When will Microsoft next run out of US IPv4 addresses for Azure?

Microsoft's Azure cloud service occasionally runs out of US-based IPv4 addresses. Redmond 'fessed up to the issue in a blog post in which it says users have been asking it why, when they use Azure-hosted VMs, they find themselves redirected to websites localised for other nations. The post offers a screen shot …

COMMENTS

This topic is closed for new posts.


FAIL

IPV6 Foot Dragging Goes On Forever

This isn't amusing any more. It's time to catch up with the future.

27
4
Anonymous Coward

Re: IPV6 Foot Dragging Goes On Forever

Provided that IPv7 or IPv8 is under development, but I think that IPv6 is just terrible.

10
6
Silver badge

Re: IPV6 Foot Dragging Goes On Forever

Frankly, if it wasn't terrible, it would have been adopted ten years ago.

20
3
Silver badge

Re: IPV6 Foot Dragging Goes On Forever

IPv5 seems to be a forgotten disaster. IPv4 was a solid professional job, but everything since then has had a "student project" feel.

So yes, let's have an IPv7 that at least has some compatibility with v4 to enable a gradual transition.

4
3

Re: IPV6 Foot Dragging Goes On Forever

@Primus Secundus Tertius

This covers your rather odd post, and more http://programmers.stackexchange.com/questions/185380/ipv4-to-ipv6-where-is-ipv5.

@all others: Could someone tell me why IPv6 is looked down on by so many? I'm not a network guy.

1
1

This post has been deleted by its author

Re: @BlueGreen @Crazy Operations Guy

A lot of these things aren't quite problems or have been somewhat solved, some remain, but it isn't as bad as it would seem.

*You can't manually set a default route on most OSes (You need to enable Routing Advertisements)

Which OSes? I've been able to manually set default routes on Windows and Linux. Not sure about OSX but I'd assume it's possible as well. The one I did have problem setting up was with a particular Solaris box, which indeed required me setting up SLAAC/radvd.

*There are a bunch of other services needed on DHCP-based clients

Not sure what you're talking about here.

*Many ISPs don't support IPv6, which means you have to pay for a tunnel

There are free tunnel brokers, SixXS and Hurricane Electric at the least.

*ISPs that do support IPv6 will charge you an arm, a leg and your first born for IP addresses (usually a /64)

Some ISPs are giving out larger blocks. Sometimes a /56 or a /48.

* The smallest IP block you can use is a /64, so you need a new block for every network segment you have.

Agreed, while having /64 as a minimum is a "feature" intended to avoid having the IPv4 problem of "ISP didn't give me but one IP for my home network", if your ISP only gives you a /64 you'll need to ask for new blocks if you want to segment your network. ISPs would have to be forced to give out larger than /64 blocks then.

*No NAT, so rather than just needing a small block of external addresses and using chunk of the 192.168.*.*/16, 172.16.*.*/20 or 10.*.*.*/8, you now need a separate /64 for each piece you were planning on taking.

This is a feature. NAT was originally brought in because of the IPv4 address exhaustion. But the internet was never intended to have a zillion private addresses being hacked into a single IP on the global network and the protocols show it. NAT breaks a lot of stuff and the only reason we see it running smoothly at some places is because the gateways are keeping tabs on the whole NAT stuff. But some things won't work at all. IPv6 brought the "scoped addresses" concept, so your internal stuff can set up a private address space similar to the 10.0.0.0/8 and similar variants for internal equipment, and you don't need to dole out global-scope IPv6 addresses to boxes that aren't going to need access to the global internet.

Sure, it requires a lot of re-training on the security side of IT, but we have to realize that the current "NAT == Security" mentality is wrong and move on.

2
1
Joke

Re: IPV6 Foot Dragging Goes On Forever

"Could someone tell me why IPv6 is looked down on by so many?"

A ( little ) bit of El Reg humour. The reference is to Windows and how, allegedly, every second version is good/bad. IPV6 is NOT run by Microsoft but that is part of the joke.

0
0

>but also raises questions about why Azure is relying on Ipv4

Because (according to the quality of comments on articles IPv6 on el reg) network administrators don't like typing and are incapable of finding tools to make their lives easier or writing their own so they have slowed the uptake of IPv6 tremendously. If 90%+ of your users have no way to access your server via IPv6 you're going to need an IPv4 address too.

>and how Redmond let itself run out of IPv4 addresses.

Because there aren't any left. How many decades of people repeatedly saying that there simply aren't enough free addresses to scale to current and future demand does it take for the message to get through?

24
2
Silver badge

Many ISPs here (Germany) have been dual-stack IPv4/v6 for a few years and a couple have started putting new customers on pure IPv6 DHCP addresses.

Only businesses can pay extra to get a block of IPv4 addresses for their leased lines.

1
0
Silver badge

>>and how Redmond let itself run out of IPv4 addresses.

Well we shouldn't forget Microsoft (like many others) were late to the party so missed out on a free /8 or two allocation. Also MS haven't exactly acquired companies with large allocations in the same way HP have.

What this announcement tells me is that cloud infrastructure is such that there are design and operational reasons why NAT can't be used to any great extent.

2
0

..it probably could not foresee the need for quite as many addresses..

"640K ought to be enough for anybody."

20
1
Anonymous Coward

Perhaps

They should talk to Stephen Fry

19
1

Re: Perhaps

Well Apple is still fine... Could be because:

1) Fry is a fanboi.

2) Al Gore invented the internet and is on the Apple board. He looks after his buddz.

3) Apple own 17.0.0.0/8

5
0
Anonymous Coward

Re: Perhaps

Then why doesn't Microsoft use 169.254.0.0/16?

2
1
Silver badge
Joke

Re: Then why doesn't Microsoft use 169.254.0.0/16?

There, I fixed it for you - see icon.

2
2

just create a new .azure domain

and keep reusing the same old 10... addresses behind another bank of next-up routers

yeah, it's the same thing as a Stephen Fry joke, but has enough detail to prompt a meeting, so they can't do any real damage during that time

1
0
Black Helicopters

More BGP interception games

Do they understand how bad of an idea this is? Once an address is free from its geographical zone, it makes it impossible to tell if it is being routed all over the world for nefarious purposes.

5
2
Anonymous Coward

Re: More BGP interception games

Really? I deployed parts of my ARIN issued /16 all over the world. Are you saying that I should have applied to RIPE and APNIC for /16's (or more likely /20's)?

3
0

like all those local news videos coming out of ow.ly?

surely it could take down the net! film at 11 on WACK.TV

0
0

Re: More BGP interception games

Your /16 is supposed to be world wide. That is why it is a /16.

0
0

Personally....

I'd rather have the US address with my stuff stored in Brazil.

With the NSA freak-outery, an assurance the data is in USA really doesn't have much benefit.

14
0
Silver badge
Unhappy

Re: Personally....

No, to the average US punter the world outside the US is a big, scary place full of foreigners and their non-American ways. Having your stuff hosted in the US is, for them, like a security blanket. It might not be of any practical use but it keeps the bogeyman at bay.

For the rest of the world NOT having your stuff hosted in the US is a plus, probably as equally illusory, as who knows what the "security services" have got their fangs into?

Although having said that having a host located in Brazil is probably as good as it gets just now. Ask Dilma Rousseff why that should be.

10
1
Silver badge

It's not that simple for them to switch to IPv6

After all SCADA in the Cloud is a big market for Azure, most of such installations run on Azure. And SCADA systems are mostly legacy systems which are unlikely to support IPv6. And you aren't going to replace your industrial controller just to support IPv6.

2
1
Anonymous Coward

Re: It's not that simple for them to switch to IPv6

Solution: Charge more for an IPv4 address. They are a rarity so this can be justified, those that don't need them will go for IPv6 for costing, in a few years when you've moved enough onto IPv6 and lowered your IPv4 usage, you can lower the price to match for legacy systems and maybe throw in a loyalty bonus for those that did genuinely need IPv4 for legacy systems.

7
0
Silver badge

Re: It's not that simple for them to switch to IPv6

The SCADA world needs a big kick up the bum and anything that helps achieve that is good news.

Just clever enough to connect your nuclear power plant to the IPv4 Internet, not clever enough to use an encrypted connection or change the default password (or even make the default password changeable).

7
2
Anonymous Coward

Re: It's not that simple for them to switch to IPv6

"Solution: Charge more for an IPv4 address."

Better yet, charge a subscription for address allocations, with the cost increasing exponentially the larger the subnet and/or total number of IP addresses the company leases.

Those with massive ranges probably have deep pockets, or can sub-let them at cost to others that need them.

0
0
Silver badge

Suspicious

I think the packets just wanted to go and watch the footie

7
0
G2
Pint

throwing a big wrench

there you go... Microsoft throwing a BIG and PUBLIC wrench in the MAFIAAA's laughable claims that IP addresses can map always to a precise physical location. The new address space isn't even from the same general geographic area.

ROFL...

3
3

Re: throwing a big wrench

Sorry, wrong. MPAA et al. are not claiming third party geolocation databases can tell what house an IP is associated with (and they can't even in the best case), they're claiming the ISP's own records can. In this example, it would be like saying that Microsoft itself has no idea if a given IP corresponds to a VM in the US or Brazil.

0
0
Silver badge
Meh

Plusnet is apparently doing that as well although it seems to have got hold of some US addresses.

0
0
Silver badge

Three mobile broadband seem to also do it, which creates much fun - for a period recently all the ads were in Spanish...

0
0

Goes to show..

..that content-providers/websites should NEVER rely purely on IP address to tell them about location of a user or anything else (like if that user should be blocked etc.). Even more so since a single IP can have 100s of actual users behind it.

1
0

Confused about IPv6 vs. NAT.

I'm confused on IPv6 with regard to NATTING equipment behind a firewall.

From what I have read, IPv6 renders the 'need' for using router-based NAT as obsolete. The 192/24 172/16 10/8 ( & CIDR) private network concepts have been obsoleted, by some of the google/youtube research I have done.

The idea of my network hosts being publicly addressable seems like a bad idea to me. I might not be able to PINGv6 an IPv6 address over an IPv6 version of ICMP PING, but vulnerabilities appear all the time. (I'm thinking an IPv6 version of heartbleed).

I would much rather hide my equipment behind an IPv4 router that shields my equipment from hackers running port scans, than adopt IPv6.

I'm really looking for someone to prove to me that my concern is unfounded.

4
2

Re: Confused about IPv6 vs. NAT.

With IPv6 all hosts have a public address, but networks should still have a firewall, offering the same protection as a NAT firewall by allowing outgoing connections but not incoming.

6
0

Re: Confused about IPv6 vs. NAT.

You're confusing NAT with a firewall. IPv6 doesn't need NAT but you can still run a firewall on a gateway/router that drops unsolicited inbound packets. The only thing you miss out on with IPv6 is the absolute joy of configuring port-forwarding.

5
0

Re: Confused about IPv6 vs. NAT.

What it all really means is that because there are so many IPv6 addresses it's quite feasible for EVERYTHING to have an address from the public address pool, and theoretically be addressable from anywhere. This is unthinkable nowadays in the IPv4 world, hence the almost universal use of private address ranges. However there are private IPv6 address ranges too, and it would be possible for small networks to use these and have a single public address NATed, as per the current IPv4 method. The debate is whether this is necessary or not.

2
0

Re: Confused about IPv6 vs. NAT.

Unless your ISP allocates a public IPv6 range for all your devices you will have to use NATing and private addresses anyway.

0
1
Silver badge
Boffin

Re: Confused about IPv6 vs. NAT.

Unless your ISP allocates a public IPv6 range for all your devices

Most of them are doing. Either a /48 or a /56. My current ISP doesn't offer IPv6 (Plusnet just to shame them a little). My previous one did (IDNet) and they give you a /48. So I became responsible for 2^80 addresses. That is slightly more than I need for all the devices in my house :)

But network administrators be warned. If you currently only know about IPv4 you should train up ASAP. There's quite a few gotchas and apparent 'weirdness' about IPv6 that means it's not going to be just a matter of throwing a switch and sitting back.

For one thing no matter what I tried I couldn't get Windows configured with a static IPv6 address. Anything other than DHCP issued blew the entire stack (IPv4 as well). For my server I ended up disabling the dynamic public addressing (the one that recalculates itself periodically) and just used the MAC derived address.

Oh and the real fun bit - just because two machines can resolve each others names doesn't mean you've got DNS configured correctly.

5
0

Re: Confused about IPv6 vs. NAT.

If your ISP doesn't allocate you a public IPv6 range, they are doing it wrong and you should change.

Firewalling v6 is not hard - just drop all new incoming connections and use a stateful firewall to allow replies to outgoing connections on your router - you are now as secure as NAT ever made you.

The addition of privacy addressing means that a remote site can't realistically pin down your IP to a single machine as they regularly change too.

Just make sure you allow ICMPv6 - otherwise nothing will work quite right. Not that there's a good case for blocking ICMP on v4 or v6 anyway.

2
0
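The stateful IPv6 filtering described in the comment above, as an added example that is not part of the original thread: an nftables ruleset for a Linux router that drops unsolicited inbound connections, allows replies to outbound ones, and keeps the ICMPv6 types IPv6 depends on. The interface names `wan0` and `lan0`, the table name, and the assumption that the router gets its prefix by DHCPv6 are all constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: wan0 = ISP-facing interface, lan0 = internal.

table ip6 edge6 {
    # Traffic routed THROUGH the box (Internet <-> LAN hosts).
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections a LAN host opened; this state table,
        # not address translation, is what blocks unsolicited inbound.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may start connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors must get through or path MTU discovery breaks;
        # echo is allowed so hosts remain pingable for diagnostics.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # Everything else arriving from wan0 hits the drop policy.
    }

    # Traffic addressed TO the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisements replace ARP in
        # IPv6; dropping them stops the link from working at all.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 replies from the ISP (assumed address/prefix source);
        # they come from a link-local address and are not tracked as
        # "established" because the request went to multicast.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Management and local services from the inside only.
        iifname "lan0" accept
    }
}
```

Publishing an internal service means adding one explicit `accept` rule in the forward chain for that host and port, which takes the place of an IPv4 port-forward.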

Re: Confused about IPv6 vs. NAT.

Network Address Translation. If you have an IPv6 assigned, the "translation" you will be using is between your "physical" address and the internal "post office"... Instead of NAT, why not look into PAT... 65k+ ports... security by obscurity... If I am trying to "hack" your shit, I would need to be able to FIND your IPv6 first. And THEN I would need to beat on every door (port) until I find one that will respond to my advances...

I would reconsider your view of IPv6. Potentially it contains MORE security. One of the reason it has yet to be rolled out... It's REALLY hard to keep track of shit... (Said the NSA)... :)

Hack-On!

1
0

Re: Confused about IPv6 vs. NAT.

Strange... I was able to configure a static IPv6 on a physical machine. Not only that... It was a server box, running hypervisor, controlling four VR machines. One DNS, one a Mail server, a honeypot (for fun) that looked like my 2008r2 main. And a client...

After BEATING MY BRAIN AGAINST A BRICK WALL... All it took to make it work correctly, a secondary (physical) NIC that was addressed SOLELY to the VM side. That NIC was essentially "talking to itself" as well as a route configured to my PRIMARY NIC. Primary NIC routes to my gateway and "knows itself"...

(back when I did this, my professor almost popped an eye vein) I was the only person able to make everything "talk" and see everything.

I was INSTANTLY forced to help others try and understand what I was doing...

I STILL don't understand how to explain it... I am better at DO, not explain. ;)

4
0
Silver badge
WTF?

Re: Confused about IPv6 vs. NAT.

Strange... I was able to configure a static IPv6 on a physical machine. Not only that... It was a server box, running hypervisor, controlling four VR machines. One DNS, one a Mail server, a honeypot (for fun) that looked like my 2008r2 main. And a client...

Nice one. I dunno what the problem was. Click a couple of radio buttons and fill in some fairly obvious fields with information readily available. Only in my case it just caused the machine to lose all network access :(

That was particularly irksome on my server since it runs headless :-/

Anyway fixing the public address did the trick and eventually I even got gmail to send me mail over IPv6. Then I switched ISPs and now it's all academic.

1
0

and that forces you into their naming scheme?

actually, if FumbleNet slips you 50 IPv6 addresses and says have fun, you can still private 6000 machines behind one of them if you want. use one for web servers. one for mail. one for arranging those secret stock trades. and bank 46 of them.

0
0

Re: Confused about IPv6 vs. NAT.

"The idea of my network hosts being publicly addressable seems like a bad idea to me."

Then set up the filters of your site ingress and egress routers to DROP any datagrams addressed to the IPv6 nodes you want to keep on your private network. That is what happens for the 192/24, 172/16 and 10/8 addresses right now.

Also, just because you use NAT, does not mean your "internal" nodes are any safer!

0
1
Silver badge

Re: Confused about IPv6 vs. NAT.

>Most of them are doing. Either a /48 or a /56.

From other forums some ISPs are allocating a /64 for residential usage.

0
0
Silver badge
Stop

Re: Confused about IPv6 vs. NAT.

Also, just because you use NAT, does not mean your "internal" nodes are any safer!

Well it does. It's hard to attack a target if you don't know its IP address and even if you did know its IP address it's not reachable. Put it this way I'm happy to tell you that my laptop's IP address is 192.168.1.13 because there's nothing whatsoever you can do with that information. There is no way you can launch an attack against my laptop based on that knowledge.

But telling you its public IPv6 address (if it had one) gives you something to target. It gives you something to track.

Now sure you can determine my public IP address by looking at the packets I send you and that gives you an address to target. But that's my router. You still can't launch an attack against my laptop because unsolicited packets sent to my public IP address are just ignored. You could try to take control of the router but that's no more likely with an IPv5 NAT setup as an IPv6 setup. Probably less likely due to IPv4 only routers being older and simpler so fewer attack vectors.

So the only other option is to monkey with packets coming back as the result of requests my laptop makes. Now sure that's a risk factor without a firewall but still - NAT has eliminated the brute force 'barbarian at the gates' attack. It has made things safer. A firewall does even more good but NAT is better than nothing. A lot better than nothing in fact.

2
1
Silver badge

Re: Confused about IPv6 vs. NAT. @cynicalcsyan

Re: NAT and PAT

One of the advantages of the way NAT and PAT are implemented in many ADSL routers is that the PAT is dynamic, making it very difficult to effect an inbound connection to any system on my network unless an inbound translation rule for that specific system has been explicitly set up. I'm not sure how IPv6 can improve on this out-of-the-box security.

Obviously when dealing with enterprises and datacentres things aren't so simple.

1
0
Silver badge

Re: Confused about IPv6 vs. NAT.

That's the method I stumbled across some ages ago. And no, I haven't got a f---ing clue why it works. I keep beating my head against the wall until something vaguely works.

1
0
Boffin

Re: Confused about IPv6 vs. NAT. @cynicalcsyan

One of the advantages of the way NAT and PAT are implemented in many ADSL routers is that the PAT is dynamic, making it very difficult to effect an inbound connection to any system on my network unless an inbound translation rule for that specific system has been explicitly set up. I'm not sure how IPv6 can improve on this out-of-the-box security.

Set up the firewall to DROP (or reject) inbound connections. Only allow connections to whatever services you need outside connections for. Done! I suspect IPv6 enabled ADSL routers are already doing this anyway.

And in fact, this is what we should be doing in the IPv4 world anyway. NAT was a quick hack-fix because of IPv4's issues concerning private networks and the upcoming IPv4 scarcity.

0
0


Biting the hand that feeds IT © 1998–2017