[menog] IPv4 March 2011 depletion
owend at he.net
Wed Nov 17 17:03:22 GMT 2010
On Nov 17, 2010, at 6:59 AM, Brian Candler wrote:
> On Mon, Nov 15, 2010 at 07:44:57AM -0800, Owen DeLong wrote:
>> Again, I'm not understanding the need to phase a subnet. I can understand
>> phasing large or complex environments by doing them a subnet at a time,
>> but, phasing within a subnet strikes me as a recipe for greater pain and
>> complexity with minimal benefit in most environments. Especially in a
>> residential environment.
> If you don't offer the option to plug in new V6-only devices, then people
> won't switch their networks to V6-only, because it involves reconfiguring
> everything they already have.
For the moment, I see no need to switch a network which has v4 addresses
to v6 only.
> You're then hoping that new customers are where V6 deployment takes place.
> This may work in some places, but I think not where Internet is close to
> saturation already.
Even where the internet is close to saturation, there is churn (i.e. ISP A's
old customer becoming ISP B's new customer) and growth. Both of these
will lead to IPv6 deployment.
Additionally, IPv4 only networks will be at an ever increasing disadvantage
vs. dual-stacked networks in terms of reaching points on the internet which
have been created since IPv4 exhaustion. This disadvantage may not
matter much for some time, but, it will be a monotonically increasing
disadvantage. Eventually, it will be hard to ignore.
>>> As for enterprises, most have already deployed RFC1918 and NAT44 widely. So
>>> whilst turning on native IPv6 alongside it ought to be moderately easy, it
>>> also doesn't yet offer any particular business reason to do so.
>> Key word being yet. However, if you wait until the need arises, you are going to be
>> way behind the power curve trying to catch up.
> Most places where I've worked spend money when there is a recognised need
> and not before.
Yep... And if you don't recognize the need for IPv6 yet, you can share fate
with people who watch the ocean rapidly roll out and think "free fish".
(In case you miss the reference, look up the word Tsunami)
> About 10-15 years ago, in the UK it was common for dial-up Internet access
> products to offer static IP addresses. Gradually there was a shift to a
> lower grade of service, by sharing addresses through dynamic pools. For
> anybody who cared, they could work around it (e.g. using dynamic DNS), or
> pay extra for a static IP.
Sure... The same thing happened in the US, but, there are two key differences:
1. This switch occurred when fewer than 5% of current customers were
connected and the ISPs knew they could survive with sustained growth
even if they lost every single current customer.
2. There was no practical alternative and ALL dial-up ISPs had to
make the same change.
> What I foresee over the next 3-5 years is a gradual acceptance of a lower
> grade of service, where many people end up behind LSN. For those who care,
> they can work around it (e.g. upstream ISP offers inbound HTTP proxy and
> SMTP proxy and/or port forwarding), or pay extra for a real IP.
Since there is no universal need for ISPs to provide LSN and a higher
level of service can be provided by placing all new customers on IPv6
with NAT64, I think that the competitive landscape in most markets
will limit the number of customers that accept LSN. Further, the idea
of paying extra for a "real IP" only works if there is a real IP available
for the carrier to provide.
> Certainly there are market segments which are interested in direct
> peer-to-peer applications: in particular, gamers and illegal filesharers.
> Given that filesharing accounts for a large % of traffic today, that might
> be enough to swing a sizeable proportion of traffic (if not users). It will
> be an interesting way of selling V6 to governments.
Interesting choices of examples. You conveniently left out the
vast majority of instant messaging applications, many VOIP
packages, and more.
I also find it interesting that you first point out illegal filesharing,
then go on to state that filesharing accounts for a large % of
internet traffic today. This, of course, is intended to vilify all
filesharing by lumping it in with illegal filesharing when in
reality, the vast majority of the filesharing traffic is not actually
illegal. While the fact that there is no easy way to distinguish
content on an automated basis makes it hard to prevent
illegal filesharing without disrupting legitimate communications,
it is disingenuous to claim that all or even the majority of
filesharing is illegal.
> The rest of us sit behind NAT44 today, and a whole bunch of third-party
> services have sprung up to support it - things like 'logmein' and instant
> messaging servers. These meet-me servers aren't just workarounds. They add
> their own value by managing authentication and brokering access between
> endpoints - the sort of things people are very bad at doing themselves.
Interesting. I'm not engaged in illegal filesharing. While I do some gaming,
it's not more than 1% of my traffic and I don't believe I'm engaged in any
gaming which would not behave satisfactorily behind a NAT. However,
I do not sit behind NAT44 and moving behind NAT44 would negatively
impact many things I do, including hosting several web sites for non-profit
organizations, my email server, my use of VNC and SSH to manage
my systems remotely while I am traveling, my ability to retrieve recorded
programs from my DVRs while I am traveling and more.
In fact, it would even break my nameservers since the primary
authoritative server for several zones is also there.
> Speaking for myself: I do use dynamic DNS with inbound port forwarding in
> order to ssh to my box at home. If I end up behind LSN, then yes I'd like
> my ISP to offer me one port on a real IP address which forwards to me. As
> this is likely to be on a static IP, this would actually be an improvement
> for me.
Speaking for myself, I prefer static DNS on a server that I administer, but,
to each their own.
> Deploying V6 at home doesn't benefit me, even if my ISP offered it, because
> it's not reachable from anywhere that I care about (*). That's the
> chicken-and-egg situation which dual-stack has spectacularly failed to
> address. Oh, and it would cost me money to replace my router too, and time
> to reconfigure every device on my LAN.
In the long run, however, this won't be about what does or does not
benefit the individual customer of the ISP. It will be about what allows
the ISP to continue doing business and growing. The simple reality
is that whether you want to or not, there will come a day when your
ISP will start charging you quite a bit more to do IPv4 vs. what you
will be able to pay if you switch to IPv6.
> You can call me cheap, clueless and lazy. The question is, how many other
> people are there like me? :-)
There are many who are cheap, clueless and lazy. I, myself, am cheap
and lazy. For me, IPv6 didn't cost anything extra. My CPE was capable
of IPv6 before I added it to my network. (I have since replaced my CPE,
but, my 7204VXR was perfectly capable of doing IPv6 and doing it
quite well before I installed the SRX-100 that replaced it).
>> I don't see how the loopback idea really helps conserve address space.
> It saves the wastage from allocating 2^N IPs to each VLAN, sometimes more
> than twice the space required to allow for easy future growth. If you're
> using lots of small subnets then the wastage from broadcast and network
> addresses is also significant.
Wow... I can't say that's the dumbest thing I've ever heard, but, I do think
the term "does not scale" certainly applies. Managing that across
customer installations would be an absolute support nightmare.
I presume you'll then use RFC-1918 space on the physical interfaces
meaning you have now doubled your address administrative
overhead. You've also pretty much broken the ability for the
customer to use any form of sophisticated load balancer (or
increased the amount of IP space they need to facilitate it).
> By putting real IPs on servers as loopbacks, with static routes in your IGP,
> you can deploy individual IPs where you need them. If you want to
> aggregate, you can still do it at a higher level (e.g. per POP)
Yep... Now I understand your theory. In fact, this thought occurred to
me when you first mentioned the idea of using loopbacks, but, I
thought to myself "That can't be it, most of his arguments have
been misguided, not absurd."
>>>> Again, can you cite any specific example of equipment which breaks if IPv6
>>>> is turned on, or, is this pure speculation on your part?
> To be absolutely clear: no, I cannot give you a specific example of this.
> I think you're right that a device which doesn't understand V6 at all is
> unlikely to break when IPV6CP is turned on. I think that a device with a
> partial or broken V6 implementation may well do stupid things when V6
> packets start to flow, in the same way as some routers when presented with
> DNSSEC packets do stupid things. But no, I have not met one, because I've
> not been turning on V6.
Well... I've been turning on V6 for years and I haven't met one, either.
In my experience, there aren't partial or broken V6 implementations in
CPE routers on that level. There are definitely problems with various
forms of IPv6 functionality on various CPE devices which purport to
support IPv6, but, not such that the device fails to continue doing
what it did for IPv4 in the face of IPv6 traffic. All of the IPv6 failures
I have observed in various equipment have been limited to impacting
> Anyway, selective enabling of V6 is straightforward to implement, so that
> part doesn't worry me.
Good to know. It sounded like you were discouraging people from
doing so on that basis.
> (*) OK, I'm a techie, and from my laptop I could probably use a tunnel
> broker to get home if I could be bothered. I couldn't use it from someone
> else's PC where I have an ssh client but nothing else.
Sure you can... If you have a meet-me dual-stack SSH server in
between, anything that would work from that environment to your
IPv4 based home will work to your IPv6 based home.
For example, if you have an IPv6 web server at 2001:db8::3eb
and an SSH server that is at 192.0.2.25 and 2620:db8::558
and you are on a box at 192.168.5.3 which gets natted
to 192.0.2.80, you can execute the following:
ssh -L 8000:[2001:db8::3eb]:80 mylogin@192.0.2.25
Once you are logged in, you can then use the SSH
tunnel with URLs like:
This means your IPv6 web server has to do address-based
virtual hosting rather than name-based virtuals in order to work,
but, one of the advantages of IPv6 is that you can easily assign
an IPv6 address uniquely to each web site without a problem,
so, this is not an issue.
Oh, you can also use a 6to4 tunnel or a Teredo tunnel from
that site in most cases, but, if your access is absolutely
limited to SSH, this might take a bit more work. OTOH, if
your access is limited to SSH only, it might be hard to
use services like logmein as well.
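The local-forward recipe above depends on getting the -L spec right: an IPv6 literal in the host field has to be bracketed because ':' is also the field separator. The following is an added example, not code from the post; it builds the argv for the post's scenario (web server 2001:db8::3eb, dual-stack jump host 192.0.2.25, login mylogin) and parses such specs back, rejecting the unbracketed form. Function names are this example's own.

```python
"""Build and parse OpenSSH "-L" local-forward specs with IPv6 targets.

Added example (not from the original post). Addresses and login are the
ones the post uses; the helper names are this example's own.
"""
import ipaddress
import re

# A -L spec is [bind_address:]port:host:hostport. Because ':' separates
# fields, an IPv6 literal in the host or bind position must be bracketed,
# e.g. 8000:[2001:db8::3eb]:80.
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]+\]|[^:\[\]]+):)?"
    r"(?P<lport>\d+):(?P<host>\[[^\]]+\]|[^:\[\]]+):(?P<hport>\d+)$"
)


def _host_token(host: str) -> str:
    """Return host as it must appear inside a -L spec (brackets for IPv6)."""
    try:
        if ipaddress.ip_address(host).version == 6:
            return f"[{host}]"
    except ValueError:
        pass  # a hostname, not an IP literal: no brackets needed
    return host


def _check_port(value) -> int:
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


def local_forward_argv(local_port, target_host, target_port, login, jump_host):
    """argv for: ssh -L local_port:target_host:target_port login@jump_host.

    The jump host is dual-stack, so an IPv4-only client reaches it over v4
    while the forwarded connection to the v6-only target is made from there.
    """
    spec = f"{_check_port(local_port)}:{_host_token(target_host)}:{_check_port(target_port)}"
    return ["ssh", "-L", spec, f"{login}@{jump_host}"]


def parse_local_forward(spec: str) -> dict:
    """Split a -L spec into fields; unbracketed IPv6 literals do not parse."""
    m = _SPEC.match(spec)
    if m is None:
        raise ValueError(f"malformed -L spec (IPv6 host needs brackets?): {spec!r}")
    bind = m["bind"].strip("[]") if m["bind"] else None
    return {"bind": bind, "local_port": _check_port(m["lport"]),
            "host": m["host"].strip("[]"), "host_port": _check_port(m["hport"])}


def is_valid_spec(spec: str) -> bool:
    try:
        parse_local_forward(spec)
        return True
    except ValueError:
        return False
```

Once the tunnel is up, the browser on the IPv4-only box talks to local port 8000 and the jump host completes the connection to [2001:db8::3eb]:80.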