The RIPE NCC Has Run Out of IPv4 Addresses

Kelerei writes: The RIPE NCC, the regional internet registry for Europe, West Asia, and the former USSR, has allocated the final /22 remaining in their address pool, and has stated that they have now run out of IPv4 addresses. RIPE will continue to recover IPv4 addresses from organisations that go out of business, close, or that return them due to lack of need, but expects these small amounts of recovered IPv4 addresses to fall well short of demand: RIPE will now only assign IPv4 addresses to entities that have never received any IPv4 allocation in the past, and even then will assign no more than a /24. RIPE puts out a call to action for IPv6 migration:

This event is another step on the path towards global exhaustion of the remaining IPv4 addressing space. In recent years, we have seen the emergence of an IPv4 transfer market and greater use of Carrier Grade Network Address Translation (CGNAT) in our region. There are costs and trade-offs with both approaches and neither one solves the underlying problem, which is that there are not enough IPv4 addresses for everyone. Without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited — not by a lack of skilled network engineers, technical equipment or investment -- but by a shortage of unique network identifiers. There is still a long way to go, and we call on all stakeholders to play their role in supporting the IPv6 roll-out.

Fungible commodities will never run out

[Gregory Eschbacher]

As with any scarce resource, it can never really just "run out". Instead, as it becomes increasingly scarce, the market will react to changes in the elasticity curve.

In this case, as easily obtainable IPV4 addresses run out, the price should go up. As prices go up, organizations that have large blocks of IPV4 addresses could sell them which increases the overall supply. Older companies (HP? IBM? ) from the good ol' days of computing are probably holding onto vastly more blocks of addresses than they could ever need and would be able to sell them. Organizations (universities?) that have large blocks of IP addresses could also move to put themselves behind NAT or equivalent technologies and free up addresses.

I think there really isn't much to worry about here, especially since we've been talking about this since 2011 (https://tech.slashdot.org/story/11/04/14/2237237/asia-runs-out-of-ipv4-addresses ) and 2015 (https://tech.slashdot.org/story/15/07/02/1437236/north-america-runs-out-of-ipv4-addresses ) and the world just keeps on moving even as the number of connected devices has exploded. How? Because efficient markets in allocating scarce resources have come into effect.

Re:

[religionofpeas]

They aren't talking about the "market", only RIPE NCC. A single organization can certainly run out.

Re:

[brunes69]

HP and IBM already gave back their blocks.

https://en.wikipedia.org/wiki/... [wikipedia.org]

There are still a lot of entities on that list who own /8 blocks that really have no need for them at all. Unless you're a public ISP you have no valid reason to own a /8. The DoD is hogging 13 /8s for goddsakes. Why Ford or USPS needs a /8, I can not understand.

Re:

[zekica]

And that will help how?
15 /8 (DoD, Ford and USPS) will last for about 3 years, and then what?

Re: Fungible commodities will never run out

[brunes69]

That's not the point. The point is that Ford Motor Co and DoD should not be able to profit from the free address allocation they received and do not need.

Re:

[dunkelfalke]

Tell that to the Newfoundland cod fishers.

Re:

[sjames]

If you're really that desperate to pay high prices for an IP address, I can probably come up with one and sell it to you for $1,000,000.

Why the US DoD have soo many /8 ?

[JcMorin]

What blow my mind is how many /8 the departement of defense in the us have. I can't believe more than 1% of those are in used. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Anonymous Coward]

What blow my mind is how many /8 the departement of defense in the us have

The reason those were issued is clear. It's the reason they haven't released them back that's sucky.

The DOD and some universities were the original arpanet infrastructure, and this was a time before CDIR subnetting existed.
The "netmask" of an IP block was defined by the highest 4 bits of the IP, and those bits being all zeros made it an "A class", or what we now call a /8
This is also why 0.x up to 127.x are listed the way they are, those were all A-class and at the top level couldn't be divided. 128.x was

Re:

[kingbilly]

Please upvote this anon. They are right for the issue reason. Before CIDR (the parent fat-fingered the acronym), a class "A" was a class "A". Once your first octet started with an 0-127, it would be treated like a /8 by all hardware and software at the time. So giving it out was all or nothing, there wasn't a way to be smart about it.

Re:

[twocows]

I can think of a reason. They're valuable, and they're increasing in value every day. There are a lot of reasons the US government would want to hold onto a limited resource that constantly increases in value. Whether that's ethical or not is another question, of course.

Money Making Opportunity for ISPs

[thevirtualcat]

From an ISP's perspective:

A. Put customers behind CGNAT, charge extra for a public IPv4 address.
B. Give everyone a block of IPv6 addresses for free.

I know some ISPs have chosen B (Comcast, surprisingly) but I would be willing to bet that a not insignificant chunk of ISPs are going to pick A for as long as they can get away with it. (That is, until a critical mass of "important" online services go IPv6-only. Which, let's face it, that's going to be a while.)

Re:

[pr0fessor]

Doesn't being behind a CGNAT help protect your privacy a little?

Re:

[thevirtualcat]

Technically? Nothing really stopping the ISPs from selling the customer-to-port mappings to advertisers, but it *does* add a step to the process.

That's probably how they'll sell it, though.

New feature: "Privacy Guard CGNAT" protects your privacy by preventing your computer from broadcasting an IP address. Please note that some applications such as VPNs and certain games are not compatible with "Privacy Guard CGNAT." Public IP addresses are available for the low cost of $29.99/month for our valued customers

Re:

[Darinbob]

As soon as one porn site goes IPv6 only, the internet world will change overnight.

Re:

[thevirtualcat]

Well, yeah. Why do you think I put "important" in quotes?

You didn't think I was talking about the Smithsonian or something, did you?

Re:

[tdelaney]

At my ISP (Aussie Broadband):

A. Customers are put behind CGNAT by default. If a customer needs a public IPv4 address (e.g. for gaming, to run a server, etc) they can get a sticky public IPv4 address for free (easy to request). Approx 10% of customers are requesting public IP addresses.

Note: a sticky IPv4 address is not guaranteed to remain the same over time, but in practice almost never changes except when there are major changes in the network e.g. when CGNAT was brought in.

B. A static IPv4 address is ava

Market forces are not enough to push IPv6

[Nicopa]

At this point it has become clear that market forces alone are not enough to move us all to IPv6. Free-market is great when it works, but sometimes it needs a little push, some correction, from above. I think that IPv6 should be promoted by states. How much? I don't know. That can go from tax benefits to just making it a mandatory thing ISPs must implement (same as governments mandate standards in other fields).

Re:

[Bert64]

Well the regional registries allocate addresses to their members and require their members comply with various rules... So years ago they should have required that their members must provide dual stack or ipv6-only services as a requirement of getting or maintaining an address allocation. In fact, start taking back ipv4 allocations from any organisation that's providing ipv4-only services unless they provide dual stack by default for all their services.

Another one is demand and awareness. If google and othe

Re:

[jrumney]

I switched over to IPv6 for everything 3 weeks ago when my ISP started using CG-NAT instead of publically accessable dynamic IPs. I still have outgoing IPv4, but I've updated my AWS instances so I can use native IPv6 between there and my home. The difficulty I'm having now is that dynamic DNS clients and providers seem to make it hard not to set an IPv4 address. I figured out how to do it manually with DuckDNS, but still trying to get the client to play ball. If my ISP would assign a static IPv6 prefix,

Re: the supposedly-reserved "future use" blocks..?

[thatseattleguy]

Just curious. The fine page at: https://en.wikipedia.org/wiki/... [wikipedia.org]

....shows 240.0.0.0/8–255.0.0.0/8 (aka 240.0.0.0/4 - a full 6.25% of the available IPv4 address space) - as "reserved for future use". That's apparently for IP Multicasting per various RFCs (919, 922).

Could those conceivably be made available, or is 240.x.x.x so deeply enshrined in various TCP stacks as "multicast only" that it can never actually become available for general-purpose usage?

Re:

[religionofpeas]

Why bother risking problems ? That extra 6% only buys people a little more time to be lazy and do nothing. Everything is ready for IPv6.

Re:

[citylivin]

"Everything is ready for IPv6."

Except you know, people.

Its an important part of the puzzle. Take a look at an ipv6 address, it makes no sense. I am sure there is some way to read them but i dont use them enough to learn the syntax. Catch 22 i guess.

Re: the supposedly-reserved "future use" blocks..?

[Bert64]

Makes perfect sense...
First two parts is your prefix eg 2001:2020:, which identifies your company.
Then how you allocate the addresses underneath that is up to you... Most will come up with a scheme based on site or vlan ids etc.
2001:2020:100:: - site 100 (hq)
2001:2020:200:: - site 200 (backup dc) etc
2001:2020:200:10:: - site 200, vlan 10
2001:2020:200:10::50 - site 200, vlan 10, host 50

You don't have to use the autoconf based on mac address, but you can if you want.

It's much easier than the mess which is ipv4... Where does 18.3.1.32 sit on the network in relation to 64.21.2.5? And when you connect to port 80 of 18.3.1.32 does that forward to 192.168.10.10 or 10.2.3.50?

I find the ipv6 MUCH easier to manage and remember than the legacy v4, where i have to maintain a database to know where a given subnet or host is, with disparate address blocks all over the place and then nat adding extra confusion.

On the other hand i only have to know this because i manage a network... For the average user, they just use DNS.

Re:

[Z00L00K]

Multicast is used for a variety of functions, among them are routing protocols and without multicast the routing won't work.

Re:

[higuita]

there is a project reassigning those reserved IPs to a new use and most of the last few years IP allocations are being done using those reserved IPs.
The problem is some of then are in use or blocked and may require firmware/config updated in routers.
notice that even the 0/8 block is being take care, so it may be possible to allocate a 0.1.2.3 address in the future
of course, the energy put in doing this could also be used in pushing the ISP to finish their IPV6 migrations. With ipv6 solved in the ISP, everyt

Re:

[jrumney]

Multicast is used by mDNS and UPnP for discovery. There also used to be video services using it though it fell out of favour for that because of routing issues when not all routers are configured for multicast (and for ISPs, the routing tables to handle it can get quite big when a lot of customers tune in to multicasts at once, so a lot of them turn it off).

Elon Could Do That

[Greyfox]

Elon's putting a few tens of thousands of internet-providing satellites in orbit, he could just make them ipv6 only and that would probably pretty much single-handedly drive adoption of the standard. Otherwise he might have to whore himself out to IBM or someone -- IIRC those guys got three class As back in the day and they just use them on the internal corporate network.

Re:

[Dorianny]

A service which so far only counts Elon Musk as a user doesn't exactly carry much clout. What you need is either a consortium of to the top ISP's (ATT, Verizon, Spectrum, etc) or a consortium of the top services providers (Google, Facebook, Amazon, Netflix) giving the other a deadline by which time ipv4 will be turned off. Of course it would be nothing more than a bluff since neither side is going to risk pissing-off users and loosing business over ipv6

I've done my part

[reanjr]

I run a small-ish AWS rollout with about 55 hosts. I've enabled IPv6 on all of them. But there are still plenty of clients connecting w/ IPv4, so I can't really remove the IPv4 addresses yet. It's kind of annoying, because AWS is much nicer with non-transient IPv6 addresses than it is with IPv4 addresses that change every time an instance is stopped. People gotta get their shit together.

Relevant XKCD

[Dwedit]

Relevant XKCD:
https://xkcd.com/865/ [xkcd.com]

Not a problem for RIPE

[PPH]

Once the UK drops out of Europe and gives all their IP blocks back, there should be plenty for the remaining members.

CGNAT

[enriquevagu]

Welcome to the new era of widespread adoption of IPv4 CGNAT. Forget using torrent or any domestic server: cloud-based (and subscription-based) services only, sorry, your old RaspberryPi-based appliance no longer works in our network.. The IPv4 end-to-end principle, long ago deadly hurt by NAT, will definitely dissapear.

Time to select an ISP providing IPv6 service (none in my area, though) and to consider throwing away all those IPv4-only appliances...

Re:

[iggymanz]

that's kind of alarmist nonsense considering ISP have huge pools of ipv4 for the end user. this impacts mostly nobody as a customer.

Re:

[Bert64]

Only in some places...

https://en.wikipedia.org/wiki/... [wikipedia.org]

Some countries are screwed, and only have a single ipv4 address per several thousand of their population. North korea has only 1024 addresses in total, which is fine if only the dear leader is allowed internet access but for them to ever offer any kind of service to the population they would have no choice but to use cgnat.

Every isp in myanmar puts all their customers behind cgnat, some will provide a dedicated ipv4 address to business customers for a l

Just take them from Russia

[WillAffleckUW]

It's not like we need more anti-democracy bots

We are sorry the internet is full.

[Fly Swatter]

It's a shame they didn't use 16bits (IPv2?), so that by the time big greedy corporate types caught on they would not have been allowed in.

But really, just keep dragging your feet on ipv6 ISPs...

Re:

[110010001000]

Yes. A lot of Universities and organizations are selling their blocks to Amazon.

Re:

[Aqualung812]

GE sold their 3.0.0.0/8 block to Amazon. That had to be worth a ton of cash.
MIT sold a /9 to Amazon as well.
https://gist.github.com/simons... [github.com]

Re:

[Pascoea]

From the link: "We hold a block of 16 million IPv4 addresses. Fourteen million of these IPv4 addresses have not been used...at least eight million are excess and can be sold without impacting our current or future needs..." Maybe someone smarter than I could put this into perspective for me. Why would someone like MIT need 2 million IP addresses?

Re:Money?

[Aqualung812]

Why would someone like MIT need 2 million IP addresses?

They don't.
Speaking from experience in dealing with networks like this, the IP addresses are not all used up by hosts, they're used up by subnetting.

When you're designing a network, there are good reasons to have logical segments divided up. For example, at MIT, I would imagine a single building with 150 computers, 200 wireless devices, 30 cameras, 150 phones, 10 servers and maybe 300 other "IoT" devices doesn't put all of these devices on a single /22, even though that would hold all of them.
They likely use a /21 or /20, and then put those 150 computers on a /24 that can handle growth, same with the phones. This way security and QoS is easier.
If you build the network only big enough to handle a certain load, then you have to spend a TON of time, money, and downtime to redo it.
The common solution is to over-build the subnets so you don't have to touch them again, but that means a lot of wasted addresses.

Re:

[Pascoea]

So that part makes sense to me, but why would they be using public IP space for that? Wouldn't those internal subnets be in the 10.0.0.0/8 or 192.168.0.0/16 space?

Re:

[Aqualung812]

If you're using RFC 1918 space, you have to NAT everything.
It is quite common to have links between universities, say from CalTech to MIT. If you're using public IP addresses, devices can communicate directly without NAT.
Once you start NATing things, you've added a level of complexity that adds time and expense when you have a lot of people that need two-way communications.
The real answer is moving to IPv6.
Also important to note: some large companies have run out of RFC 1918 space. All of the IPs in 10.0.0.

Re: Money?

[somejng]

What you need to remember is that NAT was invented long after IPv4, so when the Internet was young all the universities and other early players got huge public allocations and used them for all devices because at the time there was no such thing as a private address. I'm sure parts of MIT and other institutions have switched over to NAT, but I'm also sure there's a lot of "if it ain't broke.." thinking going on, especially since the early institutions have huge public blocks and aren't under any pressure t

Re:

[thatseattleguy]

Yes, echoing other comments here, the going rate is about $20 per address, or put another way, about ~$5K per /24 block (256 addresses). See https://auctions.ipv4.global/p... [auctions.ipv4.global]

Re:

[dj245]

Yes, echoing other comments here, the going rate is about $20 per address, or put another way, about ~$5K per /24 block (256 addresses). See https://auctions.ipv4.global/p... [auctions.ipv4.global]

That's surprisingly high. I'm very surprised that my ISP is still giving out V4 addresses when they could just cash in so their executives can get a huge bonus.

Re:

[vadim_t]

These days most people's routers are working 24/7, so unless you move your customers behind carrier NAT, you're going to give them an address anyway. Taking advantage of that some people do indeed turn everything off when it's not in use might save some resources, but it's doubtful that very much.

Re:

[jonbryce]

My ISP recommends that I don't turn off at night, because they would mistake it for a connection failure and lower the speed to try to make the connection more reliable.

Re:

[Z00L00K]

And my ISP [telenor.se] still can't offer IPv6 addresses.

Any time I question them about it I get a non-answer.

Re:

[LynnwoodRooster]

Good news: you live in Sweden, so you have lots of cheap and fast bandwidth!
Bad news: you don't have an IP since your ISP ran out of them...

Re:

[CastrTroy]

But how many access points (routers,modems, firewalls) haven't been updated and don't support IPV6. Sure most of the new stuff does, but it hasn't been a long since you could buy devices that only came with IPV4.

Re:

[CubicleZombie]

But how many access points (routers,modems, firewalls) haven't been updated and don't support IPV6. Sure most of the new stuff does, but it hasn't been a long since you could buy devices that only came with IPV4.

Comcast told me I had to buy a new modem to support DOCSIS-whatever or I'd lose service. So I bought one.

What's the problem?

Re:

[Bert64]

IPv6 has been around 20+ years at this point...
It's older than most of the other technologies you might be using, or are you content with 802.11b wifi and 10mbit ethernet?

Re:

[Retired ICS]

A brassiere supports. Some even lift and separate. Over-the-shoulder-boulder-holder.

Access Points (routers, modems, firewalls) don't "support" IPv6. They may either work with it or not, but they do not and never will "support" IPv6.

Unless of course you mean the "marketroid" meaning of support, which is "make money from". So technically, no. Physical devices do not "support" (make money from) IPv6 either. The manufacturer of the device is the one "making money from".

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sosume]

Look at it in he scrum way. The product backlog item "Upgrade to IPv6" has suddenly become a priority item. Apparently other stuff was way more important before.

Re:

[110010001000]

Not sure what you mean. The US has pretty good IPv6 deployment.

Re:

[Bert64]

You will end up with NAT... And you won't be able to start a new ISP.
In some countries, this is the case already because many countries were late to the party and never had large allocations of ipv4 for their isps.
Having a connection behind nat is shit, but it's the only thing available in some places.

Re:

[Retired ICS]

"Now only the ISPs reserves are left, and once those run out they won't be able to take new customers."

For a ride you mean? They will certainly be able to take their money and provide them with Internet access, however.

Re:

[sjames]

Perhaps people started talking about it early knowing there would be considerable inertia. From the look of things, they were dead on about the exhaustion of IPv4 addresses and if anything they seriously underestimated the amount of inertia.

Note, the first warning that the IPv4 address space wouldn't be adequate came when it was still called ARPANET.

Re:

[110010001000]

The main problem was not doing IPv5. It is like going from Windows 1.0 to 3.0.

Re:

[mark-t]

IPv5 was an experimental protocol developed in the 1970's that was more or less still-born, because by the time it would have started any seeing actual implementations, IPv6 had already been proposed and had much more momentum behind it.

Re:

[mark-t]

They don't have to adopt anything different with ipv6. If they are comfortable with NAT, they can continue to use it with ipv6. It's just that there won't be as much of a point..

Ipv6 makes NAT a personal choice, not a necessity for the internet to continue to function.

Re:

[WaffleMonster]

I would suggest that a technology that hasn't seen widespread deployment after 21 years isn't going to take off, and we need to look at something different.

IPv6 deployment *IS* widespread and growing on an exponential trajectory.
https://www.google.com/intl/en... [google.com]

People rely on NAT as part of their network security. Maybe they shouldn't, but they do. And forcing them to adopt something different is going to be a problem.

SPI does what NAT does only difference being it's more secure.

Re:Sad things

[higuita]

bullsh*t!!

The hard work was already done many years ago, the basic code support, everything released in the last 10 years is ipv6 ready, just plug and it's done. IPV6 can talk to ipv4, so having ipv4 do not stop anyone from using ipv4 only services. It have a transparent fallback that works well. Of course, broken configs are broken and may make both ipv4 and ipv6 fail, but those are usually ISP problems and most of the time quickly fixed after being reported.

we do not have universal IPV6 because of ISP

the ISP are the ones that are lazy, they need to replace equipment in some cases, upgrade the firmware on others and the worst problem, they need to update their software and tech support.

On the client side, almost everything is ready years ago and those that aren't either are obsolete or simply need simple updated libs/code to allow AAAA dns and bigger IP size. But the few software that still fails is waiting for the ipv6 ISPs support

On server side, almost everything supports ipv6, only some code and DB need to be updated if not already to allow bigger IPs. The few sites/software that fail to support ipv6 are all waiting for ISPs to support ipv6

Backbones are all ipv6 ready, no problem here for several years

So again, ipv6 was hard to deploy in the first few years, but now is easy...ISP are just lagging because they are lazy, they are mega-corps where everything is hard, because no one cares internally, customers still pay ipv4, so why bother with ipv6!

Those that still do not have ipv6, switch ISP for another that support ipv6 and do not forget to warn then about that

Re:

[AllHailTheHypnotort]

IPv6 is a hot mess. I'm sorry to say this, but there are very good reasons that people are unwilling to use it. Here are a few practical things that just don't work:

Home router support is flimsy and doesn't deal with common scenarios, like delegation of specific prefixes to match firewall rules or adapting firewall rules to dynamically delegated prefixes (if there even is prefix delegation support in the first place, which is not guaranteed). Let's look at everybody's darling: OpenWRT. How do you allow fo

Re: Sad things

[simpz]

On openwrt "ip6neigh" makes all these things doable but as you point out this is all this isn't exactly elegant. IMHO ip6neigh should ship with openwrt. Then use fixed allocated EUI slaac, so IPs are predictable, and use ULA addresses internally that are fixed.

The mistake is really ISP's still want to live in a world where fix IPs are a premium thing and so can charge. This is pretty ridiculous with IPv6 being so large.

We are probably also a minority that care about things like inbound services on home conn

Re:Sad things

[WaffleMonster]

There is very little incentive to prioritize IPV6 or even support it.

Meanwhile according to Google 30% of users are on with an exponential trend.

A new networking protocol which was not backwards-compatible with ipv4 was a horrible idea from the start. It means all or nothing.

The opposite is true. There is no circumvention of the pigeonhole problem no matter what. The problem is entirely insufficient fixed address space not anything else related to any design of anything.

The multitude of piecemeal tunneling / translation schemes that existed to enable backwards compatible communication were liabilities to the adoption of IPv6. Content has very clearly demanded production quality network and explicitly REJECTED additional layers of unreliability in the form of tunneling schemes that existed for backwards compatibility.

Either everything is on ipv6 and you can turn off ipv4 or you need to maintain ipv4 in which case why bother with ipv6 at all.

IPv6 is faster and cheaper than CGN.

Furthermore the whole idea behind ipv6, all devices having a routeable address turned out to be a horrible idea due to poor device security and not-needed due to so called "cloud services" which allows access to iot devices without the need for routable addresses

Fuck that. The Internet is a network of PEERS. IPv6 restores the ability for peers to communicate. This provides value to users effectively lost during the IPv4 NAT era. If the answer is forcing everyone to "cloud services" then that answer is unacceptable.

As for security again the opposite is true. SPI is MORE SECURE than one to many NAT schemes. The reason SPI is more secure is that ALGs make exploitable ASSumptions and additional code required for packet mangling is an unnecessary liability.

Re:

[Dorianny]

Meanwhile according to Google 30% of users are on with an exponential trend.

30% in 20 years since ipv6 was drafted.

The opposite is true. There is no circumvention of the pigeonhole problem no matter what. The problem is entirely insufficient fixed address space not anything else related to any design of anything.

ipv6 was drafted in 1998, if they had drafted a ipv4.1 as well, which did nothing more than go from 32bit addressing to 64, by now 99% of devices would have support and we could start assigning those larger addresses while continuing the roll-out of ipv6

IPv6 is faster and cheaper than CGN.

Not when you have to support both but only ipv4 is absolutely necessary

Re:

[WaffleMonster]

30% in 20 years since ipv6 was drafted.

It could be 200 years since it was drafted and it would make no difference.

The only thing that actually matters is current adoption and the exponential trend. Virtually all of the growth was just in the last few years with adoption doubling every three years.

ipv6 was drafted in 1998, if they had drafted a ipv4.1 as well, which did nothing more than go from 32bit addressing to 64, by now 99% of devices would have support and we could start assigning those larger addresses while continuing the roll-out of ipv6

No absolutely not. Adding even a single bit to a fixed length address space requires global changes to hardware, operating systems, persistent data stores, client/server software, naming, countless support protocols and management systems. It's a gar

Re:

[WaffleMonster]

Youre, Totally wrong about the security mess that will result from not having NAT. The problem is, most consumer grade devices, such as game consoles, IP cameras and all that are other crap are so poorly designed and have so many security problems, and the manufacturers dont care and wont change their ways either, none of these devices have any business being exposed to the net directly.

NOBODY is arguing this. Every last consumer router, modem/router with support for IPv6 available for sale does SPI out of the box. This prevents unsolicited incoming connections from being forwarded to end devices in the same manner as NAT devices. Not a single person is arguing for anything to be "exposed" to the net directly. Most importantly this just isn't happening in the real world and neither is it what anyone is advocating.

Most people should not be using ALGs

NAT effectively is the same shit as SPI except with considerably less com

Re:

[sjames]

So, we're heading for a bridge pylon at 70 MPH and your position is "Well, we'll cross that bridge when we come to it"?

Re:

[110010001000]

That blog makes no sense. If you want NAT, use NAT. Nothing is stopping you from using NAT with IPv6.

Re:

[Strider-]

Well, except that last I checked, the maintainer of the linux networking stack has explicitly stated that they will not be implementing NAT for IPv6, as NAT is fundamentally stupid, and a kludge that has helped IPv4 live as long as it has. As most of the world's soho routers run linux, they are affected by this.

I actually agree with the maintainer on this one.

instead, what we have is the privacy extensions for IPv6, which cause clients to shift their addressing on a regular basis. This is a much better solu

Re:

[110010001000]

I didn't know that. It does seem a bit silly to run NAT in 2019, but there ya go.

Re:

[Z00L00K]

There can be more than one reason to run NAT, and the primary reason is that I don't want to expose my whole network to the world or even to my ISP.

Re:

[sosume]

But setting up an IPv6 firewall is super-duper-easy!

Re:

[itsme1234]

That's a wrong assumption made by people who know some (but not enough) IPv4 and no IPv6 which uses (I think even in Windows by default) ephemeral addresses. They are supposed to be generated/assigned when a session is opened by the client and then destroyed when it's closed. Just as before you won't be able to tell the number of clients behind, just the number of connections;there could be one client or as many as connections you have.

Re:

[sjames]

So turn on the privacy extensions.

Re:

[sjames]

Exactly why I believe the moon is made of green cheese and the earth is flat. All those round Earthers sound like a bunch of cultists. They even subverted the schools to indoctrinate kids through their text books!

Re:

[stabiesoft]

I am not an expert on V6 but I thought my ISP gave me something like a /56 on V6. Is it possible to firewall off say the top half of the /56 from the outside, and make the bottom half exposed? Then put any private boxes on the top range and any boxes than need access on the bottom. Of course even the bottom would probably block almost all ports except the couple you want exposed. Internally I am still running V4 since I don't need V6 yet, so no idea if it is possible.

Re:

[Bert64]

Of course it's possible, you can even allow or disallow individual ports and individual devices, or you can create individual subnets for different purposes.
You have a larger address space with a /56 than any single organisation ever had with ipv4 and you can subnet and route it however you see fit, with individual firewall rules for each network or host.

I keep it simple by having /64 networks, but i have several of them at home for different purposes - guests, iot devices, family, work, servers... All with

Re:

[stabiesoft]

Thanks, that is what I was thinking you could do. /56 which is what they gave me. I really was in disbelief about the size. I wonder if 20 years from now they are going to regret tossing out these giant subnets to residential customers. I know 128 is large, but I suspect they thought 32 was large at the time. Hence the reason they tossed all those class A address groups out to HP/IBM etc and needed them back.

Re:

[slack_justyb]

the primary reason is that I don't want to expose my whole network to the world or even to my ISP

This is not a good reason. The only thing you are hiding is your internal IP addresses, but machine information and the details of what is running inside your network is still leaking out through application level protocols. Additionally, there's ways to machine to machine through NAT, so you aren't even keeping things from directly talking to your machines. If you want a network wide firewall, then do that, you don't need NAT to have a firewall. If you want to have a private subnet, then do that, DMZs

Re:

[kingbilly]

I'm a bit confused, I'm always hearing about defense in depth and having multiple layers of security. Couldn't NAT be part of that equation?
Does NAT actually make you insecure, like people claim? Or are those claims assuming that because NAT existed, people don't bother adding better alternatives?

Asking as someone who wants as many layers of security, including firewalls, but would also consider adding NAT to the mix. And more security measures.

Re:

[zekica]

There is nothing that NAT does for security that a simple stateful firewall doesn't do:
ip6tables -t filter -P FORWARD REJECT
ip6tables -t filter -A FORWARD -o eth0 -j ACCEPT (your outside interface)
ip6tables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT (connections that nat would have a mapping for)

The above does exactly the same as a basic NAT.

Re:

[Bert64]

NAT requires a stateful firewall in order to function...
A stateful firewall does not require NAT.

A stateful firewall without NAT is easier to manage - you have simple allow or deny rules, no need to bother with nat rules or nat reflection rules etc. You see at a glance if something is allowed or not, and where it's allowed to/from.
Adding NAT to the mix confuses things, does allowing traffic to a specific port on the external address allow traffic to a service on the firewall itself? Or is that port forwarde

Re:

[Eravnrekaree]

. NAT is a perfectly valid security measure and secure by default. The problem is many consumers dont know anything about IP and not capable of setting up their own firewall. NAT is secure by design and does not have to be configured to be secure, it just is. Nothing wrong with that. NAT is great if you want to hide device counts from the ISP as well, as well as having default high security.

Re:

[WaffleMonster]

Well, except that last I checked, the maintainer of the linux networking stack has explicitly stated that they will not be implementing NAT for IPv6, as NAT is fundamentally stupid, and a kludge that has helped IPv4 live as long as it has. As most of the world's soho routers run linux, they are affected by this.

Originally you could do NAT in the form of DNAT 1:1 mapping..etc so long as a single address is not being shared.

In newer versions of kernel the masquerade target is also very much alive for IPv6. Quite unfortunate.

Re:

[lamber45]

Linux and ip6tables supports the DNAT, DNPT, MASQUERADE, NETMAP, SNAT, and SNPT targets for IPv6 since kernel 3.7 (released in 2012). So in 2013 [serverfault.com] it wasn't uniformly supported, but today it should be. Never mind what one developer might have said, the support actually is there for several years now and it actually works.

Re:

[zekica]

IPv6 has NA(P)T - at least on Linux it is implemented since kernel 3.10 in 2013.

IPv6 also has NPTv6 (network prefix translation) that does stateless NAT and preserves end-to-end principle.

Re:

[marka63]

Given the traffic to Pornhub will be using a privacy address, which are ephemeral, on anything anywhere near recent, it will just trace back the /48 in IPv6 exactly the same as it traces back the the /32 in IPv4. No more, no less.

To get more specific you need to maintain connection logs which are equally applicable to IPv4 as to IPv6.

Re:

[Darinbob]

This is a silly argument. The reason "IPv4" hides your identity better is not because of IPv4 but because ISPs are using additional protocols like NAT in order to deal with inability to provide enough IPv4 addresses for their customers. In other words, because there aren't enough IPv4 addresses you won't get unique addresses for your devices by default (though you can pay extra for this service). If you need the additional privacy then you should use additional methods beyond relying upon your ISPs use o

Re:

[fulldecent]

I am not talking about carrier grade NAT. I am talking about consumer NAT, which comes by default on every IPv4 router.

I am willing to bet that no iPhone has ever had a unique trackable IPv4 address. Every iPhone connects using Wi-Fi or cellular. And every time that happens you are anonymized with other people that are connected to the same Wi-Fi hotspot or cellular connection.

Compare that to IPv6. Every internet connection made from that every iPhone that enables IPv6 is uniquely identifiable to a social s

Re:

[Dagger2]

Compare that to IPv6. Every internet connection made from that every iPhone that enables IPv6 is uniquely identifiable to a social security number (in the US) or nationally identity card (other countries). How? Because if your phone makes ANY connection to an attributable service (Facebook, XKEYSCORE-able services) then ALL your traffic is attributed

v4 is no different on this front. If you NAT the traffic from all of the machines on your network to the same source address (as basically all v4 routers do by default), then the exact same correlation is possible. v6 doesn't change this in the slightest.

Re:

[fulldecent]

On IPv4:

* Alice's phone connects to Facebook: Facebook & ISP see IP address A
* Bob's phone connects to Facebook: Facebook & ISP see IP address A
* Alice's phone connects to Pornthub: Pornhub & ISP see IP address A

Who was on Pornhub? Only Alice knows.

On IPv6:

* Alice's phone connects to Facebook: Facebook & ISP see IP address A
* Bob's phone connects to Facebook: Facebook & ISP see IP address B
* Alice's phone connects to Pornthub: Pornhub & ISP see IP address A

Who was on Pornhub? Alice k

Re:

[zekica]

On IPv6:

* Alice's phone connects to Facebook: Facebook & ISP see IP address A
* Bob's phone connects to Facebook: Facebook & ISP see IP address B
* Alice's phone connects to Pornthub: Pornhub & ISP see IP address A

Except that is not how IPv6 privacy extensions work, the following is correct:
* Alice's phone connects to Facebook: Facebook & ISP see IP address A
* Bob's phone connects to Facebook: Facebook & ISP see IP address B
* Alice's phone connects to Pornthub: Pornhub & ISP s

Re:

[fulldecent]

Are you referring to privacy extensions in RFC-4941? Then yes that's how it works.

Here is the fatal flaw:

> The default value is given in TEMP_PREFERRED_LIFETIME and is one day.

This means if you access Facebook or any other XKEYSCORE-enabled website only once per day then ALL of your traffic is attributable.

---

In your example "Alice's phone connects to Pornthub: Pornhub & ISP see IP address C" only happens if Alice waits a whole day to access Pornhub and does not access Facebook in the meantime.

And ev

Re:

[WaffleMonster]

This is a silly argument. The reason "IPv4" hides your identity better is not because of IPv4 but because ISPs are using additional protocols like NAT in order to deal with inability to provide enough IPv4 addresses for their customers.

CGN systems allocate port to end users such that IP + source port can be used to uniquely identify a subscriber even when multiple customers share the same IP.

Re:

[110010001000]

"People have been increasingly unable to edit Wikipedia"
Oh no.
"It is the same on 4chan where people are blocked from posting on many isps"
Oh no.