Huawei handed 2,596,148,429,267,413,814,265,248,164,610,048 IPv6 addresses

Huawei has been allocated 2.56 decillion IPv6 addresses by regional internet registry the Asia Pacific Network Information Center (APNIC). That's a lot. The allocation is the largest ever made by APNIC, and saw the registry apply to the Internet Assigned Numbers Authority (IANA) for a second /12 block of IPv6 addresses to meet …

  1. jokerscrowbar

    I wouldn’t say

    My ex puts it about but.

    She’s had more pokes than an IPv6 network!

    1. Anonymous Coward

      Re: I wouldn’t say

      I think I spent 4 years living with your ex

    2. Anonymous Coward

      Re: I wouldn’t say

      Found Greg Wallace's account.

  2. Pascal Monett Silver badge

    Good for Huawei

    I still don't understand why IPv4 + NAT wouldn't work.

    Huawei has 18 regions ? Each region could use the full IPv4 range and, with NAT translation between regions, business is done.

    IPv4 + NAT scales to any size you want. IPv6 seems to me to be just an administrator's excuse for a good idea.

    1. jailbird

      Re: Good for Huawei

      Because NAT is a kludge that breaks many things (eg, SIP), unless you use yet even more kludges (STUN).

      1. mpi

        Re: Good for Huawei

        Yeah, but that's because SIP makes wrong assumptions about how networks work.

        1. DougMac

          Re: Good for Huawei

          No, SIP was built in an era before the NAT hack was prevalent, and the world changed around NAT, leaving other protocols to adapt to the new world order.

          1. Roland6 Silver badge

            Re: Good for Huawei

            NAT was proposed in 1992 and adopted in 1994 (RFC1631), was first designed in 1996 and standardised in 1999 (RFC2543)….

            Whilst the initial work on the Mbone (on which SIP was developed) could ignore NAT, by 1999, it was obvious a significant number of (non corporate) WWW/Internet users were behind NAT. I suspect the distance for NAT in some quarters, is a factor in why the Mbone ignored NAT…

            1. Roland6 Silver badge

              Re: Good for Huawei

              Replace distance with disdain in the above.

              Plus just to clarify it is SIP that was first designed in 1996.

            Personally, I have no problem with some stuff only working in single LAN segments, or only with fully public (explicitly end-to-end) addresses, or requiring a specific implementation (issues with SIP can be resolved with either STUN or a VPN with a “man-in-the-middle” server). We just need to be clear in the RFC.

      2. Alan Brown Silver badge

        Re: Good for Huawei

        And at least some of those kludges put the entire NATed subnet at risk (eg: Mirai propagates almost exclusively on network cameras that have tunnelled back to a portal on the maker's network)

      3. Excused Boots Silver badge

        Re: Good for Huawei

        "Because NAT is a kludge that breaks many things (eg, SIP), unless you use yet even more kludges (STUN).”

        To be fair, it’s kludges all the way down!

    2. doublelayer Silver badge

      Re: Good for Huawei

      I'm not sure I understand what your suggestion is, and I'm not sure your suggestion would work at all, and I'm not sure your suggestion would be a good idea even if it did work.

      "Huawei has 18 regions ? Each region could use the full IPv4 range and, with NAT translation between regions, business is done."

      The article says they have 39 regions, but I doubt it matters, so let's ignore that. So if I'm understanding your plan correctly, and there's a possibility that I'm really not, we're going to let all those regions use all 2^32 IPV4 addresses, minus some outward facing NAT endpoints. Just using the 10.0.0.0/8 block isn't going to be large enough. In that case, what happens when a customer is assigned the internal IP 104.18.4.22. How do they identify whether they're trying to access themselves or The Register (that's one of their IPV4 addresses)? For that matter, how do they identify if they're going for that address in a different cloud region? I understand how you can encode that into something the routers will interpret and redirect properly, but I don't understand how you identify it in the first place. Every server and application would need to know that there are at least three things any IPV4 address could mean: this region, the internet, or a different region which needs to be identified. Huawei-written software can be given a special address struct to do that, possibly just an 8-bit integer identifying the region or the internet attached to the normal four-byte address, but that won't work as well for user-written software. Software people buy in is going to have an even harder time of it.

      Even if you did that, what would happen for all the machines accepting traffic that hasn't already been set up? NAT works well enough if you only open out, but a lot of those devices are the ones that people are opening out to, meaning they need to have somewhere to accept connections. A single IP can only host 65536 services before running out of ports. It's likely that any server will have more than one of those, as even a basic HTTP server generally has three (HTTPS, HTTP, and management, usually SSH). Lots of things use more ports than that, including internal devices making up the network. Is this really better than IPV6, and if so, why?

      1. Filippo Silver badge

        Re: Good for Huawei

        Basically, by the time you have found solutions for all the small and not-so-small problems that arise out of using large-scale IPv4+NAT, you have created something that's at least as messy as IPv6. And that's the answer to the OP.

        1. Pascal Monett Silver badge

          Now that's an interesting answer.

          Thank you.

        2. Alan Brown Silver badge

          Re: Good for Huawei

          Yup, exactly that.

          As one of the NAT pioneers I frequently wish we hadn't started using it. It's caused vastly more problems than it ever solved.

          1. sedregj Bronze badge

            Re: Good for Huawei

            Absolutely. IPX/SPX makes far better use of a frame and was available decades ago.

            OK so your MAC address is your network address but surely sacrificing a little privacy is worth it? I'm surprised the PRC haven't tried to bring it in ...

            1. Yes Me Silver badge

              Re: Good for Huawei

              Emphasis on was available.

              IPX? Please!

            2. Roland6 Silver badge

              Re: Good for Huawei

              Works well in a single subnet, now route between subnets and then scale….

              However, agree, much of the discussion around the Internet has overlooked single segment LAN networking services as exemplified by XNS (on which IPX/SPX was based) and Bonjour et al

              1. sedregj Bronze badge

                Re: Good for Huawei

                SPX is the router part of IPX/SPX. It is a 32 bit number.

                An IPX/SPX "internet" is 32 bit subnets each of which is a 48 bit subnet.

                An IPv4 internet is 32 bit in its entirety.

                For each IPv4 address you can map a SPX network and hang an entire 48 bit address space off it.

          2. Roland6 Silver badge

            Re: Good for Huawei

            NAT as proposed did solve several groups of problems. Remember what is widely known as NAT is only one form of NAT covered by the RFC.

            Without NAT we would probably have had a whole bunch of gateway solutions…

    3. Roland6 Silver badge

      Re: Good for Huawei

      A big factor will be the number of subnets that can be created, remember it is typical for an ISP to assign a single user a /48~/64.

      I remember reading somewhere that some thought there were insufficient subnets given the way the first 48 bits of the address have been structured.

      1. Yes Me Silver badge

        Re: Good for Huawei

        Not so. Actually the top 48 bits aren't structured; they're allocated non-geographically just like IPv4 prefixes. And most ISPs don't allocate a /48 per subscriber anyway; /56 is more common unless you want to pay extra.

        So we do have a ridiculous amount of address space for everybody. I can only assume that Huawei wants to pursue the idea of semantic addressing, i.e. using address bits for more than just network topology. Otherwise they could not conceivably need that much space. I think that's a REALLY BAD IDEA but some people don't agree, including some Huawei people.

        1. Arthur the cat Silver badge

          Re: Good for Huawei

          "And most ISPs don't allocate a /48 per subscriber anyway; /56 is more common unless you want to pay extra."

          That's one of the nice things about Zen - when you finally find someone who knows what IPv6 is, they give you a /48.

          "So we do have a ridiculous amount of address space for everybody."

          A back of the envelope calculation suggests that if I managed to assign a machine to every address(*) I'd need a few percent of the Sun's total power output to run them. That might make my office a little too warm in summer.

          (*) I'm not sure whether there's enough Si and Cu on Earth for this. Left as an exercise for the reader.

    4. munnoch Silver badge

      Re: Good for Huawei

      My assumption is that the People's Party wants all devices regardless of which side of a gateway they lie on to be accessible and open to surveillance hence the hard-on for v6.

      1. Furious Reg reader John

        Re: Good for Huawei

        Make all the Huawei devices in the world tunnel everything back to Huawei in China, and then give the device a public IPv6, so that everything the device does can be monitored by the CCP from inside China, regardless of the device's physical location?

        1. Yes Me Silver badge

          Re: Good for Huawei

          They can only tunnel if the relevant gateways let them tunnel. And that's always been true and always will be true, so love your firewall and keep it warm and happy.

    5. david 12 Silver badge

      Re: Good for Huawei

      "I still don't understand why IPv4 + NAT wouldn't work."

      Yes, but why bother? IPV6 will work. With numbers that big, you need new routing hardware anyway, so it's not like they could use their existing IPV4 equipment.

      (Yes, you could build and buy new IPV4 equipment to handle it, but no, older equipment wasn't built for it)

  3. Michael Hoffmann Silver badge

    I dimly remember that baryonic matter is estimated to be around 2^88 particles. And there's 5 times more "dark matter", if that even exists or is in some form particular. So, an IPv6 for every bit and bob and plenty left over. That's what I call foresight! Prolly covers even the multiverse!

    And one for every Auditor! Which would make each one identifiable. Ergo, an individual. Ergo, they would all disappear in a puff. Death and Susan would rejoice!

    OK, that last part was really Pratchett-nerdism, sorry.

    1. doublelayer Silver badge

      "I dimly remember that baryonic matter is estimated to be around 2^88 particles."

      Where did that figure come from? I'm not sure it's correct. For example, the sun's mass is approximately 2*10^30 kg. That's 2^101 kg. That would make for some very heavy particles even without including any other stars. Having searched for the information, I think you might have used this article which comes up with a number of 10^80 (2^266).

      It's also annoyingly vague about what a particle is, as I am not a physicist. For example, is a neutron a particle? If it is, do the proton and electron that make it up not count as two particles? If not, will they when the neutron comes apart? When that happens, does the proton count as one particle or are we going to count the quarks and gluons?

      1. IanRS

        Particles

        When it comes to particles at a quantum level, they are pretty vague things.

        The general meaning of 'particle' at this sort of level is a small self-contained package. Hence an atom is a particle, but if you split the atom you now have two particles, plus any loose bits such as alpha particles or beta particles (but not gamma radioactivity as that is in the form of photons rather than particles - light rather than lumps).

        However, whether you count the atoms or the mid-level sub-atomic particles (neutrons, protons, electrons) or fundamental particles (quarks and other stuff, electrons are already fundamental as far as we know) only makes a small difference, as most matter is either hydrogen or helium and only has a few internal pieces. All the rest might be enough to increase the count from 10^80 to 10^81.

      2. Michael Hoffmann Silver badge

        You may be right. It's late Friday, after all. 2^ vs 10^ didn't register.

        So, not enough for every Auditor, then? Dammit!

      3. Bebu sa Ware

        "vague about what a particle is"

        An affliction common amongst quantum mechanics I believe.

        I think in this context* I think it's basically hydrogen (contaminated by a little helium) although the 10^80 number comes from an author that claims chemical reactions would have created more helium, deuterium, lithium but then astronomers do insist on calling elements not hydrogen nor helium, metals. ;)

        The second author with different reasoning proffers 4 x 10^54 kg which if you take the mass of the proton or neutron rounded up to be around 1.675×10^-27 kg then 10^80 of the blighters should weigh in at 1.67×10^53 kg which is roughly the same within a factor of 10 which is normally called a good result in their game I understand.

        2^128 = 10^(128 x log 2) ~ 3.4×10^38 (log(2) is ~0.3010 from the four figure tables of my school days.)

        A mole contains 6.02×10^23 atoms so 2^128 hydrogen atoms would be 5.6×10^14 moles which is only 560 teramoles which would weigh in at a mere 560 mega tonnes. ;)

        So we might have to wait for IPv7 with presumably at least 512 bit addresses before we can assign every baryon an address.

        The best way to deal with th

        * New Scientist: How much stuff is there in the universe

      4. Bebu sa Ware

        "vague about what a particle is"

        An affliction common amongst quantum mechanics I believe.

        I think in this context* I think it's basically hydrogen (contaminated by a little helium) although the 10^80 number comes from an author that claims chemical reactions would have created more helium, deuterium, lithium but then astronomers do insist on calling elements not hydrogen nor helium, metals. ;)

        The second author with different reasoning proffers 4 x 10^54 kg which if you take the mass of the proton or neutron rounded up to be around 1.675×10^-27 kg then 10^80 of the blighters should weigh in at 1.67×10^53 kg which is roughly the same within a factor of 10 which is normally called a good result in their game I understand.

        2^128 = 10^(128 x log 2) ~ 3.4×10^38 (log(2) is ~0.3010 from the four figure tables of my school days.)

        A mole contains 6.02×10^23 atoms so 2^128 hydrogen atoms would be 5.6×10^14 moles which is only 560 teramoles which would weigh in at a mere 560 mega tonnes. ;)

        So we might have to wait for IPv7 with presumably at least 512 bit addresses before we can assign every baryon an address.

        The best way to deal with an Auditor from The Thief of Time would appear to have them incarnate themselves like Myria LeJean and entrap them through sensation in the reality they purport to audit.

        * New Scientist: How much stuff is there in the universe?

      5. sebacoustic

        baryon

        electrons are leptons not baryons

      6. Paul Kinsler

        "It's also annoyingly vague about what a particle is"

        For these kinds of order-of-magnitude estimates it doesn't matter very much whether you count a neutron as one particle or its three constituent quarks (or, for the old school types, a proton plus an electron). The number is to get an idea of the scale, not to get a value which is supposed to be "correct".

    2. Phil O'Sophical Silver badge

      Obligatory XKCD

  4. Jim Willsher

    It's too early in the morning, but I'm wondering how many /12 blocks there are? e.g. if Huawei have been given a /12 then how many other orgs could be given a /12? Thinking back to when IBM etc had a /8 on IPv4.

    I'm guessing 65520? Based on /12 being 1111111111110000

    Or does it work differently?

    Lame question, but it's 7-ish at the end of a long week so it's easier to ask the experts here than hurt my brain.

    1. ggm

      IANA let's the rir play in 2000::/3. There are 512 /12 in 2000::/3 and the rir have used about 16 of them, so 3% or so. A /3 is 1/8 of the total space, so we've got permission to subdelegate from 3% of 1/8 which is 0.6% of the total space.

      Bear in mind that overall occupancy of the 16 /12s is well under half. We're doing fine. There is no shortage of space already delegated to BGP speakers.

      1. Yes Me Silver badge

        See for yourself

        "IANA let's the rir play in 2000::/3"

        More accurately: the IETF lets IANA let the RIRs play in 2000::/3

        The large majority of IPv6 address space is still completely reserved. The authoritative information is at https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

    2. doublelayer Silver badge

      In the whole address space, there are 2^n /n blocks. There are therefore 4096 valid /12 blocks. However, some of those are already assigned for local usage, some are assigned, and some aren't part of an open block.

      Also, Huawei did not get a /12 block. APNIC got a /12 block. They then gave Huawei a /17 block inside it. In the whole address space, there are 131,072 of those.
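The block arithmetic in ggm's reply (512 /12s inside 2000::/3, a /3 being 1/8 of the space) and in doublelayer's reply above (2^n blocks of size /n, a /17 inside a /12), worked through in Python as an added example. This is not code from any commenter or from APNIC/IANA; it uses only the standard `ipaddress` module, and the headline address count is taken from the article title purely as an expected value to check the formula against.

```python
import ipaddress

IPV6_BITS = 128
# Address count from the article headline, used here only as an expected value.
HEADLINE_COUNT = 2_596_148_429_267_413_814_265_248_164_610_048


def blocks_in_space(prefix_len: int) -> int:
    """Number of distinct /prefix_len blocks that tile the whole IPv6 space: 2**prefix_len."""
    if not 0 <= prefix_len <= IPV6_BITS:
        raise ValueError("prefix length must be between 0 and 128")
    return 1 << prefix_len


def addresses_in_block(prefix_len: int) -> int:
    """Addresses inside one /prefix_len block: 2**(128 - prefix_len)."""
    if not 0 <= prefix_len <= IPV6_BITS:
        raise ValueError("prefix length must be between 0 and 128")
    return 1 << (IPV6_BITS - prefix_len)


def sub_blocks(parent_len: int, child_len: int) -> int:
    """How many /child_len blocks fit inside one /parent_len block."""
    if not 0 <= parent_len <= child_len <= IPV6_BITS:
        raise ValueError("need 0 <= parent_len <= child_len <= 128")
    return 1 << (child_len - parent_len)


def share_of_total(network: str) -> float:
    """Fraction of the entire 2**128 space covered by a network, via the ipaddress module."""
    net = ipaddress.IPv6Network(network)
    return net.num_addresses / (1 << IPV6_BITS)


def count_subnets(network: str, new_prefix: int) -> int:
    """Enumerate a network's /new_prefix subnets with ipaddress and count them.
    Only sensible for small splits (a /3 into /12s is 512 items); for anything
    larger use sub_blocks() rather than materialising the list."""
    net = ipaddress.IPv6Network(network)
    return sum(1 for _ in net.subnets(new_prefix=new_prefix))


if __name__ == "__main__":
    print(f"/12 blocks in the whole space: {blocks_in_space(12):,}")       # 4,096
    print(f"/17 blocks in the whole space: {blocks_in_space(17):,}")       # 131,072
    print(f"addresses in one /17:          {addresses_in_block(17):,}")
    print("matches the headline figure:  ", addresses_in_block(17) == HEADLINE_COUNT)
    print(f"/12s inside 2000::/3:          {count_subnets('2000::/3', 12)}")  # 512
    print(f"/17s inside one /12:           {sub_blocks(12, 17)}")          # 32
    print(f"2000::/3 share of total space: {share_of_total('2000::/3')}")  # 0.125
```

Running it shows that the headline number is exactly 2^111, i.e. the address count of a single /17, which is consistent with doublelayer's description of the allocation.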

  5. O'Reg Inalsin

    We've asked Huawei why it needed all those IP addresses. It hadn't responded

    They need time to put together the list?

    1. Korev Silver badge

      Re: We've asked Huawei why it needed all those IP addresses. It hadn't responded

      It's RIPE for discussion...

    2. seven of five Silver badge

      Re: We've asked Huawei why it needed all those IP addresses. It hadn't responded

      Still sitting in their hollowed out volcano and counting.

      213456498746... heheh 213456498747.. ha! 21345649874 and EIGHT muahaha...

  6. Anonymous Coward

    I have one major worry about IPv6

    .. and that is that it makes devices directly addressable. Without any real control. With NAT you have a set of options because NAT traversal is still not that easy from the outside (despite various efforts to break that because other fun stuff wouldn't actually work).

    If I now have a range of tat that speaks IPv6, doesn't that mean they're now directly reachable from the Net? In other words, if I don't have every device operating on a zero trust basis (good luck with IoT, see 'tat'), they can be addressed directly from the Net? That'll be fun with cameras.

    Not a network aspect, so happy to be corrected and any hints on how to secure that would be good too. For the moment most dumber things are IPv4 which is easier as they live on a subnet, but I'm not as comfortable yet with IPv6, it feels too uncontrolled. I have an ISP router which talks Wifi6, and I see many devices pick up an IPv6 address via DHCP..

    1. Blue Shirt Guy

      Re: I have one major worry about IPv6

      I'm not sure how many times it needs to be said but NAT is not a firewall, it just breaks a lot of things. If you don't have a firewall for IPv6 then you don't have one for IPv4. Worse, with IPv4 you may think you have something you don't, while having to implement bodges that make things even less secure. IPv6 generally makes it simpler to be secure as there's no hidden port translation.

      1. Phones Sheridan Silver badge

        Re: I have one major worry about IPv6

        "I'm not sure how many times it needs to be said "...

        The confusion comes from many teachers saying, but no-one actually showing. If it was demonstrated that all internal LAN machines behind NAT can be probed by a thousand bots on the internet, then people would believe it. But if those people see that their NAT router is being probed by a thousand bots on the internet, but the unsolicited traffic does not get through to the LAN (unless a port forwarding rule is set up), they will continue to believe that NAT is an ingress firewall, despite an endless tide of protestations that "NAT is not a firewall".

        1. Anonymous Coward

          Re: I have one major worry about IPv6

          I should have started with stating that I *know* that NAT isn't a firewall, but it IS a speedbump.

          My ISP router has some filtering, but I have everything set up with zero trust anyway because I travel, about the only thing that can be reached is the printer, and that has updates disabled (it's an inkjet, so no prizes for guessing why that is :) ).

          I can scan the one IPv4 presence I have online and I won't get much back (also because I don't use the DMZ function which would cart all incoming to one IP address - don't have the time to set up a Linux box for it), but I haven't had time yet to check what IPv6 looks like from outside - I must find some time to run an nmap from outside on the router public IP6 address as well as some of the IP6 addresses it has been handing out.

          The plan is to eventually move everything internal onto a herd of Netgear Omnis but I have another few things to do first. And they're not cheap..

      2. Roland6 Silver badge

        Re: I have one major worry about IPv6

        > "but NAT is not a firewall"

        But it is a firewall rule: allow all outbound traffic, but only allow inbound traffic to a port that has an active outbound session or for which a static mapping exists.

        I expect ISP IPv6 routers will implement something akin to this rule, so that they provide at the minimum a fig leaf of privacy for your average user who has zero interest in doing anything to their router, other than plugging it in.

        I’ve found very little these days gets broken by NAT, but then that’s probably because I tend to adhere to good security practices so that things that might be broken by NAT avoid NAT.
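An added illustration of the rule Roland6 describes above, and of the "NAT is not a firewall" replies before it. This is not code from any commenter or from any router vendor: a toy stateful edge filter in Python that allows outbound traffic, admits an inbound packet only when it is a reply on a remembered flow or matches a static allow rule, and never rewrites an address. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the host and port numbers are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass


def canonical(addr: str) -> str:
    """Normalise an address so that textual variants of the same IPv6 address
    (e.g. '2001:db8:0:0::1' and '2001:db8::1') produce the same flow key."""
    return str(ipaddress.ip_address(addr))


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class EdgeFilter:
    """Stateful edge policy: allow every outbound packet and remember its flow;
    allow an inbound packet only if it is a reply on a remembered flow or hits a
    static allow rule. Everything else is dropped and logged. No address is ever
    rewritten, so the same object works unchanged for IPv4 or IPv6 hosts."""

    def __init__(self, static_allow=()):
        # Static inbound allows: (inside_addr, inside_port, proto). This is the
        # counterpart of a NAT port-forward, minus the translation.
        self.static_allow = {(canonical(a), p, proto) for a, p, proto in static_allow}
        self.flows = set()   # (inside_addr, inside_port, remote_addr, remote_port, proto)
        self.dropped = []    # unsolicited inbound packets, kept for logging/alerting

    def process(self, pkt: Packet) -> str:
        src, dst = canonical(pkt.src), canonical(pkt.dst)
        if pkt.direction == "out":
            self.flows.add((src, pkt.sport, dst, pkt.dport, pkt.proto))
            return "allow-outbound"
        if pkt.direction != "in":
            raise ValueError(f"unknown direction {pkt.direction!r}")
        # Reply check: the inbound packet's (dst, dport, src, sport) must mirror a flow
        # that an inside host opened first.
        if (dst, pkt.dport, src, pkt.sport, pkt.proto) in self.flows:
            return "allow-reply"
        if (dst, pkt.dport, pkt.proto) in self.static_allow:
            return "allow-static"
        self.dropped.append(pkt)
        return "drop-unsolicited"


def run_demo() -> list:
    """Constructed traffic (documentation prefix only); returns one verdict per packet."""
    fw = EdgeFilter(static_allow={
        ("2001:db8:1::80", 80, "tcp"),   # web server A, its own port 80
        ("2001:db8:1::81", 80, "tcp"),   # web server B, also port 80, on its own address
    })
    traffic = [
        Packet("out", "tcp", "2001:db8:1::10", 51000, "2001:db8:ffff::1", 443),  # laptop opens HTTPS
        Packet("in",  "tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 51000),  # reply on that flow
        Packet("in",  "tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 51001),  # wrong port: not a reply
        Packet("in",  "tcp", "2001:db8:bad::7", 40000, "2001:db8:1::cafe", 23),  # unsolicited probe at a camera
        Packet("in",  "tcp", "2001:db8:bad::7", 40001, "2001:db8:1::80", 80),    # static rule: allowed
        Packet("in",  "tcp", "2001:db8:bad::7", 40002, "2001:db8:1::81", 80),    # second host, also port 80
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The two static rules give two different LAN hosts their own port 80 without any port forwarding, which is the practical difference a public address per host makes. The protection for everything else comes from the stateful inbound policy, not from translation; a real implementation (nftables, pf, conntrack) additionally tracks TCP state and expires idle flows, which this simulation leaves out.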

        1. the spectacularly refined chap Silver badge

          Re: I have one major worry about IPv6

          "But it is a firewall rule: allow all outbound traffic, but only allow inbound traffic to a port that has an active outbound session or for which a static mapping exists."

          But that isn't how it works. If your LAN is on 192.168.0.0/24 any inbound traffic to 192.168.0.x appears directly on the LAN, yes even if it originated from the WAN side: that is how NAT works by design. Far from being some impenetrable security barrier you are actually giving your ISP unfettered access to your network and trusting them to keep you secure. End to end connectivity was always a core design principle of the original Internet which NAT broke for purely pragmatic reasons, security was not a consideration.

          It is also why many more recent network applications depend on a usually proprietary gatekeeper rather than open standards you can implement for yourself - you need the gatekeeper to traverse the NAT. That is why you do not have open, interoperable IM clients for instance.

          1. Roland6 Silver badge

            Re: I have one major worry about IPv6

            >"But that isn't how it works. If your LAN is on 192.168.0.0/24 any inbound traffic to 192.168.0.x appears directly on the LAN, yes even if it originated from the WAN side: that is how NAT works by design."

            ? On many routers I've played around with, the routing of private traffic on the WAN ports had to be explicitly enabled.

            Although, if memory is correct (ie. not got one setup to look at) the 4G routers do get a private IPv4 and IPv6 address on the WAN port, and thus cannot be routed to directly, unless you are using an overlay like A&A L2TP-VPN.

            In either case the ISP is doing NAT, so whilst your ISP might be able to talk directly to devices on your network (with the security implications you allude to), joe public on the Internet (or other people on your ISP) won't.

            1. Yes Me Silver badge

              Re: I have one major worry about IPv6

              "On many routers I've played around with, the routing of private traffic on the WAN ports had to be explicitly enabled."

              Absolutely true, but (see my other comment) that is exactly the same for IPv4 and IPv6. NAT is irrelevant to opening and closing external ports, except of course that a NAT box can only support one instance of port 80 whereas an IPv6 router can support one port 80 for each host on your LAN.

              1. david 12 Silver badge

                Re: I have one major worry about IPv6

                "that a NAT box can only support one instance of port 80 whereas"

                So (1), completely irrelevant to home and small business, and (2), mostly irrelevant to anybody using a load-balancing front end.

                IPv6 is a protocol designed for internal use in large system networks like Huawei. Which is why large system networks like Huawei are adopting it.

                If the IPv6 adopters would stop asserting that it had benefit for average end users, it would be less annoying and invite less push-back.

                1. doublelayer Silver badge

                  Re: I have one major worry about IPv6

                  "(1), completely irrelevant to home and small business,"

                  Home I'll grant you, though some home users (me, for instance), wouldn't mind being able to publicly address multiple machines without a manually-maintained port forwarding and DDNS setup. When you consider CGNAT which prevents any public ports and covers billions of home users, there's another reason. But true, a lot of home users won't notice the switch. Small business is not so uncaring. Some small businesses actually have some infrastructure that benefits from public IPs.

                  "(2), mostly irrelevant to anybody using a load-balancing front end."

                  Rubbish. Load balancing does not eliminate the benefits of IPV6. You still put a load balancer in front of your servers here, but when you need to identify and locate those servers, you have an easier time of it rather than shoving everything into the 10.0.0.0 space and hoping that nothing overlaps. You can also have multiple addresses for multiple servers. If you direct all those addresses to a single load balancer because your load can take it, fine. If you want to have a different server outside the balancer, for instance one that you intend to be available in the case of a failure of the balancer, you can do that. Of course, most of the people who are in such a position have some IPV4 addresses to spare and do that because they have already paid for the ones they'll need. With IPV6, you won't have to participate in five-figure auctions for a /24.

                  1. Roland6 Silver badge

                    Re: I have one major worry about IPv6

                    >” 1) … Some small businesses actually have some infrastructure that benefits from public IPs.”

                    Need to be careful, whilst many things e.g. on-prem mail server, RDS server, PABX benefit from a static public address, the individual systems don’t need to have different public IP addresses. In the case of Exchange server, having it behind a firewall, means only exposing key ports to the Internet, and thus only traffic to those ports will impact performance of that server.

                    >”2) … “

                    It is going to be interesting to see whether those hosting companies that host multiple web sites on a single IPv4 address change to giving each website a unique IPv6 address…

                    Agree about the auctions - supply and demand…, but if you must have your own IPv4 address, rather than rent someone else’s IPv4 address…

                    The big question is when will the trickle of migrations become a flood and IPv4 effectively gets relegated to internal private networking.

                    1. doublelayer Silver badge

                      Re: I have one major worry about IPv6

                      "Need to be careful, whilst many things eg. On prem Mail server, RDS server, PABX benefit from a static public address, the individual systems don’t need to have different public IP addresses."

                      I agree that user desktops, for example, don't need public addresses. If they get them thanks to IPV6, they'll need a strict firewall in front of them, which the default config will usually do.

                      There are often enough things that do need a public endpoint that having addresses for them is helpful. When I've seen ISP plans for small businesses, they tend not to give out very many. The last one I saw had options for two statics and six (six was a lot more expensive than two). A lot of businesses can fit their public infrastructure into six addresses. Some can manage with two. However, if someone has seven machines and wants them all to have public addresses, I want to give them that option. I could pack things together so that their machines share addresses, or I could just give them IPV6 and no sharing is required even if they buy an eighth one. That means there's a lot less complex configuration, fewer opportunities for things to not work until the network admin can be called in to reassign ports and clean up the DNS, and less opportunity for an ISP to overcharge people for providing no service, just a scarce resource that has no reason to be scarce.

                      1. Roland6 Silver badge

                        Re: I have one major worry about IPv6

                        Agree, I’ve regularly seen allocations of either /29 or a /30 static addresses, which as you note after allowances leaves 6 or 2 usable host addresses, which is useful if you are setting up a “simple” WAN with both Internet access and private/dedicated inter site connections. Obviously, if building redundancy a second allocation is desirable from a different ISP.

                        I think there are two issues here: first what is and isn’t possible with IPv4 and the clear and present issue of IPv4 address space exhaustion and hoops we are having to go through to get around this in those circumstances that demand something a bit different.

                        Whilst it is reasonably obvious IPv6 is a solution to the address space problem, I disagree with the idea that everything should/must have a publicly accessible IP address. I.e.

                        Much of the traditional network design thinking is still relevant, particularly in these security conscious days, where as you note the default IPv6 firewall settings won’t be much different to the default IPv4 firewall settings.

              2. Roland6 Silver badge

                Re: I have one major worry about IPv6

                > a NAT box can only support one instance of port 80 whereas an IPv6 router can support one port 80 for each host on your LAN.

                That is just an implementation issue. Not aware of there being a limit to what could be done with IPv4 (would have to reread the various RFCs), but in general terms if IPv6 can do it then so can IPv4, just that most routers probably don’t provide support for anything other than the simple case. Given that ISP/consumer grade routers are designed to a cost, it would be natural for them to implement the simplest variant of NAT, expect similar implementation constraints to appear in ISP/consumer grade IPv6 routers.

                1. doublelayer Silver badge

                  Re: I have one major worry about IPv6

                  No, it is not an implementation issue. It's not that your individual devices can't have their own port 80s, but that only one thing can receive packets directed to your only public IP's port 80. You can implement several ways to have traffic sent to different internal devices, such as:

                  1. Direct your traffic to one server which reads the request and sends it to whichever machine can handle that request.

                  2. Have a machine acting as a load balancer across multiple internal devices.

                  3. Have different ports forwarding to your devices and include those in the links you give to users.

                  4. Implement a custom protocol which includes a specific device identifier with every packet and make sure that whatever is talking to you speaks it and your networking equipment understands it.

                  What none of those solutions does is let you have a single IP and port, sent to one of multiple independent devices, because that is not possible. It is not possible on IPV6 either, and the reason that it can handle this is that you have enough addresses that anything you want to be publicly contactable can have its own address and all the ports to itself.
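Option 1 in the list above (one front-end server that reads each request and hands it to the right internal host) is the usual answer to "one public IP, one port 80, many devices". The following is an added example, not code from the post or from any product mentioned in the thread; the hostnames, the 10.0.0.x backends and the sample requests are constructed placeholders. It shows only the decision a name-based reverse proxy makes, without the socket handling, and deliberately refuses requests whose Host header matches nothing rather than falling through to a default internal host.

```python
"""Demultiplexing one public IP:80 onto several internal hosts by Host header."""
from typing import Dict, Optional, Tuple

# Constructed sample mapping: public hostname -> (internal address, port).
# Private-range placeholders, not any real deployment.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "cam.example.com": ("10.0.0.10", 8080),
    "nas.example.com": ("10.0.0.20", 80),
}


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the lower-cased hostname from an HTTP/1.x request head, or None.

    Only the header block is examined; anything after the blank line (the
    body) is ignored. An optional :port suffix is stripped, including for
    bracketed IPv6 literals such as "[2001:db8::1]:8080".
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"host":
            continue
        host = value.strip().decode("ascii", "replace").lower()
        if host.startswith("["):
            end = host.find("]")
            return host[1:end] if end > 0 else None
        return host.split(":", 1)[0] or None
    return None  # HTTP/1.0 without Host, or a malformed request


def choose_backend(raw_request: bytes,
                   backends: Dict[str, Tuple[str, int]] = BACKENDS
                   ) -> Optional[Tuple[str, int]]:
    """Pick the internal server for a request, or None if no name matches.

    Returning None (and answering 421/404 at the edge) is deliberate: a
    catch-all default backend would expose an internal host to any client
    that sends an unknown or missing Host header.
    """
    host = parse_host_header(raw_request)
    if host is None:
        return None
    return backends.get(host)


if __name__ == "__main__":
    # Constructed sample requests
    good = b"GET /live HTTP/1.1\r\nHost: cam.example.com\r\n\r\n"
    unknown = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
    print(choose_backend(good))     # ('10.0.0.10', 8080)
    print(choose_backend(unknown))  # None
```

The same routing decision is what makes the port-80 limit a non-issue for plain HTTP; for HTTPS the equivalent selector is the TLS SNI field, since the Host header is encrypted until the proxy has chosen a certificate.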

                  1. Roland6 Silver badge

                    Re: I have one major worry about IPv6

                    Reread what the original poster said:

                    “a NAT box can only support one instance of port 80 whereas an IPv6 router can support one port 80 for each host on your LAN.”

                    The clear implication is that an IPv6 router is somehow different to an IPv4 router that supports NAT. Otherwise, I agree with your points.

                    Although a router with packet inspection could perhaps implement a per individual LAN host firewall policy.

                    However, the real question is just how many inbound connections are actually required in the typical home/small business. Because even for Ring et al to access their device on my LAN, my device needs to call out to register, and with dynamic addressing, there is no guarantee when a remote host decides to communicate my device has changed to another random IP address (which also is incompatible with SIP and the “holy grail” of universal end-to-end connectivity….

                    1. doublelayer Silver badge

                      Re: I have one major worry about IPv6

                      While I grant you that someone wanting to claim a difference in the router could phrase that the way they did, that's not what they meant. What they meant was that a NAT connection has only one IPV4 address, and thus only one port 80, whereas an IPV6 network has more than one and thus more than one port 80. I'll concede that they should have said "network" instead of "box" in that sentence.

                      You're right that a lot of homes won't need very many, if any, connections. This doesn't matter very much to me. We can ignore those people and consider only those who actually care about inbound connections, and for any of them, IPV6 offers significant advantages. A Ring camera doesn't need to have a public port because it calls out to Amazon's servers and only talks to them. A privacy-respecting one might self-host, which you could do with a directly accessible public port or with a network setup of your own choice. Ring benefits if we don't get public access, whereas personal control benefits if we have that flexibility. Some people who currently don't understand why IPV6 would help them, including some who don't know what that is at all, would also benefit from that. Randomly changing addresses are also not much of a concern, because ISPs are unlikely to randomize the IPV6 prefix you were assigned because they have plenty of those, and your devices don't have to change their address at all. Some machines are set to do that, but that's an option, not a requirement. Meanwhile, ISPs generally reclaim IPV4 addresses if the network gives them up because they are a scarcer resource, so changing addresses are more likely there.

                      1. Roland6 Silver badge

                        Re: I have one major worry about IPv6

                        Yes a NAT connection, whether it be over IPv4 or IPv6 will only have one IP address and thus port 80. Giving a host a public IP address (whether it be IPv4 or IPv6) presents a different firewall scenario.

                        Yes the home server for the security cameras, energy management etc. is an interesting challenge, as it needs to be able to be set up by Joe Public, who will naturally not be interested in the details of IP addresses and firewalls. Hence these will need to implement some form of UPnP to get a static IP address, enable inbound routing and to declare a name that can be resolved by DNS (this may be part of service from the ISP), so the user can configure their phone app to call in, or dial in from some random Internet cafe, without having to get involved with IP addresses. I suspect the resolution of all this is going to be a lot more complex than the current server-in-the-middle solutions currently being sold to Joe Public…

        2. Yes Me Silver badge

          Re: I have one major worry about IPv6

          "I expect ISP IPv6 routers will implement something akin to this rule"

          What do you mean by "will"? Of course they do; I haven't looked at the code, but I can't see any reason why the same code path can't be used for both IPv4 and IPv6 firewall rules.

          If I want an IPv6 app to be able to accept incoming traffic on port N for IPv6, I have to tell my home gateway. It's called "Port sharing" and it's configured on the same page for IPv4 or IPv6. There is simply no difference. The idea that network address translation adds any actual security is just bogus.

          (It is true that NAT prevents an external attacker learning a little bit about the internal addressing of your network, and possibly guessing a few things about its topology if you have multiple LAN segments and routers. Some enterprise networks claim to care about that and want to hide their IPv6 topology.)

      3. AndrueC Silver badge
        Boffin

        Re: I have one major worry about IPv6

        I'm not sure how many times it needs to be said but NAT is not a firewall

        Who said it was? Certainly not the person you're replying to. All they have stated is that NAT provides protection from outside attacks. And it does. I can tell you my laptop's IP address and there's no way that you can launch an attack at it. Even if I tell you the public IP address I am using you still can't directly attack my laptop. All you can do is DDoS my router. There is the corner case of your ISP mounting an attack against you via private address space propagation but worrying about that is like worrying about a meteorite striking your head while you're out walking.

        it just breaks a lot of things.

        And yet the internet and associated protocols are everywhere. The world runs on the internet. We've even turned things upside down and now telephony runs on top of the internet instead of the other way around. Even complete dweebs (aka 'users') are gaming (client and server), watching TV, chatting and exchanging banal claptrap without the faintest idea of how it all works.

        What exactly is NAT supposed to have broken?

        Having written that I will say that I'm a fan of IPv6 and wish adoption had gone further quicker (my ISP has been offering dual-stack for nearly 20 years and my own mail server is configured to send and accept traffic on it).

        But I'll also defend NAT for the simple fact that it's keeping the internet going without any obvious (to the users who really matter) problems.

    2. firstnamebunchofnumbers

      Re: I have one major worry about IPv6

      > doesn't that mean they're now directly reachable from the Net?

      Yes, that would be the case if you didn't have a firewall in place. Why would you not have a firewall in place? :)

      Most firewall/gateways outside of provider-locked home routers will let you specify the source+destination address+port traffic flows are allowed through in the same way for IPv6 as for IPv4.

      Seriously though I had the same confusion about 15 years ago then moved my home internet to Zen which offered IPv6 and it forced me to understand it. Once you get your head around it there's not much difference.

      My biggest source of annoyance with IPv6 though isn't anything to do with IPv6 addresses, it's the move away from DHCP as being the convention for handing out addresses. SLAAC (automatic) IPv6 addressing with PD (Prefix Delegation, giving devices a v6 address from ranges given to you by your ISP) works well but I never end up using it in isolation. Generally I also need a DHCPv6 daemon to hand out things like DNS, dns-search, boot-file, ntp-server and other options.

      Another thing that holds back wider deployment certainly for bigger organisations is the idea of having to re-number v6 hosts to new provider-allocated ranges when you change provider. The way around that is to run your own AS and get your own slice of v6 space from the RIR so you are not tied in to a specific provider. Yes, you can use DDNS for hosts to update their IPv6 (forward and reverse) DNS records but that was a scary switchover even for my home network.

      In a way this has actually forced more centralisation on the internet, where orgs will outsource their edge to a CDN so the public-facing network and addressing is not their problem. There are internal IPv6 ranges that you can use (search for ULA addressing) but in my experience that's a massive kludge and only works for internal-internal traffic anyway and is best avoided (apart from something like a storage or other strictly internal VLAN etc).

      1. Jusme

        Re: I have one major worry about IPv6

        > Another thing that holds back wider deployment certainly for bigger organisations is the idea having to re-number v6 hosts to new provider-allocated ranges

        ...

        > In a way this has actually forced more centralisation on the internet, where orgs will outsource their edge to a CDN so the public-facing network and addressing is not their problem.

        At which point you might as well stick with IPv4 RFC1918 addresses internally, and your "CDN" will have (possibly shared) public IPv4 addresses for your "website" so everyone can access it.

    3. Phones Sheridan Silver badge

      Re: I have one major worry about IPv6

      "I have an ISP router which talks Wifi6, and I see many devices pick up an IPv6 address via DHCP.."

      Yes, but all you need is the "Deny All" set as your default rule on your firewall, and then you can poke individual holes through to your heart's content. No less secure than a Deny All rule on IPV4.

    4. doublelayer Silver badge

      Re: I have one major worry about IPv6

      Yes, they are directly reachable, but you have to keep several things in mind:

      1. If you have a firewall, they're as secure as your IPV4 addresses. You probably have a firewall.

      2. If you have a firewall, but you have UPNP turned on, then your IPV4 boxes are punching their own holes in the firewall meaning they're more directly reachable than the IPV6 hosts are.

      3. Finding and harassing a random address is a lot easier for IPV4, where I can sweep every address in ten hours from one machine or five minutes from a botnet than IPV6, where your incoming pipe is most often the limiting factor to a random or sequential search.

      NAT has often provided a basic firewall-like service to people who won't set up their own, although UPNP makes a lot of it worthless, but it is certainly not required. If you know why NAT was sort of helping, you know all you should need to set up a basic firewall or at least check that you already have one, and you should take that step. The rest of people is why a lot of network hardware has firewall software on it, usually set to a basic config anyway.

      I have a NAT setup over IPV6, which is intended as a privacy measure because it mixes lots of devices' traffic from one outgoing address which changes on a cycle. That isn't proven to help, I just thought it might and had some time to write the rule, but it also doesn't provide any security that I didn't already have with my firewall. If you prefer that method, you can have IPV6 and NAT together.

    5. Kevin McMurtrie Silver badge

      Re: I have one major worry about IPv6

      That's exactly the point. NAT breaks everything.

      There are IPv6 "link local" addresses and IPv6 NAT if you'd like to use them. You can also set firewall rules.

      I remember the days when a lot of the Internet wasn't behind NAT. It drove innovation. People could share data and prototypes effortlessly.

    6. Alan Brown Silver badge

      Re: I have one major worry about IPv6

      "With NAT you have a set of options"

      NAT is not a firewall. Firewalls are not NAT

      If you're relying on the _small_ accidental protection that NAT confers, then you've already lost the security game. All it takes is one device tunnelling out of your network (eg: Most network cameras/DVRs) and you're toast

      1. Roland6 Silver badge

        Re: I have one major worry about IPv6

        The risk is the same as someone using a browser to "tunnel" out of your network, i.e. you can see my browser and thus attempt to finger it, but you will have to compromise the system the browser is running on to gain wider access to my network.

  7. Sceptic Tank Silver badge
    Terminator

    So I should basically be able to assign myself an IPv6 address and the chance of a collision with someone else's address is remotely minuscule. Also, if there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses to scan, maybe the bots won't find you.

    1. Anonymous Coward
      Anonymous Coward

      The chances of collisions are low but so are the chances of your traffic getting routed properly. I wouldn't advise it.

      You are right, though, that random port scans of whole ranges are essentially a thing of the past because the vastness of the address space. My ISP hands out a /48 block of IPv6 addresses at my home address. That is 1,208,925,819,614,629,174,706,176 addresses which I can divide into 65,536 separate LANs. The IPv4 address space globally is limited to 4,294,967,296 addresses so my home IPv6 block is 281,474,976,710,656 times larger than the entire IPv4 block theoretically available.

      In short: the chances of a random IPv6 address being in use are really, really low.

    2. doublelayer Silver badge

      "So I should basically be able to assign myself an IPv6 address and the chance of a collision with someone else's address is remotely minuscule."

      You have two choices:

      1. Get a normal IP block, which you'll get automatically if your ISP supports IPV6*, and assign yourself an address inside it. The chance of a collision is zero unless your ISP screwed something up, and if they did, you'll find out quickly and you'll have someone to complain to.

      2. Assign yourself a random IPV6 address and your chance of collision is very small indeed. Your chance of actually getting any traffic is also pretty small, since that's not your address and the routing tables know it.

      * Generally, residential ISPs give a /64 to the average customer and larger blocks, /56s or /48s are common, if you ask for a dedicated block.
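Both of the choices above, and the earlier mention of ULA addressing for internal-only traffic, come down to the same point: a self-picked address only works if nobody else can legitimately hold it and the routing system knows where it lives. For addresses that never leave your own network the standard answer is a Unique Local Address prefix from fd00::/8, whose 40-bit Global ID is generated pseudo-randomly so that two merged networks are very unlikely to collide. The following is an added example, not code from any post in this thread; it implements the Global ID algorithm of RFC 4193 section 3.2.2 (SHA-1 over an NTP timestamp and an EUI-64), and the EUI-64 and timestamp values used in the test are constructed placeholders.

```python
"""Generating an RFC 4193 Unique Local Address prefix instead of a random /128."""
import hashlib
import ipaddress
import time
from typing import Optional

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def ntp_timestamp_now() -> int:
    """Current time as a 64-bit NTP timestamp: (seconds since 1900 << 32) | fraction."""
    now = time.time()
    seconds = int(now) + 2208988800  # offset between the 1900 and 1970 epochs
    fraction = int((now - int(now)) * 2**32)
    return (seconds << 32) | fraction


def ula_global_id(eui64: bytes, ntp_time: Optional[int] = None) -> int:
    """40-bit pseudo-random Global ID per RFC 4193 section 3.2.2.

    Key = 64-bit NTP time || 64-bit EUI-64 (any stable per-host value will
    do); Global ID = the least-significant 40 bits of SHA-1(key).
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        ntp_time = ntp_timestamp_now()
    key = ntp_time.to_bytes(8, "big") + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """Build the fdxx:xxxx:xxxx::/48 prefix for a Global ID."""
    if not 0 <= global_id < 2**40:
        raise ValueError("Global ID must fit in 40 bits")
    # 0xfd: the fc00::/7 block with the L bit set (locally assigned)
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((value, 48))


def subnet_for(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65,536 /64 subnets a /48 provides (subnet_id is the 16-bit Subnet ID)."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 0 <= subnet_id < 2**16:
        raise ValueError("Subnet ID must fit in 16 bits")
    value = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def is_ula(addr: str) -> bool:
    """True if the address lies in fc00::/7, which is never routed on the public Internet."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


if __name__ == "__main__":
    # Constructed placeholder EUI-64; a real host would use its own interface identifier
    gid = ula_global_id(bytes.fromhex("021122fffe334455"))
    site = ula_prefix(gid)
    print(site, subnet_for(site, 1), is_ula(str(site.network_address)))
```

A firewall rule set that drops ULA sources and destinations at the border, and a routing table that never advertises fc00::/7 upstream, are the two checks that keep "internal-only" true in practice.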

  8. Wellyboot Silver badge

    I remember...

    A mere 40-ish years ago, when IT companies & countries* were allocated entire /8 networks each because there was no way 4 billion addresses could ever be used & everyone having a personal computer was only just becoming a sci-fi thing. I believe a repeat of this was high in the minds when V6 was designed around 128bit, it roughly allowed everyone on the planet to have an entire V4 size pool each before half the bits were even needed.

    ISPs grabbing multiple /12 strikes me as a similar land grab, especially as a /48 (280+ billion of those) still allocates 2^80 addresses which allows giving the entire global population many trillions each.

    *The US gov picked up a bucket full of /8 ranges.

  9. Anonymous Coward
    Anonymous Coward

    IPv6 network topologies are a godsend

    Do not assume Huawei has decillions of devices to connect, though – or ever will.

    As the Internet Society pointed out in 2001, it's not always practical to use every address in a range. But with Huawei and APNIC holding decillions of them in hand, even if mere sextillions are used – each of which is one thousand million million million - an awful lot of devices can have unique IPv6 addresses

    That is quite right. We have had to unlearn the old way to design network topologies that were common under IPv4. Because IPv4 networks are designed around address scarcity you tend to end up with lots of duct tape and messy solutions.

    With IPv4, if you had ten locations with machines needing an IP and those sites had needed 200 IPs you could give them all a block of 255 addresses and painfully accept the loss of 55 IPs per location. At least from the block you could see which location was which and that might be worth losing 55 IPs. If, however, you had ten locations and eight of those needed 200 IPs but two only needed four IPs you would be loath to take the hit and lose 251 available IP addresses per location just for network clarity. You'd probably add those smaller locations to the eighth location's block and lose clarity.

    With IPv6 a single organisation can have such a large address allocation that you can be wasteful for the sake of clarity, ease or security. You could give each floor its own range, even if a floor only has a single network printer. You can give the publicly accessible lobby of your building an entirely different block for security purposes. The ultra paranoid could even rotate whole blocks to deter port or address sweeps. IPv6 network topologies can be radically better.

    1. Roland6 Silver badge

      Re: IPv6 network topologies are a godsend

      > "Because IPv4 networks are designed around address scarcity"

      Don’t remember being bothered by address scarcity in the 1980s; however, partitioning of traffic was a big factor in the design of a network.

      I suppose once we have 1 petabyte per second connections we won’t have to worry about traffic partitioning…

      Until then there is nothing to unlearn, only a need to learn how to apply good network design principles in the modern world.

      1. Anonymous Coward
        Anonymous Coward

        Re: IPv6 network topologies are a godsend

        I suppose once we have 1 petabyte per second connections we won’t have to worry about traffic partitioning…

        The way Microsoft Patch Tuesday is going we'll need this sooner rather than later..

      2. doublelayer Silver badge

        Re: IPv6 network topologies are a godsend

        And what kind of block did you have in the 1980s? I'm guessing you had no scarcity problems because that's when individual companies were getting /8s or /16s. It's really easy to assign addresses in a network like that. What's harder is assigning addresses to a country that only gets /24s because all those big blocks already disappeared. I think the record is St. Lucia, which in fairness, is a pretty tiny country with only 150k people living there. They get one /24.

        1. Roland6 Silver badge

          Re: IPv6 network topologies are a godsend

          Block size from my experience only really became an issue with the national rollout of 3G. I forget the allocation the mobile telco I worked with in circa 2004 had, but they were looking at potentially requiring multiple IPv4 blocks to support their expanding national subscriber base; hence the move to an IPv6 carrier network was a no brainer.

          We forget the modern internet is something that largely happened post circa 1995. So given the applications of the time, many large organisations used the 10.x.x.x address space internally and had few systems facing on to the Internet. Obviously, merging two organisations that both used 10.x.x.x internally could be interesting… Given the background and the large numbers of private networks that were for the first time being connected to the Internet, NAT was a workable solution for many of the day-to-day (of the time) use cases.

  10. Altrux

    Overkill

    I always thought 128 bits was just too much. I reckon 80 would have been perfect: 2^48 networks with 2^32 addresses in each.

    Anyway, when can I finally turn off IPv4 on my router? Oh, not yet then? I thought we were nearly done with the transition. I'll check again in 2044...

    1. Alan Brown Silver badge

      Re: Overkill

      would you really want to have to redo everything AGAIN when 2^80 fills up?

      If you're going to do something as fundamental as the addressing change needed it's better to not have to do it again for the foreseeable future

      IPv6 has been around for 30 years and we still haven't retired IPv4 - which was less than 20 years old at the time but already creaking

      1. Roland6 Silver badge

        Re: Overkill

        > would you really want to have to redo everything AGAIN when 2^80 fills up?

        ? But with ISPs giving out /48s we will run out of networks at the same rate as was proposed in the 2^80 scheme. Okay with 2^80 those networks handed out would be smaller, but…

        However, we know 128 was decided upon because it was so vast and a nice multiple of 64. Perhaps (with respect to doing everything again) we should be pleased the decision was to go with 128 rather than 48 or even 64, both of which seemed huge at the time…

  11. Richard Tobin

    It's not that many

    My ISP gives me a /48, which is pretty common. That means that in theory I can have 2^80 devices, though more usefully I could have 2^16 subnets of up to 2^64 devices. Huawei's /17 would allow them to provide 2^31 = 2 billion customers with a /48, and that's not much more than the population of China. Not that I imagine that they want it for that.

    There are lots of fun things you can do when you have an effectively unlimited number of addresses. I have a string of Christmas tree lights with 250 individually-controllable colour LEDs - I could easily write a program that gave each LED its own address.

  12. S. Steffann

    Counting IPv6 addresses is pointless

    Counting individual IPv6 addresses doesn’t make any sense. IPv6 is designed so that you never need to even think about individual addresses. Every subnet is a /64 (18446744073709551616 addresses if you really want to know), so what you usually think about is the number of subnets, how to organise and aggregate them etc.

    It is normal when using IPv6 to give every customer a /48 in every site. Let’s do the math: Huawei currently has 33 sites. Let’s leave room to grow to 64. That requires 6 bits. Starting with a /17 that leaves a /23 per site. Let’s take 5 bits for aggregation etc. In a massive network like Huawei’s that’s not unreasonable. Now we are at a /28. That’s 20 bits left to number customers, which is max 1 million customers.

    Considering that IPv6 was designed to supply more than enough numbers to last you a lifetime, the number of addresses Huawei got is not as insane as it looks at first.

  13. talk_is_cheap

    People are missing EUI-64

    With IPv6, it is common to use the Extended Unique Identifier (RFC2373) solution to provide a unique local address for a network device. This is a unique 64-bit value often created by expanding the 48-bit MAC address to 64 bits.

    The result is that every subnet becomes rather large but things like DHCP or manual address assignment can be dropped from the system design, which at scale for grand IoT networks is key.

    So, for the old hands here, the IPv6 address starts to look very much like the old Novell IPX address structure, which was, in turn, based on the older Xerox IDP protocol.
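The expansion described above (48-bit MAC to 64-bit interface identifier) is mechanical: split the MAC in half, insert 0xFFFE, and invert the universal/local bit. The following is an added example, not code from the post; it builds the identifier and the resulting SLAAC address for a /64, and also does the reverse, which is the practical caveat with EUI-64 addressing and the reason the earlier posts mention hosts that change their address: the hardware identifier is readable from every packet and follows the device from network to network, which is why privacy extensions (RFC 4941) replaced EUI-64 as the default on most client operating systems. The MAC and the 2001:db8::/64 documentation prefix used here are constructed placeholders.

```python
"""Modified EUI-64 interface identifiers: construction and the identity leak."""
import ipaddress
import re
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in half, insert 0xFFFE in the middle,
    and invert the universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a host derives from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def looks_like_eui64(addr: str) -> bool:
    """True if the interface identifier carries the 0xFFFE marker of EUI-64."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if it isn't one.

    This is the tracking concern: anyone who sees the address learns the
    device's hardware identifier and vendor OUI, and can recognise the same
    device again behind any other prefix.
    """
    packed = ipaddress.IPv6Address(addr).packed
    if packed[11:13] != b"\xff\xfe":
        return None
    iid = bytearray(packed[8:])
    iid[0] ^= 0x02  # undo the U/L bit flip
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed placeholder MAC and documentation prefix
    addr = eui64_address("2001:db8::/64", "00:11:22:33:44:55")
    print(addr)                      # 2001:db8::211:22ff:fe33:4455
    print(mac_from_eui64(str(addr)))  # 00:11:22:33:44:55
```

A quick audit of an address inventory with `looks_like_eui64` shows which hosts are still advertising their hardware identity; on such hosts, enabling temporary addresses is the usual fix, and the DHCP-free property the post values is kept either way.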

  14. martinusher Silver badge

    It's the IPv6 address space (dummy!)

    The IPv6 128 bit address space is broken down into sections. I can't be bothered returning the decimal number quoted to hexadecimal but it's probably a 40 or 48 bit block. This fits nicely with the practice of expressing v6 addresses as 8 groups of four hexadecimal digits (separated by colons when written down).

    People who think in terms of large decimal numbers (like this article) either are being a bit tongue in cheek or they're really clueless about how data is manipulated. Decimal numbers are entirely for end users (and a handful of specialist BCD coded applications), they have no place or relevance inside a computer.

  15. Alan Brown Silver badge

    Don't think of these allocations in terms of numbers of addresses

    They're SUPPOSED to be a red/black routing tree - very sparse tables, not dense ones

    IPv4 was supposed to be a routing protocol too, but it got kludged when it became clear that better addressing systems weren't coming in time to cater for the rapidly increasing number of machines on the Internet (ARPANet)

    In the IPv4 case, A.B.C.D was supposed to be "site","department","subnet","device" and it wasn't envisaged there would be more than 90 sites on ARPAnet at the time

    The kludging of IPv4 is WHY we have the unholy terror that's BGP - and IPv4 itself was a kludge even before the switch to dense-mode packing intended to only be in service for a couple of years

    Ironically the original proposals for IPv4 had 128 bit addressing instead of 32 bit but it was trimmed because it was argued to be too big to be practical and a memory hog

    Raving on about the number of possible addresses is counterproductive and greatly impedes rollout speed.

    It's not about the numbers, it's about not having to do it again in the foreseeable future and not needing to have multi-gigabyte routing tables in the memory of the world's core routers

    1. Dan 55 Silver badge

      Re: Don't think of these allocations in terms of numbers of addresses

      I don't see how it's possible to cut down on multi-gigabyte routing tables if IPv6's address space is so many orders of magnitude bigger, there will in the end be just as many internet providers on IPv6 as on IPv4, and devices behind NATs would now be directly addressable. BGP doesn't disappear with IPv6, it grows to accommodate it.

  16. Porque_hablamos

    0-0

    2.56 decillion ip addresses = Malware Citadel
