Crims set up fake companies to hoard and sell IPv4 addresses

IPv4 addresses are now so valuable that criminals are setting up shell companies so they can apply for addresses, then resell them to users desperate to grow their networks. Criminals are doing so because there are no more IPv4 addresses left: the American Registry for Internet Numbers (ARIN) ran out in September 2015. ARIN …


  1. Marcel
    FAIL

    Own fault

    IPv6 development started 20 years ago or something. That was for a reason. If we started migrating to IPv6 10 years ago, IPv4 address scarcity would be a non-problem. Oh well, human nature...

    BTW: theregister.co.uk --> IPv4-only

    1. Roland6 Silver badge

      Re: Own fault

      IPv6 missed its opportunity by not being ready in 1995, when the world went "Information Superhighway" and "Worldwide Web" mad. But then MS almost missed it as well and had to do a rapid repositioning of the Win95 launch.

      In some respects IPv6 is an object lesson in thinking you have plenty of time to resolve a problem and events beyond your control prove you wrong...

      This article, one of many on the Internet, contains some now laughable forecasts "She speaks of having seen independent assessments from universities forecasting as much as 50% IPv6 traffic soon after June 6 [2012]"

      http://readwrite.com/2012/06/06/the-tortured-history-of-internet-protocol-v6/

      1. Yes Me Silver badge

        Re: Own fault

        Fact 1: the first commercial IPv6-capable operating system was AIX in 1996. If all vendors had reacted as quickly as IBM, it could have been done before the WWW took over the universe.

        Fact 2: the IPv6 standards work officially started in July 1994. The idea was to get it done before the killer app came along. But in another room at the same IETF meeting, the HTML BOF took place.

        Curse that Berners-Lee for inventing the stupid killer app too soon.

  2. Missing Semicolon Silver badge
    Thumb Down

    Arrogant architects

    If only IPv6 had not been so borked by the academic Ivory-tower-dwellers, we'd be using it now. The insistence on ripping everything up, and creating something for IoT, instead of an enhancement for IP addressing has led to huge market resistance.

    1. Gerhard Mack

      Re: Arrogant architects

      No matter what they had done, there would have been market resistance. The reality is that most suggestions to "extend" IPv4 don't take into account that the IPv4 address is a 32-bit integer in the header, so you cannot easily just extend it, and suggestions for adding a "feature flag" that lists an extended address in the header would only have slowed packet processing down for all time.

      Once it was established that there was no easy way to extend IPv4, they set out to make sure the transition wouldn't need to happen again any time soon by extending the address space to something huge and went about fixing some of the known design flaws in IPv4.

      At any rate, having worked for two ISPs, I can tell you most of the market resistance has been waiting for the IPv4 addressing to become a problem. "It's not a problem right now, we need to concentrate on more immediate issues." Never mind that IPv6 is not difficult to set up and coexists without trouble with IPv4. And naturally, now that we have hit IPv4 address exhaustion and the addresses are becoming expensive, we are starting to see adoption. According to Google, the number of IPv6 users worldwide has been increasing, and the US has hit 27% adoption.

      1. Phil O'Sophical Silver badge

        Re: Arrogant architects

        suggestions for adding a "feature flag" that lists an extended address in the header would only have slowed packet processing down for all time.

        Not necessarily "for all time". The problem is the complete lack of compatibility between v4 and v6. It wouldn't have been impossible to develop a model where v.new was the desired endpoint, but there was a hacky v.intermediate which could handle old and new formats. A staged rollout could then have allowed an upgrade to intermediate, probably with a "feature flag" hack, and then a later move to v.new, without ever needing to make the massive forklift-upgrade that has made IPv6 well-nigh impossible to implement for existing, non-technical, users.

        They managed it for phone numbers, going from "01 is London" to "01 is geographic", etc. It wasn't easy, multiple changes were required, but hardly anybody had to buy new phones.

        I strongly suspect that for basic, cheap, home broadband, we're going to see CGNAT as the technology of choice for the next decade or so.

        1. Gerhard Mack

          Re: Arrogant architects

          They managed it for phone numbers because none of the call routing is done by the actual phone.

          As for IPv6, it is no harder than IPv4 for non technical users. In fact, a couple of weeks ago I had a friend discover he was running IPv6 without even knowing about it because his ISP (Roger's Cable in Canada) rolled it out without telling anyone. The only reason it wasn't done years ago is because the ISPs couldn't be bothered until it became a problem.

          If you look at the Worldwide Google IPv6 stats, it's clear that the non technical users are having the easiest time of it, since IPv6 as a percentage of traffic is lower during the week (9.8% vs the weekend 12%). Another nice thing about that graph is that it shows accelerating adoption (Jan 2014 2.5%, Jan 2015 5.82%, Jan 2016 10.4%). At that rate, I doubt IPv4 will be much of an issue in 10 years.

          1. Anonymous Coward
            Anonymous Coward

            Re: Arrogant architects

            As for IPv6, it is no harder than IPv4 for non technical users.

            Really? And how do I connect my IPv4-only devices to an IPv6 network? It's the curse of dual-stack, you can have a foot on each side, but there's no backwards compatibility. You need to run dual stack everywhere to get full connectivity.

            At that rate, I doubt IPv4 will be much of an issue in 10 years.

            I'd put a substantial amount of money on IPv4 still being the major model in 2026.

        2. Yes Me Silver badge

          Re: Arrogant architects

          " hacky v.intermediate which could handle old and new formats."

          No, it's mathematically impossible to do that except with a dual stack model, and guess what, that's the model that was chosen in 1994 and works well to this day, for ISPs that have bothered to deploy it. Any amount of address extension, even by 1 bit, creates the requirement for a dual stack model - because of the basic design of IPv4.

          The problem was *entirely* that the killer app came too soon, which has led us to the need for an expensive retro-fit. Ongoing. Lame ISPs will eventually get the message.

  3. sysconfig

    Dormant networks, unvalidated contacts

    Surely ARIN itself could do the crims' job much easier, repossess orphaned and dormant address ranges and therefore delay the inevitable depletion of available IPv4 space a little bit further?

    It's of course not a solution to the problem (slow IPv6 uptake), but would buy some time and remove a market for criminal extortion schemes.

    1. Gerhard Mack

      Re: Dormant networks, unvalidated contacts

      They have been trying to reclaim the unused address space. The problem is that before IANA, ARIN, etc. the address blocks were owned by whoever was given the IP block, so contractually ARIN can't really do much. The best they do now is, on reassignment of IP blocks, they try to get the new owner to agree to the new rules where you rent the IPs and lose them when you don't comply.

  4. Peter2 Silver badge

    IPv4 addresses can't be scarce.

    When I set up a remote office and want a static IP, my ISP insists that I have a block of 4 IPs for EACH OFFICE if I want a static IP. Can I use the existing IPs that I already have? No. I have an office which has two lines in from separate suppliers since it absolutely can't be down. The office has more assigned IPv4 addresses than it has staff.

    Shortage, what shortage? I have literally dozens of IPv4 addresses that I neither need nor want but am forced to have if I want a static IP for an office firewall for VPNs etc. I can't help but think that if IPv4 scarcity was being taken a bit more seriously, when I want one single IP address then the suppliers wouldn't obsessively insist on giving me four.

    Then again, this might be another one of those "is it me, or is it everybody else" things.

    1. Blitheringeejit
      Boffin

      IP addresses CAN be scarce...

      ...if you're a newcomer to the market. ISPs (and countries) who got in early reserved vast IP4 ranges which are still under-used, so IP4s are handed out like sweeties to the customers and residents of those ISPs and countries (including me). But if you were late to the party, you can't reserve any new ones, cos they've all gone.

      @sysconfig makes a good point - ARIN should be finding and re-allocating dormant addresses before the crims get their hands on them.

      But it would also be nice if some networks which use huge ranges of public IPs could implement some NAT and make better use of smaller address space. It's a bit of a culture thing - here in the UK most LAN PCs are NATted, but (if I understand it correctly from what I've been told) most North American colleges etc use public IPs for every client PC on their LANs.

      Is that the case, and if so, could we ease the pain by pushing NAT into those places, and offer a reward for freeing up IP ranges? There would be a lot of rerouting to do, but if there's sufficient moolah in IP4s for the crims to get involved, surely it would be worth a go.

      1. Vic

        Re: IP addresses CAN be scarce...

        But it would also be nice if some networks which use huge ranges of public IPs could implement some NAT and make better use of smaller address space.

        But that's not going to happen.

        I used to work for a large networking company. We had vast gobs of IPv4 space. Internal PCs all had non-reserved IP addresses - I almost wrote "globally routable", except they weren't; they were all firewalled at the perimeter. So there we were, consuming all that address space without actually using it for accessing the Internet at large.

        Of course, some of us acted up about this, suggesting we move everyone onto reserved space and NATting at the perimeter - which was essentially the model we were using anyway. But that would mean change, and change means cost, and the beancounters said no.

        And therein lies the problem: there is no penalty for these companies to hang on to all that address space, and there is a cost to "doing the right thing", so until and unless we can make it a shameful act to keep it, that's what will happen.

        Vic.

    2. Fatman

      Scarce IPv4 addresses.

      I had a similar situation at a former employer. We needed only 3 IP addresses, and they gave us 8. Crazy, huh!

      BUT, if you remember your basic networking with subnets....

      a block of 4 contiguous IP addresses represents a net mask of /30.

      a block of 8 contiguous IP addresses represents a /29.

      a block of 16 contiguous IP addresses represents a /28.

      and so forth.

      And when you deal with subnets...

      an all bits zero after the net mask is the network address,

      all bits one is the broadcast address,

      and everything else in-between are available for assignment.

      Thus the wastage.
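The subnet arithmetic in the post above, worked through as an added example (not code from the thread or from any commenter): network and broadcast overhead per block size, the smallest classic block that covers a given demand, and the addresses burned versus handing each customer a single address. The 203.0.113.0/24 addresses are the documentation range, chosen here as constructed sample input.

```python
import ipaddress

# Added example: classic IPv4 subnet accounting with the standard-library
# ipaddress module. Sample addresses come from the 203.0.113.0/24
# documentation range and are constructed for this illustration.


def subnet_accounting(cidr: str) -> dict:
    """Network address, broadcast address and usable host count for one block."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    total = net.num_addresses
    if net.prefixlen >= 31:
        # A /32 is a single host route and a /31 is a point-to-point link
        # (RFC 3021): neither burns an address on network or broadcast.
        return {"prefix": net.prefixlen, "total": total, "usable": total,
                "network": None, "broadcast": None}
    # Classic subnet: host bits all zero = network, all one = broadcast,
    # everything in between is assignable.
    return {"prefix": net.prefixlen, "total": total, "usable": total - 2,
            "network": str(net.network_address),
            "broadcast": str(net.broadcast_address)}


def smallest_classic_block(hosts_needed: int) -> int:
    """Prefix length of the smallest classic block whose usable count covers
    the demand, under the rule that nothing smaller than a /30 is handed out."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    for prefixlen in range(30, 0, -1):
        if 2 ** (32 - prefixlen) - 2 >= hosts_needed:
            return prefixlen
    raise ValueError("demand exceeds a single block")


def wastage(hosts_needed: int) -> dict:
    """Addresses consumed and burned when a demand is met with a classic block."""
    prefixlen = smallest_classic_block(hosts_needed)
    total = 2 ** (32 - prefixlen)
    return {"prefix": prefixlen, "total": total,
            "wasted": total - hosts_needed,
            "efficiency": hosts_needed / total}


def compare_allocation_models(demands: list) -> dict:
    """Total address consumption for a set of customer demands: one classic
    block each versus one /32 per needed host (a long-lease or routed single)."""
    classic = sum(wastage(d)["total"] for d in demands)
    per_host = sum(demands)
    return {"classic": classic, "per_host": per_host, "saved": classic - per_host}


if __name__ == "__main__":
    for cidr in ("203.0.113.8/30", "203.0.113.0/29", "203.0.113.0/28", "203.0.113.7/32"):
        print(subnet_accounting(cidr))
    # Three addresses needed: a /30 only yields 2, so a /29 (8 total) is issued.
    print(wastage(3))
    print(compare_allocation_models([1, 1, 3]))
```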

      1. Peter2 Silver badge

        Re: Scarce IPv4 addresses.

        Yeah, but if I want a connection on a static IP then the ISP does not *need* to assign me an entire subnet. My home ISP just sets the DHCP lease for the IP to an infinite duration which means that it doesn't change. I'm quite happy with this.

        I have one site where the ISP set things up in a similar way. Again, since I can just present this IP directly to the firewall it's not an issue. I have explained this to people at the other ISPs and yet they still insist upon selling me (very cheaply!) a small block of IPv4 addresses that I neither need nor want, contributing to the exhaustion of available IPv4 address space.

        1. Anonymous Coward
          Anonymous Coward

          Re: Scarce IPv4 addresses.

          But that isn't a static IP? That is still a dynamically assigned IP address with a long lease, it's not even a DHCP address with a reservation (which would probably have been better). However, if that DHCP server stops responding or a new one is started up (without being clustered and the reservation, or in your case, the client lease details being copied across) or you change your modem/router etc etc then you may lose your 'static' IP.

          However it is still possible to assign a single real static IP to a customer.

    3. kpanchev

      Have you thought that it might be because if you need an IP address for your own private use, they need to give you a network? The smallest network has 4 IP addresses from which you can use 2. If they just give you one IP address, it will be on a network with other IPs and thus accessible from other users. Surely you don't want this, do you? (Unless you are running a public server, then you can do with 1 IP accessible from everyone)

      1. Sandtitz Silver badge
        Stop

        @kpanchev

        "If they just give you one IP address, it will be on a network with other IPs and thus accessible from other users. Surely you don't want this, do you?"

        Why would this be a problem? The ISP likely filters broadcasts and prevents using other users' IP addresses, and everyone is expected to use NAT and/or firewalls in any case.

      2. Unicornpiss
        Alert

        "Static" IP...

        As a side note to all those that have paid good money for static IPs, my IP did not change for over 8! years from my leased cable modem connection, which uses DHCP. True, when I replaced my router I cloned the old MAC, and if I wanted to change my public IP, a little experiment showed that I could change it at will by changing the MAC and restarting the modem, then reclaim my old IP (I did not wait long enough for the lease to expire) by simply reverting to the old MAC. So my provider was apparently treating their public network more like an internal corporate network than what I would have expected an ISP to do. Not sure if this was due to apathy or just an abundance of IPs to hand out.

        My IP finally changed when the cable company changed some of their switchgear to support a higher speed connection for customer nodes. Having only had a couple of different providers since broadband became available, I was wondering how prevalent this is.

      3. patrickstar

        The proper, and well-established, way to fix this is to use Proxy ARP and either port protection or one VLAN per customer. Then all traffic will pass through the network gateway even though the IP addresses are in the same subnet.

  5. Anonymous Coward
    Anonymous Coward

    Some UK ISPs now only offer new users a unique IPv4 address - whereas previously you could opt for a NAT mechanism. It is annoying when you are sitting on an IPv4 address that is never needed for any unsolicited incoming traffic. In fact it probably lowers your security - as it offers a fixed correlation with the email domain name for anyone who might have nefarious intent.

    1. Mr Flibble
      Boffin

      Whut? You'd actually want CGNAT? I'll take a public IPv4 address, NAT that locally (as you'd do anyway, unless you should happen to have enough!) and an IPv6 block of 65536.

      Incoming traffic gets firewalled (with holes as needed); and should there be an incoming DDoS, I expect my ISP to take care of blocking it. Regarding linking a domain with an IP address ‒ well, the IP address doesn't offer that correlation. DNS does.

    2. Anonymous Coward
      Anonymous Coward

      NAT does NOT improve security, despite all of the mis-information. What improves security is a stateful firewall with a good ruleset.

      All NAT does is give a false sense of "security through obscurity" and breaks the fundamental concept of end-to-end communications that IP networks were intended for, thus breaking numerous protocols that then need hacky workarounds. It gets worse the more layers of NAT you add - so CGNAT and then your own NAT is just plain nasty...

  6. Chewi
  7. chivo243 Silver badge

    It's finally come to pass

    I knew that the IPv4 pool was getting shallow, and the last remaining numbers would be hard to come by. Now the dormant numbers are in demand. I remember reading about big institutions having huge blocks of unused numbers... MIT, Stanford, Apple, the US Gubbermint etc I bet those addresses will continue to go unused.

    1. Fred Dibnah

      Re: It's finally come to pass

      I read somewhere that Yale Uni has more addresses than China.

      The UK Govt Department of Work & Pensions has a class A range - why??

      And who decided to waste 16 million addresses on an internal loopback?

  8. xeroks

    and don't forget the radio hams

    They have 16,777,216 addresses all to themselves..

    https://en.wikipedia.org/wiki/AMPRNet

    1. Mage Silver badge

      Re: and don't forget the radio hams

      A mere drop in the IP4 ocean, for world wide use, compared to greed of many USA Corporations and almost all USA Universities.

      1. xeroks

        Re: and don't forget the radio hams

        "A mere drop in the IP4 ocean"

        I know "hobby" doesn't adequately describe ham radio, but it is 1/256th of the whole internet for a single, niche purpose.

        Don't get me wrong, I'm not suggesting the status quo is wrong in this regard, or that ham radio is not important. I don't even know what they need all those IP addresses for.

        Knowing the ham radio lot, the IP address block was squirrelled away at the start of the internet specifically to act as a reserve tank of IP addresses should the day come that we really ran out - they'd have guessed that it would take till 2020 for the uninvented IPv6 to come into common use.

      2. hellwig

        Re: and don't forget the radio hams

        USA! USA! USA!

        My employer is working to release some of their block, and I think major universities have also started rolling-back (didn't Stanford or someone give back their Class A)?

        I do have to question what the DoD needs with 13 class-A blocks. I assume they're keeping enough IPs around to DDoS the world?

        Looking at this chart: https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks, there are many inefficiencies in the original IPv4. Does anyone use multicast? Why does it have 15 blocks? And future use? Another 15 blocks. That's almost 12% of the entire IPv4 address space, reserved for nothing.

        1. Anonymous Coward
          Anonymous Coward

          Re: and don't forget the radio hams

          We use multicast extensively, however it is only the private range.

          Multicast could be very useful for public broadcasters, but it seems that this has been overtaken by CDNs and requiring network (rather than local) pause/rewind facilities.

          The England/Wales game on BBC iPlayer may have actually been watchable if they'd used multicast for their live broadcasts (and all ISPs supported it - no reason why they shouldn't, I've not seen any infrastructure switches that don't have the relevant IGMP snooping).

          Alas, you're probably right and there is little public use, outside of the few specialist IPTV companies, in reality, but the intention was good and worthy of trying in a low bandwidth era.

  9. Mage Silver badge

    then resell them to users

    Is it actually illegal or immoral?

    1. allthecoolshortnamesweretaken

      Re: then resell them to users

      Well, that's free enterprise for you.

  10. Anonymous Coward
    Anonymous Coward

    ARIN did nothing to verify who owns IP blocks.

    Why, if nobody responds to validations, aren't assigned blocks revoked and made unroutable?

    Spamhaus got Verizon routing "dormant" blocks back in February: https://www.spamhaus.org/news/article/726/verizon-routing-millions-of-ip-addresses-for-cybercrime-gangs

    I have to renew and pay for my domain, I have to ensure there are DNS entries and at least a landing page. Companies may own thousands of IPv4 addresses without ever being checked to see if they still exist?

    Did ARIN notice the XX century is over?

  11. MarkDelaney

    ARIN could identify the 'dark' IP ranges themselves and allocate them legitimately without the need of setting up shell companies and registering domains. Though I suppose there is no money to be made doing this as presumably ARIN can't sell IPv4 address space.

    1. Alan Brown Silver badge

      "ARIN could identify the 'dark' IP ranges themselves and allocate them legitimately "

      No, ARIN can't. It doesn't own them. Jon Postel handed them out and he's dead, so unless you're a medium it's hard to unilaterally cancel the allocation.

      ARIN only owns the ranges it inherited when it was set up. Everything else (which is the first 64 class A ranges at least) it can only take if freely given.

  12. JamieL

    So the crims are smarter than the corporates - who'd have thunk it?

    Bet ARIN are kicking themselves for not doing that: spotting the dormant blocks, tracing them through their ISPs and asking them if they still needed them.

  13. Dwarf

    Irony

    It's a bit ironic that IPv6 was designed to co-exist in a dual-stack manner with IPv4 to allow easier migration from one to the other. The impact is that nobody wanted to move first, hence the stalemate that largely exists today.

    For all the FUD, IPv6 isn't hard to get your head around, only layer-3 really changed. People claim the addresses can be hard to read, but often they are just as short as equivalent v4 addresses - e.g. 2001:db8:1234::1, or ::1, and anyhow, DNS still works, so why bother remembering addresses in the first place !!

    Grab a Raspberry Pi, sign up for free with Hurricane Electric or SixXS and get yourself a free /64 to play with - followed by the free /48 so you can play with address layout / VLANs in IPv6.

    If more move forwards to IPv6, then the scammers won't have any need to be there scraping up the dregs of an empty barrel.

    I agree with @marcel that El Reg should have done the IPv6 change long ago ... c'mon chaps, you could even sort out the lousy web design at the same time !

    1. Stevie

      Re: Irony

      And sort out the idiocies with the app.

    2. -tim

      Re: Irony

      I've given a few talks to local IT groups about IPv6. The way I deal with the /64 /56 /48 stuff is by using the same wrong info that is in every networking book since 1993. An IPv6 class C is a /64. You have 64 bits of a network address and 64 bits for your host, and this is the smallest you allocate to your local LAN (so yes, you can have 18 quintillion hosts on your local LAN). Auto configuration will use the host's MAC address to fill up that 64 bits (with 16 bits of padding in the middle), or you can assign hosts statically so their addresses end in nice readable stuff like ::1. The /56 is like the old class B where you have a (smallish) network of networks, and a /48 is like the old class A when a large network of smaller networks of smaller networks is needed. It is also helpful to look at the :: in the address as a division between the network side of things and the host side of things, even though it technically just means "put as many zeros as can fit here".

    3. Vic

      Re: Irony

      sign up for free with Hurricane Electric or SixXS and get yourself a free /64 to play with - followed by the free /48 so you can play with address layout / VLAN's in IPv6.

      SixXS is no longer allocating subnets. There was a stroppy email about it a few weeks back - it's an attempt to force people to badger their ISPs to support IPv6 natively.

      El Reg should have done the IPv6 change long ago

      I'd rather El Reg concentrate on getting HTTPS working...

      Vic.

  14. Anonymous Coward
    Anonymous Coward

    Do ISP IPv6 implementations support NAT?

    There was a time when there were objections to having every IPv6 LAN device uniquely addressable by the outside world.

    1. Dwarf

      ISP NAT

      @AC

      The ISP generally doesn't do this in IPv4, your router does - unless you are "lucky" enough to have carrier NAT. Anyhow, the NAT only hides your LAN behind your public IP address and a quick reverse DNS lookup shows your provider / other details, so NAT isn't a security mechanism.

      In IPv6, you can translate to a different address / single outbound address if you want. The standard isn't official and it breaks end-to-end comms that might actually be helpful.

      What you actually need is a good IPv6 firewall to accompany the existing IPv4 one you already run. The risks are different, but so are the benefits.

      You can dynamically change your address regularly in IPv6 if you want to.

      You can set the MAC address to be the bottom end of your IPv6 address if you want to.

      Choose what works for you.

      Next time it's raining and you are bored, take a look at IPv6 and see that it's not that complicated.

      1. Anonymous Coward
        Anonymous Coward

        Re: ISP NAT

        "What you actually need is a good IPv6 firewall "

        and that is the key problem - most home routers etc are CRAP - and even worse, home users can't be bothered to configure things properly. Home users often don't even understand WHY it's not a good idea to have things locked down. You have no idea how many times I've had my stepson complaining that "sites he needs" are not accessible at home when they are at so and so's...

        Add in crappy IOT devices that are wide open to hacking and you've got a massive headache waiting to happen...

        Even worse is the fact that the world and its dog are all starting to standardize upon IP as the valid transmission protocol... your alarm system USED to use DVACS or dialup to reach the monitoring centre - now it's using IP to talk - and when you suddenly have something that's FULLY accessible from the world because your home router is poorly configured/poorly patched, it's just a massive breach waiting to happen...

        I for one don't WANT my old printer being routable from the world - and I most definitely would prefer not to rely on a dlink/asus/netgear etc home router to protect an IPv6 network from being hacked...

        1. Dwarf

          Re: ISP NAT

          @AC

          So, you've defined the situation of a badly configured / non-existent firewall.

          Is that problem any different if you note that I didn't say if this was IPv6 or IPv4 ????

          A badly configured / non-existent firewall is just that, irrespective of the version of IP

          I agree that most current generation (free with the £4.99/month internet service) routers are crap, but again that applies equally to IPv4 as well. You get what you pay for.

          You have several choices - either get a better router, flip it to dd-wrt or openWRT if it will support it, or as I originally said, get a Raspberry Pi and do it on that. This way it doesn't matter what your current router is as what goes out the front door is an IPv4 frame to HE or SixXS much like any other VPN tunnel.

          You can now quite happily do whatever firewall configuration you want.

          LAN to Internet with no inbound connections - check

          No access to my IoT device - check

          No access to the old printer (probably IPv4 only) - check

          No access to the new printer with IPv6 - check

          So, once again, where's the problem ????

          The user training issue I can't fix, nor the fact that most ISPs are lazy and looking for the volume market, not the technical market, but this is a technical web site, right ???

          When the cheapo ISPs can't retain customers as the new/hip sites are all on IPv6, they will either die out, or up their game to maintain their customer base. This goes back to my original statement that a parallel run of IPv4 and IPv6 was supposed to be the approach - not sit back and ignore the problem.

          Is this any different to ignoring that grinding problem on your car rather than getting it fixed ???

          So, go and buy a Pi, go and play, then come back once you've realised how easy it is. There are plenty of sites out there that will help you to skill up.

          I assume you are not an "ordinary user", or you wouldn't be browsing this site in the first place !

    2. Alan Brown Silver badge

      "Do ISP IPv6 implementations support NAT?"

      Unequivocally: NO.

      You don't need NAT with IPv6. It (and dynamic address allocations) is a kludge that was hacked up for IPv4.

  15. Anonymous Coward
    Childcatcher

    IPv6 *is* hard

    I've spent quite a while with it. Here's a few things to ponder:

    You change ISP - then what? (hint: your ISP defines your prefix, i.e. your addressing across your network. ULA perhaps? oh that's sooo IPv4!)

    You have multiple WAN links ... (NAPT - hilarious and just like NAT)

    You want to define a firewall rule that says "from LAN" (for example). What the hell is "LAN" anymore? (hint: everything uses link local addresses on the same collision domain)

    The last one is a right giggle but should not cause snags because anything not using link local addressing hitting the router's LAN interface cannot have come from LAN. Probably.

    Now, I'd like you to imagine a router/firewall with four WANs, ~20 internal VLANs, ~50 IPSEC P1s, five OpenVPN servers and two IP stacks. Each firewall rule can be used to mess with routing as well as allow/deny/reject access (or mark packets etc etc etc). Routing can be to a single WAN or a failover/loadbalancer. Some outbound rules need to come before others to avoid dumping internal to external via an asymmetric route. There's a ridiculous number of NAT rules. There are no any - any rules. It works OK but it is bloody complicated and needs regular auditing from in and out.

    1. Dwarf

      Re: IPv6 *is* hard

      @gerdesj

      No, it's not hard.

      Option 1: IPv6 is able to auto-configure if you change ISP, so the prefix may change, but the delegated address space can remain the same. Read up on prefix delegation. This works well for home, small sites or larger sites if it's implemented right.

      Option 2: Like IPv4, you can get provider independent (PI) address space, so it doesn't change if you change ISP - if you prefer to do it that way, it's a choice thing.

      If you have multiple WAN links, forget about NAT, just think about routing - it's just two different paths to the same network. NAT is not necessary in IPv6, it was a bodge for IPv4.

      LAN is everything to the right of the /48 (or /64), that is everything that's been delegated to you. Obviously you can break it down to one or more of the 64K VLANs / subnets / sites that you carve out of that /48 range.

      Link local - the giveaway is in the name, it's a secondary address that is only valid on the same LAN segment (they are not routable). The delegated address ranges that don't start with fe80::/16 are used for Internet routable traffic. The only real difference here is that an interface can have more than one IPv6 address at the same time. Link local allows for Ethernet to be superseded in time.

      You are wrong on the "right giggle". Link local is for administrative purposes - things like router discovery, address discovery etc. Most traffic will not originate from this address, but from the delegated addresses once real addresses have been obtained. This is why link local is not routable outside the local subnet.

      On your last point. Forget about NAT (see previous point that it's not necessary), just do "ordinary" routing (to the 4 WAN links and other places). Use the 16 bits between the /48 and the /64 to carve up your network in some logical manner (the VLANs and other sites). Now you can do simple routing / firewalling as you desire.

      Yes it's a bit different to IPv4, but as I said before, it's not hard.
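The /48, /56 and /64 layout that -tim describes earlier in this thread, and Dwarf's point about carving the 16 bits between /48 and /64 into VLANs, as one added example (not code from the thread or from any commenter). It also builds the EUI-64 interface identifier that stateless autoconfiguration derives from a MAC (the "16 bits of padding in the middle"), and recovers the MAC from such an address, which is the reason privacy addresses exist. 2001:db8::/32 is the documentation prefix and the MAC 00:11:22:33:44:55 is a constructed sample value.

```python
import ipaddress

# Added example: IPv6 site carve-up and EUI-64 interface identifiers using the
# standard-library ipaddress module. The 2001:db8::/32 prefix is the
# documentation range; the MAC address is a constructed sample value.


def carve_subnet(site: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 LAN out of a /48 site using the 16 subnet-id bits between them."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    # The interface id occupies the low 64 bits, so the subnet id sits just above it.
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def subnets_in_site(site: str) -> int:
    """Number of /64 LANs a delegated prefix contains (65536 for a /48, 256 for a /56)."""
    prefixlen = ipaddress.IPv6Network(site).prefixlen
    if prefixlen > 64:
        raise ValueError("a LAN is a /64; nothing smaller can be carved into LANs")
    return 2 ** (64 - prefixlen)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): flip the universal/local bit of the first
    octet and insert ff:fe between the OUI and the device-specific half."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(lan: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfig address: the /64 prefix on top, EUI-64 id below."""
    net = ipaddress.IPv6Network(lan)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 derived address, or None if the
    interface id is not EUI-64 shaped (no ff:fe in the middle). Such addresses
    identify the hardware wherever the host roams, which is why privacy
    extensions (RFC 4941) rotate the interface id instead."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    site = "2001:db8:1234::/48"
    lan = carve_subnet(site, 0x10)            # VLAN 16 -> 2001:db8:1234:10::/64
    host = slaac_address(str(lan), "00:11:22:33:44:55")
    print(subnets_in_site(site), lan, lan.num_addresses, host, mac_from_address(str(host)))
```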

  16. Crazy Operations Guy

    Take back some of the /8 blocks some organizations are sitting on

    The US DoD has many (6.*, 11.*, 26.*, 29.*, 30.*, 214.*, 215.*, and others, none of which they actually have connected to the public internet...). HP has 2 (15.*, 16.*), GE has 3.*, Bell has 2 (47.*, 12.*), IBM 9.*, Xerox 13.*, Apple 17.*, MIT 18.*, Ford 19.*, Halliburton 34.*, Merit 35.*, DuPont 52.*, USPS 54.*, Boeing 55.*, Eli Lilly 40.*, Prudential 48.*, the list just goes on and on. None of those organizations need that many IPs, and most of them waste them on internal networks that aren't even connected to the public internet.

    There are probably 40 or so /8's that can be reclaimed and the registrants be given much smaller blocks. That is 671,088,640 IP addresses to free up. Even if those orgs still needed a /16 worth of address, that'd still be 668 million free ones added to the pool.
