[HN Gopher] Who is squatting IPv4 addresses?

Who is squatting IPv4 addresses?
Author : todsacerdoti
Score : 261 points
Date : 2022-02-17 13:21 UTC (9 hours ago)
web link (blog.benjojo.co.uk)

typh00n wrote:
I am curious: Could I in theory buy an IPv4 address, which I can use for the rest of my life? (given that I could convince my provider to route it)

zamadatix wrote:
You'd need to buy and have transferred a /24 (256) or more of "legacy" IPv4 that was allocated by IANA prior to the RIR system for your region. Then you could either convince your provider to route that block on your behalf or get an ASN and BGP peer at your local IX (or even over a tunnel to one). Getting it transferred to you may require setting up a business depending on your RIR.

All in all you could make the above happen for about the price of a lower end new car in the best case.

There are other ways to get non-legacy IPv4 assignments now but those are leased not owned.

fullstop wrote:
There are a lot of /24 in use strictly for BGP, even if they're not fully utilized.

This is the public address space, though, and not really "squatting"

_nickwhite wrote:
This. I have a few /24s and only actually use maybe 25 active IP addresses. If I want to exist in global BGP tables, it's the smallest block I can use for my ASN (and not be filtered out). I think in 2022, with the rise of SDWAN, CDNs, and Zero-Trust reverse proxy services, it's not actually relevant to roll your own BGP, unless you're a big player, or if you just want to fly solo on the Internet.

taubek wrote:
At the University where I was working until a few years ago we all had static IP addresses for all of our desktops/laptops.

alar44 wrote:
How is this relevant to public IPv4 squatting?

angulardragon03 wrote:
My old uni holds two /16s which are used for clients.
Firewalled, but if you use the Wi-Fi there then you are getting your own "personal" IPv4 address per device.

jeroenhd wrote:
I know several universities that do the same. On certain LANs there isn't even a firewall, you just get a public IP. At my current university I think there's a limit of five or six static allocations per person, the rest is all dynamically allocated (and still a normal IP, no NAT here).

And I honestly don't see why not. This is how the internet was designed to be used, and it works a lot better than most large managed networks in the 10/8 range I've seen. It'll only be a problem once there are more students and services than there is address space.

briffle wrote:
You mean they are using IPs as they were originally designed? Those people probably have NO conflicts or problems with things like video conferencing, VPNs, etc.

NAT is a kludge, not a security feature.

trollied wrote:
I can't recall the last time that NAT caused me any problems. Is it still an issue these days?

thereddaikon wrote:
Even if it's a mature kludge, it's still a kludge.

lesuorac wrote:
IIUC, things like WebRTC have STUN & TURN servers solely to get around NAT.

codechad wrote:

atkbrah wrote:
US Department of Defense has 14 /8 blocks. You'd have to wonder what they do with that large number of public IPs.

Sure, some companies have large blocks but that's nothing compared to that.

Wohlf wrote:
They use them like private IPs, across several air gapped networks. When I was enlisted we were putting them on desktops.

ipaddr wrote:
How does this scale to other militaries globally? Does anyone else have a /8 block?

[deleted]

Melatonic wrote:
Supposedly they do use some of it for honeypotting schemes but I imagine some of it is out of paranoia

kube-system wrote:
Most of it is probably just because they invented IPv4, and were therefore able to keep as much as they wanted.
kube-system wrote:
The DoD is also larger than _any_ company.

martin8412 wrote:
Last I heard, any project needing more than one IP got a /24.

lesuorac wrote:
Ask them [1] and report back.

[1]: https://open.defense.gov/transparency/foia.aspx

judge2020 wrote:
The actual page to request is foia.gov: https://www.foia.gov/request/agency-component/4fce7e7d-3b32-...

eatbitseveryday wrote:
> over 16% of all of the non-RFC1918 space is suspected squatted DoD space!

mananaysiempre wrote:
Well, I'm entirely willing to believe the US DoD is one of the few entities that have more than 2^23 computers they want to be mutually addressable, so the RFC 1918 space is just too small for them if they are to run IPv4.

JAlexoid wrote:
DoD has 8 million computers? It's not like it's all government branches combined.

In fact - DoD should just have its own internet - that is completely separate. I'd argue that DoD networks should not have any connectivity with the broader internet, making their use of the whole 32 bit space completely independent from everyone else.

IncRnd wrote:
The entire address space was created for DoD use, so that is understandable.

Swizec wrote:
I have an old static IP from the days of running a server from my bedroom. My mom kept it after I moved out. Stopped responding to pings 2 or 3 years ago when she upgraded her internet package and the ISP didn't honor our _"Hey we have a static IP"_ agreement.

Good old 193.77.212.100, may you rest in peace.

ajp11 wrote:
A couple of years ago Amazon bought four million IP addresses for $108 million dollars. 44.192.0.0/10

AMPRnet sold them a quarter of the IP addresses that were allocated for amateur radio. They got a /8 back in the 1980s. A small number of addresses were used for ham radio networks but the AMPRnet addresses were generally not routed between the internet and the radio networks.
prichino wrote:
The author of trilema.com at some point boasted of having bought a /16 and then renting it out.

Something I don't quite understand is why IPv6 is assumed to be better, if anything sticking to IPv4 will lead to more "selective" use. Actually useful things get an IP, the rest, well, better get more useful? Wishful thinking?

Thank you,

Plasmoid wrote:
> if anything sticking to IPv4 will lead to more "selective" use.

That's a scarcity mindset and isn't useful in this case.

Who cares if "low" value things use the internet? Imagine a network in rural Africa. It can't pay market rates for IP addresses but would be extremely valuable for its users.

IP addresses aren't a negative externality like pollution or traffic, they're an artificial construct. So restricting them doesn't actually help people, and making them abundant is a huge benefit to literally everyone.

zauguin wrote:
> [...] if you want to get a /24 block from RIPE NCC when you sign up as a member, then you are currently looking at a 2 month wait for a recycled IPv4 /24 block.

That's a rather optimistic view of the situation. The next member who will get a block has already been waiting for 2 months and it's unclear when they will get one. It stands to reason that members applying now would have to wait (potentially significantly) more than 2 months.

svdr wrote:
I applied in October last year, and at that time the waiting list was zero days, so I received our /24 instantaneously.

Some nice data on the prices of IPv4 addresses: https://auctions.ipv4.global/prior-sales

z3t4 wrote:
Should change to a monthly fee. Then people would get rid of the ones not used.

traceroute66 wrote:
> Should change to a monthly fee. Then people would get rid of the ones not used.

There is a fee. Your EUR 1,400 annual fee.

For that money you get one IPv4 and one IPv6 (IPv4 subject to availability, obvs!).
Above that they charge per resource assignment, 50EUR per annum per resource assignment (defined as: _"IPv4 and IPv6 PI assignments; Anycast assignments; IPv4 and IPv6 IXP assignments; and Legacy IPv4 resource registrations through a sponsoring LIR. AS Numbers are excluded from this charge"_)

And yes, I think the 50EUR should be put on a ladder scale so hoarders get charged exponentially more. ;-)

Eikon wrote:
> And yes, I think the 50EUR should be put on a ladder scale so hoarders get charged exponentially more. ;-)

They would just start to put IPv4 blocks behind shell companies.

doubleunplussed wrote:
Georgism rears its head once more

rhplus wrote:
> _At the time of writing the market price for an IPv4 address is around 50 USD_

That's quite an outperforming asset class if true [0].

For a point of comparison, Microsoft paid $11 per address in 2011 [1]. To get to $50 is about 15% appreciation/year, plus the added benefit of being able to rent them out by the minute. This article estimates that Amazon has paid about $25 per address in recent years [2].

[0] https://auctions.ipv4.global/

[1] https://www.marketwatch.com/story/microsoft-buys-nortels-vin...

[2] https://www.techradar.com/news/amazon-has-hoarded-billions-o...

emilecantin wrote:
About 10 years ago, IBM used to use the 9.0.0.0/8 space in basically exactly the same way as one would use 10.0.0.0/8, for internal-only networking. Each workstation got its own 9.x.x.x IP, but it wasn't routable from outside.

I hope they stopped doing that, but I doubt it.

onei wrote:
HP did the same for 15.0.0.0/8 and 16.0.0.0/8 until the HP/HPE split, at which point I think they couldn't figure out who should get the address space. As 2 x /8 is pretty valuable, they sold off chunks of it and are presumably still doing so.
Ironically, having such addresses was sort of useful when companies got acquired and teams got shifted around. Starting to use an acquired company's network that was never designed with "what if we get acquired and have to play nice with others" in mind causes all sorts of routing pain.

dheera wrote:
At MIT we had 18.0.0.0/8 until they sold a bunch of it to Amazon.

DonHopkins wrote:
MIT also had "WTBS" until they sold it to Ted Turner in 1979! It was said to stand for "Wildly Technical Bull Shit".

MIT Student Radio WTBS 1964-65.

https://www.youtube.com/watch?v=PI2Xx3XSTFw

WTBS "The Ghetto": Soul-Music Radio Show. Created by Black MIT students in 1970, this radio program gained popularity in the Cambridge/Boston area.

https://www.blackhistory.mit.edu/story/wtbs-ghetto

Promo for MIT BSU's "The Ghetto" (WTBS 88.1 FM)

https://www.youtube.com/watch?v=6wUcHb6FMY8

remram wrote:
My university (11 years ago) was the same. They had a /16, all of which was firewalled and could only access the internet through an HTTP proxy.

edit: Just did a quick WHOIS. They still have the /16 even though the university doesn't exist any more (merged with another). Crazy.

Tsiklon wrote:
In the same time frame HP did the same with their /8 IIRC

Aloha wrote:
Ford does the same.

jmreid wrote:
Apple was the same when I was there for 17.0.0.0/8

Aloha wrote:
I thought Apple owned the 17.0.0.0/8 netblock?

thetinguy wrote:
They do.

Aloha wrote:
Then how is it squatting?

Even the article defined it as IP space not owned.

From the parent article: "I will define IP address squatting as "using IP addresses that are not RFC1918 defined and not your unicast space issued by a RIR"."

Unless this is meant to construe all legacy assignments as "squatting", which is a pants on head definition.
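The article's definition quoted just above (addresses that are neither RFC1918 nor your own RIR-issued unicast space) is mechanical enough to turn into an inventory audit. The following is an added example, not code from the blog post or from anyone in this thread: it classifies addresses pulled from, say, DHCP leases or host configs, and for any suspected squat reports which registered /8 is being borrowed. The address list and `OUR_ALLOCATIONS` are constructed placeholders (the "ours" prefix is an RFC 5737 documentation range precisely because it belongs to no one); the 9.x and 15.x samples stand in for the IBM and HP blocks discussed in the thread.

```python
"""Audit an internal IPv4 inventory for squatted (non-RFC1918, not-ours) space."""
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 private space: never "squatting".
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other IANA special-purpose blocks that are legitimate to see inside a
# network without being borrowed public unicast space.
SPECIAL = [ip_network(p) for p in (
    "0.0.0.0/8",       # "this" network
    "100.64.0.0/10",   # shared address space for CGNAT (RFC 6598)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved / limited broadcast
)]

# Constructed placeholder for the unicast prefixes your RIR actually issued
# to you. Replace with your real allocations before running this for real.
OUR_ALLOCATIONS = [ip_network("203.0.113.0/24")]


def classify(addr: str) -> str:
    """Return one of: ipv6, rfc1918, ours, special, suspected_squat."""
    ip = ip_address(addr)
    if ip.version != 4:
        return "ipv6"  # out of scope for an IPv4 squat audit
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in OUR_ALLOCATIONS):
        return "ours"
    if any(ip in net for net in SPECIAL):
        return "special"
    return "suspected_squat"


def summarize(addrs):
    """Count categories and tally the /8 each suspected squat is borrowing."""
    counts = Counter()
    borrowed = Counter()
    for addr in addrs:
        cat = classify(addr)
        counts[cat] += 1
        if cat == "suspected_squat":
            # strict=False masks the host bits so we get the covering /8
            borrowed[str(ip_network(f"{addr}/8", strict=False))] += 1
    return counts, borrowed


# Constructed sample inventory: three RFC1918, one ours, two special-purpose,
# three that would be flagged as squatting someone else's registered block.
SAMPLE_INVENTORY = [
    "10.1.2.3", "172.31.0.9", "192.168.1.1",
    "203.0.113.7",
    "100.64.3.4", "169.254.1.1",
    "9.20.1.5", "9.20.1.6", "15.3.4.5",
]

if __name__ == "__main__":
    counts, borrowed = summarize(SAMPLE_INVENTORY)
    for cat, n in sorted(counts.items()):
        print(f"{cat:16s} {n}")
    for block, n in borrowed.most_common():
        print(f"borrowed from {block}: {n} host(s)")
```

The audit deliberately checks "ours" before the special-purpose list, so an organisation whose real allocation overlaps a range it also uses for something odd still sees it as its own; in practice the placeholder prefix would be swapped for the output of a WHOIS lookup against the RIR.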
toast0 wrote:
By analogy, domain squatting isn't using a domain that isn't yours, it's underutilizing a limited resource that's assigned to you.

Using IPs for internal networking doesn't necessarily mean under utilizing though; but might not be enough to justify such an assignment today.

Aloha wrote:
I don't disagree, there might-should be clawback provisions for those legacy allocations.

But how do you define 'use'? They could easily 'use' them by simply announcing them via BGP and null routing the traffic to the IPs they don't want exposed.

The end answer is still IPv6, where everyone can have as much or as little IP space as they want.

toast0 wrote:
> But how do you define 'use'

Can they make a plausible spreadsheet showing use? But, clawback of IP allocations is very rare, even for allocations that were made with agreements allowing it. There's some high profile cases relating to fraud, but otherwise nope. Legacy allocations would be nice to clean up, but if it's not voluntary, it's not happening. And at this point, if it happens, it's probably going to be a sale rather than a return.

cameronh90 wrote:
Was it still behind NAT?

dijit wrote:
Since it can't be routed globally the return path almost certainly has to be NATed to something globally routable.

wmf wrote:
IBM owned 9/8 so this is a legitimate use of address space. All hosts should have globally unique addresses, even if you want to use NAT to hide various things. IBM does multiple acquisitions per year. Imagine merging two corporate networks that both use 10/8; it's a nightmare.

wongarsu wrote:
The acquisition's IPs might not conflict with IBM's, but surely they conflict with those of the other acquisitions? Is there any benefit after the first acquisition?

wmf wrote:
My point is that if every company uses real IPs then you can merge networks with no conflicts.
10/8 is fine for home use but not for enterprise networks.

wongarsu wrote:
In a world where any medium sized company could just get a /20 network and any enterprise could get a /8 I would agree, but with IPv4 we live in a world where the vast majority of companies don't have anything but 10/8 (and a couple of IPs for public facing stuff).

The only real options besides 10/8 are to have been big at the advent of the internet (like IBM or Apple) or misappropriate one of those IP blocks in the hope it never becomes publicly routable.

epc wrote:
I do not know IBM's current practice but in the 1990s acquisitions continued to use their internal networking for quite a long time, just interconnecting the networks as necessary and announcing routes internally.

9. addresses only started being used widely inside IBM around 1992 as the internal multi protocol network rolled out (combining RSCS over SNA and TCP/IP). As APPC connected devices gave way to TCP/IP connected devices allocations shot upward, IIRC each major campus was a /16.

Advantis/IBM Global Network ran the 9 network on the same physical and logical circuits as the public networks they managed, leading me to bypass the IBM firewall unintentionally multiple times as the filters they used broke. This may be one of the reasons RFC1918 addresses were discouraged (at least through 12/2001 when I left).

zozbot234 wrote:
> Imagine merging two corporate networks that both use 10/8; it's a nightmare.

Reasonable corporate networks are not going to use the _whole_ of 10/8 but well-defined ranges within, perhaps with a pseudo-random prefix that can be expected to make future collisions unlikely in the first place. The vast majority of small/medium enterprises can even get away with using 172.16/20, i.e. 172.16 -- 172.31 (1 million addresses total).
All in all, merging the networks just requires pushing out a simple configuration change setting up a switch to new addresses for the existing hosts. It can also be reasonable to use a cross-NAT setup between the two networks as a simple stopgap measure.

jrockway wrote:
> Imagine merging two corporate networks that both use 10/8; it's a nightmare.

This is a nightmare even inside companies. Two teams set up a default VPC, and one day you go to peer them and find that the IP ranges conflict. At my last job, I ended up using Netbox to manage our private IP ranges alongside our public IP ranges. (In theory, it would be nice if cloud providers offered this feature. "8 other VPCs on this account also use 10.0.0.0/8. Are you sure you want to be the 9th?")

Milner08 wrote:
About 5 years ago that was still a thing!

Aloha wrote:
Doesn't IBM own the 9.0.0.0/8 netblock?

xoa wrote:
Why would that be relevant here (or the sibling comment about Apple)? Last I checked, except for 9.9.9.0/24 (to quad9), IBM is indeed the assignee for 9.0.0.0/8 from back in 1992. Apple got 17.0.0.0/8 back in 1990. Back in the day a lot of big entities got whole /8 blocks (including of course a lot of the USG but private corps as well). Many of them are still around and fully active, while others are defunct (Halliburton had a /8 and that went back to ARIN then out to registries) and/or have shifted (like IIRC Amazon now has 3.0.0.0/8 but that was General Electric originally). That's not squatting, that's just making use of what they have.

> _I hope they stopped doing that, but I doubt it._

Why should they stop? Ideally we'd have had at least 64-bit or better 128-bit from the beginning in a nicer form than IPv6 ended up, and then every single one of us could have millions of IPs if we wished. That isn't how it ended up but that doesn't mean those who got them shouldn't use them.
I make use of my minuscule bit of public IPv4 for my own stuff.

KennyBlanken wrote:
Of a highly constrained resource, they're using a tiny fraction of what they've been given. That's a weird definition of "using what they have."

If I asked for a class C for my business running a local corner store, I'd be looked at like I was crazy.

IBM gets 16 million _public_ IPs and it's cool?

Yeah, I know you can't perfectly use an IP space, but with 128 offices, IBM could give each office an allocation of around a hundred thousand IP addresses (rounding down by over 20%. But even if it were 10,000 - that's still absurd.)

Melatonic wrote:
Everyone was talking about domain name squatting but turns out it's been IP addresses this whole time :-D

But that does definitely seem like an excessive amount for them to own. I would guess the huge swathes the government has reserved are not exactly being used to their potential either.

oarsinsync wrote:
> If I asked for a class C for my business running a local corner store, I'd be looked at like I was crazy.

I asked for a /22 of IPv4 for my home, and was given it, 3 years ago. I also got a /32 of IPv6, and a 32bit ASN to do BGP with.

I paid the signup fees to become an LIR, paid the membership fees, and requested my /22, /32, and ASN allocations. There were no looks, crazy or otherwise. The policies are pretty transparent. Pay money, receive resources.

That said, the policies have since changed (about a year ago?)

icedchai wrote:
It may be difficult to understand now, but back in the 90's, addresses were handed out like candy. IBM got their allocation in the late 80's.

I worked for a couple of small and mid-sized companies that had /16's and larger. And we barely used a fraction of that space.

I have a /24, personally, registered back in 1993. It's routed to my home network.
I know several other folks who were on the early internet, and had the same.

bluGill wrote:
Using only a fraction of your assigned IP address space is good and normal.

What is bad is IPv4 doesn't have enough space for everyone. Time to move onto IPv6. I don't know how to make that happen.

jrwr wrote:
Over at a University we run, we like to run like an ISP and only have a /16 to work with. It's very tight even now; we have thousands of students using the Wifi, Dorm Networks and such. I do wish we had more.

digisign wrote:
Shouldn't many of those be on NATs?

detaro wrote:
No, ISPs shouldn't force users behind NATs.

chocken wrote:
Incorrect. ISPs should use NAT. Users should pay for their own address if they desire.

lesuorac wrote:
I'd rather the ISP pushed for IPv6.

birdman914 wrote:
We are, at least at the ISP I work for. That is a major project for us this year, but any network engineer can tell you that deploying IPv6 is not straightforward at the ISP level. Getting everyone together on how to have some standard form of addressing from different entities is the toughest lift. Get Juniper, Cisco, and Arista on the phone and you will get three different ways on how to deploy it. You don't want to be the odd duck once the dust settles.

Karrot_Kream wrote:
Interesting. What are the big differences if you're allowed to talk about it? I have no doubt that the IPv6 rollout is difficult, I helped move some simple cloud stuff to IPv6 and even that had a few issues. I'm much happier without the heavy layers of NAT though.

digisign wrote:
During a shortage, push comes to shove.

detaro wrote:
> _"shouldn't"s are not very useful during shortages._

There is an important difference between "it might be necessary to put them behind NATs" and "_shouldn't_ they be on NATs?".

digisign wrote:
Hence the word "many." It's interesting because econ deniers are common at university, haha.
In any case, /16 should be enough room to prioritize.

kart23 wrote:
Dorms and wifi should definitely be NAT. You can always give a public address if someone specifically requests it.

digisign wrote:
Yes, and they help protect as well. The percentage of folks who even ask will be low.

erik_seaberg wrote:
Do dorms have IPv6? If students can't run servers, where does the next generation of developers come from?

[deleted]

FuriouslyAdrift wrote:
IBM was the original "cloud"... AKA mainframes. They had a LOT of addressed services for decades (still do).

If you want to pick on a company for hogging IPv4 space, pick on Apple. They have a /8 and probably aren't using any of it.

giantrobot wrote:
> If you want to pick on a company for hogging IPv4 space, pick on Apple. They have a /8 and probably aren't using any of it.

Most (if not all) of Apple's infrastructure uses their /8 block. With Apple Park they've moved to using a 10/8 with NAT for talking to the outside. Between iCloud, iTMS/App Store, and iMessage Apple's got a non-trivial amount of global network infrastructure beyond just their corporate network.

So I guess be mad at Apple for using their IP space?

Aloha wrote:
I'd thought Apple was using its own IP space for its 'services' hosting.

Indeed, both apple.com and icloud.com resolve to 17.253.144.10

thetinguy wrote:
Apple is definitely still using it.

manuel_w wrote:
> Why would that be relevant here

Because it shows how wastefully these companies operate with resources others are in need of.

xenadu02 wrote:
It's irrelevant. Even if the authority existed to reclaim all the /8s handed out to private companies (it doesn't) you'd kick the can down the road a few years at best. Then we'd be right back in the same boat.

There are only ~4 billion IPv4 addresses. There are more than that many humans alive, most of whom have or will have a smartphone.
So we're already short on addresses without considering network equipment, servers, IoT, or anything else.

otabdeveloper4 wrote:
But the point is that they're not using it. If it's not addressable from the internet, why not use 10.0.0.0/8 instead?

dheera wrote:
You might want to allow specific machines to be addressable from the internet. Also, NATs were buggy back then and many pieces of software simply wouldn't work unless you had a real IP address. VLANs and other advanced router features didn't really exist, either.

aparks517 wrote:
For some applications, it's valuable to have globally-unique addresses even if they're not (all) broadly accessible from the open Internet. For example, if you're building private links between networks which don't share an authority for distributing private network addresses (they're administered by different companies or organizations perhaps). I don't know how common this is anymore, but I've seen it in the past.

cesarb wrote:
> For some applications, it's valuable to have globally-unique addresses even if they're not (all) broadly accessible from the open Internet.

For a real-life example of that: according to documentation which can be found at its website, the Brazilian Central Bank has been allocated a full /18 for the national inter-bank network; each financial institution connected to that network receives a /27 or a /28 (or a pair of them) from that range. If you look up that address range on bgp.he.net, you'll find out that it's not announced to the public Internet at all.

JAlexoid wrote:
There's a case for these, but it's not as broad as needing 16 million publicly usable IPs for IBM alone.

gertrunde wrote:
It's not relevant whether or not it's accessible from the internet.

And that 9/8 allocation predates RFC1918 by at least four years.

tyingq wrote:
I'm curious what you mean by this.
RFC1918 is just an update for earlier RFCs that go back farther in time, like RFC1597. And IBM people are credited on the relevant RFCs.

IBM is basically hoarding a bunch of addresses where there's no technical reason to. I get that they aren't required to do anything about it, but it does seem topically relevant.

wiseleo wrote:
IBM owns Softlayer. They may have a legitimate need for that many addresses. :)

numpad0 wrote:
Why is 10.0.0.0/8 as it is now, and why was IBM 9.0.0.0/8 in the first place?

FuriouslyAdrift wrote:
Before classless addressing, RFC1918 set out a reserved IP space in each class. 10.0.0.0/8 was set aside in the class A range by ARIN.

JAlexoid wrote:
We have run out of freely allocatable IPv4 and equipment isn't catching up to IPv6 - it's very relevant here.

Neither Apple, nor IBM, actually need that many publicly useful sets of IPs. IBM would be smart to sell them off. Apple is probably going to sit on them. (I used to work at IBM and that 9 block was very confusing to me, considering that IBM isn't even that big of a DC operator these days)

AshamedCaptain wrote:
Artificial scarcity is best scarcity.

A certain popular western European ISP still gives IPv4s cheaper than IPv6s (still a high price, though).

[deleted]

tempnow987 wrote:
In the US it's hard for many home users to get static allocations of IPv6 but you can easily get an IPv4 block for $10/month or whatever. So same issue, if you need IPv6 static then you have to go to very expensive service tiers given the "shortage" of IPv6. Reality is I think IPv6 is just a pain up and down to deal with and they haven't sorted out all the tooling to deal with it for static IPs.

futharkshill wrote:
I don't understand why the next version of IP was not just identical to IPv4 but with more bits in the address space? Were they trying to do too many things at once in the 90's?
reincarnate0x14 wrote:
It was fixing (or trying to) issues with the v4 spec that were now very apparent.

For example, IPv4 technically has a link-local address space but barely anything will use it and even less will successfully. Many other 80s/90s protocols did much better at that (IPX being an example) as well as having distributed name and service locators and such.

IPv6 local networks of IoT devices or whatever can pretty much automagically start communicating with zero configuration to anything else locally. No DHCP or whatever required.

The world didn't stand still between v4 and v6, it'd be weird if the protocol did.

detaro wrote:
I don't think it not being that harms it as much as people think. It _has to_ require updates for everything either way, people by and large don't care about "oh but it's only a small total breakage, going to jump on that then". On the other hand, yes, there certainly was some "we break everything anyways, so let's 'improve' things", combined with those improvements being designed at the wrong time, with assumptions that didn't always turn out to match reality. (E.g. a bunch of pieces that were added to IPv6 kind of assumed that routers would stay as they were, with routing done on CPUs, in software. Which they obviously didn't, and specialized hardware works on entirely different constraints)

JAlexoid wrote:
IPv6 suffers the classic "we didn't think of thaaaaat" syndrome.

We will probably use IPv4 for decades more. It's going to be even slower with the constrained semiconductor pipeline.

That's why we have squatters and expensive IPv4 blocks.

detaro wrote:
> _We will probably use IPv4 for decades more_

But I think we would also be in that situation if it were just IPv4-but-bigger. The main problem is incentives, and they wouldn't change through that.
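The "zero configuration" link-local behaviour reincarnate0x14 describes rests on each interface deriving its own fe80:: address from its MAC via the modified EUI-64 rule (RFC 4291): flip the universal/local bit of the first octet and insert ff:fe in the middle. The snippet below is an added example, not code from the thread or the blog post; it derives the address both ways, and the reverse direction is the defender's interest, because an EUI-64 identifier embeds the hardware address in every packet the host sends, which is why modern stacks default to random identifiers (RFC 4941 privacy extensions). The MAC used is a constructed sample.

```python
"""Modified EUI-64 link-local derivation and its inverse (RFC 4291 Appendix A)."""
from ipaddress import IPv6Address


def modified_eui64(mac: str) -> bytes:
    """Build the 8-byte interface identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02            # flip the universal/local (U/L) bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> IPv6Address:
    """fe80::/64 prefix followed by the modified EUI-64 identifier."""
    return IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier is EUI-64 shaped.

    Returns None when the IID does not carry the ff:fe marker, which is what
    a randomised (privacy-extension) identifier looks like; callers should
    treat that as "no hardware address disclosed", not as an error.
    """
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed sample MAC; the OUI is not claimed to belong to any vendor.
SAMPLE_MAC = "00:1b:63:84:45:e6"

if __name__ == "__main__":
    ll = link_local_from_mac(SAMPLE_MAC)
    print(f"{SAMPLE_MAC} -> {ll}")
    print(f"{ll} -> {mac_from_address(str(ll))}")
    print("random IID ->", mac_from_address("fe80::a1b2:c3d4:e5f6:1234"))
```

Run over a neighbour table or a capture, `mac_from_address` is a quick way to see which hosts on a segment are still advertising hardware addresses in their IPv6 identifiers and which have privacy extensions enabled.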
Thoreandan wrote:
I think D.J.Bernstein has the same question -- and has for 20 years now :^)

https://cr.yp.to/djbdns/ipv6mess.html

wmf wrote:
This has been addressed hundreds of times but I guess DJB doesn't care. He just lit the fuse and walked away.

aidenn0 wrote:
https://en.wikipedia.org/wiki/Second-system_effect

api wrote:
Interesting work, but IMHO anything that extends the life of IPv4 does active harm. I'd prefer if these addresses stay out of the pool so scarcity increases and forces people to upgrade.

IPv4 is fundamentally too small, period. There are already more people and computers on Earth than possible IPv4 addresses even if it were perfectly optimally used. It leads us further down a path in which everything is behind increasingly starved NATs, making point to point connectivity more and more difficult. Now we are seeing NATs in front of carrier-grade NAT and other madness.

... and no, NAT is not a security feature. You can and almost always do have a firewall in front of IPv6. If you _really_ want NAT there is IPv6 NAT, but it allows you to have all mappings be 1:1, eliminating the need for port starvation madness and making P2P always work. All internal IPs get their own external IP, but those can be random and rotated if you want.

paulnpace wrote:
The total population I don't find to be a very strong argument, because all that matters is the population of people who desire to communicate with my service. If people not able to communicate with my service also don't want to communicate with my service and I don't see a need for them to communicate with my service, why do we both need the same protocols?

Something I have observed is that sites that tend to attract DDoS attacks tend not to use IPv6 (note that reddit and HN do not have AAAA records, though I don't know the actual reason for this).
I've even seen heavily attacked sites that I know are using paid Cloudflare or Sucuri services not have AAAA records, and I wonder if that's a decision or recommendation from the service providers. So, elimination of IPv4 may mean that sites can more easily and cheaply be knocked off the Internet.

api wrote:
As for point one: I'm not talking about client/server access to services. I'm talking about the capacity for endpoints to talk to each other. IPv4 would be fine if we want a fully centralized computing infrastructure where everything is only a thin client, but that's a future with zero privacy or personal freedom.

I don't think there's anything special about IPv4 in terms of DDOS mitigation. What you're probably seeing is an artifact of focus and investment. IPv4 is still the lowest common denominator standard. Virtually everyone can talk to an IPv4 endpoint. As a result the DDOS protection services still mostly use IPv4 endpoints because it reduces the amount of attack surface they have to protect. If they were dual-stack they would have to deal with BGP black holing on what amounts to two BGP networks instead of just one.

DDOS is something that desperately needs a more comprehensive solution, but it's a hard problem to solve. Right now the solution is for DDOS protection services to run bastions with enough bandwidth to absorb attacks, but that's a solution that constricts innovation tremendously. I feel like a permanent solution would require cryptography to be designed into the entire network so that you could do things like rate limit packets to your host for people who didn't present a certificate. That would require a deep redesign of the entire network though, and that's not going to happen.
| paulnpace wrote: | I'm not clear that IPv4 doesn't offer at least one measure | of reduction against a DDoS, and that's just one time hits | every second from 1 quadrillion unique IPv6 addresses. You | simply can't have that level of problem in IPv4. However, I | have never been on the inside of a DDoS attack, so I don't | speak from experience on this. | | In regards to mitigation, what we are talking about is an | exclusive network with central controllers in the form of | ICANN. Every packet has digital footprints, so what ICANN | could do is permit IP address blocks to be seized and | transferred when it is demonstrated the owners are | consistently using the network for purposes of doing harm, | even when it is through negligence. This would work its way | through the service level agreements between various ISPs. | As in the rest of the business world, you cannot just dump | your garbage onto someone's property without eventually | being forced to pay for it. | welterde wrote: | With spoofed addresses (which are not uncommon in ddos | attacks) you have exactly the same issue with IPv4. And I | don't really see it making any difference if the packets | contain 32bit of random information or 128bit. | api wrote: | IPv6 /64 prefixes are analogous to the role IPv4 | addresses typically play. Most cloud endpoints have one | or more /64s and most endpoint connections from ISPs get | a /64. Yes this does mean your house can have | 18,446,744,073,709,551,616 devices in it with unique | public addresses, but they're behind one /64. | | When DDOS black holing is done the recipient will | actually look up the BGP advertised prefix from which the | attack is coming and black hole the whole thing. Many | IPv6 prefixes are /32 and /48. | | I am pretty deeply familiar with this stuff. There's | nothing about IPv6 that makes current mitigation | techniques much harder. 
The most logical explanation for | IPv4-only in the DDOS protection world is just to limit | the attack surface by picking the lowest common | denominator address. That way you only have to defend in | the IPv4 realm instead of in two addressing realms. | | IPv6-only would give you the same effect but there are | still too many edge devices without IPv6 addresses to use | IPv6 alone for anything public facing. IPv6-only systems | are sometimes used in private networks, as bastion boxes, | etc. | aurizon wrote: | Use it or Lose it. Back in the day companies were allocated large | blocs of IP space. They do not own it - what they do not use | should be allocated to others who will use it with zero | compensation to squatters - they own nothing. Sadly some have | valued the IP blocs as assets = boosted bottom line - and there | are some large boosts! These people will whine and scream - but | screw them, they are just squatters and deserve nothing. Valid | users can easily be identified by network data. | dublin wrote: | There is still plenty of IPv4 space available, it's just very | badly distributed, for instance, due to early limits in Cisco's | IOS, Chevron acquired an insane 26 Class B address blocks when | connecting to the net back in the early 90s! With CIDR, we can | easily reuse the many unused addrs like those, but the pain of | readdressing has their owners sitting on them, raising prices and | making them even more reluctant to turn loose of any for fear | they won't be able to get them back... | | And, let's face it, IPv6 addressing is so fundamentally horked-up | that it's practically _only_ usable by propellerheads in the | cloud backend: First, the addresses are too damn long and | unwieldy to really be used; and second, even most people reading | this, tech people in a tech forum, struggle to really grasp the | inane IPv6 address shortening rules! Like X.400 mail addresses, | they work technically, but are unusable in practice. 
| | (For those of you fortunate enough not to remember, the best way | to get and transfer someone's X.400 address, even within the | X.400 network, was to have them mail someone through an internet | gateway and use whatever it said. Marshall Rose devoted an entire | chapter to ranting about this in his Internet Mail book...) | xnyanta wrote: | > First, the addresses are too damn long and unwieldy to really | be used; and second, even most people reading this, tech people | in a tech forum, struggle to really grasp the inane IPv6 | address shortening rules! | | Ever heard of DNS? | vel0city wrote: | I don't know about everyone else, but when I want to go to | Hacker News I go to https://209.216.230.240 and ignore the | security warnings of mismatched name. Way easier to remember | than news.ycombinator.com, it's five fewer characters! | Bluecobra wrote: | I am a little ashamed to admit this, but I can't remember | the URL for Hacker News and always have to search for it in | Google if I am on a device that doesn't have it bookmarked. | Somehow I still remember other long URLs like | http://altavista.digital.com though. | cameronh90 wrote: | Remembering and hand manipulating IPv6 addresses is not | something end users need to deal with. | | Like everyone else on my ISP, I have a publicly routeable v6 | subnet at home and v6 addresses on my phones. I couldn't tell | you what they are, but they work just fine. | ospzfmbbzr wrote: | > Remembering and hand manipulating IPv6 addresses is not | something end users need to deal with. | | Assuming it's configured correctly. Most devices are not. | | > Like everyone else on my ISP, I have a publicly routeable | v6 subnet at home and v6 addresses on my phones. I couldn't | tell you what they are, but they work just fine. | | Why would you ever want publicly routable addresses on | devices inside your home? | | If IPv6 was simply a 64-bit quad improvement on IPv4 it would | be fine.
However, the only valid use cases I can think of are | mostly to the benefit of end users. | | What possible need could anyone have for more address space | than the non-routable private address blocks already afforded | by IPv4? Throw in the insecure-by-default and frequent | misconfiguration out-of-the-box and you have the current | flaming security dumpster fire that is IPv6. | jeroenhd wrote: | > Assuming it's configured correctly. Most devices are not. | | Aren't they? I've never seen a home user fight with IPv6. | | > Why would you ever want publicly routable addresses on | devices inside your home? | | Because that's how the internet is supposed to work. It's | what protocols are designed for. IPv4's shortcomings have | led to many stupid security issues (SIP ALG, FTP ALG, all | the other ALGs, all allowing any website to punch a hole | straight through consumer firewalls). I don't know what | insecure-by-default devices you use, but all routers I've | seen come with a firewall enabled by default set to deny | all incoming traffic. | | If you don't want that for some reason, feel free to NAT66 | your network into your own chosen ULA. | | IPv6 is no more of a flaming security dumpster fire than | IPv4. | buttocks wrote: | > First, the addresses are too damn long and unwieldy to really | be used; and second, even most people reading this, tech people | in a tech forum, struggle to really grasp the inane IPv6 | address shortening rules! | | I have been using IPv6 for at least twelve years and I will | agree that at first - maybe the first six months or year - I | found these things confusing. But I think your assertion is | based on lack of familiarity. Fundamentally, IPv6 works well, | and just needs some open-minded people to spend time with it. | zozbot234 wrote: | > First, the addresses are too damn long and unwieldy to really | be used | | How so? The network-prefix portion of IPv6 is 64 bits, which is | a pretty conservative extension of IPv4.
Everything after that | is under the control of end users, so nothing's stopping them | from manually assigning simple ::1, ::2 etc. values for the | host identifier part - or whatever addressing scheme happens to | be most convenient for any given application. | Chocoflan wrote: | I have some IPv4 addresses. What can I do with them? | tomc1985 wrote: | Am I the only one alarmed that WD maintains a public registry | (via DNS) of MyCloud device UUIDs, their public IP, _and_ their | private IP? How many of those are on networks with exploitable | routers? | | Like, you have an external entrypoint and a target internal IP | that you know will contain a trove of potentially interesting | data. | jedberg wrote: | I agree that's a ridiculous privacy issue. Definitely a case of | poor security to provide a minor inconvenience (access your | data from anywhere on the internet). | inopinatus wrote: | I had an ASSIGNED PORTABLE /24 in my name back in the 90s. I | don't have many regrets in life, but returning that to the | registry remains a real big one. | tempnow987 wrote: | I've said it before. Charge $10/year/ip. | | Would stop a lot of squatting on unused space and free it up. | wdb wrote: | Need to look into this. Vaguely remember my dad had a block of | IPs. Not sure if it's lost since he passed away. | trimminghedges wrote: | Blackrock. | mtmail wrote: | Can you elaborate or link to a source? | tabtab wrote: | Ipv4Coin, my latest sca....entrepreneurial project. | coretx wrote: | geenew wrote: | Relevant bit of related humour: | | "How I Learned to Stop Worrying and Love IPv6" | | https://www.theregister.com/2012/08/21/verity_stob_ipv6/ | | Choice quote: "'Do you NATter with your Neighbours? Don't | squander the nation's resource!'" | cute_boi wrote: | I think this is good. If these guys hoard IPv4, corporations will | be forced to IPv6. Isn't that good news?
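The address shortening rules argued over above (dublin, buttocks, zozbot234) and the /64-per-customer aggregation api describes, as an added Python example that is neither from this thread nor from the blog post it discusses. It implements the RFC 5952 canonical text form by hand, cross-checks it against the standard library's ipaddress module, and collapses a constructed list of source addresses (inside the documentation prefix 2001:db8::/32) into per-/64 counts, the granularity at which rate limits or blackholes are usually applied. All function names are the example's own.

```python
import ipaddress
from collections import Counter


def expand_ipv6(text: str) -> list[int]:
    """Parse any textual IPv6 form (full, leading-zero-stripped, or with one
    '::') into its eight 16-bit groups. Embedded-IPv4 forms such as
    ::ffff:192.0.2.1 are out of scope for this example."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not an IPv6 address: {text!r}")
    return groups


def compress_ipv6(groups: list[int]) -> str:
    """Render eight groups in the RFC 5952 canonical text form: lowercase hex,
    no leading zeros, and the longest run of two or more zero groups (the
    first such run on a tie) replaced by a single '::'."""
    hex_groups = [format(g, "x") for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:  # strictly longer, so a tie keeps the earlier run
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # a lone zero group is written as '0', never as '::'
        return ":".join(hex_groups)
    left = ":".join(hex_groups[:best_start])
    right = ":".join(hex_groups[best_start + best_len:])
    return f"{left}::{right}"


def canonical(text: str) -> str:
    """Canonical form of any textual IPv6 address."""
    return compress_ipv6(expand_ipv6(text))


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check the hand-written rules against ipaddress, which also
    emits the RFC 5952 form."""
    return canonical(text) == str(ipaddress.IPv6Address(text))


def containing_prefix(text: str, prefixlen: int = 64) -> str:
    """The /64 (by default) an address belongs to: the unit that plays the
    role a single IPv4 address plays, and the usual granularity for
    per-customer rate limits or blackholes."""
    addr = ipaddress.IPv6Address(text)
    return str(ipaddress.IPv6Network((int(addr), prefixlen), strict=False))


def count_by_prefix(addresses: list[str], prefixlen: int = 64) -> dict[str, int]:
    """Collapse a list of observed source addresses into per-prefix counts."""
    return dict(Counter(containing_prefix(a, prefixlen) for a in addresses))


# Constructed sample sources, written in three different textual forms.
SAMPLE_SOURCES = [
    "2001:0db8:0001:0002:0000:0000:0000:0001",
    "2001:db8:1:2:abcd::9",
    "2001:DB8:1:3::7",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:42} -> {canonical(src):24} in {containing_prefix(src)}")
    print(count_by_prefix(SAMPLE_SOURCES))
```

The only rule that trips people up is the tie-break: `2001:db8:0:0:1:0:0:1` has two runs of two zero groups, and only the first may become `::`, giving `2001:db8::1:0:0:1`. Both the hand-written function and `ipaddress` apply that rule, which is what `agrees_with_stdlib` checks.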
| brippalcharrid wrote: | I know a number of IPv6 activists that are hoarding IPv4 | address space with that in mind. Market forces will eventually | provide compelling incentives once we have exhausted the easily | accessible types of CGN magic. | JAlexoid wrote: | With the constricted supply of semiconductors - this may | backfire spectacularly! | stjohnswarts wrote: | We have a solution, so it doesn't really matter, does it? Time to | move on to IPV6 people. | zwieback wrote: | I work at hp and we have all of 15.x.x.x and use it for all our | internal networking. At one time we also had all of 16.x.x.x | because of DEC/Compaq. I suppose at some point this could be an | asset for us since we could use some different scheme internally. | ck2 wrote: | DOD needs to release those 175 million addresses back to the US | public. | | That blog mentioned it but still, the timing of when it happened | and who got control of them is odd af. | | https://arstechnica.com/information-technology/2021/04/penta... | kevincox wrote: | One minor philosophical question. If you are using AWS | PrivateLink because your VPC is not connected to the internet are | you really squatting anything? You just aren't using the | public internet. This means that you own the entire address space | and can decide what you want to do with it. | | Of course it still may make sense to stick to ranges you own in | case you need to peer your VPC with someone else, but I don't see | much difference between using some random batch of IPs that you | don't "own" on the public internet vs any block reserved for | internal use. Either can conflict with someone that you want to | merge with. | quickthrower2 wrote: | Yes, I didn't understand this as squatting, and it made me question | if I understood the post. As it is a topic I admit to not being | too deeply knowledgeable about. | kevincox wrote: | I think in general the author's definition of squatting is | reasonable.
I see it to mean "living on land you don't own" | or more directly "using IP addresses that you don't own". | | My point is about fully private networks that aren't | connected to the internet. I would argue that in this case | you do own all of the addresses, even if someone else owns | them on the public internet. | iqanq wrote: | That's like saying if I create a 3D model of my neighbour's | car and drive it around the streets of a videogame I am | "squatting my neighbour's car" or "using a car I don't | own". | quickthrower2 wrote: | Thanks. I have a question then. | | If you squat as per this definition, can you divert | internet traffic designated for the real IP address to your | server? | | Or does it only divert it for computers on your network? | kevincox wrote: | The author is only talking about private networks. This | does however occasionally happen on the public internet | (or when a government turns their country into a private | network and does this maliciously). The most common | source is "BGP Leaks" which is a fun search. | erik_seaberg wrote: | My favorite example is when a Turkish ISP accidentally | declared themselves to be the best route to anywhere, and | the whole Internet simply took their word for it. | | https://web.archive.org/web/20080228131639/http://www.ren | esy... | thedougd wrote: | That's not really what the author was getting at. The VPC | endpoints just provide a way (via TLS certificate authority | logs) for the author to discover DNS addresses that they can | then use to check for queries and determine what IP addresses | are being used in private networks. | | They found a number of AWS users that are treating publicly | routable IP space as their own private IP space. If someone | were to ever offer a public service in that IP space, the | company/network using it as private IPs would not be able to | access the public service.
| | The author is trying to understand how prevalent this is, and | to what extent of trouble an owner of these IP spaces would | have if they decided to host a public service. | jcims wrote: | This is useful threat intel as well b/c many firms employ | source ip address in policy constraints and log monitoring. | However it's trivial to masquerade as a target IP address | range in a private vpc, and overlap could indicate that | someone is up to some tomfoolery. | | (FWIW cloudtrail will include source vpc and/or vpc endpoint | information when the request is coming through an endpoint. | This will help detect those requests) | thedougd wrote: | And you can use IAM policies with VPC endpoints! | | I wish AWS would offer an all-in-one VPC endpoint that | covered all their services. Of course they're not | financially incentivized to do that. | kevincox wrote: | I agree with you in general. If you do expect to be able to | connect to the public internet and map an endpoint over a | public address you are aiming a gun at your foot. However the | point I was trying to make was about this quote: | | > This is useful since it can remove the need for some | servers to have any outbound internet access at all. | | My point is that if you are not connected to the public | internet at all I don't see why you should be expected to | follow the rules of the public internet (who owns what). You | can use whatever rules you want for your own private network. | Arnt wrote: | This particular survey finds things that _are_ connected to | the public internet. For example, the WD NASes used are | specifically those NASes whose owners have chosen to | connect them to the public internet. | | The squatters probably don't intend anything at all evil, | but their address use conflicts with access to the general | net. 
If you use addresses that aren't yours _and_ you expect to | be able to connect to web sites in general, you might by | chance use an address that is later allocated to a web site | you'll want to use. If you squat on 193.168/16, that's 2^16 | addresses and you might block your own access to a few | thousand web sites. | benjojo12 wrote: | For what it's worth, I've these endpoints in use for VPCs | that still had internet access. Meaning that if you | attempted to read the "real" internet address you put your | VPC subnet on, they would be unreachable. | | It's hard/impossible to figure out if the VPC in question | has been set up this way. But I agree that it would be | likely that most of these VPCs with the endpoints on don't | have internet access. | | However if we assume (dangerously I suppose) that the VPC | subnet distribution is similar to other VPCs without | private link, we can imagine how many other VPCs are | squatting on space that do have internet access! | | (Assuming any of this makes sense) | kevincox wrote: | For sure, I'd bet that most of the examples you found | were still connected to the internet. I don't think the | findings are any less valid; I just thought it was an | interesting observation that if you are in fact | disconnected from the internet there isn't really any | reason you should follow the public internet's rules. | thereddaikon wrote: | >My point is that if you are not connected to the public | internet at all I don't see why you should be expected to | follow the rules of the public internet (who owns what). | You can use whatever rules you want for your own private | network. | | Hypothetically if you were dealing with a network that had | zero access to the outside world then you are right, it | doesn't matter. You can use whatever IPs you want and it | wouldn't make a difference.
| | It's a bit of a moot point though since outside of niche | situations like high security air gapped networks you don't | really see that scenario anymore. Yes, the network at a | nuclear missile silo could do that but everyone else is | connected to the internet. | thedougd wrote: | I understand you now. | | I suppose the argument is you're building a house without a | door. While you may believe you have everything you will | ever need in that house, there's a likelihood you will | eventually need to leave (or something needs to arrive). | Now you're stuck. Of course, it's not all or nothing when | it comes to IP space. | | If you were going to use 11.x for an air gapped secure | enclave, I would have a very difficult time presenting a | scenario where that may bite you later. However, I'd vote | to use CGNAT reserved space before any 'unused' public IP | space. | hotpotamus wrote: | I believe the networking term is "bogon". Basically you're | using space in a way that isn't intended. Mostly I've seen it | as people trying to use RFC1918 space on public networks | probably because of misconfigurations and most routers/FWs will | ignore these. This is sort of the inverse. | Godel_unicode wrote: | Not really, bogon is generally used for either unallocated | space or "Martian" packets (packets with a source in private | space). This space is unannounced, but not unallocated, | therefore it doesn't show up on the bogon list. | | Here's the team cymru bogon list, for instance: https://team- | cymru.com/community-services/bogon-reference/bo... | hellow22 wrote: | IPv4 address space is in short supply, so some people decide to | use IP space (allocated, but not advertised) that doesn't belong | to them. The consequences are pretty well described in the | article you quote. | jeroenhd wrote: | But this address space is non-routable, so it's effectively | using address space that's equivalent to a 10/8 or 172/12 or | 192.168/16 address.
There's no need to grab random /8s when | there is plenty of IPv4 address space that won't ever get | routed to the internet (assuming nobody does something as dumb | as actually changing the 127/8 semantics). If they somehow run | out of those, 100.64/10 is also pretty much guaranteed not to | be reachable from the internet. | boomchinolo78 wrote: | The author of trilema.com at some point boasted of having bought | a /16 and then renting it out. | | Something I don't quite understand is why IPV6 is better, if | anything sticking to IPV4 will lead to more "selective" use. | Actually useful things get an IP, the rest, well, better get more | useful | colinmhayes wrote: | Artificial scarcity is bad. IPv4 is bad because it's expensive. ___________________________________________________________________ (page generated 2022-02-17 23:00 UTC)
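The distinction jeroenhd, Godel_unicode and thedougd draw between RFC 1918 / CGNAT space and "unused" public space, as an added Python example that is not from this thread or from the blog post it discusses. It classifies the subnets of a planned (or discovered) private network and reports how many addresses would silently become unreachable if the real holder of that space ever announced it, which is Arnt's 193.168/16 point. The subnet list is constructed for the example and the function names are its own; the special-purpose ranges are the well-known ones from RFC 1918, RFC 6598 and the IANA special-purpose registry, not a complete list.

```python
import ipaddress

# Space an internal network can use without ever colliding with a public
# host: the RFC 1918 private ranges and the RFC 6598 shared range used for
# carrier-grade NAT (100.64/10).
SAFE_INTERNAL = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("RFC 6598 shared (CGNAT)", ipaddress.ip_network("100.64.0.0/10")),
]

# Space that is also never routed publicly but has fixed meaning in every
# host stack, so numbering servers from it breaks things (the 127/8 case).
SPECIAL_PURPOSE = [
    ("this network", ipaddress.ip_network("0.0.0.0/8")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("documentation TEST-NET", ipaddress.ip_network("192.0.2.0/24")),
    ("documentation TEST-NET", ipaddress.ip_network("198.51.100.0/24")),
    ("documentation TEST-NET", ipaddress.ip_network("203.0.113.0/24")),
    ("benchmarking", ipaddress.ip_network("198.18.0.0/15")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
]


def classify_internal_subnet(cidr: str) -> str:
    """Say whether an IPv4 subnet chosen for a private network is safe to use.

    Returns one of:
      'ok: <range>'             wholly inside RFC 1918 or RFC 6598 space
      'special-purpose: ...'    overlaps loopback, link-local, multicast, ...
      'partly private: ...'     straddles a private range and public space
      'squatting: ...'          public unicast space held by some other party
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 subnets only")
    for name, block in SAFE_INTERNAL:
        if net.subnet_of(block):
            return f"ok: {name}"
    for name, block in SPECIAL_PURPOSE:
        if net.overlaps(block):
            return f"special-purpose: overlaps {name} ({block})"
    for name, block in SAFE_INTERNAL:
        if net.overlaps(block):
            return "partly private: straddles private and public space"
    return "squatting: public unicast space allocated to another party"


def unreachable_if_announced(cidr: str) -> int:
    """Number of public addresses a squatting subnet would hide from its own
    users once the real holder announces them; 0 for a safe subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if classify_internal_subnet(cidr).startswith("squatting"):
        return net.num_addresses
    return 0


def audit_subnets(subnets: list[str]) -> dict[str, str]:
    """Classify every subnet of a VPC layout in one pass."""
    return {cidr: classify_internal_subnet(cidr) for cidr in subnets}


# Constructed sample layout mixing the choices discussed in the thread.
SAMPLE_VPC_SUBNETS = [
    "10.42.0.0/16",     # RFC 1918
    "100.64.8.0/22",    # CGNAT shared space
    "11.0.0.0/16",      # 'unused' public space
    "193.168.0.0/16",   # one digit away from 192.168/16, but public space
    "127.1.0.0/16",     # loopback pressed into service
    "172.0.0.0/8",      # straddles 172.16/12 and public space
]

if __name__ == "__main__":
    for cidr, verdict in audit_subnets(SAMPLE_VPC_SUBNETS).items():
        print(f"{cidr:16} {verdict:60} at risk: {unreachable_if_announced(cidr)}")
```

The last check matters in practice: a /16 of someone else's space looks harmless on the day it is chosen, but every one of its 65,536 addresses is a future public host that the squatting network will be unable to reach, and nothing in the network will log why.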