Feb 05 2011
 

The following was a news article that I intended to record and have included in this week’s WIA National News service; however, I had problems cutting it down to the 1:30 required. So, I’ve put in additional information that there wasn’t time for, and I intend to put in a short piece for next week’s news.

For the technically minded, I do apologise if it seems a bit dumbed down, but not all the target audience are computer-savvy.


The IPocalypse is upon us.  No, I’m not talking about some new Apple product; I am talking about the Internet Protocol, specifically version 4.  IPv4 has been with us since 1980, and has come to dominate all aspects of computer networking.  In fact, so popular is this networking protocol that earlier this week, the Internet Assigned Numbers Authority ran out of addresses.

At the recently held linux.conf.au conference in Brisbane, Google Vice President Dr. Vinton Cerf, and APNIC Chief Scientist Geoff Huston both gave talks covering this very issue.  For those who want an in-depth overview of the problem, I recommend viewing both these videos:

Back in 1973, when the beginnings of what became IPv4 were being conceived, it was decided that an address space of 2³² addresses (32 bits, about 4 billion) would be sufficient for what was considered, back then, an experiment.  The “Internet” (then known as ARPAnet) barely spanned 5 computers.  Computers occupied rooms and were not portable, nor was there any significant wireless telephony infrastructure at the time.  The problem is, the experiment never ended, and now IPv4, in this modern age of handheld computers and wireless Internet, is being pushed to its absolute limits.

Most people are familiar with using a telephone.  You need to know the number of the person you want to contact (or the phone number for directory assistance and quoting a name).  Only then can you place the call, and get in touch.  Now unlike a telephone network, where the call is established and a bi-directional connection exists for the duration of the contact, on the Internet, it’s more like dialling a voice mail service and leaving a message.  I need to leave that person my phone number so that they can get back in touch with me (or rather, leave a message in my voice mail box).

Extending the metaphor a bit, it is common for computers to have multiple connections going on at a time.  Servers also often run multiple services on the same system.  Thus, each system uses separate ports, akin to individual mailboxes.  Each computer has 65536 of them¹.  On the sending side, a free port is usually allocated at random and used for the duration of the connection.  At the server end, a fixed port is used to “listen” for incoming requests.  When sending data from one computer to another, the sender needs to tell the receiver which mailbox (or port) the data came from, and which it belongs in, so that data goes to the right place, and any replies can be correctly addressed.

The problem now is that the address space on this global network is in the hands of regional registries.  These regional centres look after the Internet services for a given geographic region.  Once those registries run out, it’s game over.  Internet service providers are forced into deciding between one of four actions:

  1. Turning away new users (the infamous “No Vacancy” sign)
  2. Implementing Carrier-wide Network Address Translators
  3. Becoming a walled garden
  4. Moving over to something new

I can see option 1 is not going to be popular, so I’m not even going to discuss it.

Option 2 is already happening in parts of Asia.  Rather than giving everyone a number that is recognised world-wide, they give you and fellow customers private ones.  They then employ an intermediate server, a Network Address Translator, to re-write the addresses on the IP packets so that they appear to be sent from that server.  NATs of course are not just things that exist in ISPs; home internet routers often do exactly this.  Another example of NAT is Microsoft’s Internet Connection Sharing.

When a computer sitting behind the NAT wishes to contact a server outside, the NAT instead picks one of its ports, and places the outgoing message there.  It then replaces the source address and port with its publicly visible address, and the port number it chose, and forwards that on to the outside world.  When the reply comes back, it re-writes the destination on the reply to point to the original address and port number of the originating computer.

There isn’t a theoretical limit to the number of computers that can exist behind a NAT.  The limitation is the number of ports.  Ports may not be shared by two applications; if a program or service is already using a given port number, it is essentially unavailable for others until that program or service is finished.

That means that for any computer, there can be a maximum of 65536 connections at any one time.  NATs are not magical devices, and this limit applies to them too.  In this modern age of parallel computing, even web browsers will frequently launch multiple connections in parallel.  Some of these connections are short lived (such as the time taken to download the text off this page), some take a while (such as the time taken to download one of the keynote speeches linked to earlier).  The resource demand will change over time with user habits.

The first big problem with NATs though, comes when you have an application that needs to be contactable from the outside world.  The application for all intents and purposes is like a server, and is listening for connections.  The trouble is, this computer is behind a NAT, and its actual address is a private network address.  Even if an outside computer knew what it was, it wouldn’t know how to get there, and quite likely, wouldn’t be allowed even if it did.  So the only way to be contacted, is via this NAT box.

Now suppose you tell someone (or the application does on your behalf) your NAT box’s IP address, and the port number your application is listening on and an outsider tries to make contact.  The NAT box hears the request, but where does it send it?  It knows nothing about this port!  The NAT box has to be told to reserve one of its ports (which again must be unique), and to forward any packets sent there, to the right port on your computer.

The hardest bit here is that not all NAT devices work the same way in this regard; there is no de jure standard for configuring a port-forward.  Microsoft UPnP is one of many de facto standards that exist, and not all NAT devices or applications support it.  A lot of these also have lots of problems of their own.  In some cases, you have to set this up yourself.  That is doable if the NAT device is under your control, but in the future we may be faced with NAT devices that are controlled by ISPs.

The applications that will be hardest hit by this will be any applications that rely on peer-to-peer communications.  This includes, amongst other things, the file-sharing services in instant messenger clients, peer-to-peer file sharing services such as BitTorrent, and Voice-over-Internet Protocol applications such as Skype and EchoLink.  IRLP, which relies on nodes having a static public IP address, will be hit particularly hard; many ISPs already charge extra for the privilege of a static IP.

Hardware devices that use the Internet are not immune from this either — in fact the situation there may be made worse, since in a lot of cases, the port numbers used are hard coded in the device’s firmware.  You may ring up to get that special port forwarded, and discover that another customer of the same ISP rang up 5 minutes ago and claimed it before you.

Ignoring these niggles, NATs don’t sound too bad if everyone is playing by the rules.  But what if someone decides to set up an Internet marketing company and starts filling up everyone’s email boxes with yet more “Discount Viagra” offers?  The way things are here in Australia, the ISP gives each customer a public IP address (which may be static, or it may change on a regular basis), and that is used as the public address on a NAT device owned by the customer.  If a customer were to do that, the IP address of that NAT device is visible in the emails sent — an ISP can simply look up who had that IP address at that time, and can immediately take action.

Now, suppose that instead, the ISP relied on NAT.  The IP address would be that of the ISP’s NAT box.  The culprit could be any one of the many users sitting behind it.  “Just log each connection on the NAT box,” you say.  Deary me, could you imagine how slow that would be?  Not to mention the disk space used!

Now what happens if, at the same time, other users were legitimately sending emails to that same network?  The logs point to a dozen users; which one was it?  If the complainant told you the source port used in the connection when the email was sent, maybe you can look that up, but I’m yet to see that sort of information recorded in system logs; email headers certainly don’t have them.
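The translation, port-forwarding and logging problems described above, as an added Python sketch (not code from the original post): a toy port-translating NAT that records each mapping, showing that a complaint giving only the time and destination matches every subscriber, while one that also gives the NAT's source port matches exactly one. The class and function names, the addresses (documentation and private ranges), ports and timestamps are all constructed for illustration.

```python
# Added illustration: toy port-translating NAT with a log; all values are constructed.
from collections import namedtuple

PUBLIC_IP = "203.0.113.1"  # the NAT box's one publicly visible address
LogEntry = namedtuple("LogEntry", "start end private public_port dest")

class Nat:
    def __init__(self, first_port=1024, last_port=65535):
        self.free = list(range(last_port, first_port - 1, -1))  # pop() -> lowest
        self.active = {}  # public_port -> (private (ip, port), dest (ip, port), start)
        self.log = []     # closed connections, one LogEntry each

    def outbound(self, private, dest, now):
        """Pick a free NAT port and rewrite the source to (PUBLIC_IP, port)."""
        if not self.free:
            raise RuntimeError("NAT port pool exhausted")
        port = self.free.pop()
        self.active[port] = (private, dest, now)
        return (PUBLIC_IP, port)

    def inbound(self, public_port):
        """Rewrite a packet's destination; None means no mapping, so it is dropped."""
        entry = self.active.get(public_port)
        return entry[0] if entry else None

    def close(self, public_port, now):
        private, dest, start = self.active.pop(public_port)
        self.log.append(LogEntry(start, now, private, public_port, dest))
        self.free.append(public_port)  # the port can now be reused by anyone

    def who_was(self, when, dest_ip, public_port=None):
        """Abuse lookup: private addresses that match a complaint."""
        return sorted({e.private[0] for e in self.log
                       if e.start <= when <= e.end and e.dest[0] == dest_ip
                       and (public_port is None or e.public_port == public_port)})

def demo():
    # Three subscribers mail the same server through the NAT at about the same time.
    nat, mail = Nat(), ("198.51.100.25", 25)
    users = ("10.0.0.11", "10.0.0.12", "10.0.0.13")
    conns = [nat.outbound((ip, 40001), mail, now=100 + i) for i, ip in enumerate(users)]
    for _, port in conns:
        nat.close(port, now=110)
    return nat, conns

if __name__ == "__main__":
    nat, conns = demo()
    print(nat.who_was(105, "198.51.100.25"))                    # time + destination only
    print(nat.who_was(105, "198.51.100.25", public_port=1025))  # plus NAT source port
```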

Clearly, this is not a solution.  It’ll make address space stretch a little further, but not without causing a world of pain for software developers who have to make their software compatible with differing standards, and causing the rest of us grief as we drown in a mountain of malware and spam.  If you think spam today is bad, you ain’t seen nothin’ yet!

The other way ISPs can go is to close off from the world and become a walled garden.  That is, you need to be a member of their network, to be in contact with other users that happen to also use their network.  Or if they provide connectivity to neighbours, it’s costly, and/or heavily controlled.  Anyone remember CompuServe, America Online, The Microsoft Network?  Ring any bells?  Those long-ago isolated bulletin board systems?  If they do, I apologise for stirring up bad memories.  If they don’t, count yourself lucky, and hope like hell ISPs don’t go back there!

I did say there was a fourth solution didn’t I?  Something new?  The Internet Engineering Task Force weren’t naïve enough to assume 32-bits would be enough.  They recognised that this would be a problem way back in the early 90’s.  They formed the Internet Protocol Next Generation working group, which in 1998 produced RFC² 2460: Internet Protocol version 6.  IPv6 extends the address space to 128 bits, a big improvement on IPv4.  It also addresses a number of other bug-bears that people had with IPv4.

Some notable ones include: Mobile IPv6 extensions to allow a portable computer (such as a smart phone) to remain contactable at the same address as it roams between multiple networks, improved quality-of-service handling for real-time streaming and multimedia, automatic addressing and simplified headers to make routing easier.

The biggest feature though is the address space.  NAT is not implemented in IPv6; it is not necessary as there’s enough space to move around.  Rather than being given a single IPv4 address which you must share with all your computers, in IPv6, you get given a whole network address prefix.  Typically this prefix is 64-bits long, leaving you the remaining 64-bits of space to allocate to each of your computers.  How many addresses is that?  Remember the 4-billion (approximate) number I quoted for IPv4?  Square it!  If you have a computer network bigger than that, I do not want to see your power bill!

Modern computer operating systems can function on IPv6 already.  Microsoft Windows XP includes support, which can be enabled by following a few easy steps.  Windows Vista and 7 come with it enabled out-of-the-box, as do Mac OS X, Linux and the BSDs (FreeBSD, OpenBSD, NetBSD, etc…).  Hardware devices can be made to support IPv6 by a simple firmware upgrade, if one is available.  If a manufacturer has not published a firmware upgrade for a device you own to support IPv6, contact them now!

ISPs world wide are dragging the chain on IPv6 take-up.  There are some notable exceptions, here in Australia for instance Internode offer native IPv6 for their customers.  I’m unaware of others in Australia.  If your ISP is one of the IPv4 sheep, it’s now time to contact your ISP and ask them what they are doing about IPv6.  In the meantime, you can get an IPv6-in-4 tunnel from a tunnel broker such as AARnet, Hurricane Electric or Sixxs.

Many online services are slowly making the move over to IPv6.  Google can be accessed via ipv6.google.com for instance.  This blog is accessible via IPv6 (thanks to AARnet).  Sixxs have a big list of sites that are IPv6 enabled.  In June (the 8th to be exact) this year, there will be a world-wide test of IPv6.  Google (as in their entire site), Facebook and Microsoft’s Bing search engine among many other sites will be going IPv6-enabled on World IPv6 Day.  If you’re not already on IPv6, it’d be great if you could join us.

Openness is one of the things that made the Internet popular.   There is a very real threat that this openness or freedom we currently experience will be lost.  If you’re a software developer, we need you to ensure your software works with IPv6 for it to keep working into the future.  If you’re a network administrator, you need to ensure your network is IPv6 compatible.  If you’re a consumer, we need you to start pestering the help desks of these software companies, device manufacturers and ISPs to ensure the commercial world sees the user demand for this!

To quote Mark Pesce, “a resource shared is a resource squared”.  We need to ensure the Internet remains open and free, for all people into the future.


1. To be more accurate, there are 65536 TCP ports, and 65536 UDP ports. However, a UDP port cannot be used for TCP traffic, or vice versa.

2. RFC = Request for Comments

  One Response to “The impending IPocalypse”

  1. Quick note: in Italy all the 3G/HSDPA providers use carrier-grade NAT, as does one ADSL/fibre. I expect others to jump on that bandwagon also to reduce the p2p traffic from users. Yes it is an excuse, but I still think they’ll make use of it.