The Internet IT

Millions of Internet Addresses Are Lying Idle 500

An anonymous reader writes "The most comprehensive scan of the entire internet for several decades shows that millions of allocated addresses simply aren't being used. Professor John Heidemann from the University of Southern California (USC) used ICMP and TCP to scan the internet. Even though the last IPv4 addresses will be handed out in a couple of years, his survey reveals that many of the addresses allocated to big companies and institutions are lying idle. Heidemann says: 'People are very concerned that the IPv4 address space is very close to being exhausted. Our data suggests that maybe there are better things we should be doing in managing the IPv4 address space.' So, is it time to reclaim those unused addresses before the IPv6 crunch?"
  • screw ipv4 (Score:5, Insightful)

    by k3v0 ( 592611 ) on Wednesday October 15, 2008 @01:11PM (#25385409) Journal
    let's just switch to IPv6, it's more functional and future proof
  • Credit crunch (Score:5, Insightful)

    by Harmonious Botch ( 921977 ) * on Wednesday October 15, 2008 @01:12PM (#25385425) Homepage Journal

    This is curiously similar to the current credit crunch. When a fix is not guaranteed to happen soon, people start hoarding.

  • Give back class As (Score:5, Insightful)

    by Neil Watson ( 60859 ) on Wednesday October 15, 2008 @01:12PM (#25385427) Homepage

    Perhaps some of the institutions that still have class A networks reserved from the old days, with no reasonable need for them, should give them back.

  • Why bother? (Score:5, Insightful)

    by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Wednesday October 15, 2008 @01:16PM (#25385491) Homepage Journal
    Would giving them back do anything other than encourage network providers to procrastinate on IPv6 for another couple years?
  • by Spazztastic ( 814296 ) <spazztastic@gm[ ].com ['ail' in gap]> on Wednesday October 15, 2008 @01:16PM (#25385499)
    If the big Fortune 100 companies would dump their IP blocks that they don't use more than 10% of, the whole sensationalist scare of "OH MY GOD WE'RE RUNNING OUT OF ADDRESSES" wouldn't even be relevant.

    Also, to quote someone from the last three articles related to IPv4 running out, it seems like one of these articles shows up on the main page at least once per month and nothing has changed.

    I don't see why any company, even in the expandable future, would use every address in a /8 subnet... unless they have everything open to the internet, which is moronic.
  • by gstoddart ( 321705 ) on Wednesday October 15, 2008 @01:17PM (#25385519) Homepage

    People setting up networks aren't trying to use every single address in their space.

    It's far easier to use an entire a.b.c.* as a logical sub-domain than fiddling with netmasks and all that stuff so that a.b.c.1 and a.b.c.200 are on different subnets.

    The amount of work people would need to invest to use every single IP address with no holes would be cumbersome. (I'm not saying you can't do it, it's just tedious.) And, you never know when you're going to need to allocate more machines -- I remember getting blocks of IP addresses for static machines in case I needed another machine in the future.

    Now, why most people aren't using 10.*.*.* as their internal stuff I'll never know. Since the overwhelming majority of machines on the internet aren't (and shouldn't) be directly routable, it's an awful waste to not have organizations behind NAT-ed firewalls and not drawing from the common pool of route-able IP addresses.

    Cheers

  • Reliable? (Score:1, Insightful)

    by Anonymous Coward on Wednesday October 15, 2008 @01:19PM (#25385569)

    I, for one, question the reliability of this data since the machines that are occupying those addresses are probably firewalled.

  • TCP and ICMP (Score:5, Insightful)

    by IceCreamGuy ( 904648 ) on Wednesday October 15, 2008 @01:22PM (#25385611) Homepage
    I drop ICMP entirely, and besides our website and mailservers, we don't have any standard tcp ports open on any of our other external IPs. I really can't imagine it's that much different for other medium and large businesses; am I to believe they nmapped the entire Internet? (It's clear FTA that they did not) To me, these findings are not that surprising in the security-oriented world we live in today.
  • by Jodka ( 520060 ) on Wednesday October 15, 2008 @01:26PM (#25385697)

    Raise prices.

    Raising the price of an IP address increases the incentive not to waste the IP address.

  • by spaceyhackerlady ( 462530 ) on Wednesday October 15, 2008 @01:33PM (#25385841)

    Now, why most people aren't using 10.*.*.* as their internal stuff I'll never know. Since the overwhelming majority of machines on the internet aren't (and shouldn't) be directly routable, it's an awful waste to not have organizations behind NAT-ed firewalls and not drawing from the common pool of route-able IP addresses.

    This is exactly how the company I work for does it. We use one public IP address, and our computers (all private IPs, as they should be) are NATted behind our router. I do the same thing at home, partly to circumvent how many computers my ADSL provider will let me plug in to their connection without giving them more money. :-)

    If everybody did things like this we would need a lot fewer IP addresses.

    ...laura

  • Re:TCP and ICMP (Score:2, Insightful)

    by Anonymous Coward on Wednesday October 15, 2008 @01:33PM (#25385855)

    If none of the ports are open on any of your external IPs, then why do you need to have more than one external IP?

  • Re:screw ipv4 (Score:5, Insightful)

    by Finallyjoined!!! ( 1158431 ) on Wednesday October 15, 2008 @01:34PM (#25385859)
    Internally yes. Externally no. However my point was; everyone who stands up and says "Screw IPv4 let's move to IPv6" should be sat in front of a border router & told to get on with it.

    Everyone can eat salami, precious few can make it.
  • by t0rkm3 ( 666910 ) on Wednesday October 15, 2008 @01:38PM (#25385935)

    As a network security guy in a company with 9 Class B's that are used within the company. (1 is Internet facing) The internal usage of public IP address space is justified by one thing, acquisitions. Every time a company is bought up by our company we have to integrate them into our network. We are already using some RFC1918 space at stub networks(plants/refineries) and for VoIP applications. However, the challenge of integrating 25,000 new IP devices with a conflicting address scope per merger is painful and wasteful.

  • Re:Credit crunch (Score:5, Insightful)

    by Chaos Incarnate ( 772793 ) on Wednesday October 15, 2008 @01:50PM (#25386167) Homepage

    That is hoarding.

    No, that's life outside a police state.

  • Simpler Politics (Score:5, Insightful)

    by Midnight Thunder ( 17205 ) on Wednesday October 15, 2008 @01:51PM (#25386169) Homepage Journal

    let's just switch to IPv6, it's more functional and future proof

    Yup and it is probably much simpler. Trying to reclaim addresses involves political issues, finding out who to talk to, bureaucracy and some technical issues. Switching to IPv6 is about technical stuff and just getting going. You are going to have to switch to IPv6 at some point, so why spend energy twice?

  • by Detritus ( 11846 ) on Wednesday October 15, 2008 @01:57PM (#25386291) Homepage

    This whole discussion is a waste of time. You aren't going to get any of these address blocks without an expensive and prolonged fight. Wasting valuable resources that could be used to advance a real solution, IPV6.

    Even if you "liberated" all of these address blocks, they would be quickly consumed by the natural growth of the Internet.

    NAT is not a solution, it is a malignant blight that must be destroyed. If you want a firewall, get a real firewall.

  • Re:screw ipv4 (Score:5, Insightful)

    by vux984 ( 928602 ) on Wednesday October 15, 2008 @01:57PM (#25386295)

    Nobody has configured for IPv6 because there's been no forced set date to switch over so everyone is still just using IPv4 which is working just fine.

    Sure my PCs can all switch without too much trouble; just configuration issues.

    Will an xbox, xbox360, PS3, Wii, PSP or DS do ipv6? Will my ipod touch? What about my cell phone? Does my dlink nat/router do it? What about my dlink voip box? My network printer? My cable/adsl modem?

    Seriously.

    I can't abandon v4 at home (Wii doesn't do ipv6 afaik, nor does my router). Nor can I do it at work... the LaserJet 4050s don't do it unless I upgrade the jetdirect module (which is stupid expensive). I also doubt my cell phone supports ipv6. My parents have a Wii and a usb-print server that don't do ipv6. My brother in-law has a PS3 and a Wii that don't appear to support ipv6. My parents in-law have an xbox and a wifi router that don't do ipv6... my cousin has a DS... she's stuck on WEP because it doesn't do WPA... I highly doubt it's going to do ipv6.

  • by jimmyhat3939 ( 931746 ) on Wednesday October 15, 2008 @01:57PM (#25386299) Homepage

    TCP and ICMP is not a good way to test this. Plenty of IPs won't respond to a ping and don't have any TCP ports open for inbound connections (SYN flag set).

  • Re:screw ipv4 (Score:5, Insightful)

    by hedwards ( 940851 ) on Wednesday October 15, 2008 @02:09PM (#25386491)

    What you'd do is upgrade the router. That's it.

    Basically new routers would do a 1:1 version of NAT going from IPV6 externally to IPV4 internally. You'd likely still be using the set aside non-connected blocks without problems. As things evolve you'd probably be able to do IPV6 easily internally and ditch that as the network devices support it.

    The difficulty of upgrading to IPV6 has never been on that end it's the other infrastructure and the ISP services which were where the actual work, challenge and money were located.

    I'm sure that there are other ways of doing it, but that's really the simplest and it allows people to transition on the less important end as they care to or not. It wouldn't make a difference for anybody else.

  • It appears that all they did was ping every address they could, and then track which addresses responded and which ones did not. Considering how many systems are either configured to not respond to ping, or sit behind firewalls that stop the ping from getting through, this seems like a method of marginal value.

    Wouldn't there be a better way to query the addresses than this? In some areas, I suspect checking DNS records might be more informative if what you are looking for is which addresses are unused (though of course DNS isn't mandatory either).
  • Re:Why bother? (Score:3, Insightful)

    by hedwards ( 940851 ) on Wednesday October 15, 2008 @02:25PM (#25386779)

    I doubt that will be a bigger problem than what we currently have. The most likely thing will be for the IPV6 stuff to end at the modem and be IPV4 internally. At least until the security and configuration utilities are easy enough for people to use. I'd be surprised if it weren't opt out in some fashion.

    The big thing is for the ISPs and the rest of the net to be ready for IPV6, the home user is sort of the last part that needs to be changed. And they aren't the ones that are pushing for more time.

  • by qwertphobia ( 825473 ) on Wednesday October 15, 2008 @02:28PM (#25386831)

    Core routers don't get DHCP addresses. Servers don't get DHCP addresses. Infrastructure, for the most part, should not be dynamic, and should never rely on other infrastructure unnecessarily.

    It can take years to transition between addressing policies.

  • by sl3xd ( 111641 ) * on Wednesday October 15, 2008 @02:35PM (#25386969) Journal

    It's a useful hack, but it also causes as many problems as it creates.

    People who worry about IPv6 being routable everywhere on the internet really need to get their heads examined. It's quite simple to set up a packet filter that acts more or less identical to a NAT packet filter. It's quite simple to keep packets from getting where you don't want them to go - no more difficult than IPv4 with the NAT hack.
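The kind of packet filter this comment describes, as an added sketch that is not part of the thread: a simplified Python model of a stateful IPv6 border filter that drops unsolicited inbound packets while leaving addresses unrewritten. The class name, the `2001:db8::/32` documentation addresses and the published port are assumptions made for the illustration, and real connection tracking also follows TCP state and timeouts.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class StatefulV6Filter:
    inside: ipaddress.IPv6Network                 # the site's routable prefix
    open_ports: set = field(default_factory=set)  # (addr, proto, port) published on purpose
    flows: set = field(default_factory=set)       # flows opened from the inside

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def accept(self, p):
        src_in, dst_in = self._is_inside(p.src), self._is_inside(p.dst)
        if src_in and not dst_in:
            # Outbound: allow it and remember the flow so replies can return.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if dst_in and not src_in:
            # Inbound: only replies to a remembered flow or published services.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return True
            return (p.dst, p.proto, p.dport) in self.open_ports
        return False  # neither inbound nor outbound at the border: drop

def demo():
    # Constructed sample traffic; all addresses are documentation addresses.
    fw = StatefulV6Filter(ipaddress.ip_network("2001:db8:1::/48"),
                          open_ports={("2001:db8:1::80", "tcp", 443)})
    host, peer = "2001:db8:1::10", "2001:db8:ffff::5"
    return {
        "unsolicited_inbound": fw.accept(Packet(peer, 40000, host, 22)),
        "outbound": fw.accept(Packet(host, 50000, peer, 443)),
        "reply_to_outbound": fw.accept(Packet(peer, 443, host, 50000)),
        "same_peer_other_port": fw.accept(Packet(peer, 443, host, 50001)),
        "published_service": fw.accept(Packet(peer, 40001, "2001:db8:1::80", 443)),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'accept' if allowed else 'drop'}")
```

The inbound behaviour matches what a NAT box gives by accident: a globally routable inside host is reachable only on flows it opened or on ports the operator published.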

  • Re:screw ipv4 (Score:5, Insightful)

    by Anpheus ( 908711 ) on Wednesday October 15, 2008 @02:35PM (#25386973)

    Future proof? Everyone says IPv6 is future proof. No one will ever need more than 2^64 addresses.

    That's ridiculous. If we have the addresses, we'll find some way to use them. Instead, it should be IPvX. We should have an extensible standard that the IANA or -someone- can flip a switch on and the routers will add another 8 bits to the address automatically. Need more IPs? Done, 256 times more. This scales well, means we'd never have to go through this again and in thirty years no one will be mocking our generation for this silly attitude of "2^X IPs is enough for the whole world."

  • by sl3xd ( 111641 ) * on Wednesday October 15, 2008 @02:48PM (#25387169) Journal

    You gotta love the assumption they're making that "not pingable means not in use."

    In reality, it can quite easily mean that most of the IP addresses on the internet are firewalled off, because they're not serving anything to the rest of the internet. If anything, I like to think of it as a good sign that at least rudimentary security measures are being taken by consumers.

    Grandma doesn't need her own web server, mail server, etc. Neither do most consumers - heck, I only have a couple of ports open - SSH and a gaming VoIP server.

    Guess what ping does? Yup. Nothing.
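The objection raised in this and several earlier comments (silence to ICMP and TCP probes does not prove an address is unused), as an added Python example that is not part of the thread or of the USC survey: it grades each probed address by the strongest evidence seen instead of counting every non-responder as idle. The `Probe` record, the verdict names and the sample results are assumptions constructed for the illustration; the ICMP type 3 codes are the standard ones.

```python
from collections import Counter
from dataclasses import dataclass

IN_USE, FILTERED, LIKELY_UNUSED, UNKNOWN = "in-use", "filtered", "likely-unused", "unknown"
RANK = {UNKNOWN: 0, LIKELY_UNUSED: 1, FILTERED: 2, IN_USE: 3}
ADMIN_PROHIBITED = {9, 10, 13}  # ICMP type 3 codes: blocked by policy
NO_ROUTE_OR_HOST = {0, 1}       # ICMP type 3 codes: net / host unreachable

@dataclass(frozen=True)
class Probe:
    target: str          # address that was probed
    reply: str           # "echo-reply", "syn-ack", "rst", "unreachable" or "none"
    source: str = ""     # address the reply came from, if any
    icmp_code: int = -1  # ICMP type 3 code when reply == "unreachable"

def classify_probe(p):
    if p.reply == "none":
        return UNKNOWN            # silence: unused or firewalled, cannot tell
    if p.source == p.target:
        return IN_USE             # the address itself answered, even with a RST
    if p.reply == "unreachable" and p.icmp_code in ADMIN_PROHIBITED:
        return FILTERED           # a filter on the path refused the probe
    if p.reply == "unreachable" and p.icmp_code in NO_ROUTE_OR_HOST:
        return LIKELY_UNUSED      # a router reports no such net or host
    return UNKNOWN

def classify_targets(probes):
    """Keep the strongest evidence seen for each probed address."""
    best = {}
    for p in probes:
        verdict = classify_probe(p)
        if RANK[verdict] >= RANK[best.get(p.target, UNKNOWN)]:
            best[p.target] = verdict
    return best

def naive_idle(probes):
    """The reading the comments object to: no echo reply or SYN-ACK means idle."""
    answered = {p.target for p in probes if p.reply in ("echo-reply", "syn-ack")}
    return {p.target for p in probes} - answered

# Constructed sample; addresses are from the RFC 5737 documentation ranges.
ROUTER = "198.51.100.1"
SAMPLE = [
    Probe("192.0.2.10", "echo-reply", "192.0.2.10"),
    Probe("192.0.2.20", "none"),
    Probe("192.0.2.20", "rst", "192.0.2.20"),         # host up, port closed
    Probe("192.0.2.30", "none"),
    Probe("192.0.2.30", "none"),                      # drops everything silently
    Probe("192.0.2.40", "unreachable", ROUTER, 13),   # administratively prohibited
    Probe("192.0.2.50", "unreachable", ROUTER, 1),    # host unreachable
]

if __name__ == "__main__":
    print("naive idle count:", len(naive_idle(SAMPLE)))
    print("evidence-based tally:", Counter(classify_targets(SAMPLE).values()))
```

On the sample, the naive rule marks four of five addresses idle, while only one has evidence of being unused and one stays undetermined.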

  • Re:Why bother? (Score:3, Insightful)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Wednesday October 15, 2008 @02:56PM (#25387295) Homepage Journal

    Isn't that a good thing? I imagine there are going to be serious security issues when ipv6 is implemented and EVERYTHING is routable.

    So we move back the crisis another 18 months. What then? We find some ultra-short-term "fix" to put it off another 18 months for "security issues"? At some point, you've gotta do what you've gotta do.

  • Re:screw ipv4 (Score:3, Insightful)

    by coolsnowmen ( 695297 ) on Wednesday October 15, 2008 @03:18PM (#25387617)

    We should have an extensible standard that the IANA or -someone- can flip a switch on and the routers will add another 8 bits

    IANA? You are not a ____? A computer engineer.

    Anyway, we should not have such a thing. Yes it would be easy in software to make such a conditional, but the high performance backbone needs to be just that. And when you add that "option" the hardware engineer needs to decide whether that condition should be done in serial (costs you in transient lag), or do all options in parallel (costs you in $$).

    But it really comes down to keep.it.simple.stupid engineering. Why complicate a standard when you can't justify it?! Your attempt at future proofing ipv# is short sighted because ipv6 will easily last 20 years, and after that no one knows. They don't know because it is impossible to predict how technology will evolve, people will adopt it, and politics will allow it in 30 years. So as an engineer you pick a point, and you say with 99.999% probability this will be good enough for X years. At which point you change it.

  • Re:screw ipv4 (Score:5, Insightful)

    by TheRaven64 ( 641858 ) on Wednesday October 15, 2008 @03:27PM (#25387767) Journal
    Do you have any idea how big a number 2^64 is? There are currently just under 2^33 people in the world. This means that 2^64 is almost enough for every person to have as many IP addresses as there are currently people. It is enough for 2^35 IPs per square kilometre of the Earth - including the sea - or, to put it another way, enough for every 0.29cm^2 of the Earth's surface to have a unique IP. It is enough not just for every computer you own to have an IP address, but for every item of clothing, every item of furniture, and every object in your fridge to have a unique, public, IP, and still have a lot left over. IPv6 will last until nanotech becomes widespread and you want to have networks of nanoscopic devices online - and possibly even then since it would make sense to treat personal area networks as a single public device.
  • Re:NAT is a hack. (Score:3, Insightful)

    by TheRaven64 ( 641858 ) on Wednesday October 15, 2008 @03:37PM (#25387949) Journal
    Rubbish. Which is more secure, of the following two options:
    1. A public IP address, which you use to run a published protocol, on well-defined ports, through a firewall that blocks everything except the authorised ports.
    2. A NAT'd IP, which requires you to do lots of tricks to bypass, preventing the firewall from being able to tell the difference between malware and VoIP traffic.

    This is exactly the option people have now. If you want something like VoIP, and both endpoints are behind a NAT (they usually are these days) you need to rely on something like Skype, which is a security nightmare (see the paper 'Silver Needle in the Skype' for more details).

  • Re:screw ipv4 (Score:3, Insightful)

    by Cramer ( 69040 ) on Wednesday October 15, 2008 @03:47PM (#25388141) Homepage

    Actually, it is far more complicated than current generation IPv4 NAT/PAT. IPv4/IPv6 requires a protocol bridge. I guess you are too young (and I'm really not that old) to remember when IPv4 ("IP") was new. Everybody had networks built with Appletalk, IPX, etc. A company that wanted to "get on the internet" either had to replace equipment and completely restructure their network into a "dual stack" rig -- while you could install a TCP/IP package in windows and Mac System 6, none of the services commonly in use (i.e. the reason for the network in the first place) would use IP. It took many more years for IP to finally become the backbone. For example, a decade (+) ago game makers were still using IPX for network play. And even as recent as 2003, the telco I was working for still had, and used, a large IPX network. (luckily, they had phased out all the token ring hardware in the mid/late '90s.)

    It's not as simple as rewriting the source or destination in a packet. Both have to be changed and the entire packet rebuilt. Plus, there has to be logic to dynamically turn the IPv6 world into an IPv4 world -- because a legacy device has zero understanding of v6, it cannot understand a v6 address at all.

  • Re:screw ipv4 (Score:5, Insightful)

    by BitterOak ( 537666 ) on Wednesday October 15, 2008 @05:20PM (#25390021)

    If the router is handling the conversion and talking ipv4 internally, why would the devices need to support ipv6 again?

    Ok, so let's say you have your router converting packets from IPv6 and IPv4, and translating your internal IPv4 addresses to external IPv6 addresses. Now, let's say you're sitting at your IPv4 computer connected to this magic router. You launch Firefox and type the Slashdot URL. (More likely, you'd have it bookmarked.) So, what does your computer do? It sends a DNS request to get Slashdot's IP address. Now, in an IPv6 world, this IP address would have 128 bits instead of 32. How is your IPv4 operating system going to make sense of this?

    So you might suggest a fancier router that is DNS aware, and translates those addresses back and forth, effectively acting as a DNS proxy. But there is a problem. How do you translate all IPv6 addresses to IPv4 addresses? Considering that the address space for IPv6 has 4 times as many bits, I don't see how this is even possible: you can't assign a unique 32 bit number to each 128 bit number.

    So the problem is much more complicated than it first appears.

  • Re:Credit crunch (Score:3, Insightful)

    by hob42 ( 41735 ) <jupo42.gmail@com> on Wednesday October 15, 2008 @05:28PM (#25390183) Homepage Journal

    Nah, you have two, but can get by with one. Just let us buy the other, and if you really do need it in the future, you can always buy another one.

    (That sounded funnier in my head.)
