Why are IPv4 addresses running out?

I understand that we are running out (or ran out already?) of IPv4 addresses, but I don't really understand why that is. Right now, every home has its own IP address (dynamically assigned, but still, each has an address). Why can't a city (for example) have just one IP address and all homes in this city would just be on a private network of that city? Then this one city would be able to assign addresses from range 0.0.0.1 to 255.255.255.254.



I'm sure that my understanding is wrong somehow; otherwise IP addresses would not run out. What's wrong with my understanding?










      asked 5 hours ago by Loreno




          3 Answers
          score 8, accepted
          The IPv4 Address Shortage



          According to Vint Cerf (the father of IP), the IPv4 32-bit address size was chosen arbitrarily. IP was a government/academic collaborative experiment, and the current public Internet was never envisioned. The IP paradigm was that each connected device would have a unique IP address (all packets sent between IP devices would be end-to-end connected from the source IP address to the destination IP address), and many protocols using IP depend on each device having a unique IP address.



          Assuming we could use every possible IPv4 address*, there are only 4,294,967,296 possible IPv4 addresses, but (as of September 2018) the current world population is 7,648,290,361. As you can see, there are not enough possible IPv4 addresses for every person to have even one, but many people have a computer, printer, cell phone, tablet, gaming console, smart TV, etc., each requiring an IP address, and that doesn’t even touch on the business needs for IP addresses. We are also on the cusp of the IoT (Internet of Things), where every device needs an IP address: light bulbs, thermostats, thermometers, rain gauges and sprinkler systems, alarm sensors, appliances, vehicles, garage door openers, entertainment systems, pet collars, and who knows what all else. All this adds up to the fact that IPv4 simply cannot handle the addressing needs of the modern world.




          *There are blocks of IPv4 addresses that cannot be used for host addressing. For example, multicast has a block of 268,435,456 addresses that cannot be used for host addressing. IANA maintains the IANA IPv4 Special-Purpose Address Registry at https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml to document all the special address blocks and their purposes.




          IANA (Internet Assigned Numbers Authority) ran out of IPv4 address blocks to assign to the RIRs (Regional Internet Registries) to be assigned in their respective regions, and the RIRs have now also run out of IPv4 addresses to assign in each region. ISPs (Internet Service Providers) and companies that want or need IPv4 addresses can no longer get IPv4 addresses from their RIRs and now must try to buy IPv4 addresses from businesses that may have extra (as the IPv4 address shortage deepens, the price of IPv4 addresses goes up).



          Even if all the IPv4 addresses that are reserved for special purposes and cannot be used for host addressing were made available for use, we would still be in the same position because there are simply not enough IPv4 addresses due to the limited size of IPv4 addresses.



          Mitigating the IPv4 Address Shortage



          IANA and the RIRs would have run out of IPv4 addresses many years before they did if IANA and the IETF (Internet Engineering Task Force) had not adopted mitigations for the IPv4 address shortage. One important mitigation was the deprecation of IPv4 network classes in favor of CIDR (Classless Inter-Domain Routing). Classful addressing only allows for three assigned network sizes (16,777,216, 65,536, or 256 total host addresses per network), meaning that many addresses are wasted (a business needing only 300 host addresses would need to be allocated a classful network that has 65,536 possible host addresses, wasting over 99% of the addresses in the classful network), but CIDR allows for network sizes to fit more closely with network address requirements (a business needing only 300 host addresses could be allocated a CIDR /23 network that has only 510 usable host addresses), wasting far fewer addresses and still providing some room for growth.



          By far, the mitigation that has had the biggest impact on extending the life of IPv4 is the use of Private Addressing and a variant of NAT (Network Address Translation) called NAPT (Network Address Port Translation), which is what most people mean when they refer to NAT or PAT (PAT is a vendor-specific term for NAPT). Unfortunately, NAPT is an ugly workaround that breaks the IP end-to-end paradigm, and that breaks protocols that depend on unique IP addressing, requiring even more ugly workarounds.



          NAT/NAPT



          The concept of NAT is pretty simple: it replaces either or both the source and destination IPv4 addresses in a packet header as the packet passes through the NAT device. In practice, it requires computation because the IPv4 header has a computed field to check the integrity of the IPv4 header, and any change made to the IPv4 header requires recalculation of the field, and some transport protocols in the packet payload also have their own computed fields that must be recalculated, using computing resources in the NAT device that could be used for packet forwarding.



          In Basic NAT, the NAT device has a pool of IPv4 addresses that it uses to replace the source IPv4 addresses of the packet headers for IPv4 packets sent from an inside network to an outside network, and it maintains a translation table in order to translate the destination IPv4 addresses of traffic returning from the outside network in order to deliver the packets back to the correct hosts on the inside network. This also requires resources on the NAT device to build and maintain the translation table, and to perform table lookups. This resource utilization can slow the forwarding of packets because the resources used by NAT are taken from the resources that could be used for packet forwarding.



          NAPT takes Basic NAT further by also translating the transport protocol addresses (ports) for TCP and UDP, and the Query IDs for ICMP. By also translating the transport-layer addresses, NAPT allows the use of a single outside IPv4 address for many inside host IPv4 addresses. NAPT is even more resource intensive than Basic NAT because it requires a separate table for each transport-layer protocol, and it must also perform the integrity calculations for the transport protocols.



          The use of Private IPv4 addressing, that can be reused on multiple networks (you may have noticed that most home/residential networks default to use the same 192.168.1.0/24 network, which is in one of the IANA allocated Private IPv4 address ranges), along with NAPT, allows business and home users to each use a single outside (public) address for a large inside (privately addressed) network. This saves many, many IPv4 addresses (several times the total number of possible IPv4 addresses) and has extended the life of IPv4 far beyond the point at which it would have collapsed without NAPT.
          NAPT does have some serious drawbacks:



          • NAPT breaks the IP end-to-end paradigm, and it only works with TCP, UDP, and ICMP, breaking other transport protocols. There are also application-layer protocols that use TCP or UDP that are broken by NAPT, even though TCP and UDP nominally work with NAPT. Other mitigations, e.g. STUN/TURN, may be available for some application-layer protocols, but they can add cost and complexity.

          • NAPT is very resource intensive, slowing packet forwarding compared to what is possible without using any form of NAT. Some vendors add dedicated hardware to mitigate the need to steal resources from packet forwarding, but this comes at added expense, size, complexity, and power usage.

          • When using NAPT, traffic initiated from outside the NAPT network cannot be delivered to the inside network because there is no translation entry in the translation table, which is added by inside-initiated traffic. The single outside (public) address is configured on the NAT device, and any packets with that destination IPv4 address and no entry for the source IPv4 address in the translation table for the transport protocol are assumed to be for the NAPT device, itself, not the inside network. There is a mitigation, called Port Forwarding, for this problem.

          • Port Forwarding basically configures, manually, a permanent entry in a translation table to allow outside-initiated traffic that is destined to a particular transport protocol and address for the protocol to be delivered to a particular inside host. This does have the drawback of only allowing one inside host to be the target for a particular transport protocol and address. For example, if there are multiple web servers on the inside network, only one of the web servers can be exposed on TCP port 80 (the default for web servers).

          • Because the IPv4 address shortage is so severe, the ISPs (Internet Service Providers) are running out of public addresses to assign to their customers. The ISPs can no longer get any more public addresses, so they have adopted some mitigations that especially hurt home/residential users. The ISPs want to reserve their precious public address pool for their business customers that are willing to pay for the privilege of getting public addresses. To do that, the ISPs are now starting to assign Private or Shared addresses to their home/residential customers, and the ISPs use NAPT on their own routers to facilitate the use of multiple Private or Shared addresses on a single public address. That creates a situation where a home/residential network is behind two NAPT translations (ISP NAPT to customer NAPT), and port forwarding configured by the customer on the home/residential router no longer works because it is broken by the ISP NAPT, which is not configured to forward the port to the customer router.

          • Many people make the mistake of equating NAPT and security because the inside hosts cannot be directly addressed from outside. This is a false sense of security. Because a firewall connecting a network to the public Internet is a convenient place to run NAPT, that simply confuses the situation. It creates a dangerous perception that NAPT, itself, is the firewall, and a real firewall is unnecessary. Network security comes from firewalls, which block all outside-initiated traffic by default, only allowing traffic it is explicitly configured to permit, possibly doing a deep inspection on the packet contents to drop dangerous packet payloads. What some people fail to realize is that, without a firewall, either in hardware or software, on the outside of or built into the NAPT device, to protect the NAPT device, the NAPT device itself is vulnerable. If the NAPT device is compromised, it, and by extension an attacker, has full access to the privately addressed inside network. Outside-initiated packets that do not match a translation table are destined to the NAPT device, itself, because it is the device that is actually addressed with the external address, so the NAPT device can be directly attacked.

          The Solution to the IPv4 Address Shortage



          The IETF predicted the IPv4 address shortage, and it created the solution: IPv6, which uses 128-bit addresses, meaning there are 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IPv6 addresses. The almost unimaginable number of IPv6 addresses removes the need for NAPT (IPv6 doesn’t have any NAT standards, the way IPv4 does, and the experimental IPv6 NAT RFC specifically forbids NAPT), restoring the original IP end-to-end paradigm. The mitigations for the IPv4 address shortage are meant to extend the life of IPv4 until IPv6 is ubiquitous, at which point IPv4 should fade away.



          Humans cannot really comprehend numbers of the size used for IPv6. For example, a standard IPv6 network uses 64 bits for each of the network and host portions of the network address. That is 18,446,744,073,709,551,616 possible IPv6 standard /64 networks, and that same (huge) number of host addresses for each of those networks. To try to understand a number that large, consider tools that scan all the possible addresses on a network. If such a tool could scan 1,000,000 addresses per second (unlikely), it would take over 584,542 years to perform the scan on a single /64 IPv6 network. Currently, only 1/8 of the total IPv6 address space is allocated for global IPv6 addresses, which works out to 2,305,843,009,213,693,952 standard IPv6 /64 networks, and if the world population is 21 billion in the year 2100 (a somewhat realistic number), every one of those 21 billion people could have 109,802,048 standard IPv6 /64 networks, each network having 18,446,744,073,709,551,616 possible host addresses. Unfortunately, the (decades of) IPv4 address shortage has so ingrained address conservation in people, that many people simply cannot let it go, and they try to apply it to IPv6, which is pointless and actually detrimental. IPv6 is actually designed to waste addresses.



          The IETF also had the advantage of hindsight, and it improved IP (in IPv6) by removing features of IPv4 that didn’t work well, improving some IPv4 features, and adding features that IPv4 didn’t have, creating a new and improved IP. Because IPv6 is a completely separate protocol from IPv4, it can be run in parallel with IPv4 as the transition is made from IPv4 to IPv6. Hosts and network devices can run both IPv4 and IPv6 on the same interface at the same time (dual-stacked), and each is invisible to the other; there is no interference between the two protocols.



          The problem with IPv6 is that it is actually a completely different protocol that is incompatible with the ubiquitous IPv4, and the mitigations for the IPv4 address shortage are seen by many people to be “good enough.” The result is that it has been over 20 years since IPv6 was standardized, and we are just now getting some real traction in using IPv6 (Google reports, as of September 2018, worldwide IPv6 adoption of over 20%, and the IPv6 adoption rate in the U.S. is over 35%). The reason we are finally moving to IPv6 is that there are simply no more unused IPv4 addresses to be assigned.



          There are other obstacles, all part of the IPv4 culture, that are simply hard for people to look past. Many people are also scared of IPv6, having grown up and being comfortable with IPv4, warts and all. For example, the IPv6 addresses appear to be large and ugly compared to IPv4 addresses, and that seems to put many people off. The reality is that IPv6 is often easier and more flexible than IPv4, especially for addressing, and the lessons learned in IPv4 have been applied to IPv6 from the beginning.






          • This is a great summary of the situation. I'd only add that attitudes vary extremely widely on the costs and benefits both of changing from IPv4 to IPv6 and various exhaustion mitigation approaches.
            – jonathanjo
            4 hours ago










          • This summary is so great, that in my opinion it's one of the best texts on this topic on the Internet! Explained in an easy to understand language with a real intention to actually help someone understand it. Thank you so much Ron, clearly you have good understanding of this all. From your answer it seems that my idea of using one IP for many homes is actually being used. But clearly it has problems, with NAT, as you explained. If many homes have one IP, they cannot host separate websites for example. I guess this approach would be good only for people who only browse Internet without hosting
            – Loreno
            3 hours ago










          • This is basically one of the documents that I created for scouts interested in learning about network engineering. Scouting has embraced STEM (Science, Technology, Engineering, and Math), and I am going to hold a lecture for scouts in my area.
            – Ron Maupin♦
            3 hours ago

















          score 1













          Ron Maupin's answer gives a brilliant overview of the IPv4 shortage, but I'd like to address this part of your question:




          Why can't a city (for example) have just one IP address and all homes in this city would just be on a private network of that city. Then this one city would be able to assign addresses from range 0.0.0.1 to 255.255.255.254.




          On the face of it, this is exactly how "NAT" (or, more specifically, "IP address masquerading") works: a private network is set up which looks to the outside internet like a single host, and routes traffic internally to many different users. But there are some important limits you've overlooked in your example:



          • Users on the inside still need to be able to address the outside internet; if you assign the address 151.101.1.69 to an internal user on your network, you won't be able to access networkengineering.stackexchange.com, because that's the address where it's hosted. So in practice, you can only use internal addresses which are reserved for this use.

          • Less obviously, hosts on the outside need some way to pass traffic to the users on the inside, even if they're just browsing the web. This is because IP connections aren't like tunnels: sending a packet to a web server doesn't reserve a cable for the conversation, it just asks the server to send some packets back your way. If the web server is just sending its responses to one public address, something needs to keep track of which internal computer actually requested it. If more than one person on the internal network accesses the same web server, the only way to keep track is to assign each connection a unique dynamic port number for the replies to go to.

          There are around 18 million private-use IPv4 addresses, but only 65536 port numbers. You don't actually need a unique port for every connection, because you can have a lookup table which includes the remote address as well, but there's still a limit to how far you can scale without problems.



          That said, NAT is indeed one of the biggest reasons why the IPv4 network hasn't completely collapsed due to address shortages. Assigning an IP address to each household or office, and issuing them with a device to perform NAT, allows many more devices to be connected than the original design of IPv4 would allow. To scale further, carrier-grade NAT is used, where an ISP has fewer public addresses than connected households, possibly using two layers of NAT to manage the routing of packets to their eventual destination.



          In the end, squeezing every possible route out of the few remaining addresses is just life support for IPv4, and at some point, every address will either be reserved for internal use, the public face of some NAT'd network, or the public address of a server accepting unsolicited connections.






          IMSoP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
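The NAPT behaviour described in Ron Maupin's drawback list (entries created only by inside-initiated traffic, unmatched inbound packets terminating on the NAPT device itself, one inside host per forwarded port, and an ISP NAPT in front of the customer router silently breaking that port forward) together with IMSoP's point that a translation table keyed on the remote address lets one external port serve several connections, as an added Python simulation that is not part of either answer. The class, scenario names and addresses are constructed for this example, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and the 100.64.0.0/10 Shared Address Space.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
PUBLIC = "203.0.113.5"              # constructed public address (documentation range)
WEB = ("198.51.100.7", 443)         # constructed outside web server


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"; ICMP query IDs would need a third table
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """One outside address, one translation table per transport protocol.

    Inbound entries are keyed on (external port, remote endpoint), so one
    external port can serve several remote endpoints: the 'lookup table which
    includes the remote address' that stretches the 65536 port numbers.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.ports = range(first_port, last_port + 1)
        self.out_map: Dict[str, Dict[Tuple[Endpoint, Endpoint], int]] = {"tcp": {}, "udp": {}}
        self.in_map: Dict[str, Dict[Tuple[int, Endpoint], Endpoint]] = {"tcp": {}, "udp": {}}
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}  # static port-forwarding entries
        self.to_self = 0  # inbound packets with no mapping: they terminate on the NAPT device

    def forward_port(self, proto: str, ext_port: int, inside: Endpoint) -> None:
        """Port forwarding: a permanent entry; only one inside host per protocol/port."""
        if (proto, ext_port) in self.forwards:
            raise ValueError(f"{proto}/{ext_port} already forwarded to {self.forwards[(proto, ext_port)]}")
        self.forwards[(proto, ext_port)] = inside

    def _allocate_port(self, proto: str, remote: Endpoint) -> int:
        table = self.in_map[proto]
        for port in self.ports:
            if (port, remote) not in table and (proto, port) not in self.forwards:
                return port
        raise RuntimeError(f"external port pool exhausted for {proto}")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source; the mapping is created on first use."""
        inside, remote = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        table = self.out_map[pkt.proto]
        if (inside, remote) not in table:
            port = self._allocate_port(pkt.proto, remote)
            table[(inside, remote)] = port
            self.in_map[pkt.proto][(port, remote)] = inside
        return Packet(pkt.proto, self.public_ip, table[(inside, remote)], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or None if the packet is for the device."""
        remote = (pkt.src_ip, pkt.src_port)
        inside = (self.in_map[pkt.proto].get((pkt.dst_port, remote))
                  or self.forwards.get((pkt.proto, pkt.dst_port)))
        if inside is None:
            self.to_self += 1  # a firewall in front of (or on) the device has to handle these
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def scenario_single_napt() -> dict:
    """Home router: inside-initiated entries, port reuse, unsolicited traffic, port forwarding."""
    nat = Napt(PUBLIC)
    a = nat.outbound(Packet("tcp", "192.168.1.10", 40000, *WEB))
    b = nat.outbound(Packet("tcp", "192.168.1.11", 40000, *WEB))  # same inside port, other host
    c = nat.outbound(Packet("tcp", "192.168.1.12", 40000, "198.51.100.8", 443))  # other remote
    reply_to_b = nat.inbound(Packet("tcp", *WEB, PUBLIC, b.src_port))
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.9", 5555, PUBLIC, 22))  # no entry
    nat.forward_port("tcp", 80, ("192.168.1.20", 80))
    forwarded = nat.inbound(Packet("tcp", "198.51.100.9", 5556, PUBLIC, 80))
    try:
        nat.forward_port("tcp", 80, ("192.168.1.21", 80))  # a second web server on port 80
        second_forward_ok = True
    except ValueError:
        second_forward_ok = False
    return {"ext_ports": (a.src_port, b.src_port, c.src_port), "reply_to_b": reply_to_b,
            "unsolicited": unsolicited, "to_self": nat.to_self,
            "forwarded": forwarded, "second_forward_ok": second_forward_ok}


def scenario_double_napt() -> tuple:
    """ISP NAPT in front of the customer NAPT: outbound works, the customer port forward does not."""
    isp = Napt(PUBLIC)             # carrier NAPT owns the public address
    home = Napt("100.64.0.7")      # customer router gets a Shared Address Space address instead
    home.forward_port("tcp", 80, ("192.168.1.20", 80))
    out = isp.outbound(home.outbound(Packet("tcp", "192.168.1.10", 40000, *WEB)))
    back = home.inbound(isp.inbound(Packet("tcp", *WEB, PUBLIC, out.src_port)))
    blocked = isp.inbound(Packet("tcp", "198.51.100.9", 5555, PUBLIC, 80))  # dies at the ISP
    return out.src_ip, back, blocked, isp.to_self


if __name__ == "__main__":
    print(scenario_single_napt())
    print(scenario_double_napt())
```

The two inside hosts that both use source port 40000 get distinct external ports, while the third host, talking to a different remote, reuses external port 1024; the unsolicited packet and the outside-initiated packet at the ISP NAPT both come back as None and are counted in to_self.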
            score -1













            It's also worth noting that a lot of the IPv4 IPs are owned by either cloud hosting companies or proxy resellers, and have been highly tainted. Anyone who rents proxies has surely experienced the issues running off a tainted IP address.



            While IPv4 addresses will run out, there are still more than enough to go around, and you can still buy blocks of them (by the 1000s), for a few dollars each.






            • ROTFL. Few Dollars would be about 14-15 + a fee for the address broker. A /24 (and you need that so you can route it on the internet) is about $5.000.
              – Jens Link
              32 mins ago










            • I said they are sold in quantities of "1000s" for a few dollars each. But the last time I looked at the cost was a few years ago. I rent proxies personally, which go for about $1-5 per month depending on qty and quality. Virgin proxies with unused IPs go for about $15 for 1 per month, but qty can get you deep discounts. Here's the current pricing for blocks: arin.net/fees/fee_schedule.html
              – McFlySoHigh
              26 mins ago










            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "496"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            Loreno is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53935%2fwhy-are-ipv4-addresses-running-out%23new-answer', 'question_page');

            );

            Post as a guest






























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            8
            down vote



            accepted










            The IPv4 Address Shortage



            According to Vint Cerf (the father of IP), the IPv4 32-bit address size of was chosen arbitrarily. IP was a government/academic collaborative experiment, and the current public Internet was never envisioned. The IP paradigm was that each connected device would have a unique IP address (all packets sent between IP devices would be end-to-end connected from the source IP address to the destination IP address), and many protocols using IP depend on each device having a unique IP address.



            Assuming we could use every possible IPv4 address*, there are only 4,294,967,296 possible IPv4 addresses, but (as of September 2018) the current world population is 7,648,290,361. As you can see, there are not enough possible IPv4 addresses for every person to have even one, but many people have a computer, printer, cell phone, tablet, gaming console, smart TV, etc., each requiring an IP address, and that doesn’t even touch on the business needs for IP addresses. We are also on the cusp of the IoT (Internet of Things), where every device needs an IP address: light bulbs, thermostats, thermometers, rain gauges and sprinkler systems, alarm sensors, appliances, vehicles, garage door openers, entertainment systems, pet collars, and who knows what all else. All this adds up to the fact that IPv4 simply cannot handle the addressing needs of the modern world.




            *There are blocks of IPv4 addresses that cannot be used for host addressing. For example, multicast has a block of 268,435,456 addresses that cannot be used for host addressing. IANA maintains the IANA IPv4 Special-Purpose Address Registry at https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml to document all the special address blocks and their purposes.




            IANA (Internet Assigned Numbers Authority) ran out of IPv4 address blocks to assign to the RIRs (Regional Internet Registries) to be assigned in their respective regions, and the RIRs have now also run out of IPv4 addresses to assign in each region. ISPs (Internet Service Providers) and companies that want or need IPv4 addresses can no longer get IPv4 addresses from their RIRs and now must try to buy IPv4 addresses from businesses that may have extra (as the IPv4 address shortage deepens, the price of IPv4 addresses goes up).



            Even if all the IPv4 addresses that are reserved for special purposes and cannot be used for host addressing were made available for use, we would still be in the same position because there are simply not enough IPv4 addresses due to the limited size of IPv4 addresses.



            Mitigating the IPv4 Address Shortage



            IANA and the RIRs would have run out of IPv4 addresses many years before they did if IANA and the IETF (Internet Engineering Task Force) had not adopted mitigations for the IPv4 address shortage. One important mitigation was the deprecation of IPv4 network classes in favor of CIDR (Classless Inter-Domain Routing). Classful addressing only allows for three assigned network sizes (16,777,216, 65,536, or 256 total host addresses per network), meaning that many addresses are wasted (a business needing only 300 host addresses would need to be allocated a classful network that has 65,536 possible host addresses, wasting over 99% of the addresses in the classful the network), but CIDR allows for network sizes to fit more closely with network address requirements (a business needing only 300 host addresses could be allocated a CIDR /23 network that has only 510 usable host addresses), wasting far fewer addresses and still providing some room for growth.



            By far, the mitigation that has had the biggest impact on extending the life of IPv4 is the use of Private Addressing and a variant of NAT (Network Address Translation) called NAPT (Network Address Port Translation), which is what most people mean when they refer to NAT or PAT (PAT is a vendor-specific term for NAPT). Unfortunately, NAPT is an ugly workaround that breaks the IP end-to-end paradigm, and that breaks protocols that depend on unique IP addressing, requiring even more ugly workarounds.



            NAT/NAPT



            The concept of NAT is pretty simple: it replaces either or both the source and destination IPv4 addresses in a packet header as the packet passes through the NAT device. In practice, it requires computation because the IPv4 header has a computed field to check the integrity of the IPv4 header, and any change made to the IPv4 header requires recalculation of the field, and some transport protocols in the packet payload also have their own computed fields that must be recalculated, using computing resources in the NAT device that could be used for packet forwarding.



            In Basic NAT, the NAT device has a pool of IPv4 addresses that it uses to replace the source IPv4 addresses of the packet headers for IPv4 packets sent from an inside network to an outside network, and it maintains a translation table in order to translate the destination IPv4 addresses of traffic returning from the outside network in order to deliver the packets back to the correct hosts on the inside network. This also requires resources on the NAT device to build and maintain the translation table, and to perform table lookups. This resource utilization can slow the forwarding of packets because the resources used by NAT are taken from the resources that could be used for packet forwarding.



            NAPT takes Basic NAT further by also translating the transport protocol addresses (ports) for TCP and UDP, and the Query IDs for ICMP. By also translating the transport-layer addresses, NAPT allows the use of a single outside IPv4 address for many inside host IPv4 addresses. NAPT is even more resource intensive than Basic NAT because it requires a separate table for each transport-layer protocol, and it must also perform the integrity calculations for the transport protocols.



            The use of Private IPv4 addressing, which can be reused on multiple networks (you may have noticed that most home/residential networks default to the same 192.168.1.0/24 network, which is in one of the IANA-allocated Private IPv4 address ranges), along with NAPT, allows business and home users to each use a single outside (public) address for a large inside (privately addressed) network. This saves many, many IPv4 addresses (several times the total number of possible IPv4 addresses) and has extended the life of IPv4 far beyond the point at which it would have collapsed without NAPT.

            NAPT does have some serious drawbacks:



            • NAPT breaks the IP end-to-end paradigm, and it only works with TCP,
              UDP, and ICMP, breaking other transport protocols. There are also
              application-layer protocols that use TCP or UDP that are broken by
              NAPT, even though TCP and UDP nominally work with NAPT. Other
              mitigations, e.g. STUN/TURN, may be available for some
              application-layer protocols, but they can add cost and complexity.

            • NAPT is very resource intensive, slowing packet forwarding compared
              to what is possible without using any form of NAT. Some vendors add
              dedicated hardware to mitigate the need to steal resources from
              packet forwarding, but this comes at added expense, size, complexity,
              and power usage.

            • When using NAPT, traffic initiated from outside the NAPT network
              cannot be delivered to the inside network because there is no
              entry for it in the translation table; entries are only added by
              inside-initiated traffic. The single outside (public) address is
              configured on the NAT device, and any packet with that destination
              IPv4 address and no entry for its source IPv4 address in the
              translation table for the transport protocol is assumed to be for
              the NAPT device itself, not the inside network. There is a
              mitigation, called Port Forwarding, for this problem.

            • Port Forwarding basically configures, manually, a permanent entry in
              a translation table to allow outside-initiated traffic that is
              destined to a particular transport protocol and address for the
              protocol to be delivered to a particular inside host. This does have
              the drawback of only allowing one inside host to be the target for a
              particular transport protocol and address. For example, if there are
              multiple web servers on the inside network, only one of the web
              servers can be exposed on TCP port 80 (the default for web servers).

            • Because the IPv4 address shortage is so severe, the ISPs (Internet
              Service Providers) are running out of public addresses to assign to
              their customers. The ISPs can no longer get any more public
              addresses, so they have adopted some mitigations that especially hurt
              home/residential users. The ISPs want to reserve their precious
              public address pool for their business customers that are willing to
              pay for the privilege of getting public addresses. To do that, the
              ISPs are now starting to assign Private or Shared addresses to their
              home/residential customers, and the ISPs use NAPT on their own
              routers to facilitate the use of multiple Private or Shared addresses
              on a single public address. That creates a situation where a
              home/residential network is behind two NAPT translations (ISP NAPT
              to customer NAPT), and port forwarding configured by the customer on
              the home/residential router no longer works because it is broken by
              the ISP NAPT, which is not configured to forward the port to the
              customer router.

            • Many people make the mistake of equating NAPT and security because the
              inside hosts cannot be directly addressed from outside. This is a
              false sense of security. Because a firewall connecting a network to
              the public Internet is a convenient place to run NAPT, that simply
              confuses the situation. It creates a dangerous perception that
              NAPT, itself, is the firewall, and a real firewall is unnecessary.
              Network security comes from firewalls, which block all
              outside-initiated traffic by default, only allowing traffic they are
              explicitly configured to permit, possibly doing a deep inspection on
              the packet contents to drop dangerous packet payloads. What some
              people fail to realize is that, without a firewall, either in
              hardware or software, on the outside of or built into the NAPT device,
              to protect the NAPT device, the NAPT device itself is vulnerable. If
              the NAPT device is compromised, it, and by extension an attacker, has
              full access to the privately addressed inside network.
              Outside-initiated packets that do not match a translation table entry
              are destined to the NAPT device, itself, because it is the device
              that is actually addressed with the external address, so the NAPT
              device can be directly attacked.
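To make the NAT/NAPT section and the drawbacks above concrete, here is an added example (not code from the answer) that simulates a NAPT translation table: an inside-initiated flow creates an entry and its reply is mapped back, an unsolicited outside packet with no entry stays at the NAPT device, a static port-forward entry can target only one inside host per protocol/port, and an ISP NAPT in front of the home router never reaches that forward. All addresses, ports and hosts are constructed (documentation and private ranges), and header checksum recomputation is left out.

```python
"""Toy NAPT (Network Address Port Translation) simulator.

Added example, not the original answer's code. Inside-initiated traffic creates
translation entries, an outside packet with no matching entry is for the NAPT
device itself, port forwarding is a static entry for one inside host per
protocol/port, and an ISP NAPT in front of the home router breaks that forward.
Checksum recomputation is omitted; all addresses and hosts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, TCP/UDP port or ICMP query id)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"; anything else cannot be NAPTed
    src: Endpoint
    dst: Endpoint


@dataclass(frozen=True)
class Entry:
    inside: Endpoint            # inside host that owns this outside port
    remote: Optional[Endpoint]  # outside peer for dynamic entries, None if static


class Napt:
    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # One translation table per transport protocol, keyed by outside port.
        self.tables: Dict[str, Dict[int, Entry]] = {"tcp": {}, "udp": {}, "icmp": {}}

    def forward_port(self, proto: str, public_port: int, inside: Endpoint) -> None:
        """Static entry (port forwarding): only one inside host per proto/port."""
        table = self.tables[proto]
        if public_port in table:
            raise ValueError(f"{proto}/{public_port} already goes to {table[public_port].inside}")
        table[public_port] = Entry(inside, None)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source, creating an entry on first use."""
        table = self.tables.get(pkt.proto)
        if table is None:
            raise ValueError(f"NAPT cannot translate {pkt.proto}")  # e.g. GRE, SCTP
        for port, entry in table.items():  # reuse the entry of an existing flow
            if entry.inside == pkt.src and entry.remote == pkt.dst:
                break
        else:
            port = self._allocate_port(table)
            table[port] = Entry(pkt.src, pkt.dst)
        return Packet(pkt.proto, (self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination if an entry matches.
        Returns None when the packet belongs to the NAPT device itself."""
        table = self.tables.get(pkt.proto)
        if table is None or pkt.dst[0] != self.public_ip:
            return None
        entry = table.get(pkt.dst[1])
        if entry is None or (entry.remote is not None and entry.remote != pkt.src):
            return None  # no translation entry: not for the inside network
        return Packet(pkt.proto, pkt.src, entry.inside)

    def _allocate_port(self, table: Dict[int, Entry]) -> int:
        while self.next_port in table:  # skip ports taken by static forwards
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def demo() -> dict:
    """Run the answer's scenarios with constructed hosts and return the results."""
    home = Napt("203.0.113.7")  # home router's public address (documentation range)
    laptop, server = ("192.168.1.10", 51000), ("198.51.100.5", 443)
    web_a, web_b = ("192.168.1.20", 80), ("192.168.1.21", 80)
    r = {}
    # 1. Inside-initiated flow: the source is rewritten and the reply mapped back.
    out = home.outbound(Packet("tcp", laptop, server))
    r["translated_src"] = out.src
    r["reply_dst"] = home.inbound(Packet("tcp", server, out.src)).dst
    # 2. Unsolicited packet to that port from another peer: no entry, stays at router.
    r["stranger"] = home.inbound(Packet("tcp", ("192.0.2.99", 4444), out.src))
    # 3. Port forwarding exposes web_a on tcp/80; web_b cannot share the port.
    home.forward_port("tcp", 80, web_a)
    visitor = Packet("tcp", ("192.0.2.50", 40000), (home.public_ip, 80))
    r["forwarded_dst"] = home.inbound(visitor).dst
    try:
        home.forward_port("tcp", 80, web_b)
        r["second_server_ok"] = True
    except ValueError:
        r["second_server_ok"] = False
    # 4. ISP NAPT in front of the home router: the visitor hits the ISP's public
    #    address, whose table has no entry, so the home router's forward is never reached.
    isp = Napt("192.0.2.1")
    r["double_nat"] = isp.inbound(Packet("tcp", ("192.0.2.50", 40000), (isp.public_ip, 80)))
    return r
```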

            The Solution to the IPv4 Address Shortage



            The IETF predicted the IPv4 address shortage, and it created the solution: IPv6, which uses 128-bit addresses, meaning there are 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IPv6 addresses. The almost unimaginable number of IPv6 addresses removes the need for NAPT (IPv6 doesn’t have any NAT standards, the way IPv4 does, and the experimental IPv6 NAT RFC specifically forbids NAPT), restoring the original IP end-to-end paradigm. The mitigations for the IPv4 address shortage are meant to extend the life of IPv4 until IPv6 is ubiquitous, at which point IPv4 should fade away.



            Humans cannot really comprehend numbers of the size used for IPv6. For example, a standard IPv6 network uses 64 bits for each of the network and host portions of the network address. That is 18,446,744,073,709,551,616 possible IPv6 standard /64 networks, and that same (huge) number of host addresses for each of those networks. To try to understand a number that large, consider tools that scan all the possible addresses on a network. If such a tool could scan 1,000,000 addresses per second (unlikely), it would take over 584,542 years to perform the scan on a single /64 IPv6 network. Currently, only 1/8 of the total IPv6 address space is allocated for global IPv6 addresses, which works out to 2,305,843,009,213,693,952 standard IPv6 /64 networks, and if the world population is 21 billion in the year 2100 (a somewhat realistic number), every one of those 21 billion people could have 109,802,048 standard IPv6 /64 networks, each network having 18,446,744,073,709,551,616 possible host addresses. Unfortunately, the (decades of) IPv4 address shortage has so ingrained address conservation in people, that many people simply cannot let it go, and they try to apply it to IPv6, which is pointless and actually detrimental. IPv6 is actually designed to waste addresses.



            The IETF also had the advantage of hindsight, and it improved IP (in IPv6) by removing features of IPv4 that didn’t work well, improving some IPv4 features, and adding features that IPv4 didn’t have, creating a new and improved IP. Because IPv6 is a completely separate protocol from IPv4, it can be run in parallel with IPv4 as the transition is made from IPv4 to IPv6. Hosts and network devices can run both IPv4 and IPv6 on the same interface at the same time (dual-stacked), and each is invisible to the other; there is no interference between the two protocols.



            The problem with IPv6 is that it is actually a completely different protocol that is incompatible with the ubiquitous IPv4, and the mitigations for the IPv4 address shortage are seen by many people to be “good enough.” The result is that it has been over 20 years since IPv6 was standardized, and we are just now getting some real traction in using IPv6 (Google reports, as of September 2018, worldwide IPv6 adoption of over 20%, and the IPv6 adoption rate in the U.S. is over 35%). The reason we are finally moving to IPv6 is that there are simply no more unused IPv4 addresses to be assigned.



            There are other obstacles, all part of the IPv4 culture, that are simply hard for people to look past. Many people are also scared of IPv6, having grown up and being comfortable with IPv4, warts and all. For example, the IPv6 addresses appear to be large and ugly compared to IPv4 addresses, and that seems to put many people off. The reality is that IPv6 is often easier and more flexible than IPv4, especially for addressing, and the lessons learned in IPv4 have been applied to IPv6 from the beginning.


            • This is a great summary of the situation. I'd only add that attitudes vary extremely widely on the costs and benefits both of changing from IPv4 to IPv6 and various exhaustion mitigation approaches.
              – jonathanjo
              4 hours ago










            • This summary is so great, that in my opinion it's one of the best texts on this topic on the Internet! Explained in an easy to understand language with a real intention to actually help someone understand it. Thank you so much Ron, clearly you have good understanding of this all. From your answer it seems that my idea of using one IP for many homes is actually being used. But clearly it has problems, with NAT, as you explained. If many homes have one IP, they cannot host separate websites for example. I guess this approach would be good only for people who only browse Internet without hosting
              – Loreno
              3 hours ago










            • This is basically one of the documents that I created for scouts interested in learning about network engineering. Scouting has embraced STEM (Science, Technology, Engineering, and Math), and I am going to hold a lecture for scouts in my area.
              – Ron Maupin♦
              3 hours ago

















            The use of Private IPv4 addressing, that can be reused on multiple networks (you may have noticed that most home/residential networks default to use the same 192.168.1.0/24 network, which is in one of the IANA allocated Private IPv4 address ranges), along with NAPT, allows business and home users to each use a single outside (public) address for a large inside (privately addressed) network. This saves many, many IPv4 addresses (several times the total number of possible IPv4 addresses) and has extended the life of IPv4 far beyond the point at which it would have collapsed without NAPT.

            NAPT does have some serious drawbacks:



            • NAPT breaks the IP end-to-end paradigm, and it only works with TCP,
              UDP, and ICMP, breaking other transport protocols. There are also
              application-layer protocols that use TCP or UDP that are broken by
              NAPT, even though TCP and UDP nominally work with NAPT. Other
              mitigations, e.g. STUN/TURN, may be available for some
              application-layer protocols, but they can add cost and complexity.

            • NAPT is very resource intensive, slowing packet forwarding compared
              to what is possible without using any form of NAT. Some vendors add
              dedicated hardware to mitigate the need to steal resources from
              packet forwarding, but this comes at added expense, size, complexity,
              and power usage.

            • When using NAPT, traffic initiated from outside the NAPT network
              cannot be delivered to the inside network because there is no
              translation entry in the translation table, which is added by
              inside-initiated traffic. The single outside (public) address is
              configured on the NAT device, and any packets with that
              destination IPv4 address and no entry for the source IPv4 address
              in the translation table for the transport protocol are assumed
              to be for the NAPT device, itself, not the inside network. There
              is a mitigation, called Port Forwarding, for this problem.

            • Port Forwarding basically configures, manually, a permanent entry in
              a translation table to allow outside-initiated traffic that is
              destined to a particular transport protocol and address for the
              protocol to be delivered to a particular inside host. This does have
              the drawback of only allowing one inside host to be the target for a
              particular transport protocol and address. For example, if there are
              multiple web servers on the inside network, only one of the web
              servers can be exposed on TCP port 80 (the default for web servers).

            • Because the IPv4 address shortage is so severe, the ISPs (Internet
              Service Providers) are running out of public addresses to assign to
              their customers. The ISPs can no longer get any more public
              addresses, so they have adopted some mitigations that especially hurt
              home/residential users. The ISPs want to reserve their precious
              public address pool for their business customers that are willing to
              pay for the privilege of getting public addresses. To do that, the
              ISPs are now starting to assign Private or Shared addresses to their
              home/residential customers, and the ISPs use NAPT on their own
              routers to facilitate the use of multiple Private or Shared addresses
              on a single public address. That creates a situation where a
              home/residential network is behind two NAPT translations (ISP NAPT to customer
              NAPT), and port forwarding configured by the customer on the
              home/residential router no longer works because it is broken by the
              ISP NAPT, which is not configured to forward the port to the customer
              router.

            • Many people make the mistake of equating NAPT and security because the
              inside hosts cannot be directly addressed from outside. This is a
              false sense of security. Because a firewall connecting a network to
              the public Internet is a convenient place to run NAPT, that simply
              confuses the situation. It creates a dangerous perception that
              NAPT, itself, is the firewall, and a real firewall is unnecessary.
              Network security comes from firewalls, which block all
              outside-initiated traffic by default, only allowing traffic it is
              explicitly configured to permit, possibly doing a deep inspection on
              the packet contents to drop dangerous packet payloads. What some
              people fail to realize is that, without a firewall, either in
              hardware or software, on the outside of or built into the NAPT device,
              to protect the NAPT device, the NAPT device itself is vulnerable. If
              the NAPT device is compromised, it, and by extension an attacker, has
              full access to the privately addressed inside network.
              Outside-initiated packets that do not match a translation table are
              destined to the NAPT device, itself, because it is the device that is
              actually addressed with the external address, so the NAPT device can
              be directly attacked.

            The Solution to the IPv4 Address Shortage



            The IETF predicted the IPv4 address shortage, and it created the solution: IPv6, which uses 128-bit addresses, meaning there are 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IPv6 addresses. The almost unimaginable number of IPv6 addresses removes the need for NAPT (IPv6 doesn’t have any NAT standards, the way IPv4 does, and the experimental IPv6 NAT RFC specifically forbids NAPT), restoring the original IP end-to-end paradigm. The mitigations for the IPv4 address shortage are meant to extend the life of IPv4 until IPv6 is ubiquitous, at which point IPv4 should fade away.



            Humans cannot really comprehend numbers of the size used for IPv6. For example, a standard IPv6 network uses 64 bits for each of the network and host portions of the network address. That is 18,446,744,073,709,551,616 possible IPv6 standard /64 networks, and that same (huge) number of host addresses for each of those networks. To try to understand a number that large, consider tools that scan all the possible addresses on a network. If such a tool could scan 1,000,000 addresses per second (unlikely), it would take over 584,542 years to perform the scan on a single /64 IPv6 network. Currently, only 1/8 of the total IPv6 address space is allocated for global IPv6 addresses, which works out to 2,305,843,009,213,693,952 standard IPv6 /64 networks, and if the world population is 21 billion in the year 2100 (a somewhat realistic number), every one of those 21 billion people could have 109,802,048 standard IPv6 /64 networks, each network having 18,446,744,073,709,551,616 possible host addresses. Unfortunately, the (decades of) IPv4 address shortage has so ingrained address conservation in people, that many people simply cannot let it go, and they try to apply it to IPv6, which is pointless and actually detrimental. IPv6 is actually designed to waste addresses.



            The IETF also had the advantage of hindsight, and it improved IP (in IPv6) by removing features of IPv4 that didn’t work well, improving some IPv4 features, and adding features that IPv4 didn’t have, creating a new and improved IP. Because IPv6 is a completely separate protocol from IPv4, it can be run in parallel with IPv4 as the transition is made from IPv4 to IPv6. Hosts and network devices can run both IPv4 and IPv6 on the same interface at the same time (dual-stacked), and each is invisible to the other; there is no interference between the two protocols.



            The problem with IPv6 is that it is actually a completely different protocol that is incompatible with the ubiquitous IPv4, and the mitigations for the IPv4 address shortage are seen by many people to be “good enough.” The result is that it has been over 20 years since IPv6 was standardized, and we are just now getting some real traction in using IPv6 (Google reports, as of September 2018, worldwide IPv6 adoption of over 20%, and the IPv6 adoption rate in the U.S. is over 35%). The reason we are finally moving to IPv6 is that there are simply no more unused IPv4 addresses to be assigned.



            There are other obstacles, all part of the IPv4 culture, that are simply hard for people to look past. Many people are also scared of IPv6, having grown up and being comfortable with IPv4, warts and all. For example, the IPv6 addresses appear to be large and ugly compared to IPv4 addresses, and that seems to put many people off. The reality is that IPv6 is often easier and more flexible than IPv4, especially for addressing, and the lessons learned in IPv4 have been applied to IPv6 from the beginning.














            edited 45 mins ago
            answered 4 hours ago
            Ron Maupin♦

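As an added example (not part of Ron Maupin's answer above, and not any vendor's NAT implementation), the following Python models the NAPT mechanics the answer describes: per-protocol translation tables that only inside-initiated traffic populates, the IPv4 header checksum that must be recomputed after every address rewrite, a static port-forward entry that can point at exactly one inside host, unsolicited outside packets terminating on the NAPT device itself, and an ISP NAPT in front of the home router defeating the customer's port forward. Every address is taken from documentation or special-purpose ranges (RFC 1918, RFC 5737, RFC 6598), and the class and function names are this example's own assumptions.

```python
"""Constructed model of NAPT (port-translating NAT). No real sockets; all
addresses come from documentation/special ranges: 192.168.1.0/24 (RFC 1918),
100.64.0.0/10 shared space (RFC 6598), 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737)."""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields NAPT inspects; proto is "tcp" or "udp"."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum of 16-bit words. With the checksum field
    zeroed it yields the checksum; over a correct full header it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Minimal 20-byte header (no options) carrying a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_src(header: bytes, new_src: str) -> bytes:
    """The per-packet work a NAT device cannot skip: swap the source address,
    then recompute the header checksum (a stale checksum fails verification)."""
    hdr = header[:10] + b"\x00\x00" + socket.inet_aton(new_src) + header[16:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


class NAPT:
    """One dynamic translation table per transport protocol, keyed by the
    public port the device hands out, plus a separate table of static
    port forwards. Anything other than tcp/udp has no table (KeyError),
    which is the 'breaks other transport protocols' point in the answer."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {"tcp": {}, "udp": {}}    # public port -> (inside ip, inside port)
        self.reverse = {"tcp": {}, "udp": {}}  # (inside ip, inside port) -> public port
        self.forwards = {}                     # (proto, public port) -> (inside ip, inside port)

    def add_port_forward(self, proto: str, public_port: int, inside_ip: str, inside_port: int):
        """Permanent entry: exactly one inside host per (protocol, public port)."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: source becomes public_ip plus a unique port; the
        entry created here is what later lets the reply find its way back."""
        key = (pkt.src_ip, pkt.src_port)
        pub_port = self.reverse[pkt.proto].get(key)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pkt.proto][pub_port] = key
            self.reverse[pkt.proto][key] = pub_port
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Outside -> inside. Returns the translated packet, or None when no
        entry matches: an unmatched packet terminates on the NAPT device
        itself, so the device, not a hidden host, is what an attacker reaches."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = (self.table[pkt.proto].get(pkt.dst_port)
                 or self.forwards.get((pkt.proto, pkt.dst_port)))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def traverse_inbound(nats, pkt: Packet):
    """Push an outside-initiated packet through chained NAPT devices (ISP
    first, home router second). It dies at the first device with no matching
    entry, which is why a customer's port forward stops working behind CGNAT."""
    for nat in nats:
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


if __name__ == "__main__":
    home = NAPT("203.0.113.5")
    print(home.outbound(Packet("tcp", "192.168.1.10", 50000, "198.51.100.80", 443)))
    print(home.inbound(Packet("tcp", "198.51.100.7", 4444, "203.0.113.5", 22)))
```

The dynamic table here is keyed only by the public port, so any outside host that learns an open mapping can send into it; a production NAPT records the remote address and port in the entry as well, which both closes that hole and lets one public address carry far more than 65,535 concurrent flows by reusing public ports toward different remote endpoints. No table design changes the last point, though: whatever fails to match lands on the NAPT device itself, which is why the device needs a stateful filter in front of it or built into it.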
            • This is a great summary of the situation. I'd only add that attitudes vary extremely widely on the costs and benefits both of changing from IPv4 to IPv6 and various exhaustion mitigation approaches.
              – jonathanjo
              4 hours ago










            • This summary is so great, that in my opinion it's one of the best texts on this topic on the Internet! Explained in an easy to understand language with a real intention to actually help someone understand it. Thank you so much Ron, clearly you have good understanding of this all. From your answer it seems that my idea of using one IP for many homes is actually being used. But clearly it has problems, with NAT, as you explained. If many homes have one IP, they cannot host separate websites for example. I guess this approach would be good only for people who only browse Internet without hosting
              – Loreno
              3 hours ago










            • This is basically one of the documents that I created for scouts interested in learning about network engineering. Scouting has embraced STEM (Science, Technology, Engineering, and Math), and I am going to hold a lecture for scouts in my area.
              – Ron Maupin♦
              3 hours ago


























            up vote
            1
            down vote













            Ron Maupin's answer gives a brilliant overview of the IPv4 shortage, but I'd like to address this part of your question:




            Why can't a city (for example) have just one IP address and all homes in this city would just be on a private network of that city. Then this one city would be able to assign addresses from range 0.0.0.1 to 255.255.255.254.




            On the face of it, this is exactly how "NAT" (or, more specifically, "IP address masquerading") works: a private network is set up which looks to the outside internet like a single host, and routes traffic internally to many different users. But there are some important limits you've overlooked in your example:



            • Users on the inside still need to be able to address the outside internet; if you assign the address 151.101.1.69 to an internal user on your network, you won't be able to access networkengineering.stackexchange.com, because that's the address where it's hosted. So in practice, you can only use internal addresses which are reserved for this use.

            • Less obviously, hosts on the outside need some way to pass traffic to the users on the inside, even if they're just browsing the web. This is because IP connections aren't like tunnels: sending a packet to a web server doesn't reserve a cable for the conversation, it just asks the server to send some packets back your way. If the web server is just sending its responses to one public address, something needs to keep track of which internal computer actually requested it. If more than one person on the internal network accesses the same web server, the only way to keep track is to assign each connection a unique dynamic port number for the replies to go to.

            There are around 18 million private-use IPv4 addresses, but only 65536 port numbers. You don't actually need a unique port for every connection, because you can have a lookup table which includes the remote address as well, but there's still a limit to how far you can scale without problems.



            That said, NAT is indeed one of the biggest reasons why the IPv4 network hasn't completely collapsed due to address shortages. Assigning an IP address to each household or office, and issuing them with a device to perform NAT, allows many more devices to be connected than the original design of IPv4 would allow. To scale further, carrier-grade NAT is used, where an ISP has fewer public addresses than connected households, possibly using two layers of NAT to manage the routing of packets to their eventual destination.



            In the end, squeezing every possible route out of the few remaining addresses is just life support for IPv4, and at some point, every address will either be reserved for internal use, the public face of some NAT'd network, or the public address of a server accepting unsolicited connections.






            share|improve this answer








            New contributor




            IMSoP is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.
                answered 11 mins ago









                IMSoP

                1113
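The translation table IMSoP describes, as an added example that is not part of the original answer: a toy NAPT table for one public address, keyed on the remote endpoint as well as the public port, using constructed documentation-range addresses (203.0.113.5, 198.51.100.10). It shows why the same public port can serve many destinations, yet no more than 64512 concurrent flows to one server fit behind one public address, while the RFC 1918 ranges hold about 18 million addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private-use ranges: 10/8 + 172.16/12 + 192.168/16 is the "around
# 18 million" addresses mentioned above, versus 65536 port numbers.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
FIRST_PORT, LAST_PORT = 1024, 65535  # ephemeral ports a NAT box hands out


def private_address_count():
    """Total number of RFC 1918 addresses (17,891,328)."""
    return sum(ipaddress.ip_network(r).num_addresses for r in PRIVATE_RANGES)


class PortExhausted(Exception):
    """No free external port remains for a new flow to this destination."""


@dataclass
class NatTable:
    """Toy NAPT state for one public address (added example, not real NAT code)."""
    public_ip: str
    # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port).
    # Keying on the remote endpoint is the "lookup table which includes the
    # remote address": one public port can serve flows to many destinations.
    inbound: dict = field(default_factory=dict)
    outbound: dict = field(default_factory=dict)   # internal flow -> public port
    next_port: dict = field(default_factory=dict)  # per remote endpoint
    released: dict = field(default_factory=dict)   # per remote endpoint

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Return (public_ip, public_port) to stamp on a packet leaving the NAT."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound:                  # later packet of a known flow
            return self.public_ip, self.outbound[flow]
        dst = (dst_ip, dst_port)
        if self.released.get(dst):                 # reuse a port freed earlier
            port = self.released[dst].pop()
        else:
            port = self.next_port.get(dst, FIRST_PORT)
            if port > LAST_PORT:
                raise PortExhausted(f"{self.public_ip}: no port left towards {dst}")
            self.next_port[dst] = port + 1
        self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        self.outbound[flow] = port
        return self.public_ip, port

    def translate_in(self, public_port, remote_ip, remote_port):
        """Internal (ip, port) a reply belongs to, or None if no flow matches."""
        return self.inbound.get((public_port, remote_ip, remote_port))

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Forget a finished flow so its public port can be handed out again."""
        port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port))
        del self.inbound[(port, dst_ip, dst_port)]
        self.released.setdefault((dst_ip, dst_port), []).append(port)


def flows_until_exhausted(public_ip, dst_ip, dst_port):
    """Open flows from distinct internal hosts to one server until ports run out."""
    nat, count = NatTable(public_ip), 0
    while True:  # constructed internal hosts 10.0.0.0, 10.0.0.1, ...
        src_ip = f"10.{(count >> 16) & 255}.{(count >> 8) & 255}.{count & 255}"
        try:
            nat.translate_out(src_ip, 40000, dst_ip, dst_port)
        except PortExhausted:
            return count
        count += 1


if __name__ == "__main__":  # constructed documentation-range addresses
    print(private_address_count(), "private addresses, but only 65536 ports")
    print(flows_until_exhausted("203.0.113.5", "198.51.100.10", 443),
          "concurrent flows to one server fit behind one public address")
```

Replies that arrive for a (public port, remote endpoint) pair with no table entry are dropped, which is why a host behind this kind of NAT cannot accept unsolicited connections without an explicit forwarding rule.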

                    up vote
                    -1
                    down vote













                    It's also worth noting that a lot of the IPv4 IPs are owned by either cloud hosting companies or proxy resellers, and have been highly tainted. Anyone who rents proxies has surely experienced the issues running off a tainted IP address.



                    While IPv4 addresses will run out, there are still more than enough to go around, and you can still buy blocks of them (by the 1000s), for a few dollars each.






                    share|improve this answer
                    answered 45 mins ago









                    McFlySoHigh

                    1013
                    • 1




                      ROTFL. Few Dollars would be about 14-15 + a fee for the address broker. A /24 (and you need that so you can route it on the internet) is about $5.000.
                      – Jens Link
                      32 mins ago










                    • I said they are sold in quantities of "1000s" for a few dollars each. But the last time I looked at the cost was a few years ago. I rent proxies personally, which go for about $1-5 per month depending on qty and quality. Virgin proxies with unused IPs go for about $15 for 1 per month, but qty can get you deep discounts. Here's the current pricing for blocks: arin.net/fees/fee_schedule.html
                      – McFlySoHigh
                      26 mins ago