Public IPv4 drought: Verizon Wireless to stop handing out static addys Verizon Wireless will soon stop issuing public static IPv4 addresses to its business customers “due to a shortage of available addresses.” Instead, it will dish out persistent prefix IPv6 addresses. If you're a Verizon customer and you need a static public address for an IPv4-only device, you'll have to replace that hardware …
The article also said "business customers", and the point is really the M2M space, where there's the occasional server sitting behind the cellular modem. Verizon does/did, Sprint (the cellular division) does, T-Mobile and AT&T do for certain business accounts, and there's at least one European cellular operator with the capability but I can't remember offhand which one it is.
Given the security and unsolicited usage issues associated with assigning public static IPs to cellular devices (especially when there are servers/cameras/whatever M2M kit sitting on/behind them), using static private IPs and IPsec tunnels between the MNO/MVNO and the customer's sites has been the traditional workaround for a decade or so, as it's a rare application architecture that truly requires static public IP to function.
" and the point is really the M2M space"
Your experience may well differ from mine, but the first thing any connected device I've seen does is try connecting to some mothership somewhere; as such its IP address tends to be irrelevant. On the other hand, I've never seen any organization actually possessing fleets of connected devices that didn't have their mothership on some fixed URI, whatever IP that was pointing to being irrelevant again.
As for non-business, as a vanilla ISP customer I never had any static IPs - I just found a new free dyndns provider the other day after getting finally fed up once and for all with the atrocious torture that no-ip subjects its non-paying victims to.
@Dropbear, my experience does differ from yours, but that's probably because my job involves working with what you'd consider the outliers: M2M companies requiring "mobile-terminate" access to their devices. Riding existing TCP or UDP sessions inside NAT timeouts hasn't been a really satisfactory approach for many of my customers, and beyond that anything requiring nonlocal maintenance/configuration/polling/whatever gets a VPN to private-IP'ed devices of one flavor or another.
It will depend a lot on how you got it. If you got it before the registries stopped giving them away and moved to a rental model then yes, it's valuable.
The annoying part is, I know exactly how expensive a /24 is right now given that I'm working on a startup that needs a /24
Over the years much has been touted about ISPs and their lack of concern in upgrading and going IPv6 compatible. Some even denying it's a problem and a lot not knowing how to even respond to the query.
I guess the answer will be that when access to IPv6 becomes a challenge customers will have to walk from ISPs who can''t provide it. I doubt it'll be a problem in the main as it would be suicide for an ISP to be on the 'old' internet.
I'm sure some marketeers are already dreaming up ways to sell it as an enhanced service to the great unwitted.
I guess the answer will be that when access to IPv6 becomes a challenge customers will have to walk from ISPs who can''t provide it.
Or more likely: business who want to put content on the Internet, or have staff access their VPNs over the Internet from hotels all over the world, will walk to ISPs who can still provide them with IPv4.
And they will happily pay, because a single lost customer costs a lot of money.
It's the businesses who control the flow of money, not the ISPs.
Now how do customers in many places that have ISPs only offering IPv4 talk to you?
Stuff a tunnel broker or Cloudflare/CDN in front of it. Okay, more hassle than having a native dual-stack, but it works fairly easily for most web services.
Or, content providers could just get with the decade. I have literally this morning been introduced to a Server 2008 R2 box running IIS7.5. Which hasn't been touched since it was initially set up.
Scores F on SSLLabs and securityheaders.io because it offers SSL2/3 and TLS 1.0, but not TLS1.1 or 1.2 (it does actually need HTTPS - they do handle a small amount of sensitive user data, though nothing PCI related thank-fu..). It's vulnerable to every fashionable exploit except Heartbleed (DROWN, POODLE, BEAST, you name them). They were wondering why some people's versions of Chrome were throwing hissies with it.
But most crucially, IIS7.5 didn't support SNI - so they have a dozen or so sites running prehistoric "encryption" all consuming one-IP-per-certificate/domain.
I think I just found them 11 spare static IPs...
Indeed, this report reckons it's spotted >36.7milion IIS 7.x servers running in the wild. How many wasted IPv4 addresses could be salvaged by migrating to IIS8+ and enabling SNI? Not as many as if the US DoD gave back some of their /8s, but enough to let administrators run dual-stack a bit longer whilst ISPs slowly enable IPv6 for users!
So you get this static IPv6 address for your web server, OK.Now how do customers in many places that have ISPs only offering IPv4 talk to you?
That's why IPv6 has always been pushed as dual stack / parallel run / co-existence with IPv4, but with a higher priority to IPv6 at the OS level, so that a controlled cut over can be achieved, however as everyone has been playing chicken in the headlights of the oncoming train, it can only end in one of two ways.
The chicken moves and starts migrating.
The chicken ends up as a nice emblem on the front of the train.
Who's going to start reading up on IPv6 this weekend ?
Its not difficult to get to grips with, its just a little different to what you are used to.
That's why IPv6 has always been pushed as dual stack / parallel run / co-existence with IPv4, but with a higher priority to IPv6 at the OS level, so that a controlled cut over can be achieved
This is in part why I started an ipv4 to IPv6 NAT device. The theory behind it is you could map a range and when there was a DNS lookup, it would assign a temporary mapping. I have been just too busy at my main job to finish it.
"Who's going to start reading up on IPv6 this weekend ?"
Not me. My router doesn't actually have enough memory to run the IPv6 capable version of the firmware (yes, I've explicitly checked). My router works fine, I can actually forget it exists for extended periods of time, which is the highest praise any appliance can receive. Ergo for the foreseeable future IPv4 it is...
After having had the IPv6 conversation with all of the ISPs I deal with and coming up with a series "ya'what" and [tumbleweed] responses, I started checking IPv6 tunnel brokers. This way you can fully IPv6 your site and start getting some direct experience. The only thing you need to be aware of form the start is that you try and ensure that the tunnel access point is along the path that your IPv4 packets would be flowing anyway. No point using one in Germany when you ISP is connected to London.
If you go with he.net they also do a certification scheme that might help you skill up.
Meanwhile, back in the UK there is an ISP - Vodamoanfone actively wasting IPs ! If you make the mistake of getting a DSL line from them, they stuff you with mandatory use of the crappiest router I've seen for ages, and some "interesting" manglement decisions.
We have a customer (hence posting as AC) where we are having to "rent" a block of 8 IPs when only one is needed. Why ? Well the fixed IP you can have with the connection has a mandatory reverse mapping to something like static-xxx-xxx-xxx-xxx.vodafonexdsl.co.uk and they refuse to change this (even though I know from stuff that's happened before that they do in fact have the technical capability).
If a user needs to run a mail server, and set reverse DNS sensibly to avoid everything being labelled as spam, then the only option Vodamoanfone allow is to pay extra for a block of 8 IPs JUST so you can set the DNS for one of them.
Pure manglement "nickle&diming" customers, and forcing them to use up NINE Ips when just one would do - I wonder if RIPE would have anything to say about the practice ?
My ISP gave me a /48 by default, which is equivalent to a /16 in v4-world. Not that I use more than a /63. I could, in principle, change my home network to v6 only, at least for the laptops, android, a couple of servers, as my ISP runs a 4-to-6 service to map v4s in the Internet to temporary v6 addresses. No such luck for the blu-ray player and DVRs though. I guess it'll be a long while before new models of them become dual stack.
...came from the ludicrously long public addresses and the insistence that all internal addresses be external addresses. It's IANA's fault, they began the idiotic policy of beginning all registrations with 2001:0200::/23, then 2001:0400::/23, etc, so all public addresses start ugly and painful. Only in 2006 did they start allocating 2400::/12, 2600::/12, because everyone HATED the old scheme. Then ISPs do the same thing with their allocations, so you get to start off with something like 2601:201:8201:9390::/56 (my actual Comcast allocation) before you can even start using your own digits.
Then there was the constant drum-banging for a decade about how "NAT is evil, NAT is not security, NAT is a kludge." The entire reason that IPv6 is 128 bits instead of 64 bits is that NAT was supposed to go away forever, and we would all be in the glorious world where every network-connected device is public again.
Of course NAT is one layer of security, and admins actually don't think allowing all of their PCs to be publicly accessible for the latest vulnerability du jour is a good idea! The bad taste of that crusade and the related overengineering probably retarded IPv6's growth by a decade.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
