6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

The Dirty Little Secrets of ISPs
By Lawrence E. Hughes
Chairman and Chief Technology Officer, InfoWeapons

One of the main benefits of moving to IPv6 is the restoration of full end-to-end connectivity, Internet-wide. In the original Internet, all IP addresses were "static externally routable" addresses. Any node on the Internet could connect directly to any other node on the Internet. All was right with the world. Then we started running out of addresses, about 10 years ago! I'm going to let you in on some of the dirty little secrets of Internet Service Providers regarding how they have tried to cope with this reality.

Let's look in more detail at the phrase "static externally routable addresses."

Private Addresses and NAT
The "externally routable" part of this phrase refers to the use of "private non-routable" addresses, as described in RFC 1918 ("Address Allocation for Private Internets"), released in February 1996 (I told you this problem has been around for ten years!). As we started running out of IPv4 addresses, the authors of this RFC came up with the idea of setting aside a few special address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that could be used in anyone's "internal network," much like three- or four-digit "extension numbers" in an office phone system. Say my office phone is "extension 1234." You can't simply call that number from anywhere in the US – you must call one of the company's "real" phone numbers, then either have a receptionist or machine further connect you to my extension ("if you know the person's extension, dial it now").

The "routable" part of the above expression refers to the fact that these "internal" addresses may not be routed from your network to the outside world directly, but only by being mapped to a routable external address (one not in the RFC 1918 ranges, for example 123.45.67.89). If someone did route an internal address to the outside world, (which happens occasionally by mistake, and is called "leakage"), there is no way to know which network it came from, so the return packet cannot be delivered correctly.
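As an added illustration (not part of the original article), here is a small egress check that classifies addresses against the three RFC 1918 ranges and flags "leakage": any RFC 1918 source or destination seen on the external side of the border router, where it can have no valid return path. The flow records are constructed sample data; 123.45.67.89 is the article's example external address.

```python
import ipaddress

# The three private ranges set aside by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_leaks(flow_lines):
    """Scan 'src dst proto dport' records captured on the EXTERNAL interface
    (i.e. after NAT should have rewritten them). Any private address there is
    a leak: the upstream cannot know which network it belongs to."""
    leaks = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        reasons = []
        if is_rfc1918(src):
            reasons.append("private source leaked past NAT")
        if is_rfc1918(dst):
            reasons.append("private destination sent upstream, no return path")
        if reasons:
            leaks.append({"src": src, "dst": dst, "proto": proto,
                          "dport": int(dport), "reasons": reasons})
    return leaks


# Constructed flow records as seen on the outside interface of a border router.
SAMPLE_FLOWS = """
# src            dst            proto dport
123.45.67.89     198.51.100.10  tcp   443
10.0.0.5         198.51.100.10  tcp   80
123.45.67.89     192.168.1.20   udp   53
203.0.113.7      123.45.67.89   tcp   25
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS):
        print(leak)
```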

The thing that does that mapping between internal phone extensions and a single "real" phone number is a PBX (Private Branch eXchange). Most companies today have a PBX because "real" phone numbers are scarce and hence expensive. If you have to "dial 9" to get an "outside line," you are behind a PBX. If phone lines and numbers were cheap or free, it would be better for every employee to have a direct line (no PBX) with their own globally valid phone number. Question – if your company has four outside lines and they are all in use – what happens when you dial 9?

The thing that does the equivalent mapping between RFC 1918 internal IP addresses and a single "real" IP address is called NAT – Network Address Translation. In its most common form, it is even worse than a PBX, because it will only map one way – going out! Imagine a phone system in which you can make outgoing calls to anyone around the world, but no one can call you. That is a typical network configuration today. NAT is typically done in a border router or firewall. I can assign 10.0.0.0/8 addresses in my internal network, and you can assign the same numbers in your internal network. Outgoing connections from my clients get mapped to my routable external address, and outgoing connections from your clients get mapped to your routable external address. This kind of NAT (NAPT) does source port shifting to keep track of how to get return packets back to the right internal node. It cannot figure out how to get a connection that originates outside to a particular inside node. Hence it is one-way (only good for outgoing connections). Question – if your company uses NAT and all possible port values for shifting are already in use, what happens when you try to make an outgoing connection?
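To make the one-way behaviour and the port-exhaustion question concrete, here is an added toy NAPT model (my own illustration, not code from the article or any product): outgoing flows get an external source port and a reverse entry so replies find the inside node, unsolicited inbound packets have no reverse entry and are dropped, and once the (deliberately tiny, constructed) port pool is used up new outgoing connections fail.

```python
class Napt:
    """Outbound-only NAPT: (inside_ip, inside_port) -> external port."""

    def __init__(self, external_ip, port_low=40000, port_high=40003):
        self.external_ip = external_ip
        # Constructed pool of only four ports so exhaustion is easy to see.
        self.free_ports = list(range(port_low, port_high + 1))
        self.out = {}   # (inside_ip, inside_port) -> ext_port
        self.back = {}  # ext_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate an outgoing packet. Returns (ext_ip, ext_port), or None
        when every external port is already in use (the article's question)."""
        key = (inside_ip, inside_port)
        if key in self.out:                      # existing flow, reuse mapping
            return self.external_ip, self.out[key]
        if not self.free_ports:                  # pool exhausted: connection fails
            return None
        ext_port = self.free_ports.pop(0)
        self.out[key] = ext_port
        self.back[ext_port] = key
        return self.external_ip, ext_port

    def inbound(self, ext_port):
        """Packet arriving at the external address. Only a reply to an existing
        mapping can be delivered inside; anything else has no destination."""
        return self.back.get(ext_port)

    def release(self, inside_ip, inside_port):
        """Flow finished: return its external port to the pool."""
        ext_port = self.out.pop((inside_ip, inside_port), None)
        if ext_port is not None:
            del self.back[ext_port]
            self.free_ports.append(ext_port)


if __name__ == "__main__":
    nat = Napt("123.45.67.89")                   # the article's example address
    print(nat.outbound("10.0.0.5", 51000))       # mapped to an external port
    print(nat.inbound(40001))                    # unsolicited: None (dropped)
```

Two instances with the same inside addresses (your 10.0.0.0/8 and mine) map independently, which is exactly why the same private numbers can be reused everywhere.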

This scheme, (which I consider to be bad engineering, done only to stretch the use of IPv4 addresses another few years), breaks end-to-end connectivity. I cannot give others my internal address for them to connect to me. It works OK so long as I am a passive consumer of content published by those lucky folks (like cnn.com) who have static externally routable addresses. This is the "client-server" model where a few people publish content and millions of people can only consume it. When I try to publish content from home, (What? An end user running a website, mail server or ftp server? Never!), or participate in connections other than client-server, (say P2P, or end-to-end VoIP, IM, gaming, etc), I'm out of luck. I have to pay for a static external address, and do mapping from my single external address to one inside node ("default server") via a firewall that supports port mapping ("incoming connections on port 80 should go to this internal node").

Static Addresses versus Dynamically Allocated Addresses
The "static" part of the phrase means that you own the address (at least as long as you pay your service provider bill), that you will always get the same address when you connect, and that you don't have to share it with anyone else. You can even publish it in the global DNS. Today, many ISPs have far more customers than they have valid IP addresses, typically many times as many users as addresses (10 times as many is not unusual). They can't provide each user with a static (unchanging) address, because they simply don't have enough to do so. They use DHCP (Dynamic Host Configuration Protocol) to assign addresses to dial-in customers, on a first come, first served basis. Once all their external addresses have been allocated, the next caller can't get service (they might get a busy signal, or a modem connection but still no login). As soon as you hang up, your "rented" address goes back into the pool from which new addresses are assigned. It may be reused by many, many people over the space of a day (put that address down – you don't know where it's been!).

Again, if you are only ever a passive consumer of Internet content, this is not a serious problem. Once you become a publisher, or a peer (prosumer), then you need to somehow publish your address in a directory (which for the Internet is DNS). There are schemes like dynamic DNS (see www.dyndns.com), but these are workarounds, and less than satisfactory in most cases. Imagine if every time you picked up your telephone at home, you were assigned a different telephone number that was shared with many other people over time. How would people be able to call you? That is what dynamically assigned IP addresses amount to.

So what about broadband, "always on" service? If you are going to be connected 24x7, you need your own address, which can't be shared with anyone else. This is one reason that broadband service costs more than dial-up. ISPs must pay more for the necessary static addresses. Soon there won't be any more for them to buy. Smart ISPs know this and wake up in the middle of the night shaking. Others believe the line that there is no shortage of IPv4 addresses today. Sure there isn't. Sleep well (for another year or two, anyway). The US (with 5% of the population) has about 70% of the address space. The rest of the world (with 95% of the population) is fighting over the remaining 30%. This is why Asia is way ahead of the US in IPv6 – they have already "hit the wall." I've spent the last four years in Asia – trust me – they are way ahead of the US in IPv6.

Why do ISPs want you to be just a consumer? A consumer typically has far more bandwidth going to them than from them. They can sell asymmetric service (e.g. down speed 1024 kbit/sec, but up speed only 128 kbit/sec), and you will never notice the difference. Ever notice that uploading things takes longer than downloading? When you publish a website or host an e-mail server, you will have far more content going up than if you are a simple consumer. ISPs would rather you not compete with them, or their premium customers (e.g. businesses) who pay much more than you do. Ask for prices on Symmetric DSL versus Asymmetric DSL, or for a "T1," which is 1.544 Mbit both up and down with 4 to 32 static IPv4 addresses – typical T1 service costs about $800 to $1,200 a month. ISPs don't want you (an end user) to be a producer. Some actually block port 25 (e-mail) connections to end users.

Why should you have to pay for a number? There are in theory an infinite number of numbers! Even in a real world system, the number of numbers in a given system is determined by the number of bits used to express it. IPv4 addresses are 32 bits in length, hence the maximum theoretical number of addresses is four billion. IPv6 addresses are 128 bits in length, hence the maximum theoretical number of addresses is 340 trillion, trillion, trillion. In both cases, the actual usable number of addresses is far lower. Estimates for IPv4 place the number of practically usable addresses at around 250 million. There are more users of the Internet today than that, which is only possible through use of NAT and dynamically assigned addresses.

Now you know the dirty little secrets of ISPs, and why it is such a hassle to move to the new paradigm connectivity applications, like P2P. Already some applications, like VoIP and IM, are far more complicated and less scalable than they would be if we weren't using NAT and dynamically assigned addresses. Sometime, research the term "NAT traversal," which refers to threading through the mess described above to connect to an end user. It accounts for most of the complexity in today's VoIP and P2P products. There is no need to do that with IPv6.

The Internet today has become a two (or more) layer addressing scheme, which breaks a lot of things. It should be a flat address space (every address assigned out of a single address space), which would restore end-to-end connectivity, which we need to advance past the current producer/consumer mindset.

Near Term Solution – Dual Stack
What I recommend to solve this problem, until the entire world is changed over to IPv6, is to get dual service – both IPv4 and IPv6. Use the IPv4 service for all your old stuff like client-server connections to existing sites like cnn.com (which probably won't go IPv6 for some time). But use IPv6 for new paradigm connectivity. Your ISP doesn't yet provide IPv6 service? Not a problem – you can get tunneled IPv6 service (with a /64 or /48 address block) right over your existing IPv4 service anywhere in the world. Even with a /64 address block, in addition to your one internal, dynamically assigned IPv4 address, you will have four billion times the size of the entire existing IPv4 Internet, just for your network. And they will be globally unique, not shared by anyone else. All the static external addresses you could ever conceivably eat.

More and more "tunneled IPv6 service providers" are coming on line. Some are free today. Others are starting to offer commercial grade service at reasonable costs. For a company level network, you can get commercial grade IPv6 tunneled service today for about $200 a month, and give everyone in your network static externally routable IPv6 addresses. If you have multiple subnets, request a /48 – this supports up to 65,536 subnets, and is the standard allocation block for customers. You can deploy the necessary infrastructure (dual stack DNS, dual stack firewall, Router Advertisement daemon, dual stack clients) today, with commercial products, or ones you put together yourself using open source (if you are on a budget).

Internet users of the world, throw off your (IPv4) shackles and chains! No more NAT! No more rented temporary addresses! Enter the bright new world of universal end-to-end connectivity with IPv6, today. It's like being able to go back in time before we started running out of addresses, and broke the Internet. Only better!