

ARIN down to 1.00 /8 – Akamai got 104.64.0.0/10 yesterday - Amfy
https://www.arin.net/

======
zaroth
I remember reading about full IPv4-space scans showing some fairly massive
blocks that were allocated but unused. As I recall it was well over 10% of the
overall space that could theoretically be reclaimed and redistributed with a
hand-wave.

Anything that gets IPv6 adoption to mainstream is a Good Thing, but more
likely we'll just start seeing the $1/mo/IP become $2/mo/IP, and upward... The
squeeze will just continue as people make more money off of it, and we'll
still need IPv4 addresses for compatibility with people running Windows XP in
2020.

~~~
nwh
Yeah, IPv4 is pretty much empty. Lots of companies own a /8 all to themselves,
like Xerox (13.0.0.0/8), Apple (17.0.0.0/8), USPS (56.0.0.0/8) and Ford
(19.0.0.0/8) to name a few. None of them allocate even the tiniest portion of
them.

~~~
zaroth
There are usage requirements for IP addresses now. I have to substantiate the
allocation.

I think if ARIN wanted to, they could give everyone a year to "substantiate
their allocation" and set the policy something like "companies must return for
reallocation any overallocations."

The risk of not returning an overallocation, well I'm not sure. ARIN certainly
has teeth, and companies should simply be expected to correct these huge
overallocations.

Just like the open source community comes together to solve serious problems,
if we as a community enforced an ethical standard and some key people stood up
and raised this as an issue, I'm willing to bet ARIN could replenish a stockpile
of IPv4 space.

So the question I'm asking is, since ARIN is empty, clearly they aren't
interested in keeping a stockpile of addresses. Why not? I guess the more
generous alternative is simply they have failed spectacularly at their stated
goal.

~~~
jlawer
I admit that I am not familiar with ARIN, but if it is anything like APNIC
(Asia Pacific) then those big Class A Allocations are protected as legacy
allocations. As such they are not required to give the legacy allocations up
and it's questionable if the RIR could even revoke them.

ARIN can go over the pool of post 1997 addresses they have allocated, but I
think you would find much smaller unallocated blocks.

------
martinflack
I work for Akamai and it's worth noting that we also do a ton of work around
IPv6: [http://www.akamai.com/ipv6](http://www.akamai.com/ipv6)

~~~
alexgartrell
Why did you guys need a /10?

~~~
muppetman
I'd love to know the justification for this too. SSL hosts is the only thing I
can think of.

~~~
zurn
Would be a shame since SNI appeared in browsers ~2007. IE 6 is hardly worth
wasting the Internet's last IPv4 space on.

~~~
vidarh
It's needed for Windows XP users regardless of IE version. Whether you care
about Windows XP users or not is another question..

~~~
toomuchtodo
Are we terribly concerned about supporting a 13 year old OS that is EOL'd by
its manufacturer?

------
dcc1
A lot of websites could use ipv6 to connect to a proxy/security provider such
as cloudflare which would output the site to ipv4/ipv6 end users with all the
other bells and whistles that cloudflare offers.

The end user then doesn't even know or care that the website he/she is using is
ipv6

btw does cloudflare support ipv6 only domains?

~~~
baudehlo
There are still some issues with HTTPS which need further roll-out to completely
solve this problem (i.e. not everywhere supports SNI yet), but yes, for a lot
of web sites this would work perfectly fine, and indeed is how many PaaS
providers work.

------
throwaway2048
Seems a little absurd that one company just got 1/4th of all remaining ARIN
ipv4 addresses when there is such an insane crunch looming, no matter how big
and important they are.

~~~
nemasu
I can't wait till subnets are a thing of the past with ipv6.

~~~
ams6110
Don't hold your breath. I think ipv4 will be around for a long time. With NAT,
there's really no shortage of numbers for many sites.

~~~
dvdkhlng
Haha, I'm laughing at that statement. You do realize that NATs merely extend
the address space by mapping connections to computers with non-public IPs onto
a uniquely identifiable port number? So depending on the average number of
concurrent connections operated per peer, NATs won't be able to extend the IP4
address space by more than, say 12 bits.

See also here: [http://serverfault.com/questions/502305/linux-networking-por...](http://serverfault.com/questions/502305/linux-networking-port-exhaustion)

~~~
abcd_f
Hahas are on you.

NAT does tuple mapping - src/dst addr/port and protocol. That is - two TCP
mappings can use the same local external port even if they go to the same
remote address, for as long as they connect to a different remote port.

~~~
lsc
This is true, but consider that while there are 16 bits of ports on both
source and destination, in reality, nearly all traffic flows to a very short
list of ports. Most connections, and connections are what matters here, not
total traffic, are going to have a port 80 or 443 on one side of the
connection or the other. So while I think 12 bits is too low, in practical
use, you aren't getting the 32 bits you think you are getting. Considering
source port restrictions, I think saying single-level nat extends IPv4 with
another 16 bits is not too far off. Of course, that is still a lot of IPs.

Of course, nat has a bunch of other pain in the ass problems, especially in
that if I want to be able to track abuse, I've got to log every new connection
(flow, whatever) that you make. When I get a complaint, I've got to match that
up to my logs, which can be goddamn difficult if the complainer's clock isn't
just right.

With static IPs it's way easier to track abuse, and I don't have to actively
log what you are doing, just who has what IP when, and because IPs stick
around a lot longer than connections, I'm way less vulnerable to clock drift.
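
The abuse-tracking difference described in the comment above, as an added example that is not part of the original thread: it matches one complaint against per-flow NAT logs and against static IP assignments, widening the time window to allow for the complainer's clock error. All records, subscriber names and addresses are constructed sample data, and TCP is assumed for every flow.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat
# Constructed NAT flow log: (start, end, subscriber, ext ip, ext port, dst ip, dst port)
NAT_FLOWS = [
    (T("2014-04-24T10:00:02"), T("2014-04-24T10:00:40"), "sub-a", "198.51.100.7", 40001, "203.0.113.9", 443),
    (T("2014-04-24T10:00:55"), T("2014-04-24T10:01:30"), "sub-b", "198.51.100.7", 40001, "203.0.113.9", 443),
    (T("2014-04-24T10:00:10"), T("2014-04-24T10:02:00"), "sub-c", "198.51.100.7", 40002, "203.0.113.9", 443),
]
# Constructed static assignments: (start, end, subscriber, ip)
STATIC_LEASES = [
    (T("2014-01-01T00:00:00"), T("2014-04-01T00:00:00"), "sub-z", "192.0.2.44"),
    (T("2014-04-01T00:00:00"), T("2015-01-01T00:00:00"), "sub-a", "192.0.2.44"),
]

def nat_candidates(ts, ext_ip, ext_port, dst_ip, dst_port, skew):
    """Subscribers whose flow has this tuple and overlaps [ts - skew, ts + skew]."""
    lo, hi = ts - skew, ts + skew
    return sorted({sub for start, end, sub, ip, port, dip, dport in NAT_FLOWS
                   if (ip, port, dip, dport) == (ext_ip, ext_port, dst_ip, dst_port)
                   and start <= hi and end >= lo})

def static_candidates(ts, ip, skew):
    """Subscribers who held this address at any point in [ts - skew, ts + skew]."""
    lo, hi = ts - skew, ts + skew
    return sorted({sub for start, end, sub, lease_ip in STATIC_LEASES
                   if lease_ip == ip and start <= hi and end >= lo})

def attribute(candidates):
    """Only a single candidate is an attribution; none or several is not."""
    return candidates[0] if len(candidates) == 1 else None

if __name__ == "__main__":
    # The complaint carries the complainer's timestamp, which may be off by some seconds.
    ts = T("2014-04-24T10:00:45")
    nat_tuple = ("198.51.100.7", 40001, "203.0.113.9", 443)
    for seconds in (0, 10):
        found = nat_candidates(ts, *nat_tuple, timedelta(seconds=seconds))
        print(f"NAT, +/-{seconds}s: {found} -> {attribute(found)}")
    found = static_candidates(ts, "192.0.2.44", timedelta(minutes=10))
    print(f"static, +/-10min: {found} -> {attribute(found)}")
```

With the external port reused 15 seconds apart, a 10-second tolerance already returns two subscribers, while the static lookup stays unambiguous with a 10-minute tolerance.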

------
spullara
Maybe they should have come up with a version of IPv6 that didn't basically
require both to exist forever.

~~~
Arnt
All the proposed variants required that. Some hid the requirement a little
better than others.

Some proposals were superset-like, so v4 and v6 addresses could ping each
other. But not all v6 addresses. As soon as the v4 space was used up, those
variants had to allocate v6 addresses that could not ping v4 addresses, so you
got a sneaking incompatibility. Worse: you'd never know for sure whether there
were any v4-only hosts left on the network.

Clean break or sneaking, what's your preference?

~~~
spullara
Clean break with the new protocol NATing the old protocol. IPv4 addresses not
behind the NAT are not accessible on the new internet. Exploit the asymmetry
inherent in services vs clients.

------
davidw
This seems to be a problem that markets will solve pretty well: as the
resource gets scarcer, the price will go up, meaning people will have an
incentive to use it more efficiently (selling unused address space), and/or
look for alternatives (IPv6).

~~~
lsc
The major cost of IPs is routing table bloat. Every time I announce a new
block, every router on the internet (that carries a full table) needs more
(very expensive) memory.

The size of the routing table has been growing faster than the cost of fast
router memory has been falling for some time now.

I mean, if you are only pushing a gigabit of traffic (and /maybe/ 10 gigabits,
especially if the packets are large.) it's not that big of a deal; you can use
dram and CPUs with large caches, and it's fast enough. But if you own a real
pipe and have to push 40 gigs, or really, even 10gigs of small packets, my
pair of vyatta routers on Xeons just isn't going to cut the mustard.

It's kind of a 'tragedy of the commons' because when I buy IPs, that money
goes to ARIN (or to the previous owner of those IPs) - none of that money goes
to all the router owners who have to pay for more fast router memory - even
though I'm costing those people money.

The problem with runout intersects with this. If I need, say, 4000 IPs, I can
get one /20, and occupy only one routing slot, or I can get 16 /24s and occupy
16 routing slots. From my point of view, from the point of view of the person
who owns the IPs, there really isn't much difference between one /20 and 16
/24s. But the rest of the internet has to pay 16x as much if I get 16 /24s.

~~~
davidw
So with a few rules, you can design a market that works pretty well:

[http://www.hbs.edu/faculty/Publication%20Files/09-091_0077c0...](http://www.hbs.edu/faculty/Publication%20Files/09-091_0077c048-67b7-4693-84bd-8ab4165104f5.pdf)

~~~
lsc
eh, they are aware of the problem, but their solutions are still centralized
ones; either preventing de-aggregation altogether, or making the end-user
justify the usage, presumably to some central authority.

I mean, it might work out okay; that's pretty much what ARIN does now. I'm
just saying, it's not exactly a market-based solution; that document proposes
a market in IP addresses, but it largely leaves the routing table as a
commons, even if it does propose to regulate that commons in ways that are
similar to the way it is being regulated now.

~~~
davidw
Like I said: markets are not perfect, but what are the alternatives? I think
it'll mostly work out ok: as prices go up, it'll push people to get serious
about IPv6 and other alternatives.

~~~
lsc
My point is that the most important resources (routing table slots) are still
allocated via informal central planning in your proposed scheme. And that
isn't unreasonable; usually if you want a functional market, you need
/something/ dealing with the externalities.

In the general case, sure, I like markets, too. It's just that markets deal
very poorly with externalities, and I want to make the point that the way most
people want to set up a market for IPs, routing table slots are externalities.

There is currently a process for selling IP addresses:

[https://www.arin.net/resources/transfers/index.html](https://www.arin.net/resources/transfers/index.html)

My understanding is that you give the previous owner enough money to make them
happy, then you satisfy the requirements that you would have had to satisfy to
get ARIN to give you the resources if you were requesting said resources from
ARIN directly.

------
ay
I am curious if this news affects how many HN readers who are involved in
product development are developing their products / websites with IPv6
support?

If maybe this helps folks managing news.ycombinator.com to click the button
and dualstack their site? (Being behind CloudFlare, it is really just a click
away, I am told).

~~~
bananas
We've been IPv6 entirely for about 3 years internally. Externally our peering
is shit and they don't do IPv6 competently at all.

We run Windows and Linux machines.

My ISP (Andrews and Arnold) in the UK give us IPv6.

~~~
nextw33k
Could you expand on the peering problems?

I was thinking of switching to either A&A or fido.net this summer as they are
the only ISPs in the UK that offer reasonably priced IPv6 broadband.

~~~
bananas
It's our DC not broadband connection. We have several peers in the DC but not
all are IPv6 and the level of competence is "variable". We had some techs not
able to understand IPv6 even from a basic level and one peer screw up our
routing.

A&A rock - no complaints at all.

------
tszming
If the certificate authorities can reduce the price of a SAN cert (multi-
domains on a single IP, not to be confused with SNI), I guess a vast number of
IPv4 can be saved, e.g. we host quite a number of client sites and we need
IPv4 for each site just for SSL.

------
exabrial
Ipv6 is still a terrible solution for so many reasons. Running out of
addresses wasn't and still actually isn't a problem, so stop pretending
like it is.

IETF should have taken a pave-the-cowpaths approach and cleaned up ipv4, not
created a huge incompatible ipv6 mess.

~~~
aidenn0
ipv6 is a terrible solution for many reasons, but running out of addresses
_is_ a problem, and the best solution available right now is ipv6

~~~
exabrial
sadly... you might be right. I wish there was a collaboration group to fix
ipv4 incrementally

------
aidenn0
Still no ipv6 address from my ISP at home :(

~~~
darklajid
Better than the abomination called Dual Stack Lite imo (which is what I got).

~~~
zokier
What's wrong with DS-Lite?

~~~
skrause
Carrier-grade NAT.

~~~
zokier
In case you haven't noticed, we are running out of IPv4 addresses. CGNAT for
v4 is inevitable one way or another. That is why we have IPv6. At least with
DS-lite there is only one layer of NAT, compared to full dual-stack which
usually implies two layers of NAT (CPE and CG). But all that shouldn't matter
that much when you have nice unobstructed end-to-end connectivity with IPv6.

