One Step Closer to IPv6

gbjbaanb writes "IPv6 came a step closer yesterday as ICANN added IPv6 host records to the root DNS servers, reports the BBC. 'Paul Twomey, president of Icann which oversees the addressing system, told the BBC News website there was a need to start moving to IPv6. "There's pressure for people to make the conversion to IPv6," he said. "We're pushing this as a major issue." The reason for the urgency, he said, was because the unallocated addresses from the total of 4,294,967,296 possible with IPv4 was rapidly running out. "We're down to 14% of the unallocated addresses out of the whole pool for version 4," he said. Projections suggest that this unallocated pool will run out by 2011 at the latest.'"

Sad

Its sad to look at the list of class a allocations [iana.org] and know that we're almost out. All this was done before NATs became popular. I think ICANN/IANA should work on wrestling some of those class As back from companies like Ford, Apple, HP, etc. None of those companies are going to ever have 16,000,000 hosts on public IPs. I know some of those companies have already made sub allocations. We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.

I mean, if those companies complain, who cares. They wouldn't get such large and prestigious allocations in an IPv6 network anyways. So what's the difference.

I know, I know, we should move to IPv6 anyways. Just a suggestion. Poor initial planning warrants changes down the road.

Re:Sad

I completely agree with you. That is why I am going to pledge my entire allocation of the 10.0.0.0/8 network back to the IANA. As long as we ensure that it is reallocated properly, I think it will be a huge benefit for the Internet as a whole. For those of you who might control a part of or the entire 172.16.0.0/12 or 192.168.0.0/16 network, you might want to ask yourself this question: do I really need that many addresses?

Re:Sad

Didn't Bill Gates once say, "127.0.0.1 should be enough for anybody." Damn, he's always so short sited.

Re:Sad

I just hope that the guy who holds the 127.0.0.0/8 network never follows suit. All his hosts have the largest pr0n collection I've ever seen!

Re:Sad

We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.

130,000,000 / 4,294,967,296 = 3%

The article says we will run out of unallocated IPs by 2011. The unallocated pool is 14%. It is currently 2008. 2011 - 2008 = 3 years. What makes you think that reclaiming 3% is going to buy us 5 to 10 years?

Re:Sad

But 3% of 2011 is over 60 years!

Re:Sad

I'm ready to begin to add IPv6 to my network. 99% of my machines can support IPV6. There is no RFC1918 private space needed with IPv6 since there is so much space. I went to allocate space, but found out that I can't;

http://www.arin.net/registration/guidelines/ipv6_initial_alloc.html [arin.net]

Re:Sad

Thats 2^48 Internets!

Why would you want that? One of my staff sent me an Internet the other week, and it took three days to arrive! If everyone has 2^48 Internets, my staff's Internets will never arrive.

Just Like Oil

Just like how when we run out of oil, solutions will come along, when we run out of IP addresses, solutions will come along. The only problem is people don't get very motivated until we're really on the edge. I don't have much hope for IPv6 for another few years yet. Still, progress is progress.

Re:Just Like Oil

The Universal Service Fund is evidence enough for you. Billions of dollars of subsidies wasted as windfalls to stockholders. Your lack of faith is wise, and it's only being supported by the new broadband plan laid out by the president.

It would be nice to have a perfectly efficient method of coercion to force ISP's to actually spend their subsidies on broadband penetration, but no one in power seems to be interested. It's the same story as IPv6 up to now. ICANN seems to be taking the lead finally. Hopefully someone will follow suit in the broadband arena.

Re:It's a sham - the Internet is mostly dark

While I would love to agree with you completely as I believe ARIN is a bunch of tards (can't speak for the other registries). There are/were technical reasons behind the way IPs are assigned. Machines haven't always had 2 gigs of ram. Maintaining routing tables on a network the size of the Internet was a difficult task, which required aggregating networks at upstream links and all sorts of stuff in a desperate attempt to prevent every multihomed router on the Internet from needing a few gigs to hows the paths to various subnets and determine what path was the best.

Of course, time goes on, ram is cheap, and doing it now is somewhat easier, but it still requires ram and processing power, and that increases latency and cpu utilization.

For instance, assume that everyone was assigned address space in blocks of 256 address (class C) and had to show they utilized the address space before getting more as well as prove they continued to use it. Now assume that only half of the address space available was assigned. 2.1 billion addresses in use. Thats approximately 8.3 million class C blocks
allocated. I'm going to assume thats higher than what we have actually in use these days (not allocated, in use) but bear with me for reference purposes.

Now, for each packet you route, you have to search through those allocated blocks and find the one that contains the address you're communicating with. You also have to determine which path of the many you may have on your router is the best path to use based on number of hops to the destination (we'll pretend AS hops are real hops for simplicity), include other factors such as your internal weights for a route because its expensive for you to use the OC3 you have rather than the DS3 because you got a great deal on the DS3 but not so much on the OC3.

You've just spent a lot of CPU cycles trying ot figure out which path to use. Now ... do this on hardware from 10-15 years ago. Well, first off, unless your at a NAP 10 years ago, doing this would require expensive memory upgrades on your routers because most didn't have the ram required to deal with a such a routing table in the first place, now add in the processing increase your going to need because even though you can cache routes and deal with updating the cache only as the external paths change, it only helps so much because those external paths change a lot so your cache hits have to be revalidated more often than you think. God forbid you have a flapping connection, as I can tell you from personal experience, on many routers from 15 years ago, a flap of a line that relays BGP information resulted in a router that was busy for a few seconds dealing with the BGP changes unless it was a fairly high end router.

So ... the point to all that is, a lot of the way address space was assigned was because the hardware we had to work with 'back in the day' was only capable of so much.

Okay, so now we can do better, great! Lets readdress everyone ...

I'm not going to bother going into the complexities of re-addressing a large network, but its rather a pain in the arse and can cost a whole hell of a lot of money in IT resources. So when you look at the big picture and think, 'well, I can readdress now and help deal with the problem and then have to eventually switch to the new protocol (for now, IPv6) eventually anyway OR I can wait till everyone has to switch to the new protocol because of this problem and only do it once'

It makes more sense to wait and do it at once, save yourself some money, deal with it when everyone else does, and deal with the least amount of work you can until that time. And ... this is how businesses make money, but not doing extra work they are just going to have to do again later if they can prevent it.

Of course, on that same note, there are plenty of businesses which don't exist yet that will make a killing off the scare of running out of IPv4 address space and the switch

Re:It's a sham - the Internet is mostly dark

You are an exceptionally bad engineer, coder, thinker, and internet citizen.

The sad part is, most of the IP addresses in question are... dark. Nothing there. Even though we're approaching 85% allocation, utilization is probably around 1-2%. No, I'm not kidding.

And you have ANY hard data to back that up ? No. Others are trying to come up with better metrics (http://www.potaroo.net/tools/ipv4/index.html is exceptionally verbose), but you ? You are not kidding about thinking that it maybe probably is around 1-2% ... Wow.

Try it yourself - hack up some script to randomly generate IPs and then ping sweep the network blocks. You'll probably be quite surprised at the result.

Bzzzt. No, I would not be -- nor should anybody be. First of all, it's not a requirement for every address to be routable to (and you can check that much better by looking at what percentage of prefixes are actually advertized). Second, many, MANY hosts and networks are behind firewalls, intrusion detection & response systems, etc. -- a "simple pingscan" can easily land you in a black hole at the network border after a couple of pings -- if access to those machines is even allowed from your network. Sure, in consumer broadband connections you don't often have such firewalls restricting inbound access, but that's not the "entire internet". Hell, go ping amazon.com and see what you get back. Nada, that's what.

A while back, I wanted to have a way to detect if a host was "offline" so that it could modify its behavior. (EG: halt outgoing SOAP requests if the server's network connection was disrupted, preventing bogus error messages from entering the system)

A problem many others have faced and solved before you.

My first thought was to randomly generate 10 IP addresses, then ping them to see if they were offline, guessing that at least 50% would respond.

Accounting for the different classes of addresses, unroutable space, bogons, etc. in that random calculation would be more work than the result is worth, especially seeing as how the state of netblocks can change over time. I wonder, why was your first thought to crap out (at least) 10 packets to the net that really are not needed ? What possible reason could there be for you to automatically ping a cellphone in Singapore ? Just imagine everybody doing this, just to check whether they are "online" ... How about choosing some well-known addresses (such as one of your own servers in a different locale, or possibly "well-known" servers that you know will respond and that don't mind a ping from you every now and then ... Not only do you get a 100% response rate when everything is working correctly, you also forego abusing bandwidth in remote locales you are not at all interested in.

Basically, none did. So, then I tried randomizing addresses and keeping a list of only those that had, at one time, responded. Even that turned out to be unfruitful.

You know, while still a bit dickish, it might have occured to you that most of {a-m}.root-servers.net do reply to ping or DNS requests. So do, in all likelihood, a router in your upstream, or DNS resolvers you know about. Instead, you now latch on to addresses that respond. The cellphone in Singapore, for instance.

So finally, I took a dictionary and randomly created domain names from 1-2 normal dictionary words, pinging those, and keeping a list.

Ah. So now that flooding ICMP out to the net is not enough, you have to litter it with bogus DNS requests the reply to which you are not really interested in. Again, imagine EVERYBODY doing this. Why not pick 10 known domain names and always ping those ? At least the results will be cached, and you may even choose ones whose owners you know and can ask whether they mind to be flooded with icmp every now and then.

That yielded some 40% usable responses, allowing me to keep a list of fairly

Re:Just Like Oil

Offtopic, but---

It simply doesn't follow that Co2 levels haven't ever been this high. That Co2 that we are generating; you know, from fossil fuels?

Where do you think it was before it became fossilized?

http://www.geocraft.com/WVFossils/PageMill_Images/image277.gif [geocraft.com]

For most of the current Cenozoic era, Co2 levels have been *higher* than they currently are. The *only* possible issue with "global warming" right now is whether or not the rapid rate of change in Co2 levels will be damaging, not the absolute level of Co2 in the atmosphere.

For example, during the Jurassic period, Co2 levels were at 1800 ppm. During the Cambrian period, Co2 levels were 5000 ppm. Currently, Co2 levels are at 378 ppm, and even if we burn ALL known sources of Fossil Fuels it is unlikely we will drive that above 900 ppm or so.

My home network allows over 10M hosts

Sadly, it can't Talk dirEctly to my Next-DOor neighbor, who runs an equally large neTwork.

more the story

The only justification you ever hear for moving to IPv6 is address exhaustion in IPv4. There's a lot of other stuff built into the protocol that will make the net a much better place. Even if IPv4 had the same amount of addresses as IPv6 it would still be worthwhile to switch. Just give this a once over for an introduction

http://en.wikipedia.org/wiki/Ipv6#Features_and_differences_from_IPv4 [wikipedia.org]

I don't expect much to change

ISPs see the limited IPv4 address space as a revenue stream. Many of them charge almost double for the privilege of getting a fixed public IP address. They don't have to spend money on a lot of scarce IP addresses themselves since they can always stick their customers in NAT ghettos.

They're not going to be very eager to give up their position as a gatekeeper of a limited resource just so their customers can frolick in a vast address space for free. Since most of them operate in a monopoly or duopoly situation, the proverbial "free market" won't force them to move off IPv4 either.

Re:I don't expect much to change

Exactly... Expect 'cheap' accounts to be allocated within a 10.x.x.x net long before an ISP thinks of implementing ipv6. They'll probably pitch it as a security feature ('let us control the firewall for you! Surf in safety! Only $10/month!').

If a user wants a public IP. That's more cost. If they want a *fixed* IP.. go talk to the business services manager over there.

If they do implement ipv6 it'll be done the same way. 1 ipv6 address per account (ipv6 NAT exists and has done for a while). If you want 8 of them that's more cost. If you want more than 256.. see that guy in a suit waving? Go hand him your chequebook.

And before anyone says 'but but we'll all get 16 million addresses!'.. yeah, over the rotting corpses of every major ISP in the world.

Peak IP?

Have we reached Peak IP?

IP6 won't matter til Google supports it

Wake me up when I can pull up the main page of Google using nothing but packets with IP6 headers.

That means that I can do a DNS query using nothing but IP6 packets - NOT IP4 packets.
That means that I can do an HTTP transfer from Google's servers using nothing but IP6 packets - NOT IP4 packets.

Hell, wake me up when there's a AAAA record for Slashdot.

This is a *baby* step towards IP6 being useful.

Re:IP6 won't matter til Google supports it

This is a *baby* step towards IP6 being useful.

Yup. The thing with first steps is that you have to do them in order to make the second step (obviously), but then you can make a third and fourth steps. Next thing you know, you've got to where you were going.

Now Google can register an AAAA record, do you think they will? If they couldn't register one, do you think they would?

Re:IP6 won't matter til Google supports it

This is actually a very important step towards what you want. About two-thirds of the TLDs have authoritative servers which are reachable over IPv6. There's a complete list at my blog - http://www.personal.psu.edu/dvm105/blogs/ipv6/2008/01/ipv6-dns.html [psu.edu]

So you can query the root and .com DNS servers using IPv6. If you want Google to be reachable over IPv6, go talk to Google. Everything higher in the tree is IPv6-enabled now. And Google has an IPv6 allocation from ARIN - they got a /32 2005 - http://ws.arin.net/whois/?queryinput=!%20NET6-2001-4860-1 [arin.net]

I agree that there isn't much content on the IPv6 internet now. So if you want it, yell at the content providers.

Consumer router support

I've been waiting a while for Netgear, Linksys and that crowd to add 6to4 support to their home NAT routers as a way to help jump start IPv6 adoption. There would be no security issue if incoming connections were blocked by default and people could turn it off if they didn't want it. But 6to4 can be set up automatically by any machine with a publicly routable IPv4 address.

Well, I'm happy to say that my wait is finally over. They didn't make a big deal about it, so I don't know exactly when they did it, but Apple added that support to their Airport Extreme. So now when I go anywhere that has one of those, I can directly SSH into those inside machines that I've opened ports for without undue muss or fuss.

Apple has been a stalwart supporter of IPv6, from my observation. It's been possible to use AFP file sharing over IPv6 since at least Tiger and the built-in VNC stuff works over IPv6 too (though there is a naming lookup bug that requires you to connect using the IPv6 address literal if you use the command-K "Connect to" dialog).

So, Netgear and Linksys, what's holding you guys up?

I get a surprising number of IPv6 hits...

I get a surprising number of IPv6 hits on my webserver at home. Most of these appear to be XP or Vista boxes with Internet connection sharing turned on that automatically assign themselves a 6to4 [wikipedia.org] addresses when they have an interface with a public IPv4 address.

IPv6 with 6to4 is easy to set up, and I'd recommend it to anybody who has a static IPv4 address. You can use NAT-PT [tomicki.net] so all your IPv6 hosts can still get to the IPv4 network. If you have a couple of DNS servers, you can even set up reverse DNS for your IPv6 network just the way you want using this nice web interface [nro.net] from the NRO [nro.net].

I maintain some good links to stuff about IPv6 on del.icio.us [del.icio.us].

I hate NAT. And I think IPv6 can be just as secure. Partly because a 64-bit address space is really hard to effectively randomly probe working addresses and partly because it's fairly easy to configure a firewall to not allow incoming connections.

Re:Great, IPv6, an insecure protocol

Lest anyone think this jackass is correct:

IPv6 barely supports firewalls or NATs, allowing any Joe Sixpack to see what your secured corporate network topology is like from anywhere.

It is not up to the protocol to support the hardware. And anyway, all good firewalls support IPv6 already. NAT? It's there if you're dumb enough to want it.

It also does not support reserved IP blocks... change ISPs, and you are forced to re-ip your whole network.

Step one: update your router to the new netblock.

Step two: sed -i'' 's/^old:net:block/new:addr:ess/' db.mydomain.com; rndc reload

Step three: laugh at people who go around changing ISPs all the time.

Of course, IPv6 has -zero- hooks for IP level encryption, so this has to be handled at the trensport or app level.

If only it support IPSec [ipv6.com], "the goal of [which] is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." Oh, wait...

NAT Sucks

NAT is, well, better than nothing, which, currently, is your alternative. But I'd hardly call it an "elegant and awesome solution". IMO, ultimately, NAT sucks because you *do not have a globally routable address* for devices in your network. Sure, that gives some security benefits, but makes it a PITA when you do want to open connections directly to a computer or consumer electronic device in your network.

A few reasons you might want to have a public address inside your network:

* Direct VOIP telephony (SIP, Skype, various instant messenger clients, run a TeamSpeak Server), etc

* Running game servers, web server, mail server, etc

* Remote access (VNC, SSH, etc)

* Direct file transfer with a friend (I've, from time to time, run into problems with things like instant messenger client based file transfers not working behind a NAT - though they do seem to have somewhat alleviated that problem - I suspect by routing my file transfer through the IM network instead of directly to the other person), or P2P file sharing systems, like Bittorrent - yes, they can usually work behind NATs; but they work better if direct connections could be more easily made).

Yes, yes, I know about port forwarding. That's fine and dandy as long as you only have a single device per port that you want to allow incoming traffic to. Ultimately, IPv6 is a much better solution to the problem of address space limitations than is NAT. NAT usually requires software to do ugly hacks to get around the limitations of only allowing outbound connections. A simple firewall with every device having a global address is a better solution, because then I can open up as many ports to as many devices as I like, without having to worry about only allowing one device per port.

I've had a number of times where I've been extremely frustrated by NAT. Often times, if software isn't explicitly written with NAT in mind, and the problems it creates, then it won't work well in a NAT'ed network.