The Internet running out of IP addresses



HAL9000
07-02-2011, 11:17 AM
OK so the last five /8 ranges have been dished out and we're running out of IP addresses. People are now starting to rush around like Henny Penny and squawk "The sky is falling, the sky is falling".

Now I know that 4.3 billion addresses is a finite resource, especially when you consider that most devices are issued with a public address when connecting to the Internet, but do they really need that public address?

I will state here that my knowledge of what happens past my ADSL modem is vague but hear me out.

I have a small network here in my office. I have an ADSL modem that has a public IP address on the external interface. This connects to my firewall using private range IPs (192.168.x.x). My firewall in turn has a second subnet of private range IP addresses (192.168.y.x). And routing through two private range IPs works just fine.

So why cannot this occur at an ISP level?

OK, let me expand on this. Most of the non business clients, and some of the business clients I have do not need a public IP address. All they do is browse webpages, and check their emails. In most cases they only have one PC and maybe one laptop/netbook.

Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that gets a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

I am sure people with more knowledge than me will tell me why this can't or shouldn't be done. All I am doing here is posing a question born out of my limited knowledge of what happens at an ISP level.

Chilling_Silence
07-02-2011, 11:57 AM
I've wondered likewise too, but I'm not proficient enough in IP routing to know for certain.

I'm pretty sure though that once upon a time when I first had mobile data going to my Cellphone (Around 6-7 years ago now?) that my iMate Jam was given a private IP Address.

There could be other technicalities around things such as gaming, voice-chat (skype) etc, but for basic browsing and things it ought to be OK?

Still, I saw a good article this morning which described it like running out of car numberplates. Existing cars can still drive around just fine, it's not like the roads will suddenly explode.

Speedy Gonzales
07-02-2011, 12:15 PM
And (http://computerworld.co.nz/news.nsf/news/is-your-isp-ready-for-ipv6)

Erayd
07-02-2011, 12:56 PM
...but do they really need that public address....So why cannot this occur at an ISP level?

There are quite a few reasons why this isn't feasible as anything other than a stopgap measure - some of the more important ones are:
- TCP & UDP each have a maximum of 65535 ports per IP address. Every outgoing or incoming connection uses a new port, as does every process that is listening for an incoming connection. This means that there is a limit to the number of simultaneous connections that can be shared behind a single IP address.
- Legal compliance becomes a nightmare, as customers can no longer be associated with a single IP. This means that it's no longer enough to simply log which IP is assigned to a particular customer; instead the full netflow data must be logged for every single connection that traverses the NAT device, in order to retrospectively figure out who did what. This causes performance issues (netflow data gathering is done at the routers and usually offloaded to another server for processing & storage), and can get expensive very quickly.
- Firewalling specific users becomes impossible for any party other than the ISP - simply blocking / allowing specific IP addresses or ranges is no longer an option unless you're happy to also block / allow every other customer sharing the same IP. As TCP & UDP source ports are usually randomised, and never associated with an individual endpoint, these cannot be used as a basis for firewalling.
- There is currently no ISP equivalent of UPnP, and thus no way for applications to automatically map incoming ports. In most cases there is also no way for the user to map them manually either. This effectively means that incoming connections cannot be used.
- NAT causes issues with protocols that embed endpoint addresses, even if they can run on top of a NAT-compatible protocol such as TCP or UDP - various VPN protocols are particularly prone to disruption this way.
- Not all IP protocols are even capable of successfully traversing a NAT connection.
- Direct connections between endpoints become impossible except via UDP, and require an additional third party with a public address to assist with connection setup.
- If you're running any kind of server that utilises a standard port (e.g. HTTP, HTTPS, SMTP etc) then you're out of luck - it's not possible to map a single incoming port to several endpoints at once without a whole lot of annoying trickery in the way, and often not even then.
- Multihoming is impossible with NAT; global routing tables work on an AS/IP basis (via BGP), and cannot be adapted to manage multiple ASs sharing a single IP or IP range.


There are plenty of other issues with carrier NAT, but those are a few of the big ones.


Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that gets a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

Many cellular providers already use this technique, and assign IPs based on the APN the customer is using (e.g. 2degrees' 'internet' and '2degrees' APNs - one assigns public IPs, the other doesn't). Unfortunately it doesn't translate very well to the customers of a typical consumer ISP, and even for cellular providers can cause problems.

A better long-term solution is dual-stack IPv6 and IPv4, which allows access to legacy networks while IPv6 is being rolled out. For ISPs who are unable to acquire sufficient IPv4 resources, NAT64 is a viable alternative (allows IPv4 endpoints to be accessed by IPv6-only customers).
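Added example, not part of the post above or of any ISP's tooling: a sketch of the attribution problem from the legal-compliance point, showing that behind a shared public IP a lookup by address alone returns several customers, while address, port and timestamp together identify one. The log format, subscriber names and the 203.0.113.5 documentation address are constructed assumptions.

```python
from datetime import datetime
from typing import NamedTuple


class Mapping(NamedTuple):
    start: datetime
    end: datetime
    subscriber: str
    public_ip: str
    public_port: int


# Constructed sample records, one per NAT translation (format is an assumption):
#   start  end  subscriber  private_ip  public_ip:public_port
SAMPLE_LOG = """\
2011-02-07T11:00:00 2011-02-07T11:05:00 cust-a 10.152.89.130 203.0.113.5:40001
2011-02-07T11:01:00 2011-02-07T11:09:00 cust-b 10.152.89.131 203.0.113.5:40002
2011-02-07T11:03:00 2011-02-07T11:04:00 cust-c 10.152.89.140 203.0.113.5:51515
2011-02-07T11:06:00 2011-02-07T11:08:00 cust-c 10.152.89.140 203.0.113.5:40001
"""


def parse_log(text):
    """Parse the constructed log format above into Mapping records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, subscriber, _private_ip, public = line.split()
        public_ip, port = public.rsplit(":", 1)
        records.append(Mapping(datetime.fromisoformat(start),
                               datetime.fromisoformat(end),
                               subscriber, public_ip, int(port)))
    return records


def subscribers_behind(records, public_ip, when):
    """Everyone with a live translation on public_ip at `when` (IP-only lookup)."""
    return {r.subscriber for r in records
            if r.public_ip == public_ip and r.start <= when <= r.end}


def attribute(records, public_ip, public_port, when):
    """Subscribers holding public_ip:public_port at `when`; port reuse makes time essential."""
    return {r.subscriber for r in records
            if (r.public_ip, r.public_port) == (public_ip, public_port)
            and r.start <= when <= r.end}


RECORDS = parse_log(SAMPLE_LOG)
```

Port 40001 is deliberately reused by a second subscriber later in the sample, so a request that arrives without an accurate timestamp and source port cannot be resolved to one customer.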

utopian201
07-02-2011, 12:59 PM
Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that gets a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

Private ranged IPs can be used by anyone. What if you were using 192.168.1.x on your LAN and the ISP had allocated 192.168.1.x to your friend in another city?

You wouldn't be able to send data between the two because your router won't send the data out the ADSL modem - it thinks all 192.168.1.x traffic is local

Erayd
07-02-2011, 01:10 PM
Private ranged IPs can be used by anyone. What if you were using 192.168.1.x on your LAN and the ISP had allocated 192.168.1.x to your friend in another city?

You wouldn't be able to send data between the two because your router won't send the data out the ADSL modem - it thinks all 192.168.1.x traffic is local

Which is why ISPs don't usually pick ranges that common - they usually pick things way out in the 10/8 range to avoid colliding with the more commonly-used ranges that people use for their own networks.

ubergeek85
07-02-2011, 01:12 PM
Erayd explained it better than I ever could, but I see what you mean. I've seen it mentioned that ISP-wide NAT may be used as a last-ditch effort, but I'm not sure if the sources were credible.

I can see a situation arising where public IPs might be treated similar to static IPs, i.e. you have to request one, otherwise you get lumped in with a few hundred other customers behind the same public, NATed IP. Yes, there are a lot of people out there who just surf the web and check emails, and would probably survive behind large-scale NAT, but it is only a stopgap measure.

Chilling_Silence
07-02-2011, 01:17 PM
But it's theoretically doable though? :D

Erayd
07-02-2011, 01:19 PM
But it's theoretically doable though? :D

It's doable, but bloody expensive, and causes a lot of problems - in most cases it's actually cheaper (and more sensible) to deploy IPv6.

utopian201
07-02-2011, 03:11 PM
Which is why ISPs don't usually pick ranges that common - they usually pick things way out in the 10/8 range to avoid colliding with the more commonly-used ranges that people use for their own networks.

IPs starting with 10.x.x.x, 172.16-31.x.x and 192.168.x.x are private addresses and cannot be used on the internet. There isn't really a 'common' range.

ISPs don't pick their IPs; they are allocated to them by the IANA. From those, they give them out to their customers.


But it's theoretically doable though? :D

No, for the reasons I mentioned. Basically you wouldn't be able to communicate with anyone else that had a private IP. Can you imagine the support calls, when people ask their ISP why they cannot Skype to their relative (or any other p2p application)?

Some ISPs already use a single public IP for multiple customers via NAT as ubergeek said.

Chilling_Silence
07-02-2011, 03:18 PM
No, that's only if I use the 192.168.*.* range, and so does my ISP.

If I use 10.0.0.0 with a subnet of 255.0.0.0 then yeah, again, I rule that possibility out.

What ISPs could do is use the US Military range, they've got some public IPs that they use for internal-only stuff that nobody (Certainly not us) ever uses.

So I still stand by the prospect that it's theoretically possible, if not really practical.

Erayd
07-02-2011, 04:49 PM
IPs starting with 10.x.x.x, 172.16-31.x.x and 192.168.x.x are private addresses and cannot be used on the internet.

They aren't publicly routable on the internet, but they can quite happily be used behind NAT devices as part of an edge infrastructure on an internet-connected network, such as an ISP. Obviously this has some known downsides - i.e. routing conflicts with customers' own private networks - which is why, when implementing this kind of infrastructure, less-common address ranges are chosen. There will always be a few customers who lose out and have to renumber their networks to maintain compatibility, but provided a suitable range is chosen they're generally rare.


There isn't really a 'common' range.

Of course there are common ranges! Some of the most common are:
- 192.168.0.0/24
- 192.168.1.0/24
- 10.0.0.0/24
- 10.1.1.0/24
Obviously there are a few router models which do something stupid and use something like 10.0.0.0/8 by default, and some customers will assign various other ranges for their own purposes, but the ones listed above are by far the most common.

If an ISP chooses to use something like 10.152.89.128/25 for NAT customers, then realistically they are going to have *very* few customers who will have issues with that range. Additionally, most users likely to assign such a range to their own network will usually be either corporate customers or very tech-savvy consumers, who will generally understand how to configure their equipment to avoid this being an issue.


ISPs don't pick their IPs; they are allocated to them by the IANA. From those, they give them out to their customers.

This is only the case for globally routable, public addresses. Private addresses can be used by anyone, for any purpose, but can't be globally routed. Private addresses are designated as such by IANA, and anyone wishing to make use of them does not need to apply to IANA or any other body in order to do so.


...no, for the reasons I mentioned. Basically you wouldn't be able to communicate with anyone else that had a private IP.

You don't seem to quite understand the way IP routing works. Assigning private IPs to customers behind a NAT router does *not* prevent those customers from communicating with other private IPs, however they choose to do this, unless there is a routing conflict on the customer's gateway - which, if the ISP chooses a sensible range, is extremely rare.

If an ISP decides to use 10.123.234.0/24 as a NAT range behind a public IP, then customers of that ISP who are given addresses from this range and who are also using 10.123.234.0/24 on another interface of their gateway router will be unable to reach either the segment of their network using this range, or the rest of the internet, depending on how the router is configured.

Everyone else will be able to connect outgoing on all NAT-able protocols with no difficulty, but will not be able to receive directly incoming connections.


Can you imagine the support calls, when people ask their ISP why they cannot Skype to their relative (or any other p2p application)?

Many P2P applications are smart enough to get around NAT by dynamically mapping where they can, and where they can't, by making outgoing connections to those who can receive them, or by soliciting incoming connections via a third party (this only works for UDP).

Obviously support is an issue, particularly regarding the inability to easily accept incoming connections, and is one of the reasons for pushing IPv6.


What ISPs could do is use the US Military range, they've got some public IPs that they use for internal-only stuff that nobody (Certainly not us) ever uses.

Too dangerous unfortunately; unlike the designated private address ranges, most routers will consider that to be a valid public range, and will quite happily propagate BGP advertisements for it.
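Added example, not part of the post above: a check of the routing-conflict argument using the ranges quoted in the thread, plus a longest-prefix-match lookup for a customer gateway. The interface names, the tie-break rule (first listed route wins on equal prefix length, standing in for "depending on how the router is configured") and the 198.51.100.7 documentation address are assumptions.

```python
import ipaddress

# LAN ranges listed in the thread as the most common defaults.
COMMON_LAN_RANGES = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "10.1.1.0/24"]


def conflicts(isp_range, lan_ranges):
    """Return the customer LAN ranges that overlap the ISP's NAT range."""
    isp = ipaddress.ip_network(isp_range)
    return [r for r in lan_ranges if ipaddress.ip_network(r).overlaps(isp)]


def egress(routes, dest):
    """Longest-prefix match over (prefix, interface) routes.

    On equal prefix length the first listed route wins (assumed tie-break).
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Gateway that uses 10.123.234.0/24 on its LAN and is handed the same range
# on its WAN side, the conflict case described in the post.
CONFLICTED_GATEWAY = [
    ("10.123.234.0/24", "lan"),
    ("10.123.234.0/24", "wan"),
    ("0.0.0.0/0", "wan"),
]

# Gateway with a 10.0.0.0/8 LAN behind an ISP using 10.152.89.128/25:
# the more specific WAN route shadows that slice of the LAN.
WIDE_LAN_GATEWAY = [
    ("10.0.0.0/8", "lan"),
    ("10.152.89.128/25", "wan"),
    ("0.0.0.0/0", "wan"),
]
```

With the ranges from the thread, `conflicts("10.152.89.128/25", COMMON_LAN_RANGES)` is empty, while adding a 10.0.0.0/8 LAN produces an overlap.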

ubergeek85
07-02-2011, 08:50 PM
Obviously there are a few router models which do something stupid and use something like 10.0.0.0/8 by default

bleepin' Dlinks!

Chilling_Silence
07-02-2011, 08:58 PM
Yep pretty much it's just the %@#$ D-Links ....

HAL9000
10-02-2011, 06:52 PM
Erayd, wow that's certainly a damn fine response to my speculation.

From what you are saying it is technically possible, although there would be some cost involved for the ISP.

I did not really mean this to be a solution to the problem, but rather a measure that could be taken to push back the eventual running out of addresses.

wainuitech
10-02-2011, 07:10 PM
Then of course there are the ones no one will ever get.

The military and Government allocated (http://www.uaff.info/militarytracking.htm).
