AWS adds an extra 5.5M IPv4 addresses (github.com/seligman)
298 points by chynkm on Aug 14, 2021 | 271 comments



low whistle I imagine they paid a pretty penny for those /12s.

A thought comes to me: If IPv6 adoption continues to drag along, and AWS/Azure/GCP continue to expand their IP blocks like this, how quickly are we in danger of the cloud providers effectively being the Internet?


I've worked in the cloud hosting industry for a decade and a half. The entire time, we were warned about the IPv4 shortage and how we needed to switch to IPv6 soon(tm). Well, things haven't changed. Everyone is dragging their feet on IPv6 adoption from hosting providers, ISPs, hardware manufacturers, and software developers. I predicted this years ago and always said that it would require a government mandate to move on from IPv4. I honestly believe we are going to ramp up NAT in the coming years before really doing away with IPv4.


Some countries did exactly that, China for example. Most of the infrastructure, ISP networks, even user applications here are now IPv6 or ought to be in a few years [1].

[1] https://www.theregister.com/2021/07/26/china_single_stack_ip...


To be fair, this is exactly the type of thing you’d expect China to be good at, unilateral decision making.


Also, when your country's population is such that the entire IPv4 address space could only allow three addresses per resident, with that ignoring all reserved / multicast restrictions...


Benevolent leader is the best case of government, it is just improbable and of course it is too risky for any dissenter, and the successor is never as good. So people go for inclusive forms of government, which produces average case results more often.


NAT is ramping up on client side. Many home-internet connections are now NATted twice - in CPE, then again in CGN.

On the server side, in contrast, NAT is winding down. 15 years ago, it was common to have either DMZ-style NAT, or on AWS you had to have NAT (they call it EIP). Nowadays, having a CDN or cloud-native load balancer in front of your server is increasingly common. And behind those, that server just doesn't need a public IP (maybe only a shared outbound NAT for OS updates). That is, if you have a server at all (and not moved to Lambda, S3, etc...)


Yesterday I spent 2 hours trying to figure out why I couldn't ping my home router, only to find out this is probably the reason.

Luckily I had created a reverse SSH tunnel on a VPS before leaving.


ISP blocking ICMP might be a more probable reason than CGNAT. At least where I live.


It’s hard to tell sometimes what is going on. I just learned for instance that the cable modem provided by Comcast switched to NAT - and my router is also doing NAT - and my business firewall also does NAT. So at least 3 layers now.

If they are doing CGNAT further into the infrastructure, how would I even be able to tell at this point? I’m assuming someone would also block ICMP just so it would be less embarrassing, but who knows.

Comcast does generally seem to be moving towards IPv6 at least, which is helpful.


> If they are doing CGNAT further into the infrastructure, how would I even be able to tell at this point?

Check the IP on your WAN interface of your modem? I mean, that's how I have always been checking for CGNAT.
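
The check the comment above describes, written out as an added example (not code from the original post): classify the address the CPE reports on its WAN interface, then compare it with the address a remote party sees for you (a STUN binding response, or a "what is my IP" page). Both values are passed in explicitly, so the check runs offline on constructed sample addresses; in practice you would read the first from the modem/router status page and the second from any remote host.

```python
"""Decide whether a home link sits behind carrier-grade NAT.

Added example for this thread, not code from the original post.  Inputs are
the WAN address the CPE reports and the address a remote host sees; both are
supplied by the caller so the check runs offline on constructed values.
"""
import ipaddress
from typing import Tuple

# RFC 6598 shared address space, set aside specifically for CGNAT.
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means some device upstream is
# translating (a modem in router mode, or the ISP itself).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Label an IPv4 address as seen on a WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check is about the IPv4 path only")
    if ip in SHARED_CGNAT:
        return "cgnat-shared"
    if any(ip in n for n in RFC1918):
        return "private"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def nat_verdict(wan_addr: str, observed_addr: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'cgnat', 'upstream-nat',
    'none' or 'unknown'."""
    kind = classify(wan_addr)
    if kind == "cgnat-shared":
        return "cgnat", "WAN address is in 100.64.0.0/10 (RFC 6598): the ISP runs CGNAT"
    if kind == "private":
        return "upstream-nat", ("WAN address is RFC 1918: the next device upstream "
                                "(modem or ISP) translates; check its WAN address")
    if kind == "public":
        if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(observed_addr):
            # A public pool behind CGNAT or another translator still shows up
            # as a mismatch between what you hold and what the world sees.
            return "upstream-nat", "public WAN address differs from what remote hosts see"
        return "none", "WAN address is public and matches what remote hosts see"
    return "unknown", f"WAN address is {kind}; check the upstream device instead"


if __name__ == "__main__":
    for wan, seen in [("100.72.3.4", "203.0.113.9"), ("192.168.0.10", "203.0.113.9"),
                      ("203.0.113.9", "203.0.113.9")]:
        print(wan, seen, nat_verdict(wan, seen))
```

Two caveats the thread raises: an ISP that filters ICMP (the reply two comments down) is invisible to this check, because the verdict only looks at addresses, and a router in double NAT behind a modem (the Comcast case above) reports `upstream-nat`, after which the same check has to be repeated on the modem's own WAN address.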


Comcast doesn't do CGNAT, and their network has been 100% IPv6-capable for years now.


How do ipv6-only customers reach ipv4 hosts? Wouldn't some 6to4 gateway count as CGN?

I've had this problem in the past with Vodafone, sometimes their AFTR (?) would go down but all ipv6 enabled hosts were still reachable. Only the ipv4 internet was unreachable. It took months for me to find that out, and I still don't know any workaround in case that happens again.


I think Comcast is running dual-stack so they don't have IPv6-only customers.

T-Mobile is running IPv6-only using 464 which is vulnerable to AFTR problems like you saw.


They don’t give IPv6-capable cable modems to everyone. I don’t have one.


Every modem provided by Comcast supports dual stack broadband and IPv6 only for management by default. The latter is transparent to customer and is for internal use only. IPv6 only for management has no impact on dual stack broadband. If your modem is in bridge mode (Wi-Fi router functionality disabled) then you need to ensure that your broadband router supports IPv6 specifically DHCPv6 for the acquisition of IA-NA and IA-PD.

HTH,

John


Highly unlikely we will ever see the day IPv4 is not used at all. There are too many legacy systems in place, so dual stack will always be required. The value of IPv4 may drop as it relates to the price people pay; however, it will play a key role for decades to come.

As for the government mandate, also not possible. It would take our major ISPs over a decade to make this work, and the lobbyists would never allow it.

With that said, the DOD did make an interesting decision to move 175 Million IPs recently in routing tables.

You can read a short blog post here: https://brandergroup.net/2021/06/175-million-ipv4-addresses-...


I spent some time trying to upgrade my home network to primarily-IPv6 (mainly so I could more easily address internal computers from the outside). I was pretty unimpressed with the results; I expect to have to run dual stack for the foreseeable future.


I just don't get it. We already have regular hygiene programs to remediate legacy stuff - remove weak encryption methods, scan for CVEs and patch old versions, etc. IPV6 isn't any harder to use than IPV4 except for storing a larger IP address. Really, there's no excuse and that goes double for anyone using a modern stack instead of legacy.


All this is because IPv6 addresses are too long. If they’d made it 48 or 64 bits we would be fully converted by now. We are dragging because people hate using it.

I’ve been saying this for years. Nobody gets it because geeks don’t get ergonomics.


I've said it for years too. It's not JUST because they're long - years ago (and maybe even today?) there's still some hardware issues with keeping large sets of addresses for routing (I'm not an expert on this - I seem to remember reading about this years ago - larger ISPs not being able to keep all their routing rules in memory because of IPv6 address sizes - maybe I'm WAY off).

But, yes, generally, you're right. It's been seen from the very beginning as "a big move". If every address A.B.C.D was addressable as 0.A.B.C.D, and we opened up another 255 * 4 billion addresses... we'd have been converted a long time ago. And we'd have been better at actually implementing 'upgrades' because they'd be already done/completed - it wouldn't be a 'monumental task(tm)'.

We don't need every atom in the universe to be able to have 16 public addresses.


> (I'm not an expert on this - I seem to remember reading about this years ago - larger ISPs not being able to keep all their routing rules in memory because of IPv6 address sizes - maybe I'm WAY off).

In modern (last 10 - 15 ish years) routers, routing table size has been roughly the same for IPv4 and IPv6.

Modern, ISP-grade routers have control and forwarding planes separated between different (usually redundant) hardware components. The control plane is responsible for keeping the state of routes (which routes do I receive from a routing protocol? where is my next hop according to rule XYZ, etc.). The forwarding plane is responsible for forwarding packets across interfaces.

Route lookups happen in the control plane, but a route lookup is almost never for a dedicated address (especially in IPv6). Route lookups happen at the subnet level, and IPv6 has a "standard" subnet size which leaves half of the address space for the subnet itself (the first /64 of subnet mask bits is used for network differentiation, while the other /64 is used to create host-specific addresses).

This cuts down on TCAM size considerably, because the router doesn't need to store 128 bits of information per host, but only 65 bits + subnet mask for a very large group of hosts.

Besides this, IPv6 has another advantage because fragmenting routes is far more difficult than in IPv4.

Usually, organisations get a /56, the ISP usually handles /48's and RIPE/IANA etc work with /32.

This all keeps the IPv6 routing table far smaller than the IPv4 routing table, which was one of the reasons IPv6 was invented in the first place.

> But, yes, generally, you're right. It's been seen from the very beginning as "a big move". If every address A.B.C.D was addressable as 0.A.B.C.D, and we opened up another 255 * 4 billion addresses... we'd have been converted a long time ago. And we'd have been better at actually implementing 'upgrades' because they'd be already done/completed - it wouldn't be a 'monumental task(tm)'.

Would this actually change the amount of "monumentalism" in switching IPv4 for something else? Backwards compatibility with larger address sizes (be it 128 bits, 33 bits or whatever) is not possible because IPv4 stacks can only handle a 32-bit address space. Updating those is about as monumental a task as implementing IPv6, considering you would still need two network layer stacks for each device to handle both IPv4 and the "IPv4+" version.


> in modern (last 10 - 15 ish years) routing table size has been roughly the same for IPv4 and IPv6.

Really? I see 700k routes v4 and 70k v6 routes.

IPv6 will keep routing table size smaller since they can preallocate HUGE subnets to every AS (AS is what people would call an ISP pretty much) so that they only have to split their subnets by geolocation.
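
To make the aggregation argument of the last two comments concrete, here is an added example (not code from the original posts) on a toy forwarding table built from constructed announcements: contiguous IPv4 /24s from one origin collapse into a single /22, customer /48s vanish under the ISP's covering /32, and a longest-prefix-match lookup is then run against the result. The example also carries the point about route fragmentation through to its security consequence: a more-specific prefix announced from another origin wins the lookup for every host inside it. Prefixes are documentation ranges and the AS numbers are from the private range; the hijacking origin `AS64666` is invented.

```python
"""Prefix aggregation and longest-prefix-match lookup on a toy FIB.

Added example for this thread, not code from the original posts.  All
announcements, prefixes and AS numbers below are constructed.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed "announcements": prefix -> originating AS.
ANNOUNCEMENTS = {
    "198.51.100.0/24": "AS64500",
    "198.51.101.0/24": "AS64500",
    "198.51.102.0/24": "AS64500",
    "198.51.103.0/24": "AS64500",
    "2001:db8:1000::/48": "AS64500",   # customer /48s inside one ISP /32
    "2001:db8:1001::/48": "AS64500",
    "2001:db8::/32": "AS64500",
}


def aggregate(announcements: dict) -> dict:
    """Collapse adjacent or covered prefixes with the same origin into one route."""
    by_origin = {}
    for prefix, origin in announcements.items():
        by_origin.setdefault(origin, []).append(ipaddress.ip_network(prefix))
    fib = {}
    for origin, nets in by_origin.items():
        # collapse_addresses only accepts one address family at a time
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            for net in ipaddress.collapse_addresses(same):
                fib[str(net)] = origin
    return fib


def longest_prefix_match(fib: dict, dst: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, origin) of the most specific route covering dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, origin)
    return (str(best[0]), best[1]) if best else None


def hijack_demo() -> tuple:
    """Lookup for one host before and after a more-specific from another AS appears."""
    fib = aggregate(ANNOUNCEMENTS)
    before = longest_prefix_match(fib, "198.51.100.7")
    fib["198.51.100.0/25"] = "AS64666"          # constructed rogue more-specific
    after = longest_prefix_match(fib, "198.51.100.7")
    return before, after


if __name__ == "__main__":
    for prefix, origin in sorted(aggregate(ANNOUNCEMENTS).items()):
        print(f"{prefix:22} {origin}")
    print(hijack_demo())
```

Seven announcements become two routes, which is the whole reason the v6 table stays small despite the address size. The flip side is the second half of `hijack_demo`: nothing in the lookup cares who originated the /25, so the defence against that has to come from outside the FIB (RPKI origin validation, maximum prefix length in the ROA, peer filters), not from the routing algorithm itself.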


I should probably clarify.

What I meant to say was that in modern routers, IPv4 and IPv6 theoretical routing table size can be the same. There is no difference in terms of maximum routes in the routing table between both protocols.


I should've read your comment more thoroughly, I'm sorry.


> If every address A.B.C.D was addressable as 0.A.B.C.D, and we opened up another 255 * 4 billion addresses... we'd have been converted a long time ago.

That has nothing to do with the address being long, but with being compatible.


I know this is probably so much not your point, but there are assumed to be 10^80 atoms in the visible universe, and 2^128 is only 3.4*10^38.


In designing ZeroTier I put a ton of effort into creating a secure P2P layer with addresses that are only 40 bits long. This effort continues with new solutions being worked on to maintain security while allowing more openness and federation.

It would have been much easier to use long addresses that are long hashes of keys. Having only 40 bits means we need two layers of defense in depth to prevent intentional collision: a work function to make the cost substantial (about USD $8M per collision on today’s public cloud) and a single source of truth for lookup that still supports federation. You could punt on all that with 128 or 256 bit addresses.

Yet I did it because I was quite aware that it was very necessary for usability. I have had many people tell me they love that they can type a ZeroTier address.

I would bet anyone that if the addresses had been gigantic we’d have 1/10 the adoption.

Software is first and foremost for people to use. Most of the complexity in software exists for this reason.


ZeroTier has a flat address space governed by a single algorithm. The Internet is a loose hierarchy of independently-managed networks. These problems have quite different addressing requirements.

Analogy: ZeroTier is to https://plus.codes/ as IPv6 is to mailing addresses. A mailing address is pretty long, but you can use its structure to route the mail efficiently.


The Internet is governed by a single algorithm: IP routing. Short IP addresses are a lot easier than short cryptographic addresses.

Adding 16 or 32 more bits to IPv4 would have been trivial. The existing IPv4 address space becomes 0.0.n.n.n.n or perhaps 0.n.n.n.n.0 if you wanted to give every existing IP 256 addresses to assign while also multiplying the IP space by 256.

Easy, easy, easy.


You're describing 6to4, where the existing IPv4 address space becomes 2002:nnnn:nnnn::/48. You can treat the 80 bit suffix as 8 bits when designing a network.

Problem is, stacking the new protocol on top of IPv4 was never very reliable, so 6to4 is mostly dead now. It would've worked a bit better if the Internet had used 2002::/16 exclusively.
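
The mapping the comment above describes, as an added example (not code from the original post): a public IPv4 address V becomes the 6to4 prefix 2002:VVVV:VVVV::/48 (RFC 3056), the site picks its /64s from the remaining bits, and a 6to4 router chooses its IPv4 tunnel endpoint by reading V back out of the destination. Addresses not in 2002::/16 go to the RFC 3068 anycast relay, which RFC 7526 has since deprecated; that constant is here only to complete the relay decision. Sample addresses are documentation ranges.

```python
"""6to4 address embedding and the tunnel decision it drives.

Added example for this thread, not code from the original post.  Sample
addresses are documentation ranges; the relay anycast address is the
RFC 3068 one, deprecated by RFC 7526.
"""
import ipaddress
from typing import Optional

SIXTOFOUR = ipaddress.ip_network("2002::/16")
RELAY_ANYCAST = "192.88.99.1"   # where non-2002:: destinations were tunnelled


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 for IPv4 address V: the 32 bits sit right after the /16."""
    v = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network((int(SIXTOFOUR.network_address) | (v << 80), 48))


def site_subnet(v4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One /64 inside the site's /48; 16 bits of subnet id is plenty, which is
    the sense in which the 80-bit remainder can be treated as a few bits."""
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(sixtofour_prefix(v4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def embedded_ipv4(v6: str) -> Optional[str]:
    """IPv4 address embedded in a 6to4 address, or None if it is not one."""
    v4 = ipaddress.IPv6Address(v6).sixtofour   # stdlib knows the 2002::/16 layout
    return None if v4 is None else str(v4)


def tunnel_endpoint(dst_v6: str) -> str:
    """IPv4 destination a 6to4 router encapsulates toward for dst_v6."""
    return embedded_ipv4(dst_v6) or RELAY_ANYCAST


if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.4"), site_subnet("192.0.2.4", 1))
    print(tunnel_endpoint("2002:c000:204::1"), tunnel_endpoint("2001:db8::1"))
```

The dependency on the embedded address is also why 6to4 ties into the rest of this thread: the encapsulated packet has to reach V over IPv4 directly, so a site behind CGNAT or any other translator (where V is not its own public address) cannot use it at all.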


Adding 16 bits or 32 bits doesn't matter: The networking stack of every device would still need to be updated to understand the new address structure (just like IPv6!) You can't magically fit 48 bits in a 32 bit field.

IPv6 was the correct long term approach. You wouldn't want to pick only 48 bits and have to do this again in 20 years.


Every device has been updated. We are still lagging because nobody wants to use it.


Yes. I'm saying if we had to update every device anyway, we might as well do it right and not some short term solution (48-bit addressing or whatever.)


> We don't need every atom in the universe to be able to have 16 public addresses.

IPv6 isn't even remotely that big. There are about 10^38 IPv6 addresses, 10^50 atoms on Earth, and 10^80 atoms in the universe.


So you could probably address every grain of rice throughout all of human history, but not every atom on the planet.


IMO it's because they used stupid semicolons in the syntax instead of sticking with periods. Nobody likes hitting the shift key, especially so rapidly and while typing numbers.


Sticking with periods was impossible, because many of the resulting addresses would also be valid DNS hostnames.


DNS names already conflict with v4 addresses, and we deal with that ambiguity just fine.

For an actual conflict, someone would need to be using hostnames that had at least 16 segments, none of which were longer than 4 characters. Putting the burden on someone who wants to use extremely deep hostnames that look like bare IP addresses to type a trailing . on their hostname seems plenty reasonable to me. And if they want to use resolv.conf:search while still typing in 16 segments of a hostname, then that ambiguity could be resolved with a leading period.

I suspect the real reason is people who wanted to be able to write ad-hoc parsers using strchr().


We deal with it by requiring v4 addresses to be entirely numeric, which... well, it's possible for v6 but would make it even more annoying to type v6 addresses out.


No, that is not how it is dealt with. A DNS hostname can be entirely numeric as well. For example, add 'search in-addr.arpa' to your resolv.conf.

We deal with the ambiguity by making it clear that if you expect to use DNS names that look like IPv4 addresses, you're going to experience the pain of unexpected behavior. I see no reason this general expectation couldn't also have been set for 16-segment hostnames that look like hexadecimal IP addresses.

Alternatively, a full IPv6 address without any '..' abbreviation could have been defined to start with a period. Then there would be no ambiguity.


I guess there's a large pool of IP addresses used by residential ISPs that could be recycled relatively easily.

When I lived in Ireland I only got a public IPv6, my IPv4 was behind CG-NAT. The nerd in me wasn't a fan of that on paper, but in reality I didn't have any issues with it.

I could see ISPs making a quick buck by switching to CG-NAT on IPv4 so they can sell off their IPv4 blocks.

Those IPs being recycled for servers/services doesn't seem too risky, given that they're not typically hosting anything.


Problem with CGNAT is the costs involved in bookkeeping for law enforcement.

Where an IPv4 solution for your clients only needs change-logging on IPbinding-to-client level, the CG-NAT requires you as an ISP to log every outgoing IPv4/port combination with timestamp to client mapping.

Which requires A LOT more storage and much more expensive equipment.

Going rate per IPv4 is up to $40 nowadays; selling off your v4 block might not be cost-efficient.


Disclaimer: I work with this stuff and might be a little biased to certain vendor solutions.

Good CGNAT implementations have support for static blocks: the subscriber always ends up at a specific IP number + port block combination. (Each subscriber is assigned a specific number of exit ports and this is all just logged once during startup, so you always know where each subscriber ends up.)

Should they run out of their assigned port block, there are pools which you can borrow from (these then need to be logged: who borrowed at what time, etc.). So all in all there is less logging than when everything was dynamic.
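
The static-block scheme described above (and the logging problem raised two comments up), as an added example that is not code from the original posts or from any vendor's product. Subscriber i is mapped by arithmetic to one public address and one fixed port block, so no per-connection record exists; only borrowing from the shared overflow range at the top of the port space is logged with a time window. The pool, block size and log entries are constructed values, and the layout follows the deterministic-CGN idea of RFC 7422 rather than any specific implementation.

```python
"""Deterministic CGNAT port blocks with a logged overflow pool.

Added example for this thread; pool, block size and log entries are
constructed.  Layout in the spirit of RFC 7422, not a vendor implementation.
"""
from typing import Optional, Set, Tuple

PUBLIC_POOL = ["203.0.113.1", "203.0.113.2"]   # constructed public pool
FIRST_PORT = 1024                               # leave well-known ports unused
BLOCK_SIZE = 2048
BLOCKS_PER_IP = (65536 - FIRST_PORT) // BLOCK_SIZE          # 31 subscribers/IP
OVERFLOW_START = FIRST_PORT + BLOCKS_PER_IP * BLOCK_SIZE    # 64512..65535 shared

# Overflow borrow log: (start, end, public_ip, port_lo, port_hi, subscriber).
# Constructed entries; a real system appends one whenever a block is lent out.
OVERFLOW_LOG = [
    (900, 1200, "203.0.113.1", 64512, 65023, 12),
    (1300, 1500, "203.0.113.1", 64512, 65023, 7),
]


def block_for(subscriber: int) -> Tuple[str, int, int]:
    """(public_ip, first_port, last_port) for a subscriber; pure arithmetic."""
    ip_index, slot = divmod(subscriber, BLOCKS_PER_IP)
    if ip_index >= len(PUBLIC_POOL):
        raise ValueError("subscriber index exceeds pool capacity")
    lo = FIRST_PORT + slot * BLOCK_SIZE
    return PUBLIC_POOL[ip_index], lo, lo + BLOCK_SIZE - 1


def subscriber_for(public_ip: str, port: int, at: Optional[int] = None) -> Optional[int]:
    """Invert the mapping for a (public_ip, port[, time]) seen by a remote party."""
    if port < FIRST_PORT or public_ip not in PUBLIC_POOL:
        return None
    if port < OVERFLOW_START:
        slot = (port - FIRST_PORT) // BLOCK_SIZE
        return PUBLIC_POOL.index(public_ip) * BLOCKS_PER_IP + slot
    # Overflow range: only the borrow log can answer, and only given a time.
    if at is None:
        return None
    for start, end, ip, lo, hi, sub in OVERFLOW_LOG:
        if ip == public_ip and lo <= port <= hi and start <= at <= end:
            return sub
    return None


def candidates_without_port(public_ip: str) -> Set[int]:
    """All an ISP can say when asked only "who had this IP in this window?"."""
    base = PUBLIC_POOL.index(public_ip) * BLOCKS_PER_IP
    subs = set(range(base, base + BLOCKS_PER_IP))
    subs.update(sub for _, _, ip, _, _, sub in OVERFLOW_LOG if ip == public_ip)
    return subs


if __name__ == "__main__":
    print(block_for(5), subscriber_for("203.0.113.1", 11300))
    print(subscriber_for("203.0.113.1", 65000, at=1000),
          sorted(candidates_without_port("203.0.113.1")))
```

`candidates_without_port` is the shape of the "all of these people used that, have fun" answer further down: without a source port the deterministic part of the scheme can only narrow an address to its 31 block holders plus whoever borrowed from the overflow range, and without a timestamp even the overflow log cannot be consulted.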


And law enforcement inquiries barely contain source port information, or precise time. Most of them go like: who had this IP in $this-two-weeks-window. No source port, no destination IP/port.


"We don't have the ability to determine a specific subscriber based on the information provided" and close the request.


This is not how most of these laws work. As an ISP, you are required to have this bookkeeping, and are audited for it in (most) countries.

Usually, the law has specific procedures about how this information is requested, what responsibilities are with which party, and how long the response time should be for such a request.

When starting (or already being) an ISP, you already know what kind of system you need to build that matches all these requirements by law. Simply saying "we do not have the required information" wouldn't work because the law has very specific details about the requested information.*

* this is in a european country, so no clue if this is applicable to the US.


In my European country the law very specifically tells ISPs what to record. It doesn't require them to produce any conclusions or other data, so if you ask for a subscriber name without enough details (port and destination in this example) the response I gave is totally legal. I have in fact seen that kind of thing happen and compliance departments tend to favor exactly this, do what the letter of the law said, not a byte more unless a court orders them. The risk otherwise is that you're illegally violating the privacy of a customer just to please some law enforcement agency.

As a follow-up the agency, with the right court order, could get all the raw connection records and try to figure it out themselves. But if you don't know the exact time and (source IP, port, destination IP, port) combination you're not going to figure it out in a network with large scale NAT.


That will just lead to a whole lot of "we don't have that information" or alternatively, "all of these 10000 people used that, have fun!"


And isn't that the privacy we all would really enjoy? :D


The "I'm Spartacus!" of torrenting

(For those who haven't heard the reference https://www.youtube.com/watch?v=FKCmyiljKo0#t=0m40s )


Anything that makes mass surveillance more expensive is a plus in my book.


Whilst I don't necessarily disagree with the sentiment, all the costs an ISP might incur will almost certainly be passed on to the consumer. We're paying to be surveilled in many different ways.


I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

If CGNAT keeps scaling, these IP limiters need to phase out.


> If cgnat keeps scaling, these ip Limiters need to phase out.

This problem would be easy to solve, if only there were some way for a website operator to phase out CGNAT and see a user's 128-bit IP address instead...


> I'm finding more and more that I go to some random website, and get a message about an IP ban. That or a 401 error with no context.

The association between IP and user/endpoint is changing, especially with the advent of Apple’s Private Relay, other privacy-protecting proxies, and increased CGNAT.

Website & hosting providers will have to adapt, but right now we’re certainly in a transition state.
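
An added example (not code from any of the posts above) of why per-IP limiters misbehave in both directions the last few comments describe. A fixed-window limiter keyed on the raw client address treats every subscriber behind one CGNAT address as a single client and bans them together, while one IPv6 host using privacy addresses can rotate through its /64 and never trip a per-address limit. Keying IPv6 by the covering /64 and IPv4 by the full address is the usual compromise; the request stream is constructed, and the CGNAT address is drawn from the RFC 6598 shared range.

```python
"""Rate limiting keyed by address granularity.

Added example for this thread, not code from the original posts.  The
request streams at the bottom are constructed.
"""
import ipaddress
from collections import defaultdict


def limit_key(addr: str, v6_prefixlen: int = 64) -> str:
    """Bucket key: the full IPv4 address, but the covering /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.IPv6Network((str(ip), v6_prefixlen), strict=False))
    return str(ip)


class FixedWindowLimiter:
    """Allow at most `limit` requests per key per `window` seconds."""

    def __init__(self, limit: int, window: int, keyfunc=limit_key):
        self.limit, self.window, self.keyfunc = limit, window, keyfunc
        self.counts = defaultdict(int)

    def allow(self, addr: str, now: int) -> bool:
        key = (self.keyfunc(addr), now // self.window)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def run(requests, keyfunc=limit_key, limit=5, window=60) -> dict:
    """Return {addr: (allowed, denied)} for a (time, addr) request stream."""
    lim = FixedWindowLimiter(limit, window, keyfunc)
    out = {}
    for t, addr in requests:
        a, d = out.get(addr, (0, 0))
        out[addr] = (a + 1, d) if lim.allow(addr, t) else (a, d + 1)
    return out


# Constructed traffic: 8 requests from one CGNAT address (really several
# subscribers) and 8 from one IPv6 host rotating privacy addresses in its /64.
CGNAT_BURST = [(t, "100.64.7.7") for t in range(8)]
V6_ROTATING = [(t, f"2001:db8:1:2::{t + 1:x}") for t in range(8)]


if __name__ == "__main__":
    print("cgnat, per-address key :", run(CGNAT_BURST))
    print("v6, per-address key    :", run(V6_ROTATING, keyfunc=str))
    print("v6, per-/64 key        :", run(V6_ROTATING))
```

With `keyfunc=str` the rotating host gets all eight requests through; with the /64 key it is limited like any other single client. The CGNAT case has no equivalent fix at this layer, which is the point of the thread: the limiter cannot see the port block or any per-subscriber signal, so the only options are a much higher threshold for addresses in 100.64.0.0/10 and known proxy egress ranges, or keying on something above the IP layer (a session, an account, a proof-of-work token).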


> Where an IPv4 solution for your clients only needs change-logging on IPbinding-to-client level, the CG-NAT requires you as an ISP to log every outgoing IPv4/port combination with timestamp to client mapping.

Why does each individual connection have to get a port from the global allocator, rather than any of the pooling or hierarchical techniques that high performance memory allocators use?


The allocators already use pooling, but there are only so many source ports to choose from.


Even better idea, don't keep those logs in the first place. Tell LE you have nothing for them.


> The nerd in me wasn't a fan of that on paper, but in reality I didn't have any issues with it.

No issues? So, how are people supposed to be able to access your machine then?


Via the mentioned public IPv6 address


If all ISPs supported IPv6 this wouldn't even be news (well, it wouldn't even have happened).


Btw, what happened to teredo? Is there a working macos client?


With ZeroTier, TailScale etc. just creating a personal network of your own should help solve the issue I guess.


Ngrok if you only want TCP


I usually used Teamviewer.


Why should I want people to be accessing my personal desktop/laptop/tablet?


It's cause you want to get to your home boxen from outside.


Surely you know this is a super niche requirement?

You can use IP6 or a commercial rather than domestic ISP if you really need to do it.


It might not be so niche if we weren't all behind NAT firewalls. There would probably be a whole lot more applications that do direct connections between two people, and eliminate the middle-man. There's a reason every major service out there has their applications set up in some cloud to relay the messages back and forth between clients.


There are other solutions to this problem now. Tailscale comes to mind.


That was not the question, it said "people".


Most domestic users don’t want or need this. If you’ve got a special requirement use a commercial ISP.


That makes me realise there is an incentive for ISPs to hold out on supporting IPv6. If IPv6 was widely supported then their IPv4 blocks would be worthless. I wonder how many will be holding out on deploying IPv6 until they can offload their still-valuable IPv4 addresses.


IPv6 adoption is just sad. Sharing an anecdote: Back in 2002, I was using a 56k modem on a Linux box 24/7 from home with a dialup flat rate. Being an avid IRCnet user, I set up an IPv6 tunnel with a tunnel broker (I think it was Hurricane Electric - it was before Aiccu was a thing) and connected to the IPv6 IRCnet servers. There was once a channel #uptime which was a contest: on start of contest, everybody in the channel got voice, and the person to last hold voice would win (you lose voice when your TCP connection disconnects). Even though I had a forced disconnect every 24h, amongst over 100 users (mostly servers, bouncers, universities etc.) I ranked 6th place in the end (after a couple of weeks), because my IPv4 dialup was reconnecting fast enough to receive the buffered IPv6 tunnel packets from the broker. Today I have no more IPv6 since SIXXS shut its doors a couple of years back, and my provider (O2/Telefonica) hasn't rolled it out to me yet.

Looking back those 19 years, the availability and state of IPv6 has worsened for me - even though IPv4 shortage was known back then.


Same story here. I think I had IPv6 around 2000 with HE and then SIXXS, and my university back then already assigned IPv6 addresses. Now in 2021, I don't think I have had an IPv6 address assigned either at home or at work for quite some time.

It's hard to understand why they don't just push through since there clearly are no real technical problems, as witnessed by those few countries with major providers that actually actively use IPv6 (only).


I've had a static ipv4 address on a home internet connection for almost 10 years, now. They're out there...


I used to have that. Then all residential customers were put under a CGN, and you can ask for a dedicated, public IP, free of charge. I imagine 99.9% of users can't tell the difference so the ISP saved a lot of IP space, while customers are just as happy.


Yup, ISPs in countries that got a nice big block of addresses in the early days can still manage this. I have a cable connection that was originally provided by NTL (now Virgin Media). My IPv4 address changes about once a year now as they do upgrades/maintenance. It used to change even less.


I find the IPv6 address scary because IP geolocation gives that in the same city district. CGNAT would be better because the server would see the IPv4 of the ISP. I don't know, is there a way to not show my IPv6 and fall back on the CGNAT address, because that looks much more secure in terms of not getting doxed and ad-tracked.


That’s not inherent to IPv6 though, your ISP chose to be more specific in the location data for those addresses. If it’s sufficiently detailed as to “dox” you, maybe ask them not to do that?


Both AT&T and Comcast do this with IPv4 as well.


Yeah, NTL/Virgin Media in the UK do the same in that their IPs geolocate to where the node/head end is. In a city, it's not going to be specific enough to uniquely identify you but it's still weird seeing ads that aren't that far away.

On the other hand, the IPv4/v6 addresses on my A&A connection geolocate to either London or Bracknell (where their office is), about 400 miles away. I get a lot of pointless ads for things in Surrey that I have no intention of visiting.


I have never used Google search, but the other day someone used it in front of me and at the bottom I saw what appeared to be "pin code for approximating your current location for local results" or something to that end. That scared me big time because this was like my home PIN code; my small city has like 30, so this is narrowing me down to a single one, which I am not comfortable with.


Right, but is Google doing this with the information they get from your IP address or something else entirely? Is it just coincidence that your IP address corresponds to your ISP’s office which happens to be relatively local?

With loose enough permissions your browser has a geolocation API that, depending on your device, will be a hell of a lot more accurate (if you have Wi-Fi hardware it can use that to work out where it is relative to the known locations of the SSIDs it can see, or straight-out use GPS).

None of this has anything to do with IPv6 - you give away some location information with your username and profile on this very site, for example.


I believe Google has their own IP geolocation database, likely seeded from all their apps that have location access because the location given at the bottom of the search results pages is always far more accurate than any other IP geolocater I've seen and there are others on my WiFi network who use Google services with location.


I assume a VPN, SSH tunnel, WireGuard or any other type of proxy would hide your residential IP.


Sure, just disable IPv6 support in your OS.


Apparently Android doesn't allow that on Wi-Fi, so out of luck.


Public auctions (which they didn't use) are currently in the $45-50 per IP ballpark. At that price it's $247.5 million worth of IPs.

At auction the larger networks tend to go for less money per IP since there is a smaller market of people who want and can buy them (you have to be approved by ARIN/RIPE/etc. for the allocation size), which drives the price down.


The actual number is much higher. Amazon doesn’t publish all their IP addresses in that json, only the ones in use. They have almost double the IPv4 addresses, ie quite a bit reserved for future use. See https://toonk.io/aws-and-their-billions-in-ipv4-addresses/in...


What's the cutoff for larger networks where the price starts to go down? Would say, a /16 count? Or does that effect kick in as low as, say, a /20?


I think that it starts to have downward pressure at /22 to /20. You can see Hilco's historicals at [1]. Not all purchases are done in public though.

It seems to me like an arbitrage opportunity, since /24 and /23 networks have many more potential buyers. But you have to be approved with a regional registry for the amount of space in order to buy it.

Observing things from the buy side, I suspect that IP space is being brought to auction in a slow but steady trickle so as to maintain upward momentum on prices. The price has approximately doubled in the last year.

[1] https://auctions.ipv4.global/prior-sales


> But you have to be approved with a regional registry for the amount of space in order to buy it.

This hasn’t been my experience in RIPEland since post IPv4-exhaustion. Is this an ARINism?


That's my understanding with ARIN, yeah.


That’s not actually too expensive, considering they make that money back in a few months if all those IP’s are hosting even their smallest server.


It's not like the news of "we have new IPs" instantly drives customers to rent more VMs. They are likely to have a lot of unused capacity for years, which is not paying for itself.


> are we in danger of the cloud providers effectively being the Internet?

Between cloudflare and AWS/Azure/Google most of the Internet is an oligopoly right now.

Interesting how nobody else replied to this part of your comment.


Well, when the internet cartel pays your bills...

Technology is certainly scaling and improving, but it's being concentrated in fewer and fewer hands. In the past I could compete with most sophisticated companies, it wasn't unattainable. Barrier to entry is simply too high now. No single or small team of developers and technologists is going to compete with AWS.


Wordpress?


Yeah I would like the FTC go after new IPv4 deployments / mandate dual stack on anti-trust grounds.


That's an interesting idea. I don't know if the FTC has the authority to do so under the current powers given to it by Congress, and I don't know if I'd like the precedent of them trying without Congress delegating that power. I'd be totally willing to discuss Congress delegating them said authority.


How does IPv4's use translate to anti-trust?


Controlling 200 times more of a critical resource than the next competitor does not sound like healthy competition.


That you call global IPv4 addresses a critical resource is extremely odd. If I go to prudential.com or to another insurer's website, the IP delivery addressing protocol doesn't affect competition.

A user doesn't really see any difference when traffic gets delivered over IPv6 instead of IPv4, so the scarcity of the global IPv4 space is meaningless compared to the incredibly vast usable size of the global IP space.


According to Google's statistics https://www.google.com/intl/en/ipv6/statistics.html over 65% cannot reach them via IPv6.

So offering any service just on IPv6 makes no sense in 99% of the cases. You can use it for some internal cases, if you can be sure that all your users have IPv6 wherever they happen to be.

If you are a cloud provider and cannot offer your customers as many public IPv4 addresses as they want, you are out of business.


Still, use of IPv4 does not constitute anti-trust.


Using it doesn't. But having a pool of 200 times more than the next competitor does. I'm not sure whether according to the letter of the law. Courts would decide that a decade later if any administration went to court. But certainly in the spirit of free competition.


That's if you can define IPV4 as a critical resource. But because anyone can assign any IPv4 address to anything and advertise it with BGP, it can't fit the definition of that.


There would be penalties for that, maybe even legal ones. How easy it is to steal does not really factor in whether it's a critical resource.


Can it be defined as property? I could make a Internet The Second using isolated networks and advertise whatever I wanted. It's not like digital movies and music where it's defined as property under copyright law because it's a creative work.


Isolated? Sure.

This is the same as saying no one can own a Disney character because anyone can draw it at home. Or no one owns songs because you can freely transmit them between devices you own.

People still own those things in most jurisdictions around the world.


The thing with Disney is that those characters were created by someone in a creative pursuit. IP addresses, on the other hand, are simply pointers to some location, and so it's an unknown if they can be covered under IP law. Digital copies of media only count as property because of that IP law, or they would be worthless because they can be copied infinitely.


Promoting the continued dominance of a standard which causes artificial scarcity.


I can't understand the reasoning here.

They need to go after other service providers, not ISPs. ISPs provide CGNAT to facilitate access to ipv4-only services.


Yeah, I don't have much of any problem with doing CGNAT. We need to get the ISPs to do IPv6, and we need to penalize AWS when a customer chooses to do IPv4 only. (They will pass on the fee, which is just fine; easier than going after the customers directly.)


IPv6 is trying to do too much in my opinion. This is partially why adoption is slower than it could be.


in what way?

IPV6 is in many ways a simpler protocol than IPv4. For instance, it has a significantly simpler header than IPv4, and it does not duplicate the broadcast behaviour of ethernet but relies on multicast instead.

Some parts of IPv6 are complex (mainly, IPsec) but those are not required to get an operational ipv6 network.

SLAAC & NDP are both significantly simpler than ARP and automatic addressing under ipv4.


Of course that is how it will end. No one thinks that this is a bad idea, to only allow customers of those three to host a service, because that is the current mindset. When they own all the v4 ips, we will have no choice but to host on their infra or not host at all.

At that time, someone might think that IPv6 with all its faults might have been a good idea after all, but then it will be too late, since "v4 seems to work, all clients behind 2-3-4 layers of NAT, everything tunneled in HTTP/4.5 on a single port outwards to your VPS/VPN".

Not being able to host a game on your home computer, not being able to start a service unless GCP/Azure/AWS allows you to will be the end of the internet as we used to know it. Extra fun for anyone not being american enough to want to be a customer of the big three.


> When they own all the v4 ips

... there won't be any value in them any more.

if the only folks left who can use IPv4 are the hosting providers ("big three" or not), then nobody will be using IPv4 to contact all the hosted services.

large swaths of users have IPv6 available to them. if there starts being some inconvenience to not having 6, we can be sure adoption will pick up even faster.

https://www.google.com/intl/en/ipv6/statistics.html


>> When they own all the v4 ips

> ... there won't be any value in them any more.

and up to that point, it will be SUPER expensive for you to try to get one (or 256), which they can pay since they have a monopoly on them, and you, only needing one, can't.


ietf and friends could have made ipv6 only address the shortage but decided to change a bunch of other stuff too


I wonder, if we see large use of IPv4 and IPv6 adaptation, how tricky it will be to adapt and be able to have enough FIB in boxes to hold all those resolutions. I wonder how many companies will go into buying beefy chassis rather than implementing some low-level fragmentation for two families.


Having just realized my internet provider, cox, does not actually support ipv6 for the 2 million plus subscribers in my state I think it is safe to say that ipv6 is dead and will never take the place of ipv4 in our lifetimes.

Don't get me wrong. They say they support it, they have lots of PR that says they support it, but in fact as a subscriber they do not.


Ehn, I don't know if you can go from

"my internet provider, cox, does not actually support ipv6" to "I think it is safe to say that ipv6 is dead".

There are much more comprehensive ways to look at ipv6 adoption, e.g. https://www.google.com/intl/en/ipv6/statistics.html


Mine had some beta program years ago. You had to find a number to call which was hidden away in a locked filing cabinet hidden away in a disused lavatory.

They were purchased recently and maybe there is hope now.


Cox has had ipv6 for quite a while. Hell, for a while they kept shutting down my ipv4, leaving me only with ipv6. That was fun to get through tech support's head. Took three times of that happening for a day or two before I finally got to a level 2/3 tech that at least understood what I was talking about.


in our lifetimes. you don't think ipv6 will overtake ipv4 in the next 50-odd years? think about the year 1971 and what was thought possible then


Overtake: yes.

The ability to launch a public-facing, commercial service and pretend like IPv4 never existed and you don't have to worry about it at all? Probably not within our lifetimes.


I am not sure about that. When IPv6 support nears 95%, the pressure will be on those few ISPs to give access to those areas inaccessible from v4. Think of all these websites that need to be cheap and are happy enough with reaching 95% of the audience: blogs, small businesses, anything education related, etc. That should help going from 95 to 100.


Where are you located?

I'm on cox in southern california, and they rolled out IPv6 some time in the last year or so.


Same thing here with Spectrum.


I wish that instead of buying more IPv4 blocks, AWS would drastically lower the price of NAT gateways, then charge extra for EC2 instances and Fargate tasks with public IPs, to make it a no-brainer to stop wasting public IPs. As it stands, it's cheaper to waste public IPs than to use NAT gateways.

Addendum: I also wish I could volunteer to be switched over to CGNAT for my personal IPv4 traffic. This discussion got me thinking about what it would take to get my company's IPv4 footprint down to zero. Might as well do that for myself as well if I could.


IPv6 makes addressing easy and addresses free. Let's not keep NAT alive.


While I'm all for IPv6 - there's precious little about v6 that's easier.

On top of that, there's a whole lot of software that either doesn't support v6, or has major problems.


> there's precious little about v6 that's easier.

Somebody doesn't do any address or route planning.

In IPv6 the amount of hosts in a subnet is totally unimportant (because there are always 64 bits for this). If you have, say, a thousand hosts you're going to need to buy decent network kit 'cos a pile of daisy-chained 5 port plastic home switches won't like that - but it's only a local problem, like buying enough cable. You can have however many subnetworks you felt was appropriate for managing and organising things, and only those need managing. However in IPv4 you need to know how many hosts there will be or might be in each subnet, in order to plan address allocation, and small changes can throw things into turmoil, you have to manage the individual host addresses.

Suppose I have four subnets with 40-50 hosts in each - in IPv4 chances are that's four /26s. And then somebody wants to add 20 hosts to one of the larger subnets so now it won't fit in a /26 any more. Ugh. This is likely to involve a re-numbering programme that might take weeks or months. I may need to reach above me, to find somebody who has enough address space to trade with me, and they may in turn have to reach up too, or worse find the money to buy space. Suddenly what should have been an easy problem ("add twenty new hosts") is a nightmare with a budget and project management.

IPv6 evaporates this entire class of problems. There might actually be people at large organisations whose job ceases to exist under IPv6. Certainly there are people whose job gets much easier and less stressful, and who don't have to say "No" as often any more.
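The planning problem described above, as an added example (my code, not any commenter's): an IPv4 planner that has to size each subnet from its host count and can run out of the parent block when one subnet grows, beside an IPv6 planner where every subnet is a /64 and growth is a non-event. The parent blocks (10.0.0.0/24 and the 2001:db8::/48 documentation prefix), subnet names and host counts are constructed for illustration.

```python
"""Added example (not from the thread): IPv4 subnet planning driven by host
counts versus IPv6 planning where every subnet is a /64.  The parent blocks,
subnet names and host counts are constructed for illustration."""
import ipaddress
import math


def ipv4_prefix_for(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (2**(32-p) - 2,
    network and broadcast excluded) covers `hosts`.  Never returns longer
    than /30, the smallest prefix with any usable host addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    return 32 - max(2, math.ceil(math.log2(hosts + 2)))


def plan_ipv4(parent: str, demands: dict) -> dict:
    """Best-fit allocation of one subnet per entry in `demands`
    (name -> host count) out of `parent`, largest demand first.
    Raises ValueError when the parent block cannot hold the plan; that is
    the re-numbering problem the comment above describes."""
    free = [ipaddress.ip_network(parent)]   # unallocated ranges
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        need = ipv4_prefix_for(hosts)
        # Try the smallest free chunk that is still big enough.
        free.sort(key=lambda n: n.prefixlen, reverse=True)
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= need:
                sub = next(chunk.subnets(new_prefix=need))
                free.pop(i)
                free.extend(chunk.address_exclude(sub))  # keep the remainder
                plan[name] = sub
                break
        else:
            raise ValueError(
                f"{parent} cannot hold {name}: {hosts} hosts need a /{need}")
    return plan


def plan_ipv6(parent: str, demands: dict) -> dict:
    """Every subnet is a /64 whatever its host count; only the number of
    subnets matters, and a /48 holds 65536 of them."""
    block = ipaddress.ip_network(parent)
    if block.prefixlen > 64:
        raise ValueError("parent must be a /64 or shorter")
    if len(demands) > 2 ** (64 - block.prefixlen):
        raise ValueError("too many subnets for the parent block")
    sixty_fours = block.subnets(new_prefix=64)
    return {name: next(sixty_fours) for name in demands}


if __name__ == "__main__":
    sites = {"eng": 50, "ops": 45, "lab": 40, "guest": 48}   # constructed
    for name, net in plan_ipv4("10.0.0.0/24", sites).items():
        print(f"{name:6} {net}")
    sites["eng"] = 70                      # "add twenty new hosts"
    try:
        plan_ipv4("10.0.0.0/24", sites)
    except ValueError as e:
        print("IPv4:", e)
    for name, net in plan_ipv6("2001:db8::/48", sites).items():
        print(f"{name:6} {net}")          # unchanged by the growth
```

With the four 40-50 host subnets the IPv4 planner hands out four /26s from the /24; raising one subnet to 70 hosts forces a /25 and the remaining demands no longer fit, which is the point at which the re-numbering project starts. The IPv6 planner returns the same four /64s before and after the change.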


Do you have examples of software that you can't use because it doesn't support IPv6? Of all the software I've used there isn't any, which is why I'm curious.


Almost every single old/retro multiplayer game that relies on ipv4 to connect that I've seen. :(


is this not trivially fixable by running software that tunnels IPv4 into ipv6 between hosts who want to play multiplayer? I have seen some implementations of IPX which work by tunneling IPX inside IPv4.


If you want to lay out a structured space of addresses you can without worrying how much it will cost. Of course other problems don't change.

It's been many years but most software I work with just works. Granted I don't work with a ton of old proprietary software.


It really depends on your needs - I use nano sized SPOT instances for NAT gateways which only cost a penny a month. They in no way compete with the 40 Gbps capacity and high availability of the hardware NAT devices, but if the majority of your traffic is internal, going to a peered VPC, or over IPV6 and you just need a means to make an occasional API call to one of the AWS endpoints that don’t yet support IPV6 (which is the majority of them), then it’s a perfectly viable solution - better than sharing a hardware NAT IMO because you can take advantage of network traffic within the same availability zone being free.


How do you deal with failure or replacement of your NAT instances while minimizing downtime?


I've been making us use a NAT gateway for all of our EC2 instances since the dawn of time. Only those that need to be directly touched on specific ports get dedicated IPv4. I can count all of our public IPv4 addresses on 1 hand, and that includes a static comcast address for a branch office.

Using auto-assigned IPv4 should not be default, IMO. If I just did what amazon wanted me to without thinking, we would be consuming 5-6x more IPv4 addresses than we otherwise need to.


Do you have any Internet-facing load balancers? IIUC, each AWS application load balancer gets a couple of public IPv4 addresses. So I guess if you have a single ALB and a couple of NAT gateways (in two availability zones), you could still end up with a total of 5 public IPv4 addresses.


Last time I set up an ALB, it required 8 IP addresses. I assume that is because it spins up extra instances on the backend as the load increases. Most of the time the hostname is only assigned to 2 IPs.


Two per AZ you operate in. If you want to be multi-AZ across four AZs, then 4*2 IP addresses.


Regarding NAT gateway pricing (~ $30/month or so iirc) we can use a micro (~ $10/month) Linux instance, it's quite literally about 2 commands (sysctl enable ip forwarding and a masquerade iptables command) or a short script to set it up.
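The "two commands" above, as an added example (my code, not the commenter's and not an AWS-provided script) with the restrictions a practitioner would want on them: the MASQUERADE and FORWARD rules are pinned to the VPC's own CIDR and egress interface, so a host that can route packets through the instance from anywhere else does not get a free relay, and the inputs are validated before any command is built. It assumes a single interface (eth0) that faces both the VPC and the subnet's internet gateway; the CIDR and interface name are constructed placeholders.

```python
"""Added example (not from the thread or from AWS): build the minimal,
scoped rule set for a Linux instance acting as a NAT gateway for one VPC.
The VPC CIDR and interface name used in __main__ are constructed."""
import ipaddress
import re
import subprocess

# Linux interface names are at most 15 characters (IFNAMSIZ - 1).
_IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,14}$")


def nat_rules(vpc_cidr: str, egress_if: str) -> list:
    """Return the shell commands that turn this host into a NAT for vpc_cidr.
    Raises ValueError for anything that is not a private IPv4 network in
    canonical form, or not a plausible interface name, so a typo cannot
    silently widen the rule to the whole internet."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.version != 4 or not net.is_private:
        raise ValueError(f"{vpc_cidr} is not a private IPv4 network")
    if not _IFACE_RE.match(egress_if):
        raise ValueError(f"bad interface name {egress_if!r}")
    return [
        # 1. let the kernel forward between interfaces at all
        "sysctl -w net.ipv4.ip_forward=1",
        # 2. rewrite the source of VPC traffic leaving via egress_if only
        f"iptables -t nat -A POSTROUTING -s {net} -o {egress_if} -j MASQUERADE",
        # 3. forward nothing by default, then allow VPC-originated flows out
        #    and their replies back (same interface on a single-ENI instance)
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -s {net} -o {egress_if} -j ACCEPT",
        f"iptables -A FORWARD -i {egress_if} -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def apply(commands: list, dry_run: bool = True) -> None:
    """Print the commands, and run them as root when dry_run is False."""
    for cmd in commands:
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    # Constructed values; substitute the real VPC CIDR and interface.
    apply(nat_rules("10.0.0.0/16", "eth0"), dry_run=True)
```

Outside the instance, two more things make it a NAT gateway rather than a box that drops everything: the EC2 source/destination check must be disabled on the instance (`aws ec2 modify-instance-attribute --instance-id ... --no-source-dest-check`) and the private subnets' route table needs a default route pointing at it. As the replies below note, a single instance is also a single point of failure, which the scoped rules do nothing about.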


But that's another thing to keep patched.

I wonder if it would be feasible, when using a stripped-down container host OS like Bottlerocket, to configure one container host instance per availability zone to also do NAT. Note that I'm assuming a setup where the containers are running in ECS tasks that use the awsvpc network mode (i.e. each task has its own VPC network interface and private IP address), so security groups can be fine-grained. So even the tasks running on container hosts that do NAT would need the NAT.


Also, you need to deal with instance failure while minimizing downtime.


Also, NAT gateways don't support TCP or ICMP fragmentation. Not always a killer, but when it is, it is.


Yep. Or even give me a CG-NAT adoption. I have plenty of use cases where I only use a public IP address in AWS for Internet connectivity without any need for new incoming connections. For those, I'd be totally fine with a CG-NAT address.


I wonder if we could hack that for ourselves by having our EC2 instances or Fargate tasks do all outgoing Internet access indirectly through Lambda functions.


I noticed that too on GCP. Many of my workloads don't need a public address but it's still simpler and cheaper to set one.


Last October, Amazon bought ~4 million addresses by bribing the corrupt technocrats of a radioamateur "non-profit" organization. Fuck Amazon, fuck those corrupt technocrats (like the ICANN/.org team who tried to sell the TLD). It's incredible what this kind of people can get away with.

Previous discussion on HN: https://news.ycombinator.com/item?id=24753654


Well, if that organisation didn't have a use for those addresses... I don't see what the big deal is.


I think the question is why not sell them openly instead of selling them via the back gate..


I assume Amazon came to them and offered the money and they accepted. I don't see anything shady about that. How do you sell something "openly"? Via an auction website? Is that standard procedure for everything these people sell?


The standard Internet procedure for IP addresses is to apply to your Regional Internet Registry for addresses, and the panel decides who will make best use of them (usually smaller/newer providers are prioritized). You only pay administrative/membership fees for the addresses because IP addresses are technical bits, not property... everyone operates addresses but nobody owns them.

That people sell food and houses is disconcerting in the physical world and creates real problems for real people where some can't afford to eat or have a roof over their head despite a global abundance of resources. That people do the same in the virtual world, with literal numbers, is beyond the scope of comprehension: pure madness.


The fact that you find private property "disconcerting" is enough to know this conversation is not going to go anywhere.


IP addresses were distributed on a per-need basis. Now it became a lucrative investment (people didn't originally pay millions for this block!)

Why should IP addresses be private property? Why not simply reclaim unused IP addresses instead, and redistribute them using the usual mechanism?


Oh it went somewhere, directly to runaway capitalism and regulatory-captured markets.

Be dismissive all you want.


Just because i don't hold your religious beliefs in regards to private property doesn't mean we can't have a conversation. Of course, if the entire conversation revolves around the legitimacy (or lack thereof) of private property, we'll wander away from the topic that big tech multinationals are eating away the Internet commons. Specifically from Amazon, i'm also referring to the .amazon TLD case.


That organization did not own those addresses. In the most generous interpretation of the situation, they were administrative custodians to the good usage of those addresses.

Reselling them to a for-profit company was definitely not what was intended by anyone and directly contradicts their mission as custodians. Those addresses were that of the global radioamateur community and no one else's.

That's why i made a comparison with .org. The ORG TLD was created exclusively by and for non-profits, so it was a scandal when some execs conspired against the general public to resell it and induce more costs for everyone. Likewise, it's a scandal that when you need/want to build a DIY radio Internet setup, your addresses which were reserved for that usage don't exist anymore, as they have been appropriated by Amazon.

Please note that this story would be less of a scandal if the community had been consulted on how much of the IP range to sell (retaining some for legit usage), and/or if that money benefited the community and not some greedy capitalist execs, and/or if they had been reattributed through normal channels (RIPE and other RIRs) and not commercialized, none of which is true.


Amateur radio still has 44.0.0.0/9 and 44.128.0.0/10. Not exactly a shortage.

Also, they are giving back to the community. The largest grant so far was $1,620,000 to save a radio telescope for the MIT Amateur Radio club.

https://www.ampr.org/grants/


Not exactly a shortage, no. But giving away an entire range without giving ample time (think months/years) for network operators to comply is a bit harsh.

Thanks for the link to their grants. It's good to see they're doing something useful with the money and it's not a case of outright corruption. Although one could argue a club from one of the biggest colleges in the global north may have more suited avenues for funding, i'm glad to see smaller projects in there as well.

To be fair, if the goal was to raise money for the community, would it not have been wiser to rent the IP space, or to set up a proper charitable auction? The IPv4 addresses are bound to go up in value in the coming years, now that major RIRs have given away all the remaining blocks, so that might have brought more revenue.


They very much did own them, you need to look at the history of ampr.org, who sits on the board and “who” applied for the /8.

These did not belong to amateur radio, TAPR, the ARRL or anyone but this organization.


Looks like the answer you're suggesting is Dr. Hank Magnuski[0]? He seems like an important and impressive fellow, but I'm not sure how that addresses the idea of ownership here.

Most likely we have different understandings of how ownership/stewardship of ipv4 addresses works. My take is "I don't know how it works", but I think the people further up thread believe it's not about ownership, but merely the right to administer on the understanding that it's done for the public good, or something like that.

If you have a concise resource that summarizes how it works that would likely do more to convince us than telling us to research ampr.org.

[0] https://www.ampr.org/faq/


So, take my words with a grain of salt because i'm not a member of those communities. From reading the previous thread on HN (which i linked in my parent comment), even the people who think the sale is a good thing agree that it was a rather shady deal where it wasn't very clear that a single entity should feel entitled to "own" this IP range.

If you have links with more information going one way or another, historical internet politics is always something i have time for reading, and i think i'm not the only one around here! :)


You also have to know that they got the address range for free, for the common good. Before they would be taken over by money.


I have 127.0.0.0/8 for sale! Give me 100 million euros and it's all yours! What do you mean some people are actually using those addresses and i don't own them? The RFC makes it very clear local link means my own machine and i pretty much own my own machine, thank you. Do you see how ridiculous this situation is now?


You don't have that for sale, because you don't own it, and if you try to announce it you will get disconnected from all your peers and will have to close shop.


Not that i disagree with your point, but you'd be surprised - if you're not familiar with the ISP world - the crazy routes some operators announce sometimes.


[flagged]


I know it was a joke, but according to his other comments he seems to think IP addresses cannot be owned because they are nothing but numbers.


> IP addresses cannot be owned

It is my understanding that IP addresses are not owned, indeed. Please correct if wrong.

There is historical IP space whose governance is not clear, but most IP space is de facto "owned" by RIRs who assign some ranges to their members. According to RIPE assignment policy:

> Assignment of this IP space is valid as long as the criteria for the original assignment are met and only for the duration of the service agreement between yourself and us. We have the right to reassign the address space to another user upon termination of this agreement or an agreed period thereafter.

Internet "ownership" of resources is, or at least was, in my understanding a form of usage-based ownership (as defined by anarchist thinkers). You operate some resources and your ownership is based on that need precisely, despite having to pay some administrative fees (for domain names and IP addresses) to ensure public service infrastructure is maintained properly. Until recently, domain names and IP ranges were not subject to the "laws" of offer and demand, but rather to a first-come-first-served basis. But apart from historical actors (read governments and military industrial complex) who benefit from special rules in order to maintain backwards-compatibility forever, IP space is managed communally through RIRs and no entity exactly owns IP addresses, at least in a private-property based understanding of ownership.

Of course, my claiming to sell 127.* was a joke :)


That's true though. If you're a tier 1 network then you can advertise whatever you want, and if they cut you off on that advertised address, then you can cut your peer's address off. And, if you're big enough, the peers can't just disconnect from you altogether or they themselves would lose connections to other peers. This is why BGP and the other routing protocols are so cool; you can get control of the internet if you just buy some routers and create a way to get advantageous peering relationships. It's an offer you can't refuse.


That's like saying that private property is worthless because the state can take it from you by force.

Technically that's correct, but if that generally doesn't happen then it's not something we have to worry about.


> if that generally doesn't happen

That's a big if. I don't know where you're from, but here in France the State expropriating smaller landowners in order to achieve huge private-public partnerships (i.e. siphoning off public money right into the pockets of private companies, with little if any benefits for society) is common practice: see for example the ZAD in Notre dame des Landes for an example of popular outcry/resistance, or the expropriations and mafia-like intimidation/aggression for the "Grand Stade de Lyon".

Of course, if you're a big landowner and/or close to the circles of power, you have nothing to worry about.


Can IPv4 even be defined as private property if it is nothing more than a few DDN numbers? I could make an Internet 2 that's totally isolated and restart the whole IP allocation process all over again.


Given there is such a thing as intellectual property, where someone literally owns an idea, I'd say owning an address isn't far-fetched at all.


IP only exists because of copyright law, and it would be tricky to apply copyright to an IP if it is not a creative work.


In the consumer space this doesn't matter much. Most internet users at home could have their IPv4 address removed and only provided an IPv6 one.

Mobile internet is commonly served only by IPv6.

It's the hosting/server space where IPv4 matters and will probably be like this for the next 20 years. This will be harder than the python 2 -> 3 migration. We'll continue to come close to running out of IPv4 addresses but we won't ever wean off them completely in the server space.


> Most internet users at home could have their IPv4 address removed and only provided an IPv6 one.

> Mobile internet is commonly served only by IPv6.

These aren’t true. There are still some big consumer-facing sites that are IPv4 only — notably twitter.com and amazon.com. I can definitely still access both from my mobile device.


My understanding is that there is some sort of translation taking place with 6to4, NAT64, ???

So while amazon.com may not have AAAA records/ipv6 it is still reachable by properly configured ipv6 clients with some sort of middleman to translate.


As far as I know, these middlemen are deployed by the respective ISPs and are not a core function of ipv6. I've had the 6to4 (or AFTR, I'm still not sure which) fail on my ISP and could only reach ipv6 enabled hosts, sometimes for hours.


Not strictly required for the ISP to run it, I think Hurricane Electric did/does run something like those for free. But in general, yes, it's on the clients to handle.


Meanwhile, Hetzner just added a staggering $19/address setup fee and a soon doubling of prices for IPv4 addresses from them ostensibly due to the rising costs of getting addresses, yet still has virtually no support for IPv6 on their offerings outside of a /64 per dedicated server.

https://docs.hetzner.com/general/others/ipv4-pricing/


Why would you need anything other than a /64 on your server?


Maybe they mean that things like flexible/assignable ips and load balancers aren't available on v6.


Because IPv6 was designed with mobility in mind? .... oh, wait.. that is the IPv6 in fairy tales.


Huh? I've been using IPv6 on their cloud instances for years, and it works just perfect.


How is a /64 per dedicated server no support?


You also get a /64 on their cloud servers, one subnet per project iirc.


/64 seems pretty standard, unfortunately. It's what I get on OVH. There's also way worse providers, like Digital Ocean with a /124, and LightSail with /128.


> Hetzner just added a staggering $19/address setup fee and a soon doubling of prices

This is what we need to encourage IPv6 adoption and conservation of existing digital resources.


Is it? If the major cloud providers are siphoning off IPv4 space to create a monopoly, and 2nd tier cloud providers are raising prices due to the cost of IPv4 acquisition due to scarcity, there’s a real chance market forces migrate customers away from the 2nd tier as their costs rise.


As always, if anyone has any suggestions on tracking and stats they'd like to see for this on the repo, I always welcome ideas.


IPv6 will never happen without someone forcing the hands of big corps and ISPs to switch to IPv6.

Imagine all social media and streaming services disabling ipv4 within a month. These are not critical services but it would still force ISPs to make the switch.


I actually think that what will really drive IPv6 adoption is if the price of IPv4 space continues its upward trajectory unabated. The price has about doubled at auction in the last year.

How are those two things related?

1. There are a ton of owners sitting on inefficiently used IP space.

Any company (not doing cloud hosting or network transit) that's holding a /8 is almost certainly using it very inefficiently, but an owner like Apple will never feel financial pressure to optimize or sell their /8. However, an owner like the university I went to (with a /16 network currently worth $3 million) will eventually face internal pressure to sell that network when the value rises to say $50 million.

As another example, Yahoo is currently announcing subnets containing 4.3 million IPv4 addresses, which is worth $193.5mm at auction. If the price of IPv4 addresses increased by say 10x, their IPv4 space would probably comprise the bulk of the company's value.

2. Owners will need to adopt IPv6 in order to realize these financial gains.

In order to sell a significant portion of their IPv4 space, an owner will have to compact their IPv4 usage into a much smaller space and migrate everything else to IPv6. This will be a huge undertaking for a lot of these places, but at some point it's worth it. By doing that, IPv6 adoption increases.

There is the potential for a feedback loop to be created where demand for IPv4 drops and the prices decline and so fewer conversions are done, but I tend to believe that IPv4 pricing will remain inelastic.

So basically the invisible hand of the market may guide us to IPv6, but I highly highly doubt we will have seen the last of IPv4 even decades from now.


> what will really drive IPv6 adoption is if the price of IPv4 space continues its upward trajectory unabated

...or the opposite: large cloud providers own a lot of valuable IPv4 space. They might want to increase the value of their investment.

Encouraging switching to pure-IPv6 connectivity would be a big loss for them.


> There are a ton of owners sitting on inefficiently used IP space.

This includes AWS, btw. You effectively get a public IPv4 with your instance, regardless of your actual needs. It actually increases your costs to get cloud instances that don't do that.


AWS has that inefficiency baked in to their design, but I'm guessing that they do efficiently deploy their IPv4 space.

That is still a problem for sure, but I'm thinking of places doing things like giving a printer its own subnet just because they have no incentive to be efficient.


You only get a public IP if you host in a public subnet. Should you deploy to a private subnet you wouldn't get a public ip


Another one I've heard is that CGNAT shared IPv4 addresses lead to higher hardware requirements to manage that CGNAT. So just by having IPv6 support and having more traffic go through native IPv6 saves ISPs hardware that would've been required to manage the CGNAT.

Found the video: https://www.youtube.com/watch?v=75h4gm7t1oI


I know a few universities that still use static ipv4 for computer pools. The admins claim it's easy for them to monitor for misuse.


My company owns a /16 and everybody gets a static address for each device, so I currently "own" two global IPv4 addresses. But everything is firewalled to hell and we need to connect through a proxy, so what's the point?


I own a /24, personally. It was registered in the early 90’s. I have it routed to my home network.


Out of curiosity, how much does it cost for you to run this? Not that I'm willing to pay $10k for my own /24, but I find this super interesting.

I just installed a new FTTH ISP at home and learned the hard way what CG-NAT is, after years of having my own public IP with my previous ISP.


The /24 itself doesn’t cost me anything. I registered it before ARIN existed and it’s considered a “legacy” block. No fees cause I never signed their registration agreement.

I pay about $180/month for a “business internet” cable line. 300 megabits down, 25 up. I also “know a guy” at the ISP who made sure the routing wasn’t going to be an issue.


Yep, I was wondering more about the ongoing costs of "operating" the block. I was reading a superuser.com question [1] about it and it mentions ongoing costs, like transit, BGP routing etc.

This is super interesting! I didn't know this was even possible before I started looking into it.

[1]https://superuser.com/questions/323801/how-can-i-own-an-ip-a...


If I read that right, all the transit and routing is done by his ISP. The superuser response is about what happens when your provider (or in this case, ISP) does not do this.


There are no direct costs there. I pay for the bandwidth. The ISP announces the /24 using their BGP ASN.

There are also cloud providers, like Vultr, that will allow you to do BGP with them. You could then get a network block routed to a VPS, then tunnel it out or whatever.


This is correct use of IP space.

With a routeable IP on every computer, no one would be a second class (consume-only) user of the Internet.


No corporate IT would have a firewall set up to allow every computer to be routable from the internet.

So practically, a globally addressable IP or not makes no impact on the ability to be routable publicly.


In the 90’s, this set up (public IP everywhere) was very common. I remember working in a couple offices with no firewalls.


The 90s were a different time for the internet; even until right after the dot-com bubble, being online was relatively safe. Many companies would not even have had dedicated InfoSec teams, and no audit or compliance processes covered firewalls etc.

I may be biased, I grew up in the 90's so I don't really know how it was before. I do hear people reminisce about the days before eternal September and bb groups and the good old 80's, so perhaps it has always been a downward gradient as more and more people came online.


The funny thing is social media and streaming is already there:

    facebook.com has IPv6 address 2a03:2880:f119:8083:face:b00c:0:25de
    instagram.com has IPv6 address 2406:da00:ff00::23ae:4dc1
    snapchat.com has IPv6 address 2001:4860:4802:36::15
    netflix.com has IPv6 address 2600:1f14:62a:de82:822d:a423:9e4c:da8d
    youtube.com has IPv6 address 2404:6800:4006:810::200e
The holdouts are somewhere else. Imagine if cloudflare and cloudfront defaulted to enabling ipv6 - I expect the jump in worldwide ipv6 traffic would be massive. On the other hand the missing services are very tech oriented:

    github.com has no AAAA record
Once traffic can default to ipv6, we'll see ipv4 slowly dying, but the defaults really matter.


We do default IPv6 on. https://blog.cloudflare.com/always-on-ipv6/

And the chart in that blog shows the dent we made.


My bad, should've been more clear - yes, it's the default in some places. What I meant is actually treating ipv6 as first class everywhere. For example:

This guide doesn't even mention AAAA records: https://www.cloudflare.com/learning/dns/dns-records/

API examples are ipv4 unless the option takes ipv6 only: https://api.cloudflare.com/#dns-records-for-a-zone-update-dn...

Your terraform examples use ipv4 only: https://registry.terraform.io/providers/cloudflare/cloudflar... https://registry.terraform.io/providers/cloudflare/cloudflar...

And many others.

In other words, I expect steering people to do ipv6, then maybe ipv4 as well rather than the opposite would give the internet as a whole another big jump in ipv6 usage.


This will show my lack of ipv6 knowledge but I’ll ask anyway. Say I have an endpoint service somewhere listening only on ipv6.

Let’s take any sort of CDN out of the equation for simplicity. Can I use Cloudflare DNS for the service, such that anyone using ipv6 will connect directly to my service, of course— but can CF do some magic ipv4->ipv6 translation/bridge sort of thing, so that someone on ipv4-only will also be able to connect to my ipv6-only service?

I’d imagine the answer is hopefully yes and perhaps this is trivial stuff these days, but anyway I’m thinking of setting up a blog and might go ipv6 only with it..


Cloudflare makes a website dual-stack from the user's perspective, regardless of whether the server is IPv4-only or IPv6-only.

Typically, both the A and AAAA records point to the same Cloudflare proxy, because serving IPv4 and IPv6 via different infrastructure requires a lot of care to avoid subtle brokenness.


You should be able to advertise your ipv6 endpoint in the AAAA record, going direct to the origin, while making the A records pointers to Cloudflare, which can then proxy back to your v6-only origin servers.


Awesome, thanks for the answers all! Sounds simple enough!


It wouldn't be magic.... the AAAA record for DNS would point to your server, and the A record would point to cloudflare.

Of course, it is up to the client, then, to decide which address to use. Not all clients default to v6 even if it is available.


Nice, good work!


About 16% to 23% of the Alexa 500 top sites have ipv6 support [0]. There hasn't been much of a change since August 2018 (17% to 21%) [1], or Oct 2016 (19% to 21%) [2]. 5 years is a long time in tech.

Meanwhile on the user side support has tripled from about 11% in 2016 to 33% recently [3].

I guess when you run a scalable web service, you need comparatively few publicly available ip addresses, and everyone has ipv4 anyways, while when you run an ISP, you need way more ip addresses. So the problem is way more pronounced for ISPs than the service providers. I guess the number of deployments with carrier grade NAT without ipv6 support is quite low.

[0]: http://www.delong.com/ipv6_alexa500.html

[1]: http://web.archive.org/web/20180826104925/http://www.delong....

[2]: http://web.archive.org/web/20161019011050/http://www.delong....

[3]: https://www.google.com/intl/en/ipv6/statistics.html


I was suggesting disabling Ipv4 within a month. Merely enabling Ipv6 isn't going to help.


Years ago, when I perhaps more naively believed in the benevolence of Google, and that the wisdom of the Elder True Nerds who worked there would lead us to The Future, I might have applauded them throwing their weight around doing something like that. Possibly with a condescending paternalistic attitude like, "dragging the unwashed masses kicking and screaming into the future they're too stupid to realize just yet will be better for them."

I am no longer so young and naive. Now, there is no doubt in my mind that such a move by Google or the other tech giants would not be made out of benevolence, but because doing so would somehow net them yet greater control over the flow of information across the world. Whether out of an authoritarian desire to architect society the right way this time, or chasing their profit margin as far down the asymptote as they can measure, the resultant 1st through Nth order effects would probably be the same for the rest of us.


Control is one argument, but I'd go with the money argument:

All the big cloud providers like Google and AWS, as well as the small ones like Hetzner, have an incentive to keep IPv4 going as long as possible. They can charge a premium for IPv4 things "because addresses are scarce". Charging a premium means more profit margin.

At the same time, they do not need to invest in more than lip service for IPv6 support in their offerings: No cloud provider has any comprehensive IPv6 offering, most services don't do IPv6. The edge ones maybe do, but there are always sharp edges, missing docs and general pain, pushing everyone back to IPv4 where the profits are.


I think the "switch" mental model is misleading. IPv6 has already happened, and most users don't notice it since they aren't in the habit of looking at network interface diagnostics on their device. See eg sibling comment about instagram, netflix, facebook etc. v4 NAT will remain in use concurrently and services will remain available over v4 for consumer facing things for a long time.


> IPv6 will never happen without someone forcing hands of big corps and ISPs to switch to Ipv6.

But it is happening. https://www.google.com/intl/en/ipv6/statistics.html shows it slowly but steadily increasing.


I thought ISPs were actually doing pretty well? Big corps are moving slowly but I think it's mostly limited to internal NATted networks, which frankly nobody has an incentive to upgrade. We're getting there... slowly.


I will never be able to use IPv6 without someone making those things easier to read. I can barely remember an IPv4 address, but v6 is just insane.


Lucky you, somebody already did that for you. It's called DNS. :P

On a more serious note: IPv6 addresses can be short, and if used right they actually are short. Unfortunately, people continue not to care about relearning their habits and treat IPv6 as if it's a 1:1 replacement of IPv4 (you can even see it in this thread when people ask "why would you need more than a /64"). A major blocker for IPv6 isn't just the IPs but that all sysadmins out there are trained to treat IPs as they got used to in the v4 world and can't stop thinking of them as scarce resources instead of applying a hierarchical approach.
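As an added example (not from the thread), here is the hierarchical approach in code, using Python's standard ipaddress module. The allocation, site names and VLAN names are hypothetical. Carving a /48 into nibble-aligned /56s and /64s makes the site and the VLAN visible as hex digits in the prefix, so addresses stay short and readable instead of being rationed one at a time:

```python
"""Nibble-aligned IPv6 addressing plan built with the standard library's ipaddress module.

Added example. The allocation and the site/VLAN names are hypothetical; the point is
that a hierarchy keeps addresses short and self-documenting, whereas treating /64s as a
scarce resource does not.
"""
import ipaddress
from typing import Dict, List


def carve(allocation: str, sites: List[str], vlans: List[str],
          site_len: int = 56, vlan_len: int = 64) -> Dict[str, Dict[str, str]]:
    """Give each site a /56 (256 /64s) and each VLAN inside it a /64.

    Both boundaries sit on a hex nibble, so in a /48 the site index is the 13th hex
    digit and the VLAN index follows it: the address itself documents the plan.
    """
    alloc = ipaddress.ip_network(allocation)
    if len(sites) > 2 ** (site_len - alloc.prefixlen):
        raise ValueError("not enough site prefixes in the allocation")
    if len(vlans) > 2 ** (vlan_len - site_len):
        raise ValueError("not enough VLAN prefixes per site")
    site_nets = alloc.subnets(new_prefix=site_len)      # lazily enumerates the /56s
    plan: Dict[str, Dict[str, str]] = {}
    for site, site_net in zip(sites, site_nets):
        vlan_nets = site_net.subnets(new_prefix=vlan_len)
        plan[site] = {vlan: str(net) for vlan, net in zip(vlans, vlan_nets)}
    return plan


def gateway(net: str) -> str:
    """Convention: the router takes ::1 of every /64; the compressed form stays short."""
    return str(ipaddress.ip_network(net)[1])


def prefixes_available(prefix_len: int, new_prefix: int) -> int:
    """How many `new_prefix` networks fit in one `prefix_len` network: 2^(new - old)."""
    return 2 ** (new_prefix - prefix_len)


def is_nibble_aligned(net: str) -> bool:
    """Prefix lengths that are multiples of 4 line up with hex digits, which is what makes
    the hierarchy readable without a subnet calculator."""
    return ipaddress.ip_network(net).prefixlen % 4 == 0


if __name__ == "__main__":
    for site, vlans in carve("2001:db8:abcd::/48", ["hq", "branch"],
                             ["users", "servers", "mgmt"]).items():
        for vlan, net in vlans.items():
            print(f"{site:8} {vlan:8} {net:24} gw {gateway(net)}")
    print("/64s in a /48:", prefixes_available(48, 64))
```

Reading the output, the second hex digit after the allocation identifies the site and the last one the VLAN; a /64 per host or per VLAN costs nothing against a /48 that holds 65,536 of them.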


This. I honestly think the FCC will have to mandate its adoption and give a hard date for the termination of IPv4 for it to work. Both will need to occur.


Hopefully, that is more successful than the time the US mandated the use of the metric system.


Who the heck has a couple /12s and a /13 just lying around unused?

And there are even some earlier pickups of two /10s: 252.0.0.0/10 and 44.192.0.0/10. Wow.


Look at who still has their assigned /8.

Gonna be funny how we'll likely live to see IPv6 run out of IP space, leading to IPv8!

https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_addre...


Oh, google doesn't own 8/8

At least for 8.8.8.8 they need to update their POC

> ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2019-10-24


I knew about Apple and AT&T. DoD is really hoarding them, wow.


Honestly prudential is the one that stuns me. They’re an insurance company! Why do they need all those?!


Same with Ford. And while I do think the addresses should be returned, they should get market value or above for them. We should not punish companies for buying into the future, which turned out to be a great investment.


Alternative view - those addresses should not be "returned". They're owned. I hope hoarders will get blocks as large as they can so that we experience real shortage and start seeing the first ipv6-only services.


The addresses are not owned by those in the list. They are allocated for an ongoing yearly fee.


If they were bought early enough, they count as legacy and are fee-free. And even if they aren't, the current price trend will easily outgrow the fee.


They probably got a /8 early and gave each regional office their own /16, so they'd have to unpick all the addresses they're currently using before they could sell off any.


I'm sure they could split it into /16s and sell off the empty ones.


Prudential got that block 5 years before IPv6 was introduced.


Maybe they just bought it for insurance.


Amazon bought 3.0.0.0/8 from GE in 2018 [1].

So part of this is putting into service networks that they previously acquired, probably to keep up with growth. Buying in 2018 would have been a MUCH lower price than today -- and it can pretty much only go up!

[1] https://news.ycombinator.com/item?id=18407173


I worked at GE when this was done. Because a lot of things decided what was GE/not GE based on coming from a 3.x address it caused chaos. They called it 3-dot-geddon


Incumbent telcos are generally sitting on piles.

Source: worked for them in a couple of countries


Then again, at the height of the times, the registries handed out one /8 per month more or less, so whatever small pockets of (seemingly) unused /8s, or /10s you can find, gives you weeks to delay your ipv6 transition.


The DoD still owns 14 class A blocks, right?

And is 240.0.0.0/4 still "reserved"?


Yes, and it may be possible they will be sold[1]. From the article it looks like they're identifying unauthorized use of their space, while clearing the addresses from firewalls to become really routable.

[1]: https://arstechnica.com/information-technology/2021/04/penta...


Many firewalls that don't expect IPs in that block to be valid will just drop the packets as bogus.
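An added example (not from the thread) of both points above, the bogus-source drop described in this comment and the "is it coming from 3.x?" trust rule from the GE comment, written with Python's standard ipaddress module. The sample addresses are arbitrary hosts inside the blocks discussed (3.48.0.0/12, 44.192.0.0/10, 240.0.0.0/4) and the trust list is hypothetical:

```python
"""IPv4 bogon classification with the standard library, and why trusting a prefix is brittle.

Added example. Sample addresses are arbitrary hosts inside the blocks the thread mentions;
LEGACY_TRUST is a hypothetical rule of the kind the GE comment describes.
"""
import ipaddress
from typing import Iterable, List, Tuple

CLASS_E = ipaddress.ip_network("240.0.0.0/4")          # "reserved for future use"
BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_bogon(addr: str, allow_class_e: bool = False) -> bool:
    """True if a typical bogon filter would drop a packet from this source address.

    ipaddress' is_global already excludes RFC 1918, loopback, link-local, the
    documentation ranges, the CGNAT shared block and 240/4, so it stands in for the
    hard-coded lists most filters carry. allow_class_e models a filter that has been
    updated to let 240/4 through, which is what every device would need before that
    block could be handed out.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    if allow_class_e and ip in CLASS_E and ip != BROADCAST:
        return False
    return not ip.is_global


def filter_sources(sources: Iterable[str],
                   allow_class_e: bool = False) -> Tuple[List[str], List[str]]:
    """Split source addresses into (accepted, dropped) the way an ingress filter would."""
    accepted: List[str] = []
    dropped: List[str] = []
    for src in sources:
        (dropped if is_bogon(src, allow_class_e) else accepted).append(src)
    return accepted, dropped


# Hypothetical "one of ours?" rule: trust anything sourced from the old corporate /8.
# Once the block is sold to a cloud provider, every tenant there passes the check.
LEGACY_TRUST = [ipaddress.ip_network("3.0.0.0/8")]


def trusted_by_prefix(addr: str,
                      trusted: List[ipaddress.IPv4Network] = LEGACY_TRUST) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


if __name__ == "__main__":
    samples = ["3.48.0.1", "44.192.0.1", "240.0.0.1", "252.1.2.3", "100.64.0.1", "10.1.2.3"]
    print("default filter:     ", filter_sources(samples))
    print("240/4 allowed:      ", filter_sources(samples, allow_class_e=True))
    print("trusted via 3/8:    ", [s for s in samples if trusted_by_prefix(s)])
```

Two things fall out of running it: a source in 240/4 is dropped by default even though nothing else about the packet is wrong, and once 3.0.0.0/8 changes hands, a prefix-based trust rule admits strangers rather than the company it was written for. Trust decisions belong on authenticated identity, not on which block an address happens to fall in that year.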


I’m a huge IPv6 advocate, but I can’t imagine we’re not better off releasing 240.0.0.0/4 to RIRs and fixing stuff that makes that assumption. That’s an enormous amount of IP space.


The argument against that is to 'deploy and fix IPv6', since this just kicks the can down the road, which has already been going for at least 20 years at this point.

"The first RFC to standardize IPv6 was the RFC 1883 in 1995, which became obsoleted by RFC 2460 in 1998. In July 2017 this RFC was obsoleted by RFC 8200, which elevated IPv6 to "Internet Standard" (the highest maturity level for IETF protocols)." https://en.wikipedia.org/wiki/IPv6


Wow! IPv4 addresses are like oil. We think we've run out, then we get better methods like "fracking" and "shale oil" and we can squeeze out a few more barrels of them.


You want proof that people don't yet trust IPv6? Simply look up SPF records: very few (like <5%) of domains list IPv6 records in their SPF record. For example Google and Outlook do, but aol.com/yahoo.com do not. Email is a critical service and the fact most people aren't using IPv6 to deliver email yet is a telling sign.

dig -t txt DOMAIN | grep v=spf1

and walk the records and includes for "ip6:...". Good luck finding any.
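As an added example (not the commenter's tooling), the same walk can be automated: parse the v=spf1 record, follow include: and redirect= within the 10-lookup limit of RFC 7208, and inventory the ip4:/ip6: mechanisms. The TXT records below are constructed with documentation names and prefixes, and sample_resolver is an offline stand-in for a real TXT lookup:

```python
"""Walk an SPF policy (includes and redirects) and report its ip4:/ip6: mechanisms.

Added example, not from the thread. The TXT records are constructed with documentation
names and prefixes; swap sample_resolver for a real TXT lookup (e.g. dnspython's
dns.resolver) to inventory live domains.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed sample zone data (hypothetical domains and prefixes).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_spf.example.net": [
        "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 include:_spf2.example.net ~all"
    ],
    "_spf2.example.net": ["v=spf1 redirect=_spf3.example.net"],
    "_spf3.example.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "v4only.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf3.example.net -all",
                       "some-unrelated-verification-token"],
    "loop.example": ["v=spf1 include:loop.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip6:2001:db8::/32 -all"],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for `dig -t txt NAME`."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


@dataclass
class SpfReport:
    ip4: Set[str] = field(default_factory=set)
    ip6: Set[str] = field(default_factory=set)
    visited: List[str] = field(default_factory=list)
    lookups: int = 0            # include/redirect follows; RFC 7208 caps DNS-querying terms at 10
    errors: List[str] = field(default_factory=list)

    @property
    def uses_ipv6(self) -> bool:
        return bool(self.ip6)


def spf_record(name: str, resolve: Resolver) -> Optional[str]:
    """Exactly one v=spf1 TXT record is valid: zero means no policy, two or more is a permerror."""
    records = [r for r in resolve(name) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def walk_spf(domain: str, resolve: Resolver = sample_resolver,
             max_lookups: int = 10) -> SpfReport:
    report = SpfReport()
    pending = [domain.lower().rstrip(".")]
    while pending:
        name = pending.pop(0)
        if name in report.visited:                  # include cycles are a real-world failure mode
            report.errors.append(f"loop: {name} referenced again")
            continue
        report.visited.append(name)
        record = spf_record(name, resolve)
        if record is None:
            report.errors.append(f"{name}: zero or multiple SPF records")
            continue
        for term in record.split()[1:]:             # skip the v=spf1 version tag
            term = term.lstrip("+-~?")              # the qualifier does not matter for an inventory
            low = term.lower()
            if low.startswith("ip4:"):
                report.ip4.add(term[4:])
            elif low.startswith("ip6:"):
                report.ip6.add(term[4:])
            elif low.startswith(("include:", "redirect=")):
                report.lookups += 1
                if report.lookups > max_lookups:
                    report.errors.append("more than 10 DNS lookups (RFC 7208 permerror)")
                    return report
                sep = ":" if low.startswith("include:") else "="
                pending.append(term.split(sep, 1)[1].lower())
            # a, mx, ptr, exists and all are not expanded: a/mx can also answer with AAAA
            # records, so an inventory of ip6: mechanisms is a lower bound on IPv6 senders.
    return report


if __name__ == "__main__":
    for d in ("example.com", "v4only.example", "loop.example", "dup.example"):
        r = walk_spf(d)
        print(f"{d:18} ipv6={r.uses_ipv6!s:5} ip6={sorted(r.ip6)} "
              f"lookups={r.lookups} errors={r.errors}")
```

Note the caveat in the comments: a domain whose senders are listed through a or mx mechanisms can deliver over IPv6 without a single literal ip6: term, so a grep for "ip6:" understates adoption somewhat, and a record with more than 10 include/redirect hops fails evaluation outright regardless of address family.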


This was all a big emergency 25 years ago until IPMasquerade/NAT came out. Yeah, we should migrate to IPV6 now but it's just so much less important.


In my experience working IT at some public universities and some private education facilities there is a negative incentive for adopting IPV6. Often in these environments bandwidth use is up even on the LAN side, and dual-stack IPv6 simply causes unnecessary traffic that negatively impacts network performance. This was not the case in my experience 7-10 years ago.


The repo notes 3.48.0.0/12 and 3.152.0.0/13 as new IP ranges but I thought it was already well known that they owned 3.0.0.0/8?

It's even been discussed on HN previously: https://news.ycombinator.com/item?id=18407173


Amazon didn’t just buy these addresses, an AWS service was just assigned them due to some future known growth. Amazon bought the rights to use all of the 3/8 network years ago and is just now allocating some additional subnets of that to AWS services.


So one solution for the IPv4 shortage is for hosting providers to own all IP space... Not sure if anyone has done a projection of when that will happen.


Does similar data exist for other cloud giants?


Another huge problem is that companies are handing out IPv6 in bulk as /128 subnets per machine, and many experts encourage "one IP per service on the machine", adding "it's good for security since it's harder to scan all ports of all subnet IPs". So at that pace, I still wonder how IPv6 will not run out of IPs as quickly as IPv4.

One IP per server should be the norm.


We have less than 8 billion people in the world, which corresponds to about 2^33. Let's assume that (given that we already have issues with sustainability) we will have much bigger issues than IP addresses if we ever reach more than 128 times that. So we are at less than 2^40. (Realistically I would expect much less, but let's be safe.)

Then the question is how many addresses everyone needs. Currently we assign subnets. Let's provide everyone with 1024 subnets for client devices and an additional 1024 servers each with their own subnets. So 2^11 subnets each.

So we end up requiring 2^51 subnets, while we have 2^64 available, thereby only using less than 0.013% which provides plenty of room to reconsider if any of these approximations turn out to be wrong.


Even if you reduce it down to /48 subnets you have 281,474,976,710,656 of these, ~65k times more than the entire IPv4 space, your usual assignment to a machine is a /64 which are about 4.2 billion times the amount of the IPv4 address space, about 18 quintillion.

That's enough addresses to give every one of the 8 billion humans on this planet two billion /64 subnets. Which I'd say should be enough for the moment.


> 65k times more than the entire IPv4 space

Last week I was thinking about a system to automatically cut my hair the way I exactly want (precision up to the millimeter and per hair). So, one way would be by using cheap microrobots*. The

On average we have around 100K hairs on our heads. Let’s say you buy 100K microrobots to cut your hair. Each of these microrobots could have their own ipv6 (because, why not) so that you can control them via your phone. So, suddenly you have there one person using 100K ipv6 addresses.

So, whenever people say “ipv6 should be enough for now”, I always think “well, it depends on how they are used!”


If every person in the world simultaneously had 100,000 IPv6 addresses, that would represent a tiny, trivial fraction of the available space.


There are 340,282,366,920,938,463,463,374,607,431,768,211,456 IPV6 addresses. With a global population of 8 billion, you can give every individual ~ 42,535,295,865,120,000,000,000,000,000 addresses and then some.



