The exhaustion of IPv4 address space

FireFury03 writes "Cisco has an interesting article talking about estimates for the exhaustion of the IPv4 address space, and the inevitable move to IPv6. It predicts that the IPv4 address space will be exhausted in 2 - 10 years and suggests that it isn't worth trying to reclaim old allocations. With the mainstream use of IPv6 now potentially within the ROI period of many products the manufacturers need to start including support, but will the ISPs roll out native IPv6 networks before they absolutely have to? IMHO, ISPs providing native IPv6 support would be a Good Thing since it opens up the door for peer-to-peer technologies such as SIP without needing nasty NAT traversal hacks, but a major stumbling block seems to be a complete lack of IPv6 support on current consumer-grade DSL routers (tunneling over IPv4 is an option but requires more technical know-how from the end user)." Of course, Cisco may have some vested interest in driving up the IPv6-compatible router sales *cough*, but the bottom line is that the transition will have to happen at some point in the near future.

I can't understand why...

[saskboy]

Why don't more routers that are sold today tout their IPv6 compatibility? Are they not compatible with the new protocol? If not why not?

NATs at home can only hold IPv4 together for so much longer. Soon a killer ap will come out that just doesn't want to be NATted, and the whole Internet using public will demand direct addressing [at least they'll demand a solution that requires direct IP addressing].

Is NAT Better?

[HugePedlar]

I remember reading a while ago that NAT actually turned out to be better than IPv6 by virtue of it "solving" the limited number of addresses problem and simultaneously providing a defence against simple hacking attempts by hiding your real IP address.

Can anyone explain whether this is true or not and why?

for anyone who can't tell wtf is going on

[s388]

TFA didn't help me get much of a clue. I tried reading it, and I said to myself: "aren't there one trillion possible IP addresses, available in principle? (minus 1)" just because of the 12-digit IP addresses i'm used to.

"The IPv4 address space has 32 bits, limiting it to an absolute maximum of 232 (roughly 4.3 billion) possible addresses. For both administrative and technical reasons (the latter in large part being related to routing), IPv4 addresses are allocated in blocks which are restricted to sizes which are powers of 2; this leads to many addresses being unused at any given time. In addition to this, substantial parts of the IP address space are not easily usable because of early technical decisions reserving them for private network use, loopback addresses, multicast, and unspecified future uses, which has resulted in some of these limitations being programmed into devices; working around these limitations will require substantial amounts of re-engineering to increase the amount of available address space. Finally, some of the IPv4 address allocations made early in the development of the Internet (in the 1970s), when only blocks of 224 possible addresses (called a /8 in IPv4 address terminology) were supported, led to some institutions that were involved in the development of the Internet having disproportionally large allocations. MIT, for example, has an entire /8 block allocated to it (224 addresses, about 0.39% of the whole internet address space) and various US Department of Defense agencies have several such blocks."

THANK YOU wikipedia.

Home routers

[bozojoe]

Perhaps this is an AskSlashdot, but who is making a decent(affordable) IPv6 router for the home? And where can one locate documents on SIP/RTP in IPv6 land?

Re:Interesting

[rubycodez]

yup, 8 years ago they were saying the ip4 space would be exhausted in next 5 years. Heck, I sat at a presentation on IPng in 1994 where that was said. At least such a statement is more true now than it was then, but I'll bet reclaiming old absurdly huge allocations of IP space could push this out beyond 10-12 years.

My cold, dead hands

[BJZQ8]

Until I absolutely HAVE to switch to IPV6, I will keep my much easier-to-remember addresses. Try to remember something like these:

fe80::02d0:c1ff:fe5c:0010/10

2002:c0a8:1122::5efe:0a01:0101/48

2001:7f8:2:c01f::2

I mean, DNS goes a long way towards turning that hex into something memorable, but as a sysadmin it does NOT make my life easier. Let's reclaim some of those /8 blocks allocated to people that barely use them, first. Does E.I duPont REALLY need 0.39% of the internet address space? Does Eli Lily? That is 16777216 addresses, for what? Does Eli Lily even have 16 million adressable devices? It seems to me that we have plenty of IPV4's, it's just the allocation stinks.

Re:Already rolled...

[Spetiam]

All I know is that if, once my broadband ISP serves up IPv6, they want to charge me extra for a static IP, I'll be pissed.

Re:Is NAT Better?

[fyonn]

I remember reading a while ago that NAT actually turned out to be better than IPv6 by virtue of it "solving" the limited number of addresses problem and simultaneously providing a defence against simple hacking attempts by hiding your real IP address.

well, it's not "better" as such, just a different solution. NAT is not a golden bullet though. Yes, it does, by and large prevent random machines on the internet directly contacting your unpatched windows desktop at home, but a firewall will do that too, and virtually every dsl router has a firewall these days too. I would like to see home dsl routers supporting native ipv6 but I don't know of any.

I think that ipv6 is a good thing to go for, but it's not finished (but then, is ipv4? :). there's lots of advertised features for ipv6 (mandatory encryption, mobile ip etc) that are good on paper, but aren't all that in the real world.

Mandatory support for ipsec is great.. except how many of us would use it? as there is currently no support for mndatory ipsec encryption to unknown strangers. you've got to be pre-configured for crypto. I'd like to see something like ssh. if you know the key then great, if you don't then you can accept and save one and then while you may not have verified the destination, you're at least protected on the wire. yes, they also need to sort out authentication and perhaps some form of certificate distribution, but lets make a start on something useable.

mobile IP. sounds great! I can be using my ipv6 pda via my mobile phone and as I walk into my house, it picks up my wireless net and my downloads speed up instantly, all the while not dropping the voip call I'm making. or I'm using a laptop on the train and as it flits from hotspot to hotspot I don't lose any of my connections. sounds great! how does it work? you tell me, details are not easy to find. ots of talk, few working implementations (if I'm wrong, please tell me, I'm genuinely very interested).

working with networks as part of my job, I know how useful and really annoying NAT can be, and I really think it should be an option, not a requirement. I'd love to see ipv6 rolled out and see what changes it brings, but I also think it needs a fair amount of work still.

dave

Re:Is NAT Better?

[FireFury03]

I remember reading a while ago that NAT actually turned out to be better than IPv6 by virtue of it "solving" the limited number of addresses problem and simultaneously providing a defence against simple hacking attempts by hiding your real IP address.

NAT in itself doesn't provide any extra security - the connection tracking needed by NAT is what provides the security (and you can do this equally well without using NAT). I wrote an article [nexusuk.org] on this subject a while back.

Whiles NAT does to some extent "solve" the limited number of addresses problem, it also creates many more problems. The Internet was designed to be peer to peer but NAT turns it into a client/server model. Whilest client/server works fine for "traditional" applications such as web surfing, it's a major stumbling block for peer to peer services such as VoIP, which have to employ various hacks to trick NATs into letting the peer-to-peer traffic through (with varying degrees of success). The likes of Skype are designed to hijack the connections of random Skype users who don't have NAT and use them to route traffic between peers who do have NAT when the NAT traversal hacks fail.

Examples

[overshoot]

$FORMER_EMPLOYER has several Class B address spaces but keeps the entire internal network behind proxies and doesn't even support internet DNS lookups for machines in the intranet. Net result is that the entire company could present less than a Class C to the internet at large.

In general, corporate networks today are so completely firewalled that they might as well be behind NAT, and some (bless 'em) are -- Intel for one uses nonroutable addresses internally.

Paying extra for fixed IP

[3770]

So, today you have to pay extra to get a fixed IP. I can understand that, somewhat, because there is a limited number of IP-numbers.

Now, if we have an unlimited number of IP-numbers, then I will be pissed if they expect me to pay extra for a fixed IP. What is their explanation and motivation for a higher price for a Fixed IP?

So maybe one of the reasons that they are trying to delay the introduction of IPV6 is because they know they will no longer get the extra income from customers that are paying for a fixed IP.

Network Operators thoughts on IPv6

[br00tus]

I went to a NANOG [nanog.org] meeting in 1997, at which were many of the bigshots of network operation - Van Jacobsen (author of traceroute and Van Jacobsen compression, which you may recall as a checkable option on Windows 3.x's Trumpet Winsock), Paul Vixie (of BIND and MAPS fame), Kim Hubbard (of ARIN), Mark Kosters (of Network Solutions) and that type.

Anyhow, I myself was curious about if/when IPv6 would be rolled out. One of the talks was about how to deal with IPv4 space running out, and a lot of the talk revolved around such things as multiple web sites running on the same IP (which was very uncommon then) and other ways to use less address space. Some audience members gave other suggestions for conserving IP space such as ways to use Network Address Translation to limit public IP use. I would say the feeling in the hall was that this was not a problem, and that people had to go the route of IP sharing, and aside from the need for more IP sharing, everyone pretty much liked the situation as it was, which was in contrast to the prevailing attitude in the world outside the hall. One audience member rose his hand and said, "What about IPv6?" The response to this was the entire audience broke into laughter - it was the funniest thing they had heard that week. After that I began thinking about IPv6 more along the lines of projects such as MBONE [savetz.com] (anyone remember the hooplah over that years ago?). Not that IPv6 will never be implemented, but this story that IPv6 was needed straightaway could have been written 8 years ago. I haven't seen much headway in it in the past 8 years, except for products promising they were IPv6 compatible, just in case. Not that IPv6 will never be rolled out on a large scale, but I'm not holding my breath.

Re:Already rolled...

[comcn]

Try Andrews and Arnold [aaisp.net.uk]. I've had IPv6 (via a tunnel from their network) for the last two years with them. Native IPv6 (without a tunnel) is integrated into the new router they are developing, and should be live by the end of the year (only problem is finding an ADSL router that will support it, but you can use an ADSL modem and Linux, for example).

Re:I predict that...

[NotoriousQ]

double the address space for the same price

No, there will not be a doubling of the address space, just the name space. Same internet, twice th ICANN. Now people will have to purchase domain names from two registrars to be listed on both DNS systems. And the moment this happens there will be a flurry of activity to develop rootless DNS systems, from which all will benefit.

Submarine Patents AHOY!!!

[ObsessiveMathsFreak]

Let's not forget that any rollout of IPv6 aware devices is going to be plauged by patent litigation. Turns out that just before its release, and lot of "Intellectual Property" "Firms" simply guessed the IPv6 standard, or parts of it, and bought^H^H^H^H^H^Happlied for corresponding patents from the USPTO rubber stamping office.

That means for around the next 20 years we'll have the whole RSA debaucle played all over again in the IPv6 sphere. Expect to see "Innovative Ideas" lawsuits gouging money from OS makers and especially makers of routers(esp consumer grade) and other networking devices.

Look on the bright side thought. With any luck, we'll run out of IPv4 addresses before the litigation finishes, and then someone really WILL have to do something about it!

Re:Already rolled...

[Waffle Iron]

hey moron, the reason you get charged for a static ip is not because of the lack of ip's, but because of the extra labor required to manage your static ip

No it's not. The reason they charge more is because they're charging what the market will bear. They figure if you want a static IP, you're trying to run some kind of server, and you're probably willing to pay more for it.

If IP6 effectively gives every device in the world a static IP, then the upsell oportunities associated with the witholding of static IPs by the ISPs go away. That's why I don't see many ISPs supporting IP6 any time soon.

Re:Interesting

[Hizonner]

Yeah, they said the address space would be exhausted AND THEY WERE RIGHT. The only reason we're not out of addresses now is that people made a fundamental change in the network architecture by deploying NAT (primarily because IPv6/IPng wasn't ready), and using RFC1918 private addresses. NAT is a nasty kludge that breaks all kinds of things. Furthermore, NAT has been done, so it's not going to save us again.

Re:Is NAT Better?

[Frank T. Lofaro Jr.]

IP address exhaustion is like Peak Oil.

There is a time where the problem is looming, but taking action then will mitigate a lot of the damage.

Or one can wait until it is having severe impacts, and then we will all be hosed very very badly.

For *business* customers maybe, for a price.

[Bob_Robertson]

I recently asked my cable ISP what their IPv6 gateway was. They said, "We don't provide that service. Maybe you should upgrade to a business account."

They only offer multiple client services on business accounts, so technically I'm already in violation of their rules because of using a router and NAT even though I run no "server", just a couple of PCs.

Yes, Cisco has a vested interest in replacing all those legacy IPv4-only cigar-box routers like mine. Yes, my IP provider would love a reason to raise rates or otherwise push me into a "business" account (and thereby charge me more).

Fact is, I won't be buying a new router, I'll just recycle one PC into place as a gateway and continue to hide behind NAT because I don't care to pay business rates for home PC use.

No matter how much I dislike IPv6 because of its "second system" bloat, I have yet to find a free IPv6 tunnel provider. Yes, it's my fault, people tell me they're out there I just cannot find them.

Bob-

Re:Is NAT Better?

[FireFury03]

Mandatory support for ipsec is great.. except how many of us would use it?

Well, all those businesses that currently shell out rediculous amounts of money for VPN solutions I suppose. Things will get more interesting if DNSSEC (shoving X.509 certificates in DNS records) gets widespread and easier to use - at the moment it's horrendously complex to set up.

I think in the long run it'd be nice to use IPSEC with DNSSEC instead of SSL, etc. There are some advantages - for one thing, once the keys have been negotiated between 2 hosts then that's it (until they expire), no having to renegotiate the encryption for every connection with the associated multiple round trips needed. Of course it'll cause firewall administrators a headache since they can nolonger filter packets by port number.

Re:Is NAT Better?

[asdfghjklqwertyuiop]

Exactly. What the H*ll is a packet with a source or destination IP address of the private address space doing on the public internet? Why don't ISP's filter this crap at its source, the networks edge, instead of making me deal with this fluff.

They do. That doesn't save your ass in these situations:

Scenario 1: ISP gets hacked. Attacker sets up routes to your internal network. Attacker now has full access to your network and never even needed to lay a finger on your "firewall".

Scenario 2: Broadband ISP has everything set up such that the outside IPs of all customers in the area look like they're all on one big ethernet. Road Runner (Time Warner's cable ISP) works this way. Other customers in the area can set up routes to your LAN right on their own routers.

And people who consider the security of their own networks "fluff" are better off not being connected to the internet at all. They're just providing connectivity to that many more spam/ddos zombie hosts.

And for the record, have you actually tried this little experiment?

Yes.

most devices I know of would just drop that clearly troubled packet in the old bit bucket, not carefully move it to the "right side of the fence".

Most devices you know of (ie, cheap consumer broadband routers) are not capable of being confiugred to perform NAT without filtering, at least not through the idiot proof web interface (and that's certainly a good thing).

Re:Is NAT Better?

[QuantumRiff]

Actually, while not directly connected to the internet, a College I work with has started to move all of their classroom flouresent lights to IP addressable dimmable balasts. This enables them to adjust the light, depending on the ambient light coming in from the windows, having certain lights dim when the network gets a broadcast saying the networked projector is turning on, alert maintenance when a light burns out, alert someone to the fact that the lights have turned on at 3 am and maybe security should head over and check it out, and other fun stuff.. Also, all their sound is now over IP. I know, this is not "over the internet" and does use private IP address space, but still, there are more IP devices coming out than you would think..

Re:Explanation requested

[sploxx]

Will there be measures in place that prevent the massive privacy problems of a fixed IP? I mean, it sounds a bit ugly to have anything I'll ever search or browse directly and eternally linked to my name/IP, with every website operator knowing who does what when on their sites? (Apart from larger entities such as goverments, ...).
Right now, I can in most cases hide behind a /24.

This question is partly rhetorical, as I don't think that this will be the case. But if anyone here knows about recent developments in this area, I'd be glad to hear!

Re:Interesting

[AuMatar]

But no buisness will ever implement a v6 address when v4 users can then not access them. It would incredibly stupid. Thats why we can't just stop handing out v4 addresses.

Its not like there aren't plenty to go around still- HP owns 2 class As now, and a handul of universities own a full A as well. Reclaim a major portion of them for reuse.

Re:Is NAT Better?

[quantum bit]

Since you had a clue when you set up the network (right? :), all your addressing is done through DNS and your machines are configured by DHCPv6 or the native IPv6 router discovery protocol (which is part of the IPv6 stack), so just changing the prefix on your router and in DNS will cause your entire network to migrate over to the new network automagically.

Hahahahahahahaha, yeah right!

DHCP has been a internet standard RFC for what, 8 years now? DNS for over 20? And yet there are still brand new devices (copiers, network timeclocks, etc) that don't support either standard correctly. Devices which don't even work correctly with DHCP and IPv4, which have to be statically assigned and addressed by IP address because the vendor's crappy software won't do DNS lookups for some unknown reason. Or that claim to support DHCP, but in reality request a lease once and never try to renew it.

As much as I'd like it to be true, corporate networks are not in any way ready to go fully dynamic. Renumbering, whether with IPv4 or IPv6 will always be painful. IPv6 makes it worse since it strongly discourages private address space.

Re:Is NAT Better?

[Spy Hunter]

Wrong. Firstly, IPv6 provides support for automatic network renumbering, which solves the real problem instead of hacking around it with a band-aid that ultimately changes the network architecture. Switching ISPs with IPv6 is easy. Secondly, your multihoming example doesn't require NAT at all; why would it? Each site uses its ISP's address space, and you can set up your internal routing however you like.

Re:ADSL IPv6 router - Re:Already rolled...

[Martz]

I have bought and installed several Cisco 837 ADSL routers for use with UK ISPs, and they have all been superb compared to the typical cheap ADSL and Cable routers made by the likes of Belkin, Linksys, SMC, Negear etc.

Don't get me wrong - with most of these other routers now there isn't anything really wrong with them, it's just the Cisco 837 is exceptionally stable and never requires a reset or a poke to awaken it, like some others I have mentioned above. YMMV.

Look out for the Cisco 837 SOHO version, and save a large wedge of money too! Expect to pay around £350 for the non-soho.

(I don't work, nor am I associated with Cisco :P Just a happy customer, for once)

Re:Is NAT Better?

[shreak]

Here's one that's not layer 3, and isn't an application bug and NAT takes a huge crap all over it.

I have a control stream (TCP/UDP doesn't matter) that I can successfully set up from within my NAT'ed network to an external machine. This control stream signals that we're going to set up two media streams, one from me to him, and one from him to me. They're over UDP.

I send him the port # I'm opening on my machine to receive the stream he's sending.

I never get the media he's sending. Want to know why?

Because I opened port 20057 on my machine but nothing happened on the NAT machine who is refusing to relay the media.

Many protocols use this technique and have to jump through hoops to get it to work through NAT.

NAT good riddance!

=Shreak

Re:Interesting

[Detritus]

Greedy bastards? I'd call them pioneers. They helped create the Internet.

Your comment reminds me of the people who will buy a house next to a rural airport and then complain about the noise and try to shut it down.

Re:Is NAT Better?

[asdfghjklqwertyuiop]

Perhaps your point isn't clear. The cheap NAT gateways (actually PAT, see below) everyone else is talking about don't do this (ie are secure), but I assume you are refering to a larger scale Cisco Router that a begining network admin might activate NAT on thinking it will secure him.

Yes, that's right. But most of the cheap NAT gateways probably function that way interally also. It is just the web interface that prevents you from setting it up in that way.

For example, a number of linksys routers run linux. Linux can definitely be configured to NAT and NAT only, and it won't drop a thing. It is just the linksys web interface that prevents you from configuring it that way.

Honestly, your concerns sound like a seriously broken NAT implementation. If the "device" is not explicitly listening for the private IP address on the outside interface, why the heck isn't it dropping the packet thats not meant for it?

It isn't broken. It just isn't a function of NAT to decide to drop or accept packets. NAT just rewrites or does not rewrite. In just about every type router there is, NAT and firewalling are separate and distinct things. The NAT standards don't specify dropping packets if they can't be rewritten, and it is just good design to keep those things separate. It gives you more flexibility and power and makes debugging easier.

The decision wether to drop or accept is a function of the firewall.

There's nothing broken about a NAT implemenation that only Translates Network Addresses. It would be broken if it ever did more than that.

Re:I can't understand why...

[mrchaotica]

Why don't more routers that are sold today tout their IPv6 compatibility? Are they not compatible with the new protocol? If not why not?

You know what's really ironic? Not even the Linksys WRT54G, which is made by Cisco, supports it with the default firmware.

Re:Interesting

[Pii]

Couple things...

First - Hearing people talking about Cisco, and other companies, drumming up hype so that they can start selling new-fangled IPv6 capable routers is getting old... The Cisco router you already have will do IPv6 today. It's a software change.

Second - Why do people seem to insist that by turning on the IPv6 website, somehow that will prevent people from accessing the IPv4 website? So many ways to address this: Enabling a second network stack on the existing host; Standing up an additional server to host the IPv6 version; putting a 4to6 gateway in front of the website...

IPv6 is coming. It's going to be a difficult transition, but the sooner it happens, the better for us all. Doing it sooner means less "transition work," because the installed base continues to swell.

Re:My cold, dead hands

[jxs2151]

Please explain how it is a benefit to be over allocated IP addresses by a huge margin?

Anything that is limited is valuable. Supply and demand. Think real estate. They aren't going to make more ip addresses, at least not in IPv4. That makes the ip addresses valuable and that's why MIT et al are not going to willingly give them up.

reserving address space for certain entities

When they were handing out addresses they had no idea that this thing would be wildly popular. Why ration (reserve) when you have no inkling that you would need to. Do you reserve water today from your grocery? Why would you, after all there is plenty of water. However, fifty years from now someone is going to wonder why we didn't. See how the idea of plenty works?

Who said anything about evil corporations?

Not you apparently. I got you confused with the parent. Now relax, this is just a discussion forum. No need to get mad at early risk takers just because they won't give up something willingly that they earned by taking an early risk.

Not an issue...

[cookiepus]

Sorry to be a ludite but this is really not an issue. Greanted we're placing more devices on-line, but so what? If I need to telnet into my toaster, I can just have my router forward a particular toaster port to it. He doesn't NEED his own IP. Similarly, do all the 1000-plus apartments in my building need to have separate IPs? Why? Most people read e-mail and look at websites, they don't need to host anything. We can all be on a LAN with a single internet IP, just like resnet in college was. Why not? if somebody needs an IP they can have their service set up that way but most of us don't give a shit.

I know, I know, there are more people in the world than there are IP addresses or whatever, but so what? I'd say that billions of people don't have a shot at owning a PC in their life anyway. Those who do can probably share IPs too.

It's a made-up crisis. There's nothing wrong with IPv6 but there's absolutely no dire need for it.