IPv4 Address Crunch In 2 Years, IPv6 Not Ready 539

An anonymous reader writes "We've known for ages that IPv4 was going to run out of addresses — now, it's happening. IPv6 was going to save us — it isn't. The upcoming crisis will hit, perhaps as soon as 2010, but nobody can agree on what to do. The three options are all pretty scary. This article covers the background, and links to a presentation by Randy Bush (PDF) that shows the reality of the problem in stark detail."
  • Dupe (Score:5, Informative)

    by suso ( 153703 ) * on Friday February 22, 2008 @10:06AM (#22513970) Journal
    Here is the story from a few weeks ago [slashdot.org]

    And as I said before, the solution is to take back some of those huge class A blocks from companies like HP, Ford and GE, which are not using all the space. That would buy a few years.
  • Re:Dupe (Score:5, Informative)

    by Silver Sloth ( 770927 ) on Friday February 22, 2008 @10:12AM (#22514034)
    RTFA - which says

    ... there are ideas for managing the address space more efficiently by introducing auction and other pricing mechanisms to encourage better use (people who don't need their allocation will flog them off rather than hoarding them, while new uses will be parsimonious in their approach), but the developing world sees this as unfair in the extreme. You can see their point.

    There are other problems: how do you route IP addresses when the existing hierarchy breaks down due to address spaces moving through the network? Who's responsible for managing an increasingly incoherent network? Who foots the bill when your address space is sold from underneath you? In any case, it doesn't solve the basic problem - it merely makes it increasingly expensive to innovate.
    so it's not quite that easy...
  • Bad, but not fatal (Score:2, Informative)

    by Anonymous Coward on Friday February 22, 2008 @10:18AM (#22514108)
    There are measures in place to try and aid in conservation as the migration occurs. RFC 3021 provides the ability to utilize /31 address space on point to point links instead of a /30. This will literally halve address utilization by point to point links (a significant use of space among carriers). It requires some work to renumber, but following that, space can be re-allocated for other things. Cores can also be built into v6 space before transported networks killing more space. Private space can be utilized for equipment management instead of utilizing public addresses for everything. There are many ways that at least on the carrier side, this can be pushed off a bit with a little work, while the v6 migration continues. Carriers are crafty, they will find a way to make it work.

    All of that said, that just means I think we will find a way to get by until V6 is fully in place. Not that we should forgo finishing V6 migrations.
  • by Anonymous Coward on Friday February 22, 2008 @10:21AM (#22514136)
    The basic solution to this problem is to deploy IPv6 as soon as you can, figure out what problems remain to be solved before you can use IPv6 100% and then put pressure on your ISPs, vendors, etc. to solve these problems. That's how the Internet grew like topsy in the first place, and it's not too late to get this going. Two to three years is enough time.

    ARIN has published a web site which collects information about how to move to IPv6 here: http://www.getipv6.info/ [getipv6.info]
    It's oriented towards the things that ISPs and other service providers (hosting centers, large IT depts) need to do to get IPv6 working in production.

    Soon, the stock market analysts will be asking the big ISPs and telecom companies what actions they are taking to avoid going bankrupt in two years when the crunch hits. Any company that can't get new IPv4 addresses will have to stop growing their IPv4 networks. If they have an IPv6 network to take up the slack, no problem. If not, then customers will flock to the providers that have IPv6 ready to roll.

    There was a network operator meeting at NANOG recently where they showed that it is almost possible to provide full Internet access, both IPv4 and IPv6, using an IPv6 connection. Yes, I know, "almost" means there were problems, but they were not massive problems. They were the kind of things that people were working on fixing with IPv4 networks back in the early 90's. And they did that because they went ahead and built IPv4 networks and tried to make them work for everything imaginable. When things broke, they fixed the bugs and moved on, eventually becoming the global Internet that we know today.

    There is a way to avoid going bust when the address crunch hits in two-to-three years and that is: Get yourself IPv6 Ready!
  • The IPv6 mess (Score:2, Informative)

    by philippic ( 1008271 ) on Friday February 22, 2008 @10:24AM (#22514160)
    I think this article [cr.yp.to] by Dan Bernstein is a pretty good read regarding this subject.
  • SSL (Score:3, Informative)

    by mother_reincarnated ( 1099781 ) on Friday February 22, 2008 @10:24AM (#22514168)

    would it be feasible to host, for example, 100 different websites on one ip using header information? or does that have traffic spike issues/ latency issues/ wasted cycles involved?
    The real problem is https not http - you don't get the host header until well after you had to present a certificate to the browser. For http 100 'virtual host-by-name' sites on one IP wouldn't even break a sweat for a good setup.
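
    What later made name-based HTTPS hosting on one IP practical is the TLS server_name (SNI) extension, which carries the host name in the ClientHello before any certificate is sent. The parser below is an added example written for this page, not code from the post; the ClientHello it parses is constructed inline for testing.

```python
"""Minimal TLS ClientHello parser that extracts the server_name (SNI) extension.
A TLS front end can use the returned name to pick which certificate to present
for a host on a shared IP, because the name arrives in the very first message."""
import os
import struct

HANDSHAKE_RECORD = 22
CLIENT_HELLO = 1
SNI_EXTENSION = 0x0000
HOST_NAME_TYPE = 0x00


class Reader:
    """Cursor over a byte string with bounds checks, so truncated or hostile
    input raises ValueError instead of being silently mis-parsed."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError(f"truncated TLS data at offset {self.pos}")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos >= len(self.buf)


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS record holding a ClientHello,
    or None when the client sent no server_name extension."""
    r = Reader(record)
    if r.u8() != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    r.u16()                                   # record-layer protocol version
    hs = Reader(r.take(r.u16()))              # handshake message bytes
    if hs.u8() != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = Reader(hs.take(hs.u24()))
    body.take(2 + 32)                         # client_version and random
    body.take(body.u8())                      # session id
    body.take(body.u16())                     # cipher suites
    body.take(body.u8())                      # compression methods
    if body.done():
        return None                           # old-style hello, no extensions block
    exts = Reader(body.take(body.u16()))
    while not exts.done():
        etype, edata = exts.u16(), exts.take(exts.u16())
        if etype == SNI_EXTENSION:
            return parse_server_name(edata)
    return None


def parse_server_name(ext: bytes):
    """Walk the ServerNameList and return the first host_name entry."""
    r = Reader(ext)
    names = Reader(r.take(r.u16()))
    while not names.done():
        ntype = names.u8()
        name = names.take(names.u16())
        if ntype == HOST_NAME_TYPE:
            return name.decode("ascii")
    return None


def build_client_hello(host_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello (one cipher suite) used to exercise the parser."""
    exts = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, HOST_NAME_TYPE, len(name)) + name
        exts = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("shop.example.com")))   # shop.example.com
    print(extract_sni(build_client_hello()))                     # None
```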
  • by RPoet ( 20693 ) on Friday February 22, 2008 @10:36AM (#22514276) Journal
    Squatter domains typically don't have unique IPs.
  • by JoeD ( 12073 ) on Friday February 22, 2008 @10:38AM (#22514292) Homepage

    1. Home routers that support IPV6 off the shelf.

    2. Cable/DSL modems that support IPV6 off the shelf.

    3. (The biggie) ISPs that hand out IPV6 addresses.

    In a vain attempt to forestall the inevitable followups:

    Yes, I am aware that I could install new software in my WRT-54G, and convert my home network to IPV6. But as long as my upstream connection is IPV4, this gains me NOTHING except a bunch of aggravation and downtime getting the thing set up. No thanks. When my ISP supports IPV6, then and only then will it make sense for me to convert.
  • Itojun (Score:4, Informative)

    by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Friday February 22, 2008 @10:39AM (#22514304) Journal
    Yeah, we always fall back on the government to help us out when us nerds aren't satisfied with how capitalism is driving the technological trends that need to happen.

    But let's not forget those that went before us. Jun-ichiro Hagino [itojun.org], better known as Itojun, was one of the first researchers that was pushing for IPv6 since as long as I can remember (at least 2001 [onlamp.com]). On top of that he was developing specifications for it and working through the BSD code to make it one of the first operating systems fully capable of being IPv6 compliant--starting a trend that needs to happen in more operating systems sooner. He even started documenting draft APIs [ietf.org] to get developers thinking about how this would work inside software.

    And then he died in a car accident at age 37 [icann.org]. It's funny how you don't appreciate their work until they're dead [cisco.com]. Almost like a painter or author.

    Although many still carry on his work, the saddest part is that all his efforts to bring awareness to everyone about IPv6 may fall into the responsibilities of the government or, worse, capitalism.
  • by ModMeFlamebait ( 781879 ) on Friday February 22, 2008 @10:40AM (#22514312)

    Except you can't NAT a NATted connection.
    Sure you can.
  • by Tranzistors ( 1180307 ) on Friday February 22, 2008 @10:42AM (#22514338)

    Last I heard, two NATted clients can't talk to each other.

    Unless you have port forwarding (or how do you kids call it these days)

  • Re:Tell MIT and IBM (Score:4, Informative)

    by beuges ( 613130 ) on Friday February 22, 2008 @10:45AM (#22514372)
    As a commenter above posted, each of those companies with top-level blocks actually owns 16,777,216 IP addresses. These companies include IBM, MIT, Ford, DEC, AT&T, Apple and Xerox.

    As big as IBM and MIT may be, do you really think they need almost 17 million IP addresses?
  • Re:Well duh (Score:3, Informative)

    by upside ( 574799 ) on Friday February 22, 2008 @10:54AM (#22514490) Journal
    Never mind pr0n, how about industry leaders with deep pockets like Google, Yahoo, Sun and Microsoft? Not one has an AAAA record for their web servers. It's pretty pathetic.
  • Re:Dupe (Score:3, Informative)

    by gclef ( 96311 ) on Friday February 22, 2008 @10:56AM (#22514516)
    We allocate 10-12 /8's [potaroo.net] every year, and that rate is increasing. Reclaiming legacy allocations is not going to help.
  • by suggsjc ( 726146 ) on Friday February 22, 2008 @10:59AM (#22514554) Homepage

    Except you can't NAT a NATted connection.
    Sure you can. All NAT does is take one IP address, monitor connections and spread/translate the unique connections across different ports. The device doing the NAT doesn't care "where" it gets its source IP from, it just knows that it has an IP and it splits the connections to that IP. The only potential issue is if the first NAT runs out of available ports. However, at that point its routing table would be huge and it would probably begin to degrade in performance (depending on the hardware).
  • Re:Tell MIT and IBM (Score:4, Informative)

    by gclef ( 96311 ) on Friday February 22, 2008 @11:04AM (#22514612)
    God damn, I'm tired of fighting this meme. Look, as I mentioned in another response, we allocate 10-12 /8's [potaroo.net] every year, and that rate is increasing. Reclaiming MIT & IBM's /8's would buy us approximately 2 months at our present allocation rate. The negotiation to make that allocation possible would take far longer. Reclaiming space is not a useful activity at this time.
  • Re:Well duh (Score:3, Informative)

    by Anonymous Coward on Friday February 22, 2008 @11:08AM (#22514664)
    you don't get to be president because you're Joe Average from Missouri

    Harry Truman.
  • Re:Well duh (Score:3, Informative)

    by Yvanhoe ( 564877 ) on Friday February 22, 2008 @11:15AM (#22514750) Journal
    Ok, should have RTFA. The fact that most equipment is IPv6 compatible would be a myth.
  • by anticypher ( 48312 ) <anticypher.gmail@com> on Friday February 22, 2008 @11:26AM (#22514904) Homepage
    But you don't "own" that netblock, you were allocated it from ARIN for a single use.

    Put it on eBay and ARIN will then send you a polite email about how they have now reclaimed the netblock since it obviously is no longer being used for its original declaration. They will then turn around and allocate it to the next demand in their queue. They have all the authority, you have none.

    If your sale goes through on eBay, for selling something that did not belong to you, you have committed fraud. I hope you have put aside some of your windfall for legal fees.

    the AC
  • by Midnight Thunder ( 17205 ) on Friday February 22, 2008 @11:27AM (#22514912) Homepage Journal
    There is a lot of foot-dragging going on, partly because too many business plans rely on short term spending. The irony is that some of the companies which you expect to be leading the way in IPv6 migration don't even have web sites that are IPv6 enabled. This includes IBM, Apple, Microsoft, RedHat and Cisco. I make the point because they should be picking up the torch now that research sites have already done their part, and showing that it is an achievable goal, and not some sort of pipe-dream. /. readers, at the same time, should probably get to know and understand the technology, since it is not a question of whether it will happen, but when. When it happens, if the IT crowd doesn't understand IPv6, then we really have issues.

    If you want to get an IPv6 web site running there are number of solutions, including using Apache 2 with IPv6 support activated and making sure you have an OS that supports an IPv6 stack - most modern OSs do.

    Migration technologies for people stuck behind IPv4 NATs include Aiccu [sixxs.net] and Teredo [microsoft.com] (Vista includes this, and for other OSs there is Miredo [remlab.net]). If you are at home, then one of the 'consumer' routers to support IPv6 out of the box is the Airport Extreme. If others support it out of the box I am not aware of this.

    When you are ready see the dancing turtle [kame.net] - if you don't see it you are accessing it via IPv4.

    Other stuff you can do in the meantime is checking to see if some of your favourite network based applications handle IPv6 and, if they don't, make some noise. It's best to make the noise now, when it doesn't matter so much, than waiting until it does. On the bonus side they can advertise [wikipedia.org] the fact they are IPv6 ready.

  • Re:Well duh (Score:4, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Friday February 22, 2008 @11:40AM (#22515100) Homepage
    Certainly on the home side... go into the average store, and it's easy to count how many home routers are ipv6 enabled. none at all.

    Some can be adapted - my wifi router can route ipv6 but not talk it for example. No way all that hardware is going to be replaced within two years.

    OTOH we've been hearing the doomsday scenarios from the ipv6 zealots for 10 years now, and I'm not seeing it - it's still easy to get a block of IP addresses (I asked for 8 and got given 16 'just in case' for example).. we're not seeing the beginnings of a shortage yet.
  • by arthurpaliden ( 939626 ) on Friday February 22, 2008 @11:55AM (#22515282)
    So tell me. How does it feel to go through life without a sense of humor?
  • Re:Well duh (Score:3, Informative)

    by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Friday February 22, 2008 @11:58AM (#22515318) Homepage
    Altavista used to... Back when it was run by DEC.

    See:
    http://www.ipv6.org/v6-www.html [ipv6.org]

    Microsoft research have a v6 site too...

    My site (www.ev4.org) is also available on v6, just in case anyone cares.
  • Re:Well duh (Score:3, Informative)

    by pherthyl ( 445706 ) on Friday February 22, 2008 @12:33PM (#22515842)
    Well there's definitely something going on. Look at the OPEC oil production over the last few years: http://en.wikipedia.org/wiki/Image:GlobalCrudeOilProduction2001-mid2007.png [wikipedia.org]

    Since 2005 it's been flat. And yet prices have skyrocketed in that time. In 2000, OPEC promised to adjust production to keep prices around $22-$28/barrel. Then in 2007 they said prices would stay around $50-$60/barrel until 2030. Well it's one year later and prices are at $100. All this time OPEC hasn't increased production, and they may even reduce production at their next meeting in the spring (no solid source for that one, just what I heard on the news). So they have every reason to increase production, and have had every reason to do so for years, but they've done nothing.

    That to me is very suspicious. Either there is a massive conspiracy to hike up the cost of oil (incredibly unlikely) or they just can't keep up with the production, despite their claims. The latter is pretty much the only likely solution.
  • by anticypher ( 48312 ) <anticypher.gmail@com> on Friday February 22, 2008 @12:40PM (#22515942) Homepage
    I'm so glad someone else is aware of this problem, NAT can't be infinite, or even large.

    I saw a Cisco presentation years ago on their experiences from rolling out NAT internally. They started with an address overload of a /24 (251 usable addresses) into a single external IP address. For an office with about 120 active machines, the NAT box (biggest, beefiest box they made at the time) completely fell over. With only light internet use, the NAT tables filled to take over all of the outgoing 65k ports in short time. That was in 1998, when most internet use was web pages, some email and simple IM. At the time, they recommended no more than a /26 (59 usable addresses) per external address.

    Move forward to 2007, and I made an updated presentation (for Cisco and non-Cisco NAT kit) that took into account all the new kinds of traffic we see, office workers who listen to internet radio, streaming video, youtube, multimedia conferences with H.323, peer-to-peer apps like Skype, other internet telephony apps, etc. Turns out that more than 15 to 20 active office users stuck behind a single overloaded external address would be the limit, even with a tight policy to prevent non-work traffic.

    It is much worse for ISPs with home users, who are not limited by workplace rules against peer-2-peer for popular TV shows or looking at pr0n pages. If you look at the typical pr0n page (it was a tough job, but I did it in the spirit of improving my understanding of the industry ;-), there will be between 200 and 300 embedded elements or links to affiliate sites and advertising partners. So every pr0n page view going through NAT takes 200 new external ports, with associated timeouts and state tables. A typical pr0n user (I'm guessing here, you the /. reader can supply your own values), can open a dozen or more pages in tabs in a relatively short period of time, leading to 10s of thousands of entries in the NAT state table. Remember, you have 65,533 maximum entries in the state table for a single external IP, or for a typical saturday night in basement-dweller-land, about 4 machines.

    Don't get me started about how many NAT states a typical 3Mbyte facebook page can open, and leave open for quite a while.

    If you think you can hide many ISP customers behind NAT, there are limits if you don't want a ton of calls to the support lines when your users can't effectively use the net. For modern home connections, that already have a NAT box with a handful of machines behind the NAT (Mom keeping 20 eBay pages open and doing Skype, Dad doing gaming, teenage son looking at pr0n and daughter with 20 different IM chats going while she P2Ps the latest TV episode and looks at 50 different bebo and facebook pages), you just can't NAT much more than that.

    That post was the voice of experience, if you want the nice real-world figures in a printed report and a keynote or powerpoint presentation to your CTO, you have to give me money.

    the AC
  • Re:Well duh (Score:3, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Friday February 22, 2008 @12:41PM (#22515964) Homepage
    Just RTFA'd myself.. That PDF sums up 100% what is wrong with ipv6 right now.

    Didn't know that XP couldn't do DNS lookups over ipv6.. that's new. They didn't mention that active directory doesn't work with ipv6 (important to companies, and a biggie, because as they say.. if one part of the infrastructure can't support it, it doesn't happen).
  • Re:FUD (Score:2, Informative)

    by Anonymous Coward on Friday February 22, 2008 @12:46PM (#22516056)
    You do realize that a single server with a single IP can host thousands of those websites?
  • Re:Tell MIT and IBM (Score:3, Informative)

    by gclef ( 96311 ) on Friday February 22, 2008 @12:54PM (#22516228)
    Really? Using your own link, there were 12 /8 blocks allocated in 2007, leaving IANA with 43 available. Assuming we continue on the present allocation path of 10-12 per year, that puts IANA out of addresses ~ 2011-2012 with no growth in allocation rate. The problem is our allocation rate is increasing, especially in Asia (responsible for 7 of the 12 /8 blocks last year). So, even with the data in your link, IANA will be out of addresses to assign to the RIRs in 2-3 years.

    Yes, the RIRs will still have addresses to allocate to end sites when that happens, but the clock will have started ticking...if they need more, they're screwed.
  • by Rich0 ( 548339 ) on Friday February 22, 2008 @12:55PM (#22516252) Homepage
    I must then be imagining the public web server that I run over my NAT'd DSL connection.

    You probably are if you are really behind an ISP-run NAT. We're not talking about the Linksys router that you can tell to forward port 80. We're talking about the ISP handing you a non-routable 192.168.x.x address and not forwarding anything to it. Outward-ONLY connections...
  • by cwolfsheep ( 685385 ) on Friday February 22, 2008 @01:00PM (#22516398) Homepage
    At work, we use IPv6 for our VPN, and IPv4 for Internet access. All the separate LANs are using private IPv4 addressing, using NAT with static IPs on the external interfaces; OpenWRT-based routers (take a $70 ASUS router and re-flash it with Linux); and tinc VPN software to link the routers together with a private (unique local address) IPv6 subnet. Furthermore, I run a SixXS tunnel at our main server farm that lets me provide IPv6 Internet access to all the sites via the VPN: hence I have both public and private IPv6 subnets running concurrently. If you want automatic routing, you can use Quagga to set interface addresses, do route advertising, and use OSPFv3 or RIPng to manage the subnets.

    http://www.openwrt.org/ [openwrt.org]
    http://www.tinc-vpn.org/examples/ipv6-network [tinc-vpn.org]
    http://www.wolfsheep.com/index.php/Bookmarks/IPv6 [wolfsheep.com]
    http://en.wikipedia.org/wiki/Unique_local_address [wikipedia.org]
    http://www.quagga.net/ [quagga.net]
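
    One part of the setup above that is easy to get wrong is choosing the private IPv6 prefix. The generator below is an added example, not the commenter's code: it derives a unique local /48 the way RFC 4193 prescribes, so sites numbered independently and joined later over the VPN are unlikely to collide; the MAC address used in the demo is constructed.

```python
"""RFC 4193 Unique Local Address prefix generation.  The 40-bit Global ID is
taken from a SHA-1 over the current time and an EUI-64, which is what gives
two independently numbered sites a negligible chance of picking the same /48."""
import hashlib
import ipaddress
import os
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    seconds = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return ((seconds << 32) | fraction).to_bytes(8, "big")


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ula_global_id(unix_time: float, eui64: bytes) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (FC00::/7 with the L bit set) followed by the Global ID gives the site /48."""
    if global_id >> 40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def site_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one of the 65536 /64s out of the ULA /48 for a single LAN."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def fresh_ula_prefix(mac: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Generate a prefix now; with no MAC, random bytes stand in for the EUI-64 as the RFC allows."""
    eui = eui64_from_mac(mac) if mac else os.urandom(8)
    return ula_prefix(ula_global_id(time.time(), eui))


if __name__ == "__main__":
    site = fresh_ula_prefix(bytes.fromhex("001122334455"))   # constructed MAC address
    print(site, site_subnet(site, 1), site_subnet(site, 2))
```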
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Friday February 22, 2008 @01:20PM (#22516740) Homepage Journal

    Why switch from an Internet with a billion people on it to one that has nobody on it that can't be reached by IPv4?

    DJB has an awful problem of confusing "I don't know how it can be done" with "it can't be done". For example, he doesn't seem to realize that you can run IPv4 in parallel with IPv6. In reality, you can access my homepage linked above through either protocol, or send me email from an IPv6-only server. In fact, all of my FreeBSD mailing list traffic comes in via IPv6, right now, today.

  • by merreborn ( 853723 ) on Friday February 22, 2008 @01:40PM (#22517134) Journal
    The IPv4 crunch has been 2 years away for at least 10 years.

    By the way, the idea of reallocating parts of Class-A blocks has been technically feasible for over a decade. Say hi to CIDR [wikipedia.org]
  • Re:FUD (Score:4, Informative)

    by MightyYar ( 622222 ) on Friday February 22, 2008 @01:47PM (#22517248)

    Yes, but do they actually?
    Oh, yeah.

    Here's a completely random example: slashdt.org [slashdt.org] (obviously getting typo hits from slashdot...

    According to This web site [webhosting.info], that domain shares an IP with over 14,000 other domains!
  • Re:FUD (Score:2, Informative)

    by casualsax3 ( 875131 ) on Friday February 22, 2008 @02:03PM (#22517536)
    Not if you want to use SSL.
  • Re:Well duh (Score:5, Informative)

    by Tracy Reed ( 3563 ) <treed@ultraviolet.oMONETrg minus painter> on Friday February 22, 2008 @02:22PM (#22517876) Homepage
    China, Korea, Japan etc. use lots of ipv6. I've been there, seen it, helped set some up. There is a whole Internet out there full of asian language websites out there that we don't even know about because our english only Internet doesn't link to it. Go to a cyber cafe in Hong Kong, Beijing, Seoul, and you'll see what I mean.
  • by Neil ( 7455 ) on Friday February 22, 2008 @02:23PM (#22517898) Homepage

    IPv4 packets would be turned into IPv6 packets in the IPv4 subset of the IPv6 address space when they left the IPv4 endpoints, and then turned back to IPv4 if the destination didn't support IPv6.

    Unfortunately the IPv4 address space isn't embedded in the IPv6 address space in the way that you suggest. Dan Bernstein pointed out many years ago that this was a mistake [cr.yp.to].

  • Re:Well duh (Score:3, Informative)

    by madsenj37 ( 612413 ) on Friday February 22, 2008 @02:53PM (#22518444)
    Harry Truman was a Free Mason...
  • by AaronW ( 33736 ) on Friday February 22, 2008 @03:52PM (#22519362) Homepage
    The article claims that there is no good IPv6 test equipment. I know this to be false. The old test equipment we have in our lab at work (Adtech) handles IPv6 performance testing just fine, just as well as IPv4. Granted, we only have OC-48 adapters, but higher speeds are available. This will test for speed, dropped packets, out of order, etc. I would be very surprised if any modern test equipment did not natively support IPv6 since supporting IPv6 is basically required for any decent router, especially if you plan to sell to the enterprise or government market.

    The biggest problem I see at this point in terms of equipment is that few home firewall routers support IPv6, plus it sounds like Windows XP is missing some needed functionality if it doesn't properly handle IPv6 DNS or AD. I have a small Linux network at home running dual IPv4/IPv6 and have had no issues with IPv6.

    Most of the Internet backbones no longer do IP routing, instead using MPLS for making forwarding decisions. MPLS doesn't really care what protocol runs on top of it, only the routing protocols do (i.e. BGP) which do support IPv6.
  • Re:Well duh (Score:3, Informative)

    by jZnat ( 793348 ) * on Friday February 22, 2008 @03:59PM (#22519442) Homepage Journal
    At the rate that IPv4 addresses are being used, even if all the /8's given to companies that got on the Internet first were freed for general use, that would only buy us a few months before we ran out of IPv4 addresses again. It'd be better to just move on to IPv6 where it's impossible to run out of addresses.
  • by misleb ( 129952 ) on Friday February 22, 2008 @04:29PM (#22519894)

    I saw a Cisco presentation years ago on their experiences from rolling out NAT internally. They started with an address overload of a /24 (251 usable addresses) into a single external IP address. For an office with about 120 active machines, the NAT box (biggest, beefiest box they made at the time) completely fell over. With only light internet use, the NAT tables filled to take over all of the outgoing 65k ports in short time. That was in 1998, when most internet use was web pages, some email and simple IM. At the time, they recommended no more than a /26 (59 usable addresses) per external address.


    Really? We currently NAT well over 160 machines to a single external IP address and have had 0 problems in years. Users have unrestricted internet access (and they use it).

    If 160 machines are filling up 64k of ports, something is seriously wrong with the translation algorithm. Perhaps old connections aren't being reaped properly?

    It is much worse for ISPs with home users, who are not limited by workplace rules against peer-2-peer for popular TV shows or looking at pr0n pages.


    Is it worse for ISPs? I used to work for an ISP that would NAT whole high rise condominium/apartments of home users with no problems other than pure bandwidth.

    If you look at the typical pr0n page (it was a tough job, but I did it in the spirit of improving my understanding of the industry ;-), there will be between 200 and 300 embedded elements or links to affiliate sites and advertising partners. So every pr0n page view going through NAT takes 200 new external ports, with associated timeouts and state tables.


    It is a good thing browsers limit themselves to a number of simultaneous requests, isn't it? What is it, like 6? An intelligent NAT gateway will close a translation when the client does. A pr0n page will NOT take up 200 external ports.

    Remember, you have 65,533 maximum entries in the state table for a single external IP, or for a typical saturday night in basement-dweller-land, about 4 machines.


    Bullshit.

    Don't get me started about how many NAT states a typical 3Mbyte facebook page can open, and leave open for quite a while.


    How many? I'd really like to know how braindead your router is that it doesn't know how to close translations when the TCP connection is terminated.

    If you think you can hide many ISP customers behind NAT, there are limits if you don't want a ton of calls to the support lines when your users can't effectively use the net.


    Again, bandwidth was our only limitation.

    For modern home connections, that already have a NAT box with a handful of machines behind the NAT (Mom keeping 20 eBay pages open and doing Skype, Dad doing gaming, teenage son looking at pr0n and daughter with 20 different IM chats going while she P2Ps the latest TV episode and looks at 50 different bebo and facebook pages), you just can't NAT much more than that.


    You can. You're full of shit. (Or is it FUD?)

    That post was the voice of experience,


    No, it was the voice of someone who just pulled a bunch of numbers out of his ass. 4 user limit behind a residential gateway? Come on, you can't possibly believe that.

    -matthew

  • by misleb ( 129952 ) on Friday February 22, 2008 @04:42PM (#22520046)

    300 people means an average of 218 TCP connections per person at peak. That sounds reasonable, actually.


    No, it is totally unreasonable. It just doesn't happen. I just checked the translation table of our firewall with in excess of 100 users and there's only 216 translations open. This includes connections to our web server in the DMZ. You're telling me that it is reasonable for that number to increase 2 orders of magnitude?

    You just also need a router that can support this. Cisco's original presentation was "years ago" so even though webpages were simpler and needed fewer ports, the hardware was lacking. No idea how recent the hardware the GP used for his presentation was, but I can confirm that facebook, especially with a bunch of apps, can be CRAZY.


    Numbers, please.
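
    The disagreement above about how many machines fit behind one external address comes down to whether a translation is freed when its connection closes. The toy NAPT state table and page-load workload below are an added example, not anything the commenters posted; the hosts, servers and timings are constructed, and the numbers it produces describe this model only.

```python
"""Toy NAPT (port-overloading NAT) state table plus a small workload model.
One external IPv4 address offers 64512 ephemeral ports; whether that limit
bites depends on whether finished connections are reaped.  Times are in ms."""
from dataclasses import dataclass, field

EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535
PORT_BUDGET = EPHEMERAL_HI - EPHEMERAL_LO + 1      # 64512 external ports per external IP


@dataclass
class NatTable:
    """Inside 4-tuple (inside_ip, inside_port, dst_ip, dst_port) -> external port."""
    reap_on_close: bool = True            # does a TCP FIN/RST free the mapping at once?
    idle_timeout_ms: int = 300_000        # otherwise a silent mapping lives this long
    table: dict = field(default_factory=dict)     # key -> (ext_port, last_seen_ms)
    free_ports: list = field(default_factory=lambda: list(range(EPHEMERAL_LO, EPHEMERAL_HI + 1)))
    drops: int = 0                        # new flows refused because no port was free

    def open(self, key, now):
        """Allocate (or refresh) the external port for an outbound flow."""
        if key in self.table:
            port = self.table[key][0]
        elif self.free_ports:
            port = self.free_ports.pop()
        else:
            self.drops += 1
            return None
        self.table[key] = (port, now)
        return port

    def close(self, key):
        """Connection torn down: free the port only if the box reaps on close."""
        if self.reap_on_close and key in self.table:
            self.free_ports.append(self.table.pop(key)[0])

    def expire(self, now):
        """Drop mappings idle longer than idle_timeout_ms; return how many were freed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout_ms]
        for k in stale:
            self.free_ports.append(self.table.pop(k)[0])
        return len(stale)


def page_workload(hosts, pages, elements, page_gap_ms=30_000, fetch_ms=200, spacing_ms=20):
    """Every host loads `pages` pages `page_gap_ms` apart; each page fetches
    `elements` objects, one every `spacing_ms`, each fetch lasting `fetch_ms`.
    Returns (time_ms, kind, key) events, kind 0 = close and 1 = open, sorted so
    that a close at time t is applied before an open at the same t."""
    events = []
    for h in range(hosts):
        inside_ip = f"10.0.0.{h + 1}"             # constructed RFC 1918 client address
        src_port = 40000
        for p in range(pages):
            dst_ip = f"203.0.113.{p + 1}"         # constructed TEST-NET-3 web server
            for e in range(elements):
                key = (inside_ip, src_port, dst_ip, 80)
                src_port += 1
                t_open = p * page_gap_ms + e * spacing_ms
                events.append((t_open, 1, key))
                events.append((t_open + fetch_ms, 0, key))
    events.sort()
    return events


def simulate(events, reap_on_close, expire_every_ms=60_000):
    """Run the workload through one external IP; return (peak table size, drops)."""
    nat = NatTable(reap_on_close=reap_on_close)
    peak, last_expire = 0, 0
    for t, kind, key in events:
        if t - last_expire >= expire_every_ms:  # periodic idle-timeout sweep
            nat.expire(t)
            last_expire = t
        if kind == 1:
            nat.open(key, t)
            peak = max(peak, len(nat.table))
        else:
            nat.close(key)
    return peak, nat.drops


if __name__ == "__main__":
    work = page_workload(hosts=160, pages=12, elements=250)   # 480,000 flows in ~5.5 minutes
    print("reaped on close  :", simulate(work, reap_on_close=True))    # (1600, 0)
    print("idle timeout only:", simulate(work, reap_on_close=False))   # (64512, 415488)
```

    With 160 hosts each opening 250 objects per page, reaping on close keeps the table at a few hundred to a few thousand entries, while relying on a five-minute idle timeout alone fills all 64512 ports during the second page and refuses everything after.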

     
  • by Rich0 ( 548339 ) on Friday February 22, 2008 @05:19PM (#22520574) Homepage
    Sure, I work for one of those companies - my laptop right now is connected to the VPN and is on one of those class-A networks. It is fairly well segmented across the company although obviously not all the address space is strictly necessary.

    However, as others have pointed out if you actually got all those companies to give up all their address space it would buy you 6-12 months max. There aren't really that many of them. The problem is that address space demand is increasing exponentially.

    And in some sense those companies helped get the internet started. There are always perks to being an early adopter. By the time you'd be able to take that space back in an orderly way it would be a sizzle in the pan.

    NAT to ISP customers is EXACTLY what people are concerned about. ISPs would almost encourage it since it helps them to reduce the internet to email + large-scale websites, which is easier to support and extract ad revenue from. Stuff like games, bittorrent, etc is just a pain to them and the idea of customers not being herded to preferred sites paying ad revenue is just abhorrent...
  • by sjames ( 1099 ) on Saturday February 23, 2008 @12:33PM (#22527286) Homepage Journal

    Actually, some of the servers ARE v6 only, and indeed, IPv4 clients out there cannot reach them at all. No NAT is happening for those servers.

    The client machines, OTOH are either running dual stacks or they are NATing v6 prefixes into v4 addresses at the edges of their v6 network.
