IPv6 rollout is still inefficient with problems ahead, but there is slow progress.
Iljitsch van Beijnum - Jan 4 2013





In hindsight, we reached peak IPv4 two years ago. The good news is that IPv6 is doing very well—but not nearly well enough. Is the IPv6 glass 1 percent full or 99 percent empty?

"Hi, I'd like to sign up for Internet service at my new apartment."

"That's great! We have the highest speeds at the best prices, you won't be disappointed. But unfortunately, last week Europe ran out of IPv4 addresses. We still have plenty of IPv6, though."

"IPv6? So I can use that to visit all my favorite websites, use IM and VoIP, download podcasts, and watch videos?"

"Well..."

Luckily, I escaped this conversation when recently signing up for an Internet connection. But if I move again next year or even the year after, I could end up with a faster Internet connection that is less functional, because it will no longer let me connect to every other Internet user. All because we ran out of numbers, which don't even cost anything. Sadly, not having them will cost us a lot of time, money, and effort as some cling to IPv4 and others adopt IPv6—by choice or otherwise—over the next few years.
Where we stand

First, let's look at IPv4. Five Regional Internet Registries (RIRs) give out IP addresses in different parts of the world. APNIC (Asia, the Pacific, and Australia) ran out in April of 2011, and this past September the RIPE NCC (Europe, the Middle East, and the former Soviet Union) did the same. As a result, the number of IPv4 addresses given out this year is about a third of what it was in 2010: only 80 million.



(The statistics are derived from files the five RIRs publish on their FTP sites every day. However, the ARIN numbers didn't look right, so I replaced them with those found here. This also changes the earlier reported totals for previous years.)

So ISPs and other users of IPv4 addresses in the RIPE and especially APNIC regions have to make do with whatever is left in their own pipelines—which typically hold six months' to two years' worth. There's a final block of 1024 addresses, or they have to do some trading.

ARIN (North America) has 45 million addresses left and gave out 24 million IPv4 addresses this year. So barring unforeseen events, ARIN will be in a situation similar to those of APNIC and the RIPE NCC in the first half of 2014. LACNIC (Latin America and the Caribbean) also has about a year and change until IPv4 addresses run out, while AFRINIC (Africa) has enough for several more years.

Back in 1994, Microsoft's Christian Huitema looked into networks running out of address space, coming up with an "HD ratio." This is the logarithm of the number of systems connected to the network divided by the logarithm of the number of possible addresses. Experience with several different networks showed that an HD ratio of up to 80 percent was reasonable, 85 percent painful, 86 percent extremely painful, and 87 percent the practical maximum.

According to the ISC Domain Survey, there were 909 million systems present in the Domain Name System (DNS) as of July 2012 (resulting in an HD ratio of 93 percent). Obviously, that is well beyond that practical maximum. In this sense, IPv4 is like a tube of toothpaste that's almost empty: every day, if you squeeze hard enough, a little more will come out. But at some point it's easier to just buy a new one.

Now, with IPv4 in decline, surely IPv6 must be ready to pick up the slack? Yes and no. Yes, IPv6 is doing incredibly well compared to even one or two years ago, but... it's not enough.
IPv6 refresher

IP addresses are 32 bits in size, which means there can be some four billion of them. In the early 1990s, the Internet Engineering Task Force (IETF) realized the Internet was growing toward a size that requires more than four billion addresses. Increasing the size of IP addresses required modifications to the layout of IP packets, which meant that all systems that handle IP packets—in other words, everything connected to the Internet—must be upgraded. To be on the safe side, the new system uses an address length of no less than 128 bits, allowing a mind-boggling number of addresses:

340,282,366,920,938,463,463,374,607,431,768,211,456

For unknown reasons, the existing Internet Protocol has version number four. Five was already taken by something else, so the new version got six; hence IPv4 and IPv6. In addition to the larger addresses, IPv6 differs from IPv4 in a number of aspects, so the IPv4 ways of doing things don't always translate one-to-one. But IPv6 is still IP, and it can fulfill the same functions as IPv4. Just on a much larger scale.
IPv6 by the end of 2012: 1 percent full or 99 percent empty?

2012 was a good year for IPv6. Netapp's Lars Eggert has been measuring how many of the top 500 websites have IPv6 enabled. After last year's World IPv6 Day and this year's World IPv6 Launch, we're now at around 10 percent for the top 500 sites in Finland, Germany, India, Japan, South Korea, the UK, and the US. China is lagging behind at 4.8 percent. And of the worldwide top 500 sites, 22.4 percent have an IPv6 address in the DNS, up from eight percent a year ago. However, of the Alexa top one million websites, only five percent have an IPv6 address in the DNS.

According to Google's measurements (Flash required), currently about one percent of its users are able to reach those IPv6-enabled websites over IPv6, up from 0.4 percent a year ago and 0.2 percent two years ago. So the rate at which Google's users are taking up IPv6 has increased from a factor of two in 2011 to a factor of 2.5 in 2012. If we can stick with that factor of 2.5, the entire Internet will have IPv6 by the end of 2017. Of course, these types of growth tend to slow down as they approach 100 percent.

More evidence that IPv6 is taking off can be found in a paper on measuring the deployment of IPv6. Researchers at the Cooperative Association for Internet Data Analysis (CAIDA) observe that after years of linear growth, IPv6 deployment across the autonomous systems (mostly ISP networks) that make up the Internet started to go up along an exponential curve around 2008. The growth of IPv4 autonomous systems, on the other hand, had been exponential until about a decade ago. It has been linear since. Note the slightly different scales in the figure, though: 40,000 IPv4 ASes versus 4500 IPv6 ASes.
Growth in IPv4 vs IPv6 autonomous systems.




Last but not least, there are actual IPv6 traffic statistics. Akamai's IPv6 statistics show the content network has 0.8 percent IPv6 hits in North America, 0.3 percent in Europe, and less than 0.1 percent elsewhere. The 0.3 percent number is similar to the amount of IPv6 traffic at two of Europe's big Internet Exchanges: AMS-IX in Amsterdam and DE-CIX in Frankfurt. AMS-IX IPv6 traffic has always been relatively high, but DE-CIX IPv6 traffic has increased from 1 to 5 Gbps in the past twelve months.


It's the economics, stupid!

So we'd be in good shape if we had been five years further along in IPv6 deployment, or had five years' worth of additional IPv4 addresses. But there's no point in crying over spilled milk. Apparently, the economics of moving to IPv6 before we absolutely, positively had to without delay weren't there. As with all technology, IPv6 gets better and cheaper over time. And just like with houses, people prefer waiting rather than buying when prices are dropping.

To make matters worse, if you're the only one adopting IPv6, this buys you very little. You can only use the new protocol once the people you communicate with have upgraded as well. Worse still, you can't get rid of IPv4 until everyone you communicate with has adopted IPv6. And the pain of the shrinking IPv4 supplies versus the pain of having to upgrade equipment and software varies for different groups of Internet users. So some people want to move to IPv6 and leave IPv4 behind sooner rather than later, but others plan on sticking with IPv4 until the bitter end.

As a result, we have a nasty Nash equilibrium: nobody can improve their own situation by unilaterally adopting IPv6. And multilateral action has its limits when it comes to the Internet, as the UN can attest to.

All this means that organizations that are experiencing a lack of sufficient IPv4 addresses will have to address that problem in some other way: by having multiple users share a single IPv4 address through Network Address Translation (NAT). NAT is already widely used today, but mostly at the edges of the network, where end-users can choose a NAT that doesn't get too much in the way of the applications that they use.

Of the 1,760 blocks of IPv4 space ARIN distributed this year, nine percent was responsible for 93 percent of the address space involved—the blocks above 10,000 addresses. These typically go to ISPs. But when ISPs can't get new address space, they'll soon have to start having multiple users share an IPv4 address. This brings relief in the short term, because most applications can work through NAT, even multiple layers of NAT. But some applications, especially peer-to-peer ones such as VoIP, video chat, and BitTorrent, have a harder time working through NAT. With as many as four NATs between two users (the home routers on both sides, and the ISP's "carrier grade NAT" at both users' ISPs), peer-to-peer applications have the deck stacked against them.

In the meantime, two-thirds of the world's population isn't even connected to the Internet yet. So while NAT will allow us to continue business as usual for the most part in the short term, it's not a long-term solution for an ever-growing Internet. At some (distant?) point in the future, we'll all be running IPv6 anyway, and all those big NAT boxes that ISPs have installed in the interim will be worth their weight in scrap metal.

But such is economics: pay a little today in order to postpone paying a lot until tomorrow.
Is moving to IPv6 really so hard?

Suppose you had to build a new IPv6 network from scratch. You would hire engineers who know about IPv6, buy hardware that can forward and filter IPv6 packets at the highest speeds, select software that works over IPv6, and sign up with an ISP that sells IPv6 service. There may be somewhat of a learning curve here, but all of this is eminently doable in late 2012 or early 2013.

However, few of us find ourselves in the situation where we can build a network from scratch using brand new parts. The usual situation is upgrading an existing environment to support IPv6. And then it only takes one IPv4-only link to break the IPv6 chain. A balance sheet full of IPv4-only hardware, an IT department full of IPv4-educated engineers, or a long-term contract with an IPv4-only ISP will derail an effort to upgrade to IPv6 faster than you can say "autonomous address-configuration flag."

Everything that touches IP packets must be upgraded. And that's pretty much everything with an Ethernet port or an antenna. The BSD socket API predates the Domain Name System (DNS) and therefore must deal with IP addresses directly. Thus, applications that use the BSD-style API (such as winsock) must be updated to support IPv6. However, the transition to IPv6 has been underway for so long that recent software will typically support IPv6 without issue unless it tries to do something complicated.

As networks get bigger, it's almost guaranteed there will be some device or application somewhere that can't be made to run (over) IPv6.
So what now?

First rule for getting out of a hole: if you find yourself in one, stop digging. The most important step you can take toward an IPv6-filled future is to avoid adding more barriers blocking your path towards that future. So don't buy routers, firewalls, or load balancers that can process IPv4 at full speed in hardware but can't handle IPv6, or can only do so slowly in software. When selecting new software, see if it works over IPv6 at all, and whether the features you need work over IPv6.

But you already knew that. There are also some less obvious IPv6 stumbling blocks. If you're running a Web server or another type of server, you will at some point encounter IPv6 users who make use of NAT64, a system for translating between IPv6 and IPv4. There are two things NAT64 doesn't handle very well: literal IPv4 addresses in URLs and small MTUs. For systems that have IPv4, this link works just as well as this one. But the first link has an IPv4 address in the URL, which bypasses the DNS and thereby the DNS64 magic that allows NAT64 to translate between IPv6 and IPv4. So, avoid IP addresses in URLs.
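
As an added illustration (not code from the original article), the Python sketch below shows the DNS64 synthesis step the paragraph refers to and flags URLs that bypass it by using an IPv4 literal. It assumes the RFC 6052 well-known prefix 64:ff9b::/96; the function names and the sample HTML are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the resolver uses the RFC 6052 well-known DNS64 prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Deliberately loose matcher for http(s) URLs embedded in HTML or text.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def dns64_synthesize(a_record, prefix=WELL_KNOWN_PREFIX):
    """Return the AAAA address a DNS64 resolver would build from an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(a_record)
    # With a /96 prefix the IPv4 address simply fills the low 32 bits.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def ipv4_literal_urls(text):
    """Return (url, ipv4) pairs for URLs whose host is an IPv4 literal."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
            addr = ipaddress.ip_address(host or "")
        except ValueError:
            continue  # a DNS name (or malformed URL): DNS64 still applies
        if addr.version == 4:
            hits.append((url, str(addr)))
    return hits


# Constructed sample page; all addresses are from documentation ranges.
SAMPLE = """
<a href="http://192.0.2.10/downloads/app.zip">direct</a>
<a href="http://www.example.com/downloads/app.zip">by name</a>
<img src="https://198.51.100.7:8443/logo.png">
<a href="http://[2001:db8::1]/status">v6 literal</a>
"""

if __name__ == "__main__":
    for url, v4 in ipv4_literal_urls(SAMPLE):
        print(f"{url}\n  no DNS lookup, so no synthesized AAAA; "
              f"via a hostname it would be {dns64_synthesize(v4)}")
```

Running a scan like this over templates, configuration files, and redirects before enabling IPv6 finds the links an IPv6-only client behind NAT64 cannot follow.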

The IPv6 specifications require that IPv6 systems support a maximum packet size (MTU) of no smaller than 1280 bytes, while IPv4 in theory supports maximum sizes as small as 68 bytes, but 296 or 576 bytes aren't unheard of. Under normal circumstances, systems adapt to the maximum packet size supported by the path they communicate over. However, IPv6 systems won't reduce their packet sizes below 1280 bytes, potentially making all communication impossible. Or, if packets are fragmented, there is a significant risk of undetected transmission errors. So use MTUs of at least 1280 everywhere.

An easy way to bridge the gap between IPv4 and IPv6 is through a dual stack (having both IPv4 and IPv6) proxy. With a dual stack Web proxy, even Windows 95 machines can reach IPv6-only content, and IPv6-only systems can reach content hosted on IPv4-only servers. If you're an application developer, try to make your application work through a proxy. Many non-HTTP-based types of communication can be made to work through an HTTPS or Socks proxy.

Last but not least, make a plan. You may find that there are some time-consuming but cheap steps that you can take now, which will save you time and therefore money if and when the time comes that you have to roll out IPv6 in a hurry.
Still no plan B

When I look back at my story There is no Plan B: why the IPv4-to-IPv6 transition will be ugly from two years ago, the good news is we've made a lot of progress. Macs now support DHCPv6, making IPv6 deployment in large organizations easier. We've had World IPv6 Day, which proved that turning on IPv6 on a large website doesn't really break anything, and then World IPv6 Launch, where many large sites turned IPv6 on and kept it on. Consumer ISPs are beginning to roll out IPv6, and North America has jumped from third to first in many metrics of continent-wide IPv6 deployment. On the other hand, Asia has been underperforming despite a lack of IPv4 address space. Address trading seems to accommodate the most pressing needs for IPv4 address space, but so far, not to the detriment of IPv6 deployment.

There's still no plan B and there are still rough seas ahead. Lucky for us, it looks like we'll be able to weather them.