250 million-plus reserved IPv4 addresses could be released – but the internet isn’t built to use them

Re: Cover them all

`127.1-255.0.0/16`

WTF?

Oh, You mean all of the 127/8 except 127.0/16?

That's a really weird way of writing a network definition, partly because it's a horrible definition...

Might be substantially easier just do the top half (a /9), or to move to IPv6

Re: Cover them all

Not possible. The standard definition of the loopback network is 127/8, so the interface IP address set to 127.0.0.1 with a netmask 255.0.0.0. You would have to patch pretty much every device in the world that uses IP to change that. That's an even more daunting task than the 240/4 thing, since some stuff like Linux has already been fixed for that.

Re: Cover them all

We did:

Probably the most important proposal was finally retiring fully the concept of 0 as broadcast: https://www.ietf.org/id/draft-schoen-intarea-unicast-lowest-address-05.html

That work is mostly done too, codewise.

So is 0/8. I´m really fond of that patch - deleted 5 lines of code and saved every computer on the planet a nanosecond or more on every packet.

Two MUCH more controversial proposals were limiting ipv4 multicast address space (which I do not feel like pursueing at this time), and shaving down 127 to something sane, and making it work with k8.

Re: Cover them all

From an earlier life before IPS, I built a crude IPS by adding 192.168.xxx 10.xxx and so on to an acl with logging. I also knew my expected public exposure and logged any thing that was not expected on that ip and port as well.

The router syslogged out to a server. With a bit of programming, the program on the server would add a route to the router for anything I did not like. If it was persistent, the application would send me an email.

I received an email that I was being attacked by 127.0.0.1! (Spoofed naturally) and the router was forwarding the packet. The Checkpoint firewall did not logg it or block it. It just did not exist to any software firewalls.

Using what is now called Wireshark, tapped and grabbed packets. 50% of my bandwidth was these packets and nothing was seeing it except my router.

With the ISP’s help, and we had to put acls on their routers to see it, we tracked it upstream and found the bot server. They were crafting the packets for control of the bots and blew this to everyone. They never expected a return packet nor did the Chinese student that had his dorm door busted in and server taken.

That said, I block all addresses that are not listed as public from entering or leaving our networks.

Re: Future use??

You'd be surprised by how much of the RFC1918 address space does get advertised for routing over ISP networks, which is a potential vulnerability if someone tries to connect to it and ends up reaching a malicious server. Most devices SHOULDN'T be handling packets for those blocks outside their WAN generally, and never advertising routes via routing protocols, but there's technically nothing that says you can't use a router internally at multiple points where such routing would be valid so outright preventing it wouldn't be good and it comes down to either bad configurations or malicious configurations. But 240/4 being reserved as a "never use this" block makes it a bigger deal to prevent anything on the public Internet ever accepting routes or sending traffic for it. Kind of an arbitrary dividing line between degrees of risk, I guess. But after we reached the point of not having anymore IPv4 addresses, and deciding that IPv6 was the future, 240/4 should have been released as there was clearly never going to be any other "future use" or experiments. (And what did they need 168 million addresses for when experimenting?)

Re: Future use??

“Reserved for future use”

So what do stupid manufacturers interpret this to mean? Block its possible future use…

“ The reasoning is that many manufacturers of networking equipment don’t recognize 240/4 and simply won’t process packets sent to the millions of addresses the block contains”

Interop failure.

Aside can’t find a RFC which defines what action should be taken with future use addresses and RFC3330 doesn’t give any either. So default behaviour should be for routers to treat these addresses as normal IPv4 reputable addresses.

Re: Future use??

240/4 is on the list of Bogon addresses. Basically if you are a router on the public Internet and you see packets to/from addresses on the bogon list, something has gone very wrong, and the reccomended thing to do is to drop the packet. (Or at least that was reccomended practice back when I was configuring Cisco 2501 routers).

Like you said, that probably shouldn't be hard coded in the firmware. Years back we used to manually update our bogons lists when new blocks were assigned to regional registries (ok, ok, actually 6 months later when someone complained about issues).

The only special thing about 240/4 was that by saying "future use" instead of "unassigned" there was greater uncertainty about what you would eventually see from those addresses. Maybe someone thought that the risk of oddball packets was too great to trust to the config layer.

Re: Future use??

Why would individual routers' firmware be set up to ignore 240/4 addresses? If anyone mistakenly sends requests to any such address they would simply time out just like a normal wrong address.

That may or may not be the end result depending on the set up of the routers involved in the the process, the other is an ICMP unknown/unreachable message. Regardless of the result the end user sees an awful lot of work is being wasted.

Without a filter in place your router will simply send the entire packet to it's default route (generally your ISP). If the receiving router is also configured in the same way then it then forwards the entire packet to it's default route until it reaches a level deep in the network core that has a true global routing table: i.e. there is no "default" route, it has a specific route for any address. Those routers are big, expensive and highly loaded, they typically have 100,000+ separate routes to manage even after summarisation.

It would only be at that level the decision can then be taken "sorry, can't send to that address" after wasting a lot of time and bandwidth in the process.

Re: Future use??

The risk that someone treats "unused for now" as "I can do whatever I want with it", it gets switched to "used for something different" and all the traffic breaks something. When the block was first reserved, "future use" might have meant that you send traffic to those addresses that might not be compatible with the existing specification; it was not stated which of the details would stay the same when they were eventually put to use. For example, we had a discussion a couple weeks back of companies who used a domain name they do not control for internal company stuff. If you never make a mistake, that's not going to cause any problems. If you have any misconfiguration, you will start to, at the very least, leak your internal names to an external DNS server, and possibly route to someone else's servers which could be quite dangerous.

Ideally, routers would configure such things in software. It would, by default, treat 240/4 as a range that might not act like normal ones and therefore wouldn't pass traffic intended for them, but there would be a table of addresses that were handled like that and people could remove the block. However, if you're going for speed, you might implement that logic in hardware and not bother to make it configurable. The same is true if the people building the hardware assume that the address space won't be used before this hardware is obsolete, and when it is used it will need custom software to handle which won't be written for obsolete hardware, so they shouldn't add it in. So, unfortunately, most equipment was not built to make it simple to disable that behavior.

Re: Future use??

Ignoring whole blocks is a MUCH faster process than trying to parse data that isn't going anywhere anyway.

Easier to just thow data away aimed at those addresses.

Re: Future use??

The reasons routers would drop packets with a 240/4 destination address is for compliance with RFC 1812, s5.3.7 which says:

> An IP destination address is invalid if it is among those defined as

> illegal destinations in 4.2.3.1, or is a Class E address (except

> 255.255.255.255).

> A router SHOULD NOT forward any packet that has an invalid IP

> destination address or a destination address on network 0.

And this was the justification for needing to implement this in IOS CEF when I worked at Cisco in the CEF team (and a customer request for compliance with this part of the RFC).

Destination address checks in any non-trivial packet forwarding implementation are essentially free, even in software, due to use of optimised forwarding lookups like mtries/Patricia tries. Source address checks cost cycles, but even then it was deemed acceptable to spend them on other s5.3.7 provisions for source addresses.

Re: IPv6

No more excuses, it is not that hard.

My hosted servers have used IPv6 for 20+ years, I have had IPv6 at home for 15 years.

Re: IPv6

Exactly. If you need to upgrade routing equipment for extra IPv4, you might as well go the whole hog and upgrade it for IPv6.

Re: IPv6

Bet there is some daft mess in the IPv6 address space and given the problems with 240/4 are wholly down to manufactures making stupid decisions, would not also be surprised if many IPv6 implementations contain daft constraints that will bite in the future.

Re: Where's my share of the sale?

Well, you can get funding from the Amateur Radio Digital Communications Foundation for your project if you apply for a grant. ARDC uses proceeds of the IP address sale fund their whole operation.

Re: 10.*.*.*

Essentially this would have helped Comcast right about the time they happened to sign up more than 16.7 million settop boxes / cable modems. There were overlapping RFC1918 networks at different cablecos when Comcast bought them and then needed to combine and integrate everything.

This right here, individual addressibility to EVERY cable settop and EVERY modem on their network was THE push for everything on their network to go ipv6 so they actually could have enough address space for their internal equipment. This has apparently given them a decade+ leap on the rest of the ISP industry.

I just wish other network providers *Centurylink/QuantumFiber I'm looking at YOU* would even turn up NATIVE DUAL STACK..

Hell, their most recent GPON fiber router doesn't even properly run the 6rd tunnel layer they've provided for a decade+ now.

Re: 10.*.*.*

Yes because internal use of the 240/4 block shows up in global traffic. It's still internal use ... but evidence leaks

Re: Odd.

Not that unusual. Lots of scarce things are cheap if you look at small quantities. How much does it cost to get twenty liters of water in a desert? Not that much. How much does it cost to have enough water for drinking, cleaning, and agriculture for everyone in a desert? A lot.

You usually can't buy one IP address for your use. You can rent them easily enough, and often it will be difficult to know how much of what you're paying is for the address as opposed to the server or network you're renting with it. When you're buying addresses, the smallest chunk you can usually buy is a /24, or 256 addresses, and that makes a price of $7,640. That's conservative. Current auctions for /24s are showing prices between $10k and $15k. Yes, I could do that, but it's not a small purchase. And yet, 256 addresses is not very many addresses when doing something at scale.

IPV6 is the future. just not the now. We moved our servers to ipv6 and itnisnt that hard, you juat need to get your head around "you dont nat your servers now" and get a decent firewall.

Re: Or...

Seeing as China doesn't even want to be part of the p2p internet, remove ALL china blocks, and let them run the entire thing on CGNAT. Hell, they could continue to use the IP addresses they already use, and proxy all external requests.

Re: Upgrade to IPv6

I get a /56 prefix from my ISP, which provides 2⁷² public addresses. Some ISPs provide a /48 prefix which is 256x bigger. There are enough public IPv6 addresses to give every single person on earth over 4000 /48s.

Re: Anyone not heard of IPv6?

"does not have an address space problem"

Oh god, a massive montage of techies just flashed through my head and this dumb statement tacked on to the end of it all.

"640k is enough memory"

"We'll never need bigger drives"

"You can fit the entire knowledge of mankind on a single CD"

"16GB is loads for gaming"

Argh! My head! I've heard so much of this shit in my lifetime that anytime I hear that something is "enough" in tech, I know it's probably not.

Just like folks that rolled out IPv4 back in the day couldn't fathom the future size of the internet, if we roll out IPv6 today, everywhere, we can't fathom the extent of whatever ends up on top of it.

Re: Oh god.

Y2k v2.

ISTR Microsoft had some hard-wiring built into their coding.

None of that stuff is ignored, you're just seeing a serious amount of FUD from people who don't know much about v6, or often networking in general.

The primary security concern I see is "it doesn't have NAT", which is nonsense because NAT doesn't give you any security. The complexity isn't that big, especially compared to v4-in-practice which involves a lot of NAT. The privacy problems are also nonsense given the presence of temporary addresses, RFC7217 and randomized MACs (...and HTTP cookies which are used for the majority of tracking). The addresses are SUPPOSED to be long, that's kind of the point; rather than ignoring it they added AAAA records to DNS and also allowed abbreviating addresses with lots of zeros in them.

All of this has been explained repeatedly, both in comments here and elsewhere.

"So, comments seem to agree that IP6 has far more addresses than anyone could ever need"

First off, if you want simple addresses, there's nothing to stop you from assigning them. Also, you can always use DNS so that you can access devices by host name. You should be doing that anyway.

We're long past the days when every byte counts and we also no longer have to worry about having sufficient addresses. Sticking with IPv4 means sticking with NAT and that means breaking things. It also means some people will not have a reachable address for use with VPNs etc., because they're stuck behind carrier grade NAT (CGNAT). IPv5 was an experimental streaming protocol that never went anywhere, but parts of it are incorporated into IPv6.

One thing that's driven IPv6 is mobile devices. There simply aren't enough IPv4 addresses to support them. With cell phones, 2 addresses are needed, 1 each for voice calls and for data. For this reason, VoLTE uses IPv6. Some telecom companies have found there aren't enough RFC 1918 addresses to operating their networks, without splitting them into zones. For them, remaining with IPv4 just creates one big mess, where one part of the network is not reachable from another part.

There are a lot of reasons moving to IPv6 is a good idea and none that sticking with IPv4 is.

Having more addresses than we could use up sounds like a bad thing to you? The problem we have now is that we're running out, and if we made it a bit larger so that we wouldn't run out for a while, that would be more fragile than just doing it right and pushing the limit far, far away. It's what we've done with most of the limits in our systems when we increase them.

When you're using someone else's network, you can't guarantee they'll all be 192.168.1.1. I've frequently seen 192.168.0.1, 172.16.0.1, 10.0.0.1, and various other /24s in those ranges. It doesn't matter, because if I want to access their gateway, I query my network to get the gateway address and it tells me. I do not need to try any of these when my computer already knows the address. It knows the V6 one too. Open that, copy it into your browser, and pull it up. The same steps you probably already use will still work here.

As for wasting bits in a packet, there are a ton of bytes in many protocols already, but I'm guessing you don't consider them wasted. If you're using WiFi or Ethernet, your network controller is already using and storing plenty of extra data in order to work with them. If storing 128 bits instead of 32 is really causing a problem for your hardware, you likely need to spend a couple pennies on better hardware, because we no longer work in dates where 512 bytes on chip is expected. There are embedded controllers that have small amounts, but they usually aren't running full network stacks and trying to communicate that way.

Re: Are we really running out of IPv4?

You're missing two important points. There are not even enough IPv4 addresses for all the mobile devices. Cell phones have moved to VoIP (VoLTE, VoNR) and they each need a public address, just for voice and they still need one for data. Also, the rest of the phone system has moved or is moving to VoIP.

Also, NAT breaks things. The first thing I was aware of that it broke was FTP, back in the days when we used command line clients. Lately, it's been things like VoIP and some games. The hack for that is STUN servers, so we have a hack on a hack, just to get around the address shortage.

Of course that 2³² addresses is not entirely usable due to various reserved blocks and addresses lost due to block sizes always being powers of 2.

Re: Are we really running out of IPv4?

Fortunately, we can go back to the mailing lists where the designers of IPng debated their ideas. [1] [2] As far as 128 bits is concerned, there were arguments that the address space should be large enough to accommodate any imaginable usage, especially because the opportunity to increase the address space again might not come around for a long time, if ever.

[1] https://www.sobco.com/ipng/archive/big-i/index.html

[2] https://mailarchive.ietf.org/arch/browse/big-internet/