Unallocated IPv4 addresses are becoming scarce. For many organizations, that’s not an urgent problem, because they have a large enough supply of IPv4 addresses to last for the foreseeable future. This paper analyzes the costs and risks of IPv4, to help an organization determine when to begin working on deploying IPv6. If one needs IPv6 in 2-3 years, and it takes 2-3 years to deploy, it is urgent to begin.
Asia and Europe have already implemented IPv4 austerity measures, with any organization being able to receive one small, final allocation at most. The Americas will follow in 2014 or 2015. Not all organizations are directly affected by an inability to receive new addresses, but the network effect applies; all network managers should consider when to implement IPv6, and should begin work in time to complete it before IPv6 is needed.
Some ISPs will deploy Carrier-Grade NAT (CGN) in some form, in order to share their few IPv4 addresses among more users. Not only does CGN have a fixed cost, for hardware and logging services, but it can also be customer-impacting [RFC7021], and one may guess at what that may cost the ISP [TCO of CGN]. It is possible that rising costs will lead to rising prices, which affects those who use their services.
Even while there are some unallocated addresses available, there is a market for IPv4 addresses, at $10-11 each [Mueller]. It is reasonable to assume that prices for addresses will rise once addresses are no longer available nearly free from regional registries.
An analysis of the public routing tables allows an estimate that 1 billion addresses could be available to the IPv4 address market. Based on historical allocations [NRO] the rate of demand prior to run-out was increasing steadily. If that rate of demand continues, the market will only be able to supply enough addresses to last until late 2015. If the pre-exhaustion demand remains flat, the market may last until 2017.
New uses of the Internet may actually increase demand. The Internet of Things needs addresses for many devices not historically considered network devices. Smart phone and tablet sales (and IPv6-supporting LTE) continue to rise, and people spend more Internet time on these devices, making CGN gains less efficient.
Thus, the cost for addresses is likely to rise in 2014 as registries run out of space, and again sometime between 2015 and 2017 as the market is unable to meet demand. It is possible that rising costs will lead to rising prices, which affects those who use their services.
Even an organization that is not short of IPv4 addresses may be affected by the shortage. By analogy, when there is an oil shortage, industries relying on petroleum raise prices to cover rising costs, and there is a ripple effect through downstream customers. Similarly, if ISPs or other organizations raise prices to cover rising costs, anyone who is a customer, or paid peer, may be affected. If a content delivery network’s costs rise due to higher access or peering costs, web content will be more expensive. Any company relying on the Internet could see costs start to rise, probably some time between 2014 and 2017.
All current operating systems for servers, desktops, laptops, tablets, and mobile phones have IPv6 on by default. Many of them have tunneling or transition mechanisms enabled. “In scenarios in which IPv6-enabled devices are deployed on enterprise networks that are intended to be IPv4-only, native IPv6 support and/or IPv6 transition/co-existence technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes.” [OpSec-IPv6-implications]
Unplanned IPv6 is a security risk which should be evaluated and mitigated.
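One way to evaluate this risk on a segment intended to be IPv4-only, as an added example that is not part of the original paper: the sketch below classifies Ethernet frames by the standard indicators of native IPv6 (EtherType 0x86DD), IPv6 encapsulated in IPv4 (IP protocol 41, used by 6in4, 6to4 and ISATAP) and Teredo (UDP port 3544). The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41   # IANA IP protocol numbers
TEREDO_PORT = 3544                     # Teredo service port (RFC 4380)

def classify(frame: bytes) -> str:
    """Return which kind of IPv6 traffic, if any, an Ethernet frame carries."""
    if len(frame) < 14:
        return "truncated"
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN:          # skip a single 802.1Q tag
        if len(frame) < 18:
            return "truncated"
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4:
        return "other"
    if len(frame) < off + 20:
        return "truncated"
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    frag_offset = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
    if proto == PROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4"          # 6in4, 6to4, ISATAP
    if proto == PROTO_UDP and frag_offset == 0:   # later fragments carry no UDP header
        if ihl < 20 or len(frame) < off + ihl + 4:
            return "truncated"
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"

def audit(frames):
    """Count frames per category; anything except 'ipv4'/'other' needs review."""
    return dict(Counter(classify(f) for f in frames))

# Constructed sample frames (not captured traffic): zeroed MACs, addresses, payloads.
def _eth(ethertype, payload, vlan=False):
    tag = struct.pack("!HH", ETH_VLAN, 10) if vlan else b""
    return bytes(12) + tag + struct.pack("!H", ethertype) + payload
def _ipv4(proto, payload):
    return bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto]) + bytes(10) + payload
SAMPLES = [
    _eth(ETH_IPV6, bytes(40)),
    _eth(ETH_IPV4, _ipv4(PROTO_IPV6_ENCAP, bytes(40))),
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)), vlan=True),
    _eth(ETH_IPV4, _ipv4(6, bytes(20))),
]
```

Non-zero counts for `native-ipv6`, `ipv6-in-ipv4` or `teredo` on a network planned as IPv4-only indicate IPv6 paths that existing IPv4 filtering and monitoring may not cover.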
The reverse of this risk is the shared fate of shared IPv4 addresses. Virtual hosting, where many sites share the same address, or CGN, mean that one malefactor using an IPv4 address can get a group of innocents blacklisted. That can also mean difficulty tracking down abusers, if only an IPv4 address is known.
Many large networks, including ISPs, mobile carriers, web sites, content delivery networks, and cloud providers, have already found themselves reaching the limits of IPv4 address space, including private [RFC1918] address space. Designers of the Internet of Things are using IPv6, because they require its scalability. When considering a new device or service that will be deployed at scale, initial deployment over IPv4 to be followed by a migration to IPv6 results in significant rework; although initial deployment may take a little longer if IPv6 has not been implemented, it will result in less work in the long run.
There is no way to know when users will start using IPv6 only, or when IPv4 will be degraded (either via CGN, or a tunnel, or other deprecation). Similarly, content may be available on IPv6 only, or on IPv6 before IPv4, or at better quality or capacity. Some applications require IPv6, usually with a tunnel or transition mechanism for backward compatibility. There is risk, then, that at some point some content, service, or user will be, if not completely unreachable, then suffering a performance degradation for using IPv4.
As shown, the risks of IPv4-only already exist, and are rising. The risk of increased cost begins some time in the next 1-4 years. The network operator must consider each risk, and make a best guess at the time when the risks will be greater than the cost of deploying IPv6.
Then, the network operator must assess how long IPv6 implementation will take, including hardware refresh cycles and software development. Modern hardware may not require further replacement, but for ISPs with old customer equipment, the refresh cycle needs to be considered. Software development may affect a significant number of systems that cannot all be developed concurrently, and IPv6 is unlikely to be the only project under way.
1. Assess the risks described here to determine when lack of IPv6 is risky.
2. Assess the time required to deploy IPv6. One to two years is typical, but may range from a few weeks to several years. Lab work and training may be needed for an accurate assessment.
3. Begin deployment in time to complete before risks manifest.
[RFC7021] Donley, Chris, Lee Howard, Victor Kuarsingh, John Berg and Jinesh Doshi. “Assessing the Impact of Carrier-Grade NAT on Network Applications.” http://tools.ietf.org/html/draft-donley-nat444-impacts-05, September, 2013.
[TCO of CGN] Howard, Lee. 2012. “Internet Access Pricing in a Post-IPv4 Runout World.” http://www.asgard.org/images/pricing_v1.3.docx
[Mueller] Milton Mueller, Brenden Kuerbis, and Hadi Asghari. “Dimensioning the elephant: An empirical analysis of the ipv4 number market.” Proceedings of the Telecommunications Policy Research Conference, 2012.
[OpSec-IPv6-implications] Gont, Fernando, and Liu, Will (Shucheng). “Security Implications of IPv6 on IPv4 Networks.” http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05