Internet Security Systems - AlertCon(TM)

IANA, ARIN, and the IPv4 run-out  (Series - part I of IV)

Posted by Michael H. Warfield on December 01, 2010 at 10:46 AM EST.

At the NANOG / ARIN Joint Conference

In a series of articles we would like to highlight some of the issues that were hot topics at the recent joint conference in Atlanta, Georgia between the North American Network Operators Group, NANOG, and the American Registry for Internet Numbers, ARIN. We'll start this out with a little bit of acronym alphabet soup. Representatives were present at the conference from all 5 Regional Internet Registries, RIRs, plus the Internet Assigned Numbers Authority, IANA, from whom the RIRs obtain large blocks of Internet resources, such as addresses, to manage and allocate. In addition to ARIN for North America, the other 4 RIRs are RIPE NCC for Europe, APNIC for the Asia Pacific region, LACNIC for Latin America, and AfriNIC for Africa. Government, military, business, university, ISP, and law enforcement representatives were also in attendance and participating actively in the debates.

These issues center around the impending run-out of blocks of IPv4, Internet Protocol version 4, addresses at the Internet Assigned Numbers Authority, IANA. Warnings about running out of Internet addresses have been with us for years. The Internet Engineering Task Force, IETF, addressed these with the development of IPv6 many years ago, but deployment has been lethargic at best. The time of the IPv4 run-out at IANA is now close upon us. At the ARIN conference, one conservative, optimistic prediction was made for the run-out to be in June or July of 2011. Two more pessimistic predictions, one from IANA itself, put the run-out closer to February of 2011, just a few short months away. The reality is that there are so few of the large blocks left at IANA that nobody can really predict it, and it was estimated that as few as 12 large international customers could, jointly, trigger an immediate run-out at IANA. While the impact on the end users, corporate and individual, will not be felt immediately, there will be an impact affecting our operations and how we deal with security and incident response, with some dire implications for law enforcement, long before we feel the hurt of not being able to obtain addresses ourselves. We will examine some of these issues in closer detail in the coming days. More background information may be found at the ARIN and IANA web sites.


Where we are today in the IPv4 run-out

The Internet Assigned Numbers Authority, IANA, hands out IPv4 address space to the regional registries in large chunks referred to as /8s (slash 8s). These blocks represent the top level number in an address. The IPv4 address 10.11.12.13 is in 10.0.0.0/8, or 10Net (which happens to be a private address space usable by anyone and not routable on the Internet). In the structure of IPv4 addressing, there were only a limited number of these, but they are large, comprising 16,777,216 addresses each, which the RIRs then divide down further to hand out to their members. As the Internet has continued to expand, it was recognized some time ago that, eventually, all of these would get used up. We are now down to just a few left at IANA and plans have been made for the last few. When the number of remaining blocks gets down to 6, the next RIR to request a block (the 6th remaining block) immediately triggers an allocation of the remaining 5 blocks, one to each of the RIRs. This is what is expected to happen sometime early next year. At that point, IANA has no more blocks of IPv4 space to hand out and what the RIRs have will have to suffice. It is anticipated and hoped that there will be some recovery of large unused blocks for reallocation, but this is not expected to satisfy the demand and poses its own problems.

At the point when IANA runs out of /8 address blocks, the RIRs are going to engage their own recovery / transition policies. What has been discussed includes limiting the amount of address space handed to individual ISPs to a fraction of what they request and to possibly deny address space requests unless the ISP has a firm IPv6 transition plan in place.  Delays in obtaining necessary addresses will be extended and irregular.  The thresholds for triggering these policies may vary from region to region but the effect will trickle down relatively quickly and impact the RIR policies in handing out address space and managing recovery and reuse.

Eventually, one of the regions will run out of address space to deliver to the ISPs. It's anticipated that large international customers and ISPs will then turn to the other RIRs they have access to in order to fulfill the shortfall, accelerating the run-out at the remaining registries. This will eventually trigger the situation where all of the RIRs are out of allocated space and must rely on recovery, reuse, and reallocation with rationing of the recovered resources to the ISPs requiring them. The time frame for this is very much in doubt but, with the current burn-through rate of allocations, it is not expected to take very long at all. There have been some concerns within the RIR community over hoarding and commodity trading in address space, but policies are being placed in effect to avoid much of the worst part of this, while still allowing direct transfers of space between controlling entities.

At that time, we can expect to see the individual ISPs begin to engage several techniques to extend the life of IPv4 further without denying v4 addressing to their customer base. It is some of these extension techniques which may cause some known breakage of applications and which raise the most concern with regard to security and incident response, causing some heartburn with law enforcement and government.

While not explicitly discussed in session at the conference, it was clear that address conservation and IPv6 requirements could extend to individual customers sooner or later. This may include requirements to ensure IPv6 support on hosting facilities and web sites as well as for individual consumer delivery. Justification requirements for end assignments will certainly be tightened and not all requests will be honored or honored in full. Just out of necessity, this will impact the larger end customers with larger requests long before trickling down to smaller organizations and end users. Large customers will almost certainly come under increasing pressure to conserve address space and implement IPv6 transition and support.

(....to be continued)
