views from our management team

IPv4 address exhaustion and a trading market

December 21st, 2007 by Jay Daley

There are discussions starting within the Regional Internet Registries (RIRs) about the creation of a trading market in IPv4 addresses as we approach the inevitable exhaustion of unallocated addresses. The view being put forward is basically “this is likely to happen anyway and by discussing it now, we can ensure it happens in an orderly way”.

When I first heard this idea I was a bit surprised. The RIRs are policy-based bodies and so a shift to a trading market appears to be an abandonment of that policy base. However, I have been partly corrected on that. The discussions within RIPE (I’ve no idea about the other RIRs’ policy processes) are for a policy-based allocation process to stay in place, but the outcome of that is to be a ‘right to buy’ rather than an allocation as now.

Of course this hybrid trading market still only enables policy control of the buying of domains, not the selling of domains, which is where some of the real disagreements start to surface.

The international view

The view taken by some countries is that the global allocation of IPv4 address space is unbalanced in favour of the early adopters, namely US-based organisations.  The introduction of the RIRs has meant ‘fair’ allocation since then but the historical imbalance goes uncorrected.  So if a trading mechanism were established now, the countries that were not early adopters are going to have to pay possibly very large sums for things that others got for free.

The view from some of the RIR people is that the crunch is coming soon anyway and there is no point trying to correct that balance: it will take too much effort and not buy us much time anyway. They also believe that the trading mechanism will lead to many of those early adopters selling on large parts of their allocations, thereby introducing more addresses than would be available otherwise. I’ll come back to both of those points later.

What about IPv6?

Of course the looming exhaustion of IPv4 addresses is nothing new.  IPv6 was designed to get around the limitations of IPv4 and IPv6 addresses are available easily and in vast numbers, so why can’t we just use that?

The simple answer is that IPv6 devices cannot talk to IPv4 devices and only a small fraction of the Internet runs IPv6. So if I have only IPv6 on my desktop, I will not be able to contact web sites such as BBC News, Google, The Register or even our web site.

Therefore, for the foreseeable future, both IPv4 and IPv6 addresses are going to be needed.  If you have a closed network, such as an internal management system, then you can use IPv6 alone, but not otherwise.

Certified allocations

There has been talk for some years now of moving to a secure routing system, where address allocations are issued certificates and those are then used by Internet routers to determine if someone is entitled to route the addresses they are advertising.

The RIRs have started the process of issuing certificates for allocated addresses, but the technology has not been finalised or deployed to see these being used automatically. In the interim some RIRs hope they will be used manually (i.e. before we interconnect, you show me yours and I’ll show you mine).

Now we have the really interesting position.  How do those with pre-RIR allocations get certificates?  Should they have to go through an allocation policy process before they can get a certificate?

Alternatively, what if the price of the certificate reflects the size of the address block? Say a /19 cost roughly €50,000. That makes roughly €100,000,000 for a /8. In a trading market this may well be the figure a /8 fetches when sold to the highest bidder.

Timescales and investment

Exhaustion of unallocated IPv4 addresses is unavoidable and we have to migrate to IPv6. Everyone knows that, even if we don’t all act accordingly: uptake and use of IPv6 address space is very low.

This seems to come down to basic economics.  Without a business case for the move to IPv6 only a few are going to make the move.  So the question is whether a trading market aids that move, which to me appears not to be the case:

  • Those who already have IPv4 addresses will not have any pressure to move.  Don’t forget, these are the ones running the established services that need to move to IPv6 to be accessible to others.
  • Those who need IPv4 addresses may be able to use IPv6 for closed networks, but otherwise are going to have to spend money on IPv4 addresses that might otherwise be used for IPv6 migration.

Equipment is generally replaced in cycles, often three to five years, at which point new functionality tends to be introduced by being included in the newer products.  If I ran a large network of cable modems I would have started a couple of years ago to look to the next versions to support IPv6, but I would never consider swapping out perfectly good ones just for that functionality.  It might take several years before they all had IPv6 and I could switch to that for the management network, reducing address allocation.

So going back to the point on the need to reclaim space, maybe there is a valid reason, which is to buy enough time for the ordinary update cycle to enable the functionality without forcing people to make out-of-the-ordinary investment.

There’s more

There is a lot of stuff I haven’t covered here, such as the role of Network Address Translation (NAT), the worry that carpetbaggers might try to grab the remaining space in anticipation of a market, the role of RIRs in controlling routeing (correct spelling, trust me) or not, and how to get people to really plan for IPv6.

What is clear though is that there is a lot to think about in this one development and it has a heavy impact on a lot of people.  This is one to watch.

Misbehaviour and the end-to-end principle

December 15th, 2007 by Jay Daley

The misbehaviour of some users of the Internet has wrought a change that is probably going to end up being far wider than is currently perceived. It is likely to mean the reconsideration of some of the fundamental principles, whether those were defined or just assumed, that are believed to have been key contributors to the success of the Internet to date.

A spectrum of misbehaviour

To understand this we need to begin with a model of the mindset of the misbehaving parties. Rather than give one single model, which would be unrealistic, it is possible to define a spectrum of behaviours into which the majority of these parties fit and from that spectrum to derive a set of common indicators that identify such parties.

  • At one end of the spectrum we have those who can be harshly characterised as the ‘selfish’. These are the people who use their home connection to the maximum, downloading videos over BitTorrent, with no regard for the impact on the other users of what is still essentially a shared medium.
  • In the middle of the spectrum we have a group that can be less contentiously characterised as the ‘carpetbaggers’. These are those who see the Internet as a source of profit driven by mass action. This is where the business model behind spam originates.
  • At the other end of the spectrum we have those who are fairly characterised as ‘crooks’. These are the people who create botnets by taking advantage of the weaknesses in the security, both technical and social, that protects home desktops.

Common mindset

The most obvious common indicator derived from this spectrum is that these people see the Internet as a natural resource just waiting to be exploited. If we analyse this indicator further we get the following attributes:

  • Anything that is not explicitly forbidden (or more accurately - prevented by the technology) is allowed.
  • There are things out there on the Internet that are not ‘owned’ by anyone.
  • What they want to do is more important than any other considerations.

It is remarkable just how many otherwise sensible parties fall into the trap of believing some of these things. One example is the rampant theft of WHOIS data by security companies.

Explicit control

The technical response to this misbehaviour, from which the majority of success in this struggle has originated, has been focused on explicit control that either prevents or permits certain activity. A whole industry has built up around this.

There are varying degrees of success with that approach. For example, the response is less than perfect when it is difficult to precisely identify the behaviour to combat, as is the case with spam. Furthermore, the exploitative mindset continues to search and probe for new avenues to exploit.

Emerging from this response is the recognition that misbehaviour will only be controlled by securing each and every part of the Internet that can be exploited.

This is not to deny the impact of after-the-fact enforcement and economic mechanisms for controlling behaviour, but prevention is always better than cure.

End-to-end principle

One principle that has defined the Internet until now is the end-to-end principle, which can be summarised as the intelligent choices being made by the end devices with the core of the Internet being relatively simple.

However, this principle cannot prevent the exploitation of the core, which is just as much a target as anything else. If we try to maintain this principle then it will continue to allow the development of end services that try to grab as much of the core as possible. This is inevitable given the mindset above. Efforts might be made to regularise access to the core at the end devices, but then that is just a semantic trick to make it appear the end-to-end principle is still in place.

The conclusion then is that the only way we can prevent the misbehaviour that impacts the core is to allow the core to defend itself. That means the end-to-end principle has to give. There may well be other principles that have to give before this is all over.

Nominet Foundation, deadline for comments approaching

December 14th, 2007 by Phil Kingsland

The Monday 17 December deadline for sending feedback about our proposals for a Nominet Foundation is fast approaching. If you have any views on the concept of a foundation, or suggestions of possible beneficiaries, we’d be very interested to hear from you. Either complete our short online survey or email comments to foundation@nominet.org.uk.

We have received some encouraging comments so far, but the level of feedback has been disappointing with only 20 responses received.

Some background:
Our proposal recommends that we create a Nominet Foundation for the purpose of public benefit to UK Internet stakeholders through education, research and the funding of suitable projects. We would set it up as a charity and company limited by guarantee, with a first year donation of £5m.

This proposal has been made to resolve the issue of the level of our reserves, which have been increasing significantly beyond the level we have identified as necessary for the ongoing running of the business.

We have thought long and hard about possible ways of resolving this issue and some of the more obvious options are not open to us. For instance, we are unable to change the price of domain names unless 75% of our membership vote in favour of a change. And, although some members favour a price reduction, others are equally convinced that the price should be increased, as they feel price reductions devalue the product. Also, our constitution prevents us from distributing funds to our members.

As these options are not available to us, the plan for a Foundation to benefit the Internet industry in the UK has emerged as the most popular solution and we’re taking feedback on this proposal now, so do let us know your thoughts.