Jul
What To Do About The Shortage Of IP Addresses
Posted by jerry as technology
For years now, we have heard about the impending end of the Internet as we run out of IP addresses. For a while, it was so persistent and frequent, it became background noise to me. The only way to save the Internet is to move to IPv6, the story goes.
I’ve spent a lot of the past decade in various networking, programming and technology management roles, and dabbled a bit in web hosting work. One thing that is obvious to me is that we are not going to be moving wholesale to IPv6 any time soon.
I was surprised to see an article the other day bringing up the dreaded doomsday of the Internet, predicting that we have 3 years until the end.
SSL Sites
In the early days of my experience with hosting, I was troubled to find that every HTTPS site with its own certificate needed its own IP address (or a non-standard port). What a waste, it seemed to me. There is, of course, a logical explanation:
When a browser opens a connection to a web server, it has already resolved the hostname to an IP address, and the SSL handshake runs before any HTTP data (including the Host header) is sent. From the perspective of the server, it is simply an incoming connection on some IP address that needs to establish an SSL session. The server has to send its certificate during that handshake, and it has no way of knowing which host the browser was trying to reach, so it relies on a one-to-one mapping of IP addresses to SSL certificates.
Modifying the SSL protocol so that the client states the domain it is requesting at the time of the handshake should provide an additional number of years before we must convert to IPv6. This is exactly what the Server Name Indication (SNI) extension to TLS does: the client includes the hostname in its first message, the ClientHello, so the server can pick the matching certificate before it replies. Backwards compatibility is built in, since a server that does not understand the extension ignores it, and a client that does not send it simply gets the server's default certificate (and a name-mismatch warning if that is the wrong one). The real hurdle is deployment: web server software writers and browser authors have to implement the extension and push those updates out to the world, and older clients (Internet Explorer on Windows XP being the long-lived example) never send it, so a site that depends on a shared IP still loses those visitors.
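To make the handshake mechanics concrete, here is a small Python sketch, added here and not code from the original post, that builds a TLS ClientHello with and without the SNI extension and shows how a server reads the hostname out of that very first message to choose a certificate. The hostnames and certificate file names in it are made up for the illustration; the byte layout follows the TLS record and extension format.

```python
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname=None, tls_version=(3, 1)):
    """Construct a minimal TLS record carrying a ClientHello.

    With a hostname, a server_name (SNI) extension is appended; without
    one the hello looks like a pre-SNI client. Values are constructed,
    not captured from a real browser.
    """
    client_random = b"\x11" * 32          # constructed, not random
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"   # TLS_RSA_WITH_AES_{128,256}_CBC_SHA
    compression = b"\x00"                 # null compression only
    body = bytes(tls_version) + client_random
    body += bytes([len(session_id)]) + session_id
    body += _u16(len(cipher_suites)) + cipher_suites
    body += bytes([len(compression)]) + compression
    if hostname is not None:
        name = hostname.encode("idna")
        # ServerNameList with one entry of NameType host_name (0)
        server_name_list = b"\x00" + _u16(len(name)) + name
        sni_data = _u16(len(server_name_list)) + server_name_list
        extension = _u16(0) + _u16(len(sni_data)) + sni_data  # type 0 = server_name
        body += _u16(len(extension)) + extension
    handshake = b"\x01" + _u24(len(body)) + body            # HandshakeType client_hello
    return b"\x16" + bytes(tls_version) + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is the server's side of the trick: the name is available from
    the first flight, before any certificate has to be chosen.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip version + random
    pos += 1 + body[pos]                            # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                            # compression methods
    if pos >= len(body):
        return None                                 # no extensions: pre-SNI client
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


# Constructed mapping of hostnames to certificate files on one shared IP.
CERT_BY_NAME = {
    "shop.example.com": "shop.pem",
    "blog.example.com": "blog.pem",
}


def choose_certificate(record, default="default.pem"):
    """Pick the certificate for an incoming ClientHello on a shared IP.

    Clients that send no SNI get the default, which is what a pre-SNI
    server would have served to everybody on that address.
    """
    return CERT_BY_NAME.get(extract_sni(record), default)


if __name__ == "__main__":
    print(choose_certificate(build_client_hello("shop.example.com")))
    print(choose_certificate(build_client_hello()))
```

The point to take from it is that the hostname rides in the clear in the first message, which is both why it works without breaking old servers and why it leaks which site on a shared IP a client is visiting.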
The number of certificates issued each year is not a published number, so it is difficult to tell just how much the growth rate of IP consumption could be slowed with such a solution.
Portable Net Blocks
At several points in my career, I had the responsibility of procuring IP addresses for several fast growing companies. In all cases, the companies were using private, non-routable addresses that were address translated by a firewall, which essentially used only one "real" IP address for the hundreds of systems on the company's network. Each company was implementing redundancy with its ISPs, essentially connecting to two or three ISPs in case something bad happened to one or two of the others. In order to facilitate this, we wanted to obtain our own IP addresses. Each of our ISPs was willing and able to assign IP addresses that could be announced across multiple ISPs. However, those IP addresses remained the "property" of those ISPs. So, if we were using ATT and decided that ATT stunk, we would need to re-address our enterprise.
We did not actually need that many addresses, less than a class C (or /24) of 256 addresses. At the time, at least, the minimum size allocation that ARIN would make was a /19 net block, consisting of 32 class C net blocks, or 8,192 addresses. In each case, I had to justify the use of that many IP addresses. The companies were large enough that it was pretty easy to justify that many IPs, assuming we assigned each host on the network a "real" IP address, in addition to showing the contracts that we had with the various ISPs, indicating our intent to "multi-home" our networks. And re-IP we did. I did this 4 times, wasting somewhere around 30,000 IP addresses. Yay for me.
ARIN has since updated its allocation policies, now providing minimum net blocks of four class C's (a /22, or 1,024 addresses). Based on my experience, I cannot fathom how many IP addresses are allocated and sit unused or poorly used because of situations like mine. Unlike the SSL issue, there doesn't appear to be a good solution to this. There is a practical limitation to the number of individual networks that can be announced on the Internet: every multi-homed block becomes its own entry in the global BGP routing table, and every default-free router has to carry that entry in memory and reconverge when it flaps. Continuing to make the minimum allocation smaller and smaller therefore trades address waste for routing-table growth, and routing may become unstable without major upgrades to the Internet's network equipment.
One comment
[...] of someone sniffing my logins to the sites. That reminded me of a post I wrote recently about an idea to conserve IP addresses. Most of my sites are hosted on a shared IP address on my server. I simply don’t have enough [...]