I used to own 10k IP addresses that I sold as proxy servers to internet marketers. I made about $20k a month and it paid my bills through college. I had no idea what I was doing and eventually shut down the company, but damn, I wish I at least kept control of those things.
If you want to see some sketchy shit, look deeply into what the VPN companies are doing.
The profit was more like 10k because the hosts all convinced me each server could only handle 256 IP addresses.
And I shut it down because the support requests became unmanageable, there was rampant fraud, chargeback rates were through the roof. I had more important things to do / opportunities to focus on.
Is there an implication that the bills approached $20k/month? Whether he owed $1/month or $20k/month, 20k/month is only being asserted as at least equal to the amount of his unspecified bills.
Depending on the university that might not cover a semester. Still, within 6 months of making money at that level, your post tax earnings are going to be enough for even the most expensive undergraduate programs
Good luck paying living expenses for years with only $5k in one of the many European countries that don't generally provide stipends for that. I'm a student in Switzerland where my university recommends more like $2,300 a month.
> If you want to see some sketchy shit, look deeply into what the VPN companies are doing.
You mean selling use of residential IP addresses of people who have no idea? I assumed that was the case when I saw companies selling proxies that route through residential IPs
Luminati does this too, they provide an SDK to app developers that lets users decide between seeing ads, paying a fee or allowing use of their IP when it's not being used.
One example is the Hola VPN which, in itself, is a VPN that uses other users' connections to act as a VPN to almost all countries, but they also sell access to this network of IPs via https://luminati.io/.
Basically like Tor, some VPNs route someone else's VPN connection through your VPN client. If I want an IP address in Sweden and someone in Sweden wants a US address some VPN companies would just route our traffic through each other's home addresses (potentially leaving you on the hook for what the other user was doing).
Generally speaking you request them from a regional internet registry (RIR). In North America, the RIR is ARIN https://www.arin.net/resources/guide/request. Bear in mind it’s harder and harder to get V4 addresses from an RIR these days, but it’s still possible. Once they are allocated to you, you have to find a place to announce them. Some “cloud” based solutions are Neptune Networks (https://neptunenetworks.org/) or Vultr (https://www.vultr.com/).
There's a lot to be said about the anxiety of "I'm making a lot of money doing something I don't understand". I've backed out of businesses where I could have been a millionaire but also could have been in prison for violating some law/regulation that I knew nothing about. It starts feeling like you're running a scam.
My point is, if 20k/month motivates you, Silicon Valley has hundreds of thousands of people in that category. And by many perspectives, they are underpaid. Really, I'm just saddened by how out of touch the rest of the world is on the subject.
This wasn't a could have, this was a going to be a millionaire in 5 years. No school costs THAT much. I'd have dropped out immediately and hired someone who DID know wtf they were doing.
Industry leaders like NordVPN and ExpressVPN may engage in P2P routing (to use residential IPs especially) to unblock services like Netflix and Disney+ [1].
HolaVPN unapologetically does this too [2].
All of this is discounting the new-age dVPNs like Orchid (not quite the Tor replacement that was promised? [3]) and Mysterium [4].
It's always good for a VPN to deny any information about the customer to a server, I would imagine that's not what was referred to as sketchy. Making a user indistinguishable from a typical user from country X is just the VPN doing its job correctly.
It seems, however, that at least some VPN providers use their customers' bandwidth without their knowledge to route other customers through it. I'd say that qualifies as sketchy.
Although on an entirely personal level, I'm not a fan of stuff like going through VPN to use Disney+. I think people should ideally either not watch or pirate geoblocked content. Consuming geoblocked content through VPNs is basically letting such companies get away with discrimination and still get your money.
It's much more difficult to take this stance when you live in a part of the world where such services are not available to you, just because of your LAT/LNG.
Several times already I found myself "wanting" to pay for content, but the only way to get it was by circumventing geoblocking.
I pay a significant amount of money for MLB streaming, only to have many games blacked out. Due to various factors, I cannot legally get access to those games.
It figuratively kills me that I live in an area where three of the five closest teams to me are blacked out on MLB.tv but they're all far enough that it would take several hours of driving to actually go to a game in-person and the local TV stations don't air those games. It's actually pretty much completely killed my interest in baseball since I can't watch any of the teams I actually care about.
It's left over from a time before distribution over the internet was practical, when middle-men added value (local promotion, collection of royalties, etc) to video distribution.
The internet made them largely redundant, but they still had their contracts and pushed to have things like geo-blocking to maintain their "local monopoly" arrangement.
When legal options are not readily available to me due to geo-blocking, I have no qualms about pirating instead.
I'm not arguing in favor of geographic blackouts, I'm arguing against them being "discrimination" by any sensible definition of the word. Nobody's sitting in an office somewhere trying to decide which sitcoms to block to most piss off the Armenians.
If they have to block you due to law, then sure since it's not their choice. Signing a contract however hardly makes it any less discriminatory. Signing a contract that means you now have to block Armenians is like signing a contract saying you won't allow Armenians into your store or will refuse to sell them stuff.
Just because this type of licensing contract is common in the media industry doesn't make it acceptable. People should just pirate whenever they hit a wall like that.
what's wrong with pirating geoblocked content in this case? if the owner actually believes that piracy == lost sales, this would be a signal that the person might have paid for the content if it were available in their locale.
Back at home the company behind NordVPN is touted as a top company. Recently I was reading an article that they'll be moving to new premises, as they've already got 1500 working for them.
Most users probably don't trust them much at all, but trust them just enough for the very minimal uses they might need them for. I would not use a consumer vpn if my life or liberty depended on it.
How much trust do you really need to lend to them if you're just using it because you want to unblock Netflix or get around your school/work network barriers?
I don't think that's unintentional either. All my targeted ads lately have been for VPNs, and anecdotally every single one has made a huge deal about the dangers of roaming the internet when not "protected" by a VPN. Every single one of my non-tech friends who has asked about security and privacy has had similar misconceptions too.
Very often your residential connection is sold as proxy to e.g. circumvent rate limits. Companies like luminati are used for example for scraping google search results and many more things.
I don't know about NL or elsewhere, but I'm pretty sure this can get you in trouble in Spain for several reasons:
1. Check your ISP contract. If it is a residential connection, it probably says you are not allowed to share your connection with people outside your home (and it could be argued that you are doing so by running this).
2. Check your laws. In Spain, if your connection is used to conduct illegal activities and you willingly gave access to the attackers (which is what you are doing here) then you are a "necessary collaborator" and would be found guilty of these crimes.
yeah I would think long and hard about 2). if I understand correctly, this would be the same as running a tor exit node. not technically illegal in most cases, but could be very stressful/expensive to defend against anyway. not worth it to save a few dollars a month.
In Spain, if you run a Tor exit node and someone commits a crime via Tor through your connection, you’re party to the crime.
In other countries, “not technically illegal” may apply. In Spain, it does not.
Or to give another analogy, it’s not technically illegal to sit in a car. It’s a different matter if you’re sitting in the car as a lookout while a crime is occurring. While there’s “intent” that matters in that particular example, when it comes to internet crime in Spain, intent doesn’t matter, facilitation is all that does.
I know you're being nice here, and I have no idea if that particular user cared, but like, as someone who has to take frequent user data/trust/privacy/handling trainings, like, don't ever do that.
Firstly, you really want to engineer your systems as much as possible so that you can't look at any PII -- and that includes things like usernames that aren't displayed to the public, and maybe even ones that are! -- as an administrator of your system, without going through some sort of "break glass in case of emergency" process that leaves an audit trail with a clear policy of when it is acceptable.
Second, even if you have access for job-related tasks, you shouldn't spontaneously try to tie user accounts to outside identities; that should be like line 4 or 5 in your data access policy. The right way to do the above would be something like saying "Thanks for vouching for us! If you message me your username @XYZ, I'll add some extra bandwidth credits to your account. :)"; that turns the interaction/demasking into something voluntary on the user's behalf, rather than you creepily stalking them through your user DB.
Is the 3% fee to "cash out" earned on your end or PayPal? It just feels a little disingenuous to advertise a rate but the only way to receive payment is at a loss of 3%. ...or is the model that the sharers are also customers and you encourage them to use the service while discouraging "cashout"?
It's been a while since I've done much with PayPal, but at one point a typical fee was $0.30 + 2.9%, so at a 3% fee they'd be taking a small hit in the processing fees for orders below $300 and turning a mild profit when people cash out for more than that. YMMV with their current fee structure.
Agreed it's a little scummy to not factor your operating expenses into the price of the product, especially if that's not blatantly obvious from the outset.
It's probably one of the best in terms of value/price as it is pay-to-go. The only commitment is USD 50 minimum top-up. It's also pretty fast. Negative is that some countries have few Proxies and they don't say how many exactly. They also don't have city-level targeting.
I'm using your service (found it on HN too) for a side project and I'm very happy with it. Good job!
One nitpick: I'm seeing occasional timeouts (probably because the residential endpoint went down recently). Do you have a best practice on how to work around that?
How does your business manage 7 million+ residential IP addresses with 5000+ clients?
Is being a packeter safer than running a tor exit node? I'd worry that the people willing to run this risk for a small income couldn't afford adequate legal defense if necessary.
I've seen that too. PayPal and Stripe on the list also. I think it's just a list of all the providers and software/tools they themselves used. Seems maybe a little misleading, wonder if people might think they are endorsed by Stripe, etc?
What's the issue with this if it accomplishes the goal of proxying your connection? I assume the LLCs are designed as a legal shield but would probably have their veils pierced.
Or good business sense, maybe? If you're in real estate and own a bunch of properties, you're going to have an LLC for each property, and maybe even one LLC for each state that owns the other ones. You could easily end up with a dozen LLCs for <10 properties in multiple states.
Yea I got hired as a CTO for a startup in my late 20s and thought I had found my dream job. They offered to double my pay as a JR engineer which was a good amount of money for my age and was given 4% ownership that vested over 4 years. Well about 9 months in, the CEO decides the current business plan isn't viable and wanted to setup a competitor to his previous employer. He knew that this could very easily result in litigation from his former company as he was also the CEO there and started playing the LLC umbrella game and suddenly I'm getting paid by some company in Wyoming with a totally different name.
To comfort me, the CEO told me that they would go ahead and vest my 4% shares immediately for the new entity. The checks were still cashing and I didn't think much of it at the time. The company started making decent money about 1M annual revenue, but when profit sharing season came, I was not given anything but a 2k bonus. Then one day when nobody was in the office, I happened to see some documents on a desk that dissolved the company I supposedly owned 4% of and described a 3 tier ownership scheme (dreamt up by a creative lawyer on retainer)
There are many people that will prey on young talent, get them to build their startup infrastructure by promising them 250k+ salaries plus profit sharing. After you build the thing and serve your use, be wary of the people suddenly wanting to "help" or "co-administer" the system. It's code for they are trying to learn how to run things without you because you are too expensive now that the system is online. Additionally, in more conventional contracts vesting options can cost you a lot financially if you don't calculate the taxes right.
In the end the CEO and VP got sued by both their former employer and the state of california. The CEO's wife then divorced him and took half of his money after he lost nearly 500k. Karma was a little mean in my opinion on that one haha
For those reading along, states like Wyoming (and New Mexico IIRC) are attractive for these kinds of LLC filings b/c they don't have public company databases.
> The legislation has limitations. The general public won’t have access to the ownership data, a disappointment to anti-corruption campaigners, who say public scrutiny would help combat criminal activity.
Looks like the data will only be available at the Federal level and not open to the public.
> In another transparency setback, the law also exempts some entities from the disclosure requirements, including domestic investment funds that are advised and operated by a registered investment adviser.
Sounds like the practice of using Registered Agents will still be allowed to continue.
So it's a new law that will change how the Feds can access and prosecute organized crime, which is a good thing, but won't help much in allowing us to learn who really owns that new shiny LLC.
Is there still a market for this? I own a lot of IPs and would be interested in learning more. It would depend on what they’ll be used for, but maybe there is something beneficial.
You could probably still do it and do fairly well. Go on BlackHatWorld as a starting point. I did this circa 2011-2013, but really all I did was arbitrage between webhostingtalk and BHW/Wickedfire. I ran a bunch of squidproxy instances and let the server providers convince me that I couldn’t have more than 256 IPs per server, so I way overpaid.
I’m more surprised that a single IP address is worth $20 apparently than Amazon owning 100 million of them.
What I wonder, is it a competitive advantage for Amazon at this point that they have so many? Phrased differently, would it benefit Amazon if the current status quo of IPv4 vs IPv6 adoption is maintained?
Yes, I think it would. Because despite the obvious business advantage they have, any would-be competitor would need IPs at a similar scale. That will either cost a ton more than Amazon has, or they simply won’t be available.
I own 2048 IPv4’s myself and their value is ever increasing. Like digital real estate, without the fluctuation of crypto. But I would prefer it if IPv6 would take over IPv4, and fast, because it will become a problem that will stifle competitors at some point. If most IPv4’s are owned by big corporations, that’s essentially.. them owning the current internet.
IPv6 is practically free.
I would love to see a breakdown of IPv4 FAANG ownership!
> I own 2048 IPv4’s myself and their value is ever increasing. Like digital real estate, without the fluctuation of crypto.
Until the day when ipv6-only connectivity becomes practical/commonplace. At some point ipv4 market is going to crash when they are simply not needed anymore. Of course that inflection point might still be quite far away, but I wouldn't count on ipv4 stock being a retirement fund
This is slowly happening. On my blog, I can see IP addresses of people who subscribed for my newsletter. It used to be 100 per cent IPv4 a year ago, now it is more like 8:1.
Not exactly. At 70% (like today in much of the world) that's certainly a practical option for most people. At 10% not so much.
So what happens is that beyond a certain point it stops making commercial sense to route IPv4 globally. That's probably before your 10% mark. So by then there's no point bothering with IPv4 for your systems unless you specifically serve that deprived market and will spend money to connect to them specially.
For IPv4 users the Internet still mostly works, when their system asks "A? some.website.example" and there is no A record because the IPv4 Internet isn't really a thing any more, it gets an answer like "10.20.30.40" where that address was arbitrarily picked as a temporary local assignment for some.website.example. When they connect to 10.20.30.40 a Network Address Translation module behind the scenes does an IPv6 connection to some.website.example and hooks them up.
So their copy of Internet Explorer still "works" although some more advanced features are flaky or missing but hey, they know they have crappy 20th century Internet and ought to upgrade.
Inside some larger companies there already is no IPv4, and that will spread, inconsistently but it will spread, because IPv4 is a pain in the backside, it's easier without it. Translation gateways keep things mostly working enough for people who have IPv4 only, today that's the majority, a decade from now it's a minority, and eventually it's too few people to care about.
Eventually (probably much below 10%) the translation gateways are thinly used enough that "nobody" proactively notices if they're broken, that'll happen in some places faster than others, but the effect is to push those final people to upgrade because it's just annoying to always be the person calling your ISP to complain when it breaks.
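The comment above sketches a translation gateway from the IPv4 client's side (a temporary local A record that fronts an IPv6-only server). The deployed mechanism today is the mirror image, DNS64/NAT64 (RFC 6147 / RFC 6146), where an IPv6-only client reaches IPv4-only servers through a synthesized AAAA record. The block below is an added example, not code from any commenter or ISP; it shows the address embedding both ways using the RFC 6052 well-known prefix `64:ff9b::/96`, and a tiny DNS64-style resolver over constructed sample records (the names and addresses are documentation ranges, not real zone data).

```python
import ipaddress
from typing import Dict, List, Optional

# RFC 6052 well-known prefix used by NAT64/DNS64 deployments. Assumption: the
# gateway uses this prefix rather than a network-specific one.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_nat64(ipv4: str,
                     prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix.

    This is what a DNS64 resolver does for a name that has only an A record:
    the IPv6-only client gets an AAAA pointing at the NAT64 gateway.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding form of RFC 6052 is handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6: str,
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Inverse operation, as done by the NAT64 gateway on a packet it receives.

    Returns None if the address is outside the translation prefix so that a
    caller never 'translates' ordinary IPv6 traffic by mistake.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(name: str, records: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Simulate DNS64: hand back genuine AAAA records when the name has them,
    otherwise synthesize AAAA answers from its A records.

    `records` is constructed sample data in the shape {name: {rrtype: [rdata]}}.
    """
    rrsets = records.get(name, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])  # native IPv6 wins; no translation needed
    return [str(synthesize_nat64(a)) for a in rrsets.get("A", [])]


# Constructed sample zone data; these are documentation addresses, not real hosts.
SAMPLE_RECORDS = {
    "dual.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example": {"A": ["198.51.100.7", "198.51.100.8"]},
}

if __name__ == "__main__":
    print(dns64_answer("dual.example", SAMPLE_RECORDS))      # native AAAA
    print(dns64_answer("v4only.example", SAMPLE_RECORDS))    # synthesized AAAA
    print(extract_ipv4("64:ff9b::c633:6407"))                # back to 198.51.100.7
```

The practical caveat is the one the comment hints at with "flaky or missing": anything that carries IPv4 literals inside the payload (FTP, SIP, some hard-coded API endpoints) bypasses DNS64 and needs 464XLAT or an application-level gateway, which is why operators watch these paths rather than assuming translation is transparent.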
> I own 2048 IPv4’s myself and their value is ever increasing.
I own several /22's, and am renting them out through a broker. So far, 1 month's rent (easily) covers the yearly RIR costs, so quite a good margin, and I still own them.
So when time comes, I can sell them, but before that, rent keeps coming in. Just need to make sure they are sold before the market value of an IPv4 crashes to zero.
This is a good question, I don't get why you are downvoted. I also own some /22 and I've been so far reluctant to rent them for the reasons you mentioned.
Just out of curiosity how does one go about purchasing and maintaining ownership of IPv4’s. Do you need to do it through your own company or is it possible as an individual. I’ve heard you have to demonstrate you can use them but that was in relation to IPv6’s.
Depending on which Regional Internet Registry you belong to (based on country of residence/incorporation), the process is roughly:
A) justify an AS and pay the fee
B) find someone to buy IPv4 addresses and pay them (probably a deposit)
C) justify IPv4 address space to the RIR and pay the fee to transfer from your seller
D) pay annual dues
If your RIR actually has space available, you might be able to skip step B. And you can get IPv6 addresses without finding a seller, because all the RIRs have IPv6 space.
RIR processes are generally human driven, so you might get more questions if you're filing as an individual.
It wouldn't take too much to make a breakdown of IP announcements. Ownership is a bit harder to track down, I think.
Looking at something like https://bgp.he.net/AS32934#_prefixes will tell you what IPs Facebook announces. Rinse and repeat for whoever else. Maybe a bit tricky if you need to track down subsidiary ASes.
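To turn the "rinse and repeat" above into the breakdown the earlier commenter asked for, you need to sum announced IPv4 space per origin ASN without double counting more-specific prefixes that sit inside an aggregate. The block below is an added example (not code from the commenters or from bgp.he.net); it works on a constructed list of (prefix, origin ASN) pairs in the shape a routing-table dump would give you, using private-use ASNs and documentation prefixes. It also flags prefixes announced from inside another ASN's block, which is the same overlap you would look at when checking for a misoriginated or hijacked more-specific.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of (prefix, origin ASN) pairs. The ASNs are from the
# private-use range and the prefixes are documentation ranges; they are not
# the real announcements of anyone.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/25", 64500),      # more specific inside the /24: must not double count
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("203.0.113.128/25", 64502),  # same space announced by a different ASN
    ("2001:db8::/32", 64500),     # IPv6 announcement, skipped in the IPv4 count
]


def ipv4_space_by_origin(announcements: List[Tuple[str, int]]) -> Dict[int, int]:
    """Return {asn: number_of_ipv4_addresses} with overlapping prefixes collapsed.

    collapse_addresses() merges a /25 back into the covering /24 and joins
    adjacent blocks, so an ASN that announces both an aggregate and its
    more-specifics is counted once.
    """
    per_asn = defaultdict(list)
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 4:
            per_asn[asn].append(net)
    return {
        asn: sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        for asn, nets in per_asn.items()
    }


def multi_origin_overlaps(announcements: List[Tuple[str, int]]) -> List[Tuple[str, int, str, int]]:
    """List (inner_prefix, inner_asn, outer_prefix, outer_asn) where one ASN
    announces a prefix that lies inside another ASN's announcement.

    That pattern is normal for a customer announcing a slice of its upstream's
    block, and it is also exactly what a more-specific hijack looks like, so it
    is the list you want to eyeball rather than silently sum.
    """
    nets = [(ipaddress.ip_network(p, strict=False), a) for p, a in announcements]
    hits = []
    for inner, inner_asn in nets:
        for outer, outer_asn in nets:
            if (inner_asn != outer_asn and inner.version == outer.version
                    and inner.subnet_of(outer)):
                hits.append((str(inner), inner_asn, str(outer), outer_asn))
    return sorted(hits)


if __name__ == "__main__":
    for asn, count in sorted(ipv4_space_by_origin(SAMPLE_ANNOUNCEMENTS).items()):
        print(f"AS{asn}: {count} IPv4 addresses announced")
    for row in multi_origin_overlaps(SAMPLE_ANNOUNCEMENTS):
        print("overlap:", row)
```

As the comment notes, this measures what is announced, not who holds the registration; an ASN announcing space on behalf of a customer, or a subsidiary with its own ASN, shows up here under the announcing ASN and has to be reconciled against RIR data separately.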
Disclosure: I worked for WhatsApp including while it was part of Facebook, and was involved in getting AS11917 setup for WhatsApp.
I'm not sure what AS11917 is for now but the lion's share of WhatsApp now runs over/in Facebook's network/datacenters. WhatsApp chat connections are terminated on the FB edge like most other FB traffic and it shares FB's common CDN for media. AS11917 might be some legacy stuff or, as was mentioned, special policy stuff. But assuming things are as they were a year or two ago most of your WA traffic is via AS32934.
I'm not 100% sure, but if WhatsApp wanted to run their own datacenters, then they'll need their own IP ranges, and BGP/AS numbers are how IPs are "routed".
The AS number is used to let others know that a given IP range is reachable via your router.
I'd like to give a better explanation, but I think it would be wrong. BGP is really hard for me to grasp, even if my networking colleagues claim it's not really that complicated.
"Running a datacenter" isn't something that inherently needs its own IP range. You could run a datacenter only in private address space and NAT to the internet (though this wouldn't really be very practical) or even run in private space. My point is that having a lot of computers doesn't _necessarily_ require getting public IPs or ASNs.
You need public addresses if you want to be publicly reachable. If you're small you might find an ISP — let's say ISP Inc — that will give you an internet connection and allocate some part of the address space it in turn has been allocated. There's no need for BGP or dedicated IPs here — the rest of the internet already knows how to reach the range(s) of addresses assigned to ISP Inc, and from there ISP Inc's own network takes care of sending the traffic down the pipe to you.
If you need a lot more addresses, or you want to use more than one ISP (either of which could apply to WhatsApp's case), you probably need to get a dedicated assignment and an ASN. The ASN means you're an "autonomous system" — not a carved out bit of someone else's network. You go to your local registrar and convince them you need some addresses, and then you go to your ISP(s) and ask them for "transit", which means they'll connect you to their network and route to and from the rest of the internet for you. But since you're now using your own addresses it's not as simple as above, where your IPs were part of your ISP's range and everyone else just sent their traffic to your ISP for them to route to you. Your IPs are yours now, and until you tell the rest of the internet how to find you nothing will work. To make this work you have to get your ISP(s) to tell the internet "hey, y'all want to send traffic to Mr Weasel LLC? I can handle it for you". This is called "announcing" a prefix (IP range) and BGP is the mechanism through which all the routers on the internet propagate announcements detailing who is providing connectivity to who.
Conceptually this stuff is quite straightforward but in practice it can be mindbending. As well as transit there are peering arrangements (where Mr Weasel can arrange with Netflix to swap traffic over a dedicated physical connection, rather than their respective ISPs) and hella complicated traffic engineering schemes linking the big content providers to the internet. For instance, Facebook has thousands of transit and peering connections with other ISPs and providers and deciding which path is optimal for any given situation requires very complicated policies and management.
While what you suggest is possible it's amateur and fraught with problems.
Any halfway serious company that wanted to run a global application on their own infra is gonna need their own ASN and internet presence with their own IP space.
You can split hairs however you like on when one needs their own allocation. That wasn’t my point — I was just trying to illustrate to the parent poster (since they seemed uncertain) how internet routing works at a basic level and why decisions over IP space aren’t necessarily a concern for “running a datacenter”. Perhaps I took this remark too literally and I hope the parent commenter forgives me if that is the case.
The smallest routable IPv4 network on the Internet is a /24, which is 256 addresses. Regional Internet Registries won't assign you smaller than a /24, but individual ISPs might. Even if you have an assignment, maintaining it requires payment of annual fees to your RIR, unless you're a lucky "legacy" address holder from before the RIRs were formed.
I own a /24 from the early 90's, registered before ARIN and the other RIRs existed. It is considered a legacy block and I've never signed the legacy registration agreement, so no fees for me! I do have it routed to my home network over a "business broadband" connection.
I use my network mostly for experimentation and it is unlikely to be a target for hijack. If I were a commercial enterprise I would want RPKI for the future. Currently it seems mostly irrelevant in a practical sense, due to the small number of ASes actually validating.
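Two mechanics behind the comments above are worth seeing in code: routers pick the most specific covering prefix regardless of who announced it, which is why a /24 leaked from inside someone else's /22 pulls that /24's traffic; and RPKI route origin validation (RFC 6811) is what lets a validating AS drop such an announcement. The block below is an added example, not code from the commenter, any router vendor or any RIR. It uses constructed routes and ROAs with private-use ASNs and documentation prefixes; the legitimate holder of the /22 is AS64500, AS64666 plays the unauthorised origin, and the ROA's maxLength is deliberately tight to show the common self-inflicted failure where the holder's own /24 announcement becomes invalid.

```python
import ipaddress
from typing import List, NamedTuple, Optional

N = ipaddress.IPv4Network  # short alias used for sample data below


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    origin_asn: int


class ROA(NamedTuple):
    """Route Origin Authorization: asn may originate prefix, and any
    more-specific of it down to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the routing table.

    The most specific covering prefix wins no matter which AS announced it;
    there is no notion of 'ownership' at this layer.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def rov_state(route: Route, roas: List[ROA]) -> str:
    """RFC 6811 origin validation outcome for one route: valid, invalid or unknown.

    unknown: no ROA covers the prefix at all (RPKI says nothing).
    valid:   some covering ROA matches the origin AS and permits this length.
    invalid: ROAs cover the prefix but none match origin AS and length.
    """
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == route.origin_asn and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def best_route_with_rov(table: List[Route], dst: str, roas: List[ROA]) -> Optional[Route]:
    """Same lookup after discarding RPKI-invalid routes, which is the policy a
    validating AS applies. Unknown routes are kept, since most of the table
    still has no ROA."""
    accepted = [r for r in table if rov_state(r, roas) != "invalid"]
    return best_route(accepted, dst)


# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [ROA(N("198.51.100.0/22"), 22, 64500)]  # holder authorises only the whole /22
SAMPLE_TABLE = [
    Route(N("198.51.100.0/22"), 64500),  # legitimate aggregate
    Route(N("198.51.101.0/24"), 64666),  # more-specific from an unauthorised origin
]

if __name__ == "__main__":
    dst = "198.51.101.9"
    print("without ROV:", best_route(SAMPLE_TABLE, dst))          # AS64666 wins
    print("with ROV:   ", best_route_with_rov(SAMPLE_TABLE, dst, SAMPLE_ROAS))  # AS64500
    for r in SAMPLE_TABLE:
        print(r, "->", rov_state(r, SAMPLE_ROAS))
```

The maxLength point matters for the later discussion of splitting a /22 into /24s across regions: with a ROA of maxLength 22, the holder's own /24 announcements are invalid and get dropped by the same validating networks that would protect them, so the ROA has to be issued for the lengths you actually announce. The flip side, a loose maxLength, lets anyone who can forge the origin AS announce more-specifics that validate, which is why RFC 9319 recommends minimal maxLength.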
From what I understand, the problem is in routing them. If you could buy a single IP address then all the routers need to keep a record of where that IP address goes to rather than a simple rule of this whole block goes out port 5
No, not really. If a new organization needs a large block of ip addresses, they just use IPv6. The biggest reason IPv4 persists is because deploying IPv6 can be very expensive for legacy users: new equipment, retraining, hiring. For a large organization, planning and executing such a deployment can take years. There are a lot of fresh new telecom providers in India who do not have that kind of baggage, so they chose to deploy IPv6 networks from the start for their cellular internet. You'll notice that if you're on a cellular network, even in the U.S., you will have an IPv6 address. If "the market" ever tries to price gouge for IPv4 addresses to the point where deploying IPv6 becomes the cheaper option, then organizations will just use IPv6 instead.
> You'll notice that if you're on a cellular network, even in the U.S., you will have an IPv6 address.
Just a data point.
I'm on a cellular network in the UK for both my phone and my phone network (via 4G router).
My phone get an IPv6 address only, no IPv4.
But my home network gets an IPv4 address only, no IPv6. I can't obtain IPv6 on the home network even though it's the same cellular service (down to the same kind of SIM and same contract) as the phone.
Please tell me which network so I can immediately switch.
Three unfortunately still don't use IPv6, and I'd prefer if my phone were IPv6-only than IPv4-only since everything else in my life is IPv6 capable -- all my servers, my home Internet, my email provider, etc...
EDIT: So it seems some people have gotten IPv6 addresses from Three last year - e.g. https://twitter.com/Mythic_Beasts/status/1195292901191892992 - so perhaps I just need to wait for Three to enable it for everyone? Not going to wait forever though...
The phone Settings > About > Status shows an IPv6 and no IPv4.
However it's not really IPv6-only. It is able to make IPv4 connections, which rather than going over the IPv6 route, are instead tunnelled to the network separately via the modem and the network applies CGNAT and assigns an ephemeral source IPv4.
I also use Three for my 4G+Wifi home router. That doesn't get an IPv4 at the moment, just an IPv6. None of my home devices can make IPv6 connections over the LAN to my internet services. They resolve ok, but then have no route.
Same applies when using my phone as a Wifi hotspot. The hotspot is IPv4 only, even though the phone itself has an IPv6 uplink.
Now I know it's an experimental partial rollout by Three, I wonder if I'd see the opposite if I swapped the two SIMs.
I've seen some VM providers charge more to get an instance with IPv4 connectivity. Amazon doesn't charge extra for that (last I looked anyway), so that's a potential advantage.
IPv6 penetration is growing, but Akamai reports that even the most IPv6 networks only go to ~ 92% IPv6. So if you want to have full reach, you need IPv4, but you don't really need IPv6 (although, you may want it, some of the CGNAT systems that users are behind are pretty bad, avoiding that is nice)
* They'll provide a free dynamic IPv4 address attached to any interface/VM for the life of that VM.
* They'll provide static IPv4 addresses. These are generally free, but you'll be charged if they're not attached to a VM (i.e., sitting unused). Only one IP per instance is free.
Charge is a half cent an hour, so works out to about $3.65/mo to camp on an IP address.
Nothing is free when you get it from a profitable business.
EC2 prices are pretty high compared to other offerings if you run the machine permanently. The "free" IPv4 address is certainly a part of the price. (There are other parts like good maintenance, which you don't necessarily get from cheaper competitors)
Scaleway charges you 1 € / month for such address whether you use it or not. That's a 25% premium on the cheapest machine when in use. Much cheaper than AWS whether in use or not.
Not sure how many customers could perfectly live without the IPv4, but AWS seems to be in the market position to (covertly) charge them, too.
Typically not (but I guess it's possible). CGNAT is expensive to run, but carriers do it because it can be less expensive than getting more IPv4 addresses, and it's faster to add capacity than to get addresses. IPv6 addresses are very low cost and quick to get assigned, so if you're supporting IPv6, and you run low on addresses, adding CGNAT doesn't make sense.
It's much more typical to either have cgnat IPv4 and public IPv6, or just cgnat IPv4 and no IPv6 than to have cgnat both.
That doesn't sound quite right to be honest - do you have a source for that?
I don't even see what possible rationale there could be for such a change.
Most native v6 consumer already have firewalls for IPv6 in the CPE which block any incoming connections per default, so not even the misusing NAT as firewall argument applies here.
That’s what’s happening here in Spain. The biggest ISPs are doing nothing to migrate to IPv6 because they are sitting on a shitload of IPv4 addresses and that makes it very hard for new ISPs to compete.
There's a u shaped curve on pricing. There's a lot of demand for /24s, because sometimes that's all you can justify.
Once you get bigger than what can be easily justified, the prices go down a bit. If you need a /18, you can probably use either a /18 or two /19s or ... You can make it work, and there's not enough benefit for contiguous to pay more. Of course, if you can justify a /8, there is a premium for contiguous. Otoh, not too many /8's for sale.
The original list of assigned blocks [1] is a fascinating glimpse of history. Some of the Class A networks are still recognizable (MIT, University College London, Stanford) while others have faded in prominence (BBN, CISL, DEC, MITRE, Tymnet). The same 1981 document also contains a list of assigned ports which of course does not include DNS, HTTP(S), IMAP, POP, or SSH.
MITRE is a non profit that "manages federally funded research and development centers (FFRDCs) supporting several U.S. government agencies" they have a technology and cyber security mandate which is still big (they run CVE, CWE, SCAP, etc.). They haven't faded so much as they were never a public/network company in the first place.
Why's that? They run an incredibly significant amount of internet infrastructure, is it not also natural for them to own a lot of IP addresses to go with that?
A small nitpick: They don't "own" these addresses, the regional internet registries (ARIN, RIPE, APNIC etc.) loan them to Amazon so they can use them, they could take them away again if AWS would do something that's against the RIRs' policies.
We also have a single /22 block of addresses from RIPE (we were one of the last companies to get such a block in 2019), so far we haven't made use of it though as it's still a bit tricky to find providers that will announce your addresses (without asking a hefty amount of money for it).
> So far we haven't made use of it though as it's still a bit tricky to find providers that will announce your addresses (without asking a hefty amount of money for it).
Thanks! I'm aware of them, but you need two peers to be able to announce your IP space (multi-homing requirement). AWS actually also allows you to bring your own IPs, so we might indeed go Vultr+AWS for now.
It’s only the RIR which requests proof you will multi-home and you must have been able to say to which AS you would peer to get the /22, since it’s a question RIPE asks as standard and the analyst will have considered in approving your application.
BGP itself doesn’t care at all. Announce the entire block from one “region” in Vultr, or split it out with a /24 in four different ones. It’ll work just fine.
I don't think the multihoming requirement works like that. Either Vultr or AWS would fulfill it, as they each certainly would be advertising the block out several redundant ISP paths, thus fulfilling the multihoming justification...
That’s a huge nitpick, given that RIRs generally don’t give a shit even if you don’t use the addresses at all. Also I can imagine Amazon would rightly sue if a RIR tried to take addresses from them.
The exception to this is a handful of remaining "legacy" pre-RIR address holders. I'm surprised AWS, etc. are so willingly handing the addresses they buy from legacy holders over to ARIN.
> jq is like sed for JSON data - you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text.
I default to wget because as a sysadmin I usually want to download a file, and that is the default behaviour. Perhaps devs default to curl because they want to pipe things.
From what I understand the problem with IPv6 isn't technical problems it is with legacy. According to what I know in Africa and Asia they have mostly already been running on IPv6 the problem is just basically a bunch of lazy network admins in NA and the EU that don't want to learn the new tech and organizations that don't want to switch.
> …a bunch of lazy network admins in NA and the EU that don't want to learn the new tech…
That’s a cheap shot, and it’s not called for.
Network admins are paid to make the networks run. Anything else is less important. If your IPv6 network experiences some small problems, well, you’re going to hold on to IPv4 because small network problems can mean big inefficiencies or lost sales.
Just a few weeks ago I was on the phone with my WiFi router’s vendor for a couple hours or more because IPv6 traffic wasn’t working through it. I had narrowed the problem down to the router itself. It’s not necessarily that IPv6 is poorly tested or has technical problems, it’s that there’s a long tail of devices/configurations/software out there which screw it up, and it’s often cheaper to just use IPv4 rather than suffer even the minor inconveniences and troubleshooting sessions necessary to run IPv6.
It’s moving forward but it’s slow progress, and it’s not because network admins are lazy or stupid. It’s because there’s a lot of work to be done and not everyone has much of an incentive to do it at all.
Yeah, it's not the network admins, they want IPv6 too. If at all possible our network admins want IPv6 only networks, the sad fact is that it's not possible in most cases.
We had to return stacks of Cisco equipment, because despite being brand new it had no IPv6 support. We should have checked of course, but we just didn't imagine that you could buy IPv4-only equipment in 2020.
Software is even worse, we have had software that advertised IPv6 support, so we built an IPv6-only solution, only to find out that the manufacturer has NEVER had a customer using their software on IPv6. They tested it six years ago and never followed up, meaning that IPv6 does actually work in the latest versions.
Docker is another example, who in their right mind designed Docker to be an IPv4-only solution and then attempts to bolt on IPv6 later. It should have been IPv6 and then if you really needed it you could add an IPv4 ingress. Most of the issues we have experienced using Docker could have been avoided by using IPv6 and dropping IPv4 altogether.
Definitely. At our company our network provider decided that it's better for us to use ipv6 from now on. For one day the customer support couldn't figure out what was wrong with our network. They even suggested that the recent heavy rain might have damaged the lines. Finally after a few struggles they mentioned in one sentence that they switched our region to ipv6 only, and that was when we, the customer, realized what's wrong. And obviously, we have a business plan. So that was one day of work without any internet.
One can really clean house if they understand networking well and pay close attention to what the WAN is doing. On the flip side, one can easily be ruined if the WAN is not considered during infrastructure planning.
Don't confuse long-range www traffic with the total number of endpoints. Serving a single page might take dozens or even hundreds of interacting services.
Not one of our enterprise customers has IPv6 enabled.
Not one of the public clouds we manage have IPv6 addresses on their virtual networks.
Meanwhile, putting a CDN in front of an otherwise 100% IPv4 web server will add an IPv6 address whether you like it or not, and that traffic will contribute to those stats you mentioned.
This article is about public cloud providers hoarding IPv4, which applies to things like the PaaS and SaaS services, internal APIs, etc... which are nearly 100% IPv4 in all three of the big public cloud providers.
Some carriers are engaging in IPv6-only peering spats, which is also harming adoption. Cogent, recipient (and rejector) of the famous Peering Cake[1], has no IPv6 routes to Google or Hurricane Electric, for example.
It has nothing to do with network admins. Everything the majority of customers care about in the US is available on IPv4 and sometimes ipv6. If v6 goes down for your customers, they probably won’t even notice. If you don’t have v4, you don’t have a business.
It hasn’t even been that long that Amazon EC2 has had v6 support, which is where a huge chunk of the Internet is hosted.
The network admins at ISPs are just providing connectivity the customers demand. It’s hosting providers and sys admins that don’t bother setting up anything interesting on v6 in the first place.
First: Here in Australia no major ISPs provide a native IPv6 service, and if they do, they don't provide it to business. It's obscenely difficult to obtain IPv6 in Australia. None of the major telcos do it, you have to go down the list to like the 5th or 6th biggest ones before it becomes an "experimental option" for residential connections only.
Second: Ever since IPv6 has been a thing, I've offered to customers the option to turn it on for free. No added charge. We'll just flip the switches and it's there. Not one customer, ever, has said "yes". They've all actively refused to turn it on, for any purpose.
Third: The few times IPv6 has been forced upon our customers, mostly due to Microsoft Windows DirectAccess, it was the network administrators frothing at the mouth, ranting and raving about how they don't want to do it, that DirectAccess should use IPv4 (I'll call Redmond and I'm sure they'll get right on it!), etc...
Fourth: As you've mentioned, AWS, Azure, and GCP had practically zero IPv6 support until very recently. Now, they have broken IPv6 support which is worse than useless, because it gives the impression that the problem is with IPv6, not with the people holding on to an appreciating asset of IPv4 addresses that they intend to use to lock out the competition.
TL;DR: IPv6 is held back by a combination of bad ISPs, lazy network admins, and monopoly seeking public cloud providers.
> Ever since IPv6 has been a thing, I've offered to customers [...] They've all actively refused to turn it on, for any purpose.
As such a customer, I’m worried that my ISP would eventually bait-and-switch me from routable IPv4 + optional IPv6 to CGNAT IPv4 + IPv6 when convenient to them. Sorry, but I’m not risking going behind a 1:n NAT layer that I don’t manage.
Keep in mind that many Australian Telcos are already using CGNAT, although they do allow customers to opt out. I've had to opt out, because CloudFlare was showing me Captchas all the time.
Sure, but the threat of me cancelling and switching to another ISP as the service is now unsuitable for my needs is enough to keep them from doing that.
Does this strategy work? Maybe, when I upgraded my plan they wanted to switch modems, the new one didn’t have working bridge support, and I said to them it was a requirement for me. No bridging, revert everything. The field tech escalated to engineering and they approved a business-class modem. I expect the same with IPv4, even if I have to pay extra.
Running a dual stack IPv4/IPv6 network at minimum doubles the amount of work network engineers need to do on a daily basis. Consider something as simple as a ping monitor to determine if a device is up or down now has to test for both IPv4 and IPv6 reachability.
The problem with IPv6 is that it's a fundamentally flawed design. Which looks easier to input / dictate over the phone / write down somewhere? 220.12.30.01 or 2001:cdba:0000:0000:0000:0000:3257:9652?
Use DNS, that’s what it’s there for. MAC addresses aren’t referred to as fundamentally flawed and they are approximately the same length as the shortened version of the address you posted.
Forget DNS. Use an overlay with content routing. Hierarchies suck.
It's extremely hyperbolic to call an ugly syntax a bad "design". But IMO it would have been much nicer if they just reused '.' as in IPv4. ':' seemingly came out of their pie in the sky desire to replace MACs.
Speaking of MACs, every time I see some cheap trash gizmo come with its own MAC I'm surprised there isn't address space pressure. I guess that's due to having 16 more bits as well as being non-aggregable.
Yeah, that extra 16 bits is a game changer. The whole v6 debacle wouldn’t have happened if v4 was 48 bits.
It’s funny, there is an interview with Vint Cerf where he mentions the choice of 32 bit address space for ipv4 was essentially pulled out of a hat and it could just as easily have been 48/64/24.
> On the other hand, most devs / technical staff type IPs into the browser and terminal daily.
No they don’t. Configure a DNS server and type these in once. Any time I see IP addresses passed around it’s a sign of broken infrastructure. (It also means you aren’t using TLS or you’re training people to accept cert errors.)
I think you’re confused a bit, so let’s split apart the use cases to be clear why IPs are bad in both cases.
You said devs and technical staff were typing IPs into their browsers. Presumably this means the address bar, which breaks TLS.
SSH derives a big chunk of security from key caching. If you’re using IPs you now can’t have an IP change without triggering key warnings on the SSH clients for a new key at a minimum or (worst case) a breach.
Every server/VM I control (~200) has a DNS entry. Every active IP has a reverse (PTR) entry.
I have a monitoring task to check for missing DNS entries, as it usually suggests a problem (i.e. we've deployed or undeployed something incompletely).
I let about 10 family and friends connect directly to my home server. My firewall blocks everything except for these 10 IP addresses.
I did get tired of having them figure out their IP address so now I just tell them to access a dummy page on my external VPS and I check the web server log to see their IP to add to my firewall config.
So in other words IPv4's shorter addresses didn't help at all?
And also it seems like a lot to sacrifice in order to make something marginally more helpful about once or twice a year.
Also why would you say it over the phone? Would you not ask them to email or IM it? I can't count the number of times passwords and names have been misunderstood over the phone. Numbers? Basically always at least one number is misheard.
To be fair, your example would (according to the official spec) be shortened to 2001:cdba::3257:9652, which would not be hard to communicate over the phone.
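The shortening rule referred to above is RFC 5952 (drop leading zeros per group, lowercase hex, collapse the single longest run of two or more zero groups into `::`, leftmost run on a tie). Added example, not from anyone in this thread: a small implementation of that rule, checked against Python's `ipaddress` module, run on the address quoted in the parent comment.

```python
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Shorten an uncompressed 8-group IPv6 address per RFC 5952.

    Rules applied: strip leading zeros in each 16-bit group, lowercase the
    hex digits, and replace the longest run of two or more all-zero groups
    with '::' (the leftmost run wins on a tie).  A lone zero group is left
    as-is, since RFC 5952 forbids compressing a single group.
    """
    groups = addr.lower().split(":")
    if len(groups) != 8 or any(len(g) == 0 or len(g) > 4 for g in groups):
        raise ValueError("expected an uncompressed 8-group IPv6 address")
    groups = [g.lstrip("0") or "0" for g in groups]

    # Locate the longest run of "0" groups; strictly-greater comparison
    # keeps the leftmost run when two runs have equal length.
    best_start, best_len = -1, 0
    cur_start, cur_len = -1, 0
    for i, g in enumerate(groups):
        if g == "0":
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0

    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's canonical form."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    # Address quoted in the thread, plus a few edge cases (all constructed).
    for a in ["2001:cdba:0000:0000:0000:0000:3257:9652",
              "0000:0000:0000:0000:0000:0000:0000:0001",
              "2001:0db8:0000:0001:0001:0001:0001:0001",
              "0001:0000:0000:0001:0000:0000:0000:0001"]:
        print(a, "->", compress_ipv6(a), "stdlib agrees:", agrees_with_stdlib(a))
```

The point of writing it out rather than just calling the library is to see why the two "0000:0000" runs in the last sample address do not both collapse: only one `::` is allowed, otherwise the address could not be expanded unambiguously.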
You can't imagine there are other reasons for difficulties in replacing a core component of the internet other than "longer numbers are harder to type"?
You claimed one specific issue with it, you don't get to play the "but it has other problems too!" (it indeed does) card now. It being badly designed in some ways is indeed part of the "other reasons".
How are we not out of IPv4 addresses already? Aren't there a billion phones out there? And probably the same number of PCs and god knows how many servers?
There is a lot of NAT going on these days, and a lot of shared addresses. All those devices aren't all online at the same time.
As I see it, IPv6 can't come fast enough. NAT really needs to die a death so people can actually use the internet fully, not only as a client or using hack-y work-arounds.
I want ipv6 as much as anyone, but we are not spending enough time preparing for NAT's death. It's responsible for far more security than we as a collective would like to admit and there's a lot more we could be doing now to get ready.
That's a common misconception. NAT isn't a security feature but rather a feature of a stateful firewall, which is. There's no reason to remove the firewalls that are in place now when ipv6 happens.
If firewalls are even needed, a recent poll on an IPv6 professional forum ended with 50/50 split between opt-in and opt-out for IPv6 firewalls in routers of consumer ISPs...
That's surprising and quite concerning. Imagine all the insecure IoT devices running ancient software having a direct connection to the Internet... It would be even more concerning if they were shipping routers without any firewall functionality at all. NAT basically requires a firewall. I hope the thinking isn't if you can do away with NAT you can do away with the firewall.
The thinking of the opt-inners seems to be (roughly) that:
- IPv6 is fundamentally much more secure than IPv4 (no scanning, etc.)
- opt-out is bad for innovation, especially since the cheap default ISP router firewall software is likely to not even allow opt-out for any other protocols than TCP and UDP. (Heck, these days on IPv4 even anything different than HTTPS can be problematic...)
- reliance on router firewalls is bad because they incentivize sloppy device security - the manufacturers should instead be liable when they are at fault for screwing it up (also, how many of these "insecure IoT devices running ancient software" are even able to run IPv6?)
So I guess that we're going to see in practice the problems that having no IPv6 firewall causes (most customers not having any idea about what even is a firewall) as it gets more popular... and since Free this summer boasted about reaching 99% IPv6 coverage, and is enabled by default, and can NOT be disabled...
> IPv6 is fundamentally much more secure than IPv4 (no scanning, etc.)
The same was true for ipv4 until about a decade ago.
> opt-out is bad for innovation, especially since the cheap default ISP router firewall software is likely to not even allow opt-out for any other protocols than TCP and UDP. (Heck, these days on IPv4 even anything different than HTTPS can be problematic...)
I can't wait for conficker6 to innovate its way around the ipv6 net.
> reliance on router firewalls is bad because they incentivize sloppy device security - the manufacturers should be instead liable when they are at fault for screwing it up (also, how many of these "insecure IoT devices running ancient software" are even able to run IPv6 ?)
Sounds like an excellent reason for an opt-out by standard. 99% of the world's internet users wouldn't have a clue how to manage a firewall. Directly connecting all their devices to the internet is an awful idea for 99% of the world.
Your 50/50 example is hugely biased, first it's on a Telco discussion forum so that clearly selects for technical users, then it's on ipv6 which is going to further select for technical people.
Go canvass 100 random people outside a supermarket if they want to have to manually manage a firewall for every device they connect to their network. If they don't give you a blank stare at that question remind them that includes everything from lightbulbs, washing machines, "smart" speakers, to their computers/phones (likely the only thing they think of as being connected to the internet). If you find more than 1 I'll eat my hat.
> Your 50/50 example is hugely biased, first it's on a Telco discussion forum so that clearly selects for technical users, then it's on ipv6 which is going to further select for technical people.
As you can see I'm aware of that, they are also aware of that, and the discussion is not so much about themselves (since they know how to configure a firewall or even to install their own router), but about what your "average grandma" should get.
If only average grandmas were just limited to grandmas. I don't know a single person who isn't a gamer or IT person that can properly use a firewall as they exist now.
The overwhelming majority of users doesn't bother changing any settings, as can be seen from the dramatic changes in IPv6 adoption when an ISP goes from opt-in IPv6 to forced IPv6.
Thanks. So yeah, it looks like IPv6 is more secure than IPv4... as long as we're talking about competent engineering! Hopefully this is the case for major ISPs and OSes...
Especially interesting is this RFC:
https://www.rfc-editor.org/rfc/rfc6092.html
"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"
It shows that there are lots of different filterings involved, so it looks like these millions of residential users connected to the IPv6 Internet without router firewalls might still have some router filtering going on?
Also, it confirms that "The IPv6 stateful filtering behavior described in this document is intended to be similar in function to the filtering behavior of commonly used IPv4/NAT gateways, which have been widely sold as a security tool for residential and small-office/home-office networks.
As noted in the Security Considerations section of [RFC2993], the true impact of these tools may be a reduction in security. It may be generally assumed that the impacts discussed in that document related to filtering (and not translation) are to be expected with the simple IPv6 security mechanisms described here.
In particular, it is worth noting that stateful filters create the illusion of a security barrier, but without the managed intent of a firewall. Appropriate security mechanisms implemented in the end nodes, in conjunction with the [RFC4864] local network protection methods, function without reliance on network layer hacks and transport filters that may change over time. Also, defined security barriers assume that threats originate in the exterior, which may lead to practices that result in applications being fully exposed to interior attack and which therefore make breaches much easier."
So now I'm kind of confused as for the different meanings of 'filtering' and 'firewall' that might be used... The RFC seems to use 'firewall' in the sense of 'customizable firewall', while ISPs still often don't provide other options on their IPv6 'firewall' than 'ON/OFF'...
I'm well aware it's not a security feature and I know there are ways to punch holes, but in practice, a lot of machines are still relying on it. The number of IoT devices alone that would be screwed if they were public is massive.
Yes, everyone should have a hardware firewall, but we both know most people just buy the cheapest thing, and by and large, real firewall features are mostly targeted toward higher end devices.
More seriously; for 99% of people their ISP router handles NAT and firewall duties. Adding DENY ALL inbound and ALLOW ALL outbound isn't a great stretch for them on ipv6.
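To make the distinction in the RFC 6092 quote above concrete (stateful filtering that behaves like an IPv4/NAT gateway but translates nothing) and the "DENY ALL inbound, ALLOW ALL outbound" default just mentioned, here is an added example, a constructed model and not any router's or ISP's firmware: a minimal stateful filter for a delegated /64 that lets outbound flows create state, admits only replies to that state, and offers an explicit pinhole for the "customizable firewall" case. All prefixes and hosts are documentation addresses I made up.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SimpleSecurityFilter:
    """Stateful IPv6 filter in the spirit of RFC 6092 'simple security':
    deny unsolicited inbound, allow all outbound, admit replies to known
    outbound flows.  No address translation happens anywhere, which is the
    point being made in the thread: the security property comes from the
    state table, not from NAT."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows = set()      # 5-tuples created by outbound packets
        self.pinholes = set()   # (proto, inside_addr, port) opened on purpose
        self.dropped = []       # human-readable record of refused packets

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def open_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        """The customizable-firewall case: deliberately expose one service."""
        self.pinholes.add((proto, inside_addr, port))

    def handle(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: allowed unconditionally; remember the 5-tuple so the
            # reverse direction can be recognised as a reply.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            # Inbound: only replies to known flows or explicit pinholes pass.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ALLOW"
            if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                return "ALLOW"
            self.dropped.append(
                f"{pkt.proto} {pkt.src}.{pkt.sport} -> {pkt.dst}.{pkt.dport}")
            return "DROP"
        # Traffic that never crosses the inside/outside boundary is not the
        # CPE filter's concern in this model (see the RFC's remark about
        # threats assumed to originate only in the exterior).
        return "ALLOW"


def run_demo() -> list:
    """Constructed packet sequence; returns the filter's decision per packet."""
    fw = SimpleSecurityFilter("2001:db8:1::/64")
    lan_host = "2001:db8:1::10"
    web = "2001:db8:ffff::1"
    outside = "2001:db8:ffff::2"
    packets = [
        Packet("tcp", lan_host, 50000, web, 443),      # outbound HTTPS request
        Packet("tcp", web, 443, lan_host, 50000),      # matching reply
        Packet("tcp", outside, 40000, lan_host, 22),   # unsolicited inbound
        Packet("tcp", outside, 40001, lan_host, 443),  # unsolicited, pinholed below
    ]
    decisions = [fw.handle(p) for p in packets[:3]]
    fw.open_pinhole("tcp", lan_host, 443)  # user chooses to run a service
    decisions.append(fw.handle(packets[3]))
    return decisions


if __name__ == "__main__":
    print(run_demo())  # ['ALLOW', 'ALLOW', 'DROP', 'ALLOW']
```

Note what the model does not do: it never rewrites a source address, so the LAN host keeps its global address end to end, and a device with nothing listening is no more exposed than it was behind an IPv4 NAT with the same default. What the RFC warns about survives too: once a pinhole is open, the inside host is reachable exactly as its own stack allows, so the end node's own security still matters.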
Sadly this means that the poorer countries give the same IP to multiple users. I’ve received a “you’re doing that too much” error after the first google search of the day on my phone in South East Asia. I don’t remember which country
If you believe the Android screen Settings > About > Status, my phone is assigned only an IPv6 address, no IPv4.
Despite this, it's able to connect to IPv4 web servers just fine.
All connections from the IPv6-only phone to IPv4-only web are automatically NAT'd to IPv4 by the cell service provider. I've tested this recently and it uses a different ephemeral source IPv4 after a few minutes when doing this. Tested with HTTP, HTTPS and ICMP ECHO. It is definitely NAT.
At the same time, my connections from the phone to IPv6-only web are not using NAT. The server sees the same source IPv6 as the phone reports as its own.
When I enable tethering on my phone, it creates a local IPv4 wireless LAN. Devices on that LAN such as my laptop access the web using IPv4, which is NAT'd twice: Once on the phone when crossing from the WLAN to the cell network, then by the cell service provider to get an ephemeral source IPv4. This is double NAT.
When the Linux VM on my laptop connects to an internet service and I'm using the Wifi hotspot on my phone, there's yet another NAT in the way, on the laptop itself. This is triple NAT.
All this NAT means it doesn't matter so much that we are out of IPv4 addresses for phones. They can connect to both IPv4-only and IPv6-only services while assigned only a public IPv6.
In fact phones don't need a public IPv6 either. They don't need any public address.
Those NAT'd IPv4 connections don't go over the IPv6 link. They are not being translated to IPv6 and back. Rather, they go over what is effectively a private IPv4 tunnel to the cell provider. Just as IPv4 connections can work like that, so could IPv6 so there's no real need for the phone to report that it has any public IPv6 or IPv4 address at all.
However, mine is currently reporting a public IPv6 and no IPv4, while able to make connections to both.
We are out of ipv4 addresses. That is why Amazon's stockpile is worth $2B, that's how we are reduced to trading the existing addresses at ever increasing prices instead of getting new fresh ones essentially for free
When I read the title, I first thought to myself that those 2 billion dollars will be pretty much worthless once everyone uses ipv6. But as soon as more ipv6 addresses are used (or CG-NAT), ipv4 addresses will become cheaper, so there seems to be a natural balance which will keep the state of "There are IPv4 addresses left" and "IPv4 addresses will run out sometime soon"
Well, at some point the governments will actually start doing their jobs and ban IPv4 compatible hardware for sale, just like they did for obsolete analog/digital TV tuners and incandescent light bulbs.
IPv4-compatible equipment is bad because it slows down the transition from IPv4 (aka ARPANET) to IPv6 (aka Internet). Since the free market seems to have trouble finding incentives to do it itself, the governments should force it, in the same way that they forced the transitions from obsolete TV tuners and incandescent light bulbs.
Most new devices on the internet are wireless phones and most wireless telcos do not give out an ipv4 address. They use carrier NAT to share some aspects of ipv4 connectivity but not the important things like being able to use ports.
To extend this analogy a bit... wouldn't 'street addresses' be DNS and lat/long coordinates be IP addresses?
Can you elaborate a bit? Where do you find frustration with IPv6? I've been using IPv6 for probably close to 10 years now, and I can't say it's been frustrating
As someone who thinks they are pretty savvy with "network stuff", I find the whole thing daunting. But my ISP also doesn't support IPv6 yet either, so I have no easy way (or need) to experiment with it yet.
Years ago I used to have an IPv6 tunnel provided by SixXS. That let me get my feet wet by moving to v6 capable hosting and being able to send traffic to my website over the SixXS tunnel.
At this point, though, you may be able to find an IPv6 capable ISP and just switch to them. Your phone might also have IPv6 too, especially if it's 4G/LTE.
Any amount of exposure is better than none. If you're using AWS, I can help you set up IPv6 in your VPC and use it with EC2 which can let you get some first hand experience. My email is in my profile if you want to take me up on that offer.
That's a good analogy. Nobody writes lat/lon. So, your analogy is perfect enough to largely disqualify stylistic arguments.
Lat/lon is a data set primarily used by applications. IP addresses are much the same way aside from private networks and experimentation. If you need to describe a private space in IPv6 you have link local addresses that begin with fe80.
Modern routing tables are primarily defined by dynamic protocols, such as OSPF. If you really need to express a static IP address directly, such as for remote access to a switch, the IP address will be provided to you. This is why Cisco now requires Python for the CCNP.
Isn’t that what DNS is for? I get that 8.8.8.8 or 1.1.1.1 is easier to remember than an IPv6 address. But once you use 82.54.132.87 addresses - is it really that different from either saving an IPv6 in your ssh config file, or resolving it with a domain name?
There's nothing that prevents email from working over IPv6. The sender and receiver just need to have IPv6 connectivity.
Every email provider that supports IPv6 will also support IPv4 (for the time being). To use Gmail as an example:
aspmx.l.google.com. 293 IN AAAA 2a00:1450:400c:c0b::1a
aspmx.l.google.com. 293 IN A 173.194.76.27
There is both an A and AAAA record. You can send emails over IPv6 or IPv4 to Gmail addresses.
Did you mean you can't exclusively use IPv6? Because that is also true for browsing the web - because so few websites support IPv6, a lot of links will just not work.
Indeed. It's probably why they've been so slow to support IPv6 across their various services. I still don't think you can have a pure IPv6 network yet on a VPC.
There seems to be a lot of double counting in that list. For example, 44.192.0.0/11 and 44.224.0.0/11 are listed twice. Then there are 28 entries of 44.x.x.x that would fall under the two /11's already listed.
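The double counting described above is easy to check mechanically. Added example, not part of the thread or of any cloud provider's tooling: a short audit over a constructed range list (the shape of a published JSON range list, but with my own sample entries, including the exact duplicates and the /16s nested under a /11 that the comment describes). It reports exact duplicates, entries shadowed by a shorter prefix already in the list, and the address count once overlaps are collapsed, which is the number that any "worth $X" estimate should be based on.

```python
import ipaddress

# Constructed sample; the real provider list is not reproduced here.
SAMPLE_RANGES = [
    "44.192.0.0/11",
    "44.224.0.0/11",
    "44.192.0.0/11",   # exact duplicate of the first entry
    "44.224.0.0/11",   # exact duplicate of the second entry
    "44.200.0.0/16",   # already covered by 44.192.0.0/11
    "44.230.0.0/16",   # already covered by 44.224.0.0/11
    "3.0.0.0/15",
    "52.94.76.0/22",
]


def _sort_key(net):
    # ipaddress refuses to order mixed v4/v6 objects; sort by version first.
    return (net.version, int(net.network_address), net.prefixlen)


def audit_ranges(ranges):
    """Return duplicates, shadowed entries, the collapsed list and the
    naive versus de-duplicated address totals for a list of CIDR strings."""
    # strict=True rejects entries whose host bits are set (a data error).
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]

    seen, duplicates = set(), []
    for n in nets:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    unique = sorted(seen, key=_sort_key)

    # An entry is shadowed when a shorter prefix in the same list contains it.
    shadowed = []
    for n in unique:
        for m in unique:
            if (m.version == n.version and m.prefixlen < n.prefixlen
                    and n.subnet_of(m)):
                shadowed.append((n, m))
                break

    # collapse_addresses merges duplicates, nested prefixes and adjacent
    # blocks (e.g. two sibling /11s become one /10); it needs one IP version
    # at a time, so group by version.
    collapsed = []
    for version in (4, 6):
        same = [n for n in unique if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    collapsed.sort(key=_sort_key)

    return {
        "duplicates": [str(d) for d in duplicates],
        "shadowed": [(str(a), str(b)) for a, b in shadowed],
        "collapsed": [str(c) for c in collapsed],
        "naive_total": sum(n.num_addresses for n in nets),
        "unique_total": sum(c.num_addresses for c in collapsed),
    }


if __name__ == "__main__":
    report = audit_ranges(SAMPLE_RANGES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the naive sum is roughly double the real figure, and the two sibling /11s merge into a single /10 in the collapsed output. Running the same function over a provider's published list is a one-line change (load the JSON, feed the prefix strings in); the script also generalises to IPv6 entries since the grouping is by version.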
What are the reasons for slow IPv6 adoption a whole two decades after notification by IETF? I am assuming the demand for IPv4 address blocks is mainly driven by backwards compatibility requirements.
Lazy ISPs. Servers won't go IPv6-only until most users have IPv6. Thus it's on providers to take the initiative to deploy IPv6. Some have. Some have not.
For example, approximately nobody has IPv6 in Spain. It's one of the countries furthest behind in dual-stack adoption. This is entirely the fault of Spanish ISPs.
ISPs won't be forced to deploy dual stack IPv6 until IPv6 only servers are commonplace, and IPv6 only servers won't exist until that wouldn't lose them a significant fraction of users. And thus progress is glacial.
This. I have Comcast Xfinity in the USA (local monopoly, I would use a different ISP if I could) and they just don't offer IPv6. The rep on the phone seemed surprised that I would even ask.
Surely you mean static IPv6, because of the 3 different cities I've been forced to use Xfinity (even on their lowest plan Internet), I have been given IPv6 leases and I for sure didn't call anyone
Or, another certainly plausible explanation is that your router either doesn't support IPv6 or it is disabled
There was a long period of chicken and egg problems: no IPv6 users, so no IPv6 services, so no IPv6 users; that's over now, there are enough users and services (even if they're mostly CDN frontends) to justify turning on IPv6 as a service or a user, although maybe not enough to require IPv6 as either.
The other reasons are all about the difficulty of the change. IPv6 is not an incremental update to IPv4. There's a ton of changes that are just totally different. ARP is replaced by ICMPv6, DHCP is mostly replaced by SLAAC, but DHCPv6 was added later, header processing is different. All that means it's a good bit of work to get IPv6 to run as well as IPv4, and chicken and egg issues made it hard to justify doing the work, and hard to verify the performance.
Finally, work towards making transition easier was only started much later than the protocol design. Making it easy to use, and easy to switch to should have happened during design. Things like continuing to use ARP for IPv6 would have been simple (arp is extensible), and reduced implementation work, and gotten things moving quicker. OTOH, you would be stuck with ARP forever, instead of ICMPv6, but it doesn't seem like a big difference to me.
I suspect tracking and analytics are also part of the problem. Imagine every single IPv4 IP ban now being rendered entirely and utterly useless. DRM/Geolocation blocks are also common and IPs are used quite widely in many software systems, most are likely to only accept a v4 address/format (perhaps terrible regex too).
Detectives and other governments rely on IPv4 addresses as part of 'evidence', and storing V6 uses more storage and is much more complicated generally due to the much longer address space.
We won't see the internet migrate to IPv6 entirely for another 20/30 years from now.
For web serving it's possible to have an IPv6-only server accessible to anyone. Just use Cloudflare. I'm not sure it's documented but I started using an IPv6-only origin server behind Cloudflare and it seems to work OK for people connecting over both IPv4 and IPv6. The client IP is in CF-Connecting-IP, even for IPv4 connections. For me it just works.
B) it doesn't really matter, the value is still $2B. It's not the total dump sale value we care for but the actual value of these addresses in the hands of Amazon.
Edit: apply this same exact comment also to any discussion about Bezos' net worth
I would expect it would cost more from AWS. They're not just holding them unused like a lot of organizations, they're necessary for them to continue making their $35b+ per year from AWS.
If you go into a market and try to buy lots of something, it drives the price up because you're increasing demand and removing supply.
If you go into a market and try to sell lots of something, it drives the price down because you're increasing supply and removing demand.
AWS don't obviously have an incentive to sell IP addresses for substantially below market value, so I don't see why buying them from AWS versus someone else would make much difference.
I think the point you were trying to make is that just because the IPv4 addresses are valued at $2B doesn't mean you'd be able to get $2B for them if you tried to sell them. This is correct, but it does not imply that they are worth less than $2B.
The point I was trying to make is that just because the IPv4 addresses are valued at $2B doesn't mean you'd be able to buy them for $2B.
It's not routed on the public internet (nor is it listed by AWS as "theirs" anymore, it was on the list for just a little over 24 hours).
I got the impression it was meant for some internal to AWS use and was pushed to their list of IP addresses erroneously, but I barely speak to AWS, much less speak for them.
Hrmm, it's not that much of an error since that is dominated by the /14 and /15, but there are a few /16s that Google uses for itself that aren't in that list. See the DNS TXT records for _netblocks{,2,3}.google.com
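The netblock TXT records the comment points at are SPF strings (`v=spf1 ip4:... ip6:... include:... ~all`), so collecting the ranges means walking the `include:` chain. As an added example (not the commenter's code), the parser below does that and then reports which ranges are absent from a second published list, the comparison the comment is making. The record contents and the "published list" are constructed placeholders; in real use the TXT records come from a DNS query.

```python
import ipaddress

# CONSTRUCTED TXT records standing in for _netblocks{,2,3}.google.com.
TXT_RECORDS = {
    "_netblocks.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.64/26 "
                          "include:_netblocks2.example ~all",
    "_netblocks2.example": "v=spf1 ip6:2001:db8:4000::/36 include:_netblocks3.example ~all",
    "_netblocks3.example": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.example ~all",
}

# CONSTRUCTED stand-in for a separately published list of the same operator's ranges.
PUBLISHED_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/22", "2001:db8:4000::/36")]


def netblocks(name, lookup, _seen=None):
    """Collect ip4:/ip6: networks from an SPF-style TXT record, following
    include: mechanisms. _seen stops include loops (present in the sample data)."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    nets = set()
    for term in lookup(name).split():
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= netblocks(term[len("include:"):], lookup, _seen)
    return nets


def in_netblocks(addr, nets):
    """True if addr falls inside any collected network (e.g. for allowlisting)."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def missing_from(nets, published):
    """Networks from the TXT chain that no published prefix covers, sorted for display."""
    missing = [n for n in nets if not any(n.version == p.version and n.subnet_of(p) for p in published)]
    return sorted(str(n) for n in missing)


if __name__ == "__main__":
    found = netblocks("_netblocks.example", TXT_RECORDS.__getitem__)
    print(sorted(str(n) for n in found))
    print("not in published list:", missing_from(found, PUBLISHED_LIST))
```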
Ever since the big RIRs (like RIPE) ran out of IPv4 addresses to allocate - which was a couple of years ago (ARIN ran out in 2015, and RIPE ran out at the end of last year - and that was already with quite restrictive allocation policies).
Even before the end of last year it was limited to exactly one last /22 per LIR for a few years already.
The pool that was set aside for that last allocation was depleted at the end of last year.
Now they are limited to handing out /24s that are returned to them to hand out to new ISPs (since going IPv6-only is still not quite possible...).
I don't see why. Major consumer-grade French ISPs give IPv6 by default on FTTH installations and the router is configured accordingly (Orange, Free, SFR, Bouygues Telecom).
Generally, you get a /64. Of course, when using IPv6 there is no NATting; each of your devices has its own IPv6 address from the /64 range allocated to you.
Yep, I'm happy my ISP actually does proper prefix delegation and hands me a /56. I still often wonder if a /96 for a host and /64 for a network would have been a more reasonable allocation strategy though.
The addressing is exactly why IPv6 isn’t something most ISPs want you to have in your house.
Right now blocking a bunch of home servers is easy - just don’t give people addresses. With IPv6 you’ll need to thread that needle some other way or give people access to something that will actually test your advertised bandwidth commitments.
Edit: instead of downvoting how about having a conversation? That’s the great thing about this place, lots of diverse perspectives.
Home servers are already blocked by contract policy and firewalls. What difference does the IP make? You can filter on prefixes too so shutting off your entire IP block is easy.
Sure, they have other tools, but I think most users will be less understanding. NAT seems like a reasonable technological limitation, and filtering for the sake of filtering won’t feel that way.
Besides, why shouldn’t users be allowed to connect to machines on each other’s network without a central gatekeeper in the way?
Why would users care? None of the blocking is due to technical issues, it's contractual. IPv6 wouldn't change anything except make it easier for both the ISP and for users who stay within the contract terms.