The Internet running out of IP addresses

**HAL9000** · 07-02-2011, 11:17 AM

OK so the last five /8 ranges have been dished out and we're running out of IP addresses. People are now starting to rush around like Henney Penny and squwark "The sky is falling, the sky is falling".

Now I know that 4.3 billion addresses is a finite resource, especially when you consider that most devices are issued with a public address when connecting to the Internet, but do they really need that public address.

I will state here that my knowledge of what happens past my ADSL modem is vague but hear me out.

I have a small network here in my office. I have an ADSL modem that has a public IP address on the external interface. This connects to my firewall using private range IPs (192.168.x.x). My firewall in turn has a second subnet of private range IP addresses (192.168.y.x). And routing through two private range IPs works just fine.

So why cannot this occur at an ISP level?

OK, let me expand on this. Most of the non business clients, and some of the business clients I have do not need a public IP address. All they do is browse webpages, and check their emails. In most cases they only have one PC and maybe one laptop/netbook.

Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that get a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

I am sure people with more knowledge them me will tell me why this can't or shouldn't be done. All I am doing here is posing a question borne out of my limited knowledge at what happens at an ISP level.

**Chilling_Silence** · 07-02-2011, 11:57 AM

I've wondered likewise too, but I'm not proficient enough in IP routing to know for certain.

I'm pretty sure though that once upon a time when I first had mobile data going to my Cellphone (Around 6-7 years ago now?) that my iMate Jam was given a private IP Address.

There could be other technicalities around things such as gaming, voice-chat (skype) etc, but for basic browsing and things it ought to be OK?

Still, I saw a good article this morning which described it like running out of car numberplates. Existing cars can still drive around just fine, it's not like the roads will suddenly explodes.

**Speedy Gonzales** · 07-02-2011, 12:15 PM

And

**Erayd** · 07-02-2011, 12:56 PM

Originally Posted by HAL9000

...but do they really need that public address....So why cannot this occur at an ISP level?

There are quite a few reasons why this isn't feasible as anything other than a stopgap measure - some of the more important ones are:

TCP & UDP each have a maximum of 65535 ports per IP address. Every outgoing or incoming connection uses a new port, as does every process that is listening for an incoming connection. This means that there is a limit to the number of simultaneous connections that can be shared behind a single IP address.
Legal compliance becomes a nightmare, as customers can no longer be associated with a single IP. This means that it's no longer enough to simply log which IP is assigned to a particular customer; instead the full netflow data must be logged for every single connection that traverses the NAT device, in order to retrospectively figure out who did what. This causes performance issues (netflow data gathering is done at the routers and usually offloaded to another server for processing & storage), and can get expensive very quickly.
Firewalling specific users becomes impossible for any party other than the ISP - simply blocking / allowing specific IP addresses or ranges is no longer an option unless you're happy to also block / allow every other customer sharing the same IP. As TCP & UDP source ports are usually randomised, and never associated with an individual endpoint, these cannot be used as a basis for firewalling.
There is currently no ISP equivalent of uPNP, and thus no way for applications to automatically map incoming ports. In most cases there is also no way for the user to map them manually either. This effectively means that incoming connections cannot be used.
NAT causes issues with protocols that embed endpoint addresses, even if they can run on top of a NAT-compatible protocol such as TCP or UDP - various VPN protocols are particularly prone to disruption this way.
Not all IP protocols are even capable of successfully traversing a NAT connection.
Direct connections between endpoints become impossible except via UDP, and require an additional third party with a public address to assist with connection setup.
If you're running any kind of server that utilises a standard port (e.g. HTTP, HTTPS, SMTP etc) then you're out of luck - it's not possible to map a single incoming port to several endpoints at once without a whole lot of annoying trickery in the way, and often not even then.
Multihoming is impossible with NAT; global routing tables work on an AS/IP basis (via BGP), and cannot be adapted to manage multiple ASs sharing a single IP or IP range.

There are plenty of other issues with carrier NAT, but those are a few of the big ones.

Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that get a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

Many cellular providers already use this technique, and assign IPs based on the APN the customer is using (e.g. 2degrees' 'internet' and '2degrees' APNs - one assigns public IPs, the other doesn't). Unfortunately it doesn't translate very well to the customers of a typical consumer ISP, and even for cellular providers can cause problems.

A better long-term solution is dual-stack IPv6 and IPv4, which allows access to legacy networks while IPv6 is being rolled out. For ISPs who are unable to acquire sufficient IPv4 resources, NAT64 is a viable alternative (allows IPv4 endpoints to be accessed by IPv6-only customers).

**utopian201** · 07-02-2011, 12:59 PM

Originally Posted by HAL9000

Now if an ISP creates two classes of internet connection, one class that issues a public address to the connection and the other class that get a private range address. The private range addresses would be NATed at the ISP level to deliver packets correctly. I see this freeing up thousands of IP addresses per ISP.

Private ranged IPs can be used by anyone. What if you were using 192.168.1.x on your LAN and the ISP had allocated 192.168.1.x to your friend in another city?

You wouldn't be able to send data between the two because your router won't send the data out the ADSL modem - it thinks all 192.168.1.x traffic is local

**Erayd** · 07-02-2011, 01:10 PM

Originally Posted by utopian201

Private ranged IPs can be used by anyone. What if you were using 192.168.1.x on your LAN and the ISP had allocated 192.168.1.x to your friend in another city?

You wouldn't be able to send data between the two because your router won't send the data out the ADSL modem - it thinks all 192.168.1.x traffic is local

Which is why ISPs don't usually pick ranges that common - they usually pick things way out in the 10/8 range to avoid colliding with the more commonly-used ranges that people use for their own networks.

**ubergeek85** · 07-02-2011, 01:12 PM

Erayd explained it better than I ever could, but I see what you mean. I've seen it mentioned that ISP-wide NAT may be used as a last-ditch effort, but I'm not sure if the sources were credible.

I can see a situation arising where public IPs might be treated similar to static IPs, i.e. you have to request one, otherwise you get lumped in with a few hundred other customers behind the same public, NATed IP. Yes, there are a lot of people out there who just surf the web and check emails, and would probably survive behind large-scale NAT, but it is only a stopgap measure.

**Chilling_Silence** · 07-02-2011, 01:17 PM

But it's theoretically doable though?

**Erayd** · 07-02-2011, 01:19 PM

Originally Posted by Chilling_Silence

But it's theoretically doable though?

It's doable, but bloody expensive, and causes a lot of problems - in most cases it's actually cheaper (and more sensible) to deploy IPv6.

**utopian201** · 07-02-2011, 03:11 PM

Originally Posted by Erayd

Which is why ISPs don't usually pick ranges that common - they usually pick things way out in the 10/8 range to avoid colliding with the more commonly-used ranges that people use for their own networks.

IPs starting with 10.x.x.x, 172.16-31.x.x and 192.168.x.x are private addresses and cannot be used on the internet. There isn't really a 'common' range.

ISPs don't pick their IPs; they are allocated to them by the IANA. From those, they give them out to their customers.

Originally Posted by Chilling_Silence

But it's theoretically doable though?

no, for the reasons i mentioned. Basically you wouldn't be able to communicate with anyone else that had a private IP. Can you imagine the support calls, when people ask their ISP why they cannot skype to their relative (or any other p2p application).

Some ISPs already use a single public IP for multiple customers via NAT as ubergeek said.