The IPv6 Problem, pt. 2


So I promised to answer Borepatch’s questions:

The Fed.Gov is making IPv6 a big deal. How long do you think until (a) large non-DoD migrations occur, or (b) we actually start to run out of IPv4 addresses?

As a member of the cable industry, I can say that for large, non-government, North American IPv6 deployments all eyes are on Comcast. Comcast will likely be the first US ISP to roll out IPv6 on a large (millions of users) scale. Comcast’s push is directly related to the fact that they are completely out of RFC1918 private addresses to use in their network.

For those unfamiliar with Comcast’s problem, the company has about 25 million cable modem subscribers, all of whom need at least two IP addresses. One address is for cable modem management and is not publicly visible, and one address is for the end user, which must be publicly visible. The address for CM management is almost always a private address which is not internet routable. In other words, the address only has significance within an organization, not on the public internet, and so these addresses can be duplicated between organizations. RFC1918 defines the addresses which should be used for this task: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These networks contain 16,777,216, 1,048,576, and 65,536 addresses respectively. Since Comcast needs 25 million of these addresses, and there are just under 18 million available, they’ve run into a bit of a problem. Comcast has had to issue about 7 million of its public IP addresses, which are unique and must be assigned by ARIN, to cable modems for management purposes. This is a massive waste of the already limited IPv4 address space. There’s a fascinating (if you’re into this sort of thing) PowerPoint presentation by one of Comcast’s IP architects available here which details his proposal for their IPv6 rollout and interim management solution.

So if we need it now, what’s the holdup? In the cable industry, one of the primary problems with deploying IPv6 is that the new protocol isn’t supported over existing cable plants. Cable internet is served with a method called DOCSIS, which is a specification that defines physical and data link layer requirements for transmitting internet packets over cable media. Most cable plants today are DOCSIS 1.1 or 2.0. DOCSIS 3.0, which was ratified in 2006, is required to operate IPv6. DOCSIS 3.0 gear is still relatively difficult to come by in today’s market. It’s also extremely expensive, about twice as expensive as installing DOCSIS 2.0 compliant head end gear. But if that were the only thing holding us back, DSL and FTTP providers would be running IPv6 right now and leaving cable in the dust.

Other issues preventing large-scale IPv6 deployments include:

  • A lack of support from upstream service providers. Backbone service providers such as AT&T and Level 3 are not currently running IPv6-capable routing protocols throughout their networks. Even if I could turn up IPv6 services tomorrow, I couldn’t send them across the internet in most of the US without translating IPv6 packets into IPv4 packets.
  • A lack of support from backend vendors. Many DHCP provisioning solutions currently deployed do not support IPv6. Upgrading is costly.
  • Security: IPv6 currently enjoys security by way of obscurity; very few people have any experience at breaking into IPv6 networks. We know where the security holes in v4 are, and we know best practices for plugging them or minimizing their impact. v6 is a virtual unknown. However, one upshot of IPv6 is that it supports IPsec natively.[1]
  • Databases: Every field that used to contain 32 bits for an IPv4 address must now contain 128 bits. Every application that reads from or writes to those databases has to be taught how to parse IPv6 addresses in a meaningful way.
  • Apathy. I and other engineers across the country are having a hell of a time convincing management that IPv6 is worth the time and effort now when we know that IPv4 will last us at least another two to four years. It’s not unreasonable to guess that v4 will be around for another decade for the late adopters.
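
The Databases item in the list above, as an added example (not code from the original post): it stores IPv4 and IPv6 addresses in one fixed 16-byte key so that different spellings of the same address compare equal and prefix checks work for both families. The single `BINARY(16)` column and the sample rows (documentation and private ranges) are assumptions made for the illustration.

```python
import ipaddress

# IPv4 is stored as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), so one
# 16-byte column (assumed schema: BINARY(16)) holds both address families.
V4_MAPPED_PREFIX = b"\x00" * 10 + b"\xff\xff"

# Constructed sample rows, as an application might have logged them as text.
SAMPLE_ROWS = [
    "2001:db8::1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",  # same host, fully expanded
    "2001:DB8:0:0:0:0:0:1",                      # same host, upper case
    "192.0.2.10",
    "::ffff:192.0.2.10",                         # same host, mapped notation
    "10.1.2.3",
]


def to_key(text: str) -> bytes:
    """Parse an IPv4 or IPv6 literal into a fixed-width, sortable 16-byte key."""
    addr = ipaddress.ip_address(text.strip())  # raises ValueError on junk input
    if addr.version == 4:
        return V4_MAPPED_PREFIX + addr.packed
    return addr.packed


def from_key(key: bytes) -> str:
    """Render a stored key back to canonical text (dotted quad for IPv4)."""
    addr = ipaddress.IPv6Address(key)
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else addr.compressed


def in_prefix(key: bytes, cidr: str) -> bool:
    """Prefix test that accepts either an IPv4 or an IPv6 CIDR block."""
    net = ipaddress.ip_network(cidr)
    addr = ipaddress.IPv6Address(key)
    if net.version == 4:
        mapped = addr.ipv4_mapped
        return mapped is not None and mapped in net
    return addr in net


def distinct_hosts(rows):
    """Deduplicate on the binary key; comparing the raw text would miss aliases."""
    return sorted({to_key(r) for r in rows})


if __name__ == "__main__":
    for k in distinct_hosts(SAMPLE_ROWS):
        print(from_key(k), "private-10/8" if in_prefix(k, "10.0.0.0/8") else "")
```

Comparing the raw strings would count six distinct hosts in the sample; comparing keys yields three.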

I haven’t been able to find any concrete info[2], but given that Comcast is pushing its DOCSIS 3.0 rollout fairly hard, I expect that Comcast has begun or will begin by the end of this year migrating all of their modem and set-top box management to IPv6. If that goes well, perhaps they will trial issuing IPv6 addresses to end users by the end of 2010 with large migrations by the end of 2011. IPv4 addresses are estimated to be exhausted by the end of 2012, but as large ISPs like Comcast and Verizon start migrating to IPv6, they’ll turn in their IPv4 allocations to ARIN or sell them to other corporations. Ultimately it’s possible that this could delay adoption of IPv6 even further.

While the Federal Government mandated that all of its agencies be IPv6 ready (at least at their core infrastructure) by June of last year, I’ll be very surprised if they require IPv6 transition of private corporations before the time that every major ISP is operating at least a dual-stack architecture, if ever.

  1. IPv4 rewrites packets with a second header to use IPsec.
  2. It looks like Comcast is only advertising their aggregate IPv6 network (2001:558::/32, ASN 7922) via BGPv6. This could mean that they aren’t using their allocation yet, or it could mean that they’re tunneling all their IPv6 traffic to one location and advertising the prefix there, which is what I would do for management traffic.
