
How bad is IPv4 address exhaustion? - okket
https://blog.apnic.net/2018/02/15/bad-ipv4-address-exhaustion/
======
seeekr
Hypothesis: Mass adoption of IPv6 is blocked by the ugliness/inconvenience of
the IPv6 address format, hence "end-users" (developers) don't like adopting
IPv6. As long as this UX issue does not get solved, IPv6 adoption is only
going to happen on an individual level when any given business' significant
income stream is at immediate risk of being disrupted. Depending on how many
of these individually affected businesses represent major infrastructure
providers (such as public clouds), the individual moves to IPv6 might together
bring about a globally noticeable effect.

---

Who here actually feels any sort of pain, as an internet technologist, or as
business owner, from "still" being on IPv4? I know that I do not.

~~~
FooBarWidget
I don't know. IPv6 is ugly, yeah, but not any more ugly than other long random
strings that we just copy-paste all the time, like API keys. For me, not
adopting IPv6 has these reasons:

* My home and small business Internet provider does not support IPv6, despite them talking about deploying it for about 10 years now. Actually here in the Netherlands I have never encountered a mainstream consumer ISP that supports IPv6.

* I don't have any users that are exclusively on IPv6. All my users have access to IPv4.

* IPv6 does not bring me any visible benefits, like faster performance.

~~~
overcast
You go ahead, and try relaying an IPv6 address over the phone from one of your
end users.

~~~
yAnonymous
"Sir, please type this into your browser to get to the router web interface:
2001:0db8:85a3:0000:0000:8a2e:0370:7334. I repeat
2001:0db8:85a3:0000:0000:8a2e:0370:7334."

"Server IP address could not be found."

5 minutes later...

"Now could you please tell me the IPs of all connected devices?"

 _Customer hangs up and cancels his subscription._

~~~
scruple
Wasn't a similar problem solved by services like URL shorteners? I had to work
occasional technical service for products where I was one of the embedded
engineers and I leaned heavily on bit.ly at the time to get URLs back and
forth from customers and it worked exceedingly well.

So, with that in mind, what would be the major drawbacks to IPv6 address
shorteners? You'll always have a certain class of issues such as transcription
errors, of course.

~~~
overcast
Problem with URL shorteners is ones that use characters, especially of varying
cases. Relaying letters across a telephone sucks, I often resort to NATO
codes, and now you'll have to distinguish capitalization.

~~~
scruple
Yeah, actually I guess that I was spoiled in that regard. I worked for an RF
company when I had that experience and, also having a military background
myself, the NATO phonetics were used naturally when communicating with our
customers.

------
nottorp
I don't see an answer to 'how bad' in the article. I thought I'll get some
recent numbers but instead I got... some generic text that was valid even 3
years ago?

~~~
exikyut
Offtopic tangential forum rant:

There has been an answer to your question in this thread for 14 minutes.
However only users with showdead on can see it, because Arc has erroneously
flagged it as evil. Screenshot/proof of what I currently see:
[https://i.imgur.com/Y7iM30E.png](https://i.imgur.com/Y7iM30E.png)

HN does get spam, but the text and links don't look like the currently-buried
comment does. I can't see it being /that/ hard to train an RNN, what with this
being a comp-sci discussion forum...

--

Oh, about the bar being brown/black in my screenshot - I set the bar color to
that of the upvote/karma text, as I don't care to see that information (I
start commenting for points, not to contribute meaningfully - it's true).
Unfortunately Arc doesn't realize it should make the color of the links
lighter so I can see them, so I've had to work hard to learn where the
"threads" link is sitting so I can access comment replies.

Bit inconsistent letting me change the background color but not the text
color. I can understand it, but still. Getting to the root cause, it would be
nice to have an option to completely disable karma score display.

</Irritated but ultimately harmless 1:30AM rant>

~~~
bkor
Don't you have enough karma to vouch/favorite that comment? I just did.
Usually there's a reason why the comment is automatically flagged so don't
agree with your assessment.

~~~
exikyut
I did immediately. _It stayed dead!!_, which is what prompted the rant.

------
spystath
In the organisation I work for we had IPv4/IPv6 dual stack. Due to IPv4
exhaustion my whole department was shoved behind an NAT, which given the
circumstances I find it normal as there is no need for 400+ workstations to
have public IPs. The weird thing is that after the switch to NAT IPv6
connectivity was lost. When asking why IPv6 was lost I was told "what do you
need it for?".

In the meantime I have residential IPv6 since 2011. I really believe corporate
networks are one of the main causes of delay in massive IPv6 adoption. And
given the inertia I'm not really expecting them to change soon.

------
kuon
My ISP doesn't support IPv6 and it's been complicated to get IPv6 running
properly at my hosting providers too. My hosting provider uses DHCP to
propagate routing information, and I had a lot of issues with it going down,
thus losing IPv6 connectivity. In the end I just disabled IPv6 on all the nodes
I manage, it has no benefit except increased complexity.

The problem is the lack of incentive to do the conversion.

~~~
XorNot
This sounds more like poor DHCP configuration on your side? DHCP going down
doesn't remove anything unless your client decides to time out its current
address configuration - of which there's no incentive to do on a server.

Moreover if routing was being propagated by DHCP, why was that not the case
for IPv4 as well which would presumably be using it?

~~~
geofft
DHCPv4 and DHCPv6 are different (they even run on different ports) and
probably they have more experience with monitoring and operating DHCPv4.

Honestly I think the fundamental mistake of IPv6 was trying to fix everything
else along the way. Certainly there are things that can be fixed in DHCPv4.
But there isn't a way to put off that operational work until you're ready to
get good at it; there is no way to _just_ get more addresses and not also sign
up to run a new version of DHCP, to decide if you even want DHCPv6 or you want
RAs and SLAAC, to give up ARP, etc. It's a big lesson in the second system
effect.

~~~
pas
What was the problem with ARP anyway? Why is Neighbor Discovery better?

~~~
geofft
As I understand it, ARP is abstraction-breaking and hard-codes that IP is
running on top of Ethernet or something Ethernet-compatible - you're sending
Ethernet packets (with a non-IP EtherType) that reference IP and an IP
address, initially over Ethernet broadcast. NDP runs over ICMPv6, which is an
IP protocol, and the way it works is that it's sent to well-known IPv6
multicast addresses, ff02::1 for all nodes or ff02::2 for all routers. If
you're a node and/or a router, you join those multicast groups. So there's no
assumption of Ethernet; that just depends on _some_ link layer with a working
multicast. (And broadcast is a perfectly legal implementation of multicast,
although if your layer 2 protocol makes it easy to do a better implementation,
great.)

Also, there's some multicast fanciness so you join a multicast group based on
some hash of your IP address so that NDP packets don't even go to all
machines, but just some hash bucket that contains that IP address.

(I think these are good reasons to make a successor to ARP, but I don't think
these are good reasons to require that you use the successor protocol if you
don't want to NAT, especially given the extent to which deployed networking
gear does ARP snooping and IGMP snooping - and does not expect a pile of
multicast groups.)
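
The group mapping described in the comment above, as an added example that is not part of the original thread: it derives the solicited-node multicast group (RFC 4291) and its Ethernet multicast MAC (RFC 2464) for each address, which is the set of groups a snooping switch has to track. The host list is constructed sample data, and the function names are this example's own.

```python
"""Solicited-node multicast mapping used by IPv6 Neighbor Discovery.

Added example; the host addresses below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# RFC 4291: solicited-node groups live in ff02::1:ff00:0/104.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr):
    """Return the multicast group a host joins for one unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def ethernet_multicast_mac(group):
    """RFC 2464: 33:33 followed by the low 32 bits of the multicast address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def bucket_hosts(addrs):
    """Group unicast addresses by the solicited-node group they listen on.

    A Neighbor Solicitation for a target is delivered only to the hosts in
    that target's bucket, not to every node on the link.
    """
    buckets = defaultdict(list)
    for a in addrs:
        buckets[str(solicited_node_group(a))].append(a)
    return dict(buckets)


# Constructed sample link: the address quoted earlier in the thread plus
# documentation-prefix hosts, two of which share their low 24 bits.
HOSTS = [
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "2001:db8::1",
    "2001:db8::abcd:1234",
    "fe80::1:22cd:1234",  # same low 24 bits as the host above
]

if __name__ == "__main__":
    for group, members in bucket_hosts(HOSTS).items():
        print(f"{group:20} {ethernet_multicast_mac(group)}  <- {members}")
```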

------
gwbas1c
> The ultimate solution to IPv4 exhaustion is, of course, the complete
> transition of the Internet to IPv6, however, this will take time and until
> then there will be (by definition) networks and sites which only support
> IPv4. This requires other networks and sites, even if they support IPv6, to
> maintain IPv4 connectivity, which in turn requires some number of IPv4
> addresses. For that reason, IPv4 exhaustion certainly is an issue to be
> understood and dealt with, especially by those who are building new networks
> and services.

That's what I heard in college in 1999.

------
jimmies
IPv4 exhaustion is going to get really bad if we don't move to IPv6 soon.

IPv4 exhaustion means no more personal server boxes at home. The US has huge
chunks of IPv4 allocation. In Vietnam, it's not as fun. IPv4 addresses have
really exhausted. I just learned by accident that the ISP there they do a
thing called the "carrier grade NAT" to get around that.

I was baffled I couldn't open a port on my router to seed some Linux images
despite setting up the NAT correctly (remotely). After scratching my head for
a while I noticed the IP address that the router reported was not the public
IP when I Googled "what is my IP address." Then I sent an email to FPT, the
ISP - one of the biggest ISPs in Vietnam saying "Hey guys - I believe I'm
behind a NAT... I can't open a port to do stuff. Can you assist me?" To my
surprise, after 15 minutes they sent an email back, saying "Oh yeah, we know
that, we have given you a public IP. Thanks for trusting our service." I was
double baffled by their service. Then because of that, I also asked for IPv6.
10 minutes later - "IPv6 has been enabled on your account. Thanks for using
our service." What the hell?

While my ISP in the US (Spectrum/TW) has just given me a hell of a hard time
because they sent me a buggy modem that would restart 3+ times a day. And in 4
months with a countless number of calls, 10 tech people sent to my house, no
one knew what TF was going on. Now suddenly, it doesn't crash anymore, but
they disabled IPv6 altogether, no words given. No one in their tech support
knew that IPv6 was disabled because it crashes their router and they just gave
me bullshit answers. I just found out about the "Puma chipset IPv6 crash"
ordeal by Googling. Again, Spectrum was as helpful as a rock. I don't know how
do they have so many people sending me mail spams weekly and calling and
harassing me to sign up for their TV service, yet the service sucks so much.

------
craig1f
I feel like AWS and the Cloud in general have to be helping with this issue,
because people no longer need to lock down individual IPs or ranges of IPs to
get work done. Without the need to lock down an IP that you may or may not
need to use, and with load-balancers that are able to expose boxes on a
private subnet, the demand for IPv4 should be going down.

~~~
dijit
I actually disagree on this point. The rapid deployment and horizontal scaling
that cloud recommends implicitly (failure domains, microservices as small
isolated single purpose units et al.) also promote the consumption of IPv4
address space.

The other thing is Docker and Kubernetes are not supporting IPv6 today so that
definitely locks a lot of the more modern cloud deployments to IPv4, even if
it's S2S communication which could have been IPv6 only (since you would
control both ends) otherwise... so that's another thing.

However, new network layer technologies like "Layer-3 all the way to the
server" are allowing providers to use their entire IPv4 allocation by having
BGP pushing /32 routes internally and this has been the biggest helper in my
opinion, no longer do you have a static /24 allocation and a bunch of dead
space that can't be freed easily.

Of course people who are new to OPs/Dev haven't really seen this much- but I
would probably venture more than 50% of ipv4 space is locked into allocations
that are mostly empty.

-- I also think there is still an increasing population of internet users and
VPS/Cloud providers give a cheap and easy way to be online too.. $5 for a VPS
in most cases.

~~~
notyourday
> I actually disagree on this point. The rapid deployment and horizontal
> scaling that cloud recommends implicitly (failure domains, microservices as
> small isolated single purpose units et al.) also promote the consumption of
> IPv4 address space.

Nothing but the external entry points in a cloud need to be publicly
accessible IPv4.

------
YouKnowBetter
From a corporate perspective: we are just scared shitless to implement v6
internally.

Keeping (private) v4 working is hard enough.

Even drafting a project budget for v6 makes management go ballistic.

- firewall & IDS upgrades

- firewall rules

- accountability

- dynamic DNS

- employee education

- toolchain updates

- upgrades of software

- functionality tests

Not all companies employ NY or Google level engineers who "just roll out v6"
on a Sunday afternoon.

~~~
AstralStorm
Come on. Firewall rules is one sed call. IDS are dinosaurs and junk that are
generally worthless (feel free to show me otherwise).

Since all major OS support ipv6 there's nothing to educate about other than
perhaps new IP address form.

Software upgrades? Like what software, OS to support NAT64? Which every major
OS supports? (Including Windows 7. The holdouts are ancient telephones and
tiny embedded trash.)

Toolchain updates are important... if you use IP addresses directly, bypass
the OS network stack and so not support names. This likely means that software
is junk that should've been replaced years ago and likely some internal
cookery.

This leaves tests and dynamic DNS.

~~~
YouKnowBetter
> Firewall rules is one sed call

Not so fast. With over 60.000 clients (yes with all known OSes and versions
known to man), 10.000 servers (yes with all known OSes and versions known to
man), 50 network firewalls, firewall on nearly all hosts (clients & servers),
it might be just a little more than a sed call.

> IDS are dinosaurs and junk that are generally worthless.

They're part of the infrastructure, partly "just a compliancy thingy" but also
part of the layered security model. Hell, there is even antivirus software for
that exact same reason.

> [...] there's nothing to educate about other than perhaps new IP address
> form.

That is a joke right? I am sure you know a little bit more about v6 than "it's
just a longer address"

> Like what software

Like software that touches IP addresses. DHCP (if that's your choice for v6),
monitoring tools (yes there is loads of that which does not support v6 (mainly
home made crapola)) etc.

You might live in a greenfield environment, homogeneous and clean. Loads of older
organisations run everything ever invented within the last 20 years.

~~~
disfadbish
This guy definitely knows better

------
ranger207
Google was incorporated in September 1998. RFC 2640 was published in December
1998. Google's IPv6 tracker [1] has ~20% of their traffic coming in as IPv6.
In the time that it's taken for Google to become one of the largest companies
in the world, IPv6 is still uncommon.

[1]
[https://www.google.com/intl/en/ipv6/statistics.html](https://www.google.com/intl/en/ipv6/statistics.html)

------
cornholio
I think search engines are very well positioned to massively help IPv6
adoption. For example, they could limit the number of search hits to an IPv4
only site. A mom and pop page without IPv6 is fine, a top 1000 site is
inexcusable in 2018 and contributing to the vicious circle.

On the user facing side, they could inform consumers when they are connecting
from IPv4 only networks, to really drive home the point that they are receiving
a sub-par service. It might not be true today, but in the long run it's true
for the internet as a whole, stuck in IPv4. And if people perceive IPv6 as
desirable, they will prefer it given the choice even if they don't understand
exactly what it is, just like they prefer a 4G service to a 3G one.

What incentive would Google and Microsoft have to do this? IPv4 exhaustion
costs them too, in routing performance and manpower to manage a scarce
resource. Also, reliable end to end connectivity is an enabler for the type of
technologies they push, limiting telco control over their users. Massive
growth markets are trumped by lack of IP space, the whole of Afrinic only has
a few /8. That means African carriers will do massive NAT.

------
SlowBro
An embarrassing admission, but one that is potentially useful for this
conversation: I have a Cisco CCNA cert that I got in 2009 but never used. (Got
a job that didn’t put most of the knowledge to use, and the cert collected
dust.) IPv6 was on the exam. I’ve forgotten all about how to use it.

For me it is just not as intuitive. Maybe others think the same, slowing
adoption? I didn’t find it intuitive when studying for the exam, but I got it
enough to pass.

Basic networking knowledge I still have. I can tell you how to set up a DHCP
and DNS server, and how NAT works on your router. I can tell you about ARP
tables, VPNs, VLANs, firewalls, and subnets. I can’t begin to tell you about
the equivalents on v6.

Maybe I’m just getting old. Maybe it would come to me once I started using it
again. Or maybe it’s just not as intuitive.

------
AckermanMD
Could IPv4 address exhaustion be staved by opening some of the currently
unused /8 blocks? For instance, Apple has the entire 17.0.0.0/8 block. If IPv4
addresses are really becoming scarce and demand is going up, seems like Apple
could dole out /24 or /16 bit blocks to RIRs and make some money - which they
obviously like to do. So why aren't they doing it? Maybe someone more familiar
with the economics of IP has an idea.

~~~
jsjohnst
There’s dozens of cases of this besides just Apple. Frustratingly, if you scan
the legacy allocation /8 blocks (not done personally, but know someone who
has), most of the ranges have no open ports on a majority of the range. So
they literally are serving no justifiable (in my opinion) purpose.

~~~
closeparen
I did IT support at a car dealership where some ancient line-of-business
software needed a public IP for every Windows desktop it ran on to function
properly.

No _justifiable_ purpose, sure, but I can only imagine the tons and tons of
legacy line-of-business crap out there with assumptions like this.

~~~
jsjohnst
You nailed why I threw in the word _justified_ intentionally. There’s plenty
of reasons a public IP could be _needed_, but not _justifiably_ (to me, your
example perfectly illustrates that).

------
d3ckard
I agree with people blaming the whole situation on the ugly format of IPv6. I also
believe that increase to 128bit address was unnecessary and harmful. We could
have just added another two segments, have 48 bits total and it would probably
be enough. It would also be much easier for people to switch from 127.0.0.1 to
0.0.127.0.0.1 than to ::1.

~~~
devdas
The problem with changing _anything_ from 32 bit would have run into the same
issues. You have a whole new stack.

------
kawsper
I think some hosting providers are wasting a bit of the address space. For an
example I have 15 linodes each with their own public IP, but I actually only
need one or two of the IPs to be accessed publicly for the loadbalancers, the
rest I actually prefer not to be routable from the public.

~~~
iMerNibor
Yeah, this just proves how much of a non-issue ipv4 exhaustion is still

IPs are still cheap enough to "waste" - the only real motivator is going to
be ipv4 price being too high which we're quite far off of

------
ekns
> The ultimate solution to IPv4 exhaustion is, of course, the complete
> transition of the Internet to IPv6, however, this will take time and until
> then there will be (by definition) networks and sites which only support
> IPv4.

Off-topic: I've always wondered why English speakers (or perhaps just
Americans?) use "by definition" arguments so much (also just saying that
things are by definition so and so).

People never seem to use "by definition" arguments and such in Finnish for
example.

Definitions of mathematical objects aside, things in concept space are not
eternal and can shift around. Is the usage a cultural thing? A quirk of
language? Just some random trivial thing that just is and doesn't have any
particular reason to it? :p

~~~
p1mrx
This usage seems pretty reasonable. He's saying "Before everything supports
IPv6, there will (by definition) be things that only support IPv4."

He's defining a particular scenario, and then using a tautology to clarify
that scenario.

------
Corrado
One problem to moving to IPv6 is that most of the firewalls I've looked at
either don't support it at all or the support is very weak. I know that IPFire
doesn't support it and I couldn't find any information on Smoothwall IPv6
support. I think that pfSense supports it but I don't know how well.

Come on people, it's 2018 and you're building a network application. I'm
thinking a top priority would be IPv6 capabilities. Apparently, I'm wrong.

------
dorfsmay
Nothing is going to change unless there is a real issue by not having ip v6
which will force users to jump to the ISPs which do support it and abandon the
ones who don't.

My understanding is that there is a real cost for ISPs to make IP v6
available, but zero need to (upgrade of thousands of pieces of hardware
equipment - is that still true?). There are no consequences for not doing so.

~~~
moduspol
I had read that cellular carriers were pushing to be able to just use IPv6. I
know Apple has really emphasized IPv6 compatibility with App Store apps for at
least a few years now.

That's one of the things I've been watching. Theoretically, the easiest
switchover should be consumer iPhones on cellular data networks, because any
app released in the last few years should work on them.

------
ReverseCold
I had IPv6 set up at one point, but a lot of things using it are broken. Some
sites/services/software repos will just refuse to connect- and after a few
minutes of debugging I realize it's probably v6. Turning off IPv6 usually
fixes the problem.

I'd like to use IPv6, but since turning it on by default breaks a lot of
things- I'm leaving it off for now.

~~~
chrisper
When I set up IPv6 I learned that you have to let some things through your
firewall, like ICMP, because the IPv6 protocol relies on it. When I blocked
everything like I did with ipv4, it eventually stopped working.

~~~
cesarb
If you block everything with IPv4, things stop working too: you have to allow
at least some ICMP (for "packet too big" path MTU discovery), otherwise you
will have hard-to-diagnose issues.
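
What the two comments above describe, as an added example that is not part of the original thread: a drop-everything ICMP policy compared with a minimal ICMPv6 allowlist for traffic arriving at a host. The packets are constructed sample data and the policy is a simplified sketch in the spirit of RFC 4890, not a complete ruleset; all names are this example's own.

```python
"""Drop-all ICMP versus a minimal ICMPv6 allowlist for host-inbound traffic.

Added example: packets are constructed sample data, policy is a sketch.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# ICMPv6 types (RFC 4443 errors, RFC 4861 Neighbor Discovery) mapped to the
# function that is lost when the message is dropped.
ERRORS = {
    1: "destination unreachable",
    2: "packet too big (path MTU discovery)",
    3: "time exceeded",
    4: "parameter problem",
}
NDP = {
    133: "router solicitation",
    134: "router advertisement (SLAAC, default route)",
    135: "neighbor solicitation (address resolution)",
    136: "neighbor advertisement (address resolution)",
}
ECHO = {128: "echo request", 129: "echo reply"}


@dataclass(frozen=True)
class Icmp6:
    type: int
    hop_limit: int
    src: str


def drop_all(pkt):
    """The 'block everything' policy carried over from an IPv4 ruleset."""
    return False


def allowlist(pkt):
    """Accept errors and echo; accept NDP only if it is provably on-link."""
    if pkt.type in ERRORS or pkt.type in ECHO:
        return True
    if pkt.type in NDP:
        # RFC 4861: ND messages must arrive with hop limit 255, which a
        # packet forwarded by any router cannot have.
        if pkt.hop_limit != 255:
            return False
        # RFC 4861: router advertisements come from a link-local source.
        if pkt.type == 134:
            return ipaddress.IPv6Address(pkt.src) in LINK_LOCAL
        return True
    return False


def lost_functions(policy, needed):
    """Name the IPv6 functions that break because `policy` drops them."""
    names = {**ERRORS, **NDP, **ECHO}
    return [names[p.type] for p in needed if not policy(p)]


# Constructed sample traffic a working IPv6 host has to receive.
NEEDED = [
    Icmp6(134, 255, "fe80::1"),
    Icmp6(135, 255, "fe80::2"),
    Icmp6(2, 57, "2001:db8:ffff::1"),
]
# Constructed sample traffic the allowlist should still refuse.
REJECTED = [
    Icmp6(134, 64, "2001:db8:bad::1"),  # RA that crossed a router
    Icmp6(134, 255, "2001:db8::1"),     # RA from a non-link-local source
    Icmp6(200, 64, "2001:db8::9"),      # type not on the allowlist
]

if __name__ == "__main__":
    print("drop_all breaks:", lost_functions(drop_all, NEEDED))
    print("allowlist breaks:", lost_functions(allowlist, NEEDED))
    print("allowlist accepts rejected set:", [allowlist(p) for p in REJECTED])
```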

~~~
jsjohnst
Less an issue with IPv4 in a consumer sense because the device blocking the
ICMP is also commonly doing NAT too.

------
ymse
I've been dreaming of a small-scale "cloud" hosting startup, and one of the
biggest concerns is actually IPv4 availability.

I was hoping that this article would shed some light on the feasibility for a
new company to grab a /20 or so. Does anyone around here have some insight?

------
AstralStorm
The most important slowdown on IPv6 adoption is vast replacement of small local
services and servers in lieu of centralized ones provided by ISPs and a few
Fortune 500 companies.

------
Yuioup
Couldn't read the article on the phone due to excessive amount of pop ups on
the page.

~~~
egwynn
This is off topic, but I make heavy use of “Reader Mode” in mobile Safari, as
well as the embedded “Mercury Reader” in the “Reeder” app. These both do a
great job of cutting out the junk on annoying sites, and I’d recommend
investigating whether similar utilities exist for your platform of choice.

------
bullen
We should add another 4 bytes to IPv4 which is the internal IP, then AWS f.ex.
would only have one public IP per region and the rest would be internal IPs.

IPv6 is too big and incompatible!

~~~
chatmasta
If I understand what you're suggesting, this is basically how NAT64 [0] works
to provide backwards compatibility to IPv6 (tunneling IPv4 over IPv6). It uses
the first 32 bytes of the IPv6 address to store the IPv4 value.

[0] [https://en.wikipedia.org/wiki/NAT64](https://en.wikipedia.org/wiki/NAT64)

~~~
djrogers
Pedantic comment here, but NAT64 doesn’t involve any tunneling - it’s pure
address translation handled by an edge box, whereas tunneling involves
encapsulation.

~~~
chatmasta
True, I should have been more precise.

Although there is technically no packet-level encapsulation, from a
mathematical perspective you may consider the IPv4 bits "encapsulated" within
the IPv6 bits.
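
How NAT64 carries an IPv4 address inside an IPv6 one, as an added example that is not part of the original thread: it implements the RFC 6052 address format, where the well-known prefix 64:ff9b::/96 puts the IPv4 address in the last 32 bits and shorter prefixes place it around a reserved zero octet. It goes beyond the /96 case to the other prefix lengths the RFC defines; function names are this example's own and the addresses are documentation values.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, the format NAT64 translators use.

Added example; prefixes and addresses are documentation values.
"""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)
RESERVED_OCTET = 8  # bits 64..71 of the address must stay zero


def octet_positions(prefix_len):
    """Byte offsets that carry the four IPv4 octets for a prefix length."""
    if prefix_len not in VALID_LENGTHS:
        raise ValueError(f"RFC 6052 does not allow a /{prefix_len} prefix")
    pos, out = prefix_len // 8, []
    while len(out) < 4:
        if pos != RESERVED_OCTET:  # skip over the reserved octet
            out.append(pos)
        pos += 1
    return out


def embed(v4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv6 address a translator uses to represent `v4`."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(v4).packed
    for pos, octet in zip(octet_positions(net.prefixlen), octets):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(v6, prefix=WELL_KNOWN_PREFIX):
    """Recover the IPv4 address from a translated address, or None.

    Useful when flow logs or firewall hits show only the synthesized IPv6
    destination and the real IPv4 endpoint is needed.
    """
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    raw = addr.packed
    picked = bytes(raw[p] for p in octet_positions(net.prefixlen))
    return ipaddress.IPv4Address(picked)


if __name__ == "__main__":
    for pfx in ("64:ff9b::/96", "2001:db8::/32", "2001:db8:122:344::/64"):
        mapped = embed("192.0.2.33", pfx)
        print(f"{pfx:24} -> {mapped}  -> {extract(str(mapped), pfx)}")
```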

------
nik736
I am actually not really sure if those people really believe that IPv6 will
EVER replace IPv4, which in my opinion will never happen.

~~~
Arnt
Can you elaborate?

IPv6's share of traffic has been increasing at about 0.5% per month for the
past year. If IPv4 has 80% and IPv6 20% this month, next month it'll be 79.5
vs 20.5. So in your opinion... what? The change will stop? When? Why?

~~~
nik736
Sure, I am a RIPE member and am leasing out IPv4 (and IPv6) address space, ASN
registrations, etc.

Everyone is able to sign up with RIPE and get a /22, that's around 1000 IP
addresses. For years the RIRs want to tell us that IP addresses run out but I
am still able, today, to pay some bucks and get IPv4 addresses without issues.
The issue was that exactly those RIRs handed out IPv4 addresses years ago like
there is no tomorrow and now they want us to switch to a broken protocol
because they made a huge mistake. I won't deny that we are months (around 2
years) away from the RIPE actually running out of IPs.

Part of my job leasing out IPv4 space is also monitoring different sources,
like Spamhaus, if my client or client of clients send spam with my IPs. What I
can tell you is that with IPv4 already this is messy but if I think about IPv6
this is impossible to track or control and a complete nightmare. Also, for
example if you operate a mail server that only runs IPv6 and send emails to
gmail they will outright block you or just send it to the spam folder. Please
note that this is only one of many examples.

Apart from that, if I look at the implementation of cloud providers like DO,
Linode, OVH, Scaleway, etc. this is all a big joke. Also, IPv6 routes from
some tier 1 upstream to others are down for days without anyone noticing it,
because most people want IPv6, but no one is actually using it. It's like
having a todo list and IPv6 is done but how it's been implemented doesn't
matter at all.

You should also be careful with statistics, as a lot of scammers switched to
IPv6 so I would not be surprised if a lot of the "IPv6 market share" is from
scammers.

~~~
AstralStorm
1) Not everyone can sign up with RIPE. We have tried multiple times and been
rejected despite being connected to backbone and having peering agreements and
AS number.

2) Why track IP addresses instead of mandating DKIM? Gmail eats valid IPv6
sourced mail with good DKIM keys no problem.

3) Same can be said about IPv4 routes. Remember nobody really uses IP directly
to route nowadays...

