[arin-announce] IPv4 Address Space (fwd)
I love this. ARIN publicly states, "Whatchoo talkin about, Willis?" (see announcement below) So, by extrapolation, if we've collectively used 20 /8s over the past 5 years, and we have 90 left, that's over 20 years of IPv4 growth we have left. Some would ask, "What about increasing address usage?" I would ask, "What evidence do you have that usage is increasing?" Technologies like NAT and efforts to reclaim poorly assigned address space have a large negative pressure on the increase of IP utilization. As more and more "appliances" need IP addresses, people will realize more and more that the last thing they want is those "applicances" on public IP space. Does anybody have statistics for assigned-but-not-announced space? I'd be willing to bet there will be more and more dead space over the years, and in fact quite a bit of "increasing usage" is just churn. What does any of this matter? I think there is a huge financial incentive for NSPs to ignore IPv6 until the situation arrives where they are at a competitive disadvantage to NOT deploy it. I also don't think that time will ever come, as I expect new technology to trump IPv6 by the time it's actually needed (some would argue that NAT has already accomplished this). How about a protocol that eliminated the need for BGP, while simultaneously making every address portable? That, to me, would be The Answer. Not that it seems possible given what we currently know, but 20 years is a long time :) Try to think backwards 20 years, and you see how impossible it is to conceive of the next 20 years. (Yes, I realize that statement neuters the basis of my argument. But I'm not really stating the future demand for IPs as fact, just assumptions to be debated.) Does anybody honestly think companies will commit the capex needed to implement IPv6? I know this thread keeps on coming up...but I don't see any positive momentum for IPv6, and if the people of this Esteemed Forum can't agree that IPv6 is something that must happen ASAP, how will the PHBs (those who control the money) and the customers (those who control demand) ever be convinced? Hell, I can't even convince myself that IPv6 is neccessary. Is anybody out there totally sold on IPv6, enough to evangelize it to anybody willing to listen? I mean, IPv6 is no CIDR... Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 --- ---------- Forwarded message ---------- Date: Mon, 27 Oct 2003 14:48:17 -0500 (EST) From: Member Services <memsvcs@arin.net> To: arin-announce@arin.net Subject: [arin-announce] IPv4 Address Space There have been press articles posted over the past year that make statements about the remaining pool of IPv4 address space. A recent article states there is a shortage and that Internet Protocol Numbers will run out some time in the year 2005. The Regional Internet Registries (RIRs) do not themselves make predictions about when the remaining IPv4 address space will be depleted. They do, however, report on the rates of RIR allocation of IPv4 address space and on the state of the remaining pool of unicast IPv4 address space. The RIRs report statistics regarding IPv4 allocation on their respective web sites and present a "Joint Statistics" report at each of the RIR meetings and at other Internet industry meetings several times yearly. The most recent presentation on this subject can be found at the following location. http://www.arin.net/statistics/index.html This report states that the RIRs have collectively allocated 19.59 /8 equivalents between the dates of January 1999 and June 2003 (4.5 years). It also identifies that there are 91 /8 equivalents held by the IANA in reserve for future allocation by the RIRs. The RIRs will continue to report this information on a regular basis and will work closely with the IANA to ensure the efficient management of the remaining IPv4 address space. Richard Jimmerson Director of Operations American Registry for Internet Numbers (ARIN)
Does anybody have statistics for assigned-but-not-announced space? I'd be willing to bet there will be more and more dead space over the years, and in fact quite a bit of "increasing usage" is just churn. I have these statistics at http://www.completewhois.com/statistics/ip_statistics.htm
At above page look specifically at the blue part of the graph for assigned- but-not-allocated space. I actually looked at opposite (assigned & routed - this I named "routing utilization ratio") as way to determine efficiency of RIR policies. This ratio is very high for the new ARIN ip blocks (97%), but as you pointed above the churn is high for older blocks and only 42% of allocated space in 192/8 is actively routed. The ratios are in between around 60%-80% for other old blocks and these numbers both has to do with allocation policies that were not developed at the time and with churn due to dead companies. I have done analysis for different time periods, see: http://www.completewhois.com/statistics/rir_ratios.htm If you need data on exact amounts, you will need to do your own substraction use allocation statistics data from http://www.completewhois.com/bogons/data/allocation-statistics.txt and substract current use data from http://www.completewhois.com/bogons/data/data-bgp-announced/ipv4-activeblock...
Does anybody honestly think companies will commit the capex needed to implement IPv6? Not without additional benefits. We need either applications that are working a lot better at ipv6 or we may yet have to see ipv4 space ran out before it becomes clear to everybody that ipv6 is a must.
--- William Leibzon Elan Networks william@elan.net
On Mon, Oct 27, 2003 at 01:17:26PM -0800, william@elan.net wrote:
Does anybody honestly think companies will commit the capex needed to implement IPv6? Not without additional benefits. We need either applications that are working a lot better at ipv6 or we may yet have to see ipv4 space ran out before it becomes clear to everybody that ipv6 is a must.
imagine a network without NAT. I stopped counting applications that are struggling/breaking with NAT... But many people still believe rfc1918 and NAT are a cool thing because they just got used to it... tschuess Stefan -- Stefan Mink, Schlund+Partner AG (AS 8560) Primary key fingerprint: 389E 5DC9 751F A6EB B974 DC3F 7A1B CF62 F0D4 D2BA
On Wed, Oct 29, 2003 at 10:06:37AM +0100, Stefan Mink wrote:
Does anybody honestly think companies will commit the capex needed to implement IPv6? Not without additional benefits. We need either applications that are working a lot better at ipv6 or we may yet have to see ipv4 space ran out before it becomes clear to everybody that ipv6 is a must.
imagine a network without NAT. I stopped counting applications that are struggling/breaking with NAT... But many people still believe rfc1918 and NAT are a cool thing because they just got used to it...
They're a cool thing for other reasons. If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well. There's also no *need* to use public IP's on a private internal-only network either, so it makes little sense to do so. The way I see it, there are a lot of reasons not to use IPv6..
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT. Simon On Wed Oct 29, 2003 at 10:57:35AM -0000, Dave Howe wrote:
Avleen Vig wrote:
If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well. IPSec, SIP/VoIP or almost anything that relies on UDP borks on NAT, doesn't it?
-- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: Simon.Lockhart@bbc.co.uk | id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT.
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen).
On Wed, 29 Oct 2003 03:14:20 -0800 Avleen Vig <lists-nanog@silverwraith.com> wrote:
On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT.
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen).
this is true, but incomplete. there are numerous deployment strategies for IPSec, some of which work around NAT, some of which can be coerced to work through NAT, and most of which don't work around or through NAT. businesses deploying IPSec often lack the flexibility to pick and choose, especially in extranet deployments where two independent business are deploying a tunnel with mismatched equipment and limited choices. it's particularly bad when one end is a 800 lb gorilla with all the high cards, forcing a particular set of parameters on the small business on the other end. i've consulted for small businesses on the wrong end of that stick, and it's no fun at all. you ought to try it some time before you casually toss off a statement like the one quoted above. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Avleen Vig wrote:
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen). Indeed so yes - however... A large and increasing segment of my users are VPN laptop users with ADSL at home. our accounts department looks a certain amount of askance at IT when they get a large phone bill in expenses for someone using a 33.6 modem right next to a nice shiny half meg ADSL connection that IPSec won't traverse....
Dave Howe wrote:
Indeed so yes - however... A large and increasing segment of my users are VPN laptop users with ADSL at home. our accounts department looks a certain amount of askance at IT when they get a large phone bill in expenses for someone using a 33.6 modem right next to a nice shiny half meg ADSL connection that IPSec won't traverse....
IPSec can traverse NAT. Often times, it's the implementation of IPSec that doesn't traverse NAT. Software vendors apparently didn't think it necessary to allow for address translation. Tis sad, really. I have customers that can VPN through NAT and customers that require public addressing. The one's that really make me laugh seem to require a static IP address. Of course, the customer is always right. -Jack
On Wed, 29 Oct 2003, Avleen Vig wrote:
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen).
The most common use of VPN links is the roadwarrior. IPSEC in this context is broken badly by NAT. Even when the extensive hackery required to workaround NAT is enabled, it still can not work in the case where two roadwarriors are behind a single address connecting to the same VPN gateway.
However, what is authenticated in the IPSEC datagrams is the addresses of the IKE gateways (the routers). The fact that an entire netblock exists within the tunnel is not especially relevant to the part that suffers from NAT breakage. Owen --On Wednesday, October 29, 2003 3:14 AM -0800 Avleen Vig <lists-nanog@silverwraith.com> wrote:
On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT.
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen).
-- If it wasn't signed, it probably didn't come from me.
Simon Lockhart wrote:
Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Indeed. Novell networking for example - or MS Exchange New Mail notification. of course, you shouldn't be doing either on the internet, but a common "small branch office" solution involves ADSL, NAT and a single VPN client....
Plenty of UDP based apps work over NAT. depends a lot on the nat - if the UDP app isn't port-specific, then often a "smart" nat can create a virtual map for it (and IPSec NAT traversal often relies on a single internal initiator creating such a map on the nat device, and the destination not minding too much) If the "outside" sender expects the recipient to be on a fixed port though, often the best you can hope for is that *one* internal host can receive data.
Right... Forgot about the SNMP breakage. SIP doesn't depend on knowing which host it's talking to from the source address, but, it does depend on being able to assign RTP session parameters based on IP addresses contained within the SIP payload. Thus, when the SIP payload goes through a NAT box and the payload is not modified accordingly, the RTP session rarely works out right. Owen --On Wednesday, October 29, 2003 11:03 AM +0000 Simon Lockhart <simon.lockhart@bbc.co.uk> wrote:
No.
Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks.
Plenty of UDP based apps work over NAT.
Simon
On Wed Oct 29, 2003 at 10:57:35AM -0000, Dave Howe wrote:
Avleen Vig wrote:
If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well. IPSec, SIP/VoIP or almost anything that relies on UDP borks on NAT, doesn't it?
-- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: Simon.Lockhart@bbc.co.uk | id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
-- If it wasn't signed, it probably didn't come from me.
No. IPSEC and SIP break because their payloads include information that is dependent on the IP address header. In the case of IPSEC, this is to support end-to-end authentication and avoid certain kinds of man-in- the-middle attacks. In the case of SIP, it's because SIP is a call setup protocol which facilitates the creation of an RTP session. It's much the same problem as FTP. The reason FTP doesn't BORK is because most NAT gateways understand about the need to proxy FTP and because PASSIVE mode FTP doesn't have the same call-setup problems. In the case of IPSEC, there is an IPSEC standard for NAT traversal. It allows for a slight compromise in the end-to-end security while still preserving most of the capabilities of IPSEC. UDP works just fine through NAT, as evidenced by DNS and other protocols that aren't inherently broken with NAT. (Of course, DNS could suffer from the same effects as SIP on some levels since the contents of the DNS A record answers may be dependent on an un-natted world). Owen --On Wednesday, October 29, 2003 10:57 AM +0000 Dave Howe <DaveHowe@gmx.co.uk> wrote:
Avleen Vig wrote:
If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well. IPSec, SIP/VoIP or almost anything that relies on UDP borks on NAT, doesn't it?
-- If it wasn't signed, it probably didn't come from me.
Owen DeLong wrote:
It's much the same problem as FTP. The reason FTP doesn't BORK is because most NAT gateways understand about the need to proxy FTP and because PASSIVE mode FTP doesn't have the same call-setup problems.
Passive mode has the same problems that PORT FTP does. It just pushes the problems to the server end. If you put a FTP server behind a NATed address, you'll need to proxy PASV (and also inverse to the client behind NAT, PORT needs none at the server end). -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com
On Wed, 2003-10-29 at 05:28, Avleen Vig wrote:
imagine a network without NAT. I stopped counting applications that are struggling/breaking with NAT... But many people still believe rfc1918 and NAT are a cool thing because they just got used to it...
They're a cool thing for other reasons. If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well.
At that point, so does application layer proxying. *shudder*
There's also no *need* to use public IP's on a private internal-only network either, so it makes little sense to do so.
Ever tried to setup connectivity between the internal networks of two different companies who both use the same RFC-1918 range internally? VPN or PtP link, it's not fun either way, and usually involves heavy packet mangling or renumbering the smaller (or less important politically) side of the connection.
The way I see it, there are a lot of reasons not to use IPv6..
Other than the new hardware investment, what? It's not really worse than IPv4, and lets us get rid of this damned RFC-1918 stuff, even if you end up changing (pointlessly) the source IPv6 address of your packets, at least your network is internally uniquely numbered. I'm tired of having to work around NAT limitations for SIP, IPSEC, and all the other innovative stuff people haven't even bothered to publicly release because it's horribly broken by NAT and they don't want to support it. I'm tired of meticulously configuring my peer to peer clients to work with my NAT, because the other guys don't configure theirs to and I can't download anything. I want my end to end back. -Paul -- Paul Timmins <paul@timmins.net>
Andy Dills wrote:
Technologies like NAT and efforts to reclaim poorly assigned address space have a large negative pressure on the increase of IP utilization. As more and more "appliances" need IP addresses, people will realize more and more that the last thing they want is those "applicances" on public IP space.
It seems that the Internet will take the "switchboard lady" detour due to misguided thinking like the one above, mostly due to the fact that a major OS explodes when it touches the Internet. Fortunately hardly any of these "applicances" have this OS.
How about a protocol that eliminated the need for BGP, while simultaneously making every address portable? That, to me, would be The Answer. Not that it seems possible given what we currently know, but 20
This protocol is called HIP, right? (Host Identity Payload)
Does anybody honestly think companies will commit the capex needed to implement IPv6?
Yes. Investment in information technology hardly ever makes sense. If it would, market share numbers of various ICT products would look wildly different.
I know this thread keeps on coming up...but I don't see any positive momentum for IPv6, and if the people of this Esteemed Forum can't agree that IPv6 is something that must happen ASAP, how will the PHBs (those who control the money) and the customers (those who control demand) ever be convinced?
Because they heard somebody from Gartner, IDC, etc. so say so.
Hell, I can't even convince myself that IPv6 is neccessary. Is anybody out there totally sold on IPv6, enough to evangelize it to anybody willing to listen? I mean, IPv6 is no CIDR...
You are smarter than many of them. Like most of the readers here. Pete
On Mon, Oct 27, 2003 at 04:10:26PM -0500, Andy Dills wrote:
Technologies like NAT and efforts to reclaim poorly assigned address space have a large negative pressure on the increase of IP utilization. As more and more "appliances" need IP addresses, people will realize more and more that the last thing they want is those "applicances" on public IP space.
Does anybody have statistics for assigned-but-not-announced space? I'd be willing to bet there will be more and more dead space over the years, and in fact quite a bit of "increasing usage" is just churn.
http://www.potaroo.net/ispcolumn/2003-07-v4-address-lifetime/ale.html This is actually a pretty good write-up about the IPv4 address lifetime by Geoff Huston. It has some graphs that compares BGP to actually assigned space comparisons. Makes very good reading about all this. -- Cliff Albert | RIPE: CA3348-RIPE | https://oisec.net/ cliff@oisec.net | 6BONE: CA2-6BONE | PGP Fingerprint = 9ED4 1372 5053 937E F59D B35F 06A1 CC43 9A9B 1C5A
participants (14)
-
Andy Dills -
Avleen Vig -
Cliff Albert -
Crist Clark -
Dave Howe -
Greg Maxwell -
Jack Bates -
Owen DeLong -
Paul Timmins -
Petri Helenius -
Richard Welty -
Simon Lockhart -
Stefan Mink -
william@elan.net