The provider of IP addresses to the Asia Pacific region has activated a major change in the way it allocates them after becoming the first registry to deplete its number of older addresses to fewer than 17 million. APNIC said the depletion of all but its final /8 block of addresses was a “key turning point in IPv4 exhaustion” …
Not quite "4 billion" usable addresses.
Apart from small fry like 127/8 and the two "directed broadcast" addresses on both ends of each subnet block no matter how small, there's 224/3 to consider. 224/4 is multicast, and 240/4 is "reserved". Reserved for what? I don't know. Those addresses will be blocked in innumerable devices, but strictly speaking they're free (minus 255/8 just like 0/8 and 1/8 are tainted). I think those last fifteen /8 blocks might see service before too long.
With a bit of foresight, or rather the benefit of hindsight, it would likely have been possible to put LINK LOCAL, LOCALHOST, 0.0.0.0, 255.255.255.255, and a goodly chunk of rfc1918-type addresses in a single /8, which would've saved a lot of hassle and freed up a couple blocks. No directed broadcast likewise. But that supposes people would've figured out right away that directed broadcast was a bad idea and that some day we might very well run out of addresses. Then again "they" didn't even start out with CIDR, as classes seemed like a good idea at the time, too. Oh well.
Quite amazing that IPv6 still hasn't seen much take-up yet, at all. Even where ISPs supply custom-firmwared modem/switch/ap/routers and regularly update them, there's very, very few that actually support IPv6 at all. Is civilisation supposed to collapse first?
The rollout is starting
In Germany from the summer with Deutsche Telekom promising to put all subscribers on IPv6 by Christmas. Of course, because the rollout will be of unprecedented scale we can expect a few surprises along the way but you've got to start somewhere.
They didn't start out with classful addressing. :-) And there's nothing wrong with using /31 on point-to-point-links (RFC3021), and it often works on Ethernet-links too!
And 240.0.0.0/3 will hopefully not see service any time soon. The work involved in making sure it's reachable from everywhere makes IPv6 deployment seem like a vacation. It'll give you 14-15 IPv4 /8s, just around one year's worth with the current allocation speed.
Who cares ?
So what if your ISP gives you a globally routable IP (v4 or v6). Most people will not care, and can live in NAT'ed 10.x.x.x land forever.
If it's important, move to someone like Zen who already give you 8 IPv4 for free, and promise a public IPv6 address too when they move.
Take IPv4 addresses away from (mostly) American Universities
An astronomical number of IP addresses were grabbed by American Universities in the very early days, hogging them way out of proportion to actual need. As a consequence, American Universities (and Universities in general) don't run NAT'd LANs like corporations and most governments do. Which is also why Universities have rampant virus/zombie issues. ARIN-RIPE-APNIC should take back most of those IPv4 blocks from all of those Universities and make them connect their campuses to the Internet through NAT routers.
@Take IPv4 addresses away
In general, you are right about universities having way more IPv4 addresses than they need. My own department has a 255 block for a couple of dozen machines. Only a couple of them need a world-facing static IPv4 address. I expect most universities could get by with only 254 IPv4 addresses in total.
As for the virus/zombie issues, that is down to Windows as #1 reason, followed very closely by the number of 'personal' computers on the networks without competent administration. The computing equivalent of "A lawyer who represents himself has a fool for a client".
On the contrary my friend
It's Universities who really should have first choice on their addresses. Anyone at a University should be able to run a public server on their machines, it's how so many services got started.
The paperwork craziness it takes to run a public IP in many UK Universities is just ridiculous and hampers any attempt at progress.
Playing the blame game and criticising the universities would be fine if:
a) they were somehow uniquely positioned to forecast the eventual depletion of IP addresses, even when the Internet consisted of only a few dozen organisations.
b) they could have taken less if they wanted. Classful addressing was not the original addressing scheme, but an early attempt to stave off IP exhaustion. Before that if you wanted an address range you were allocated an /8 block regardless of need, since that was all the technology supported.
Uni not only players
Also remember that it is not just universities that have big IPv4 allocations, some US companies and gov also have far more than is needed.
Are those addresses well used? It is true that some new projects could use them and justify a student block per uni, but most PCs are just for office admin and lab work, and would be best behind NAT anyway.
Re: Take IPv4 addresses away from (mostly) American Universities
It should be Universities (and Governments) leading the way with IPv6. NAT'd IPv4 and reasonably-firewalled public IPv6 available as standard and we'll see some progress fast. Suddenly half the new apps will be defaulting to IPv6 if available, and every next major startup will have it enabled on their websites by default. Devices and networking equipment that don't work well with IPv6 just won't be in the running.
At some point, Google, Yahoo, Bing, Facebook, & Twitter will decide that enabling IPv6 by default is viable and is "the right thing to do", and the rest of the world will scramble to follow suit as IPv4-only companies are suddenly behind the times.
apply clue with extreme force
for fuck's sake!
it's not possible for the rirs to take back address space from the organisations who got that space before the rirs existed. there is no legal basis for doing that. even if there were, i'll bet those organisations would "prove" they were "using" most of that space. or demand that someone else (who?) pays for their renumbering.
even if that legacy space was returned, it would make no fucking difference. it would just put off the meltdown by a few months. the world chews through a /8 of ipv4 space every month or thereabouts. so getting back the /8s from ford or mit are not going to solve the problem. ipv4 addresses are just about done and WILL run out soon. the only way to prevent that will be to shut down the interweb.
It's a widespread problem...
> grabbed by American Universities
It's not just them. I've recently been working for a well-known multinational company with huge IPv4 allocations.
All machines have globally-routable IPv4 addresses, which are then firewalled to the very brink of usability. The company would actually benefit from a transition to private addressing and a NAT setup. An enormous number of IPv4 addresses could be returned to the pool.
That's not going to happen, though. Said company have outsourced their IT support, so such a move would cost them a fortune :-(
Natting uni networks might also solve their alleged piracy problem the RIAA are always bleating about, as then at least 1 person on campus would have to buy any CD copied :-)
Yes it would
It would be like how the analogue spectrum is being taken away from TV stations and replaced with digital allocations. There needs to be an IPV6 switchover in the same way that there is a digital switchover currently underway for television.
No it wouldn't.
> It would be like how the analogue spectrum is being taken away
It would be nothing like it.
RF spectrum is licenced. The licence issuer (the government) has the ability to control use of the spectrum by manipulation of those licences.
IP addresses are not licenced. They are handed out by the registries. But the early allocations pre-date those registries, and that is when huge allocations were made. No mechanism exists to revoke those allocations.
Other way around, NATing the networks would make the piracy worse. What happens on NATed university network is that someone sets up a DC++ server and you suddenly have several hundred individuals that can pirate off each other at LAN speeds (gigabit LAN speeds if you are lucky). Getting that one initial copy onto the network isn't a challenge either and I am speaking from experience of going on 3 years back, I have to assume that things are even "worse" now.
@Paul: On the virus/zombie count, it's actually the second item and not the first
that causes the problems. I recall Apples being the main PCs on campus student labs way back when I was in college (well, after the dedicated mainframe terminals) and very few PCs. The lab had a persistent virus problem, particularly something they claimed lived in one of the printers and which kept reinfecting the network. I was barely able to afford a C64, so I had no such problems.
If you'd ever worked with (let alone for) the government,
you'd know they'll be the last one dragged into IPv6. And they'll be kicking and screaming the whole way.
not just Unis
Pretty much all businesses continue to operate on the completely false premise that each DNS name requires a unique IP address. I've seen companies not only put each top level domain on its own IP, but multiple sub-domains on their own, an FTP server on a separate IP, all fully routable and that could have co-existed on a single IP.
The only time you need a unique front facing IP for a site is when you do not want 3rd parties to see that multiple URLs are all backed by a single system, or when more than one have to be capable of responding on the same port when other data (like the URL itself) is not concurrently passed to the server (session-less browsing, telnet, etc). In some cases, applying QoS at the edge is a need and this makes using a single IP difficult, but really, most people using more than 1 IP could use at least fewer than they do now, many could in fact use just 1.
Too many businesses simply find it's "easier" to have a new IP than bother with DNS and proper fire-walling to route traffic.
no no no
ALL those servers can co-exist, pooled on a single IP. Internal DNS can handle routing incoming port 80, 8080, and 426 connections based on URL headers as easily as IP direct routing. It's a simple matter of properly configuring a firewall and DNS server, or using something like DataPower.
There are a few cases a server and URL must be matched to a specific unique IP on a specific port, but very, very few of them have anything to do with web services.
And some are claiming IPv6 "won't happen"
Shortly after linux.conf.au, I wrote a piece that I sent in to the Wireless Institute of Australia regarding this issue. What was interesting was the bit the WIA immediately tacked onto the end of the submission, more or less attempting to refute what I had written, and claimed "we had another 5 years" and implied we didn't need to do anything.
http://www.wia.org.au/members/broadcast/wianews/display.php?file_id=wianews-2011-02-20 has my article down the bottom.
It seems this is a common issue. Two problems though:
(1) If IPv6 isn't it... what is? It took from about 1992 to 1998 for the IPng working group to come up with IPv6, then until 2005 before most mainstream operating systems implemented it. If we've got 5 years, we had better move NOW.
(2) This assumes that the unused space by these corporations will just be graciously donated back to the Internet community. Hah! Excuse me while I die laughing.
People are quick to point out NAT as a solution. Yeah? Until you get more than 65536 connections from users sharing the one IP address. Ooops. Moreover, if one of those users sends some spam to a website (say, via HTTPS, so no intervening proxy), how do you know which one of those users sent it?
Right now we can look at an address, know the ISP, ISP looks up their records and says "Ohh yes, we leased that IP address to Mr. J Smith at 123 Imaginary Lane..." ... you can trace as far as their NAT router. And usually there aren't *too* many computers at a residence or business to be able to track down which one did it and remedy the problem.
Now that IP address will soon only point to a carrier NAT device at the ISP's datacentre. Which one of the 100 users behind it is guilty? Do you log each and every TCP connection? How big are the log files going to get?
If we go down the route of carrier NAT, I can see us in a year or two drowning in a sea of spam and malware. Think it's bad now? One lyric from Bachman Turner Overdrive comes to mind... "You ain't seen nothin' yet". Yes it's a short-term stop-gap measure, but it's no solution.
ISPs need to pull their finger out and move on from IPv4. Currently in Australia, the only consumer ISP that offers IPv6 is Internode, with iiNet allegedly planning a move to IPv6. We need everyone (in every country) to pressure their ISPs to move up if we want the Internet to remain something more than a walled garden.
You don't need to log every connection. The far simpler route, assign a block of ports per subscriber. Then you don't need logs; you take the IP address and that points you to a group of users and then you look at what the source port that was used and that will point you to the exact subscriber. Most carriers are looking at 1000 subscribers per public IP. Most assign a /22 to a DHCP block, so this falls within that same approach.
..and when, say, I'm playing a multiplayer game, don't fancy paying $wtf for my own colo server, and fancy just selecting the option in the game that says "start new multiplayer game", then asking my friends to connect to me...
Pushing NAT up any further than the router in your house is a really bad idea, if you want the Internet to remain the Internet, and not a strictly client/server model of which I'm sure various large media companies would LOVE.
Re: Assigned ports
Yes, but how many servers actually log the source port number?
How many of those servers are proprietary and thus you've got to convince the software maker that the change is needed? I agree it's one way it can be done, but if you look at the headers in your last email, you'll notice it's devoid of port information. Likewise with web server logs. Apache can be patched if needed, even by the end user. What do you do for IIS?
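The port-block scheme discussed in the two posts above, sketched as an added example (not part of the thread and not any carrier's code): each address in a /22 subscriber pool gets a fixed block of source ports on one shared public IP, so a server log entry maps back to a subscriber only when the source port was recorded. The pool, the public address and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed deployment parameters (assumptions, not from any real carrier).
POOL = ipaddress.ip_network("100.64.0.0/22")        # subscriber side, 1024 addresses
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")    # shared public address
FIRST_PORT = 1024                                   # well-known ports stay unused
BLOCK = (65536 - FIRST_PORT) // POOL.num_addresses  # ports per subscriber


def port_block(subscriber_ip):
    """Return the (first, last) external source port reserved for a subscriber."""
    ip = ipaddress.ip_address(subscriber_ip)
    if ip not in POOL:
        raise ValueError(f"{ip} is not in {POOL}")
    index = int(ip) - int(POOL.network_address)
    first = FIRST_PORT + index * BLOCK
    return first, first + BLOCK - 1


def subscriber_for(public_ip, src_port):
    """Reverse lookup from (public IP, source port) to the subscriber address.

    Returns None when the port is unknown or out of range: without the port,
    every address in POOL is an equally valid candidate.
    """
    if ipaddress.ip_address(public_ip) != PUBLIC_IP:
        return None
    if src_port is None or not FIRST_PORT <= src_port <= 65535:
        return None
    index = (src_port - FIRST_PORT) // BLOCK
    if index >= POOL.num_addresses:
        return None  # leftover ports when the range does not divide evenly
    return POOL.network_address + index


# Constructed access-log lines: two record the source port, one does not.
SAMPLE_LOG = """\
203.0.113.10:1100 - [19/Apr/2011:10:00:01] "POST /comment HTTP/1.1" 200
203.0.113.10:40000 - [19/Apr/2011:10:00:02] "POST /comment HTTP/1.1" 200
203.0.113.10 - [19/Apr/2011:10:00:03] "POST /comment HTTP/1.1" 200
"""

LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s")


def attribute(log_text):
    """Return (log line, subscriber or None) for every parsable line."""
    results = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        port = int(match.group(2)) if match.group(2) else None
        results.append((line, subscriber_for(match.group(1), port)))
    return results


if __name__ == "__main__":
    print(f"{BLOCK} ports per subscriber")
    for line, subscriber in attribute(SAMPLE_LOG):
        who = subscriber if subscriber is not None else (
            f"unresolved, {POOL.num_addresses} candidates")
        print(f"{line.split(' ')[0]:22} -> {who}")
```

With 1024 subscribers on one address, each gets only 63 concurrent source ports, and the third log line cannot be narrowed below the whole pool.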
WE'RE ALL DOOMED!
Stupid boy. Etc etc.
Reclaim IPv4 addresses?
As several people have commented, we could reclaim unused addresses in various ways to stave off the crisis.
And this would achieve exactly what? Well, it would let people go on saying "We don't have to do anything quite yet" and carry on doing nothing.
And it would stave the crisis off for what, a few months maybe? Probably less time than it would take to actually do the reclaiming.
And since internet takeup is still accelerating, this would mean that when the crisis finally does hit it will be even worse.
just ASK people when they renew package X. I could easily use an IPV6 address and translate back to ipv4 for our network via our firewall. The same cannot be said for those using TMG or ISA for instance. I mean come on M$ - it isn't like IPV6 has been around a while for you to incorporate into your latest firewall....
Not much pain
3 years ago I started a slow 'when convenient' slide towards IPv6. Today I am sitting on a fully working and tested dual stack network. But if you have been completely ignoring it, yes, you will be staying up. So why have you been ignoring it?
dig AAAA www.theregister.co.uk returns no records, so go get some Provigil.
@cowards: Even if you could find and reclaim the (fragmented) unused IPv4 space, it would be like peeing in your pants, so for one I welcome the first RIR pool depletions. It turns 'expected to happen' into current reality, which is much easier for management to relate to. And we're still running stateful firewalling on IPv6. Just like on v4. NAT makes zero difference. Zero state tracking does.
But I started planning only last Autumn. I already had an Alix board router/firewall but changed the software to LEAF-Bering to support IPv6. Changed the adsl modem to bridged mode & moved the ppp session onto the router/firewall. Then changed ISP to an Entanet reseller (UKFSN). I've now got dual-stack working with all my internal hosts. Definitely not for one's granny!
The complete dearth of consumer routers that support IPv6 is something of a scandal IMHO. Perhaps it's a sad testament to the rush to the bottom that is consumer Internet provision in the UK.
Totally agree that a few more popular websites on v6 wouldn't come amiss either.
As the "So, what's the best sci-fi film never made?" forum is now closed for new posts, I just wanted to thank you for "The Legacy of Heorot"... it sounded interesting, I got the book... now I'm halfway through, and it's fantastic. :-)
World IPv6 Test day is 8 June 2011
"On 8 June, 2011, Google, Facebook, Yahoo!, Akamai and Limelight Networks will be amongst some of the major organisations that will offer their content over IPv6 for a 24-hour “test flight”. The goal of the Test Flight Day is to motivate organizations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure a successful transition as IPv4 addresses run out.
Please join us for this test drive and help accelerate the momentum of IPv6 deployment."
There is a web page here for testing ipv6. I'm still on ipv4 only and can't really vouch for it. It wants you to allow scripting (ie allow all on the web page if you use noscript on Firefox). I get 10/10 for IPv4 stability and readiness, when publishers offer both IPv4 and IPv6 but my DNS server (possibly run by your ISP) appears to have no access to the IPv6 internet.
I trust that El Reg has entered 8th June in the diary, but hope there is not a lot for them to report.
@World IPv6 Test day
Just tried http://test-ipv6.com/ on my home linux PC on Virgin cable broadband:
"10/10 for your IPv4 stability and readiness, when publishers offer both IPv4 and IPv6
0/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only"
Ditto for me on the Oxford Uni network. This'll be fun...
10/10 on both
This via UKFSN (Entanet reseller). Glad this stuff just works, though I have spent some effort getting it there. A giant raspberry from me to the consumer adsl/router manufacturers, and many (most?) ISPs in the UK for playing ostriches. No doubt we'll all get lumbered with the horrors of Carrier NAT before they realise they have to do things properly.
Give me IPv6
I am all set with IPv6 internally as far as I can test.
My ISP on the other hand is still issuing IPv4 addresses and will not provide IPv6 addresses for my router let alone my internal devices.
Does anyone know how to kick them into gear?
PS. Oh crap I need a load of static IPs next month for SSL sites. WTF do I do if they are not available?
Re: how to kick them into gear
Well if you want to be nice about it, send a message to their tech support and sales teams...
1) Point out that if they intend to be in business this time next year, they need to be giving out IPv6 addresses today.
2) Give them a list of ISPs who are already offering IPv6 to their customers, and who will therefore be picking up their customer base next year.
3) Give them the choice between a "MAC code" or an "IPv6 block".
If you don't want to be nice about it, do the same but don't give them the option of an IPv6 block.
Why would you need separate IPv6 addresses?
A small part of the IPv6 space has been allocated to correspond to the entire IPv4 address space.
So, if you have a IPv4 address then you already have a corresponding range of IPv6 addresses. E.g. see http://www.twibble.org/Articles/IPv6/6to4.
Of course, if the IPv4 addresses are static, then the IPv6 addresses are static, too.
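The 6to4 mapping referred to in the post above, as an added example that is not part of the thread: the 32-bit IPv4 address is placed after the 2002::/16 prefix to form a /48, and the IPv4 address can be read back out of any 6to4 address seen in a log. The sample uses documentation address 192.0.2.4; private and carrier-NAT addresses are rejected because 6to4 needs a globally unique IPv4 address.

```python
import ipaddress

# IPv4 ranges that are not globally unique, so no 6to4 prefix can be
# derived from them (a host in "10.x.x.x land" gets nothing from 6to4).
NOT_UNIQUE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                   # carrier NAT shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def prefix_6to4(ipv4):
    """Return the 2002:V4ADDR::/48 prefix that belongs to a public IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in NOT_UNIQUE):
        raise ValueError(f"{addr} is not globally unique; no 6to4 prefix exists")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))


def subnet_6to4(ipv4, subnet_id):
    """Return one of the 65536 /64 LAN subnets inside the 6to4 /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(prefix_6to4(ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def embedded_ipv4(ipv6):
    """Return the IPv4 address inside a 6to4 address, or None if it is not 6to4.

    Useful when a 2002::/16 source shows up in a log and the IPv4 address
    of the gateway behind it is wanted.
    """
    return ipaddress.IPv6Address(ipv6).sixtofour


if __name__ == "__main__":
    print(prefix_6to4("192.0.2.4"))
    print(subnet_6to4("192.0.2.4", 1))
    print(embedded_ipv4("2002:c000:204:1::25"))
    print(embedded_ipv4("2001:db8::1"))
```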
It's about the money people!
You know, supply and demand?
IPv4 is worth a LOT of money for a while now.
There is an entire economy surrounding IPv4 and how it's handed out.
IPv6 would not only single-handedly bring that to its knees, it would decimate industries that use that to make their money.
The fact there's no address space left is irrelevant, because money wins every time.
Scrambling for additional "unused" IPv4 space is viable, because you're only introducing small pockets of IP address real estate - even though it only really buys a bit of time.
You think the "Global Financial Crisis" was bad? You ain't seen nothing yet.
*EVERYBODY* is using internet pipes in some capacity for everything, if not just most things.
When those responsible for running the pipes hit the wall, till someone else takes over, *EVERYBODY* is going to see entirely missing or substandard communication conditions.
Those that pick up the pieces are most likely those larger ones who will end up monopolising the game.
Rationing IPv6 doesn't fix the problem it only enables the current problem to continue.
I'm not saying things HAVE to end up like this, but the fuckers who run the game have to acknowledge that making houses out of tree parts, in an emerging market that's using modernised baked clay bricks is a lost cause. They NEED to change.
And until they face that, we will continue to overpay for dwindling resources, before we stretch a commodity beyond something that's usable anymore.
Too many people
Not to mention the real problem is overpopulation. Less people means less IP addresses needed.
Okay, IP addresses are a man made resource but there's plenty of other finite resources that we can't just make more of.
The problem is the entire freaking industry waited until the absolute last moment to start IPv6 deployment. Right now there are many companies scrambling to deploy IPv6 and hopefully it will be ready somewhere before next year.
Long live IPv6! DEATH TO NAT!
NAT, while functional for residential networks, is one of the worst boneheaded ideas to get implemented by greedy ISPs. Most of the "cable ISPs" in Mexico are pimping their users, as they have ALWAYS used NAT, and serve only 10.0.0.0/8 addys to them. Want a real IP? That's an extra $300/mo matey!
One of the best things about IPv6 is that NAT is not supported, and will *never* be supported at all. The RFCs have seen to that. Fortunately, some content providers have been starting to provide AAAA registers for their sites; if the big ones start going IPv6 only, a lot of users will start demanding their ISPs for a switchover. Go!
Never supported at all?
LOL, don't be too sure of that. I can see some hacker implementing it simply to be contrary. Sure there is no such thing as a "local LAN IP" in IPv6, but that doesn't mean everything outside one single address can't just be redirected to the bit bucket at the edge router, and the rest of the "public" block you're assigned being turned into your own set of de facto unroutable addresses.
Only problem I have with NAT is it going further upstream than my router.
Sure there is no such thing as a "local LAN IP" in IPv6
There is 1 local machine IP though, ::1 and the IPv4 sub-subset perhaps, ::ffff:192.168.1.1 for instance - I'm guessing that IPv6 will inherit the "local LAN" reserved IP addresses from IPv4 and therefore there will never be any devices shipped with IPv6 addresses in that range.
Never say never...
> Sure there is no such thing as a "local LAN IP" in IPv6
Not out of address, out of allocations
Back in 1992 the decision was made to attempt to reduce the number of routes since a major vendor was always behind the curve. In 1993, AT&T built a router that could cope with 16 million unique routes. Had that been the direction that the *NICs had gone down, a small dual homed business could be given a useful /24 or smaller but now they have a /22 in most parts of the world even if they only use a few addresses.
It's no problem making a router that can take 16 million prefixes or more. Each prefix should take up less than 16 bytes so even my laptop could probably easily hold at least 50 million prefixes.
There's just one catch to a large table: The lookup time tends to stink. And remember that each and every packet crossing the router needs at least one such lookup. Many solutions have been tried with varying success, e.g. flow-based routing (a la NetFlow) or trie, but I would guess the most widely used solution is the TCAM approach.
This guarantees lookup times no matter what size, but TCAM is very very expensive. I'm certain that any major router vendor will gladly supply you with a TCAM based router that will hold 16 million prefixes, but it'll cost you...
small dual-homed business network manager here
Yup, we have a /24. We need about a /27, but route aggregation means you can't get a PI smaller than /24.
I have the form on my desk for a /48 (minimum PI for IPv6 from RIPE) which I'm fighting my way through at the moment. One of our upstreams does IPv6, and I'm going to lie and pretend we're going to be dual-homed on IPv6. We will be, I'm going to sit on my IPv4 only upstream and tell them they don't get a renewal without IPv6 - but I don't want to make the application take longer than it has to.
Very nearly all my networking kit will run IPv6, though my routers are creaking to stay default-free on IPv4, so I'm not looking forward to trying to cram another routing table in there.
I do want to go and drop a bomb on Microsoft for not getting IPv6 working on TMG. Especially with UAG/DirectAccess being IPv6 only. Their insane recommendation is to have a TMG box managing your outbound traffic and UAG for your inbound. Yeah, that makes sense.
Can I have a Ballmer with horns.
Once you get rid of the idea that you're going to look through routing tables to see where packets go and just pre-calculate all /24 routes, you only need 2 MB of RAM for a 4 port router for a bit map table and you can figure out where the packet is going to go before you even have all the packet.
The sky is falling!!
10/10 for your IPv4 stability and readiness, when publishers offer both IPv4 and IPv6
9/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only
Ooops must sort out my DNS, well I'm sorted so balls to everybody else.
If you're all in a froth and panic then just sign up with a tunnelbroker. I got a /64 to play with and after doing the tests on Hurricane Electric's site a free T-shirt too.
It really isn't the end of the world.
"It's the end of the world as we know it and I feel fine!"
On the day it all goes "kaflooey", I shall pack up a picnic, make my way up Parliament Hill in London and watch as the city explodes!
Everyone's had plenty of time to get IPV6 sorted and it's only home users and enthusiasts who've bothered. Come the day of retribution some smartarse will pull a load of NAT'd kit out his arse or they will get some horrendous amendment to the RFC to buy a little more time, until the whole system collapses under the weight of the sticky tape and blu-tak solutions put in place.
I was born in an age before the internet and I'm sure I could live for a few months without it, sure it'd be tough but I think I would survive slightly better than your average 16 year old! I'll just nip up to the loft and dig out my old Speccy for a little bit of keyboard hacking. Still think of the good side, with no internet connection, no virii, malware or pathetic emails purporting to be from Mr. Nngambo in Nigeria who is holding $750k in unmarked bills for me to pick up, subject to a deposit of $20k of course!
To play on the old classic, the end of the world will not be a big bang or even a whimper, but simply getting up one day and getting the message, "Unable to locate server XYZ. Please check network connection and try again.".