
Ripe NIC: 'In Five Weeks We'll Run Out of IPv4 Internet Addresses' - dyslexit
https://www.ispreview.co.uk/index.php/2019/10/this-time-there-really-are-no-ipv4-internet-addresses-left.html
======
ergothus
Stupid question: Every time I'm given the option to work with v4 or v6 (which,
granted, is not often) I do v4 for one silly, stupid reason: I can remember a
v4 address for, like, the 10 minutes while configuring that I might at any
moment have to record/enter it somewhere. (So: not just once, but being able
to have it as needed in a small time window.)

What do people do with v6? Have better memories than me? cut-and-paste
repeatedly as needed?

While I do less-and-less sysadmin work over time, even on my home network,
there are opportunities to get more comfortable with v6 that I've skipped
because of this, yet I never see anyone talking about it.

~~~
birdyrooster
You remember the prefixes (e.g. 1234:5:6:7::/48) you care most about and the
hexadecimal nature of the address makes them fairly memorable and compact. You
can prefix addresses with a-f to hint at usage and even spell words. Unused
octets can be omitted thanks to the nature of the ::.

~~~
ATsch
Yes, this is important to remember.

While automatically assigned IPv6 addresses will usually use the full 128 bits
(last half is random), manually assigned addresses usually don't. So e.g. one
of my servers is 2a00:1234:8::10, which is pretty easy to remember. There's
going to be no way around memorizing the first two or three colon sections,
which are assigned to you, but the last part is going to be as easy to
remember as you make it.

2600::1, owned by Sprint, which is the shortest pingable IP address I know, is
exactly as long as 1.1.1.1, the shortest possible IPv4 address.

~~~
U8dcN7vx
I raise you ...

    $ ping 1.1
    PING 1.1 (1.0.0.1) 56(84) bytes of data.
    64 bytes from 1.0.0.1: icmp_seq=1 ttl=56 time=26.0 ms
    ...

~~~
chmod775
I raise you ...

    $ ping 0
    PING 0 (127.0.0.1) 56(84) bytes of data.

Note that this may default to 0.0.0.0 instead depending on what you're
running, which is technically the correct interpretation. I'm not sure who is
doing the shenanigans here.

~~~
U8dcN7vx
Touché!

All zeros is self, which is to say generally the same as 127.1.

------
RijilV
AFRINIC has a number of available IPv4 free, across multiple /8s:
[https://www.afrinic.net/stats/ipv4-pool](https://www.afrinic.net/stats/ipv4-pool)

APNIC has "0.32" of a /8 left:
[https://www.apnic.net/community/ipv4-exhaustion/graphical-information/](https://www.apnic.net/community/ipv4-exhaustion/graphical-information/)

ARIN reached zero on Sept 24, 2015:
[https://www.arin.net/resources/guide/ipv4/](https://www.arin.net/resources/guide/ipv4/)

~~~
1996
Can you easily get a free /24 from AFRINIC?

What kind of presence do you need? I will soon have to do a small CDN with a
POP in ZA. I might as well get the IPv4 from AFRINIC if they have plenty.

~~~
mike_d
You need to have a business presence in Africa, not just a network presence.

Cloudflare abused this long ago by creating a subsidiary on paper in
Seychelles just to get as many IPs as possible, while doing no business there.

------
ulkesh
I have been hearing this end-of-the-IPv4 world chatter for 10+ years now.
While I understand it is a real problem, I wonder if we’ll still be talking
about it in the present tense 10 years from now.

~~~
zenexer
The internet can continue operating and growing without IPv6; it just won't be
pretty. More and more endpoints will have to share a single IPv4 address;
that's possible, but it can cause a variety of problems. I'm not really
qualified to assess their severity on such large scales, but similar scenarios
are known for being problematic at small scales.

It might seem like it makes more sense to switch to IPv6 than to deal with the
issues of IPv4, but the entities that have to deal with problems that result
from IPv4 depletion usually aren't the same entities impeding the adoption of
IPv6.

~~~
ATsch
Two big reasons that Microsoft says have caused them to start pushing v6
adoption internally from around 2017 are:

a) struggling to implement proper IP based access control with their available
address space.

b) as everyone uses the same 16 or so bits of Private IPv4 space, every
acquisition likely causes new IPv4 address space collisions which must be
worked around.

~~~
mlyle
> b) as everyone uses the same 16 or so bits of Private IPv4 space, every
> acquisition likely causes new IPv4 address space collisions which must be
> worked around.

I mostly agree, but this overstates things some. 10/8 offers 24 bits, 192.168
offers 16 bits, and 172.16-172.31 offers 20 bits.

The latter are particularly frequently unused; if you pick one of
172.20-172.28 to cram into you have a high chance of not crashing into someone
else when you integrate networks. Particularly if you use the upper half of
the resultant class B.

Of course RFC 4193 for IPv6 is very nice; pick your own random 40 bit prefix,
and get to run 65536 subnets of arbitrary size. You need to integrate ~2^20 --
a million -- networks before you have a 50% chance of having encountered a
collision.
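
The RFC 4193 prefix construction and the birthday-bound arithmetic behind the "~2^20 networks for a 50% collision chance" figure, as an added example (not code from the thread). The NTP timestamp and EUI-64 fed into the Global ID derivation are constructed values; the derivation itself follows RFC 4193 section 3.2.2.

```python
"""RFC 4193 unique local prefixes and the odds of two sites picking the same one."""
import hashlib
import ipaddress
import math

GLOBAL_ID_BITS = 40
GLOBAL_ID_SPACE = 1 << GLOBAL_ID_BITS        # 2^40 possible /48s under fd00::/8


def rfc4193_global_id(ntp_time_64: int, eui64: bytes) -> int:
    """RFC 4193 3.2.2: SHA-1 over (64-bit NTP timestamp || EUI-64), keep the
    least significant 40 bits of the digest as the Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(ntp_time_64.to_bytes(8, "big") + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set) || 40-bit Global ID, then 16 bits
    of Subnet ID and a 64-bit interface ID, both zero here: the site's /48."""
    if not 0 <= global_id < GLOBAL_ID_SPACE:
        raise ValueError("Global ID must fit in 40 bits")
    top48 = (0xFD << GLOBAL_ID_BITS) | global_id
    return ipaddress.IPv6Network((top48 << 80, 48))


def subnet_count(prefix: ipaddress.IPv6Network, new_prefix: int = 64) -> int:
    """How many /64s (or another size) the site prefix can be split into."""
    return 1 << (new_prefix - prefix.prefixlen)


def collision_probability(n_networks: int, space: int = GLOBAL_ID_SPACE) -> float:
    """Birthday bound: chance that at least two of n independently chosen
    Global IDs coincide, 1 - exp(-n(n-1) / (2 * space))."""
    return 1.0 - math.exp(-n_networks * (n_networks - 1) / (2.0 * space))


def networks_for_collision_probability(p: float, space: int = GLOBAL_ID_SPACE) -> int:
    """Inverse of the bound: how many sites you must merge before the chance of
    having met a duplicate prefix reaches p."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


if __name__ == "__main__":
    # Constructed inputs: an arbitrary NTP timestamp and an arbitrary EUI-64.
    gid = rfc4193_global_id(0xE4C0D1F200000000, bytes.fromhex("0211223344556677"))
    site = ula_prefix(gid)
    print(site, subnet_count(site))                    # fdxx:xxxx:xxxx::/48 65536
    print(networks_for_collision_probability(0.5))     # about 1.23 million, i.e. ~2^20
    print(round(collision_probability(1 << 20), 3))    # about 0.39 at exactly 2^20
```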

~~~
ATsch
> 172.16-172.31 are particularly frequently unused

haha, I wish. We decided to use them two decades ago exactly because we
thought they were less frequently used, but then a decade later Docker comes
along and uses exactly that as a default NAT subnet. So we get multiple
tickets about that a week.

~~~
saurik
What kind of issues is this causing you / your users?

~~~
ATsch
Well, the complaint usually goes like this:

"we recently set up service x, and it seems to be working fine. However, when
we try to connect from the campus wifi, or a certain department, the service
does not respond".

What happens is the server gets a request from a private IP within the range
assigned to docker0, and then the container replies, but because the IP is
believed to be local, Linux correctly tries to find something attached to the
docker0 interface with that IP and fails.
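
The failure ATsch describes, reproduced as a route lookup plus an overlap check, as an added example (not code from the thread). The routing table and the campus prefixes are constructed to resemble a Linux host running Docker's default 172.17.0.0/16 bridge.

```python
"""Why a reply to a client inside docker0's range never leaves the host."""
import ipaddress

# Constructed routing table: a default route plus two on-link subnets,
# (prefix, interface, next hop); next hop None means on-link.
ROUTES = [
    ("0.0.0.0/0",     "eth0",    "10.0.0.1"),  # default route via the gateway
    ("10.0.0.0/24",   "eth0",    None),        # the host's own LAN
    ("172.17.0.0/16", "docker0", None),        # Docker's default bridge
]


def lookup_route(routes, dst):
    """Longest-prefix match, as the kernel's FIB lookup does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def reply_path(routes, client_src):
    """Where the host sends its reply to client_src: (interface, next hop).
    A None next hop means the kernel will ARP for the client on that interface,
    which is exactly what goes wrong when the client is really behind eth0."""
    _net, iface, gw = lookup_route(routes, client_src)
    return iface, gw


def overlapping_prefixes(local_prefixes, remote_prefixes):
    """Every (local, remote) pair that overlaps; any hit means hosts in that
    remote prefix cannot get replies from this machine."""
    hits = []
    for local in local_prefixes:
        local_net = ipaddress.ip_network(local)
        for remote in remote_prefixes:
            if local_net.overlaps(ipaddress.ip_network(remote)):
                hits.append((local, remote))
    return hits


# Constructed campus allocations, carved from 172.16/12 as in the thread.
CAMPUS_PREFIXES = ["172.17.40.0/22", "172.20.0.0/16", "172.28.8.0/21"]
# The on-link prefixes are the ones that can shadow a remote network.
LOCAL_PREFIXES = [prefix for prefix, _iface, gw in ROUTES if gw is None]

if __name__ == "__main__":
    print(reply_path(ROUTES, "172.17.41.9"))  # ('docker0', None): reply ARPed on the bridge
    print(reply_path(ROUTES, "172.20.5.5"))   # ('eth0', '10.0.0.1'): reply leaves normally
    print(overlapping_prefixes(LOCAL_PREFIXES, CAMPUS_PREFIXES))
```

Running the overlap check against a host's actual routes before a merge or a Docker rollout catches the ticket before the user files it.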

------
peterwwillis
We need a Wiki that documents all the problems of migrating from IPv4 to IPv6.
Currently it's a scary, unknown process of bumbling into corner cases, which I
think is the reason the vast majority of people haven't adopted it into their
products. Why do something slow and complicated when you don't need to (yet)?
By documenting it fully, it will seem easier, and more people will at least
try to adopt IPv6.

One of the many things that would speed up adoption is "IPv6 by default".
Often it's just a matter of turning on the "IPv6 thing" at the same time as
the "IPv4 thing". We need IPv6 name servers added to DHCP leases. We need load
balancers to expose IPv6 addresses. We need to provide an AAAA record at the
same time as an A record. We need firewall rules for IPv6 at the same time we
add one for IPv4. We need SLAAC or DHCPv6 enabled. And we need applications to
natively support an "ip address" field that accepts both IPv4 and IPv6 format
addresses.

~~~
clarry
> One of the many things that would speed up adoption is "IPv6 by default".

This is precisely why I end up searching for the knob to turn off IPv6 in the
kernel after installing a new system. That is, if I remember to do so. And
then I curse because the system's (or application's) name resolver still keeps
performing AAAA queries and breaking because IPv6 doesn't actually work.

Recent example:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1582686](https://bugzilla.mozilla.org/show_bug.cgi?id=1582686)

Please don't enable anything by default unless it's actually working.

~~~
Jonnax
[https://www.google.com/intl/en/ipv6/statistics.html](https://www.google.com/intl/en/ipv6/statistics.html)

One third of traffic into Google comes from IPv6 sources. And they work fine.

When major ISPs around the world are enabling for both their fixed and mobile
customers and not getting issues.

The problem is either in your ISP, your network or client configuration.

~~~
clarry
> The problem is either in your ISP, your network or client configuration.

Thank you for telling me that it's broken. That's kinda my point.

Again, I don't _have_ IPv6 connectivity to the world, _at all._

Random applications trying to enable and use it per default is bound to fail.

~~~
Jonnax
You linked to a bug in Firefox Nightly. That's hardly indicative of there
being widespread issues.

Also that bug seems to occur when IPv6 is disabled in the kernel.

Random applications should be fine with trying the IPv6 address, and if it
fails using the IPv4 address.

That should happen transparently. There are millions of Linux deployments that
don't require manually disabling IPv6.

You not having an IPv6 address is a separate issue.
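
The "try the IPv6 address, fall back to IPv4 transparently" behaviour Jonnax describes, as an added example (not code from the thread), in the spirit of RFC 8305 Happy Eyeballs. The resolver and connector are injected so the logic runs offline; `fake_resolver` and `fake_connector` are constructed stand-ins for a client whose IPv6 path is dead, and `real_resolver`/`real_connector` wrap the standard library for actual use.

```python
"""Dual-stack connect with IPv4 fallback when the IPv6 attempt fails."""
import socket

FAMILY_NAME = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}


def order_candidates(addrs):
    """Prefer AAAA answers, keep A answers as fallback, preserving the
    resolver's order within each family. addrs: [(family, address), ...]."""
    v6 = [a for a in addrs if a[0] == socket.AF_INET6]
    v4 = [a for a in addrs if a[0] == socket.AF_INET]
    return v6 + v4


def connect_dual_stack(host, port, resolver, connector, attempt_timeout=0.25):
    """Try each candidate in order; the first successful connection wins.
    Returns (family name, address, connection, failed attempts) or raises
    OSError when every candidate failed."""
    candidates = order_candidates(resolver(host, port))
    if not candidates:
        raise OSError("no addresses for %s" % host)
    failed = []
    last_err = None
    for family, addr in candidates:
        try:
            conn = connector(family, addr, port, attempt_timeout)
            return FAMILY_NAME[family], addr, conn, failed
        except OSError as err:
            # Record and move on: a dead IPv6 path must not sink the connection.
            failed.append((addr, str(err)))
            last_err = err
    raise OSError("all %d candidates failed: %r" % (len(failed), failed)) from last_err


def real_resolver(host, port):
    """Standard-library resolver: both A and AAAA via getaddrinfo."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr[0]) for family, _t, _p, _c, sockaddr in infos]


def real_connector(family, addr, port, timeout):
    """Standard-library TCP connect with a per-attempt timeout."""
    return socket.create_connection((addr, port), timeout=timeout)


# --- constructed offline scenario: the name has AAAA and A records, but this
# client has no working IPv6 route (as when IPv6 is disabled in the kernel).
def fake_resolver(host, port):
    return [(socket.AF_INET6, "2001:db8::1"), (socket.AF_INET, "192.0.2.1")]


def fake_connector(family, addr, port, timeout):
    if family == socket.AF_INET6:
        raise OSError("[Errno 101] Network is unreachable")
    return ("connected", addr, port)    # stand-in for a socket object


if __name__ == "__main__":
    print(connect_dual_stack("example.test", 443, fake_resolver, fake_connector))
```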

------
shaki-dora
I recently decided on a whim to try an IPv6-only VPS which was something like
70% off at my provider. It being for internal stuff only, I thought it
shouldn't be too much of a problem.

As it turns out, not even the Ubuntu repositories are reachable over IPv6.

I believe this was the PPA server, which held some package I needed for some
workaround for all the other connectivity problems.

So let's hope a few important people/companies/institutions start to be
slightly inconvenienced. I bet as soon as this rises to the concern of, say,
some people's Netflix stream stuttering it's a matter of weeks to solve it.

~~~
Liquix
Forgive my naiveté - how does running out of IPv4 addresses result in Netflix
stuttering? I'm viewing it as a binary problem (you either have an IP and have
internet, or you're fighting to get an IP and have no internet) but that seems
incorrect.

~~~
orev
I could imagine if your ISP has some big NAT plant that’s overloaded, it would
cause connection problems with traffic getting congested at the NAT devices.

~~~
toast0
Not just raw bandwidth, but also NAT relies on session tracking, and the NAT
device has a limited amount of memory and therefore sessions available. It's
often a lot easier to augment bandwidth than to augment available sessions.

------
jasonvorhe
Finally. I can't wait for the outcome of this. We'll probably waste another
couple of years with more NAT and other hacky short-term solutions, but in the
long run adopting IPv6 is inevitable.

~~~
tenebrisalietum
NAT destroys the end-to-end principle and encourages things like CGNAT, which
make side-stepping centralized services impossible. I really hope IPv6 starts
becoming commonplace and that the outcome isn't that CGNAT becomes the norm
for residential Internet connections.

~~~
JohnFen
> NAT destroys the end-to-end principle

Yes, and that's precisely why I use it in my home network, and will continue to
use it with IPv6. I explicitly don't want any IP addresses in my green zone to
be directly accessible from my red zone.

~~~
Dagger2
Then you're doing something very wrong. You can't rely on NAT to stop
connections, because that's not a thing NAT does.

You need to be using a firewall. NAT is just an extra, useless, complicated
and unnecessary thing to be adding to the top of that; one that makes it hard
to understand how your network is even working, and which makes it harder
rather than easier to secure.

~~~
umanwizard
Can you explain how an outside person (other than my ISP) can make an outside
connection to my laptop despite being behind a NAT? Assuming for concreteness
that my laptop's internal (NATted) address is 192.168.1.123 and my router's
public address is 123.45.67.89. What sequence of commands would you type to
open a TCP connection to my laptop?

~~~
takeda
NAT is implemented on a firewall, the blocking of incoming connections is a
side effect and isn't even intentional (that's why UPnP exists).

Since you already have a firewall you can just add a single rule that blocks
incoming connections and that's all you actually need.

------
xfalcox
If every engineer took the extra 10 minutes to enable IPv6 for their AWS
services we would have a much better availability.

I believe it's less than 50 lines of Terraform code to enable it for the
standard Application Load Balancer use case.

~~~
regecks
I have the opposite experience when it comes to availability.

I sell some software that runs on servers, and we used to get so many tickets
that came down to the server's IPv6 transit being busted in sometimes obvious,
sometimes subtle ways. And then we have to fight with _their_ NOC to convince
them something is broken.

IPv6 is an afterthought in many networks. There is less peering, less
monitoring, less users overall to uncover issues.

It got so tedious to deal with that support burn that I just changed our
software to not dual-stack any of its outgoing connections. Not heard a peep
since.

~~~
xfalcox
Does the software run well under heavy CGNAT? Because that is where we are
going if everyone follows you.

~~~
seppel
The whole problem with ipv6 is that early adopters have not many advantages
(while still having to support ipv4 anyway) whereas late adopters will have it
much easier (better ecosystems, far fewer bugs anywhere else, problems are
documented and well understood, infrastructure is tested, etc.). The
incentives from the business side are just plain wrong. They can change when
CGNAT causes problems. But they don't as long as other stuff is more
important.

------
eat_veggies
I believe even Hacker News is inaccessible via ipv6.

[https://news.ycombinator.com/item?id=19833362](https://news.ycombinator.com/item?id=19833362)

I noticed this at my parents' house, where their new wifi setup was toggled to
"ipv6 only" mode, and HN didn't work.

~~~
icebraining
Accessing an IPv4-only website from IPv6 is not a major problem. A NAT64
gateway to access such legacy services works fine. IPv4-only _clients_ is
another issue.

~~~
p1mrx
Running an IPv4-only website becomes a problem as ISPs migrate their IPv4
traffic to NAT44/NAT64, and you can no longer tell users apart for abuse
detection purposes.

~~~
blotter_paper
> you can no longer tell users apart for abuse detection purposes

s/abuse detection/tracking

As a user, this sounds like a feature -- but really, there are a ton of other
metrics to track most users by (assuming we're talking about abuse done via
the actual website interface rather than just flooding ports with packets from
a specific IP).

~~~
fakename11
I doubt this website would even be up if they had no abuse detection.

------
proverbialbunny
When a dns request is sent, the dns software most of the world's ISPs use pulls
both the A and the AAAA record, but the AAAA (ipv6) record takes on average 4x
longer than the A record to pull. The dns software short circuits this so what
you get back is almost always an ipv4 address.

If you're accessing a website, you're almost always going to end up getting
its ipv4 address. This is significant, because still the entire internet
doesn't support ipv6. (I'm looking at you Sonic.) If website providers can't
get a dedicated ipv4 address, they could use some sort of 6to4 like tunnel to
support ipv4. But because of the way the current dns software works, by
default all of their traffic will run through that ipv4 tunnel.

This leaves ipv6 almost exclusively used for p2p or other types of home
connections. The future of the internet is shaping up in such a way where
websites run over ipv4 and end users have a sort of firewalled ipv4 access,
then use ipv6 for everything else.

A law that requires ISPs to fully support ipv6 may be beneficial.

~~~
300bps
Is there a reason why certain companies get to retain their originally
allocated Class-A netblocks with their 16 million addresses?

[http://www.aturtschi.com/whois/neta1.html](http://www.aturtschi.com/whois/neta1.html)

Even companies that were given Class-B netblocks with about 65,000 addresses
seem a bit wasteful. I remember when I started an ISP in 1996 it was like
pulling teeth to get a Class-C with 255 addresses but there Ford sits with 16
million of their own.

~~~
Dagger2
Yes: those netblocks belong to them and you can't take their stuff just
because you like the look of it.

There aren't enough addresses in v4. Reclaiming one or two /8s here or there
won't fix that. Before IANA runout in 2011, we were going through over one /8
per month, and demand has only gone up since then. Those class Bs you're so
worried about would last the internet maybe 2 hours each.

You can push as many allocations around as you like, but there just plain and
simply _isn't enough v4_.

------
mingabunga
Some ISPs are resorting to CGNAT, e.g.
[https://help.2degreesmobile.co.nz/app/answers/detail/a_id/402/~/changes-to-ip-addresses-%28cgnat%29](https://help.2degreesmobile.co.nz/app/answers/detail/a_id/402/~/changes-to-ip-addresses-%28cgnat%29)

~~~
pkulak
Man, that would suck to be behind one of those.

~~~
lucb1e
Tell me about it. Rented a place in Amsterdam that came with a Ziggo
connection. Wanted to play a game online with someone and I couldn't. No way
to host a game. Called support, they said I had a shared ipv4 address. They'd
be happy to switch it to a real one but then I'd lose my v6 connection. I
didn't know what to tell them. These connections need to come with warning
symbols, this isn't what I expect of an Internet connection (I think they
deployed "dual-stack lite" but it isn't mentioned in the contract, and even if
it is, it should be called "Internet lite").

Still happy with my XS4ALL connection on fiber. Proper /48 subnet and static
legacy IPv4 address since ~2011.

~~~
saurik
Why can't you host a game behind CGNAT? You should be able to use PCP or STUN
to establish an incoming port, no?

~~~
MayeulC
But wouldn't the game itself have to support something like STUN?

AFAIK, it's a handshake between the two ends, made through a third party
server. Both parties need to contact the third party server, then they get an
IP:port combination.

So you would have to do that, then quickly enter that information in the game
client and server, while making sure that the TTL doesn't expire. You might
also have to fight your OS a bit.

Moreover, STUN doesn't work on symmetrical NAT, where the router uses the
incoming address of a packet to route it through the host.

I don't know PCP; I'll look into that. IMO, the solution to the GP's issue is
a VPN. Hamachi used to be a popular solution among gamers, I think.

~~~
saurik
My point was not about the user being able to work around game limitations but
to assert that this is, first, a game limitation, wherein it failed to account
for the existence of NATs. NATs aren't some new problem: my computer has not
had a public routable IP address essentially _ever_, as even when I was using
dial-up in 1995 I had set up a Linux server in our basement to use NAT (as I
wanted to have multiple machines in my house always connected). I just don't
see why CGNAT is somehow bad or worse or even different than NAT, if the game
supports NATs (which it sounds like in your case it doesn't).

Yes: "symmetric NAT" is useless, but I have not yet seen a CGNAT deployment
use symmetric NAT. I would just go so far as to say "symmetric NAT is an
example of a technology that is not and never will be good enough to be called
carrier grade" ;P. So like, that NAT can and has sucked shouldn't be a
demonstration that all NAT everywhere is entirely useless.

It could very well be that CGNAT deployments _don't_ have support for PCP,
(or the related NAT-PMP and UPnP mechanisms that it is a successor to), which
would suck. I haven't checked this yet. However, if they do, you should be
able to do just about anything you could on any private NAT setup: these
protocols let you ask your NAT to open a reverse port mapping to your system
on a routable IP address, and you can use them with external tooling (they
don't require you to be inside the app listening on the port or anything).

------
purerandomness
In the meantime, we still can't have a web server running on a GCP instance
that uses an IPv6 address and does TLS termination with your own certificate
at the same time.

------
magicalhippo
I'm currently running a pfSense router at home, which has limited IPv6
support. Does anyone have any suggestions for something with more extensive
IPv6 support?

Specifically what I need is something which can handle my ISP only handing me
a /64, and can smoothly handle prefix changes (update firewall rules etc).

Ideally also being able to register/update LAN clients on dyndns service so I
don't need to install an update client locally on every device.

~~~
bn7t
I think OPNsense has proper IPv6 support.

------
xvilka
At the same time, GitHub Pages do not work[1] with IPv6 yet...

[1] [https://github.community/t5/GitHub-Pages/Cannot-reach-any-github-io-page-via-IPv6/td-p/4021](https://github.community/t5/GitHub-Pages/Cannot-reach-any-github-io-page-via-IPv6/td-p/4021)

~~~
tambre
They _used to_ support IPv6. When they added HTTPS support they removed it
because of it [1]. Which is a complete nonsense reason. Using the old IPv6
range works for *.github.io domains even now.

But IIRC, you can fetch GitHub Pages custom domains over IPv6 with HTTPS too,
but you don't get the correct certificates, because they simply don't have an
IPv6 range pointing to the newer HTTPS-supporting infra.

[1]: [https://github.com/isaacs/github/issues/354#issuecomment-385746014](https://github.com/isaacs/github/issues/354#issuecomment-385746014)

------
Havoc
Now if only my ISP would get onboard. I applaud the 1gbps fibre, but IPV6 has
been "in progress" for like 3 years now...

~~~
umanwizard
Verizon FiOS?

~~~
tambre
IIRC, they plan to deploy IPv6 in 2020 spring. Unfortunately I can't remember
the source.

And they've had it in a few select residential areas as a trial since 2018
autumn [1].

[1]: [https://www.dslreports.com/forum/r32136440-Networking-IPv6-working](https://www.dslreports.com/forum/r32136440-Networking-IPv6-working)

------
illys
Well, to me, the issue of IPv6 adoption is that it is not a natural extension
to IPv4, but two different protocols. It requires two settings efforts and
additional efforts for interoperability with third parties still limited to
IPv4.

I am sure there must be some tools to smooth the efforts, but it is not native
in the protocols.

------
neckardt
Would it be ethical/useful to overwhelm NATs with addr:port combinations to
overflow the NAT's translation table? If NATs start breaking down, it might
force upstream to start adopting IPv6. I could see a system of doing this as
setting a different port for each outgoing connection. Thoughts?

~~~
rb12345
I doubt it would be either ethical or useful to deliberately overload
translation tables. That said, I would imagine that the migration to QUIC and
HTTP/3 would increase pressure on NATs. QUIC's use of UDP means that it's
harder to safely reuse source ports for connections to different destinations
compared to TCP, so the density of connections per external IP address should
be lower.

------
nodesocket
Is there a graph of the average price of a /24 block of ipv4 addresses?

Is the price going to keep appreciating as supply falls until there is no more
supply? I.E. is there potential to treat ipv4 addresses like a commodity?

I don't see ipv6 being widely adopted (major cloud providers only offering ipv6
for new servers) in the near future.

~~~
Dagger2
[https://auctions.ipv4.global/prior-sales](https://auctions.ipv4.global/prior-sales)

[https://www.vultr.com/products/cloud-compute/#pricing](https://www.vultr.com/products/cloud-compute/#pricing)

------
jakeogh
IPv4's inability to label all the things may be a feature. NATs are like
borders in some ways, and prevent fine grained censorship without larger
consequences.

------
commandersaki
Meanwhile ipv6 which had literally one job* remains fairly useless.

* that is to avert impending address exhaustion, but it happened, and ipv6 sat idle and did nothing.

~~~
peterwwillis
If that were its only job, the only change would have been 128 bits instead of
32 for the address. There's like a bazillion other changes, unfortunately :(

~~~
Dagger2
Not as many as you think. It's mostly very similar to v4, and the majority of
the changes are to handle the extra address width.

------
nikanj
Again?

~~~
Dagger2
Nope, not again.

This is the first time that RIPE has ever had more applications for v4 space
than v4 ranges to satisfy those applications with (even with the strict limits
on how much people can request).
