
The Ripe NCC Has Run Out of IPv4 Addresses - cnorthwood
https://www.ripe.net/ripe/mail/archives/ripe-list/2019-November/001712.html
======
souterrain
I’m in the ARIN region. Two things:

1. My home has Verizon fiber. No native IPv6. I have a tunnel for this, but
such solutions aren’t going to work for the masses. The other in-region
residential provider, Comcast, has great native IPv6 service, but had layer 2
performance issues versus price.

2. At $dayjob I just ordered a circuit from Level3/Centurylink for a branch
site. No IP justification form was required if I needed only IPv4 /30. But
for dual IPv4 /30 + IPv6 /126, I was required to provide written
justification. Shouldn’t this be the other way around? Unencumbered IPv6 for
all, with paperwork for IPv4?

EDIT: these are not site allocations, just point-to-point link addresses,
hence the /126. Still, I’m being asked to justify IPv6 but not IPv4.

~~~
q3k
> IPv6 /126

Uh, unless you're running BGP over this or getting a larger subnet statically
routed to you, get a larger prefix. A /48 or /56 is the current recommendation
[1] for business end site allocations.

[1] [https://tools.ietf.org/html/rfc6177](https://tools.ietf.org/html/rfc6177)

~~~
souterrain
Of course, this is just a “point-to-point Ethernet” not an allocation.

That said, I think the original intent was that such “point-to-point
Ethernets” should have been issued /64, but seems /126 is common practice.

~~~
colechristensen
Comcast gives out /64s at least. I got my router to successfully ask for 2 on
different interfaces.

~~~
drbawb
Same story on Spectrum. On their residential plans they will give out a /64 by
default. However w/ DHCPv6-PD I was able to successfully request a /56. What
I found mildly interesting was they wouldn't allocate a /60. (My guess was:
whatever silicon they've got pushing IPv6 packets around probably likes
segmenting the routing table on a clean byte boundary.)

------
amingilani
There are five regional internet registries (RIRs), and Ripe NCC is one of
them. Here's a map of which services what region[0]

Does this mean we've finally run out of new allocatable IPv4 addresses with
the RIRs?

[0]: [https://en.wikipedia.org/wiki/Regional_Internet_registry#/me...](https://en.wikipedia.org/wiki/Regional_Internet_registry#/media/File:Regional_Internet_Registries_world_map.svg)

~~~
eb0la
ARIN (North America) and APNIC (Asia-Pacific) ran out of addresses some time
ago (2015 I guess).

Game over IPv4.

~~~
jandrese
All it means is the free lunch is over and people have to start buying their
IPs off of an informal market.

Theoretically we could have transitioned to IPv6 instead and avoided this
hassle, but too many incumbents are dragging their feet on the whole IPv6
issue.

~~~
tgvaughan
Do any of these incumbents stand to gain financially from IPv4 scarcity?

~~~
snuxoll
Yes, Residential ISP's can sell or lease their space to AWS, etc. for example
and just start moving their customers over to CGNAT. Why bother upgrading your
entire network, planning allocations, etc when you can just NAT everyone for
cheap?

~~~
freedomben
Can confirm this is happening. If you're lucky enough to have a choice in ISP,
there are a few that won't CGNAT you. I pay a little extra for this ($10 a
month) but it's worth it for me. Ask your ISP if that sounds interesting.

~~~
flatiron
Is that really a feasible long term solution though? I require port forwarding
and also work from home so require my service not get blocked due to some
spammer on my block.

~~~
wlesieutre
I’m sure your ISP would love to sell you a business connection for 3x the
price

~~~
wongarsu
This honestly sounds like a perfect case for a business connection. Not only
does it give you a static IP without NAT, possibly in an address block with
other high paying (==reputable) people, it also bumps you up a lot in terms of
customer service and service availability. Usually the first two questions in
an outage are "how many customers are offline, and are any business
connections impacted".

~~~
nybble41
That assumes the ISP is willing to run a business connection to a residential
address. Not every ISP will, especially if you're just a home user with
special requirements and not an actual business.

------
ndmrs
And yet my ISP still doesn't support IPv6...

Until something forces the transition nothing is going to change.

~~~
maltalex
Why are you, as a consumer, interested in switching to IPv6?

~~~
superkuh
Because adoption of ipv6 allows everyone to be an equal on the internet again.
Right now half of the computers hooked up to the 'net aren't even given a
routable IP address. They're behind carrier NAT unable to participate like a
real computer. They can't use protocols, they can only consume third party
services over HTTP/S for the most part.

If everyone is routable it cuts the gordian knot in the "What kind of content
should be allowed on our platform?" question by allowing everyone to simply be
their own platform. If ipv6 gets adopted fast enough it might just save the
'net from being just a more privacy invasive form of television.

~~~
jacquesm
NAT is a poor person's firewall, and even if everybody were to switch to IPV6
I believe that NAT'ing would be here to stay. There are lots of disadvantages
to sitting behind a NAT but the positive part of it is that it actually does
have some security benefits. I used to absolutely hate NAT but over the years
I've come around a bit, and UPnP made it bearable from a tech point of view.

~~~
ATsch
This is completely incorrect. While NAT is almost always combined with a
stateful firewall, the NAT itself does not provide any security.

Home devices are always going to be deployed with an allow outgoing, deny
incoming firewall, regardless if they have IPv6 or not. They are identical in
terms of security.

~~~
gregmac
> NAT itself does not provide any security

This is just arguing semantics. It's not "NAT itself", but a side effect of
using it is that it requires deliberate effort to allow inbound connections to
get to devices behind the router. This has many of the same _effective_
security benefits as a firewall blocking inbound connections does.

Another way of saying this: the companies that make cheap, crappy routers can
do the absolute bare minimum and not end up exposing internal devices to
inbound internet traffic. So NAT provides security against the cheap, crappy
router manufacturers.

With IPv6, the opposite is true: The router manufacturer has to do deliberate
extra effort to block inbound connections, beyond just making the router
"work". Will most router manufacturers do this extra effort and include a
properly-configured firewall? Probably yes, especially if they don't want to
get a terrible reputation for being insecure, which would (hopefully)
eventually drive them out of business.

Will absolutely 100% of them always do this properly and never make a mistake?
I wouldn't bet on it.

~~~
nybble41
> It's not "NAT itself", but a side effect of using it is that it requires
> deliberate effort to allow inbound connections to get to devices behind the
> router.

Unless your router has UPnP port forwarding enabled—as most home routers do by
default, since popular apps require it—in which case any device can open a
hole in the firewall for whatever incoming traffic it wants. In this scenario
NAT provides no additional protection beyond what the client device could
provide for itself by simply not accepting incoming connections. To get
security from a NAT setup you need to disable UPnP and manually configure any
required port forwarding, which is at least as much effort as properly
configuring an IPv6 firewall.

The right solution IMHO is to have a separate LAN/WLAN/VLAN for the untrusted
IoT devices which rejects _all_ inbound connections from the WAN (no UPnP
support) as well as all _outbound_ connections to the main LAN. Outbound
connections to the WAN for updates or cloud-based control are permitted but
logged; inbound connections from the main LAN are also permitted, to control
the IoT devices locally. For the main LAN the router should only perform basic
filtering for malformed or misrouted packets—ones with an external or
multicast destination address or an internal source address, for example.
Apart from that, devices on the main LAN are expected to handle their own
security. Laptops, smartphones, tablets, and other mobile devices are already
required to handle this since they are routinely connected directly to
untrusted networks.

~~~
dboreham
In my experience upnp is no longer enabled by default (because: not secure).
UDP hole punching usually works though.

------
oefrha
[https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_addre...](https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks)

Honestly stupid that USDoD controls at least 13/256 of all IPv4 addresses.

It seems some entities, e.g. IBM and MIT, have returned (sold?) their /8s to
their RIRs though.

~~~
kevin_thibedeau
It is their network.

~~~
northrup
It’s the public’s network, funded by tax payer money. The fact that they KNOW
that they are global targets for cyber attacks and maintain so SO much
publicly routable area is beyond irresponsible. Even more irresponsible is I’m
positive their IP addresses are hard coded in some of those old systems.

~~~
kevin_thibedeau
The DoD has its own private internet. Anything truly important isn't exposed
to the public.

------
questionasked
Unbelievably, github.com and reddit.com _still_ don't have ipv6 addresses.

~~~
alienth
We (reddit) were blocked by AWS on this until 2017 or so. Since then it's
mostly been an issue of reworking internal tooling and storage. There are a
huge number of places we'd need to futz with to support IPv6, and to be honest
we've had basically zero pressure to do so.

When pressure is zero and effort is high, things will go unchanged. I'm sure
once pressure exists then some movement will occur. It seems most of the
industry is doing everything they can to put off incurring pressure, though.

~~~
commandersaki
Thanks to CGNAT we have shifted from a 32-bit to a 48-bit address space (since
the port is now part of the address).

Ipv6 really only serves to shed load off CGNAT since we rely on the continued
use of v4 addresses since v6 is not interoperable with v4.

But why should Reddit support v6? For the greater good of v4 by reducing
pressure of CGNAT for dual homed users. But wait, who are the dual homed users
you may ask? Mobile users. And it will only be mobile users since
autoconfiguring residential networks to dual home is not going to happen. But
Mobile carriers have full control of addressing and TCP/IP configuration of
handsets, and so they can easily deploy usable v6.

So the smaller sites shouldn't bother with v6 because they're not an essential
part of the Internet with large traffic. But a site like Reddit can reduce
enormous pressure for mobile carriers to deliver use of the Internet.

------
ejbam
We ran out of IPv4 addresses again. How many times has this happened this past
decade?

[https://news.ycombinator.com/item?id=2174992](https://news.ycombinator.com/item?id=2174992)
9y

[https://news.ycombinator.com/item?id=4480532](https://news.ycombinator.com/item?id=4480532)
7y

Looking forward to the next time we run out of IPv4 addresses.

~~~
p1mrx
Your first link was when IANA allocated five final /8s to the RIRs, including
RIPE. Your second link was when RIPE reached their final /8, and switched to a
"one /22 per company" rationing policy. Today, the rations ran out.

------
yyyk
Ripe NCC has run out of address it will give for almost nothing.

I checked, and IPv4 address price is somewhere between $20 and $30[0]. It's
not so bad given it's a one-time buy - and using cloud services de facto
creates a situation where the buying is in bulk.

The real shortage will start when prices reach $170 I guess? Should take a
few years...

[0] [https://ipv4marketgroup.com/broker-services/buy/](https://ipv4marketgroup.com/broker-services/buy/)

~~~
ben509
No, as prices increase, the economic justification of switching to IPv6
increases. Businesses will watch the inflation and when their IPv4 bill gets
high enough, they'll pay someone to fix their systems.

Not only will no shortage occur, but the upgrades will be performed for the
least cost possible. This is the kind of resource allocation problem that
markets solve optimally.

~~~
yyyk
I was referring to 'shortage' as 'sufficient scarcity so as to make people
switch to IPv6'. However, you're completely correct given the literal meaning
of 'shortage' (hence upvote).

There won't be a situation where a business will not put up a site due to lack
of IPs, they'll switch if/when they have to.

------
jannes
My ISP-provided router supports IPv6, but I've disabled it because I don't
feel like setting up a firewall for all those poor devices on my network.

Are there any guides for how to properly secure a home network so that I can
re-enable IPv6 with a clear conscience?

~~~
q3k
> Are there any guides for how to properly secure a home network so that I can
> re-enable IPv6 with a clear conscience?

    # Default-deny forwarding (REJECT is not a valid chain policy; DROP is)
    ip6tables -P FORWARD DROP
    ip6tables -F FORWARD
    # Allow new flows out to the WAN only from your own delegated prefix
    ip6tables -A FORWARD -o wan -s 2a42:.../64 -j ACCEPT
    # Allow return traffic for flows already in the state table
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Literally the same as for IPv4.
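As an added example that is not part of any post in this thread: a small Python model of the stateful IPv6 forwarding policy sketched above, extended with the LAN/IoT-VLAN zoning nybble41 describes earlier in the thread, so the rule interactions can be checked without touching a live router. The 2001:db8::/32 prefixes, the zone names and the `lan_default_deny` switch are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

# Constructed prefixes standing in for two /64s carved out of a delegated /56.
ZONES = {
    "lan": IPv6Network("2001:db8:1:1::/64"),   # trusted main LAN
    "iot": IPv6Network("2001:db8:1:2::/64"),   # untrusted IoT VLAN
}
MULTICAST = IPv6Network("ff00::/8")

# New flows permitted per (ingress zone, egress zone). Not listed, hence
# dropped: wan->iot, iot->lan and, unless lan_default_deny is False, wan->lan.
POLICY = {("lan", "wan"), ("lan", "iot"), ("iot", "wan")}


@dataclass(frozen=True)
class Packet:
    in_zone: str        # zone of the ingress interface: "wan", "lan" or "iot"
    src: IPv6Address
    dst: IPv6Address


def pkt(in_zone, src, dst):
    return Packet(in_zone, IPv6Address(src), IPv6Address(dst))


def zone_of(addr):
    """Map an address to the zone owning its prefix; anything else is WAN."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


@dataclass
class Router:
    # True: q3k's posture (drop all new inbound flows).
    # False: nybble41's posture (LAN hosts defend themselves, router only does
    # bogon filtering for the LAN while the IoT VLAN stays default-deny).
    lan_default_deny: bool = True
    state: set = field(default_factory=set)    # conntrack stand-in: (src, dst)
    log: list = field(default_factory=list)    # IoT->WAN flows are logged

    def sane(self, p):
        """Basic filtering for malformed or misrouted packets, applied first."""
        if p.dst in MULTICAST:
            return False                       # multicast is never forwarded here
        if p.in_zone == "wan":
            # Inbound: external source, destination inside one of our prefixes.
            return zone_of(p.src) == "wan" and zone_of(p.dst) != "wan"
        # Internal ingress: anti-spoofing, source must match that interface's /64.
        return p.src in ZONES[p.in_zone]

    def forward(self, p):
        """Return 'accept' or 'drop' for a packet the router would forward."""
        if not self.sane(p):
            return "drop"
        if (p.dst, p.src) in self.state:
            return "accept"                    # ESTABLISHED/RELATED equivalent
        pair = (p.in_zone, zone_of(p.dst))
        lan_inbound_ok = pair == ("wan", "lan") and not self.lan_default_deny
        if pair not in POLICY and not lan_inbound_ok:
            return "drop"
        if p.in_zone == "iot":
            self.log.append(f"iot->wan {p.src} -> {p.dst}")
        self.state.add((p.src, p.dst))
        return "accept"


if __name__ == "__main__":
    r = Router()
    print(r.forward(pkt("wan", "2001:db8:1:1::10", "2001:db8:1:1::20")))  # drop: spoofed
    print(r.forward(pkt("iot", "2001:db8:1:2::5", "2001:db8:ffff::1")))   # accept: logged
    print(r.forward(pkt("wan", "2001:db8:ffff::1", "2001:db8:1:2::5")))   # accept: reply
```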

~~~
Wheaties466
Why do I get the feeling that some home routers won't NAT or have the
established/related rule by default for ipv6.

~~~
q3k
I don't know. I've never seen misconfigured/insecure v6 CPEs in Europe. But if
you're bringing your own device, all bets are off of course.

This makes sense, considering ISPs might not want to deal with a ton of pwned
devices that are now part of botnets.

------
zamadatix
[https://ipv4.potaroo.net/](https://ipv4.potaroo.net/)

------
beagle3
I hope all home provision moves to CGNAT IPv4; IPV6 are too easy to track, and
every ISP that I've seen ties the prefix to the customer.

Who cares about cookies, 1st party or 3rd party, when you have a unique ~60
bit per customer identifier?

My ISP gives un-natted IPv4, but I get a different one each time I reboot the
modem, which I do every now and then.

------
big_chungus
I wished IPv6 could be memorized. I can rattle the addresses of all the
devices in my home network off with ease, but have trouble remembering a
single IPv6. The "just use DNS" answer isn't a good one; stuff sometimes
breaks, and it's much harder to fix when I've got to look everything up.

~~~
htns
Think of it as memorizing 4 IPv4 addresses.

~~~
Avamander
In many cases big parts of the address are zeros, so it might be only one
"IPv4" address one has to remember.

~~~
lucb1e
And common prefixes like 2a00:: or 2001::, not that many are in use (yet). And
I prefer typing ::1 over 127.0.0.1 any day (though most software accepts 127.1
as well).

------
rini17
I'm in Slovakia. The IPv6 adoption is below 1% and the ISPs don't plan IPv6
rollout because "We have enough IPv4 addresses.". Nowhere I ever had native
IPv6 available on home connection, it is option only to business clients.

~~~
vetinari
Out of the three biggest ISPs in Slovakia, only T-Com doesn't support IPv6,
unlike its German parent. UPC (Liberty Global) switched all their residential
customers with new enough CPE to DS-Lite years ago, and Orange also had a flag
day, since then all new customers are also on DS-Lite (they allow getting
public IPv4 for nice 99 EUR one-time fee, static one is additional 8
EUR/month).

~~~
rini17
Thanks. However, "years ago" means 2017 afaik :)

~~~
vetinari
Yeah, two, plural :)

------
exabrial
Using SRV records would eliminate a huge number of IPv4 problems.

~~~
icedchai
Not really. You'd have to update a ton of software to actually support SRV
records.

~~~
exabrial
Yes, unfortunately. I feel like that's marginally better than updating
millions of pieces of hardware for ipv6 support :/

------
rb808
Is it even possible to have a webserver that is IPv6 only? How many people
wouldn't be able to use it?

~~~
PeterisP
There's a problem that just having an IPv6 address is indistinguishable (for
such users) from a server that's not configured or is down. We need a good
solution to indicate to end users that the server is working just fine, but
just you don't have IPv6 support and can't reach it because of that.

But I can't send anything to such a user directly if they don't support IPv6
and I don't have an IPv4 address.

Perhaps we need some community-run webservice with an explanatory page saying
"Website [something.com] requires IPv6, here's lots of documentation on how to
try and fix this" and everyone could point their domain name IPv4 address to
that webservice, and the IPv6 address to the real server.

~~~
umanwizard
Why would anyone set up such a site? Fewer than 30% of people have IPv6 today.

~~~
PeterisP
Well, because they (and their entire organization) may be unable to get a
publicly routable IPv4 address, because NCC can't and won't assign any more.
You can work around it for now, but in the future this will be a more and more
common situation.

~~~
umanwizard
It means they can’t get one for free, not that they can’t get one at all. IPv4
addresses are trading for around 20/each when bought in blocks of 256. They
won’t be prohibitively expensive for any serious hosting provider for the
foreseeable future.

For hobby projects hosted on a Raspberry Pi in someone’s bedroom, I can
imagine a static IPv4 being prohibitively expensive, but that’s about it.

------
parliament32
This will lead to ipv6-only services pretty soon. As the cost of ipv4 space
gets higher and higher you'll see things like VPSes and cloud hosting stop
offering a free IP with their services, and eventually businesses will stop
using it too.

~~~
3fe9a03ccd14ca5
Very unlikely to lead to ipv6 only services any time in the distant future,
unless of course your service requires thousands of ip4 addresses.

Eventually maybe a premium for an ipv4 static IP on some cloud provider but
that’s about it. The big players have plenty of CIDR.

They already have high-performance domain-aware routers, so you can still
basically run a million websites via a single ipv4 address.

~~~
DaiPlusPlus
I can see CDNs colocated inside ISP's internal networks shifting to be
IPv6-exclusive at first because there will be guarantees of IPv6 connectivity
to the ISP's customers.

...if not residential ISPs then certainly mobile-phone/wireless providers.

------
PaulHoule
Carrier-grade NAT has a much bigger impact than IPv6 will.

~~~
kstrauser
Good God, I hope not. Having lived behind CGN for a little bit while I was
scrambling for another provider, it was a horrible experience with lots of
broken services. CGN is a technical dead end.

~~~
JorgeGT
My ISP (Orange) actually backed out and started giving IPv4 addresses to those
of us who complained in their forums about their terrible CGN.

~~~
kstrauser
Outstanding. That's the only way I could see it being remotely tolerable.

------
anticensor
Why have successors to IPv4 been designed with variable-length addresses as in
earlier versions?

~~~
zamadatix
Routing hardware would prefer you just pick a very large address size and
stick to it.

------
sschueller
How many ipv4 are in possession of the US Gov and military? Do they really need all
of those?

With all these elastic search instances running open to the public I have the
feeling that with IPv6 this will get worse as NAT no longer protects you.

~~~
lazyguy2
You don't need to run NAT to have a firewall. Even a stateful one.

~~~
jedberg
You don't need to, but it's a nice side effect for people who don't know what
a firewall is.

I'd wager most home networks are protected only by the fact that they use NAT.
ISPs are getting better about shipping routers with firewalls on by default,
but it's still not there.

------
AceyMan
Typical of humanity's poor prioritization algorithm, I submitted on this 88
days ago … and got zero comments <whomp_whaa>.

But, now that _it's happened_ … it shoots to the top story.

For anyone interested, the blog post from RIPE that I submitted is still up,
here: [https://www.ripe.net/publications/news/about-ripe-ncc-and-ri...](https://www.ripe.net/publications/news/about-ripe-ncc-and-ripe/getting-ready-for-ipv4-run-out)

------
throwawayimp
Time to shut down the Internet and go outside.

So why are IPv4 addresses so valuable? Mostly because IPv6 is
overly-complicated and a pain to work with. We should have first added a new
range where 5 of the 8 hextets were 0000. And found a simple way to write it
without ::

Why wasn't that done?

~~~
lemcoe9
IPv6 is not "overly-complicated." It requires some new knowledge on IP address
notations and new concepts when talking about DHCP and such, but it is
functionally not more difficult than IPv4.

------
JackRabbitSlim
Technical arguments aside; IPv6 is just "advanced" enough to allow
corporations to fuck over the last bastions of free internet and turn it into
nothing but tightly controlled broadcast TV 2.0.

The road to hell is paved with good intentions so I guess I will see you all
in hell.

------
devit
Is IPv4 shortage really going to be a problem?

For client use, carrier-grade NATs allows to have 1000 IPs per customer,
giving 6 million addresses.

For server use, TLS SNI allows to have one IP per datacenter, which are
estimated to be around 10 million in the world.

Non-TLS inbound usage is probably relatively rare, so overall around 100
million addresses should be fundamentally enough even accounting growth.

Of course there's a lot of inefficiencies, but the fundamentals seem to say
that the IPv4 address space is enough.

~~~
kstrauser
Carrier-grade NAT is a non-starter. It's fundamentally broken from an end user
perspective and destined for the junk heap of forgotten bad ideas.

TLS SNI is awesome, but no plausible implementation is going to let you put an
entire datacenter worth of addresses behind a single address. That's not going
to happen.

IPv4's time is soon to be past. Google is nearly hitting 30% IPv6 usage
already, and it's still growing. This is the way forward, not junk tech like
CGN or millions of hosts on a single TLS SNI address.

~~~
zokier
CGNAT (or comparable tech like DSlite) will happen anyways even when majority
of traffic is IPv6. The long tail of IPv4 is long; people will be wanting some
form of IPv4 connectivity long after all the major things have switched to
IPv6 and ISPs are not going to go back to handing out public IPv4 addresses.
The timeline just doesn't work anymore to make a clean transition. Of course
how much do you care if it is CGNAT if you are not using IPv4 is another
matter.

~~~
zamadatix
I'd be willing to bet there are more clients running through NAT64 than CGNAT
currently thanks to mobile networks.

