ARIN, the American Registry for Internet Numbers, announced late last week that they have almost depleted their IPv4 allocations and for the first time have been unable to fulfil a request for IP allocation from a network operator. This is hugely significant because it means that the IPv4 address space in America is now gone, or at least very close to gone with less than 112,000 IP addresses left as of the 10th July. In North America at least, it is the beginning of the end.
Because of this near exhaustion of available addresses, ARIN has activated a waiting list system: if an organisation needs a larger allocation than ARIN can assign, it must simply wait for it to somehow become available. Alternatively, that organisation could go out and purchase IP addresses on the open market, which is becoming an increasingly profitable business as IP addressing becomes even more scarce.
All this said, ARIN is not the only RIR (Regional Internet Registry); each continental region has its own. There is LACNIC in South America, RIPE in Europe, AFRINIC in Africa, and APNIC in Asia/Pacific. To varying degrees those registries have much more address space left. AFRINIC has the most, with just under 4x /8 pools left, which gives them approximately 40 million addresses left to allocate. However, they are being used up quickly and current estimates put depletion in Africa sometime in early 2019, although that will potentially accelerate or level out depending on what policies AFRINIC put in place as they themselves approach depletion. APNIC should last into late 2020 with their remaining 13 million addresses, with that depletion time pushed back due to the strict controls put in place to manage the run down to zero (APNIC News). Similarly, RIPE in Europe put in place very stringent controls early on to ensure that addresses were fairly allocated as the run down to zero begins, so that new networks are able to obtain IP address allocations (RIPE Announcements). These controls have allowed RIPE to stretch out their remaining pool an impressively long time; current estimates put RIPE’s remaining 16 million (approximate) addresses as lasting well beyond 2020.
The lifespan of each RIR’s pool depends on what controls are put in place. ARIN did not put in place any controls at all; the IP allocations were a free-for-all right until the very end. The wisdom of this policy is debated, and clearly among the RIRs they are in the minority with their very American approach. In 2013 ARIN had about 56 million addresses, dropping to their less than 112,000 addresses in just 30 months. LACNIC had no control policies in place in 2013 when they had about 48 million addresses; this dropped to just 8 million in 18 months, a near-vertical plot on a graph. This has since levelled off now that controls have been put in place to manage the run down to zero, and they’ve only allocated around 200,000 addresses in the last 12 months; at this rate their remaining pool should stretch out for quite some time.
Even with controls in place, the RIRs are simply delaying the inevitable and in the meantime potentially stifling the growth of companies that need IP allocations for network expansion. But once the pools are dry, what happens next?
Once there are no addresses available from the RIR in a given region, the only option for network operators is to either acquire addresses from another region via a shell company (which is generally frowned upon) or purchase addresses from companies selling off their spare addresses. At the moment the price on the numerous IPv4 auction houses that have sprung up is hovering around $10 per IP address, which makes purchasing a large number of addresses a rather expensive prospect: a /17 block could fetch around $200,000 at auction, and now that ARIN has no addresses left this price is only going to increase. The problem with this is that huge network operators can afford to grow whilst small companies are priced out of the market entirely and so have to stagnate, or increase their prices to cover their higher operating costs due to having to purchase expensive IP addresses for each new device connected to their network. This situation potentially makes for a very volatile business environment for network operators and could even see some companies forced out of business or taken over by bigger companies who just want them for their IP addresses.
The long-term viability of the situation with IPv4 is questionable. Ultimately, if action isn’t taken it’s going to stifle innovation, hurt small businesses, and hurt consumers through higher prices. As with anything on the internet, though, a coordinated approach is difficult to accomplish; a national governmental or regional governmental approach cannot be applied globally and would be difficult enough to enforce within the region where it did apply, let alone elsewhere. But what is the solution?
The solution to the problem is clear, and already available: IPv6. IPv6 will outlast the solar system (seriously!), it is that large a pool. The pool is so large it is almost impossible to come up with a comparison that communicates its sheer scale; suffice to say it will never run out. The problem is that major network operators are dragging their feet on implementing IPv6, preferring instead to implement Carrier Grade NAT (CGN) “solutions” that serve only themselves whilst degrading the experience of their customers. CGN is at best a hack and a workaround to save the ISP money whilst they continue to put off IPv6 implementation as long as possible. It is a chicken and egg situation: ISPs won’t implement IPv6 because there is little or no content that is enabled for IPv6, and content providers won’t enable IPv6 because none of their customers have IPv6. So why would an ISP invest the time (and money)? Thankfully the balance is slowly shifting, thanks in large part to major websites such as Google, Facebook, YouTube, and Netflix, who have all enabled their services for IPv6. But even with this being the case, ISPs are still slow to implement IPv6, with many confirming trials are on-going but with no firm dates to go live. The solution to the stalemate isn’t clear.
One possible solution would have been to force the hand of the network operators. In a similar way to how HTTPS is mandated by the HTTP/2 specification, it could be stipulated that HTTP/2 must operate on dual stack IPv4/IPv6 networks and cannot be IPv4 only, although how such a policy could be implemented isn’t clear.
Another possible solution would be for a major registry to implement policies that require a given TLD to be enabled for IPv6 by a particular date. This would force the hand of content providers at least. It would be a very unpopular policy and would probably never be approved at a large registry; however, it would certainly kick start IPv6 adoption in a given region. An example of such a registry policy would be Minoa, which requires all domains to be secured with SSL/TLS, although this is helped by the registry issuing certificates free of charge with domains.
A final option would be to legislate at a national level. A regional government like the European Union could pass legislation over a large portion of the internet, effectively forcing ISPs across 28 member states to enable IPv6 for all customers. This would no doubt be unpopular with the ISPs, but it would force their hand, which is ultimately all that is required.
Whatever the solution, the problem is very clear: the long-term stability of the internet is in question if urgent action isn’t taken to hasten the uptake of IPv6. It is the responsibility of network operators and content providers to bite the bullet and ensure their networks are IPv6 enabled before it’s too late.
If you’re interested in the number of addresses left at ARIN, check out https://www.arin.net/. Similarly for RIPE, you can view the number of addresses left at https://www.ripe.net/. Or if you like a good graph, then check out a graph of all the RIRs’ remaining addresses at Potaroo.