The exhaustion of IPv4 address space

FireFury03 writes "Cisco has an interesting article talking about estimates for the exhaustion of the IPv4 address space, and the inevitable move to IPv6. It predicts that the IPv4 address space will be exhausted in 2 - 10 years and suggests that it isn't worth trying to reclaim old allocations. With the mainstream use of IPv6 now potentially within the ROI period of many products the manufacturers need to start including support, but will the ISPs roll out native IPv6 networks before they absolutely have to? IMHO, ISPs providing native IPv6 support would be a Good Thing since it opens up the door for peer-to-peer technologies such as SIP without needing nasty NAT traversal hacks, but a major stumbling block seems to be a complete lack of IPv6 support on current consumer-grade DSL routers (tunneling over IPv4 is an option but requires more technical know-how from the end user)." Of course, Cisco may have some vested interest in driving up the IPv6-compatible router sales *cough*, but the bottom line is that the transition will have to happen at some point in the near future.

Already rolled...

[jamesgamble]

Most of the major ISPs have already rolled support for IPv6. They started the rollout about five years ago when the lack of IP address began to be a problem. I know for a fact that Sprint is ready to roll it, they are just waiting for other networks to support it. T-Mobile is also ready to roll it as is AOL. It's not really a big deal. It's already been done. Everyone is just waiting to push the big red button and turn on the support. Hell, even Windows supports it.

Love that quote

[Matey-O]

"and suggests that it isn't worth trying to reclaim old allocations."

Isn't worth it to whom?

Re:Interesting

[Profane MuthaFucka]

Good eye. That's a huge range. When you're talking about small numbers it makes a bigger difference too. When they say 2-10 years, that's much more fuzzy than a prediction of, for example, 102-110 years.

It's almost like me saying that any random new car model from Detroit will get between 20 and 100 miles per gallon. We all know how fuzzy EPA figures are, but even those are more precise than Cisco is here.

concurrent operation of IPv4 and IPv6?

[pixelpusher220]

I'd say this is going to be a huge test of the internet and all the various pieces.

Can IPv4 and IPv6 coexist? When do the root servers transfer over? (have they already?) If they can co-exist, what's the motivation for *everyone* to switch?

What happens to smaller countries that don't have the resources to make hardware changes to keep up to date.

From a laymen's perspetive this seems a lot like Y2K in terms of the scope of changes required.

Explanation requested

[dubdays]

Besides the huge amount of fully routable IP addresses IPv6 will open up, what are the benefits to the average end-user? I mean, will anyone accessing a 4 Mb cable connection through NAT really notice any difference by upgrading? Even large corporations, who also use private IP address space, (as far as I know) don't need fully routable addresses for every machine. So, what exactly is the major benefit? Just asking...

New Allocation Schedule

[Kadin2048]

It will be interesting (and perhaps this has already been all worked out, I haven't looked into it much) how they allocate the IPv6 addresses. It seems fairly clear now that the life of the v4 address space was definitely shortened -- although by how much is not clear -- because of the very large chunks of space that were handed out and never fully utilized. (Class A allocations; IIRC IBM had a massive one and I'm not sure ever used much of it, and I'm sure they're not the only one.) Of course this wasn't viewed as a problem at the time because there were so many more addresses than anyone imagined there would ever be devices.

I just wonder how we're going to resist the temptation to do the same thing again, now that we have another glut of address space. On one hand we don't want to end up with vacant blocks of addresses, but we don't want to be too niggardly about it either, or else individual static addresses won't ever 'trickle down' to end users and we'll be stuck with the same mess of NAT traversals and subnets that we have now.

I'm sure that this issue has been addressed (or will be addressed) but I'm just curious how the IANA will find the 'balance point' between assigning enough high-level blocks to make sure end users can get static global addresses, while not overassigning. Perhaps there should be some sort of a periodic review process for high-level address block assignments to see how fully utilized they are, and either assign an entity more addresses or reallocate underutilized resources.

Re:Is NAT Better?

[pixelpusher220]

There's no technical reason you can't 'NAT' your IPv6 address is there?

The majority in new IP address growth comes from all the future gadgets, your house, the washing machine, fridge, etc. So PCs can still 'hide' behind a NAT if they need protecting.

Re:I can't understand why...

[pete6677]

Why don't more routers that are sold today tout their IPv6 compatibility?

Because IPv6 isn't yet a buzzword that non-technical buyers are looking for. This will probably change in the next few years when the business world becomes concerned with it. Once a company CIO hears that his internet connection will die without IPv6 support, there will be a huge marketing effort on the part of Cisco and other router makers.

Simple fix..

[MrJerryNormandinSir]

Don't use real IP addresses after the gateway. I do IP
MASQUERADING. I get only 1 ip address from my provider.
I've got a wireless webcam, a zaurus wireless pda, company assigned laptop, my linux development desktop computer, my Apple G3 running LinuxPPC (my gateway, web, imap server),
My oldest son't room with a Linux based AMD 64bit server, a
mini mac, a sharp zaurus, my 2 youngest boys room and thier
computer and a laptop up in thier room, my hombrew robot,
a hacked compaq IA-1 that runs linux that I use to monitor my firewall, email, etc.. All these devices get to the outside world on 1 ip address. I have multiple servers that
are accessed by the outside world via port redirection as
well.

My point is that we should be tighter with ip address allocation.

Home / SOHO Routers

[Commander Spock]

Most of them have flash firmware, and can probably be adapted to work with IPv6.

Re:Explanation requested

[gr8_phk]

I've been looking forward to a time when everyone gets at least one fixed IP address. Want to run a server of any sort? No? How about a mail server built in to your cable modem? Or do you like your email getting stored at your ISP? Then there are any number of handy p2p type apps that will benefit. VOIP comes to mind - without needing to subscribe to a directory service. Fire up gnome-meeting or whatever and enter your friends IP (well the software could remember it for you) - the same IP they have every time. Actually, fixed IPs for everyone reduces the role of the ISP to simply being a network connection like they should be. Also, it takes effort from developers to get software working through NAT, so the burden on them should be reduced.

Waste

[Ed Almos]

If the IP 4 address space was properly allocated then we could probably get another ten years out of the system. We have for example BBN occupying three class A blocks and HP taking another two or three. Set against this is the continent of Africa which is assigned one block.

Ed Almos

Not any time soon.

[dills]

I have worked in the internet service business for over a decade now. I have seen a lot of things come and go, and a lot of predictions about when we would run out of IP space.

The bottom line is that the only people who realy WANT a rollout of IPv6 is Cisco. Why? Because the vast majority of their existing installed routers will not support IPv6 with anywhere near the same feature set and packet rate as those routers can handle with IPv4. Thus, IPv6 means people upgrading equipment that isn't really deficient.

Most people have no concept of:

a) How much IP space we have left.
b) How extremely inefficent we have been with a large percentage of the address space.
c) How much assigned, announced, and routed space is completely unused.
d) How much the rate of growth has flattened.
e) How wrong every prediction about when we run out of IP space has been thus far.

If you search the nanog archives, you'll see posts by myself going back many years stating essentially "Somebody tell me why we need IPv6 again?"

Do not hold your breath. We're 10-15 years away from IPv6, because it will take an even larger gross expenditure for the service providers to upgrade to support IPv6 than it did for the broadcast industry to upgrade to HDTV.

This is what industries that rely on revenue growth do when their customer growth flattens. They invent a new widget, come up with reasons why everybody needs it, market it, and hopefully everybody buys the product all over again. IPv6 is admittedly a good bit different; it was created by geeks in attempt to solve a perceived problem. However, it was siezed upon by the router vendors as a future "upgrade when growth flattens" path.

Don't buy into the hype. IPv4 is here to stay for a long time. Even when IPv6 starts to have some decent degree of market penetration, you will always find most of the devices on the net are IPv4 behind IPv6 to IPv4 NATs.

NAT is about a lot more than low address reserves

[jjeffrey]

I don't think that IPv6 will see the end of NAT at all. NAT is a very quick and covenient technique for consumer DSL routers to use.

For a start, a lot of ISPs only offer one address, partly to encourage people to buy more expensive packages with multiple addresses, and NAT transparently solves that issue.

There is no reason to assume that increased avilability of addresses will cause ISPs to offer more addresses to consumers - after all if they anticipate 100,000 single PC broadband connections, they are going to find it hard to get approval for 800,000 addresses (to allow a /28), even with the increased address space. And even when you do have multiple addresses allocated, what about the users that have one more machine than usable addresses? Small company networks etc? Now matter how many addressed IPv6 supplies, we will run out eventually, and much sooner than we expect.

Also low end ADSL connections often force NAT upon a user, allowing the vendor to create a differentiator between it's commercial and domestic offerings.

In the end NAT offers security, independence of allocated IP space to available addresses, simplified network management with an excellent delineation point between vendor and consumer (the ISP dosen't have to worry about what is inside the end user network), and a reasonable form of security. It's great for a small internet connected network.
 

Re:Love that quote

[Cheeko]

HP? IBM? MIT? Or anyone else who has a nice class A all to themselves ;) HP I belive actually has two (the original HP 15, and the old DEC 16). These companies/institutions will never run our of v4 addresses, so they likely will only push as hard as they are made to by their partners/customers.

Re:Is NAT Better?

[ryanvm]

NAT is not defense. The stateful firewall is defense.

NAT *is* a stateful firewall. That's how it works. It has to keep track of outgoing connections to remap those ports on the external interface. No outgoing connections == no port remapping on the external interface.

If you disagree, then explain to me how one could connect to a machine behind a NAT device if said machine has initiated *no* connections to the Internet. Sounds like stateful filtering at work.

Now, stateful firewalls are just as easy to implement on IPv6, so NAT is certainly not a valid reason for sticking with IPv4. But NAT is indeed a stateful firewall.

Re:Is NAT Better?

[LordSnooty]

The majority in new IP address growth comes from all the future gadgets, your house, the washing machine, fridge,

Ah yes, the fabled "Internet Devices". When will the companies realise that I have no need to control my washing machine from the other side of the world, or from work, for that matter. I survived this long without the useless feature, I think I'll manage. For nearly a decade I've heard about IP-enabled white goods, in that time I've seen precisely one device, an IP fridge [lginternetfamily.co.uk]. And it still can't ring up Tesco's & place your order.

Re:Already rolled...

[fm6]

Why do you need to wait to turn it on? IPv4 and v6 can run side by side.

If they run it, they have to support it. Not an extra expense they'll want to bear before they need to.

Everybody seems to think that the added costs of a new software product end with deployment. Not so.

Re:I can't understand why...

[xappax]

I know that Azeurus happily opens up a few ports on my router every time that I start it up. Whether this is a good idea security wise is another story...

NAT is not a security tool.
NAT is not a security tool.
NAT is not a security tool.
Network Address Translation was never intended to function as a firewall or a packet filter, it was designed exclusively to allow multiple computers to share the same IP at once. That's it.
The fact that NAT has some side effects which are similar to a firewall has been a big problem for network security, because it leads users and even administrators to believe that their network does not need a firewall because they use a NAT system.

We are finally, after many years, starting to see real firewall use become commonplace, and a XP even has an automatic software firewall now, but if it hadn't been for NAT, I bet people would've been implementing real, security-focused firewalls a lot earlier.

Re:Paying extra for fixed IP

[program21]

They'll still charge for static IPs even with IPv6. After all, there's not much reason for cable and DSL providers not to offer them for free right now. Most cable and DSL modems are always on and occupying an IP address anyway, and there's never been any mention of an address crunch at any big ISP (Cablevision, Comcast, etc.), so there's no technical reason to avoid offering static IPs.

Charging for static IP addresses is pure profit for these companies. A small change to the DHCP servers to indicate that a particular modem should always get a particular IP is all it takes (and only needs to be done once), but the money for that keeps rolling in. Opening up more addresses isn't going to change that.

Re:Is NAT Better?

[fm6]

...[NAT] basically acts like a firewall, but potentially a little weaker because it isn't designed to be a firewall.

Weaker how? If you can't address a node, how can you attack it? Not having your systems in the public IP space may limit your functionality (such as not being able to run P2P applications), but I don't see how it's less secure than the complicated (and thus fallible) filtering rules in a "real" firewall.

Re:Is NAT Better?

[freidog]

IPv6 implements some nice features that aren't aimed at a larger address space.
IPv6 provides for priority and quality of service information in the packet, allowing for better priority based routing.
It also doesn't permit for fragmenting packets, which makes life easier for both routing and stitching it back together at the destination.
And distrobution of the addresses is done more fairly. It's not the US and western Europe (to a lesser extent) grab the address space they'd like and the rest of the world can scrounge for what's left.

NAT does blur the line between Network layer and transport layer somewhat. NAT uses TCP or UDP ports to do routing. Good design would dictate that independant modules of a system should stay indepedant, NAT doesn't do that. Not that it's really a big deal here, there's not much change of a new transport layer protocol grabbing hold anyomre.

Re:Is NAT Better?

[saikatguha266]

Actually, NAT is better because it provides address space isolation. If your organisation has 500 computers that all have a public IP address, it is harder for you to switch providers (500 IPs is too small to get your own address space for). When you switch your provider, you have to renumber all hosts, fix config files, fix DNS servers etc -- a royal pain in the ass. A NAT allows your to keep your internal structure exactly the same while you switch providers. That address isolation is very important for small-mid sized companies.

Second, NAT helps multihomed corporations. For large companies, your 10k hosts are going to be distributed over many states/countries/ISPs ... and each site advertising its own address space is expensive for the ISP's because they cannot perform route aggregation (since your address space may not line up with the address space of each ISP). NAT solves this by having each site be NAT'ed behind that ISP's IP address (convinient for the ISP, cheaper for the company). The internal company network runs in the private space and when traffic crosses to the public internet, it gets an IP from the ISP it came out of ... consequently replies come back in through the ISP. Read: If you send a packet out of India, the response won't come back inthrough America ... which would otherwise require you to then forward it to India through your company's routers.

It is this address isolation and multihoming support that drives NAT use in small and large companies. Address space depletion has nothing to do with it. IPv6 does not fix these problems; companies will continue using NATs because NATs do.

Let the EU deal with it

[72beetle]

The EU is so hot and fired up to wrench control of the intarweb from the US, so let THEM deal with it. If we can't be trusted with the DNS system, seems logical to me that the EU would be much better off orchestrating and paying for the upgrade to IPV6.

Re:Love that quote

[Kadin2048]

Well if you look at the List of Class A address allocations [wikipedia.org] you'll see some possibilities of people who might not be interested.

In particular, Level 3 Communications has not one but two Class A blocks, the 4.0.0.0 and 8.0.0.0 blocks; "Comcast IP Services" has another one.

There are some oddball Class A assignments on there too. Who would have guessed that Ford has one? The US Postal Service? The Defense Department has something like seven, not a huge surprise given when the assignments were made. Halliburton even has one.

Anyway, reading down the list you can see that the people who already have their own Class A blocks are unlikely to care too much about how quickly v6 gets rolled out, at least for their own use. But some of the newer big-time tech companies who aren't on that list might have more of an interest ... Cisco, for instance, is not on there.

Re:Embedded?

[abb3w]

I don't think they included the fact that lots of devices are including internet conectivity, and looks like they could be TheNextBestThing, and would increase the rate IPv4 address space gets used up

But will this increase the depletion of IPv4, or just result in home NAT starting to support the use of CIDR/16 chunks of of 172.16/12 instead of CIDR/24 chunks of 192.168/16? As an example, my Zyxel DSL Modem was pretty trivial to switch over to using 10/8 on the inside its NAT, and would have been easier if it was a model that the manufacturer intended to allow a normal sized NAT pool. (The Zyxel firmware tries to prevent use of spaces above CIDR/30 for non-router hardware.) While my five-year old router isn't thrilled at this sort of thing, my 1 yr old Belkin router is completely content with any IP space I want to assign it.

So the question is, how many of these devices will have Internet (as opposed to LAN) VISIBILITY (as opposed to merely connectivity) be a feature?

Re:Is NAT Better?

[Gr8Apes]

NAT and firewalls (FW) are 2 separate things, as you can have NAT without a FW, and you can have a FW without NAT. Now, NAT, by its nature, inherently has some features in common with FWs, such as that it effectively hides ports unless they're mapped.

A second item is that moving to IPv6 will not necessarily remove NAT or the current 1 router many PCs setup so many of us have. ISPs in general have charged per IP connection/computer, considering each IP a separate computer. Do you honestly think that will change with IPv6? That ISPs are going to be nice and just let you wire up however many systems you want to their network?

I don't think they'd give up that type of revenue stream. (Besides, think of the security nightmare of locking down and managing security for all those items, like your refrigerator! You'd want some sort of appliance FW/NAT box, both to secure you and keep you from paying extra each month. The latter would be the selling point for most normal users.)

Excuses, excuses

[jd]

IPv6 address prefixes are defined up-stream. All you need to do is remember the one byte that indicates your router. The rest is imported. As for user machines, IPv6 addresses are automatically defined as being the router prefix + the MAC address. There is absolutely nothing for an administrator to do, with IPv6 networks, besides plug in the one byte designator and kick back.

The only admins who don't like IPv6 are those who are either ignorant of the way it works, or who are too hooked on being worked to death. Both need help, treatment and beer.

Re:Is NAT Better?

[michrech]

You, sir, are a moron.

There's nothing inherently more secure about NAT, it's just the way it's set up on most home routers. As a little experiment you can take a Windows box and put it in the "DMZ" of a normal home NAT box, which means that all ports and protocols get forwarded to it, just as if it was sitting on the public internet itself. It should end up getting owned by viruses and spyware just as quickly as if you plugged it into the modem, even though it's subject to NAT. The point being: the address translation isn't providing any security itself, its only because it's being applied selectively.

Of COURSE the Windows machine will get "owned" (as it were) if you TELL your FIREWALL/NAT device to forward all unexpected incoming connections to it!

Here. I've got one for you. Here's a condom. You can wear it while you have sex with whatever partners, but there is one particular partner for which I'm going to poke a hole in it for you.

Geez..

Fossil fuels

[totallygeek]

Interesting, but is 2 - 10 years as precise as they can be?
8 years seems to be a long time, to me.

Yep, and thirty years ago they said that we would be out of oil in twenty years. Go figure...

Re: hardware limitations

[FlippyTheSkillsaw]

Sure, the hardware /supports/ IPv6, but if you try to do both IPv4 and IPv6 on the hardware, you take the load way up.

As long as IPv6 isn't required to get everywhere, they can save money by using smaller/fewer routers to do IPv4 work.

In terms of just memory, you almost double the use by having a separate table for IPv4 and IPv6.

Re:Is NAT Better?

[SquadBoy]

Well yes. But, security, like ogres, onions, cake, and parafait should have layers. NAT provides a, yes rather weak, layer. But it is still a layer. So doing both is a good thing.

Re:NAT is about a lot more than low address reserv

[Midnight Thunder]

Yup, this is a big issue. People want to have the liberty to do what they want in their own home. After all when you put a nail into your own wall, do you have to phone up the regional governing entity or pay to do so? Why should we have to do the same for our private computers?

Re: hardware limitations

[FireFury03]

As long as IPv6 isn't required to get everywhere, they can save money by using smaller/fewer routers to do IPv4 work.

I think that rather depends on how much of the network is IPv6 only - if there's a large chunk that's only on IPv6 then refusing to support it would be like telling the customers "we've decided to not route any of your traffic to the US anymore because that's cheaper for us". Customers would be leaving them in droves - they don't need to understand _why_ parts of the internet are inaccessible, it will just become known that this ISP is crap because they have "firewalled" off part of the internet in the interests of cost saving.

Re:Explanation requested

[FireFury03]

what are the benefits to the average end-user?

Well NAT is a huge pain in the arse for anything peer-to-peer - for example VoIP.

Lets take Skype (horrible system that it is) for example. You want to make a call:

1. Caller A places a call to caller B. This involves talking to the Skype directory server and ggiving caller A the IP address for caller B.
2. The system realises that caller B is behind a NAT so caller A can't start a connection to B... ok, no problem, we just get caller B to initiate the session instead.
3. Oh wait, A is also behind a NAT so B can't start a connection to A.
4. Lots of nasty NAT traversal hacks are tried to tick the NATs on both ends into allowing the traffic through.
5. Sometimes the NAT traversal works, lets assume in this case it doesn't. The only way to get traffic between A and B is to go via a third party server.
6. Another random Skype user's connection (which isn't using NAT) is hijacked - both A and B connect to this Skype user and use his connection to pass the traffic. This means that not only is it sucking the bandwidth and CPU time up on the third party's connection, but that connection may vanish at any instant and there is added latency caused by going via a connection of unknown quality.

Whereas without NAT that'd just be a case of A connecting to B and all would be good.

Also, being about to log into my video recorder from my cellphone and ask it to record something would be cool :)

Re:Is NAT Better?

[illegalien]

But seriously, if IPv6 was so good, it would not require so much pushing. If the IPv4 exhaustion was real and imminent, it would not rquire so much pushing.

Haven't you learned anything from GWB: being proactive is better than waiting for "real and imminent".

Seriously... it is better in this case to be proactively preparing for the transition than to one day realize we *really* need IPv6 and are not capable of making it happen effectively. No one is saying it has to be a hard and fast cutover today. I don't see anything wrong with getting some momentum going and starting to work out some unexpected kinks before the need is *real and imminent*.

Re:Interestingly precise

[Anonymous Coward]

Mr. President, is that you?

The cost of unsupport

[fm6]

Not necessarily. Many ISPs provide non-core services that they don't offer support for; for instance, my ISP runs an NTP server, but the only support they provide...

And policies like that just don't work. Maybe with ordinary schmos like you, your ISP help desk can hide behind "That's an unsupported service." But suppose a customer who buys a huge amount of bandwidth and pays them 6 or 7 figures calls up, and says, "I have a mission-critical ap running off your NTP server, and it's broken! Help me fix it or I'm jumping ship!" What do you think they're going to say?

I mostly work in tech pubs (when I'm working), and this has been a constant issue for me. At some badly managed companies, I've seen engineers add SuperKewl Features to the product without authorization, thinking they can just throw them over the wall to the customers and forget about them. Wrong. I have to document their damn features, and that costs. If I don't document their damn features, then tech support has to handle the resulting calls, and that costs even more. And if tech support tries to tell a big customer, "Oh, that's an unofficial feature, we don't support it," that really costs!