IPv4 depletion: Threat? Danger? Crisis? Turning IPv6 Up and IPv4 Down
I was interviewed recently for an article in Tweakers. It’s a good article, but I think a shade of meaning was lost in translation between Dutch and English. Hence, I’d like to restate the article in my own words.
The nuance of meaning revolves around the words “danger”, “threat”, and “crisis”. Joost opened the interview asking me whether I thought that IPv4 depletion presented a threat, and whether the Internet was in danger. I replied that there was a crisis, but not a threat.
A “threat” is, per http://dictionary.com, “a statement of an intention to inflict pain, injury, damage, or other hostile action”. “Danger” is “liability or exposure to harm or injury; risk; peril.” A “crisis” is “a stage in a sequence of events at which the trend of all future events, especially for better or for worse, is determined; a turning point.”
In 1990, Frank Solensky pointed out that the classful approach then in use for allocation of IPv4 address space would have us running out of address space by 1994. The depletion of the IPv4 address space was a threat to every business that depended on the Internet, and a danger to the Internet itself. This was because there was a problem, and there was no solution for it. Businesses would die, applications like the World Wide Web, File Sharing, and YouTube-style video would never be developed, and the general improvement of our quality of life that we have experienced in the past 20 years would not have happened.
We, collectively, did three things: we changed the way that we allocated address space, we invented private address space and network address translation, which have helped us hobble along until the present, and we developed a new protocol with a new address space which we’re in the process of changing over to – IPv6.
Twenty-two years later, I think that IPv4 address depletion presents a crisis – we are at a point, due to IPv4 address depletion, where inaction is no longer an option. But it only presents a threat to those actors that fail to take heed; the fact that the IPv4 address space has been depleted in spite of the early-1990’s changes means that those actions were not sufficient for the long term health of the Internet or the businesses it serves. For those that recognize the crisis and take the indicated action, which is to deploy IPv6 in their networks and their services, the business of the Internet and the businesses that depend on it should continue robustly. So for the wise, there is no threat, and there is no danger. But there is a crisis, an event that requires action.
With that background, permit me to restate the article.
The exhaustion of IPv4 addresses is indeed a problem, but not a threat to the development of the Internet. It is not a threat because we have a replacement protocol that will support the services currently running on the Internet, and which indeed gives opportunities to develop new services that require a common global address space and would therefore not run well in the Internet of the past forty years.
The current situation can be compared to the “Y2K problem”, the problem we had leading up to the year 2000. Software supporting banks and other functions represented the year in a two-digit form; the “19” in the year number was assumed. At the point that “19” could not be assumed, when the year was rolling over into 2000, we had a crisis; software had to be found, changed, and verified, and large databases revamped, to represent the number of the year in four digits. But because people recognized the problem and took the indicated action, very few actual issues were reported in January 2000. The Internet has reached a similar point. We have a crisis, in which people need to deploy the new protocol and ensure that their services operate using it. Once they have done so, there is little reason to expect that there would be an ongoing problem.
RIPE NCC recently announced that they are down to their last IPv4 /8, as APNIC did in April 2011, and have instituted a policy of handing out IPv4 address space in a very restricted way. This, if you depend on a flow of IPv4 address space from your Regional Internet Registry (RIR; think APNIC, ARIN, RIPE, etc.), is a problem. The solution on the table is a transition to IPv6. This transition is underway as we speak; as of 8 June 2012, over half of the world’s 1000 largest ISPs have deployed the technology, more are in the process, and the roughly 7300 ISPs worldwide are taking steps in that direction.
And it isn’t limited to transit networks. Residential access networks including NTT, Free, Orange, Comcast, and Time-Warner are very public about their progress. Large content providers such as Google and Facebook have deployed it and run over IPv4 or IPv6 seamlessly and interchangeably. Mobile telephone operators such as T-Mobile and China Mobile are experimenting with IPv6-only networks (networks in which they have turned IPv4 off). Large enterprises including Bechtel, Cisco, and others have deployments in progress. Check http://www.kame.net; if the turtle dances, you and your network are among those happy campers – and you may not even know it.
Why are so many networks transitioning to IPv6? There are a number of reasons. For the ISPs, the alternative is to operate Network Address Translators within their own networks, which makes their businesses more complex and difficult to operate, and prevents their enterprise customers from offering services except through hosting providers. Networks in India, Africa, South America, and Central Asia have done this for years, and are moving away from it. For the Content Providers, whose lifeblood depends on being able to identify their subscribers and their current locations, Network Address Translation obscures basic business-relevant information. For the Mobile Internet, which has suffered with internal translation for years, it gives them the opportunity to simplify their networks. It enables enterprises to manage their networks more effectively – debugging with better visibility and allocating address space to LANs with fewer headaches and less overhead. And for residential broadband networks, which share aspects of each of those, a common address space grants them each of those benefits.
In addition, there is the threat – for each of us but especially for enterprise and residential users – of inaccessibility of content. If we deploy IPv6 networks, we can still reach IPv4-only content, if only through NAT64 translators. But if others turn IPv4 off or only have it behind NATs – carrier grade or otherwise – and we can only use IPv4 services, we will be unable to reach their content, for the same reason that we (mistakenly) think of IPv4 NATs as giving us security. We want to reach our customers and business partners, and we want them to be able to reach us, and address multiplexing prevents that. It is that threat that makes this a crisis. The Internet and the businesses that depend on it won’t die. The necessary result of inaction, though, might be compared to one losing one’s hearing without getting a hearing aid; the world in time becomes strangely silent and uninteresting as important voices are left unheard.
Permit a personal example. This past week, I installed a video surveillance system at my daughter’s home. The system advertises the capability of being accessed from an iPhone, Android, Mac, or PC, using the Internet and a Dynamic DNS service; that service is what made my daughter willing to spend $500 on the system. There’s a problem: my daughter’s ISP has a carrier NAT between her and the Internet, with the effect that the DDNS service can’t actually get to her DVR. Address multiplexing prevents her from using the service that sold her on the system. That, in a nutshell, is the crux of the issue. The Internet was intended and designed to offer such services, but with carrier NAT, it fails.
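The two preceding paragraphs describe why a service behind a carrier NAT is unreachable even though the DDNS provider dutifully records an address. The following is an added diagnostic example, not part of the original post: it compares the address a residential gateway holds on its WAN side with the address an outside party saw the DDNS update come from, flags RFC 6598 shared space (the pool carrier-grade NATs hand out) and RFC 1918 space, and separately checks whether the host has a global IPv6 address over which it can be reached without any translation. All addresses in the sample are constructed from documentation ranges.

```python
import ipaddress

# Ranges that mean "someone upstream is translating for you" (RFC facts, not page text).
RFC1918_PRIVATE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT inside pool
IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # link-local/ULA fall outside this


def classify_ipv4_wan(wan_addr, observed_addr):
    """Return (inbound_possible, reason) for an IPv4 service behind the gateway.
    wan_addr: address on the gateway's WAN interface; observed_addr: address an
    outside service (e.g. the DDNS provider) saw the update arrive from."""
    wan = ipaddress.ip_address(wan_addr)
    seen = ipaddress.ip_address(observed_addr)
    if wan in RFC6598_SHARED:
        return False, "WAN address is RFC 6598 shared space: carrier-grade NAT upstream"
    if any(wan in net for net in RFC1918_PRIVATE):
        return False, "WAN address is RFC 1918 private space: ISP NAT or another router upstream"
    if wan != seen:
        return False, "WAN address differs from the one seen outside: translation upstream"
    return True, "WAN address is global and matches what the outside sees"


def ipv6_global(addrs):
    """Keep only global unicast IPv6 addresses, i.e. ones reachable without translation.
    The 2000::/3 test is coarse: the documentation prefix 2001:db8::/32 passes it,
    which is why the constructed sample below can use it."""
    return [a for a in addrs
            if ipaddress.ip_address(a).version == 6
            and ipaddress.ip_address(a) in IPV6_GLOBAL_UNICAST]


def diagnose(wan_addr, observed_addr, ipv6_addrs=()):
    """Summarise reachability over both protocols. A global IPv6 address removes the
    translation obstacle; the gateway's firewall policy still decides what gets in."""
    ok4, why = classify_ipv4_wan(wan_addr, observed_addr)
    v6 = ipv6_global(ipv6_addrs)
    return {"ipv4_inbound_possible": ok4, "ipv4_reason": why,
            "ipv6_inbound_possible": bool(v6), "ipv6_global_addresses": v6}


if __name__ == "__main__":
    # Constructed sample: the ISP gave the gateway 100.64.12.34, while the DDNS
    # provider saw the update come from 203.0.113.7, the carrier NAT's public side.
    print(diagnose("100.64.12.34", "203.0.113.7"))
    # Same gateway once it also holds a global IPv6 address: reachable over IPv6.
    print(diagnose("100.64.12.34", "203.0.113.7", ["fe80::1", "2001:db8:1::10"]))
```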
With the rollout of IPv6, stateful network address translation, invented to facilitate multiplexing of IPv4 address space, will no longer be needed. Some fear that the Internet will become less secure as a result. The correlation of address translation with security, however, is a myth. By coincidence, translation imposes one kind of perimeter security policy; it makes it harder for (but does not really prevent) sessions initiated from outside a domain from entering the domain. That particular policy is far from universal, and it is not effective; a very large percentage of attacks originate behind the firewall. So, yes, firewalls that impose security policy are a useful security tool, but translation is neither necessary nor sufficient for the purpose.
Although a transition to IPv6 is necessary for the Internet to continue to expand, it will be some time before the IPv4 part of the Internet completely disappears. On the Internet, we do not throw anything away that quickly. Right now, we are in the process of a very typical adoption curve. The RIPE NCC reports that about 15% of the world’s networks are advertising IPv6 address reachability to themselves or their customers, a number that has grown dramatically over the past few years. When an adoption curve crosses about 28%, it generally becomes self-sustaining; Metcalfe’s Law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system, and at that point the value of interconnectivity itself drives further deployment. When an adoption curve reaches about 70%, we approach saturation, and the technologies that went before start to fall aside. For the Internet, that will likely be the point at which we start seriously discussing turning down IPv4 on the public backbone.
I estimate that we will reach 70% saturation in about five years. Why? That is the approximate half-life of equipment like laptops and residential routers. Right now, consumer operating systems including Mac OS X, Windows (Vista and later), FreeBSD, and Linux all support IPv6 natively; if you have bought your computer since January 2007, it is IPv6-capable unless you have intentionally turned that off. The consumer computers that do not include IPv6, at this point, include the Xbox, older mobile telephones, and Windows XP machines; XP will no longer be supported after April 2014, and even now XP users are pressured to upgrade. Residential gateways, however, are further behind; IPv6 in that equipment is a year to two years old, and some of it has residual problems. So we are really waiting for consumers to update equipment such as Linksys, Netgear, and D-Link routers, which is likely to happen during the normal lifetime of that equipment. The “normal lifetime”, with my squinted eye looking over my thumb, is about five years.
I get asked why IPv6 is not backward compatible with IPv4. The question misstates the real issue: IPv4 is not forward compatible with anything. We made the same mistake with IPv6, if it was a mistake; there is no easy way to replace it with a new protocol by tweaking the old. However, at the point that we use up the address space in IPv6, I suspect that requirements will have changed and we will need something dramatically different. If that is true, it’s unlikely that we could predict now what that “something new” would be. So, yes, at the point that we run out of IPv6 addresses a few thousand years from now, we will need a new protocol. But by then, I expect we will have already replaced IPv6 for other reasons entirely.