UK.gov squatting on £1bn IPv4 motherlode

The UK's Department for Work and Pensions is sitting on up to £1bn worth of IPv4 addresses that it is not using, according to an online petition. The epetition was sparked by a blog posting from programmer John Graham-Cumming, who spotted the /8 block of addresses, over 16.8 million, was completely unused on the Autonomous …

COMMENTS

This topic is closed for new posts.
  1. djack

    It is in use

    That range houses all the networks used to connect together government departments and other organisations. Things such as the GCSX and GSI exist there... and no they couldn't have used RFC1918 addresses as many separate organisations and networks attach to it.

    1. streaky
      Facepalm

      Re: It is in use

      "and no they couldn't have used RFC1918 addresses as many separate organisations and networks attach to it"

      Uhm.. Nonsense?

      1. Anonymous Coward

        "Uhm.. Nonsense?"

        Not at all. Administration across multiple administrative realms becomes an impossible headache if you have to muddle around in RFC1918 space. Not to mention that they registered their space in 1994, predating RFC1918 by more than a year.

        The DWP did the fine and perfectly acceptable thing to register a block and use it. No guarantees that it should be reachable from the public internet, that's entirely up to them. No, the current dearth of IPv4 address space and lack of uptake of IPv6 does not change that.

        The nonsense is this pro-grammer starting an e-petition decrying something that's essentially right and proper, demonstrating that he is in fact another idiot besserwisser without a clue outside his cosy little internet-connected world. As becomes perfectly clear when you but consider the cost of clearing out the space, that will not in the least be covered by flogging it off.

        1. Anonymous Coward

          Re: "Uhm.. Nonsense?"

          It's slightly less right and proper now we know what it's worth to the public purse. Are you seriously suggesting it would cost a billion to do some network reconfiguration? (If the cost approaches a fraction of that amount, it's a tacit admission the work is in dire need of doing anyway. How much will the inevitable migration from IPv4 within the DWP cost us?)

          If the space is that precious to the DWP, let them not route it to the outside world and then fix things as they break.

          And best to do it now while it's still worth anything.

    2. El Biggles

      Re: It is in use

      Correct - GSI routing uses non-private IP addresses in order to be able to unambiguously route from Govt Departments which connect to multiple private networks. With hindsight, if each govt dept had avoided using the 10. private address space, this could have been used by GSI, thus avoiding the use of a chunk (but ONLY a chunk of, not all) of the 51. space. There is probably a large percentage of the 51. space remaining unused which could be recycled.

  2. James Marten
    Holmes

    Already answered

    I was curious about this some time ago (and also 25.0.0.0 which the MoD owns). Responses at

    http://www.whatdotheyknow.com/request/internet_protocol_ipv4_address_a

    http://www.whatdotheyknow.com/request/internet_protocol_ipv4_address_a_2

    1. Brewster's Angle Grinder Silver badge

      Re: Already answered

      1. Well done.

      2. From the DWP's response: "The cost and complexity of re-addressing the existing government estate is too high to make this a viable proposition." Really? More than half a billion?

      1. Ragarath

        Re: Already answered

        Surely a few routers and firewalls makes the address space unused totally on the Internet and can therefore be sold.

        This should not take very long or be too hard and is most probably already in place.

        1. Anonymous Coward

          Re: Already answered

          Clearly you don't understand how IP routing works then..

        2. Anonymous Coward

          Re: Already answered

          = CLUELESS.

          This isn't some home ADSL/NAT setup: the address space IS used internally. Has been for years. Can you even begin to imagine the job of re-addressing everything, not to mention testing ALL the services that use those networks, including some VERY BIG and VERY CRITICAL ones??

      2. djack
        Pint

        Re: Already answered

        "More than half a billion?"

        Yep. Easily, even if it were technically possible.

        Let's accept their estimate of 80% usage. That means that whatever range you replace it with is effectively a class A range. This network connects a lot of networks that require access to the Internet, so whatever range you use must be in RFC1918. SO, the easiest option is to use 10.x.x.x.

        OK, that's the easy bit out of the way, to enable communications across this network, it is your task to organise and re-number the internal networks of every government department, every local council, school, police authority, fire service etc. etc. so that they do not use any 10.x.x.x address internally (to ensure that they can reach any and all services on the network) and then go round and do the same for all the private companies that have a need for direct communications with any aspect of government.

        If you can do that for less than half a billion and within a time-scale so that the whole exercise isn't pointless I'll buy you that pint to the left!

        1. User McUser
          Megaphone

          Re: Already answered

          Why not use this as an opportunity to migrate to IPv6 and sell the IPv4 address block while it's still worth something?

          At least then you can off-set the cost of the migration in whole or in part. If they wait much longer they'll have migrated to IPv6 anyway and the IPv4 block will be worthless.

          1. Anonymous Coward

            "Why not [...] migrate to IPv6..."

            "... and sell the IPv4 address block while it's still worth something?"

            Because that'd mean having the DWP move faster than glacially slow. This is the government we're talking about, after all. Beyond that, it's bound to be interesting in the Chinese sense in that it is guaranteed to unearth and uproot just about everything on all the attached networks, from the very newest to the very oldest. What percentage of the devices involved, would you wager, would be unable to talk IPv6 at all?

            Given that sprinkling the networks with various 4-to-6 bodges isn't acceptable as the final design, that means replacing at least that percentage of attached devices as well as revamping the network design. And then you'll find that a well-used /8 is quite a large space.

            So it's going to be costly, perhaps roughly on the same order as swapping out the floggable space for 10/8. And that for a gain that doesn't offset the costs. This again neatly turns the "Why not?" into a "Why bother?" Especially since government departments are adept at spending other people's tax money already. No need to stoke that fire, eh.

        2. localzuk
          WTF?

          Re: Already answered

          @djack - you misunderstand routing quite seriously. There's no reason whatsoever for the DWP to hold on to 16 million internet useable addresses for internal use. All of that can be handled quite easily using 10.x.x.x ranges, routers and using brains to design your network properly.

          External facing services, which companies will connect to, would still use public routable addresses, but internally? Why? Look at somewhere like the SWGfL in education. All the addresses internally to that are 10.x.x.x, and that's used by thousands of schools, which connect to each other, and to LEA provided services. External facing services are assigned public IPs which then get either NATed or routed normally.

          Re-addressing it all would not cost half a billion quid, that's preposterous.

          1. Ken Hagan Gold badge

            Re: Already answered

            "All of that can be handled quite easily using 10.x.x.x ranges, routers and using brains to design your network properly."

            It may be theoretically possible. Then again, it may not. I assume that many of the networks in this range allow clients to VPN in from outside. If the other end of that VPN is itself on a network lazily set up as 10.x.x.x/8 (which is by no means uncommon and beyond your control) then routing doesn't work.

            However, even if it *is* possible, you still have to prove that this job (including re-testing every bleedin' system in the DWP) is cheaper than saying "FFS, switch to IPv6 you numbskull!". It's ready. Many people in many parts of the world are already using it. ISPs support it. Even for the domestic market, routers that support it are now available.

            Yes there are still idiot ISPs and vendors who don't. Who gives a toss about them? They won't be in business next year. Why should the UK taxpayer subsidize the band-aid for these vendors' lack of preparation?

      3. Bod
        Thumb Up

        "Really? More than half a billion?"

        Government IT contract to do the job, yeah, half a billion at least, more like 4 times that.

        I say go ahead and let them remap it. I'm prepared to offer my services for a nice fee. Should keep a lot of people working on it for the next 5 years at gov IT time scales. By which time it will be abandoned and they'll be forced to go IPv6 and we can all move on to the next waste of money ludicrous gov IT project.

  3. ojb
    Go

    Give every unemployed person in the UK a /29.

  4. Anonymous Coward

    When I worked there

    They used a public address space internally (probably this one). Yeah it's wasteful but I imagine they began doing this LONG before the idea of using NAT, and running out of IPv4, was ever considered. And I imagine it would cost close to that £1bn for the project to re-address everything!

    Ah, this suggestion originated from a PROGRAMMER?? That explains it then - no idea of the real world! :-)

    1. Anonymous Coward

      Re: When I worked there

      Really? Assuming that we pay contractors £300 a day, you figure it would take 3.3 million man-days to change the IP addresses of the kit in a government department? 9,100 man-years? You're the one with no idea of the real world... don't suppose you work in the civil service as an IT procurement manager, by any chance, if you consider a £1 billion price tag on the job to be reasonable?

      1. skipper
        Windows

        Re: When I worked there

        Whilst they could migrate onto a private address space with a handful of public addresses, it probably isn't worth it.

        The fact that private companies in the same situation aren't bothering means they don't see it being worth the cost and more importantly, risk to service. By the time they've actually freed up the range it'll probably be worth less than they've spent on the army of contract engineers, PMs, BAs, etc etc, and more likely they'll get half way through, there'll be a change of minister and they'd try to go back.

      2. Anonymous Coward

        Re: When I worked there

        Erm, not just re-addressing: but then TESTING EVERYTHING - EVERYTHING - that uses those networks, some systems going back years...

    2. Brewster's Angle Grinder Silver badge

      Re: When I worked there

      According to a 2007 report the DWP has ~125,000 staff. Even assuming there are 2 computers per employee, you're saying it will cost £4000 to remap each computer.

      1. WonkoTheSane
        Alien

        Re: When I worked there

        "You think they pay $20,000 for a hammer? $30,000 for a toilet seat?" - Independence Day

  5. Mike Wilson
    Alert

    Time of the essence, I think

    If that block of addresses is really worth as much as $1.5bn, they'd better move quickly. As soon as everyone gives up on IPv6 denial and actually starts implementing it, IPv4 blocks will be worthless.

    1. TonyHoyle

      Re: Time of the essence, I think

      It's worth what someone would pay for it... Nobody has $1b to spend. They'd also have to do it underhand anyway as under RIPE rules they can't sell it, only relinquish it back to RIPE for $0.

      The whole thing's pretty silly. Even if it *was* released back into the pool it pushes back exhaustion about a month. Then you're back to square one except you've spent millions forcing several government departments to restructure for no reason.

    2. Len
      Headmaster

      Re: Time of the essence, I think

      Yes, and no. Time is of the essence but speed isn't. The price of an IPv4 block will rise while they become increasingly scarce. For a while they will be interesting to companies that can't move to IPv6 (yet).

      Until the moment that still having IPv4 becomes less necessary and staying on IPv4 is more expensive than moving to IPv6. At that point the price for an IPv4 block will plummet. My guess would be that that point is four years away.

      If the DWP's objective was to profit from speculation they'd better hold on to it for some time. Fortunately they have other objectives and spending a lot of money on a major network overhaul that will take a few years to complete is, in the current state of the economy, madness.

  6. Pete 2 Silver badge

    The tip of the iceberg

    This is hardly news - or newsworthy.

    When you look at the list, it's plain that huge tracts of IP addresses were given to all and sundry when the internet was new, empty and ran on modems. Apart from the easily-kicked target of the british govt. there are loads of companies that are also sitting on /8's. Ford Motors, Eli Lilly (who?), the long-defunct DEC. Hell: even Apple have a slice of the pie.

    If there's any policy worth pursuing here it would be a "use it or lose it" across the whole 32-bit address range. Not just picking on the usual suspects.

    1. Steve Foster

      Re: The tip of the iceberg

      Eli Lilly is a large US pharmaceutical company.

      http://www.lmgtfy.com/?q=eli+lilly

      1. FrankAlphaXII

        Re: The tip of the iceberg

        IIRC, DEC is HP nowadays. And I can see how HP would justify having a /8. They probably even actually use it. Ford and Eli Lilly I have a harder time understanding.

        1. Anonymous Coward

          Re: The tip of the iceberg

          > DEC is HP nowadays. And I can see how HP would justify having a /8

          HP had their own /8 before acquiring DEC

          1. RegGuy1 Silver badge
            Coat

            HP had their own /8 before acquiring DEC

            Wow! They must be twice as good. I'll look out for them.

            Coat -- so I can go out and see if I can find anything about them out there.

    2. Anonymous Coward

      Re: The tip of the iceberg

      > Apart from the easily-kicked target of the british govt. there are loads of companies that are also sitting on /8's. Ford Motors, Eli Lilly (who?), the long-defunct DEC. Hell: even Apple have a slice of the pie.

      And if you can tell me how I can force these companies to tell me what they are doing with these addresses I will do it.

      It isn't just that the British govt is an easy target, it is because they have to respond.

    3. Charlie Clark Silver badge
      Thumb Up

      Re: The tip of the iceberg

      Tis true: the vast majority of IPv4 addresses were issued to companies and institutions in the USA. Getting them released would make a difference whereas releasing the odd range in Europe is a bit like rearranging deckchairs on the Titanic, to stick with the iceberg metaphor.

      Much better to have whichever government department or Quango is responsible for internet agree a timetable for the mandatory phasing in of IPv6 with ISPs. Pretty much all the equipment in all the networks can do IPv6 as can the vast majority of consumers' computers so the marginal cost would be minimal. You have to ask yourself what, apart from complacency or ineptitude, is holding ISPs back?

  7. The Vociferous Time Waster
    Go

    six

    IPv6 really isn't that scary and solves a lot of the problems that weren't envisaged when v4 was designed. It doesn't solve everything but there are at least enough transitional technologies out there to make it work. Good provider support is the key to getting it moving though, I know of plenty of corporate grade network providers who still don't support dual stack v4/v6 connections and that's a big ballache for those who are ready because a v6 network is next to useless if you can't get on the internet.

    IMHO all the original /8 networks should be forced to give up their address space though. How many addresses does iTunes need?

  8. PassiveSmoking
    Holmes

    Don't sell them now!

    There's still a few IP addresses left, though supply is admittedly circling the drain just now.

    Wait until AFTER they've run out before selling, you'll get more for them!

    Don't do a Gordon Brown and flog off a valuable resource when it's only set to become more valuable later

    1. Anonymous Coward

      Re: Don't sell them now!

      I take it you are referring to gold, which has fallen back again. Or do you know something we don't?

  9. Anonymous Coward

    How do you flog addresses?

    Where did the figure of £1bn come from, how could they sell and transfer them, is there such a thing as an IP address block auction? I thought all you could do was transfer them back to RIPE which they'd do at no financial gain

    1. Tom 38

      Re: How do you flog addresses?

      I'd imagine they'd ask Nortel's administrator.

      1. Uplink

        Re: How do you flog addresses?

        There's always something you can do. Like assign the IP addresses to a distinct business unit, then flog that. Then whoever buys that unit reassigns the IP addresses to its own relevant department and dissolves the unit. All done nicely through company restructuring and flogging processes, not involving RIPE or equivalent except maybe to update their records.

        Can't move the item as is? You find a vehicle that can move the item, then move the vehicle. Man with a van for IP addresses. If you're clever, you might even be able to claim it as a loss towards your profits when you dissolve the purchased unit (some ad company MS dumped recently gave me this idea).

  10. Alan Brown Silver badge

    RIPE and ARIN can also clawback space.

    They have done it a few times.

    More worryingly, large tracts of "unused" space are prime targets for route hijacking. Spammers use such things ephemerally to send out untraceable attacks, whilst forged documents have been routinely used since the late 1990s to grab such spaces.

    Space which is allocated, used internally but not routed to the 'net at large is particularly vulnerable to these hijackings - mainly because no one notices.
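
A monitoring check for the hijack risk raised in the comment above, added here as an example and not part of the thread: it flags any BGP announcement that overlaps address space the holder never routes. The announcement records, the AS numbers (documentation range) and the never-announced policy for 51.0.0.0/8 are constructed assumptions.

```python
import ipaddress

# Assumption: the holder uses 51.0.0.0/8 (the block the article discusses)
# internally and never announces it. An empty set means no origin AS is legitimate.
PROTECTED = {ipaddress.ip_network("51.0.0.0/8"): set()}

# Constructed sample of BGP announcements: (timestamp, prefix, AS path).
# AS numbers come from the documentation range (RFC 5398); this is not real data.
SAMPLE_UPDATES = [
    ("2024-01-01T03:12:05Z", "192.0.2.0/24",    [64500, 64496]),
    ("2024-01-01T03:14:41Z", "51.77.0.0/16",    [64500, 64501, 64511]),
    ("2024-01-01T03:14:44Z", "51.77.128.0/24",  [64502, 64511]),
    ("2024-01-01T03:20:00Z", "2001:db8::/32",   [64500, 64497]),
    ("2024-01-01T04:02:19Z", "48.0.0.0/4",      [64503, 64510]),
    ("2024-01-01T04:30:00Z", "198.51.100.0/24", [64500, 64498]),
]


def find_suspect_announcements(updates, protected=PROTECTED):
    """Return one alert per announcement that overlaps protected space
    and whose origin AS is not on the allow-list for that space."""
    alerts = []
    for ts, prefix, as_path in updates:
        announced = ipaddress.ip_network(prefix, strict=False)
        # The origin AS is the last hop of the AS path.
        origin = as_path[-1] if as_path else None
        for block, allowed in protected.items():
            if announced.version != block.version:
                continue  # different address family; subnet_of() would raise TypeError
            if not announced.overlaps(block):
                continue
            if origin in allowed:
                continue  # announcement by an origin the holder has authorised
            if announced == block:
                kind = "exact"
            elif announced.subnet_of(block):
                kind = "more-specific"  # a slice carved out of the protected block
            else:
                kind = "covering"       # shorter prefix that swallows the block
            alerts.append({
                "time": ts,
                "announced": str(announced),
                "protected": str(block),
                "origin_as": origin,
                "kind": kind,
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspect_announcements(SAMPLE_UPDATES):
        print(f'{a["time"]} AS{a["origin_as"]} announced {a["announced"]} '
              f'({a["kind"]} of {a["protected"]})')
```

In practice the update records would come from a route collector or looking-glass feed rather than an inline list, and the alert is the signal that the "no one notices" condition no longer holds.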

  11. Mage Silver badge

    The US

    Each major US University, many US tech companies and US DOD have 100s of millions of unused or unnecessary IPs

    1. Alan Brown Silver badge

      Re: The US

      Yes the US does and it is highly likely that allocated but unrouted netspace is going to be taken back.

      1. Tom 38

        Re: The US

        There is no requirement for you to make allocated addresses routable, you are allowed to use them for non-routable segments. Just like DWP are doing.

  12. Quirkafleeg
    Holmes

    They could consolidate somewhat, freeing up part of the /8 – assuming, of course, that they've not hardcoded all over the place…

    1. Captain Scarlet
      Unhappy

      Of course they have probably hardcoded it, they probably run systems much like in Dilbert.

      I.e. an old computer system which should have been replaced long ago managed by members of staff with no knowledge hidden by newer systems using marketing slang "Cloud" "Web 2.0".

  13. David 164

    I bet selling these IP addresses would just encourage companies to delay investing in upgrading to IPv6?

  14. niksgarage

    IBM ..

    IBM is sitting on the 9/8 network range .. all internal (blue zone). Internet-routable addresses are on 62.186* the last time I looked.

  15. Anonymous Coward

    It's possible that they started at 51.0.0.1, and worked up from there. Maybe they haven't gone past 51.127.255.255 yet?

    They could sell off 51.128.0.0/9 and get maybe £500m for it. :) Theoretically they wouldn't even need to update their routing tables due to subnet mask lengths.

  16. Anonymous Coward

    A lot of people seem to be forgetting that this gov't has no idea how technology works.

  17. A J Stiles
    Devil

    Yes, but look at it this way

    In any subnet, at least two addresses are unusable: the one with all the low-order bits zero (network address, e.g. 51.0.0.0) and the one with all the low-order bits one (broadcast address, e.g. 51.255.255.255). And by convention, the one with just the lowest-order bit one (e.g. 51.0.0.1) is reserved for the router.

    A single /8 wastes just 3 potential IPv4 addresses. 65536 separate /24s would be wasting 196608 potential addresses; while 1048576 separate /28s would be wasting a whopping 3145728 addresses!

    1. druck Silver badge

      Re: Yes, but look at it this way

      A single /8 wastes just 3 potential IPv4 addresses. 65536 separate /24s would be wasting 196608 potential addresses; while 1048576 separate /28s would be wasting a whopping 3145728 addresses!

      Or again; a non publicly routeable /8 wastes the full 16,777,216 potential addresses.

    2. Jellied Eel Silver badge
      Pint

      Looking at it in a different way..

      "In any subnet, at least two addresses are unusable: the one with all the low-order bits zero (network address, e.g. 51.0.0.0)"

      That's RFC950 thinking, not RFC1878. Or even post-IOS 12.0. CIDR made some aspects of old-school thinking obsolete and you can happily use subnet zero (most of the time). Far more IP addresses are probably wasted by people assigning /30s to point-point links when they don't need to. See RFC3021 for more info.

  18. Anonymous Coward

    "over 16.8 million"

    No, that is a false statement.

    2^24 = 16,777,216.

    This number should be deeply ingrained in the mind of anyone professing to have computer knowledge.

    It's also the number of colours in the RGB palette (256^3).

    1. . 3

      Re: "over 16.8 million"

      "It's also the number of colours in the RGB palette (256^3)."

      No it isn't, that would be infinity. Though by quantizing it at 256 levels per channel you actually end up with many repetitions of the same set of colours at differing brightness or saturation.

      (Also RGB HDMI uses 30 bits per pixel.)

  19. Anonymous Coward

    GE

    I sit here with everything around me on the GE /8 subnet, with stupid amounts of resources committed to stopping me accessing most of those numbers and significant chunks of the outside world. Attempted IPv6 traffic (even via tunnelling) goes nowhere! There are some very active systems admin Luddites out there!
