed binary and will be allowed by default. Discovering internal addressing really isn't a big deal.

      Even if the ultimate outcome is that your internal addressing will now be public information, the 60 seconds someone might spend thinking about their network when turning on IPv6 probably does more for their security posture. The other thing you have to consider is that for larger networks subnet discovery is going to get a lot harder. Discovering other hosts adjacent on the subnet also is much harder with IPv6.

      I do agree though that it IS more complicated than just drop all inbound connections. That is certainly a good start but it's true that it is not quite that simple. I just don't think that it is so much harder that it will impact many people at the margin. If people were just turning on NAT + UPnP and hoping for the best before, they were screwed, as they will be with IPv6. If they knew/did more than that before, there are not so many new considerations that they are likely to do anything especially bad.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:what by locofungus · · Score: 2

      Source address: the device you don't trust.

      And there's the problem. If you have multiple devices with privacy extensions then you cannot filter by source [IP] address.

      On a home network it's usually trivial to filter by MAC address instead but once there are multiple routers before the egress firewall then that won't work.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    13. Re:what by swillden · · Score: 2

      My Asus router supports IPv6. The IPv6 firewall is configured by default to reject all incoming connections. Done.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    14. Re:what by Todd+Knarr · · Score: 2

      What configuration on the host? All configuration would be done on the router, since the last rule on the WAN IN ruleset would be to drop everything. The first rule would be to allow ESTABLISHED and RELATED traffic so the return for outbound connections works properly (assuming you want it to work, if not then just omit that rule). After that nothing outside your network's going to be able to connect inbound to your hosts unless you add rules to the middle of the WAN IN ruleset specifying exactly what you want to allow in for each host. The FORWARD rulesets follow the same pattern, adjusted for whether you want to allow outbound by default or not. I've written the rules for an IPv6 firewall, and they're remarkably parallel to the IPv4 rules.

      And as pointed out, if you want a truly isolated segment you just don't advertise a routable prefix on the LAN side of your router and autoconfiguration will give you hosts with addresses that're only valid within the segment and can't be routed outside it without some black magic in the router (don't bother, it's easier to just give them routable prefixes and then leave rules for those prefixes out of the FORWARD ruleset on your router so traffic to/from those prefixes just bounces off the interfaces).
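The ruleset shape described in this comment (and the "just reject all incoming connections" answer earlier in the thread), written out as ip6tables commands. This is an added example, not code from the thread or from any router vendor; it assumes WAN interface eth0, LAN interface eth1, the documentation prefix 2001:db8:1::/64 as the LAN, and one constructed per-host allow (SSH to 2001:db8:1::10).

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny IPv6 policy in ip6tables.
# Shape: conntrack ESTABLISHED/RELATED first, explicit per-host allows in the
# middle, an unconditional DROP last; the same pattern for the router's own
# INPUT chain and for FORWARD. Assumed: WAN=eth0, LAN=eth1, LAN prefix
# 2001:db8:1::/64 (documentation space), one constructed inbound allow.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_PREFIX=${LAN_PREFIX:-2001:db8:1::/64}
# Per-host inbound allows, one "host proto port" per line (constructed entry).
INBOUND_ALLOWS=${INBOUND_ALLOWS:-"2001:db8:1::10 tcp 22"}

# One explicit allow for a NEW inbound connection to a single LAN host and port.
allow_inbound() {
    printf 'ip6tables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN" "$LAN" "$1" "$2" "$3"
}

# Emit the whole ruleset as ip6tables commands without applying anything, so the
# policy can be reviewed (or diffed against the running one) first.
emit_rules() {
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -F INPUT
ip6tables -F FORWARD
# --- INPUT: traffic addressed to the router itself ---
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 is not optional in IPv6: neighbour discovery (types 135/136), router
# advertisements (134) and path MTU discovery (2) break if dropped wholesale.
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/s -j ACCEPT
# Router management reachable from the LAN only
ip6tables -A INPUT -i $LAN -s $LAN_PREFIX -j ACCEPT
ip6tables -A INPUT -j DROP
# --- FORWARD: traffic passing through the router ---
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
# LAN hosts may open outbound connections
ip6tables -A FORWARD -i $LAN -o $WAN -s $LAN_PREFIX -j ACCEPT
EOF
    # Explicit inbound allows sit between the state rule and the final drop.
    printf '%s\n' "$INBOUND_ALLOWS" | while read -r host proto port; do
        if [ -n "$host" ]; then
            allow_inbound "$host" "$proto" "$port"
        fi
    done
    echo 'ip6tables -A FORWARD -j DROP'
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_rules | sh        # apply for real (needs root)
else
    emit_rules             # dry run: print the ruleset for review
fi
```

Run it plain to print the ruleset; run it with `APPLY=1` only after checking that the per-host entries are the ones you intend.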

    15. Re:what by hairyfeet · · Score: 4, Interesting

      The rotting elephant in the room is NOT the "security" of NAT, it's the legal issues, specifically that the *.A.A will be able to argue that "IP address equals person" thus letting them sue pretty much anybody for anything. You put up a vid of your kid dancing to a corporate media conglomerate owned song? Enjoy your lawsuit.

      This of course isn't even bringing up how badly corporate has fucked IT for the last decade, which means all the older networking gurus have all bailed, leaving a bunch of kids that won't know how to diagnose, much less fix shit when the inevitable IP V6 headaches hit. We have the environmental disaster as you have literally tens of millions of routers and modems that simply cannot handle IP V6, so all of that will have to be trashed, which of course adds to the cost of switching, which is gonna be quite high......I'm sorry but there are a LOT of downsides and very few upsides.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. memories, memories by nimbius · · Score: 2

    ah, turning 20 and enjoying 10% recognition. reminds me of my youth. but seriously guys. there's no excuse other than laziness at this point. home docsis3 routers are dual stack, and hurricane's 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.

    --
    Good people go to bed earlier.
  3. Re:NAT is my antivirus by castionsosa · · Score: 2

    The chief infection vector these days is the web browser and add-ons. If a machine can connect to the Internet, even if behind seven layers of NAT, it can get infected. Second to that are Trojans and dancing bunny attacks.

    Internet based attacks to compromise hosts are relatively few, and they tend to be brute force attempts, looking for older/patched bugs, or a DDoS. Good firewalls are a solved problem.

  4. If we don't adopt it, the nanobots will by jma05 · · Score: 4, Funny
  5. Re:Dear asshole utopians who hate NAT by lokedhs · · Score: 2, Insightful

    Most home users would be perfectly fine with an IPX connecting to a HTTP proxy. That doesn't mean it's a good idea.

  6. Familiarity with IPv4 is hindering adoption by ErichTheRed · · Score: 2, Insightful

    IPv6 is a very different beast from IPv4. One of its strengths is also a weakness - NATless wide open host to host routing of traffic. This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery. It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this. Not many people understand what actually makes IP routing work at a nuts-and-bolts level, so this would be a safe default. 20 years ago, when IPv6 was new, I would have more faith that the average IT person would have a better grasp of details like this. These days, it's abstracted away for the most part. I doubt non-network focused IT people learn the stack to the same depth they had to in the past.

    Even large enterprise networks I've seen implicitly trust traffic on the inside. Obviously that's not the best way to go, but re-architecting the network for trust-nothing operation is a slow process the larger the entity.

    1. Re:Familiarity with IPv4 is hindering adoption by silas_moeckel · · Score: 3, Informative

      Your average consumer grade NAT router that supports IPv6 has a default stateful firewall blocking unwanted inbound connections. Really no different than IPv4 with NAT.

      --
      No sir I dont like it.
  7. Re:What was the brake becomes the gas pedal by Midnight+Thunder · · Score: 2

    Trying to not support two things is why cell phone companies are planning on going IPv6 with NAT64/DNS64. It is also why all iOS 9 apps must support IPv6. This approach allows them to optimise their infrastructure for IPv6 and only deal with IPv4 on the border.

    Nothing is stopping anyone from staying IPv4 internally, but if you can't speak to that IPv6 service outside your network, then you'll look pretty stupid. At least get a web proxy, that deals with IPv6 externally, if you don't want to deal with the setup internally.

    --
    Jumpstart the tartan drive.
  8. Topology detection by unixisc · · Score: 2

    Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6. Like if you have a network that has a subnet mask of 255.255.255.240, you know that there can be a max of 14 boxes on that subnet. In IPv6, all that is irrelevant: any subnet can have anywhere b/w 1 and 2^64 boxes: it's impossible to find out w/o port scans.

    Also, unless someone uses some structure in assigning IPv6 addresses using DHCPv6, it is impossible to figure out individual addresses. And if they have privacy extensions, which is the equivalent of IPv4's dynamic addresses, that makes it even more impossible.

    1. Re:Topology detection by unixisc · · Score: 3, Informative

      No, subnet addresses are the 49th to the 64th bit of the address, or something beyond 49th to 64th, depending on how it's allocated. Most routers would recognize the entire lower half of the address as the interface ID. There is no concept of 'class' networks the way there was in IPv4. Everything is 2^64.

      Yeah, one could break the protocol and assign subnets to something in the lower half, and a few things, like SLAAC, RAs would stop working.

    2. Re:Topology detection by ArmoredDragon · · Score: 2

      Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6.

      No, not really (unless you're talking about the old classful addressing system? Nobody uses that anymore.) The only reliable way to determine who owns what IP ranges is to pull out your BGP looking glass (there are a bunch of them owned by major peering providers; google "bgp looking glass".) The same thing works for IPv6, by the way.

      However none of that tells you anything about the internal (RFC1918) addresses they use beyond that. I.e. are they on a 10 net? A 172.16.x net? A 192.168.x net? Only way to know is to either have physical access or some kind of inside informer.

      Also I'm not sure why people say you can't NAT with IPv6. Indeed you can, there's even an official RFC for it:

      https://tools.ietf.org/html/rf...

      Though as you can read in the RFC, the IETF really frowns upon NAT, they only added it if your internal network MUST have privacy for whatever reason. (That is, you don't want outsiders to be able to uniquely identify the IP address of machines that are highly sensitive from a security perspective, and you certainly don't want any traffic to even be routable to them.) That address space is defined in RFC4193 and is FC00::/7, the "English" term for it being a Unique Local Unicast address.

      I have a feeling it will come in demand one day for those trying to avoid e.g. ad trackers, which otherwise (in IPv6) have the ability to uniquely identify your machine without using cookies or anything, even if you e.g. hop on a Starbucks wifi. Why? Because your NIC's MAC address is (in the vast majority of cases) globally unique and shows up in the final /64 of an IPv6 address as part of NDP (the IPv6 version of ARP.)
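The MAC-to-address mapping this comment describes (and the Privacy Extensions that lokedhs points to earlier in the thread) worked through in POSIX sh, as an added example that is not code from the thread. The modified EUI-64 construction is RFC 4291 Appendix A; the sample MAC and interface identifiers are constructed, and the inventory loop at the end is the defender's use: flag hosts whose identifier still encodes the MAC so privacy extensions can be turned on.

```shell
#!/bin/sh
# Added example, not from the thread. Modified EUI-64 (RFC 4291, Appendix A)
# builds the 64-bit interface identifier from the 48-bit MAC by splitting it,
# inserting ff:fe in the middle and flipping the universal/local bit (bit 1 of
# the first octet). The mapping is reversible, which is why a stable SLAAC
# address follows the host from network to network unless privacy extensions
# (RFC 4941) replace the identifier with a random, rotating one.

# mac_to_eui64 00:11:22:33:44:55  ->  0211:22ff:fe33:4455
mac_to_eui64() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    oldifs=$IFS; IFS=:
    set -- $mac
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for o in "$@"; do
        case $o in [0-9a-f][0-9a-f]) ;; *) return 1 ;; esac
    done
    first=$(( 0x$1 ^ 0x02 ))          # flip the U/L bit of the first octet
    printf '%02x%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# eui64_to_mac 211:22ff:fe33:4455  ->  00:11:22:33:44:55
# Takes the last four 16-bit groups of an address (leading zeros may be
# omitted). Returns 1 and prints nothing when the ff:fe marker is absent,
# i.e. the identifier is probably a privacy, random or static one.
eui64_to_mac() {
    iid=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    oldifs=$IFS; IFS=:
    set -- $iid
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for g in "$@"; do
        case $g in ''|*[!0-9a-f]*|?????*) return 1 ;; esac
    done
    # normalise each group to four hex digits before slicing it into octets
    g1=$(printf '%04x' "$((0x$1))"); g2=$(printf '%04x' "$((0x$2))")
    g3=$(printf '%04x' "$((0x$3))"); g4=$(printf '%04x' "$((0x$4))")
    [ "${g2#??}" = "ff" ] && [ "${g3%??}" = "fe" ] || return 1
    first=$(( 0x${g1%??} ^ 0x02 ))    # undo the U/L bit flip
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "${g1#??}" "${g2%??}" "${g3#??}" "${g4%??}" "${g4#??}"
}

# Constructed inventory of interface identifiers seen on a LAN: report which
# hosts still expose their MAC and should have privacy extensions enabled.
for iid in 211:22ff:fe33:4455 3af2:9c11:b7e:5d04; do
    if mac=$(eui64_to_mac "$iid"); then
        echo "$iid  EUI-64 identifier, exposes MAC $mac"
    else
        echo "$iid  not EUI-64 (privacy or static identifier)"
    fi
done
```

On Linux the identifier is the lower half of any SLAAC address shown by `ip -6 addr`; feeding those four groups to `eui64_to_mac` tells you whether the host is tracking-resistant.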

  9. Re:Many happy returns, IPv6 by suutar · · Score: 2

    This makes me wonder how long until ISPs start wanting to phase out nat so they can better see the patterns of usage behind the router. If they can tell that you use your TV and iPad more than your laptop... well, there's gotta be someone who'd pay for that info.

  10. Re:Many happy returns, IPv6 by phantomfive · · Score: 3, Insightful

    Is that the metric that keeps IPv6 adaption capped?

    I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.

    --
    "First they came for the slanderers and i said nothing."
  11. Re:NSA does not like by WaffleMonster · · Score: 2

    NSA here. We want everyone to use IPV6 because it makes tracking everything down to your dog's internet enabled nipple piercing that much easier. So stop this nonsense about sticking with IPv4. We're watching you.

    Restoring end to end for everyone is worth way more to continued freedom of Internet use than any NSA boogieman.

    IPv6 privacy addresses are widely supported. Big data stalking firms currently have no problems discovering individual devices behind IPv4 NATs.

  12. Subnet sizing by unixisc · · Score: 2

    That's the reason that I've always believed that the /64 was a stupid boundary at which to demarcate the Global Prefix and the Interface ID. It should have been at /96. The reason for the /64 was for easy autoconfiguration w/ SLAAC. But even w/ SLAAC, uniqueness is not guaranteed, and therefore, a lot of flexibility in IPv6 is sacrificed at the altar of autoconfiguration, resulting in an overkill when it comes to subnet sizes.

    Instead, having a /96 would have enabled the internet to have had a hierarchical routing system, thereby lessening the need for things like RIPng, OSPF, EIGRP, et al. Also, RIRs, national Internet registries and ISPs could then have allotted Global prefixes up to /64 or /80, and we could have had either 16 bits of subnetting - allowing for 65,536 subnets - or a full 32 bits of subnetting - allowing for a hierarchical subnet set-up.

    Even w/ all this, 32 bits would have been adequate for autoconfiguration mechanisms. Yeah, it wouldn't be completely unique, but nothing is. Port scans would still be as slow as scanning the entire internet, but on top of that, privacy extensions, or allowing an address to change very frequently, would make it even more impossible for port scans to determine internal network topologies. I do think something like this would have to be deployed to avoid running into address depletion issues even in IPv6 later.

  13. Re:Fuck You! by Dagger2 · · Score: 3, Insightful

    Those are all excuses. None of that stuff needs to be touched to deploy v6. Deploying v6 won't make any of it work worse than it currently is. You don't need to upgrade all your DOCSIS1/2 modems to get v6 to the DOCSIS3 modems.

    Also if you're an ISP that's been buying hardware in the past half a decade that's not v6 capable, then you screwed up -- or if your hardware is much older than that, then you're probably looking towards a replacement soon anyway.

  14. Re:Unlikely that everyone will be on IPV6 by 2020 by Chris+Mattern · · Score: 2

    Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.

    Ignoring the (quite literal) network effects. When the tipping point comes, it'll go to 100% IPv6 very quickly. Everybody will be on IPv6 because that's where everybody else is. Nobody will want to be cut off by being on an IPv4-only address.

  15. IPv6 compatibility w/ FOSS projects by Yonder+Way · · Score: 2

    What's really sobering is when you look at relatively new but very successful FOSS ecosystems like that surrounding Docker, you'll see poor considerations for IPv6. If you're working on new bleeding edge stuff and you're still developing for an IPv4 world, you're needlessly wasting a huge opportunity to help the world move beyond IPv4. I really want to call out CoreOS's fleet project for using IPv4 private networks for cross-container communications where IPv6 would have been a much better fit.

  16. Re:More like 0.1% -- IPv6 traffic is special purpo by jfdavis668 · · Score: 4, Informative

    My cell phone traffic has been IPv6 for years. Every time I watch a YouTube video, piles of IPv6 traffic flow. A large amount of network traffic is now handheld related.

  17. Re:Many happy returns, IPv6 by Geordish · · Score: 2

    Is that the metric that keeps IPv6 adaption capped?

    I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.

    As someone who works for ISPs for a living, that is nonsense. Equipment generally has a lifetime that it is useful for. We typically buy kit with 5 years in mind, but may stretch it further if there is still life in it. Equipment that is 10 years old is probably worthless. (This likely is the same for most other areas of IT.)

    Any equipment you buy today will support IPv6, with all the latest standards. Equipment generally gets firmware upgrades for the duration of its life that adds new features as they come along.

    All Cisco and Juniper kit (2 big vendors in the ISP space) have had full feature sets for v6 in the service provider routed world for quite some time now. So long that some of their kit has gone end of life that have v6 support. There may be some enterprise grade products where this doesn't hold true, but it shouldn't be far off.

    If your friend claims that the way he is going to deal with v6 is to buy more kit, he is either running outdated equipment, stupid, or lying.

    The CPE is the only major space where there are issues. This is getting better now, and the same 5 year rule generally applies here to ageing equipment. You have the luxury of a phased replacement plan in this space too, which makes things a bit simpler.

  18. Re:Practical question for consumers by Geordish · · Score: 2

    Not giving everyone a /48 is a daft argument. From someone who is a lot smarter than me (source):

    "Let’s assume that ISPs come in essentially 3 flavors. MEGA (The Verizons, AT&Ts, Comcasts, etc. of the world) having more than 5 million customers, LARGE (having between 100,000 and 5 million customers) and SMALL (having fewer than 100,000 customers).

    Let’s assume the worst possible splits and add 1 nibble to the minimum needed for each ISP and another nibble for overhead.

    Further, let’s assume that 7 billion people on earth all live in individual households and that each of them runs their own small business bringing the total customer base worldwide to 14 billion.

    If everyone subscribes to a MEGA and each MEGA serves 5 million customers, we need 2,800 MEGA ISPs. Each of those will need 5,000,000 /48s which would require a /24. Let’s give each of those an additional 8 bits for overhead and bad splits and say each of them gets a /16. That’s 2,800 out of 65,536 /16s and we’ve served every customer on the planet with a lot of extra overhead, using approximately 4% of the address space.

    Now, let’s make another copy of earth and serve everyone on a LARGE ISP with only 100,000 customers each. This requires 140,000 LARGE ISPs each of whom will need a /28 (100,000 /48s doesn’t fit in a /32, so we bump them up to /28). Adding in bad splits and overhead at a nibble each, we give each of them a /20. 140,000 /20s out of 1,048,576 total of which we used 44,800 for the MEGA ISPS leaves us with 863,776 /20s still available. We’ve now managed to burn approximately 18% of the total address space and we’ve served the entire world twice.

    Finally, let us serve every customer in the world using a small ISP. Let’s assume that each small ISP only serves about 5,000 customers. For 5,000 customers, we would need a /32. Backing that off two nibbles for bad splits and overhead, we give each one a /24.

    This will require 2,800,000 /24s. (I realize lots of ISPs serve fewer than 5,000 customers, but those ISPs also don’t serve a total of 14 billion end sites, so I think in terms of averages, this is not an unreasonable place to throw the dart).

    There are 16,777,216 /24s in total, but we’ve already used 2,956,800 for the MEGA and LARGE ISPs, bringing our total utilization to 5,756,800 /24s.

    We have now built three complete copies of the internet with some really huge assumptions about number of households and businesses added in and we still have only used roughly 34% of the total address space, including nibble boundary round-ups and everything else."

  19. Re:Many happy returns, IPv6 by rahvin112 · · Score: 2

    They can already see that information with DPI (Deep packet inspection) and many already do monetize it.

  20. Re:Practical question for consumers by sjames · · Score: 2

    In the very worst case, the ISP gives you a /64 which is enough to support every possible ethernet address 64K times over.