China To Run Out of IPv4 Addresses In 830 Days

JagsLive writes "China is running out of IP addresses unless it makes the switch to IPv6. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet. Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used."

830 days? China?

[suso (153703)]

Try the whole world. According to this counter [entne.jp], the world will be out of IPv4 addresses in 768 days.

Re:830 days? China?

[ohxten (1248800)]

Really? I thought there was a separate internet in China...

Re:830 days? China?

[Van Cutter Romney (973766)]

Try the whole world. According to this counter [entne.jp], the world will be out of IPv4 addresses in 768 days.

So the world runs out of addresses before China runs out?

Did the Chinese government move themselves to outer space?

Blocks vs. sub-blocks.

[DrYak (748999)]

So the world runs out of addresses before China runs out?

The world will run out of new blocks to allocate (as in "254.xxx.yyy.zzz"), before China gives out all addresses in the allocated blocks it has (as in "www.254.254.254").

Nonetheless, IPv4 can only provide a little lower than 253^4 different addresses. What makes it worse is that it's allocated in chunks (some chunks are reserved like the 127.x.y.z family - other addresses may be free but land in a range which is allocated to some company and thus can't be used by your computer).

Thus even if some providers use dynamic IP (only those machine which are connected have an IP address - thus an ISP needs a chunk only as big as the number of simultaneously connected users, not as the total number of subscriber), and lot of router use NAT (only 1 single IP address is visible on ther internet. all the machine are visible through this address and use a private address on the internal network),
in a world where everything including your fridge is connected to teh interweb 24h a day, 7 days a week, we will quickly run into a situation where no more IPv4 address can be assigned to a new machine :
- the ISP has ran out of addresses in its chunk because there are more simultaneous connection (because everyone stays perpetually connected) that there are free address in the chunk (china will reach this point in 2-3 years)
- and there are no more new free chunk to allocate for the providers (all are already either reserved like the 10.*.*.* and 192.168.*.* range, or have already been allocated to others) thus now way to give more chunks with more IP to the ISPs (the world will reach that point too in about 2 years).

Re:Blocks vs. sub-blocks.

[truthsearch (249536)]

In our small business IP telephony is handled with DHCP. All calls get routed through an asterisk server. So we only need one static IP address for the whole phone system. We need asterisk as a PBX anyway, so it's no extra fuss.

Re:Blocks vs. sub-blocks.

[Bryansix (761547)]

Actually NAT DOES provide some sort of security. That is because by default nobody can see which devices sit behind the NAT. They also can't directly address them. So you want to see if your milk expired at home while you are at work so you can buy more if you need to? That problem has been solved. Your fridge had NO problem making outbound connections. It CAN upload the latest stats to a website that either you host yourself or a service from your fridge manufacturer. Need a better solution? Map the Public IP of the NAT but with a high unused port number to your fridge. Then whenever you connect to your SINGLE IP address but on that specific port it will serve up the stats on the fridge.

See there are two solutions already to your perceived problem.

Does your small business with 60 employees want to use IP telephony? In this case, each PC (or each telephone) needs a public IP. You can get away with routing this at the application layer, but why bother when it doesn't actually gain you anything?

Wrong! I deployed 100 Hosted VOIP phones in a NAT environment. My Router has 11 public IP addresses but the phones all use the same one. If I used SIP trunks instead it would be the same deal. Only the phone server would need a public IP for the SIP trunks; not each phone.

Re:Blocks vs. sub-blocks.

[ydrol (626558)]

"Actually NAT DOES provide some sort of security"

I agree, though being pedantic it's PAT and not (just) NAT

Re:Blocks vs. sub-blocks.

[QuoteMstr (55051)]

Actually NAT DOES provide some sort of security.

Sure, in the same sense that crushing an airliner into a cube makes it useless for terrorists. NAT breaks the internet, and when you break something, it's useless because it's broken.

You can filter packets with a firewall without doing any NAT at all. In fact, your life would be a lot easier without NAT. There would be no need for configuring ports. There would be no need for mapping and configuring and making and unmaking.

You'd plug things in, and they'd just work. Globally. You can allow connections to your fridge from work, or from anywhere. A firewall could do that. The fridge itself could do it. But you'd still be connecting to your fridge, and not some random port on some arbitrary gateway machine somewhere.

Going with your fridge analogy, why should it be a bad thing for a grocery store to connect to all the fridges it knows about in order to tell them about new products? Why this artificial distinction between "inbound" and "outbound" traffic?

Re:Blocks vs. sub-blocks.

[nutrock69 (446385)]

Going with your fridge analogy, why should it be a bad thing for a grocery store to connect to all the fridges it knows about in order to tell them about new products?

Dear Fridge,
You're out of SPAM!
- the grocery store

Re:Blocks vs. sub-blocks.

[QuoteMstr (55051)]

So why do you need NAT instead of a non-translating firewall?

Re:Blocks vs. sub-blocks.

[LanMan04 (790429)]

Actually NAT DOES provide some sort of security. That is because by default nobody can see which devices sit behind the NAT.

Well, kinda-sorta. If you look at the behavior of the IPid field of outbound TCP packets coming from a NAT/PAT router, which most of the time is untouched by the router, as well as the TTL field, you can make a pretty good guess as to how many devices are behind the router, and a rough guess as to their OSes.

The IPid field is usually used as a packet counter for a given OS, so it will increase in value by 1 for every packet sent. So if you have a few machines, each counting, you can group the outbound packets by IPid value. Also, various OSes have different default values for the TTL field (64, 128), so you can make a guess as to what OS it is as well.

See: "Passive Detection of NAT Routers and Client Counting," Straka, K., Manes, G., 2006 in International Federation For Information Processing, Volume 222, Advances in Digital Forensics, eds. Olivier, M., Shenoi, S., (Boston: Springer).

Re:Blocks vs. sub-blocks.

[gnick (1211984)]

So you can connect to your fridge and see if your milk has gone off from outside your home?

No problem. Just forward port 6969 (the standard port for FAP or Fridge Access Protocol) to the 192.168.1.x internal IP assigned to your fridge. Then you can FAP anywhere you have Internet access.

Re:More to the point

[deraj123 (1225722)]

I'll answer your question with another:
Why not?

Seriously. This whole "X doesn't NEED to be on the internet" is a ridiculous argument. It's simply saying "oh, having a PC and computer type equipment on the internet should be enough for anybody". The whole point of this internet thing is innovation. Sure, a fridge doesn't NEED to be on the internet. Unless I want it to have some functionality that requires internet connectivity. Same with my computer. It functions just fine, and doesn't NEED to be on the internet.

And why is "fridge can reorder beer for you" drivel? Is there some reason that a fridge SHOULDN'T reorder your beer? Sure, it's not a vital function, but neither most of the stuff that our technology does. Again, this is what innovation and technology is all about - improving the standard of living, making this easier, etc.

Re:More to the point

[Mister Whirly (964219)]

"Just how lazy are you?

As much as technology will allow.

Re:Blocks vs. sub-blocks.

[gnick (1211984)]

Doesn't matter - the IPv4 shortage is a myth.

DeBeers actually has plenty, but they're being hoarded away in vaults in Antwerp to keep the price artificially high.

Re:830 days? China?

[Prof.Phreak (584152)]

Did the Chinese government move themselves to outer space?

Nop. They've enabled NAT on their national firewall.

Re:830 days? China?

[morgan_greywolf (835522)]

There would be a lot more available addresses if companies that were given entire /8 blocks in the 80s and 90s (Ford, IBM, AT&T, Halliburton, etc.) were to give back those blocks. Most of those companies aren't even really using their /8 blocks anymore, with most of the addresses going unadvertised.

Re:830 days? China?

[by Anonymous Coward]

Shame Lehman didn't have a /8 block.

Re:830 days? China?

[mollymoo (202721)]

If 25 companies (are there even that many with /8s?) gave back their entire allocation, that would still only add 10% to the pool. That might buy a little time (a year, if we're at 80% and have two years left), but it's hardly going to solve the problem.

Re:830 days? China?

[Midnight Thunder (17205)]

A year is a lot of time. Think how much cheaper computers/routers get in a year. That's a lot of expense saved if they can delay switching over for a year.

Its simpler if people just started accepting that IPv6 is going to happen and adjust accordingly. For me its like having to accept Y2K was going to happen and acting accordingly. Believe me its much simpler to code the applications than go through the politics, and possibly technical issues, of getting someone to give back a block they don't appear to be using.

Get your ISP and your router manufacturer to provide you an IPv6 solution. That too is probably not easy, but if we all start making noise then they will start doing something - hopefully.

And what does that buy us?

[SmallFurryCreature (593017)]

IP4 doesn't have enough addresses, of course a managers solution is to put of the inevitable so that it happens on someone elses watch rather then taking the time we got now to develop and implement a solution.

IF pushing IP6 doesn't work in the roughly 2 years remaining THEN we can use the buffer of under-used blocks as a last reserve. if we use the reserves now, and do nothing then we still have the same problem, just a bit further away but this time with no reserves remaining and no work chance of it being solves in time.

You should run for president, you would do well with your solutions.

Uh Oh!

[Smivs (1197859)]

Sounds like it will be easier than ever to ring the Wong number!

Normal 'net access?

[i.r.id10t (595143)]

Do any Chinese citizens even have "normal" 'net access now? Thought NAT was used heavily, not to mention the GFWOC

Meet With Congress

[mfh (56)]

To get a quick infusion of 700 billion IP4 addresses -- NOW!

Peak IP4 is a Myth

[TimeTraveler1884 (832874)]

Peak IP4 is a myth; there are still plenty of addresses buried in the Canadian tar sands. However, in the short term, the only solution is to lift the ban on coastal drilling for IP4 addresses.

What is the point in having a public IP address

[jeffmeden (135043)]

When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that! Flatten it to a /8 network in 10.0.0.0 and put it all behind one public IP. Problem solved!

Q: Why is starting in the Subject: line annoying?

[DNS-and-BIND (461968)]

A: Because it breaks the flow of a message.

It's more annoying if subject and post don't...

[clickety6 (141178)]

Pease porridge hot
Pease porride cold
Pease porridge in the pot
Nine days old!

Re:What is the point in having a public IP address

[Artraze (600366)]

> When your WHOLE COUNTRY is behind a firewall? NAT the hell out of that!

The firewall is more figurative than literal. My understanding is that it basically bans certain IPs/domains. That can be done with a stateless system, while a true NAT/firewall would need to track all packets of all connections of all users. Not impossible, but insanely expensive. Plus it would have the unpleasant side effect of actually firewalling China (i.e. no incoming connections), whereas now they just don't let you view certain things.

The whole point is largely moot anyway. First, as was pointed out above, the entire world is estimated to run out in about 780 days, so they've apparently got more time then the rest of use. Second, the primary usage of IPs comes from blocks assigned to institutions and businesses, with the latter _requiring_ incoming connections. Could a business have one public IP and NAT/load balance their servers and whatnot? Sure, but they could always switch to IP6, which is gonna be a lot cheaper than all these NATs

So will the Interweb Gods force IPv6...

[Ortega-Starfire (930563)]

Or will they just open up reserved addresses or something stupid like that?

Netizen?

[by Anonymous Coward]

Netizen is really stupid word, we really don't need more buzzwords.

Re:Netizen?

[jbeaupre (752124)]

Worse, they are using "netizen" to describe people who aren't on the internet. Kind of like calling someone a pilot if they would someday like to fly a plane.

Re:Netizen?

[Ritz_Just_Ritz (883997)]

One World, Two Internets.

It's got a nice ring to it. LOL

Re:Netizen?

[Ambiguous Coward (205751)]

Kind of like calling someone a pilot if they would someday like to fly a plane.

Come now, this is Slashdot. It's actually more like calling someone a car mechanic, when they would some day like to work on cars.

-G

HP

[QuietLagoon (813062)]

When HP acquired Compaq, HP also got DEC's /8 block of IP4 addresses. Now HP has at least two /8 blocks of IP4 addresses.
.

C'mon HP, be a good netizen and give back the bulk of those IP addresses. Try using NAT instead of hoarding IP addresses that others so desperately need.

Re:HP

[Amouth (879122)]

on top of that if they would redo ssl so thatyou can support host headers that would allow allot of consolidation of webservices/sites by farm hosters..

personaly i think we are all just too lax about dealing with IP's..

Re:HP

[fprintf (82740)]

Sorry, I should have previewed!

If I were HP (or Ford or AT&T), I wouldn't be a good "netizen" before giving consideration to what the blocks of /8 addresses are worth. If they wait another 365 days or so, perhaps folks will start getting desperate enough to pay for them. Can you imagine the value those addresses will have to a rapidly expanding internet enabled population, like China, that also has the means to pay for it? It might be a whole lot cheaper for China to buy the blocks than implementing iPv6, even at an exorbitant, over-the-barrel rates HP might be able to get.

On the other hand, what is being a good player in the internet enabled worth anyway? Is there some intrinsic value in being good, or using the Google philosophy "Don't be evil"?

I say hold out for a while.

China will be first to use IPv6

[QuoteMstr (55051)]

I predict that we'll see China begin to use IPv6 addresses before most other people. Why?

• Extreme scarcity of IPv4 addresses: China gained internet access well after the era of enourmously wasteful address assignment [iana.org] ended.
• The great firewall is always set up as a traffic relay. Not only does it provide a natural point to set up an IPv6->IPv4 NAT gateway, but running IPv6 internally makes it that much more difficult for dissidents to bypass the firewall.
• China's strong central state would allow mandating of IPv6 and near-instantaneous implementation.
• Chinese sites are accessed by relatively few non-Chinese. Therefore, the penalty for running an IPv6-only site inside China would not be very great.

Granted, I'm no fan of China's human rights policies. But it definitely has an advantage in terms of adopting IPv6. Hopefully, when China switches protocols, it'll catalyze the rest of the world to do so as well.

In other news

[augustz (18082)]

Slashdot runs it's 15th story about IP addresses running out "real soon now". The first was something like 5 years ago :)

These stats ignore the fact that there are huge available allocations that can go behind NAT's. An ISP can NAT big chunks of its user network. Charging even a modest amount per IP would free up huge numbers of IPs. There are abandoned blocks (companies out of business) and wildly oversized blocks (MIT etc).

Plus, we've been hearing these stories for years. The idea that the internets resources are going to become ipv6 anytime soon is unlikly. So folks are going to figure out a way to manage the existing pool, where there is lots of room for improved efficiency.

Fun to keep on reading these stories... they're always written as breaking news :)

Re:In other news

[fabs64 (657132)]

Not a week goes by where someone doesn't trot out a new statistic on how P2P uses the vast majority of bandwidth on the internet. And you suggest NAT will be the solution to limited IP addresses.
*sigh*

The worst part is--

[straponego (521991)]

They're even running out of RFC 1918 addresses.

Don't worry...

[flowerp (512865)]

the LHC will end it quicker than that. They estimate some 90 days until they've got their repairs done ;)

They'll just do what they always do

[Centurix (249778)]

Impose a one IP address per family rule...

Why would China want to fix this?

[FireStormZ (1315639)]

Seriously their government is hell bent on controlling what goes into and out of that nation and what better way to do that than by forcing people to use a proxy..

NAT is not a solution

[QuoteMstr (55051)]

NAT is not a solution. It's a huge, gigantic clusterfuck of a problem. Some people only started their careers after NAT was widespread, so they can't imagine how wonderful the world is without it. The internet is much simpler when you can assume that all nodes can directly address all other nodes.

Look: this is what we've done.

In the beginning, each endpoint of a TCP (or UDP) connection looked like this:

[octet][octet][octet][octet][16-bit port]
[(------- host-------------)(--service--)

Each octet was routed hierarchically, and the port acted as an additional level of routing within a single node.

With CIDR, the model moved to this:

[32-bit opaque address][16-bit port]
(-------host----------)(--service--)

This change didn't hurt anything, aside from an increase in router complexity. Allowed the 32-bit address space to be used much more efficiently.

Now with the IP address shortage, the situation looks like this:

[48-bit address]
(----?---------)

Note how we've lost the distinction between host and service and smushed them all together into one huge opaque number. We've caused ourself lots of problems with this:

1. One can no longer tell which service is being used based on part of an endpoint address (i.e., the port.). Firewalls, proxies, and so on become much more complicated.
2. Only part of the endpoint address is provided by DNS. (I'm ignoring SVR records, which nobody uses.) Thus, part of the address needs to be hardcoded:
   • Every damn piece of software has to have a knob to control what port to use.
   • When software is too much trouble to configure, we use hardcoded port-parts. Consider SMTP and HTTP. When the port-portion of the big smushed address is hardcoded, Herculean efforts have to be made to route these services through NAT. Good luck if you want to run more than one SMTP server behind a given NAT gateway.
3. 48 bits still isn't enough to satisfy growing demand. What happens when you can't address the endpoint you want even if you use all the address bits and all the port bits? Do we start piling on in-band multiplexing? Should every protocol necessitate something like HTTP 1.1's host header?
4. Getting a publicly-routable endpoint address involves talked to one or more routers, which may or may not allocate a port for you. And this portion of the endpoint address is highly dynamic.
5. Because of the last reason, protocols that involve callbacks are complicated. FTP, for example, made perfect sense in the days before NAT. Now, it's viewed as a problematic pain in the ass that always needs special NAT rules and connection tracking to accommodate it.

These days, instead of saying "connect to mydomain.foo.cx", for example, you have to say "connect to mydomain.foo.cx at port 12345". That's out of band address information, and should never be needed. Imagine if DNS only gave you the first three octets an IP address, and every application requires you type in the last one in manually. That's what the world is like today!

Re:NAT is not a solution

[QuoteMstr (55051)]

Let's ignore in-band multiplexing being messy a hack. Let's ignore the lack of consistency between multiplexing schemes. Let's ignore the immense complexity of making routers understand every stupid little application-level protocol. Let's ignore the latency introduced by waiting for a connection to open before knowing where the next hop goes.

Even after all that ignoring, your proposal won't work. Not with anything resembling today's equipment anyway.

I'm Bob, you're Alice. (We can switch; I'm flexible.) You want to initiate a call to me. Let's say we've registered with a central directory, and the directory tells you that I'm at address A.B.C.D:12345.

But wait -- back up. What right do I have to use A.B.C.D:P? As far as I'm concerned, I'm at 192.168.1.1. So I connect to the directory and tell it I'm at 192.168.1.1, listening on port 12345.

The directory replies "what the hell are you talking about? That's not a public IP. Your public IP is A.B.C.D.". If you, Alice, try to connect to me at 192.168.1.1, the connection will fail, or go to your annoying friend Carol, whom you really don't want to talk to. OTOH, if the directory replies with A.B.C.D, how are you supposed to connect to me? Remember, I'm listening at 192.168.1.1 at port 12345.

Either I have to talk to my ISP and tell it "give me an external port and forward traffic on that port to 192.168.1.1 port 12345", or the directory server has to talk to A.B.C.D and tell it "Oh yeah. Your client 192.168.1.1. He's listening on port 12345. He told me so. Give me a port I can connect to you on that will have traffic go there."

The second scheme is clearly a security problem. The first requires cooperation from ISPs. UPNP sort-of addresses the issue, but not really very well at all.

Basically, you're reinventing an entire routing protocol. Poorly.

You need to upgrade ISP equipment to allow this sort of chit-chat to go on whenever somebody wants to listen for a connection.

What happens if your ISP is itself behind a NAT? What happens when you run out of ports?

The way you propose, it's turtles all the way down. It'd still be cheaper to just adopt IPv6 in the first place.

Why is everyone talking about pushing back IPv6?

[bugg (65930)]

Why is everyone in the comments talking about various steps (reallocating large blocks, more widespread NAT, etc.) that would allow us to push back IPv6?

It seems that we very close to the point where every device supports IPv6 (Vista adoption is helping this) but just isn't using it. Let's start turning it on. What better way to help the adoption than by having users who are IPv6 only complaining?

There's plenty of addresses left

[StoatBringer (552938)]

We've only used half the available numbers.
Just start using negative numbers: -248.100.-97.-201

Re:NAT?

[Shakrai (717556)]

Heck, they already firewall everybody -- why not just break IPs up into NATted subnets? The 10.x.x.x range should give them enough room for awhile, right?

Hmm.... 16,777,216 IP addresses divided by 1,300,000,000 citizens.....

Re:Please

[Spatial (1235392)]

Quite so. It's simply good netiquette.